Packet Filtering Patents (Class 726/13)
  • Patent number: 10382448
    Abstract: Methods and systems are described for detecting command injection attacks. A positive taint inference method receives signature fragments on one hand and converts command injection instructions into command fragments on the other, identifying a potential attack when a command injection instruction contains critical untrusted parts, as determined using the signature fragments. A system detects command injection attacks using this kind of method, and remediates and rejects potential attacks.
    Type: Grant
    Filed: April 20, 2017
    Date of Patent: August 13, 2019
    Assignee: University of Virginia Patent Foundation
    Inventors: Anh Nguyen-Tuong, Jack W. Davidson, Michele Co, Jason D. Hiser, John C. Knight
  • Patent number: 10382461
    Abstract: Described are techniques for identifying anomalous and non-anomalous requests based on metric values determined from a request. Weights to be associated with particular metric values may be determined based on metric data for those values. The metric data may indicate a total number of accesses by requests having a particular metric value, a frequency of access, or particular access times. Based on the weight values and the metric values for the request, a security score for the request may be determined. The security score may indicate a confidence that the request is anomalous or non-anomalous. Potentially anomalous requests may be determined to be non-anomalous if the metric values correspond to known sets of metric values, determined from previous requests. In some cases, metric data may be normalized prior to use to facilitate faster queries and conserve available data storage.
    Type: Grant
    Filed: May 26, 2016
    Date of Patent: August 13, 2019
    Assignee: AMAZON TECHNOLOGIES, INC.
    Inventors: Nima Sharifi Mehr, Dominique Imjya Brezinski, Sunu Aby Mathew
  • Patent number: 10382457
    Abstract: An attack stream identification method, apparatus, and device on a software defined network is presented, where an invalid stream filter table is stored in a switch, and the method includes the following steps: the switch receives a data packet of a data stream and searches, according to a characteristic value of the data packet, the invalid stream filter table for a state field of a filter entry; when the state field is a suspected attack stream state or a non-attack stream state, the switch sends a report message to a controller, determines a rate value for sending the report message to the controller, and fills the rate value in a rate field of the filter entry; and when the rate value is greater than a preset rate threshold, the switch changes the state field of the filter entry to an attack stream state.
    Type: Grant
    Filed: November 29, 2016
    Date of Patent: August 13, 2019
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Laijun Zhong, Xiuchu Zhao, Kai Qi
  • Patent number: 10361899
    Abstract: Some embodiments provide a method for a managed forwarding element that processes packets through a set of packet processing tables by matching rules in the tables. The method receives an update that requires modification to at least one of the packet processing tables. Each rule in the packet processing tables is assigned a range of packet processing table versions in which the rule is valid for processing packets. The method modifies the packet processing tables according to the received update by at least one of (i) modifying the range of packet processing table versions in which an existing rule is valid to end after a current packet processing table version and (ii) adding a new rule with a range of valid packet processing table versions that begins with a next packet processing table version. The method increments the current version of the packet processing tables to commit the modifications.
    Type: Grant
    Filed: January 26, 2016
    Date of Patent: July 23, 2019
    Assignee: NICIRA, INC.
    Inventor: Jarno Rajahalme
  • Patent number: 10360361
    Abstract: The invention relates to a computer-implemented method for controlling access of a terminal (118) to an attribute (112) stored in an ID token (100), wherein the ID token (100) is associated with a user, wherein the method comprises receipt of an identification of the terminal (118) by the ID token (100) and checking by the ID token (100) if a session identification validly associated with the identification of the terminal (118) is stored in the ID token (100), wherein, if a session identification validly associated with the identification of the terminal (118) is stored in the ID token (100), the ID token (100) transmits the session identification to the terminal (118) and grants the terminal (118) access to the attribute (112), wherein a subsequent communication with access to the attribute (112) is carried out in an encrypted manner using a session-specific session key, wherein the session-specific session key is stored in the ID token (100) in a manner associated with the session identification or the ide
    Type: Grant
    Filed: February 10, 2016
    Date of Patent: July 23, 2019
    Assignee: BUNDESDRUCKEREI GMBH
    Inventors: Frank Morgner, Paul Bastian
  • Patent number: 10326793
    Abstract: Systems and methods for guarding a controller area network are disclosed. In one embodiment, a system for guarding a controller area network comprises one or more processors. The one or more processors may be configured to receive a message destined for the controller area network. The one or more processors may further be configured to determine whether the message is legitimate. The one or more processors may further be configured to modify the message, if the message is determined as illegitimate, as an error message.
    Type: Grant
    Filed: June 9, 2016
    Date of Patent: June 18, 2019
    Assignee: RUNSAFE SECURITY, INC.
