Administration of computing entities in a network
    11.
    Invention application
    Administration of computing entities in a network (under examination, published)

    Publication number: US20050132231A1

    Publication date: 2005-06-16

    Application number: US11004349

    Filing date: 2004-12-03

    CPC classification number: H04L63/0227 G06F21/554 H04L63/083 H04L63/166

    Abstract: A computer program product for monitoring a user computing entity's status, the program being adapted to: evaluate one or more parameters of operation of one or more functional elements of the user entity; if an evaluated parameter has a value outside of a predetermined range which is indicative of normal user entity behaviour, operate the user entity to enable, in a predetermined manner, administrative access to the user entity to be gained by an administrative computing entity, thereby to permit the administrative entity to perform an administrative operation on the user entity.

    Multiple trusted computing environments with verifiable environment identities

    Publication number: US07076655B2

    Publication date: 2006-07-11

    Application number: US10175183

    Filing date: 2002-06-18

    CPC classification number: G06F21/53 G06F21/57 G06F2221/2103 G06F2221/2149

    Abstract: A host computing platform 20 provides one or more computing environments 24 and includes a trusted device 213 arranged to form an integrity metric individual to each computing environment 24. The integrity metric is provided to a user 10 in response to an integrity challenge, signed for authentication using a signature key 213 held by the trusted device. In one embodiment the trusted device 213 selects a signature key unique to the computing environment 24, or in a second embodiment the trusted device forms the signed integrity metric including an identity label, in each case such that the user 10 can verify that the signed integrity metric corresponds to the expected computing environment 24.

    Restricting virus access to a network
    14.
    Invention application
    Restricting virus access to a network (under examination, published)

    Publication number: US20050289245A1

    Publication date: 2005-12-29

    Application number: US11144461

    Filing date: 2005-06-03

    CPC classification number: H04L63/0236 H04L29/06 H04L63/1416

    Abstract: A method of restricting data communication to a network, the network comprising a plurality of data processors and a network communication element arranged to receive data communications originating outside the network, the method comprising monitoring data communications originating from outside the network and received at the network communication element and identifying the intended recipient data processor within the network of the received data communications; and determining if the identified intended recipient data processor has a corresponding entry on a record of network data processors and if not, adding a corresponding entry to the first record of network data processors and adding a corresponding entry to a second record of network data processors.

    Checking a security value calculated for a part of a program code

    Publication number: US20180276374A1

    Publication date: 2018-09-27

    Application number: US15764170

    Filing date: 2015-10-29

    Abstract: An apparatus includes a first processing resource to execute a program code, and a second processing resource separate from the first processing resource. The program code includes an embedded execution unit. The execution unit, during execution of the program code, calculates a first security value for a part of the program code. The second processing resource runs a validation program. The validation program receives the first security value, checks the first security value against a second security value calculated from a corresponding part of a reference copy of the program code to obtain a check result, returns the check result to the execution unit. The execution unit performs a security-related action in response to a check result indicating a mismatch between the first security value and the second security value.

    Propagation of malicious code through an information technology network
    16.
    Granted invention patent
    Propagation of malicious code through an information technology network (in force)

    Publication number: US09143524B2

    Publication date: 2015-09-22

    Application number: US11494289

    Filing date: 2006-07-26

    CPC classification number: H04L63/1441 G06F21/56

    Abstract: A method of restricting transmission of data packets from a host entity in a network, including: transmitting outgoing packets to destination hosts whose identities are contained in a record stored in a working set of host identity records; over the course of repeated predetermined time intervals, restricting, to a predetermined number, destination hosts not identified in the working set to which packets may be transmitted; upon transmission of a packet to a host whose identity is not contained in a record in the working set, adding a record containing the host's identity to the working set and attributing a time to live to the record; deleting each record from the working set whose time to live has expired.

    Propagation of malicious code through an information technology network
    17.
    Invention application
    Propagation of malicious code through an information technology network (under examination, published)

    Publication number: US20110173675A9

    Publication date: 2011-07-14

    Application number: US11494291

    Filing date: 2006-07-26

    CPC classification number: H04L63/1441 G06F21/56

    Abstract: A method of restricting transmission of data packets from a host entity in a network, comprising: transmitting outgoing packets to destination hosts whose identities are contained in a record stored in a working set of host identity records; over the course of repeated predetermined time intervals, restricting, to a predetermined number, destination hosts not identified in the working set and to which packets may be transmitted; deleting packets whose transmission has been restricted.

    Propagation of viruses through an information technology network
    18.
    Granted invention patent
    Propagation of viruses through an information technology network (in force)

    Publication number: US07437758B2

    Publication date: 2008-10-14

    Application number: US10697044

    Filing date: 2003-10-31

    CPC classification number: H04L63/10 H04L63/145

    Abstract: Propagation of viruses in a network having a plurality of hosts is restricted. Network activity of a first host of the plurality is monitored, and a first record established which is at least indicative of identities of hosts within the network contacted by a first host. Contact of the first host to other hosts within the network is limited over the course of a first time interval, so that during the first time interval the first host is unable to contact more than a predetermined number of hosts not in the first record. The method further includes an additional selection process for determining hosts of the plurality the first host is allowed to contact.

    Network administration
    20.
    Invention application
    Network administration (under examination, published)

    Publication number: US20050243730A1

    Publication date: 2005-11-03

    Application number: US11119057

    Filing date: 2005-04-28

    CPC classification number: H04L41/28 H04L63/1433

    Abstract: A method of administering a network comprises the steps of: detecting the occurrence of a triggering event alerting an administrator to the presence of a user entity on the network, the triggering event being selected from the group consisting of: (i) allocation of a network address to the user entity; (ii) alteration of the user entity's network address; (iii) an action by the user entity causing resolution between a network address and an identifier; (iv) association of the user entity's network address and an identifier. Upon detecting such an event, the user entity having the network address is scanned for vulnerabilities by sending at least one outward packet to it, for example seeking to establish a connection on a particular port, and the response, if any, is then used to determine whether it is vulnerable to known malicious code.
