11. Epoch-based MUD logging
    Granted invention patent (in force)

    Publication number: US07568078B2

    Publication date: 2009-07-28

    Application number: US11494036

    Filing date: 2006-07-26

    CPC classification number: G06F11/2082 H04L67/1097

    Abstract: Methods and apparatus for performing MUD logging for a volume in a system implementing network-based virtualization are disclosed. This is accomplished by enabling two or more MUD loggers to separately maintain a MUD log for the volume. Through enabling the MUD loggers to communicate, the MUD loggers may update their respective MUD logs. Each MUD log includes information for one or more epochs, where the information for each of the epochs indicates a set of one or more regions that have been modified during the corresponding epoch.


12. Methods and apparatus for security over fibre channel
    Granted invention patent (in force)

    Publication number: US08914858B2

    Publication date: 2014-12-16

    Application number: US13107521

    Filing date: 2011-05-13

    CPC classification number: H04L63/123 H04L9/0838 H04L9/3239 H04L63/12

    Abstract: Methods and apparatus are provided for improving both node-based and message-based security in a fiber channel network. Entity to entity authentication and key exchange services can be included in existing initialization messages used for introducing fiber channel network entities into a fiber channel fabric, or with specific messages exchanged over an already initialized communication channel. Both per-message authentication and encryption mechanisms can be activated using the authentication and key exchange services. Messages passed between fiber channel network entities can be encrypted and authenticated using information provided during the authentication sequence. Security services such as per-message authentication, confidentiality, integrity protection, and anti-replay protection can be implemented.


13. Method and apparatus for reliably and asymmetrically distributing security information within a fibre channel fabric
    Granted invention patent (in force)

    Publication number: US08151318B1

    Publication date: 2012-04-03

    Application number: US10374490

    Filing date: 2003-02-25

    CPC classification number: H04L49/357 H04L63/102

    Abstract: A reliable asymmetric method for distributing security information within a Fiber Channel Fabric. The Switching Fabric includes a set of security servers, which maintain among themselves a replicated copy of the Fabric security databases using the currently defined Merge and Change protocols. The other Switches of the Fabric are configured as client-Switches. They maintain only the subset of the authorization and authentication information required for their correct operation. A client-Switch queries the security server when a new end-device is connected to it, or when it is connected to the Fabric. When the security configuration of the Fabric changes by an administrative action, a security server solicits the client-Switches to update their information. In an alternative embodiment, the end-devices may query directly the security server, usually for authentication purposes. A Fabric with a plurality of security servers balances among them the load of inquiries from clients, and is more reliable because it continues to operate in the event of failure of one or more servers. Reliability is achieved in a stateless manner through the FSPF protocol, the Fiber Channel routing protocol. Each security server announces itself to the Fabric by advertising an adjacency to a predefined virtual Domain_ID in its FSPF LSRs. Clients access servers by directing queries to this virtual Domain_ID.


14. Method and apparatus for securely disseminating security server contact information in a network
    Granted invention patent (in force)

    Publication number: US08037514B2

    Publication date: 2011-10-11

    Application number: US11069857

    Filing date: 2005-03-01

    Abstract: Various systems and methods are disclosed for disseminating security server contact information in a network. For example, one method (e.g., performed by a security server) involves determining that a network device is a secure network device, in response to participating in a security exchange with the network device; and then sending a server list to the network device. The server list includes the network address of at least one security server. Another method (e.g., performed by a network device) involves initiating an authentication exchange; receiving a server list, which includes the network address of a security server, as part of the authentication exchange; and communicating with the security server by sending a packet to the network address included in the server list.


15. METHODS AND APPARATUS FOR SECURITY OVER FIBRE CHANNEL
    Invention patent application (under examination, published)

    Publication number: US20110219438A1

    Publication date: 2011-09-08

    Application number: US13107521

    Filing date: 2011-05-13

    CPC classification number: H04L63/123 H04L9/0838 H04L9/3239 H04L63/12

    Abstract: Methods and apparatus are provided for improving both node-based and message-based security in a fibre channel network. Entity to entity authentication and key exchange services can be included in existing initialization messages used for introducing fibre channel network entities into a fibre channel fabric, or with specific messages exchanged over an already initialized communication channel. Both per-message authentication and encryption mechanisms can be activated using the authentication and key exchange services. Messages passed between fibre channel network entities can be encrypted and authenticated using information provided during the authentication sequence. Security services such as per-message authentication, confidentiality, integrity protection, and anti-replay protection can be implemented.


