Packet Filtering Patents (Class 726/13)
  • Patent number: 10735378
    Abstract: Embodiments relate to systems, computer readable media, devices, and computer-implemented methods for providing improved network security by receiving a network packet, applying a filter rule in a first instance of a distributed reputation database to the network packet, determining, using a network interface card with a field programmable gate array, to drop or modify the network packet based on the applying, and transmitting reputation data to a security control center that includes a second instance of the distributed reputation database, where the reputation data includes information corresponding to the network packet that was dropped or modified.
    Type: Grant
    Filed: June 15, 2017
    Date of Patent: August 4, 2020
    Assignee: VERISIGN, INC.
    Inventors: John Bosco, Kenneth Ryan, Dow Summers
  • Patent number: 10735453
    Abstract: Implementations disclosed herein provide a managed security service that distributes processing tasks among a number of network security modules working in parallel to process component portions of a replayed network traffic stream. If a network security module detects a potential security threat, the network security module may generate a delivery request specifying other information potentially useful in further investigation of the potential security threat. The delivery request is communicated to a plurality of other processing entities, such as the other network security modules, and any processing entity currently receiving the requested information may respond to the delivery request. Once a source of the requested information is determined, the requested information is routed to the origin of the request.
    Type: Grant
    Filed: March 1, 2019
    Date of Patent: August 4, 2020
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Eugene B. Stevens, IV, Eric J. Stevens, Benjamin E. Kornmeier, Joshua J. Hollander, Antonis Papadogiannakis
  • Patent number: 10723587
    Abstract: An elevator system stores, in a server, information on an elevator installed in a building that is communicably connected to a data center in which the server is installed, the building and the data center being communicable independently via a first network and a second network, respectively, wherein the building includes: an information collection device configured to collect information on the elevator; a sorting device configured to determine which of the first network and the second network is to be used as a transmission path via which the information on the elevator collected by the information collection device is to be transmitted to the data center; and a communication device configured to transmit the information on the elevator collected by the information collection device to the data center via the transmission path determined by the sorting device.
    Type: Grant
    Filed: March 14, 2016
    Date of Patent: July 28, 2020
    Assignee: Mitsubishi Electric Corporation
    Inventor: Tomohiro Hattori
  • Patent number: 10715466
    Abstract: According to one aspect, a system for locating application-specific data that includes a server, a broker, and an agent. An operator may define a command using the server, and this command may be sent to the broker. The broker may then send the command to the agent operating on an end-point system. The agent may then conduct an application-specific data search on the end-point system in respect of the user command. Search results may then be sent to the broker. The broker may then sent the search results to the server.
    Type: Grant
    Filed: September 20, 2018
    Date of Patent: July 14, 2020
    Assignee: MAGNET FORENSICS INC.
    Inventors: Nicholas Bruce Alexander Cosentino, Tayfun Uzun
  • Patent number: 10701036
    Abstract: A method for containing a threat in network environment using dynamic firewall policies is provided. In one example embodiment, the method can include detecting a threat originating from a first node having a source address in a network, applying a local firewall policy to block connections with the source address, and broadcasting an alert to a second node in the network. In more particular embodiments, an alert may be sent to a network administrator identifying the source address and providing remedial information. In yet other particular embodiments, the method may also include applying a remote firewall policy to the first node blocking outgoing connections from the first node.
    Type: Grant
    Filed: June 27, 2016
    Date of Patent: June 30, 2020
    Assignee: McAfee, LLC
    Inventors: Manabendra Paul, Praveen Ravichandran Sudharma
  • Patent number: 10691795
    Abstract: This document describes a system and method for quantitatively unifying and assimilating all unstructured, unlabelled and/or fragmented real-time and non-real-time cyber threat data generated by a plurality of sources. These sources may include cyber-security surveillance systems that are equipped with machine learning capabilities.
    Type: Grant
    Filed: October 24, 2016
    Date of Patent: June 23, 2020
    Assignee: Certis Cisco Security Pte Ltd
    Inventor: Keng Leng Albert Lim
  • Patent number: 10693892
    Abstract: A technique for network attack tainting and tracking includes monitoring data packets received from a network for a malicious request. Responsive to detecting a malicious request, a payload is created that is digitally signed. The digitally signed payload is encrypted and injected into a response message, and the response message is then transmitted to a source of the request as a response to the request.