    Inventors: Andrew Michael Wesie, Joseph Michael Saunders
  • Patent number: 10320851
    Abstract: The following disclosure relates to a method and mediation device (100) in a Lawful Interception (LI) system for detecting and correlating copies of SIP and RTP flows from different domains, EPS or IMS, said method comprising determining a unique IMS Communication Identity Number, IMS CIN, and a corresponding correlation set of identifiers; storing each unique IMS CIN together with its correlation set for an intercepted communication session; correlating a SIP or RTP flow received from one domain to the same SIP or RTP flows of the same communication session received from the other domain by comparing the flow identity information of the received flow to the stored correlation sets, thereby identifying a matching correlation set and its unique IMS CIN; and sending to a LEA requesting LI of the target said received SIP or RTP flow comprising said identified unique IMS CIN for a matching correlation set.
    Type: Grant
    Filed: August 27, 2015
    Date of Patent: June 11, 2019
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Andrea Senatore, Francesco Toro, Elvira Villani
  • Patent number: 10305921
    Abstract: A network security apparatus includes a packet detector detecting transmission of data packets between a plurality of hosts and a plurality of domains and defining a plurality of links therefrom. A model builder circuit receives the plurality of links from the packet detector, receives ground truth information labeling one or more of the plurality of hosts or one or more of the plurality of domains as benign or malicious, generates predictive models from the received links and ground truth information, and stores generated predictive models in a predictive model database. An anomaly detector circuit retrieves the generated predictive models from the predictive model database and uses the predictive models to label each of the plurality of hosts and plurality of domains, that have not previously been labeled by the ground truth information, as benign or malicious.
    Type: Grant
    Filed: April 28, 2016
    Date of Patent: May 28, 2019
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Jing Gao, Deepak Turaga, Long H. Vu, Houping Xiao
  • Patent number: 10306471
    Abstract: A determination is made as to whether a password is required for connecting to a wireless network. In response to determining that no password is required for connecting to the wireless network, data is retrieved from at least one predefined network address through the wireless network. A determination is made as to whether a secondary login verification is required for connecting to the wireless network based on, at least, the retrieved data from the at least one predefined network address.
    Type: Grant
    Filed: June 27, 2018
    Date of Patent: May 28, 2019
    Assignee: Alibaba Group Holding Limited
    Inventor: Baochu Wang
  • Patent number: 10298717
    Abstract: Aspects of the embodiments are directed to a network element that is configured for receiving, from an access point, a data packet originating from a client, the data packet comprising a packet header that comprises a packet header augmented with context information; decapsulating the packet header to identify the context information; applying a client-specific policy on the packet based, at least in part, on the context information; and forwarding the packet to a next hop in the network. The network element can be part of a network, such as a datacenter fabric architecture.
    Type: Grant
    Filed: December 4, 2016
    Date of Patent: May 21, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: Sanjay Kumar Hooda, Sarath Gorthi Subrahmanya
  • Patent number: 10298619
    Abstract: A method of creating micro-segmentation policy for a network is provided. The method monitors the network packet traffic to identify network traffic types and patterns. The method, based on the network traffic types and patterns, identifies a set of components as an affinity group associated with each application. The method generates an application template that includes a set of application components for each application based on information provided by the vendor of the application. The method creates micro-segmentation policy for the network based on a mapping of the components of each affinity group into the components of the template generated for the associated application.
    Type: Grant
    Filed: December 16, 2016
    Date of Patent: May 21, 2019
    Assignee: NICIRA, INC.
    Inventors: Srinivas Nimmagadda, Jayant Jain, Anirban Sengupta
  • Patent number: 10277611
    Abstract: The present disclosure is directed toward systems and methods for identifying and abating padding oracle attacks. One or more embodiments described herein identify and abate padding oracle attacks without necessitating any changes or upgrades to an existing encryption system by providing an intermediate service that can intercept communications from a client-computing device intended for a padding oracle.
    Type: Grant
    Filed: August 21, 2015
    Date of Patent: April 30, 2019
    Assignee: ADOBE INC.
    Inventor: Joseph Steele
  • Patent number: 10264017
    Abstract: A method includes receiving a set of strings and applying one or more filters to generate a subset of strings that are determined to correspond to strings of interest. The method also includes retrieving domain name system (DNS) information associated with a first string of the subset. The method includes executing a rule-based engine to determine, based on application of one or more rules to the DNS information, whether to add the first string to a set of suspicious hostnames.
    Type: Grant
    Filed: December 22, 2016
    Date of Patent: April 16, 2019
    Assignee: PROOFPOINT, INC.
    Inventors: Mark Richard Stemm, Arlyn Robert Johns
  • Patent number: 10264051
    Abstract: According to embodiments described in the specification, a method and system for replicating an application on an auxiliary computing device are provided. The system includes the auxiliary computing device, a mobile computing device executing the application, and at least one server. The server provides the auxiliary computing device with a web application, and the auxiliary computing device presents a code generated using the web application on its display. The mobile computing device captures the code, and uses the code to establish a connection with the auxiliary computing device via the server. The server then routes data between the auxiliary computing device, the mobile computing device and other devices. The data includes application control data, which is routed between the mobile computing device and the auxiliary computing device; and message data, which is routed between the mobile computing device and other devices.
