Patents by Inventor Wei Shiau Suen
Wei Shiau Suen has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
- Patent number: 11265303
  Abstract: Embodiments provide a system and method for stateless session synchronization between inspectors for high availability deployments. Man in the Middle inspectors of a communication session between a client and server exchange a shared key that is used as a common seed value in a mapping function algorithm. Each inspector generates identical key-pairs using the common mapping function algorithm, and the inspectors generate the session keys from the key-pairs. Inspectors use the session keys to decrypt and either actively or passively inspect data transferred in a session between a client and server.
  Type: Grant
  Filed: March 30, 2020
  Date of Patent: March 1, 2022
  Assignee: International Business Machines Corporation
  Inventors: Kuo-Chun Chen, Wei-Hsiang Hsiung, Cheng-Ta Lee, Wei-Shiau Suen, Ming Hsun Wu
- Patent number: 11178171
  Abstract: Embodiments are directed to a method of monitoring a suspicious file, including: receiving, from a web server, a first file; encrypting, by an intermediary network device, the first file; transferring the encrypted file, from the intermediary network device, to an end device; transferring the first file, from the intermediary network device, to a malware analysis device for a malware analysis; and receiving a malware analysis result, from the malware analysis device. If the malware analysis result indicates the first file is not malware, requesting a key; decrypting the encrypted file using the key; and accessing the decrypted file.
  Type: Grant
  Filed: December 4, 2018
  Date of Patent: November 16, 2021
  Assignee: International Business Machines Corporation
  Inventors: Wei-Hsiang Hsiung, Ming Hsun Wu, Wei-Shiau Suen, Cheng-Ta Lee
- Patent number: 11146588
  Abstract: A network-based appliance includes a mechanism to set up and selectively use an “out-of-band” encryption channel. The mechanism comprises a packet parser and a packet dispatcher, and it is integrated with an existing network layer stack that typically is not visible to host applications. In lieu of simply encrypting all data it receives, the mechanism instead analyzes one or more attributes, e.g., protocol type, application type, current encryption strength, content payload, etc., associated with a packet transmission to determine whether further encryption is required. The evaluation may include a deep packet inspection (DPI) when the information at the network layer (e.g., IP address, port number, etc.) is not sufficient to determine if the payload in the packet needs to be further encrypted. Based on the result of the analysis, packets are dispatched to the encryption channel as and when necessary.
  Type: Grant
  Filed: June 29, 2019
  Date of Patent: October 12, 2021
  Assignee: International Business Machines Corporation
  Inventors: Cheng-Ta Lee, Chun-Shuo Lin, Wei-Shiau Suen, Ming-Hsun Wu
- Patent number: 11121918
  Abstract: An intelligent network management device including an analytic unit, conducting an analysis according to received packets in order to determine whether a given event has occurred; and a processing unit, generating and sending a control instruction to a SDN controller to change configurations of a SDN switch when the analytic unit determines that the given event has occurred.
  Type: Grant
  Filed: November 7, 2017
  Date of Patent: September 14, 2021
  Assignee: International Business Machines Corporation
  Inventors: Chih-Wen Chao, Cheng-Ta Lee, Wei-Shiau Suen, Ming-Hsun Wu
- Patent number: 11089058
  Abstract: A network-based appliance includes a mechanism to set up and selectively use an “out-of-band” encryption channel. The mechanism comprises a packet parser and a packet dispatcher, and it is integrated with an existing network layer stack that typically is not visible to host applications. In lieu of simply encrypting all data it receives, the mechanism instead analyzes one or more attributes, e.g., protocol type, application type, current encryption strength, content payload, etc., associated with a packet transmission to determine whether further encryption is required. The evaluation may include a deep packet inspection (DPI) when the information at the network layer (e.g., IP address, port number, etc.) is not sufficient to determine if the payload in the packet needs to be further encrypted. Based on the result of the analysis, packets are dispatched to the encryption channel as and when necessary.