    Type: Grant
    Filed: December 11, 2017
    Date of Patent: June 23, 2020
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Cheng-ta Lee, Ronald B. Williams
  • Patent number: 10686916
    Abstract: A novel algorithm for packet classification that is based on a novel search structure for packet classification rules is provided. Addresses from all the containers are merged and maintained in a single Trie. Each entry in the Trie has additional information that can be traced back to the container from where the address originated. This information is used to keep the Trie in sync with the containers when the container definition dynamically changes.
    Type: Grant
    Filed: September 2, 2018
    Date of Patent: June 16, 2020
    Assignee: NICIRA, INC.
    Inventors: Mohan Parthasarathy, Jayant Jain, Xinhua Hong, Anirban Sengupta
  • Patent number: 10680847
    Abstract: A gateway device for a vehicle network system, the vehicle network system including a bus, a first electronic control unit connected to the bus, and the gateway device connected to the bus. The gateway device comprising: one or more memories; and circuitry which, in operation, performs operations including: receiving a first frame transmitted to the bus by the first electronic control unit; when the first frame is received, including first control information in a second frame, the second frame including information based on content of the first frame, the first control information related to a restriction on processing, the restriction on processing being after a reception of the second frame; and transmitting the second frame to the bus.
    Type: Grant
    Filed: January 5, 2017
    Date of Patent: June 9, 2020
    Assignee: PANASONIC INTELLECTUAL PROPERTY CORPORATION OF AMERICA
    Inventors: Yoshihiro Ujiie, Hideki Matsushima, Toshihisa Nakano, Tohru Wakabayashi, Hiroshi Amano, Tomoyuki Haga, Takeshi Kishikawa
  • Patent number: 10659481
    Abstract: Systems and methods that determine an anomaly in a network are provided. A monitoring engine is installed on a computing device that monitors network information and application information for data flows generated on the computing device and transmitted over a network and for data flows received by the computing device from the network. The network information includes an internet protocol (IP) source address, a source port, an IP destination address, a destination port, and a transport protocol, and a number of bytes sent or received by the flow. The application information includes a process identifier (ID), the threads ID, an application ID and/or a function call, arguments passed to the function, a stack trace of the function, etc., that application used to generate the data flows. The network information and application information can be used to identify the application, thread and/or a function that caused an anomaly in the network.
    Type: Grant
    Filed: June 29, 2016
    Date of Patent: May 19, 2020
    Assignee: PayPal, Inc.
    Inventor: Shlomi Boutnaru
  • Patent number: 10659571
    Abstract: Disclosed are techniques for implementing network devices with pluralities of packet checkers or packet generators. The packet generators can be configured to self generate data packets with a packet payload and header information and a test type of data packets. The packet checkers can determine if a data packet is a test type of data packet and perform one or more actions.
    Type: Grant
    Filed: December 27, 2016
    Date of Patent: May 19, 2020
    Assignee: Amazon Technologies, Inc.
    Inventor: Thomas A. Volpe
  • Patent number: 10652265
    Abstract: The present invention provides a method for detecting a website attack, comprising: selecting multiple uniform resource locators (URLs) from history access records of a website; clustering the multiple uniform resource locators; and generating a whitelist from the multiple uniform resource locators according to a clustering result. In some embodiments of the present invention, a common OWASP attack at URL level can be checked.
    Type: Grant
    Filed: January 12, 2018
    Date of Patent: May 12, 2020
    Inventor: Lianqun Yang
  • Patent number: 10637827
    Abstract: A security network system is disclosed. The security network system includes a processor selectively operable in either a normal world or a secure world, wherein the processor receives, from an external network, a packet by using a network driver module of the secure world, extracts data of the packet by using a TCP/IP module of the secure world if the packet received from the external network is used in the secure world, uses the data of the packet in the secure world, and extracts the data of the packet by using the TCP/IP module of the secure world so as to transmit the data of the packet to the normal world if the packet is not used in the secure world.
    Type: Grant
    Filed: July 21, 2016
    Date of Patent: April 28, 2020
    Assignee: SAMSUNG ELECTRONICS CO., LTD.
    Inventors: Yu-sun Kim, In-ho Kim, In-hwan We, Jong-tak Lee
  • Patent number: 10630645
    Abstract: Private network request forwarding can include receiving a request from a user for Internet services over a public network. Private network request forwarding can include analyzing the request and determining whether the request is legitimate. Private network request forwarding can include forwarding the request to an entity through a private network when it is determined that the request is legitimate, wherein the user has access to the entity through a proxy.
