公开(公告)号：US09715401B2

公开(公告)日：2017-07-25

申请号：US12210249

申请日：2008-09-15

申请人： Wesley M. Devine ,  Sivaram Gottimukkala ,  Lap T. Huynh ,  Dinakaran Joseph ,  Michael S. Law ,  Linwood H. Overby, Jr.

发明人： Wesley M. Devine ,  Sivaram Gottimukkala ,  Lap T. Huynh ,  Dinakaran Joseph ,  Michael S. Law ,  Linwood H. Overby, Jr.

IPC分类号： G06F9/455

CPC分类号： G06F9/45558 ,  G06F9/4856 ,  G06F2009/4557

摘要： In an embodiment of the invention, a method for secure live migration of a virtual machine (VM) in a virtualized computing environment can include selecting a VM in a secure virtualized computing environment for live migration to a different virtualized computing environment and blocking data communications with the selected VM and other VMs in the secure virtualized computing environment. The selected VM can be live migrated to the different virtualized computing environment and the VM can be restarted in the different virtualized computing environment. Notably, a secure communicative link can be established between the restarted VM and at least one other of the VMs in the secure virtualized computing environment. Finally, data communications between the restarted VM and the at least one other of the VMs can be enabled over the secure communicative link.

公开(公告)号：US09137203B2

公开(公告)日：2015-09-15

申请号：US11626513

申请日：2007-01-24

申请人： Curtis M. Gearhart ,  Christopher Meyer ,  Linwood H. Overby, Jr. ,  David J. Wierbowski

发明人： Curtis M. Gearhart ,  Christopher Meyer ,  Linwood H. Overby, Jr. ,  David J. Wierbowski

IPC分类号： H04L29/06 ,  G06F15/16

CPC分类号： H04L63/0209 ,  H04L63/04 ,  H04L63/0485 ,  H04L63/0823 ,  H04L63/1408 ,  H04L2209/76

摘要： Embodiments of the present invention address deficiencies of the art in respect to network security and provide a method, system and computer program product for centralized secure offload of key exchange services for distributed security enforcement points. In one embodiment, a data processing system for centralized secure offload of key exchange services for distributed security enforcement points can be provided. The system can include a security enforcement point controlling communication flows between devices in different less trusted zones of protection, and a security server communicatively coupled to the security enforcement point and hosting key exchange services disposed in a more trusted zone of protection. The security enforcement point can include an interface to the key exchange services and program code enabled to offload at least one portion of a key exchange through the interface to the key exchange services disposed in the more trusted zone of protection.

摘要翻译： 本发明的实施例解决了本领域在网络安全方面的缺陷，并且提供了一种用于分布式安全执行点的密钥交换服务的集中安全卸载的方法，系统和计算机程序产品。 在一个实施例中，可以提供用于分布式安全执行点的密钥交换服务的集中安全卸载的数据处理系统。 该系统可以包括控制不同不太信任的保护区域中的设备之间的通信流的安全执行点，以及通信地耦合到安全执行点并承载设置在更受信任的保护区域中的密钥交换服务的安全服务器。 安全执行点可以包括密钥交换服务的接口和能够通过接口将密钥交换的至少一部分卸载到设置在更受信任的保护区域中的密钥交换服务的密码交换服务和程序代码。

公开(公告)号：US09021250B2

公开(公告)日：2015-04-28

申请号：US11738500

申请日：2007-04-22

申请人： Linwood H. Overby, Jr.

发明人： Linwood H. Overby, Jr.

IPC分类号： H04L29/06

CPC分类号： H04L63/0428 ,  H04L63/062 ,  H04L63/168 ,  H04L63/30 ,  H04L63/306

摘要： Embodiments of the present invention address deficiencies of the art in respect to security function processing of encrypted data in a security enforcement point and provide a method, system and computer program product for security enforcement point inspection of a traversing encrypted data in a secure, end-to-end communications path. In an embodiment of the invention, a method for security enforcement point inspection of encrypted data in a secure, end-to-end communications path can be provided. The method can include establishing a persistent secure session with a key server holding an SA for an end-to-end secure communications path between endpoints, receiving the SA for the end-to-end secure communications path over the persistent secure session, decrypting an encrypted payload for the end-to-end secure communications path using session key data in the SA, and performing a security function on the decrypted payload.

摘要翻译： 本发明的实施例解决了在安全执行点中关于加密数据的安全功能处理方面的技术缺陷，并且提供了一种用于安全执行点检查安全执行点检测的方法，系统和计算机程序产品， 端到端通信路径。 在本发明的实施例中，可以提供一种用于在安全的端到端通信路径中对加密数据进行安全执行点检查的方法。 该方法可以包括与端点之间的端对端安全通信路径保持SA的密钥服务器建立持久的安全会话，通过持久安全会话接收端到端安全通信路径的SA，解密 使用SA中的会话密钥数据进行端到端安全通信路径的加密有效载荷，并对解密的有效载荷执行安全功能。

公开(公告)号：US08925081B2

公开(公告)日：2014-12-30

申请号：US13469357

申请日：2012-05-11

申请人： Lap T. Huynh ,  Linwood H. Overby, Jr.