    Type: Grant
    Filed: May 31, 2018
    Date of Patent: April 16, 2019
    Assignee: KIK INTERACTIVE INC.
    Inventor: Christopher Best
  • Patent number: 10257166
    Abstract: A system and method for guest netfilter protection using a virtual machine function includes a memory, one or more processors, in communication with the memory, a virtual machine, a hypervisor, and a virtual network interface controller on the virtual machine. The virtual machine and the hypervisor are configured to execute on the one or more processors. The hypervisor is configured to boot a guest operating system on the virtual machine. Then, the guest operating system is configured to send a list of networking filter rules to a virtual machine function executing on the virtual machine. The virtual machine function is configured to store the list of networking filter rules in a virtual machine function memory. The hypervisor is further configured to prevent the guest operating system from directly accessing the virtual network interface controller and allow the virtual machine function to access the virtual network interface controller.
    Type: Grant
    Filed: August 30, 2016
    Date of Patent: April 9, 2019
    Assignee: Red Hat Israel, Ltd
    Inventor: Michael Tsirkin
  • Patent number: 10243750
    Abstract: The present disclosure generally relates to the field of local break-out traffic. More specifically, the present disclosure relates to a technique of selective copying of data related to traffic that is routed locally in a wireless communication network. A method embodiment comprises: selectively copying data related to locally routed traffic based on one or more control parameters received from a core network (40), the locally routed traffic being routed locally between at least one wireless device (10) and a local service cloud (30); and forwarding the copied data related to the locally routed traffic to the core network (40).
    Type: Grant
    Filed: February 20, 2015
    Date of Patent: March 26, 2019
    Assignee: Telefonaktiebolaget LM Ericsson (Publ)
    Inventors: Johan Rune, Lars Westberg, Vinay Yadhav
  • Patent number: 10230814
    Abstract: Methods, computer program products, and systems are presented. The methods, computer program products, and systems can include, for instance: generating a first mobile device fingerprint of a mobile device and associating the first mobile device fingerprint to an identifier, and generating a second mobile device fingerprint of the mobile device and associating the second mobile device fingerprint to a MAC address of the mobile device. The methods, computer program products, and systems can include, for instance: receiving a first mobile device fingerprint of a mobile device and an identifier associated to the first mobile device fingerprint; receiving a second mobile device fingerprint of the mobile device and a MAC address associated to the second mobile device fingerprint; and associating data received from the mobile device to the identifier.
    Type: Grant
    Filed: December 21, 2017
    Date of Patent: March 12, 2019
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Michael R. Billau, John K. Gerken, III, Jeremy A. Greenberger, Ciaran E. Hannigan
  • Patent number: 10230637
    Abstract: A wireless communication unit is arranged to communicate with one or more wireless mobile communication units. The wireless communication unit comprises: a cellular receiver arranged to receive content from a network server using a conventional client server mechanism; a processor operably coupled to the cellular receiver and configured to convert the received content into a bundle format that can be transmitted into a delay tolerant network; at least one memory operably coupled to the processor and configured to store the bundle formatted content; and at least one short-range wireless circuit operably coupled to the at least one memory and configured to extract the bundle formatted content from the at least one memory and transmit the extracted bundle formatted content to at least one wireless mobile communication unit using a short-range wireless communication technology.
    Type: Grant
    Filed: March 15, 2017
    Date of Patent: March 12, 2019
    Assignee: Virtuosys Limited
    Inventor: Timothy James Speight
  • Patent number: 10212133
    Abstract: System, methods, and apparatuses enable a network security system to more efficiently perform pattern matching against data items. For example, the disclosed approaches may be used to improve the way in which a deep packet inspection (DPI) microservice performs pattern matching against data items (e.g., network traffic, files, email messages, etc.) in order to detect various types of network security threats (e.g., network intrusion attempts, viruses, spam, and other potential network security issues). A DPI microservice generally refers to an executable component of a network security system that monitors and performs actions relative to input data items for purposes related to computer network security.
    Type: Grant
    Filed: July 29, 2016
    Date of Patent: February 19, 2019
    Assignee: ShieldX Networks, Inc.
    Inventors: Ratinder Paul Singh Ahuja, Manuel Nedbal, Sumanth Gangashanaiah
  • Patent number: 10212078
    Abstract: Methods, systems, and computer program products for enabling network services in a multi-tenant IaaS environment are provided. A service portal is deployed in the IaaS environment. In one embodiment, a tenant packet associated with a first tenant of the IaaS environment is received by the service portal. The tenant packet is analyzed to identify one or more services to which to transmit the tenant packet. The tenant packet is distributed to the identified services for processing. A processed tenant packet is received from one or more of the identified services. The processed tenant packet is transmitted to a destination.