    Type: Grant
    Filed: February 2, 2018
    Date of Patent: April 21, 2020
    Assignee: United Services Automobile Association (USAA)
    Inventors: Donald E. Clemons, Jr., Christopher T. Wilkinson
  • Patent number: 10616067
    Abstract: A deployment service at a remote provider network receives topology data for a local network and generates data filters for edge devices of the local network based on the topology data. The deployment service then sends the data filters to a hub device connected to the local network. The hub device deploys the data filters to respective edge devices of the local network. The data filters may be configured to discard a sufficient portion of collected data to prevent routers from being overloaded by network traffic. The data filters may also be configured to discard a sufficient portion of collected data to prevent the edge devices from consuming too much power in order to preserve energy cost or battery life.
    Type: Grant
    Filed: June 27, 2017
    Date of Patent: April 7, 2020
    Assignee: Amazon Technologies, Inc.
    Inventor: Aran Khanna
  • Patent number: 10587706
    Abstract: Methods, apparatus, systems, and articles of manufacture to correlate a demographic segment with a fixed device are disclosed. An example method includes accessing a record indicating a public Internet Protocol (IP) address used by a fixed device. A monitoring data record received from a mobile device is accessed. A demographic segment of a user of the mobile device is determined. The mobile device is associated with the fixed device when an IP address of the mobile device from the monitoring data record matches the public IP address used by the fixed device. The demographic segment of the user of the mobile device is associated with the fixed device based on the association of the fixed device and the mobile device.
    Type: Grant
    Filed: December 19, 2014
    Date of Patent: March 10, 2020
    Assignee: The Nielsen Company (US)
    Inventors: Jean-Pierre Abello, Arun Ramaswamy, Jan Besehanic
  • Patent number: 10587491
    Abstract: Disclosed are techniques for implementing features within a network device. The network device can function to forward sequences of data packets received by the network device as well as concurrently generate or check test type of data packets.
    Type: Grant
    Filed: December 27, 2016
    Date of Patent: March 10, 2020
    Assignee: Amazon Technologies, Inc.
    Inventor: Thomas A. Volpe
  • Patent number: 10567964
    Abstract: A method includes establishing, by a mobile device in a wireless network, an indirect connection of a first device to a node of the wireless network using the mobile device as an intermediate node for wireless transport and transferring, by the mobile device, data over the indirect connection via a first wireless link comprising a direct device connection between the first device and the mobile device and a second wireless link comprising a direct 3GPP (3rd Generation Partnership Project) connection between the mobile device and the wireless network. The indirect connection supports security protection of communications between the node of the wireless network and the first device based at least in part on an active security context maintained within the wireless network for communication via at least one messaging protocol layer with at least the first device.
    Type: Grant
    Filed: November 22, 2016
    Date of Patent: February 18, 2020
    Assignee: Futurewei Technologies, Inc.
    Inventors: Nathan Edward Tenny, Hui Jin
  • Patent number: 10554790
    Abstract: The disclosed embodiments relate to provisioning of a service, such as a financial service, to a device, such as a mobile device operative to access the service wirelessly or otherwise, in a manner which efficiently provides a consistent user experience which meets a user's expectations as to the functionality and quality of the service, including the user interface therefore and service delivery, which leverages the available capacities of the devices through which the service is provided so as to maximize the functionality and quality of the provided service without diminishing the experience, i.e. without substantially reducing the quality or functionality.
    Type: Grant
    Filed: May 23, 2018
    Date of Patent: February 4, 2020
    Assignee: E*TRADE Financial Corporation
    Inventor: Sanjib Sahoo
  • Patent number: 10554684
    Abstract: A first device may receive content from a second device based on a request for the content. The first device may be located between the second device and a third device. The first device may determine a value for a portion of the content using a function, where the value is to be used to analyze the content. The value may uniquely identify the portion of the content. The first device may determine whether a classification of the content can be determined. The first device may selectively determine the classification of the content by providing the value or the portion of the content corresponding to the value, to a fourth device when the classification cannot be determined, or determine the classification of the content using a data store when the classification can be determined. The first device may perform an action with respect to the content.
    Type: Grant
    Filed: March 29, 2017
    Date of Patent: February 4, 2020
    Assignee: Juniper Networks, Inc.
    Inventors: Venkata Rama Raju Manthena, Chandrasekar Nagarajan
  • Patent number: 10540651
    Abstract: A system that communicates information is described. This system includes: a network interface, a proxy device coupled to the network interface, and an interface node coupled to the proxy device and configured to couple to a channel. Note that the network interface is configured to transmit outbound messages from the system to a location and to receive inbound messages to the system from the location, and the channel is configured to convey the outbound messages and the inbound messages. Moreover, the proxy device is configured to inspect a given message inbound or outbound based on a pre-determined profile of the location and pre-defined communication rules. Then, the proxy device is configured to restrict the given message based on a result of the inspection, where the restriction occurs after the system begins a communication session with the location and is performed for the duration of the communication session.
