Abstract:
A method, system, and computer program product are provided for virtualizing specific values in a guest configuration based on the underlying host symbol substitution values. A symbolic link located in a traditional file system in a virtual guest is opened. Each symbol is extracted from a symbol-based file located in a symbol-based file system. The symbol-based file is accessed through a symbolic link from the traditional file system. The virtual guest issues a privileged instruction to a hypervisor for each symbol in the symbol-based file to retrieve a substitution value from a symbol table that is stored in hypervisor storage. The substitution value for each symbol is returned to the virtual guest, and it replaces the symbol in the symbol-based file. In response to a file read request for the traditional file, the substitution value is retrieved from the symbol-based file using the symbolic link from the traditional file.
Abstract:
A method for monitoring a physical area for unauthorized access by a user of a wireless device includes scanning for signals from a wireless device, detecting a wireless signal from a wireless device, determining a wireless device ID associated with the wireless signal, determining whether the wireless device ID matches a wireless ID in an authorized or unauthorized ID list, and, in response to determining that the wireless device ID matches a wireless ID in the unauthorized wireless ID list, activating a security alert. The method may further include, in response to determining that the wireless device ID matches neither a wireless ID in the authorized wireless ID list nor one in the unauthorized wireless ID list, receiving signal strength information associated with the detected wireless signal for a predetermined time interval and determining a pattern of the received signal strength as a function of time.
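The decision procedure in this abstract (deny list checked first, allow list second, and a signal-strength trend computed only for devices on neither list) is shown below as an added example; it is not code from the patent. The device IDs, the scan records and the RSSI window and threshold are constructed for illustration.

```python
"""Allow/deny list matching with RSSI-pattern classification for a
physical-area wireless monitor.

Added example: the device IDs, the scan records and the thresholds below
are constructed for illustration and are not from any real deployment.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Tuple

AUTHORIZED_IDS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}  # constructed
UNAUTHORIZED_IDS = {"de:ad:be:ef:00:01"}                    # constructed


@dataclass
class Observation:
    t: float         # seconds since the scan started
    device_id: str   # identifier carried in the signal (MAC-style here)
    rssi: int        # received signal strength, dBm


def classify_id(device_id: str) -> str:
    """Deny list wins over allow list, so a blocked device cannot be
    let through by a stale allow-list entry."""
    if device_id in UNAUTHORIZED_IDS:
        return "alert"
    if device_id in AUTHORIZED_IDS:
        return "authorized"
    return "unknown"


def rssi_pattern(samples: List[int], window: int = 3, delta: int = 6) -> str:
    """Trend of signal strength over the interval: compare the mean of the
    first `window` samples with the mean of the last `window` samples."""
    if len(samples) < 2 * window:
        return "insufficient"
    early, late = mean(samples[:window]), mean(samples[-window:])
    if late - early >= delta:
        return "approaching"   # signal getting stronger: device moving in
    if early - late >= delta:
        return "leaving"
    return "stationary"


def monitor(observations: List[Observation], interval: float = 10.0) -> Tuple[List[str], Dict[str, str]]:
    """Run the decision procedure over a scan log.

    Returns (alerts, patterns): one alert per unauthorized device seen, and
    a trend label for every device on neither list, computed from the RSSI
    samples collected during the first `interval` seconds."""
    alerts: List[str] = []
    alerted = set()
    samples: Dict[str, List[int]] = {}
    for o in observations:
        verdict = classify_id(o.device_id)
        if verdict == "alert" and o.device_id not in alerted:
            alerts.append(f"ALERT t={o.t:.1f} unauthorized device {o.device_id} rssi={o.rssi}")
            alerted.add(o.device_id)
        elif verdict == "unknown" and o.t <= interval:
            samples.setdefault(o.device_id, []).append(o.rssi)
    patterns = {dev: rssi_pattern(s) for dev, s in samples.items()}
    return alerts, patterns


# Constructed scan log: one authorized, one denied, two unknown devices.
SCAN = [
    Observation(0.0, "aa:bb:cc:00:00:01", -55),
    Observation(0.5, "11:22:33:44:55:66", -85),
    Observation(1.0, "de:ad:be:ef:00:01", -70),
    Observation(2.0, "11:22:33:44:55:66", -82),
    Observation(2.0, "77:88:99:aa:bb:cc", -75),
    Observation(3.0, "de:ad:be:ef:00:01", -68),
    Observation(3.5, "11:22:33:44:55:66", -80),
    Observation(4.0, "77:88:99:aa:bb:cc", -76),
    Observation(5.0, "11:22:33:44:55:66", -70),
    Observation(5.5, "77:88:99:aa:bb:cc", -74),
    Observation(6.5, "11:22:33:44:55:66", -66),
    Observation(7.0, "77:88:99:aa:bb:cc", -75),
    Observation(8.0, "11:22:33:44:55:66", -62),
    Observation(8.5, "77:88:99:aa:bb:cc", -77),
    Observation(9.5, "77:88:99:aa:bb:cc", -75),
    Observation(12.0, "11:22:33:44:55:66", -40),  # after the interval: not sampled
]

if __name__ == "__main__":
    found_alerts, trends = monitor(SCAN)
    print("\n".join(found_alerts))
    print(trends)
```

The unknown device `11:22:33:44:55:66` gains about 20 dBm across the interval and is labelled "approaching", while `77:88:99:aa:bb:cc` stays within the threshold and is "stationary"; only the denied device raises an alert, and a sample arriving after the interval is ignored.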
Abstract:
A computer-implemented method includes monitoring a plurality of connections of a plurality of host applications at a host, where each connection of the plurality of connections carries network traffic associated with a respective host application of the plurality of host applications. A plurality of sets of security attributes are detected, and include a respective set of security attributes for each connection of the plurality of connections. The plurality of sets of security attributes are stored in a security database. From the security database, the respective set of security attributes of a first connection are compared to a centralized security policy. It is determined that the respective set of security attributes of the first connection do not meet the centralized security policy. A remedial action is performed on the first connection, responsive to the respective set of security attributes of the first connection not meeting the centralized security policy.
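The pipeline this abstract describes (collect per-connection security attributes, store them, compare each record with a centralized policy, act on the non-compliant ones) is shown below as an added example rather than code from the patent. The attribute set, the policy clauses and the connection records are constructed; a real collector would fill them from the host's socket and TLS state.

```python
"""Compare per-connection security attributes against a centralized policy
and choose a remedial action.

Added example: the attribute set, the policy and the connection records
are constructed for illustration and are not from any real host.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Connection:
    conn_id: str
    app: str
    remote: str
    port: int
    tls_version: Optional[str]    # None means cleartext
    cipher: Optional[str]
    peer_cert_verified: bool


# Constructed centralized policy.
POLICY = {
    "min_tls": "1.2",
    "allowed_ciphers": {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                        "ECDHE-RSA-AES256-GCM-SHA384"},
    "require_peer_cert": True,
    "cleartext_ports": {53},       # plain DNS tolerated in this constructed policy
}
TLS_ORDER = {"1.0": 0, "1.1": 1, "1.2": 2, "1.3": 3}


def violations(conn: Connection, policy: dict = POLICY) -> List[str]:
    """All policy clauses the connection fails; an empty list means compliant."""
    found: List[str] = []
    if conn.tls_version is None:
        if conn.port not in policy["cleartext_ports"]:
            found.append("cleartext on non-exempt port")
        return found
    if TLS_ORDER.get(conn.tls_version, -1) < TLS_ORDER[policy["min_tls"]]:
        found.append(f"TLS {conn.tls_version} below minimum {policy['min_tls']}")
    if conn.cipher not in policy["allowed_ciphers"]:
        found.append(f"cipher {conn.cipher} not allowed")
    if policy["require_peer_cert"] and not conn.peer_cert_verified:
        found.append("peer certificate not verified")
    return found


def remedial_action(found: List[str]) -> str:
    """Severity ladder: unencrypted or unauthenticated traffic is cut,
    encrypted-but-weak traffic is flagged to the owning application."""
    if not found:
        return "allow"
    if any(v.startswith("cleartext") or v.startswith("peer certificate") for v in found):
        return "terminate"
    return "alert"


def audit(connections: List[Connection], policy: dict = POLICY) -> Dict[str, Tuple[str, List[str]]]:
    """Store the detected attributes in a security database (a dict here),
    then evaluate every stored record against the centralized policy."""
    security_db: Dict[str, Connection] = {c.conn_id: c for c in connections}
    results: Dict[str, Tuple[str, List[str]]] = {}
    for conn_id, conn in security_db.items():
        found = violations(conn, policy)
        results[conn_id] = (remedial_action(found), found)
    return results


# Constructed connection records as a collector might report them.
CONNECTIONS = [
    Connection("c1", "web", "203.0.113.10", 443, "1.3", "TLS_AES_256_GCM_SHA384", True),
    Connection("c2", "legacy-batch", "203.0.113.20", 8443, "1.0", "RC4-SHA", True),
    Connection("c3", "agent", "203.0.113.30", 8080, None, None, False),
    Connection("c4", "resolver", "203.0.113.53", 53, None, None, False),
    Connection("c5", "api", "203.0.113.40", 443, "1.2", "ECDHE-RSA-AES256-GCM-SHA384", False),
]

if __name__ == "__main__":
    for conn_id, (action, found) in audit(CONNECTIONS).items():
        print(conn_id, action, found)
```

Keeping `violations` separate from `remedial_action` lets the same stored attributes be re-evaluated when the central policy changes, without re-collecting anything from the host.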
Abstract:
A network node for communicating data packets secured with a security protocol over a communications network includes a host information handling system (IHS) and one or more external security offload devices coupled by a secure data link. The host IHS maintains and communicates state information about data packets, and the external security offload device provides stateless secure encapsulation and decapsulation of packets using a security protocol. An external or internal network interface controller communicates the encapsulated data packets over the communications network to their final destination. Encapsulation and decapsulation of packets by the external security offload device reduces network latency and the computational load on the processor in the host IHS. Keeping the state information in the host IHS allows external security offload devices to be hot-swapped without information loss. The external security offload device may be included in a firewall or intrusion detection device, and may implement the IPsec protocol.
Abstract:
An example operation may include one or more of receiving a data packet from a network controller, where the data packet is marked as valid based on a checksum calculated by the network controller, determining that the checksum generated by the network controller is in error based on a recalculation of the checksum of the data packet via a network layer, and transmitting the data packet from the network layer to the network controller with a notification that the checksum is in error.
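The point of this abstract is that a network controller's offloaded checksum verdict is not trusted blindly: the network layer recomputes the checksum, and when its own result disagrees with a packet the controller marked valid, the packet goes back to the controller with an error notification. The example below, added here and not taken from the patent, does that for the IPv4 header checksum (RFC 1071 ones'-complement sum); the `NetworkController` stand-in, the header builder and the single-bit corruption it injects are constructed for illustration.

```python
"""Recompute an IPv4 header checksum at the network layer and hand a packet
back to the controller when the controller's offloaded verdict was wrong.

Added example: the header builder, the NetworkController stand-in and the
corruption injected below are constructed for illustration.
"""
import struct
from dataclasses import dataclass, field
from typing import Dict, List


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, ttl: int = 64, proto: int = 17) -> bytes:
    """Minimal 20-byte IPv4 header (constructed id/flags) with a valid checksum."""
    octets = lambda ip: bytes(int(o) for o in ip.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, octets(src), octets(dst))
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


def header_checksum_ok(pkt: bytes) -> bool:
    """With the checksum field included, a correct header sums to zero."""
    return len(pkt) >= 20 and internet_checksum(pkt[:20]) == 0


@dataclass
class Frame:
    data: bytes
    nic_csum_ok: bool       # verdict attached by the controller's offload engine


@dataclass
class NetworkController:
    """Stand-in for the NIC: validates on receive and accepts error notifications."""
    corrupt_after_check: bool = False
    error_reports: List[bytes] = field(default_factory=list)

    def receive(self, wire: bytes) -> Frame:
        ok = header_checksum_ok(wire)
        if ok and self.corrupt_after_check:
            # Simulate a defect between offload validation and the copy to host memory.
            b = bytearray(wire)
            b[19] ^= 0x01
            wire = bytes(b)
        return Frame(wire, ok)

    def checksum_error(self, packet: bytes) -> None:
        self.error_reports.append(packet)


def network_layer_receive(frame: Frame, nic: NetworkController) -> Dict[str, object]:
    """Trust-but-verify: recompute, and return the packet with a notification
    when the controller said valid but the recomputation disagrees."""
    recomputed_ok = header_checksum_ok(frame.data)
    if frame.nic_csum_ok and not recomputed_ok:
        nic.checksum_error(frame.data)
        return {"action": "returned_to_controller", "reason": "checksum_error"}
    if not recomputed_ok:
        return {"action": "drop", "reason": "checksum_error"}
    return {"action": "deliver", "payload": frame.data[20:]}


def demo(corrupt: bool) -> Dict[str, object]:
    nic = NetworkController(corrupt_after_check=corrupt)
    wire = build_ipv4_header("10.0.0.1", "10.0.0.2", 4) + b"ping"
    result = network_layer_receive(nic.receive(wire), nic)
    result["controller_reports"] = len(nic.error_reports)
    return result


if __name__ == "__main__":
    print(demo(corrupt=False))
    print(demo(corrupt=True))
```

Because the ones'-complement sum changes by a non-zero amount for any single-bit flip inside a 16-bit word, the flipped destination byte is always caught by the recomputation even though the controller reported the packet as valid.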
Abstract:
A computer-implemented method includes identifying a data transmission session associated with a display-oriented data transmission scheme; identifying an outbound data stream associated with the data transmission session; and determining one or more protected fields associated with the outbound data stream. The computer-implemented method further includes detecting a client attempt to write to at least one of the one or more protected fields and, in response to detecting that attempt, generating an intrusion detection report. A corresponding computer program product and computer system are also disclosed.
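The check this abstract describes is a comparison of inbound client writes against the field map derived from the outbound screen. The example below, added here and not code from the patent, does that over a simplified 3270-style encoding assumed for illustration: a `0x1D` byte opens a field, the following attribute byte has bit `0x20` set when the field is protected, and the field's data runs to the next `0x1D`. The screen and the client writes are constructed; a real implementation would parse the full data stream rather than this subset.

```python
"""Detect client writes into protected fields of a display-oriented
(3270-style) data stream and produce an intrusion detection report.

Added example: the encoding is a simplified stand-in assumed for
illustration (start-field order 0x1D, attribute bit 0x20 = protected);
the outbound screen and the inbound writes are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

SF = 0x1D             # start-field order (assumed simplified encoding)
ATTR_PROTECTED = 0x20 # attribute bit marking the field read-only for the client


@dataclass
class Field:
    start: int        # buffer offset of the first data byte
    end: int          # exclusive end offset
    protected: bool


@dataclass
class Write:
    offset: int       # buffer offset the client wants to modify
    data: bytes


def parse_outbound(stream: bytes) -> List[Field]:
    """Walk the outbound stream; each SF order plus attribute byte opens a
    field whose data extends to the next SF order or the end of the stream."""
    fields: List[Field] = []
    i = 0
    while i < len(stream):
        if stream[i] == SF and i + 1 < len(stream):
            attr = stream[i + 1]
            data_start = i + 2
            j = data_start
            while j < len(stream) and stream[j] != SF:
                j += 1
            fields.append(Field(data_start, j, bool(attr & ATTR_PROTECTED)))
            i = j
        else:
            i += 1
    return fields


def check_inbound(fields: List[Field], writes: List[Write], session_id: str) -> List[Dict[str, object]]:
    """One report per (write, protected field) overlap. A write that starts in
    an unprotected field but spills into a protected one is still reported."""
    reports: List[Dict[str, object]] = []
    for w in writes:
        w_end = w.offset + len(w.data)
        for f in fields:
            if f.protected and w.offset < f.end and w_end > f.start:
                reports.append({
                    "session": session_id,
                    "type": "protected_field_write",
                    "field": (f.start, f.end),
                    "write_offset": w.offset,
                    "write_len": len(w.data),
                })
    return reports


# Constructed outbound screen: label (protected), input (unprotected), balance (protected).
SCREEN = (bytes([SF, ATTR_PROTECTED]) + b"Account:"
          + bytes([SF, 0x00]) + b"________"
          + bytes([SF, ATTR_PROTECTED]) + b"Balance: 100.00")

# Constructed inbound writes: a legitimate entry, a tamper attempt on the
# balance, and a write that overruns the label field.
INBOUND = [
    Write(12, b"12345678"),   # fills the unprotected input field
    Write(30, b"999.99"),     # lands inside the protected balance field
    Write(9, b"xy"),          # overlaps the protected label field
]


def demo() -> List[Dict[str, object]]:
    return check_inbound(parse_outbound(SCREEN), INBOUND, session_id="sess-01")


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The overlap test is deliberately on ranges rather than on the write's first byte alone, so a client that starts its write in a permitted field and runs past its end is reported as well.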
Abstract:
Techniques for integrated authentication for a container-based environment are described herein. An aspect includes accessing, by an application that is running in a container in a container environment that is hosted by a hypervisor on a host system, an authentication module that is located in the container environment. Another aspect includes invoking an authentication handler in the container environment based on the accessing of the authentication module. Another aspect includes passing control to the hypervisor from the authentication handler. Another aspect includes retrieving a security artifact from a security database of the host system by the hypervisor. Another aspect includes providing the retrieved security artifact to the application via the authentication handler. Another aspect includes performing an authentication operation by the application using the security artifact.