    Type: Grant
    Filed: July 9, 2015
    Date of Patent: February 19, 2019
    Assignee: International Business Machines Corporation
    Inventors: Chih-Wen Chao, Cheng-Ta Lee, Wei-Shiau Suen, Ming-Hsun Wu
  • Patent number: 10187487
    Abstract: An infrastructure for hosting services in an aircraft, and related access method are provided. The infrastructure includes a plurality of onboard platforms, each platform corresponding to a functional domain of the aircraft and hosting at least one service able to be implemented in the aircraft in the functional domain in question; at least one onboard communicator communicating with a ground structure, connected to each onboard platform; and at least one access portal able to allow centralized access to services hosted by all of the onboard platforms corresponding to the different functional domains of the aircraft.
    Type: Grant
    Filed: September 25, 2015
    Date of Patent: January 22, 2019
    Assignee: DASSAULT AVIATION
    Inventors: Adrien Drion, Arnaud Hennequin
  • Patent number: 10181148
    Abstract: A system and method is provided for using information broadcast by devices and resources in the immediate vicinity of a mobile device, or by sensors located within the mobile device itself, to ascertain and make a determination of the immediate environment and state of the mobile device. The sensor data is then used to identify situational profiles to target and determine the relevance of apps, advertisements, content, and recommendations.
    Type: Grant
    Filed: June 15, 2017
    Date of Patent: January 15, 2019
    Assignee: Sensoriant, Inc.
    Inventor: Shamim A. Naqvi
  • Patent number: 10158717
    Abstract: A fraud detection method for use in an in-vehicle network system including a plurality of electronic control units that communicate with one another via a bus in accordance with Controller Area Network (CAN) protocol is provided. The method includes receiving at least one data frame sent to the bus, verifying a specific identifier in the received data frame only if the received data frame does not follow a predetermined rule regarding a transmission period and a state of a vehicle having the in-vehicle network system mounted therein is a predetermined state, detecting the received data frame as an authenticated data frame if the verification is successful, and detecting the received data frame as a fraudulent data frame if the verification fails.
    Type: Grant
    Filed: March 22, 2016
    Date of Patent: December 18, 2018
    Assignee: PANASONIC INTELLECTUAL PROPERTY CORPORATION OF AMERICA
    Inventors: Takeshi Kishikawa, Hideki Matsushima, Tomoyuki Haga, Manabu Maeda, Yuji Unagami, Yoshihiro Ujiie
  • Patent number: 10153942
    Abstract: A method for configuring a path for intercepting user data, a method for intercepting user data, an apparatus, a system, a control plane entity and a user plane entity, the method for configuring the path for intercepting user data comprises: acquiring a target to be intercepted and an intercepting interface address; configuring data path configuration information on a user plane entity GW-U according to the target to be intercepted and the intercepting interface address; sending the data path configuration information to the user plane entity GW-U so that the GW-U establishes a path for data transmission; initiating an establishment of an intercepting connection of an intercepting interface to an intercepting entity based on the intercepting interface address so as to transmit the data of the target to be intercepted.
    Type: Grant
    Filed: May 19, 2015
    Date of Patent: December 11, 2018
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Jin Zhang, Shiyong Tan, Weihua Hu
  • Patent number: 10148761
    Abstract: System-on-chip data security appliance (“SoC-DSA”) and methods of operating the same. In one embodiment, the SoC-DSA includes data security mechanisms enclosed within a protected boundary of a single chip. In some embodiments, isolation and access control features are hidden within an on-chip field-programmable gate array (“FPGA”). The isolation and access control features can be implemented such that they are not visible to or alterable by software executing on the processing cores of the SoC-DSA, which provides for continued data security even in the presence of software exploitation, such as a malicious implant, that would otherwise compromise data security in software-only systems. The SoC-DSA can be used to enhance data security in existing data security devices and protocols, such as high assurance guards (“HAG”), and can be used to create new types of security devices, such as devices that enforce alternative human data interaction (“HDI”) models.
    Type: Grant
    Filed: March 22, 2016
    Date of Patent: December 4, 2018
    Assignee: WEB SENSING, LLC
    Inventors: Jason Dahlstrom, Stephen Taylor
  • Patent number: 10104099
    Abstract: A computer implemented method of monitoring a collector computer system includes receiving machine interpretable code that is configured for interpretation by the interpreter that includes: information identifying a first set of one or more monitoring targets within the collector computer system, a method for monitoring the first set of one or more monitoring targets, and predefined reporting criteria. The method also includes interpreting the machine interpretable code with an interpreter; monitoring at least a subset of the first set of one or more monitoring targets for candidate activity that satisfies the predefined reporting criteria by executing compiled instructions that correspond to the method for monitoring the first set of one or more monitoring targets; obtaining candidate event information that is associated with the candidate activity; and reporting the candidate event information to a computer system that is distinct from the collector computer system.