    Type: Grant
    Filed: July 31, 2007
    Date of Patent: January 21, 2020
    Assignee: INTUIT INC.
    Inventors: Rodney A. Robinson, Joann Ferguson, Thomas J. Holodnik, Thomas E. Dockman, Spencer W. Fong, Michael P. Owen
  • Patent number: 10541972
    Abstract: In some variations, first and second rule sets may be received by a network protection device. The first and second rule sets may be preprocessed. The network protection device may be configured to process packets in accordance with the first rule set. Packets may be received by the network protection device. A first portion of the packets may be processed in accordance with the first rule set. The network protection device may be reconfigured to process packets in accordance with the second rule set. A second portion of the packets may be processed in accordance with the second rule set.
    Type: Grant
    Filed: March 19, 2019
    Date of Patent: January 21, 2020
    Assignee: Centripetal Networks, Inc.
    Inventors: David K. Ahn, Steven Rogers, Sean Moore
  • Patent number: 10523593
    Abstract: A network system is provided between at least a first client site and a second client site, the first and the second client site are at a distance from one another. A client site network component is implemented at least at the first client site, the client site network component bonding or aggregating one or more diverse network connections so as to configure a bonded/aggregated connection that has increased throughput. At least one network server component may be configured to connect to the client site network component using the bonded/aggregated connection. A cloud network controller may be configured to manage the data traffic and a virtual edge providing transparent lower-link encryption for the bonded/aggregated connection between the client site network component and the network server component.
    Type: Grant
    Filed: June 30, 2016
    Date of Patent: December 31, 2019
    Inventor: Patricio Humberto Saavedra
  • Patent number: 10516687
    Abstract: Systems and methods are described to predict spikes in requests for content on a computing network based on referrer field values of prior requests associated with spikes. Specifically, a traffic spike prediction service is disclosed that can analyze information regarding past requests on the computing network to detect a spike in requests to a content item, where a significant number of request within the spike include a common referrer field value. The traffic spike prediction service can then detect a request to a second content also including the common referrer field value, and predict that a spike is expected to occur with respect to the second content. The traffic spike prediction service can manage the expected spike by increasing an amount of computing resources available to service requests to the second content and by marking traffic of the expected spike as likely legitimate, as opposed to malicious.
    Type: Grant
    Filed: June 15, 2017
    Date of Patent: December 24, 2019
    Assignee: AMAZON TECHNOLOGIES, INC.
    Inventor: Pratap Ramamurthy
  • Patent number: 10516586
    Abstract: Systems, methods, and computer-readable media for identifying bogon addresses. A system can obtain an indication of address spaces in a network. The indication can be based on route advertisements transmitted by routers associated with the network. The system can receive a report generated by a capturing agent deployed on a host. The report can identify a flow captured by the capturing agent at the host. The system can identify a network address associated with the flow and, based on the indication of address spaces, the system can determine whether the network address is within the address spaces in the network. When the network address is not within the address spaces in the network, the system can determine that the network address is a bogon address. When the network address is within the address spaces in the network, the system can determine that the network address is not a bogon address.
    Type: Grant
    Filed: June 2, 2016
    Date of Patent: December 24, 2019
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Shashidhar Gandham, Rohit Chandra Prasad, Abhishek Ranjan Singh, Navindra Yadav, Khawar Deen, Varun Sagar Malhotra
  • Patent number: 10511572
    Abstract: In some variations, first and second rule sets may be received by a network protection device. The first and second rule sets may be preprocessed. The network protection device may be configured to process packets in accordance with the first rule set. Packets may be received by the network protection device. A first portion of the packets may be processed in accordance with the first rule set. The network protection device may be reconfigured to process packets in accordance with the second rule set. A second portion of the packets may be processed in accordance with the second rule set.
    Type: Grant
    Filed: July 22, 2019
    Date of Patent: December 17, 2019
    Assignee: Centripetal Networks, Inc.
    Inventors: David K. Ahn, Steven Rogers, Sean Moore
  • Patent number: 10498750
    Abstract: Systems and methods of monitoring and controlling Internet of Things (IOT) and ZeroConf devices using a cloud-based security system include receiving fingerprints of the IOT and ZeroConf devices and data related to operation from a plurality of user devices; receiving updates related to the IOT and ZeroConf devices, configuration thereof, and proper operation thereof; determining security risk of the IOT and ZeroConf devices based on the fingerprints, the data related to operation, and the updates; and providing the security risk to the plurality of user devices and causing one or more policy-based actions to be performed based on the security risk.
