Method, apparatus and program for detecting spoofed network traffic
    1.
    Granted patent
    Method, apparatus and program for detecting spoofed network traffic (in force)

    Publication number: US08925079B2

    Publication date: 2014-12-30

    Application number: US13295553

    Filing date: 2011-11-14

    CPC classification number: G06F21/00 H04L63/1466

    Abstract: A method, an apparatus and a program for detecting spoofed Internet Protocol (IP) traffic directed to a network having a plurality of autonomous systems (AS) is provided. The method comprises receiving an incoming packet through an AS, the incoming packet containing a source IP address and a destination IP address; acquiring the corresponding source and destination IP address prefixes; converting the corresponding source and destination IP address prefixes into a source AS number and a destination AS number; determining whether the incoming packet arrived from an unexpected source, based upon the corresponding destination IP address prefix and the converted source and destination AS numbers, using an unexpected-pair tuple table generated from network routing information; and generating an alert indicating that the incoming packet is not allowed to enter the network.


    SYSTEM AND METHOD FOR DETERMINING FIREWALL EQUIVALENCE, UNION, INTERSECTION AND DIFFERENCE
    2.
    Patent application
    SYSTEM AND METHOD FOR DETERMINING FIREWALL EQUIVALENCE, UNION, INTERSECTION AND DIFFERENCE (pending, published)

    Publication number: US20110283348A1

    Publication date: 2011-11-17

    Application number: US12779069

    Filing date: 2010-05-13

    CPC classification number: H04L63/0263

    Abstract: Aspects of the invention pertain to integrated compliance analysis of multiple firewalls and access control lists for network segregation and partitioning. Access control lists may have many individual rules that indicate whether information can be passed between certain devices in a computer network. The access control lists in different firewalls in different network segments within a given network may overlap or have inconsistent rules. Aspects of the invention generate differences between firewalls, analyze equivalency of firewalls, generate the intersection (if any) between a pair of firewalls, and generate the union (if any) between firewalls. Such information provides an integrated analysis of multiple interrelated firewalls, including inbound and outbound access control lists for such firewalls, and may be used to manage firewall operation within the network to ensure consistent operation and maintain network security. It also addresses a wide range of security questions that arise when dealing with multiple firewalls.


    Systems and methods for single session management in load balanced application server clusters
    3.
    Granted patent
    Systems and methods for single session management in load balanced application server clusters (in force)

    Publication number: US07962635B2

    Publication date: 2011-06-14

    Application number: US12631881

    Filing date: 2009-12-07

    Abstract: Aspects of the invention pertain to user session management in load balanced clusters. Multiple application servers communicate with a central data server to ensure there is a single session per user ID. The central data server maintains a user session index and a parameter table. Each time a network access is attempted using a given user ID, a load balancer assigns the session to one of the application servers. The assigned application server queries the central data server to determine whether a session status for the user's login ID is inactive or active. If inactive, a new, unique value is assigned as the session number. If active, the session number is evaluated to determine whether multiple sessions exist. In this case, one of the sessions is terminated to ensure a single session per user ID. Preferably, the terminated session is the earlier session.


    SYSTEMS AND METHODS FOR SINGLE SESSION MANAGEMENT IN LOAD BALANCED APPLICATION SERVER CLUSTERS
    4.
    Patent application
    SYSTEMS AND METHODS FOR SINGLE SESSION MANAGEMENT IN LOAD BALANCED APPLICATION SERVER CLUSTERS (in force)

    Publication number: US20100217860A1

    Publication date: 2010-08-26

    Application number: US12631881

    Filing date: 2009-12-07

    Abstract: Aspects of the invention pertain to user session management in load balanced clusters. Multiple application servers communicate with a central data server to ensure there is a single session per user ID. The central data server maintains a user session index and a parameter table. Each time a network access is attempted using a given user ID, a load balancer assigns the session to one of the application servers. The assigned application server queries the central data server to determine whether a session status for the user's login ID is inactive or active. If inactive, a new, unique value is assigned as the session number. If active, the session number is evaluated to determine whether multiple sessions exist. In this case, one of the sessions is terminated to ensure a single session per user ID. Preferably, the terminated session is the earlier session.


    VERSIONING RELATIONAL DATABASE DISJOINT RECORDS
    5.
    Patent application
    VERSIONING RELATIONAL DATABASE DISJOINT RECORDS (pending, published)

    Publication number: US20100042605A1

    Publication date: 2010-02-18

    Application number: US12533676

    Filing date: 2009-07-31

    CPC classification number: G06F16/219 G06F16/2456

    Abstract: An inventive system and method for versioning relational database disjoint records comprises a relational database, configuration files translated into query files, and a version control system, wherein each query file is stored and checked into the version control system, updating the version number of the query file. Each query file comprises a set of query statements. Query files are retrieved from the version control system based on the version number or on an independent data item, and are loaded into the database for analysis. In one embodiment, one of the configuration files comprises the configuration of a device, such as a router, a switch, a firewall, or a medical record. The method comprises acquiring configuration files, converting the configuration files into query files and storing the query files, and checking each query file into a version control system, wherein the check-in updates the version number of the query file.