    Type: Grant
    Filed: January 7, 2016
    Date of Patent: October 16, 2018
    Assignee: Countertack, Inc.
    Inventor: Amir Szekely
  • Patent number: 10069797
    Abstract: This application discloses a network monitoring method and apparatus. The network monitoring method includes: receiving a packet transmitted on a network, where the packet has flow information that indicates a network flow for transmission of the packet; acquiring the flow information of the packet; detecting whether a metadatabase includes the flow information corresponding to the packet, where the metadatabase is used to store metadata and flow information associated with the metadata; generating, according to a detection result about the flow information, metadata related to the transmission of the packet, and associating the metadata with the corresponding flow information; and storing the generated metadata and the flow information associated with the generated metadata into the metadatabase.
    Type: Grant
    Filed: February 3, 2016
    Date of Patent: September 4, 2018
    Assignee: Fluke Corporation
    Inventors: Arong Pan, Liang Zhang, Shiguang Pan
  • Patent number: 10069798
    Abstract: A method, and associated system and computer program product, for modifying rules in a firewall infrastructure are described. A unit of deployment including application code and a signed passport is received at a requestor module on a server. The passport includes a heart-beat time-out interval, a firewall rule, and a first application hash value. A trigger signal within the heart-beat time-out interval is generated. The application code is hashed, resulting in a second application hash value. In response to authenticating the passport and determining the first and second application hash values as being equal, the signed passport and trigger signal are transmitted to a border control agent of the firewall; the firewall rule is continuously confirmed within a time interval shorter than the heart-beat time-out interval; and the firewall is modified according to the firewall rule.
    Type: Grant
    Filed: December 26, 2017
    Date of Patent: September 4, 2018
    Assignee: International Business Machines Corporation
    Inventors: Joachim H. Frank, Holger Karn
  • Patent number: 10063588
    Abstract: The invention proposes a new device and method that allow scanning and downloading the content of a portable storage device (e.g., a USB drive) from any computer with a portable storage device port and a browser, without the risk of the computer being infected by a virus or malware resident on the portable storage device. The device can be manufactured as a small and portable unit.
    Type: Grant
    Filed: March 19, 2016
    Date of Patent: August 28, 2018
    Assignee: The Boeing Company
    Inventors: Enrique Juan Casado Magaña, David Esteban-Campillo, David Scarlatti
  • Patent number: 10057292
    Abstract: A method for operating a security gateway between data buses of a vehicle, in which a correlation between an identification information item (ID) of the message (N) and a processing rule (VR) is provided by a routing matrix (RM) for each message (N) arriving on a data bus, wherein, at least one processing rule (VR) allocated to an identification information item (ID) has a reference information item (POLICY) to a security rule (SR) stored in a memory unit, which rule is used for filtering the message (N) having this identification information item (ID) by an interpreter (IP). In an alternative solution, the reference information (POLICY) is omitted.
    Type: Grant
    Filed: December 11, 2013
    Date of Patent: August 21, 2018
    Assignees: Continental Teves AG & Co. oHG, Continental Automotive GmbH, Continental Automotive Systems, Inc.
    Inventors: Hans Gregor Molter, Stefan Kruber
  • Patent number: 10057213
    Abstract: Methods and systems for selectively blocking, allowing and/or reformatting IPv6 headers by traversing devices are provided. According to one embodiment, reputation information regarding observed senders of Internet Protocol (IP) version 6 (IPv6) packets and packet fragments is maintained by a traversing device based on conformity or nonconformity of extension headers contained within the IPv6 packets with respect to a set of security checks performed by the traversing device. When an IPv6 packet or packet fragment is received from a particular source IP address indicated by the reputation information to be associated with one or more nonconformity issues, the traversing device drops, rate limits or quarantines the IPv6 packet or the packet fragment.
    Type: Grant
    Filed: September 11, 2017
    Date of Patent: August 21, 2018
    Assignee: Fortinet, Inc.
    Inventor: Thorsten Jäger
  • Patent number: 10044673
    Abstract: A privatized link between an origin server and a content delivery network is provided. A privatized link can be a direct connection that does not route over the internet. Another privatized link is one that rotates IP addresses. An origin server may be assigned to use a set of multiple IP addresses for communication with the content delivery network. However, at any given time, the origin server is only using a small number of IP addresses. When one of the IP addresses being used to communicate with the content delivery network comes under attack, the origin server switches to another IP address in the set in order to continue serving content to the content delivery network via an IP address that is not under attack.
