Abstract:
An embodiment of the invention is directed to a data processing system having a plurality of users, a portion of which were previously assigned permissions respectively corresponding to system resources. The embodiment includes acquiring data from a first data source, containing information pertaining to the portion of users and their permissions, and further includes acquiring data from a second data source, containing information pertaining to attributes of each user of the plurality. A set of permissions is determined for a given role, from both first and second data sources. First and second criteria are determined for assigning users to the given role, from information in the first and second data sources, respectively. A particular user is selected for admission to the given role only if the particular user is in compliance with both the first criterion and second criterion.
Abstract:
A method and apparatus are disclosed for programming software components that treats software components as the basic unit of abstraction and computation. A software component is encapsulated and classes and other program entities, such as data fields and methods, within a given component do not exist beyond a component boundary. A component interacts with other components only by means of a defined set of input and output ports. A component can inherit and implement ports declared in a template and can declare and implement new ports. A component can only access the external environment through its output ports. An output port of one component can only be connected to a conforming input port of another component. A connect statement is an explicit plumbing operation for connecting components together. Interactions between components are loosely coupled. A related set of templates can be grouped together to form a group. Groups are useful for implementing implicit invocation and multicasting.
Abstract:
Mechanisms are provided for handling client computing device requests with adaptive rule loading and session control. The mechanisms partition a set of rules, into a plurality of filter sets with each filter set having a different subset of the set of rules and being directed to identifying a different type of attack on a backend application or service. A subset of filter sets is selected to be used to validate client computing device requests received from client computing devices. The selected filter sets are applied to requests and/or responses to requests. The mechanisms dynamically modify which filter sets are included in the subset of filter sets based on an adaptive reinforcement learning operation on results of applying the selected filter sets to the requests and/or responses to requests.
Abstract:
A plurality of templates for web application server firewall rules are generated. A vulnerability report for the web application is obtained. At least one web application server firewall rule is generated, using the vulnerability report and at least one of the plurality of templates. The at least one web application server firewall rule is tested. The at least one web application server firewall rule is deployed to run on the web application server firewall.
Abstract:
At least one of an HTTP request message and an HTTP response message is intercepted. A corresponding HTTP message model is identified. The HTTP message model includes a plurality of message model sections. Additional steps include parsing a representation of the at least one of an HTTP request message and an HTTP response message into message sections in accordance with the message model sections of the HTTP message model; and binding a plurality of security rules to the message model sections. The plurality of security rules each specify at least one action to be taken in response to a given condition. The given condition is based, at least in part, on a corresponding given one of the message sections. A further step includes processing the at least one of an HTTP request message and an HTTP response message in accordance with the plurality of security rules. Techniques for developing rules for a web application server firewall are also provided.
Abstract:
Libraries and individual program components are provided with a common interface and a number of alternative implementations (e.g. hash table, tree, compressed) which can be selected. The component is instrumented to measure a cost of each of its alternative implementations, both independent of and in the context of the interaction of that component with other components of the computer program. Based on measured cost, the desired implementation is chosen for the component by an external controller that is generic to the computer program or by an application program that interfaces with the library or component.
Abstract:
A system and method for minimizing the total cost of interaction among components of a computer program, each of which is characterized by at least one implementation property. An implementation property may, for example, be a choice of string representation (e.g. ASCII, UNICODE, EBCDIC) or a choice of data structure (e.g. hash, tree, compressed). The method comprises the steps of: carrying out a run of the program; monitoring that run to measure an amount of interaction between each pair of components; determining a cost of interaction between each pair of interacting components; determining a choice of implementation properties which minimizes the total cost of the run; and assigning choices of implementation properties to said components for a future run of the program.
Abstract:
A method is provided for analyzing an object oriented program that supports dynamic class loading. A set A of classes in the program is identified, wherein each class within set A is capable of, during execution of the program, causing the loading of a class outside of set A. A first set of method calls belonging to the classes in set A is identified that, during execution of the program, are capable of calling only methods belonging to a class within set A. A second set of method calls belonging to the classes in set A is identified that, during execution of the program, are capable of calling methods belonging to a class outside set A. Data that identifies the first and the second set of method calls is stored for subsequent use.