    Type: Grant
    Filed: September 14, 2017
    Date of Patent: December 3, 2019
    Assignee: Zscaler, Inc.
    Inventor: Abhinav Bansal
  • Patent number: 10492139
    Abstract: A method for waking up a radio communications module (RCM) of a station with a wake-up receiver includes receiving a wake-up signal with the wake-up receiver, waking up the RCM from a sleeping mode, transmitting a second frame if a first frame is received within a specified time after waking up the RCM and if an integrity of the first frame is verified successfully, and placing the RCM into the sleeping mode and the wake-up receiver into an active mode if the first frame is not received within the specified time after waking up the RCM or if the first frame is received within the specified time after waking up the RCM but the integrity of the first frame is not verified successfully.
    Type: Grant
    Filed: October 27, 2016
    Date of Patent: November 26, 2019
    Assignee: Futurewei Technologies, Inc.
    Inventors: Yunsong Yang, Gaokun Pang, Shimon Shilo, Avi Weitzman, Genadiy Tsodik
  • Patent number: 10484380
    Abstract: A system that includes a switch, a network authentication server (NAS), and a threat management server. The NAS sends a device identifier for an endpoint device to the threat management server in response to the endpoint device connecting to a port on the switch. The threat management server identifies the endpoint device for removal in response to receiving the device identifier. The threat management server determines the number of times the endpoint device has failed authentication exceeds a first threshold value within a first time period. The threat management server blocks the endpoint device from accessing the network via the port on the switch in response to identifying the endpoint device for removal.
    Type: Grant
    Filed: June 26, 2017
    Date of Patent: November 19, 2019
    Assignee: Bank of America Corporation
    Inventors: Rahul Isola, Anthony P. Grossi
  • Patent number: 10476910
    Abstract: A system for secure network communications is provided. The system includes an enforcement switch in communication with a third-party device and an external device and a plurality of core devices in communication with the third-party device and a plurality of access devices. The enforcement switch is configured to receive a secure frame from the external device. The secure frame includes one or more security features. The secure frame is destined for one or more of the plurality of access devices. The enforcement switch is also configured to generate a regular frame based on the secure frame by removing the one or more security features and transmit the regular frame to the third-party device for routing to the one or more of the plurality of access devices through at least one of the plurality of core devices.
    Type: Grant
    Filed: June 21, 2017
    Date of Patent: November 12, 2019
    Assignee: MASTERCARD INTERNATIONAL INCORPORATED
    Inventor: Gregory T. Spillman
  • Patent number: 10462877
    Abstract: The present invention is related to verifying an installed lighting system (300), in particular an Ethernet-based lighting system (300), without it being necessary to employ a designated lighting controller and allowing the automatic commissioning of the installed lighting system (300). According to an aspect of the invention, this is achieved by providing a network switch (200) that comprises a plurality of ports for coupling luminaires (312A, 312B, 312C, 312D) and sensors and or actuators (314A, 314B) of the lighting system (300) to the network switch (200); and by setting the network switch (200) such that a signal received at a first port (e.g. port 4) of the plurality of ports is only forwarded to pre-selected ports (e.g. ports 2,3,5,6 and 7) of the plurality of ports.
    Type: Grant
    Filed: July 24, 2013
    Date of Patent: October 29, 2019
    Assignee: SIGNIFY HOLDING B.V.
    Inventors: Xiangyu Wang, Emmanuel David Lucas Michael Frimout, Aloys Hubbers
  • Patent number: 10462134
    Abstract: A system that includes a switch, a network authentication server (NAS), and a threat management server. The NAS sends a device identifier for an endpoint device to the threat management server in response to the endpoint device connecting to a port on the switch. The threat management server determines the endpoint device is present in the device log file using the device identifier. The threat management server determines the number of times the device has failed authentication exceeds a first threshold value within a first time period and determines the number of times the device has passed authentication is less than a second threshold value within a second time period. The threat management engine determines the device does not have a lease for the port on the switch and blocks the device from accessing the network via the port on the switch in response to identifying the device for removal.
