Method and system for transparently encrypting sensitive information
    2.
    Granted invention patent
    Method and system for transparently encrypting sensitive information (status: in force)

    Publication (announcement) number: US08135948B2

    Publication (announcement) date: 2012-03-13

    Application number: US11698976

    Filing date: 2007-01-29

    IPC classification: H04L29/06

    Abstract: A method for transparently encrypting sensitive information, comprising detecting at least one literal in a database command that includes sensitive information. The literal is extracted from the database command. The literal is encrypted thereby forming an encrypted string. The literal is replaced by the encrypted string in the database command.

    Method and system for transparently encrypting sensitive information
    3.
    Invention patent application
    Method and system for transparently encrypting sensitive information (status: in force)

    Publication (announcement) number: US20070294539A1

    Publication (announcement) date: 2007-12-20

    Application number: US11698976

    Filing date: 2007-01-29

    IPC classification: H04K1/00

    Abstract: A method for transparently encrypting sensitive information, comprising detecting at least one literal in a database command that includes sensitive information. The literal is extracted from the database command. The literal is encrypted thereby forming an encrypted string. The literal is replaced by the encrypted string in the database command.

    System for securing the flow of and selectively modifying packets in a computer network
    4.
    Granted invention patent
    System for securing the flow of and selectively modifying packets in a computer network (status: expired)

    Publication (announcement) number: US5835726A

    Publication (announcement) date: 1998-11-10

    Application number: US664839

    Filing date: 1996-06-17

    Abstract: The present invention discloses a novel system for controlling the inbound and outbound data packet flow in a computer network. By controlling the packet flow in a computer network, private networks can be secured from outside attacks in addition to controlling the flow of packets from within the private network to the outside world. A user generates a rule base which is then converted into a set of filter language instructions. Each rule in the rule base includes a source, destination, service, whether to accept or reject the packet and whether to log the event. The set of filter language instructions are installed and execute on inspection engines which are placed on computers acting as firewalls. The firewalls are positioned in the computer network such that all traffic to and from the network to be protected is forced to pass through the firewall. Thus, packets are filtered as they flow into and out of the network in accordance with the rules comprising the rule base. The inspection engine acts as a virtual packet filtering machine which determines on a packet by packet basis whether to reject or accept a packet. If a packet is rejected, it is dropped. If it is accepted, the packet may then be modified. Modification may include encryption, decryption, signature generation, signature verification or address translation. All modifications are performed in accordance with the contents of the rule base. The present invention provides additional security to a computer network by encrypting communications between two firewalls or between a client and a firewall. This permits the use of insecure public networks in constructing a WAN that includes both private and public network segments, thus forming a virtual private network.