    Type: Grant
    Filed: July 22, 2015
    Date of Patent: August 7, 2018
    Assignee: Fastly, Inc.
    Inventors: Sean A. Leach, Artur Bergman, Thomas J. Daly
  • Patent number: 10044680
    Abstract: The present invention relates to a receiver information hiding method of hiding receiver information of a message in a system including a transmitting terminal broadcasting the message and a multitude of receiving terminals receiving the message, and the method includes selecting by the transmitting terminal at least one receiving terminal that has to process the message from the plurality of terminals, transforming by the transmitting terminal address information regarding the selected at least one receiving terminal, generating by the transmitting terminal the message using the transformed address information and broadcasting the generated message, and determining by each of the plurality of receiving terminals whether or not the corresponding receiving terminal is included in the selected at least one receiving terminal using specific address information corresponding to each of the plurality of receiving terminals and the transformed address information, in response to the reception of the message, and se
    Type: Grant
    Filed: April 25, 2016
    Date of Patent: August 7, 2018
    Assignee: AGENCY FOR DEFENSE DEVELOPMENT
    Inventors: Woomin Lee, Mirim Ahn, Yonghyun Kim, Juyoub Kim, Yihyeong Kim, Taekyoung Kwon, Sangho Park
  • Patent number: 10033742
    Abstract: An information processing apparatus for suitably registering policy information by considering an order of priority while reducing the burden on a user has the following structure. When policy information used for communication with an apparatus of a communication partner is to be registered in a storage unit, and when an address of the apparatus of the communication partner of the policy information to be registered in the storage unit is included in an address of an apparatus of a communication partner of policy information already stored in the storage unit, registering of the policy information to be registered so that an order of priority of the policy information to be registered in the storage unit is set lower than an order of priority of the policy information whose address includes the address of the apparatus of the communication partner of the policy information to be registered is restricted.
    Type: Grant
    Filed: March 24, 2009
    Date of Patent: July 24, 2018
    Assignee: CANON KABUSHIKI KAISHA
    Inventor: Go Inoue
  • Patent number: 10021204
    Abstract: A client request originating from a client device and destined for a server via a network is intercepted. The server is configured to perform a service in response to the client request. A determination is made of whether the request action and the request resource of the client request match a pattern action and a pattern resource of a pattern in a rule. Based on a determination that there is a match, a determination is made of whether a threshold trigger condition in the rule is satisfied. In response to the threshold trigger condition being satisfied, a determination is made of whether a reset condition in the rule is not satisfied. In response to the reset condition not being satisfied, at least one rule action associated with the pattern is performed, wherein performing the at least one rule action comprises returning an errored response back to the client device.
    Type: Grant
    Filed: July 12, 2016
    Date of Patent: July 10, 2018
    Assignee: CA, Inc.
    Inventors: John Ainsworth, John Thomas Devine
  • Patent number: 10015145
    Abstract: Systems and methods are directed towards network data leakage prevention (DLP). More specifically, the systems and methods are directed towards using TCP (Transmission Control Protocol) data packets in conjunction with the DLP monitor. The network DLP utilizes TCP data packets to carry source user identity. With the source user identity, the DLP monitor can determine if sensitive data can be transmitted based on the provided user information and corresponding DLP policies for each user. Furthermore, the DLP monitor can determine if sensitive data can also be transmitted for particular users in situations where multiple users share the same IP address.
    Type: Grant
    Filed: August 5, 2015
    Date of Patent: July 3, 2018
    Assignee: SonicWALL Inc.
    Inventors: Hui Ling, Zhong Chen, Cuiping Yu, Zunping Cheng
  • Patent number: 9985926
    Abstract: An address acquiring method includes receiving an address resolution request packet sent by a source host, where the address resolution request packet includes an Internet Protocol (IP) address of a destination host; determining another network virtualization edge (NVE) device, where the other NVE device stores a correspondence between the IP address of the destination host and a Media Access Control (MAC) address of the destination host and a correspondence between the IP address of the destination host and an IP address of a destination NVE device corresponding to the destination host; and obtaining the MAC address of the destination host and the IP address of the destination NVE device corresponding to the destination host from the other NVE device according to the IP address of the destination host. The technical solutions provided in the present disclosure are intended to reduce processing pressure on a physical network.
    Type: Grant
    Filed: July 19, 2016
    Date of Patent: May 29, 2018
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Xiangyang Xu, Liufei Wen
  • Patent number: 9979750
    Abstract: Provided are systems, methods, and computer-program products for providing network deceptions using a network tunnel. In various implementations, a network device on a first network can be configured as a projection point. A projection point can be configured as one endpoint of a network tunnel. The other end of the network tunnel can terminate at a deception center. The deception center can host a second network, where the second network includes network devices configured as deception mechanisms. By assigning a deception mechanism a network address from the first network, the network address and the network tunnel enable the deception mechanism to appear as a node in the first network.