  Type: Grant
  Filed: January 25, 2018
  Date of Patent: August 10, 2021
  Assignee: International Business Machines Corporation
  Inventors: Cheng-Ta Lee, Chun-Shuo Lin, Wei-Shiau Suen, Ming-Hsun Wu
- Patent number: 11032268
  Abstract: Embodiments provide a system and method for network tracking. Through various methods of packet encapsulation or IP option filling, one or more packets of information can be tagged with a unique security tag to prevent unauthorized access. A user agent can be validated by an authentication server through acceptance of one or more user credentials. The authentication server can generate a security token that can be transmitted to the user agent. The user agent can generate a keystream from the security token, and portions of that keystream can be attached to the packets as the security tag. The tagged packets can be forwarded to an authenticator, who can recreate the keystream from a copy of the security token provided by the authentication server. If the tags generated from the authenticator match the tags on the tagged packet, the authenticator can strip the tag from the tagged packet and forward the packet on to its next network address.
  Type: Grant
  Filed: April 11, 2019
  Date of Patent: June 8, 2021
  Assignee: International Business Machines Corporation
  Inventors: Chih-Wen Chao, Cheng-Ta Lee, Wei-Shiau Suen, Ming-Hsun Wu
- Patent number: 11032073
  Abstract: A Man in the Middle (MitM) computer receives a first session identifier from a client for a first communication session between the client and a server, and monitors Transport Layer Security (TLS) communication sessions between the client and the server, where the first session identifier is one of an unknown session identifier and an invalid session identifier. In response to receiving the first session identifier from the client, the MitM computer performs one of: requesting a second session identifier from the server for a second communication session if the first session identifier is an unknown session identifier; and transmitting, to the client, an instruction to flush a session cache in the client, where flushing the session cache in the client forces the client and the server to establish a full TLS handshake in order to obtain a session key if the first session identifier is an invalid session identifier.
  Type: Grant
  Filed: March 29, 2019
  Date of Patent: June 8, 2021
  Assignee: International Business Machines Corporation
  Inventors: Cheng-Ta Lee, Ping Min Lin, Wei-Shiau Suen, Ming-Hsun Wu
- Patent number: 10915374
  Abstract: Embodiments pertain to facilitation of live migration of a virtual machine in a network system. During live migration, a first appliance is cloned and state information directed to a first network flow is obtained. The state information is utilized by the cloned appliance to re-direct operations associated with the first network flow. At such time as the first network flow is terminated, the cloned appliance is removed.
  Type: Grant
  Filed: September 14, 2018
  Date of Patent: February 9, 2021
  Assignee: International Business Machines Corporation
  Inventors: Chih-Wen Chao, Cheng-Ta Lee, Wei-Shiau Suen, Travis Wu, Lun Pin Yuan
- Publication number: 20200228513
  Abstract: Embodiments provide a system and method for stateless session synchronization between inspectors for high availability deployments. Man in the Middle inspectors of a communication session between a client and server exchange a shared key that is used as a common seed value in a mapping function algorithm. Each inspector generates identical key-pairs using the common mapping function algorithm, and the inspectors generate the session keys from the key-pairs. Inspectors use the session keys to decrypt and either actively or passively inspect data transferred in a session between a client and server.
  Type: Application
  Filed: March 30, 2020
  Publication date: July 16, 2020
  Inventors: Kuo-Chun Chen, Wei-Hsiang Hsiung, Cheng-Ta Lee, Wei-Shiau Suen, Ming Hsun Wu
- Patent number: 10708348
  Abstract: Methods and systems for high-availability data processing include detecting, at a first data processing system, a change in link state between the first data processing system and a second data processing system. A link state between the first data processing system and a third data processing system is changed responsive to the detection in accordance with a first high availability policy stored at the first data processing system. An identifier of the first data processing system is changed in accordance with the first high availability policy to conform to a second high availability policy stored at the first data processing system. The detection, change of the link state, and change of the identifier are repeated in accordance with the second high availability policy.
  Type: Grant
  Filed: August 15, 2016
  Date of Patent: July 7, 2020
  Assignee: International Business Machines Corporation
  Inventors: Paul Coccoli, Gregory L. Galloway, Cheng-Ta Lee, Wei-Shiau Suen, Ming-Hsun Wu
- Publication number: 20200177605
  Abstract: Embodiments are directed to a method of monitoring a suspicious file, including: receiving, from a web server, a first file; encrypting, by an intermediary network device, the first file; transferring the encrypted file, from the intermediary network device, to an end device; transferring the first file, from the intermediary network device, to a malware analysis device for a malware analysis; and receiving a malware analysis result, from the malware analysis device. If the malware analysis result indicates the first file is not malware, requesting a key; decrypting the encrypted file using the key; and accessing the decrypted file.