发明人： Lap T. Huynh ,  Linwood H. Overby, Jr.

IPC分类号： H04L29/06 ,  G06F21/55

CPC分类号： G06F21/554

摘要： Intrusion detection is performed by communicating an initialization request from an intrusion detection system enabled application to an intrusion module to begin intrusion detection. Also, a request is communicated to a policy transfer agent to provide an intrusion detection system policy specifically configured for the application. The application identifies where in the application code the intrusion detection system policy is to be checked against an incoming or outgoing communication. Information obtained by the application program is selectively evaluated against information in the intrusion detection system policy. A conditional response is made based upon information in the intrusion detection system policy if an intrusion associated with the application program is detected.

摘要翻译： 通过将初始化请求从入侵检测系统启用的应用程序传送到入侵模块以开始入侵检测来执行入侵检测。 而且，请求被传送给策略传输代理，以提供专门为应用配置的入侵检测系统策略。 该应用程序在应用程序代码中识别入侵检测系统策略要根据传入或传出通信进行检查。 根据入侵检测系统策略中的信息选择性地评估由应用程序获得的信息。 如果检测到与应用程序相关联的入侵，则基于入侵检测系统策略中的信息进行条件响应。

公开(公告)号：US08891550B2

公开(公告)日：2014-11-18

申请号：US11355023

申请日：2006-02-15

申请人： Lap T. Huynh ,  Dinakaran Joseph ,  Linwood H. Overby, Jr. ,  Mark T. Wright

发明人： Lap T. Huynh ,  Dinakaran Joseph ,  Linwood H. Overby, Jr. ,  Mark T. Wright

IPC分类号： H04J3/16 ,  H04J3/22 ,  H04L29/06

CPC分类号： H04L63/105 ,  H04L63/166

摘要： Embodiments of the present invention address deficiencies of the art in respect to network services protocol implementation configuration and provide a method, system and computer program product for platform independent configuration of multiple network services protocol implementations. In one embodiment of the invention, a method for configuring a network services protocol implementation can include configuring a platform independent configuration for a network services protocol implementation. Thereafter, a target node can be selected to receive a deployment of the network services protocol implementation and the configured platform independent configuration can be transformed into a platform specific configuration for the target node. Finally, the transformed platform specific configuration can be deployed onto the target node.

摘要翻译： 本发明的实施例解决了关于网络服务协议实现配置的本领域的缺陷，并提供了用于多个网络服务协议实现的用于独立于平台的配置的方法，系统和计算机程序产品。 在本发明的一个实施例中，用于配置网络服务协议实现的方法可以包括为网络服务协议实现配置与平台无关的配置。 此后，可以选择目标节点以接收网络服务协议实现的部署，并且将配置的平台无关配置转换为目标节点的平台特定配置。 最后，转换的平台特定配置可以部署到目标节点上。

公开(公告)号：US20120222087A1

公开(公告)日：2012-08-30

申请号：US13469357

申请日：2012-05-11

申请人： Lap T. Huynh ,  Linwood H. Overby, JR.

发明人： Lap T. Huynh ,  Linwood H. Overby, JR.

IPC分类号： G06F21/00 ,  G06F11/00 ,  G06F17/00

CPC分类号： G06F21/554

摘要： Intrusion detection is performed by communicating an initialization request from an intrusion detection system enabled application to an intrusion module to begin intrusion detection. Also, a request is communicated to a policy transfer agent to provide an intrusion detection system policy specifically configured for the application. The application identifies where in the application code the intrusion detection system policy is to be checked against an incoming or outgoing communication. Information obtained by the application program is selectively evaluated against information in the intrusion detection system policy. A conditional response is made based upon information in the intrusion detection system policy if an intrusion associated with the application program is detected.

摘要翻译： 通过将初始化请求从入侵检测系统启用的应用程序传送到入侵模块以开始入侵检测来执行入侵检测。 而且，请求被传送给策略传输代理，以提供专门为应用配置的入侵检测系统策略。 该应用程序在应用程序代码中识别入侵检测系统策略要根据传入或传出通信进行检查。 根据入侵检测系统策略中的信息选择性地评估由应用程序获得的信息。 如果检测到与应用程序相关联的入侵，则基于入侵检测系统策略中的信息进行条件响应。

公开(公告)号：US20090169005A1

公开(公告)日：2009-07-02

申请号：US11964503

申请日：2007-12-26

申请人： Christopher Meyer ,  Wuchieh J. Jong ,  Linwood H. Overby, JR.

发明人： Christopher Meyer ,  Wuchieh J. Jong ,  Linwood H. Overby, JR.