    Type: Grant
    Filed: April 26, 2017
    Date of Patent: May 22, 2018
    Assignee: ACALVIO TECHNOLOGIES, INC.
    Inventors: Johnson Wu, Sreenivas Gukal, Rammohan Varadarajan
  • Patent number: 9973501
    Abstract: Outbound traffic of a host application may be received from a host device having a host processor. The secure resource may be configured to provide a secure transaction based on the outbound network traffic. Using a second processor different than the host processor, it may be determined whether the host application is authorized to provide the outbound network traffic to the secure resource. The outbound network traffic may be allowed to be forwarded to the secure resource if the host application is authorized. The outbound network traffic may be disallowed to be forwarded to the secure resource if the host application is not authorized.
    Type: Grant
    Filed: October 9, 2013
    Date of Patent: May 15, 2018
    Assignee: CUPP Computing AS
    Inventor: Shlomo Touboul
  • Patent number: 9954869
    Abstract: Provided is authentication and authorization without the use of supplicants. Authentication and authorization includes generating a profile for a device based on at least one characteristic observed during a successful attempt by the device to access an 802.1X network infrastructure. Expected characteristics for a next attempt to access the infrastructure by the device are determined. A characteristic of the next access attempt is matched to the expected characteristic and access to the network is selectively controlled as a result of the matching. This is achieved without a supplicant being installed on the device.
    Type: Grant
    Filed: September 8, 2017
    Date of Patent: April 24, 2018
    Assignee: WELLS FARGO BANK, N.A.
    Inventors: Ryan B. Benskin, Lawrence T. Belton, Jr., Christopher Houser, Peter A. Makohon, Timothy Morris, Omar Bracey
  • Patent number: 9942277
    Abstract: A policy engine is situated within the communications path of a cloud computing environment and a user of the cloud computing environment to comply with an organization's policies for deploying web applications in the cloud computing environment. The policy engine intercepts communications packets to the cloud computing environment from a user, such as a web application developer, for example, in preparation for deploying a web application in the cloud computing environment. The policy engine identifies commands corresponding to the communications packets and directs the communications packets to appropriate rules engines corresponding to such commands in order to execute rules to comply with an organization's policies. Upon completion of execution of the rules, the communications packets are forwarded to the cloud computing environment if they comply with the policies.
    Type: Grant
    Filed: January 30, 2017
    Date of Patent: April 10, 2018
    Assignee: Pivotal Software, Inc.
    Inventors: Mark Lucovsky, Derek Collison, Vadim Spivak, Gerald C. Chen, Ramnivas Laddad
  • Patent number: 9942214
    Abstract: A computer-facilitated service receives a request, from a user client, to access a site provided by the service. The service may obtain, from the request, identifying information, which may be used to identify prior activity of the user client. This prior activity is used to determine whether the user client is to be provided with an interstitial user interface component, which may be configured to cause the user client to provide additional information about the client and to be successfully completable by an automated agent or other automated process. If an interstitial user interface component is provided, the service may receive, from the user client, this additional information, which may be used to determine whether the user client is using an automated agent to access the site.
    Type: Grant
    Filed: March 2, 2015
    Date of Patent: April 10, 2018
    Assignee: Amazon Technologies, Inc.
    Inventors: Alexandru Burciu, Blair Livingstone Hotchkies, Valeriu Palos, Gabriel-Valeriu Rizuc, Sorin Alin Stoiana, Elena Zlavog
  • Patent number: 9942315
    Abstract: Techniques are described for anonymous peer storage. In one example, techniques include invoking an action of backing up one or more files utilizing distributed storage for a node Ni in a multi-node network; encrypting the one or more files into a combined encrypted file with a private key required to decrypt the combined encrypted file; splitting the combined encrypted file into Pi portions (P1, P2 . . . Pn) and associating a file identifier Fi with each Pi; anonymously distributing the Pi portions and associated identifier Fi to other nodes Nj and Nk wherein each of j and k is different from i; retaining a lookup file containing, for each Pi, the (Nj, Nk) pairs, the Fi, and the private key for future retrieval and decryption; and responsive to receiving an anonymous request containing the Fi from one of the Nj and the Nk, returning the Pi.
    Type: Grant
    Filed: October 27, 2015
    Date of Patent: April 10, 2018
    Assignee: International Business Machines Corporation
    Inventor: Timothy R Simek
  • Patent number: 9935957
    Abstract: Outbound traffic of a host application may be received from a host device having a host processor. The secure resource may be configured to provide a secure transaction based on the outbound network traffic. Using a second processor different than the host processor, it may be determined whether the host application is authorized to provide the outbound network traffic to the secure resource. The outbound network traffic may be allowed to be forwarded to the secure resource if the host application is authorized. The outbound network traffic may be disallowed to be forwarded to the secure resource if the host application is not authorized.