    Type: Grant
    Filed: June 26, 2017
    Date of Patent: October 29, 2019
    Assignee: Bank of America Corporation
    Inventors: Rahul Isola, Anthony P. Grossi
  • Patent number: 10461957
    Abstract: The invention provides a master MMC/SD apparatus for simultaneously supporting bulk storage and Ethernet communication, a slave MMC/SD apparatus for simultaneously supporting bulk storage and Ethernet communication, a system composed of these two apparatuses as well as a method of operating the system. The apparatuses, system and method which simultaneously support bulk storage and Ethernet communication and which are based on MMC/SD interface enable a master apparatus with MMC/SD interface to support network function while maintaining bulk storage function as well, thus greatly expanding applicable areas of such embedded terminal apparatus with the MMC/SD interface that has bulk storage function.
    Type: Grant
    Filed: September 24, 2012
    Date of Patent: October 29, 2019
    Assignee: China Unionpay Co., Ltd.
    Inventors: Zhijun Lu, Hongwen Meng, Yu Zhou, Wei Guo, Chengqian Chen
  • Patent number: 10453161
    Abstract: A method for measuring performance of virtual desktop services offered by a server including a processor is described. A first encoded watermark is embedded into user interface display generated by a virtual desktop when initiating an operation. The first encoded watermark includes pixels identifying the operation and indicating its initiation. A second encoded watermark is embedded into the user interface upon completion of the operation indicating completion of the operation. An action performance time is then computed and stored in a memory. Multiple performance times may be compiled from multiple operations of multiple virtual desktops to assess the performance of the system as a whole.
    Type: Grant
    Filed: September 26, 2016
    Date of Patent: October 22, 2019
    Assignee: VMware, Inc.
    Inventors: Banit Agrawal, Rishi N. Bidarkar, Sunil Satnur, Vikram Makhija
  • Patent number: 10432528
    Abstract: A first node receives data packets of a flow and forwards the data packets of the flow to a second node. The first node takes a first decision whether to perform inspection of a payload section of at least one data packet of the flow at the first node and indicate a result of the first decision to the second node. The second node receives the data packets of the flow from the first node. On the basis of the result of the first decision indicated by the first node, the second node takes a second decision whether to perform inspection of a payload section of at least one data packet of the flow at the second node.
    Type: Grant
    Filed: January 8, 2013
    Date of Patent: October 1, 2019
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventor: Francisco Cortes Gomez
  • Patent number: 10416966
    Abstract: In particular embodiments, a computer-implemented data processing method for responding to a data subject access request comprises: (A) receiving a data subject access request from a requestor comprising one or more request parameters; (B) validating an identity of the requestor by prompting the requestor to identify information associated with the requestor; (C) in response to validating the identity of the requestor, processing the request by identifying one or more pieces of personal data associated with the requestor, the one or more pieces of personal data being stored in one or more data repositories associated with a particular organization; and (D) taking one or more actions based at least in part on the data subject access request, the one or more actions including one or more actions related to the one or more pieces of personal data.
    Type: Grant
    Filed: August 6, 2018
    Date of Patent: September 17, 2019
    Assignee: OneTrust, LLC
    Inventors: Kabir A. Barday, Jason L. Sabourin, Jonathan Blake Brannon, Mihir S. Karanjkar, Kevin Jones
  • Patent number: 10411950
    Abstract: In an on-vehicle system, the gateway is duplexed, and a countermeasure table is included. The countermeasure table defines a failure phenomenon occurring in communication, an identification method for identifying a factor on whether the failure phenomenon is caused by a failure of the gateway or caused by a security attack on the gateway, and a corresponding countermeasure method. When it is detected that a failure phenomenon has occurred is communication through the gateway, the on-vehicle system determines a factor of the detected failure phenomenon based on the identification method defined in the countermeasure table, and makes countermeasures in accordance with the corresponding countermeasure method.
    Type: Grant
    Filed: January 26, 2017
    Date of Patent: September 10, 2019
    Assignee: RENESAS ELECTRONICS CORPORATION
    Inventors: Shigemasa Shiota, Takeshi Sunada, Akihiro Yamate, Daisuke Oshida
  • Patent number: 10412048
    Abstract: Systems and methods provide for management of a gateway. In one embodiment, a method includes: in response to a request from a client device, establishing, by a computer system implementing a gateway to a private network, a network tunnel between the client device and the gateway; and starting a firewall service with a set of firewall rules on the computer system for selectively blocking and allowing network traffic between the client device and one or more network devices in the private network.
    Type: Grant
    Filed: April 14, 2017
    Date of Patent: September 10, 2019
    Assignee: CRYPTZONE NORTH AMERICA, INC.