  Type: Application
  Filed: December 4, 2018
  Publication date: June 4, 2020
  Inventors: Wei-Hsiang Hsiung, Ming Hsun Wu, Wei-Shiau Suen, Cheng-Ta Lee
- Patent number: 10652224
  Abstract: Embodiments provide a system and method for stateless session synchronization between inspectors for high availability deployments. Man in the Middle inspectors of a communication session between a client and server exchange a shared key that is used as a common seed value in a mapping function algorithm. Each inspector generates identical key-pairs using the common mapping function algorithm, and the inspectors generate the session keys from the key-pairs. Inspectors use the session keys to decrypt and either actively or passively inspect data transferred in a session between a client and server.
  Type: Grant
  Filed: December 5, 2017
  Date of Patent: May 12, 2020
  Assignee: International Business Machines Corporation
  Inventors: Kuo-Chun Chen, Wei-Hsiang Hsiung, Cheng-Ta Lee, Wei-Shiau Suen, Ming Hsun Wu
- Patent number: 10547641
  Abstract: A network-based appliance includes a mechanism to provide TLS inspection with session resumption, but without requiring that a session cache be maintained. To this end, the inspector is configured to cause the TLS client to participate in maintaining the session context, in effect on behalf of the TLS inspector. In operation, when the inspector first receives a session ID from the TLS server, the inspector generates and issues to the client a session ticket that includes the original session ID and other session context information. In this manner, the inspector converts the Session ID-based connection to a Session Ticket-based connection. The session ticket is encrypted by the inspector to secure the session information. When the TLS client presents the session ticket to resume the TLS connection, the inspector decrypts the ticket and retrieves the session ID from it directly. The inspector then uses the original session ID to resume the TLS session.
  Type: Grant
  Filed: June 1, 2017
  Date of Patent: January 28, 2020
  Assignee: International Business Machines Corporation
  Inventors: Cheng-Ta Lee, Wei-Hsiang Hsiung, Wei-Shiau Suen, Ming-Hsun Wu
- Patent number: 10542041
  Abstract: A network-based appliance includes a mechanism to provide TLS inspection with session resumption, but without requiring that a session cache be maintained. To this end, the inspector is configured to cause the TLS client to participate in maintaining the session context, in effect on behalf of the TLS inspector. In operation, when the inspector first receives the session ticket from the TLS server, and in lieu of caching it, the inspector generates and issues to the client a composited ticket that includes the original ticket and session context information that contains the session key. The composited ticket is encrypted by the inspector to secure the session information. When the TLS client presents the composited session ticket to resume the TLS connection, the inspector decrypts the ticket and retrieves the session context from it directly. The inspector then uses the original session ticket to resume the TLS session.
  Type: Grant
  Filed: June 1, 2017
  Date of Patent: January 21, 2020
  Assignee: International Business Machines Corporation
  Inventors: Cheng-Ta Lee, Wei-Hsiang Hsiung, Wei-Shiau Suen, Ming-Hsun Wu
- Publication number: 20190327269
  Abstract: A network-based appliance includes a mechanism to set up and selectively use an “out-of-band” encryption channel. The mechanism comprises a packet parser and a packet dispatcher, and it is integrated with an existing network layer stack that typically is not visible to host applications. In lieu of simply encrypting all data it receives, the mechanism instead analyzes one or more attributes, e.g., protocol type, application type, current encryption strength, content payload, etc., associated with a packet transmission to determine whether further encryption is required. The evaluation may include a deep packet inspection (DPI) when the information at the network layer (e.g., IP address, port number, etc.) is not sufficient to determine if the payload in the packet needs to be further encrypted. Based on the result of the analysis, packets are dispatched to the encryption channel as and when necessary.