    Type: Grant
    Filed: October 9, 2013
    Date of Patent: April 3, 2018
    Assignee: CUPP Computing AS
    Inventor: Shlomo Touboul
  • Patent number: 9930012
    Abstract: Private network request forwarding can include receiving a request from a user for Internet services over a public network. Private network request forwarding can include analyzing the request and determining whether the request is legitimate. Private network request forwarding can include forwarding the request to an entity through a private network when it is determined that the request is legitimate, wherein the user has access to the entity through a proxy.
    Type: Grant
    Filed: January 5, 2016
    Date of Patent: March 27, 2018
    Assignee: United Services Automobile Association (USAA)
    Inventors: Donald E. Clemons, Jr., Christopher T. Wilkinson
  • Patent number: 9930010
    Abstract: Some embodiments of the invention provide a method that performs security operations for packets that are processed by a forwarding element. The method of some embodiments receives, at a security agent operating on a physical machine, a packet from a forwarding element that also operates on the physical machine. The method then determines whether a security rule is stored for the packet at the security agent. When no security rule is stored for the packet, the method transmits the packet to a default security controller of several security controllers that store security rules for a network and process packets according to the stored security rules. When the security rule is stored for the packet, the method processes the packet according to the stored security rule for the packet.
    Type: Grant
    Filed: July 28, 2015
    Date of Patent: March 27, 2018
    Assignee: NICIRA, INC.
    Inventors: Keyong Sun, Yonggang Wang, Frank Guo, Liang Li, Zikang Chen
  • Patent number: 9912643
    Abstract: An attack defense processing method and a protection device are provided. In the attack defense processing method, the protection device receives a first packet; if it is determined that the first packet is an Internet Control Message Protocol version 6 (ICMPv6) Packet Too Big packet, the protection device parses the first packet to obtain an internet protocol (IP) address of a source node, an IP address of a destination node, and a Maximum Transmission Unit (MTU) value that are carried in the first packet, determines a range of valid MTUs on a path between the source node and the destination node according to the IP address of the source node and the IP address of the destination node, and performs attack defense processing for the first packet when it is determined that the MTU value does not belong to the range of the valid MTUs.
    Type: Grant
    Filed: September 29, 2015
    Date of Patent: March 6, 2018
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventor: Yongbo Pan
  • Patent number: 9912488
    Abstract: A system that incorporates teachings of the present disclosure may include, for example, utilizing a first diameter agent function to route messages between network elements that provide subscriber management for a communication session, utilizing the first agent function to maintain transaction state during the communication session without maintaining session state, and utilizing the first server to selectively adjust routing information for the messages without adjusting non-routing information for the messages. Other embodiments are disclosed.
    Type: Grant
    Filed: May 15, 2012
    Date of Patent: March 6, 2018
    Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventor: Walter Cooper Chastain
  • Patent number: 9906494
    Abstract: For a host that executes one or more guest virtual machines (GVMs), some embodiments provide a novel virtualization architecture for utilizing a firewall service virtual machine (SVM) on the host to check the packets sent by and/or received for the GVMs. In some embodiments, the GVMs connect to a software forwarding element (e.g., a software switch) that executes on the host to connect to each other and to other devices operating outside of the host. Instead of connecting the firewall SVM to the host's software forwarding element that connects its GVMs, the virtualization architecture of some embodiments provides an SVM interface (SVMI) through which the firewall SVM can be accessed to check the packets sent by and/or received for the GVMs.
    Type: Grant
    Filed: March 31, 2014
    Date of Patent: February 27, 2018
    Assignee: NICIRA, INC.
    Inventors: Chidambareswaran Raman, Subrahmanyam Manuguri, Todd Sabin
  • Patent number: RE47394
    Abstract: An electronic device has first and second circuitry. A wireless trigger signal at the first circuitry causes the second circuitry to power up to receive a second wireless signal. The second signal is according to a radio access technology with which the trigger signal is incompatible. In various embodiments the first circuitry (a low power receiver) may autonomously power up upon expiration of a timer. One or more security checks can be performed at various steps, each step conditional on passing the previous security check. The first circuitry operates at a lower power than the second circuitry, which comprises a broadband radio. For example, the first circuitry might be a Bluetooth low energy receiver, and a trigger signal there causes a WLAN receiver to power up in order to download software/firmware updates or user content while the device is en route between the manufacturer and end user.
    Type: Grant
    Filed: September 2, 2016
    Date of Patent: May 14, 2019
    Assignee: WSOU Investments, LLC
    Inventors: Jussi P.O. Ruutu, Jani P. J. Ollikainen, Joni J. M. Jantunen, Jukka P. Reunamaki, Mauri J. Honkanen, Jyri J. Hamalainen, Jarmo T. Arponen