    Inventors: Kurt Glazemakers, Per Johan Allansson, Thomas Bruno Emmanuel Cellerier, Kosmas Valianos, Tom Viljo Weber
  • Patent number: 10397227
    Abstract: Outbound traffic of a host application may be received from a host device having a host processor. The secure resource may be configured to provide a secure transaction based on the outbound network traffic. Using a second processor different than the host processor, it may be determined whether the host application is authorized to provide the outbound network traffic to the secure resource. The outbound network traffic may be allowed to be forwarded to the secure resource if the host application is authorized. The outbound network traffic may be disallowed to be forwarded to the secure resource if the host application is not authorized.
    Type: Grant
    Filed: March 16, 2018
    Date of Patent: August 27, 2019
    Assignee: CUPP Computing AS
    Inventor: Shlomo Touboul
  • Patent number: 10382461
    Abstract: Described are techniques for identifying anomalous and non-anomalous requests based on metric values determined from a request. Weights to be associated with particular metric values may be determined based on metric data for those values. The metric data may indicate a total number of accesses by requests having a particular metric value, a frequency of access, or particular access times. Based on the weight values and the metric values for the request, a security score for the request may be determined. The security score may indicate a confidence that the request is anomalous or non-anomalous. Potentially anomalous requests may be determined to be non-anomalous if the metric values correspond to known sets of metric values, determined from previous requests. In some cases, metric data may be normalized prior to use to facilitate faster queries and conserve available data storage.
    Type: Grant
    Filed: May 26, 2016
    Date of Patent: August 13, 2019
    Assignee: AMAZON TECHNOLOGIES, INC.
    Inventors: Nima Sharifi Mehr, Dominique Imjya Brezinski, Sunu Aby Mathew
  • Patent number: 10382457
    Abstract: An attack stream identification method, apparatus, and device on a software defined network is presented, where an invalid stream filter table is stored in a switch, and the method includes the steps of the switch receives a data packet of a data stream and searches, according to a characteristic value of the data packet, the invalid stream filter table for a state field of a filter entry; when the state field is a suspected attack stream state or a non-attack stream state, the switch sends a report message to a controller, determines a rate value for sending the report message to the controller, and fills the rate value in a rate field of the filter entry; and when the rate value is greater than a preset rate threshold, the switch changes the state field of the filter entry to an attack stream state.
    Type: Grant
    Filed: November 29, 2016
    Date of Patent: August 13, 2019
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Laijun Zhong, Xiuchu Zhao, Kai Qi
  • Patent number: 10382448
    Abstract: Methods and systems are described for detecting command injection attacks. A positive, taint inference method includes receiving signature fragments on one hand, converting command injection instructions into command fragments on another hand, thus identifying potential attacks upon the condition that a command injection instruction includes critical untrusted parts by using signature fragments. A system detects command injection attacks using this kind of method, and remediates and rejects potential attacks.
    Type: Grant
    Filed: April 20, 2017
    Date of Patent: August 13, 2019
    Assignee: University of Virginia Patent Foundation
    Inventors: Anh Nguyen-Tuong, Jack W. Davidson, Michele Co, Jason D. Hiser, John C. Knight
  • Patent number: 10361899
    Abstract: Some embodiments provide a method for a managed forwarding element that processes packets through a set of packet processing tables by matching rules in the tables. The method receives an update that requires modification to at least one of the packet processing tables. Each rule in the packet processing tables is assigned a range of packet processing table versions in which the rule is valid for processing packets. The method modifies the packet processing tables according to the received update by at least one of (i) modifying the range of packet processing table versions in which an existing rule is valid to end after a current packet processing table version and (ii) adding a new rule with a range of valid packet processing table versions that begins with a next packet processing table version. The method increments the current version of the packet processing tables to commit the modifications.
    Type: Grant
    Filed: January 26, 2016
    Date of Patent: July 23, 2019
    Assignee: NICIRA, INC.