IPC分类号： H04L9/00

CPC分类号： H04L63/0428 ,  H04L63/062 ,  H04L63/164

摘要： A method, network element, and computer storage program product, are provided for selectively loading a communication network security enforcement point (“SEP”) with security association (“SA”) information for inspection of encrypted data in a secure, end-to-end communications path. At least one encrypted data packet is received. It is determined that SA information for decrypting the at least one encrypted data packet fails to exist locally at the SEP. A request is sent to a communication network key server for SA information associated with the at least one encrypted data packet. The SA information associated with the at least one encrypted data packet is received from the communication network key server.

摘要翻译： 提供了一种方法，网络元件和计算机存储程序产品，用于选择性地加载具有安全关联（SA））信息的通信网络安全执行点（“SEP”），以便在安全的端对端 终端通信路径。 至少接收一个加密的数据包。 确定在SEP处本地存在用于解密至少一个加密数据分组的SA信息不存在。 向通信网络密钥服务器发送与所述至少一个加密数据分组相关联的SA信息的请求。 从通信网络密钥服务器接收与该至少一个加密数据分组相关联的SA信息。

公开(公告)号：US06976164B1

公开(公告)日：2005-12-13

申请号：US09619912

申请日：2000-07-19

申请人： Julie H. King ,  Susan D. Kirkman ,  Daniel J. Labrecque ,  Linwood H. Overby, Jr. ,  Steven Wayne Pogue

发明人： Julie H. King ,  Susan D. Kirkman ,  Daniel J. Labrecque ,  Linwood H. Overby, Jr. ,  Steven Wayne Pogue

IPC分类号： G06F11/30 ,  H04L9/00 ,  H04L29/06 ,  G04K1/00

CPC分类号： H04L63/0815 ,  G06Q20/202 ,  G06Q20/367 ,  H04L63/0823 ,  Y10S707/99939

摘要： The present invention provides a method, system, and computer program product which enables changing user credentials that are used to access legacy host applications and/or systems which provide legacy host data during a secure host access session which is authenticated using a digital certificate and is protected by a host-based security system, such as RACF (Resource Access Control Facility, a product offered by the IBM Corporation), where these changed credentials are used to authenticate a user after previously-provided credentials have been used for authentication earlier in the same session. The changed credentials may belong to the same user, where that user happens to have a different user ID and/or password for different legacy host applications and wishes to change from accessing one legacy host application to accessing another. Or, the changed credentials may be used to enable a different user to interact with the same legacy host application used by the previously-authenticated user. The disclosed technique may also be used advantageously to authenticate a user for accessing an application, when the user's credentials are not changing.

摘要翻译： 本发明提供一种方法，系统和计算机程序产品，其能够改变用于访问传统主机应用的用户凭证和/或在使用数字证书认证的安全主机访问会话期间提供传统主机数据的系统，并且是 受基于主机的安全系统的保护，例如RACF（资源访问控制设施，IBM公司提供的产品），其中这些更改的凭据用于在之前提供的凭据在 相同的会话 已更改的凭据可能属于同一用户，其中该用户恰好具有不同的传统主机应用程序的不同用户ID和/或密码，并希望从访问一个旧主机应用程序改变为访问另一个。 或者，更改的凭证可以用于使不同的用户能够与先前认证的用户使用的相同的遗留主机应用交互。 当用户的凭证不改变时，所公开的技术也可以有利地用于认证用户访问应用。

公开(公告)号：US09954821B2

公开(公告)日：2018-04-24

申请号：US13547603

申请日：2012-07-12

申请人： Linwood H. Overby, Jr. ,  Joyce A. Porter ,  David J. Wierbowski

发明人： Linwood H. Overby, Jr. ,  Joyce A. Porter ,  David J. Wierbowski

IPC分类号： H04L29/06

CPC分类号： H04L63/0236 ,  H04L63/0263 ,  H04L63/164

摘要： Embodiments of the present invention address deficiencies of the art in respect to secure communications for multiple hosts in an address translation environment and provide a method, system and computer program product for IPsec SA management for multiple clients sharing a single network address. In one embodiment, a computer implemented method for IPsec SA management for multiple hosts sharing a single network address can include receiving a packet for IPsec processing for a specified client among the multiple clients sharing the single network address. A dynamic SA can be located among multiple dynamic SAs for the specified client using client identifying information exclusive of a 5-tuple produced for the dynamic SA. Finally, IPsec processing can be performed for the packet.

公开(公告)号：US09781162B2

公开(公告)日：2017-10-03

申请号：US11354360

申请日：2006-02-15

申请人： Linwood H. Overby, Jr. ,  Mark T. Wright

发明人： Linwood H. Overby, Jr. ,  Mark T. Wright

IPC分类号： H04L12/28 ,  H04L29/06

CPC分类号： H04L63/20 ,  H04L63/164

摘要： A method, system and computer program product for predictively configuring a security services protocol implementation can be provided. The method can include providing a set of network topology descriptions and determining a selection of one of the network topology descriptions. The method further can include identifying configuration settings corresponding to the selection and applying the configuration settings to the security services protocol implementation. For instance, applying the configuration settings to the security services protocol implementation can include selecting encapsulation mode and routing settings for the security services protocol implementation.