    Method, Apparatus and Program for Detecting Spoofed Network Traffic
    6.
    Patent application
    Method, Apparatus and Program for Detecting Spoofed Network Traffic (in force)

    Publication number: US20130125235A1

    Publication date: 2013-05-16

    Application number: US13295553

    Filing date: 2011-11-14

    CPC classification number: G06F21/00 H04L63/1466

    Abstract: A method, an apparatus and a program for detecting spoofed Internet Protocol (IP) traffic directed to a network having a plurality of autonomous systems (AS) is provided. The method comprises receiving an incoming packet through an AS, the incoming packet containing a source IP address and a destination IP address; acquiring the corresponding source and destination IP address prefixes; converting the corresponding source and destination IP address prefixes into a source AS number and a destination AS number; determining whether the incoming packet arrived from an unexpected source, based upon the corresponding destination IP address prefix and the converted source and destination AS numbers, using an unexpected-pair tuple table generated from network routing information; and generating an alert indicating that the incoming packet is not allowed to enter the network.


    SYSTEM AND METHOD FOR DETERMINING SYMANTIC EQUIVALENCE BETWEEN ACCESS CONTROL LISTS
    7.
    Patent application
    SYSTEM AND METHOD FOR DETERMINING SYMANTIC EQUIVALENCE BETWEEN ACCESS CONTROL LISTS (pending, published)

    Publication number: US20100199346A1

    Publication date: 2010-08-05

    Application number: US12634975

    Filing date: 2009-12-10

    CPC classification number: H04L63/0263

    Abstract: Aspects of the invention pertain to analyzing and modifying access control lists that are used in computer networks. Access control lists may have many individual rules that indicate whether information can be passed between certain devices in a computer network. The access control lists may include redundant or conflicting rules. An aspect of the invention determines whether two or more access control lists are equivalent. Order-dependent access control lists are converted into order-independent access control lists, which enables checking the semantic equivalence of different access control lists. During conversion to an order-independent access control list, lower-precedence rules in the order-free list are checked for overlap with the current higher-precedence entry. If overlap exists, the existing order-free rules are modified so that the resulting spin-off rules have no overlap with the current entry. This is done while maintaining semantic equivalence.


    Redundancy detection and resolution and partial order dependency quantification in access control lists
    8.
    Granted patent
    Redundancy detection and resolution and partial order dependency quantification in access control lists (in force)

    Publication number: US08719913B2

    Publication date: 2014-05-06

    Application number: US12634984

    Filing date: 2009-12-10

    CPC classification number: H04L63/0263 G06F21/604 G06F2221/2141 H04L63/101

    Abstract: Aspects of the invention pertain to analyzing and modifying access control lists that are used in computer networks. Access control lists may have many individual entries that indicate whether information can be passed between certain devices in a computer network. The access control lists may include redundant or conflicting entries. An aspect of the invention converts an order-dependent access control list into an order-free equivalent. Redundant entries are identified and removed without adversely affecting the access control list. Redundancy may be identified by evaluating the volume contraction ratio, which is the ratio of the volume of the spin-off entries to the volume of the specific original entry in the access control list. This ratio reflects the extent of the order-dependent impact on that entry in a given access control list.


    REDUNDANCY DETECTION AND RESOLUTION AND PARTIAL ORDER DEPENDENCY QUANTIFICATION IN ACCESS CONTROL LISTS
    9.
    Patent application
    REDUNDANCY DETECTION AND RESOLUTION AND PARTIAL ORDER DEPENDENCY QUANTIFICATION IN ACCESS CONTROL LISTS (in force)

    Publication number: US20100199344A1

    Publication date: 2010-08-05

    Application number: US12634984

    Filing date: 2009-12-10

    CPC classification number: H04L63/0263 G06F21/604 G06F2221/2141 H04L63/101

    Abstract: Aspects of the invention pertain to analyzing and modifying access control lists that are used in computer networks. Access control lists may have many individual entries that indicate whether information can be passed between certain devices in a computer network. The access control lists may include redundant or conflicting entries. An aspect of the invention converts an order-dependent access control list into an order-free equivalent. Redundant entries are identified and removed without adversely affecting the access control list. Redundancy may be identified by evaluating the volume contraction ratio, which is the ratio of the volume of the spin-off entries to the volume of the specific original entry in the access control list. This ratio reflects the extent of the order-dependent impact on that entry in a given access control list.