16. KEY TRANSPORT IN AUTHENTICATION OR CRYPTOGRAPHY
    Invention patent application (in force)

    Publication number: US20100169645A1

    Publication date: 2010-07-01

    Application number: US12604221

    Filing date: 2009-10-22

    CPC classification number: H04L9/0637 H04L9/0822 H04L9/0833 H04L9/3242

    Abstract: A computer system for authenticating, encrypting, and transmitting a secret communication, where the encryption key is transmitted along with the encrypted message, is disclosed. In an embodiment, a first transmitting processor encrypts a plaintext message to a ciphertext message using a data key, encrypts the data key using a key encrypting key, and sends a communication comprising the encrypted data key and the ciphertext message. A second receiving processor receives the communication and then decrypts the encrypted data key using the key encrypting key and decrypts the ciphertext message using the data key to recover the plaintext message.


17. System and method for monitoring application security in a network environment
    Granted invention patent (in force)

    Publication number: US08949931B2

    Publication date: 2015-02-03

    Application number: US13462110

    Filing date: 2012-05-02

    Abstract: A method includes determining an application role in a distributed application in a network environment, generating a role profile for the application role from an interaction pattern, mapping the role profile to a virtual machine (VM), and detecting a security breach of the VM. Determining the application role includes obtaining network traces from the distributed application, and analyzing the network traces to extract the application role. In one embodiment, detection of the security breach includes generating an access control policy for the VM from the role profile, and determining an anomaly in traffic based thereon. In another embodiment, detection of the security breach includes inserting the role profile in a port profile of the VM, generating a small state machine from the role profile, running the small state machine on a port associated with the VM, and inspecting, by the small state machine, an application level traffic at the port.


18. Detecting rootkits over a storage area network
    Granted invention patent (in force)

    Publication number: US08510837B2

    Publication date: 2013-08-13

    Application number: US11967731

    Filing date: 2007-12-31

    CPC classification number: G06F21/564 G06F21/566 G06F2221/2151

    Abstract: Embodiments of the invention improve the detection of malicious software applications, such as a rootkit, on hosts configured to access storage volumes over a storage area network (SAN). A rootkit detection program running on a switch may be configured to detect rootkits present on the storage volumes of the SAN. Because the switch may mount and access storage volumes independently from the (possibly compromised) hosts, the rootkit is not able to conceal itself from the rootkit detection program running on the switch.


19. Epoch-based MUD logging
    Granted invention patent (in force)

    Publication number: US07953943B2

    Publication date: 2011-05-31

    Application number: US12506975

    Filing date: 2009-07-21

    CPC classification number: G06F11/2082 H04L67/1097

    Abstract: In one embodiment, a MUD logger receives a notification from another MUD logger maintaining another MUD log for a volume, the notification indicating one or more modifications to be made to a MUD log maintained by the MUD logger receiving the notification, wherein the MUD log includes information for one or more epochs, wherein the information for each of the epochs indicates a set of one or more regions of the volume that have been modified during the corresponding epoch. The MUD logger updates the MUD log associated with the volume, wherein updating the MUD log is performed in response to the notification.


20. Apparatus and method for a lightweight, reliable, packet-based transport protocol
    Granted invention patent (in force)

    Publication number: US07443845B2

    Publication date: 2008-10-28

    Application number: US10313305

    Filing date: 2002-12-06

    Abstract: A fast, lightweight, reliable, packet-based protocol that operates independent of the type of networking protocol used by the underlying physical layer of the network is disclosed. More specifically, the packet-based protocol operates independently of, or is capable of encapsulating, physical layer protocols such as but not limited to MAC, Ethernet, Ethernet II, HARD or IP. The protocol defines at least three different types of frames including Information frames, Supervisory frames, and Unnumbered frames. In various embodiments of the invention, the Information, Supervisory, and Unnumbered frames include DSAP and SSAP fields with semantics which are sufficiently large to support the various physical layer protocols that may be used on the network. The Information frames, Supervisory frames, and Unnumbered frames also have the ability to support urgent data delivery and certain memory management functions. The protocol is further capable of supporting the multiplexing of layers higher than the protocol so that multiple higher layer applications may share the same connection. Finally, the protocol of the present invention supports both flow control and congestion control, to help reduce the incidence of lost or dropped packets at a receiving node or over the network respectively.