  Type: Application
  Filed: June 29, 2019
  Publication date: October 24, 2019
  Applicant: International Business Machines Corporation
  Inventors: Cheng-Ta Lee, Chun-Shuo Lin, Wei-Shiau Suen, Ming-Hsun Wu
- Publication number: 20190238527
  Abstract: Embodiments provide a system and method for network tracking. Through various methods of packet encapsulation or IP option filling, one or more packets of information can be tagged with a unique security tag to prevent unauthorized access. A user agent can be validated by an authentication server through acceptance of one or more user credentials. The authentication server can generate a security token that can be transmitted to the user agent. The user agent can generate a keystream from the security token, and portions of that keystream can be attached to the packets as the security tag. The tagged packets can be forwarded to an authenticator, who can recreate the keystream from a copy of the security token provided by the authentication server. If the tags generated from the authenticator match the tags on the tagged packet, the authenticator can strip the tag from the tagged packet and forward the packet on to its next network address.
  Type: Application
  Filed: April 11, 2019
  Publication date: August 1, 2019
  Inventors: Chih-Wen Chao, Cheng-Ta Lee, Wei-Shiau Suen, Ming-Hsun Wu
- Publication number: 20190230125
  Abstract: A network-based appliance includes a mechanism to set up and selectively use an “out-of-band” encryption channel. The mechanism comprises a packet parser and a packet dispatcher, and it is integrated with an existing network layer stack that typically is not visible to host applications. In lieu of simply encrypting all data it receives, the mechanism instead analyzes one or more attributes, e.g., protocol type, application type, current encryption strength, content payload, etc., associated with a packet transmission to determine whether further encryption is required. The evaluation may include a deep packet inspection (DPI) when the information at the network layer (e.g., IP address, port number, etc.) is not sufficient to determine if the payload in the packet needs to be further encrypted. Based on the result of the analysis, packets are dispatched to the encryption channel as and when necessary.
  Type: Application
  Filed: January 25, 2018
  Publication date: July 25, 2019
  Applicant: International Business Machines Corporation
  Inventors: Cheng-Ta Lee, Chun-Shuo Lin, Wei-Shiau Suen, Ming-Hsun Wu
- Publication number: 20190229912
  Abstract: A Man in the Middle (MitM) computer receives a first session identifier from a client for a first communication session between the client and a server, and monitors Transport Layer Security (TLS) communication sessions between the client and the server, where the first session identifier is one of an unknown session identifier and an invalid session identifier. In response to receiving the first session identifier from the client, the MitM computer performs one of: requesting a second session identifier from the server for a second communication session if the first session identifier is an unknown session identifier; and transmitting, to the client, an instruction to flush a session cache in the client, where flushing the session cache in the client forces the client and the server to establish a full TLS handshake in order to obtain a session key if the first session identifier is an invalid session identifier.
  Type: Application
  Filed: March 29, 2019
  Publication date: July 25, 2019
  Inventors: Cheng-Ta Lee, Ping Min Lin, Wei-Shiau Suen, Ming-Hsun Wu
- Patent number: 10341332
  Abstract: Embodiments provide a system and method for network tracking. Through various methods of packet encapsulation or IP option filling, one or more packets of information can be tagged with a unique security tag to prevent unauthorized access. A user agent can be validated by an authentication server through acceptance of one or more user credentials. The authentication server can generate a security token that can be transmitted to the user agent. The user agent can generate a keystream from the security token, and portions of that keystream can be attached to the packets as the security tag. The tagged packets can be forwarded to an authenticator, who can recreate the keystream from a copy of the security token provided by the authentication server. If the tags generated from the authenticator match the tags on the tagged packet, the authenticator can strip the tag from the tagged packet and forward the packet on to its next network address.
  Type: Grant
  Filed: July 26, 2016
  Date of Patent: July 2, 2019
  Assignee: International Business Machines Corporation
  Inventors: Chih-Wen Chao, Cheng-Ta Lee, Wei-Shiau Suen, Ming-Hsun Wu
- Publication number: 20190173863
  Abstract: Embodiments provide a system and method for stateless session synchronization between inspectors for high availability deployments. Man in the Middle inspectors of a communication session between a client and server exchange a shared key that is used as a common seed value in a mapping function algorithm. Each inspector generates identical key-pairs using the common mapping function algorithm, and the inspectors generate the session keys from the key-pairs. Inspectors use the session keys to decrypt and either actively or passively inspect data transferred in a session between a client and server.
  Type: Application
  Filed: December 5, 2017
  Publication date: June 6, 2019
  Inventors: Kuo-Chun Chen, Wei-Hsiang Hsiung, Cheng-Ta Lee, Wei-Shiau Suen, Ming Hsun Wu