    Inventor: Jarno Rajahalme
  • Patent number: 10360361
    Abstract: The invention relates to a computer-implemented method for controlling access of a terminal (118) to an attribute (112) stored in an ID token (100), wherein the ID token (100) is associated with a user, wherein the method comprises receipt of an identification of the terminal (118) by the ID token (100) and checking by the ID token (100) if a session identification validly associated with the identification of the terminal (118) is stored in the ID token (100), wherein, if a session identification validly associated with the identification of the terminal (118) is stored in the ID token (100), the ID token (100) transmits the session identification to the terminal (118) and grants the terminal (118) access to the attribute (112), wherein a subsequent communication with access to the attribute (112) is carried out in an encrypted manner using a session-specific session key, wherein the session-specific session key is stored in the ID token (100) in a manner associated with the session identification or the ide
    Type: Grant
    Filed: February 10, 2016
    Date of Patent: July 23, 2019
    Assignee: BUNDESDRUCKEREI GMBH
    Inventors: Frank Morgner, Paul Bastian
  • Patent number: 10326793
    Abstract: Systems and methods for guarding a controller area network are disclosed. In one embodiment, a system for guarding a controller area network comprises one or more processors. The one or more processors may be configured to receive a message destined for the controller area network. The one or more processors may further be configured to determine whether the message is legitimate. The one or more processors may further be configured to modify the message, if the message is determined as illegitimate, as an error message.
    Type: Grant
    Filed: June 9, 2016
    Date of Patent: June 18, 2019
    Assignee: RUNSAFE SECURITY, INC.
    Inventors: Andrew Michael Wesie, Joseph Michael Saunders
  • Patent number: 10320851
    Abstract: The following disclosure relates a method and mediation device (100) in a Lawful Interception (LI) system for detecting and correlating copies of SIP and RTP flows, from different domains EPS or IMS, said method comprising to determine a unique IMS Communication Identity Number, IMS CIN, and a corresponding correlation set of identifiers, storing each unique IMS CIN together with its correlation set for an intercepted communication session, correlating a SIP or RTP flow received from one domain to the same SIP or RTP flows of the same communication session received from the other domain by comparing the flow identity information of the received flow to the stored correlation sets for identifying a matching correlation set and its unique IMS CIN and sending to a LEA requesting for LI of the target said received SIP or RTP flow comprising said identified unique IMS CIN for a matching correlation set.
    Type: Grant
    Filed: August 27, 2015
    Date of Patent: June 11, 2019
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Andrea Senatore, Francesco Toro, Elvira Villani
  • Patent number: 10305921
    Abstract: A network security apparatus includes a packet detector detecting transmission of data packets between a plurality of hosts and a plurality of domains and defining a plurality of links therefrom. A model builder circuit receives the plurality of links from the packet detector, receives ground truth information labeling one or more of the plurality of hosts or one or more of the plurality of domains as benign or malicious, generates predictive models from the received links and ground truth information, and stores generated predictive models in a predictive model database. An anomaly detector circuit retrieves the generated predictive models from the predictive model database and uses the predictive models to label each of the plurality of hosts and plurality of domains, that have not previously been labeled by the ground truth information, as benign or malicious.
    Type: Grant
    Filed: April 28, 2016
    Date of Patent: May 28, 2019
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Jing Gao, Deepak Turaga, Long H. Vu, Houping Xiao
  • Patent number: 10306471
    Abstract: A determination is made as to whether a password is required for connecting to a wireless network. In response to determining that no password is required for connecting to the wireless network, data is retrieved from at least one predefined network address through the wireless network. A determination is made as to whether a secondary login verification is required for connecting to the wireless network based on, at least, the retrieved data from the at least one predefined network address.
    Type: Grant
    Filed: June 27, 2018
    Date of Patent: May 28, 2019
    Assignee: Alibaba Group Holding Limited
    Inventor: Baochu Wang
  • Patent number: 10298717
    Abstract: Aspects of the embodiments are directed to a network element that is configured for receiving, from an access point, a data packet originating from a client, the data packet comprising a packet header that comprises a packet header augmented with context information; decapsulating the packet header to identify the context information; applying a client-specific policy on the packet based, at least in part, on the context information; and forwarding the packet to a next hop in the network. The network element can be part of a network, such as a datacenter fabric architecture.
    Type: Grant
    Filed: December 4, 2016
    Date of Patent: May 21, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: Sanjay Kumar Hooda, Sarath Gorthi Subrahmanya
  • Patent number: 10298619
    Abstract: A method of creating micro-segmentation policy for a network is provided. The method monitors the network packet traffic to identify network traffic types and patterns. The method, based on the network traffic types and patterns, identifies a set of components as an affinity group associated with each application. The method generates an application template that includes a set of application components for each application based on information provided by the vendor of the application. The method creates micro-segmentation policy for the network based on a mapping of the components of each affinity group into the components of the template generated for the associated application.
    Type: Grant
    Filed: December 16, 2016
    Date of Patent: May 21, 2019
    Assignee: NICIRA, INC.
    Inventors: Srinivas Nimmagadda, Jayant Jain, Anirban Sengupta