-
Publication (announcement) number: US07512782B2
Publication (announcement) date: 2009-03-31
Application number: US10218584
Filing date: 2002-08-15
Applicants: Christopher G. Kaler, John P. Shewchuk, Giovanni Moises Della-Libera, Robert George Atkinson
Inventors: Christopher G. Kaler, John P. Shewchuk, Giovanni Moises Della-Libera, Robert George Atkinson
Abstract: A method and system are provided such that a universal license may be used for authentication and authorization purposes and may include one or more cryptographic keys as well as assertions and related indications of authenticity. In an aspect of the invention, a license may be presented that includes access information, such that authentication and authorization decisions may be made based only on the access information. In other aspects of the invention, rights may be delegated and a trusted party may assert that another party can be trusted.
-
Publication (announcement) number: US07373666B2
Publication (announcement) date: 2008-05-13
Application number: US10185008
Filing date: 2002-07-01
CPC classification: G06F21/554
Abstract: A method and system are provided for managing a security threat in a distributed system. A distributed element of the system detects and reports suspicious activity to a threat management agent. The threat management agent determines whether an attack is taking place and deploys a countermeasure to the attack when the attack is determined to be taking place. Another method and system are also provided for managing a security threat in a distributed system. A threat management agent reviews reported suspicious activity, including suspicious activity reported from at least one distributed element of the system, determines, based on the reports, whether a pattern characteristic of an attack occurred, and predicts when a next attack is likely to occur. Deployment of a countermeasure to the predicted next attack is directed in a time window based on when the next attack is predicted to occur.
-
Publication (announcement) number: US07707637B2
Publication (announcement) date: 2010-04-27
Application number: US12058156
Filing date: 2008-03-28
CPC classification: G06F21/554
Abstract: A method and system are provided for managing a security threat in a distributed system. A distributed element of the system detects and reports suspicious activity to a threat management agent. The threat management agent determines whether an attack is taking place and deploys a countermeasure to the attack when the attack is determined to be taking place. Another method and system are also provided for managing a security threat in a distributed system. A threat management agent reviews reported suspicious activity, including suspicious activity reported from at least one distributed element of the system, determines, based on the reports, whether a pattern characteristic of an attack occurred, and predicts when a next attack is likely to occur. Deployment of a countermeasure to the predicted next attack is directed in a time window based on when the next attack is predicted to occur.
-
Publication (announcement) number: US08086849B2
Publication (announcement) date: 2011-12-27
Application number: US10210067
Filing date: 2002-08-02
IPC classification: H04L9/00
CPC classification: H04L63/0428, H04L63/08, H04L63/126
Abstract: A method and system are provided for delivering event messages in a secure, scalable manner. A network includes an event distribution device serving as an event generation device for generating and disseminating an event message through the network to event distribution devices serving as edge event delivery devices having recipient devices connected thereto. Event messages may be encrypted at the event generation device for each of the destination recipient devices, or event messages may be encrypted at each of the edge event delivery devices for delivery to the respective recipient devices connected thereto. A signing key may also be included with the encrypted message such that the respective recipient devices may authenticate a sender of the encrypted message based on the signing key. Encryption keys may be established based on policies of the network of event distribution devices or based on policies of the respective recipient devices.
-
Publication (announcement) number: US20090013410A1
Publication (announcement) date: 2009-01-08
Application number: US12058156
Filing date: 2008-03-28
IPC classification: G06F21/00
CPC classification: G06F21/554
Abstract: A method and system are provided for managing a security threat in a distributed system. A distributed element of the system detects and reports suspicious activity to a threat management agent. The threat management agent determines whether an attack is taking place and deploys a countermeasure to the attack when the attack is determined to be taking place. Another method and system are also provided for managing a security threat in a distributed system. A threat management agent reviews reported suspicious activity, including suspicious activity reported from at least one distributed element of the system, determines, based on the reports, whether a pattern characteristic of an attack occurred, and predicts when a next attack is likely to occur. Deployment of a countermeasure to the predicted next attack is directed in a time window based on when the next attack is predicted to occur.
-
Publication (announcement) number: US07447785B2
Publication (announcement) date: 2008-11-04
Application number: US10403857
Filing date: 2003-03-31
Applicants: Christopher G. Kaler, Erik B. Christensen, Giovanni M. Della-Libera, John P. Shewchuk, Stephen J. Millet, Steven E. Lucco
Inventors: Christopher G. Kaler, Erik B. Christensen, Giovanni M. Della-Libera, John P. Shewchuk, Stephen J. Millet, Steven E. Lucco
IPC classification: G06F15/16
CPC classification: H04L63/102, H04L67/327, H04L69/329, H04L2463/102
Abstract: A network site often provides multiple offerings, each having its own context. The complete context for one of the offerings is stored. That complete context represents the root node in a hierarchical tree of context nodes, each node representing the context information for one or more of the offerings. Each node in the tree includes a reference to its parent node, followed by a description of the incremental changes to the context information as compared to the context information of the parent node. Accordingly, the context information for a particular node in the tree may be obtained by combining the complete context of the root node offering with the incremental changes described in the other nodes of the ancestral chain that leads from the particular offering to the root offering.
-
Publication (announcement) number: US07313687B2
Publication (announcement) date: 2007-12-25
Application number: US10340694
Filing date: 2003-01-10
IPC classification: H04L9/00
CPC classification: H04L67/34, H04L29/06, H04L63/12, H04L67/327, H04L69/329
Abstract: A first application layer at a first message processor identifies a first portion of context information. A second message processor receives the first portion of context information. A second application layer at the second message processor identifies a second portion of context information. The second message processor sends the second portion of context information along with a first digital signature created from both the first and second portions of context information. The first message processor receives the second portion of context information and the first digital signature. The first message processor sends a second digital signature, created from the first and second portions of context information, to the second message processor. If both the first and second digital signatures are authenticated, a secure context can be established between the first and second application layers.
-
Publication (announcement) number: US07899047B2
Publication (announcement) date: 2011-03-01
Application number: US11838161
Filing date: 2007-08-13
Applicants: Luis F. Cabrera, Erik B. Christensen, Giovanni M. Della-Libera, Christopher G. Kaler, David E. Levin, Bradford H. Lovering, Steven E. Lucco, Stephen J. Millet, John P. Shewchuk, Robert S. Wahbe, David A. Wortendyke
Inventors: Luis F. Cabrera, Erik B. Christensen, Giovanni M. Della-Libera, Christopher G. Kaler, David E. Levin, Bradford H. Lovering, Steven E. Lucco, Stephen J. Millet, John P. Shewchuk, Robert S. Wahbe, David A. Wortendyke
IPC classification: H04L12/56
CPC classification: H04L61/15, H04L29/12047, H04L67/327, H04L69/32
Abstract: Methods and systems for providing a virtual network are disclosed. At least one layer of abstraction is created between network service applications and conventional network protocols by inserting an adaptive dispatcher between applications and network transport services on each machine in a network. The message protocol in the virtual network is extensible, allowing application programs to create new headers within any message as needed. The adaptive dispatcher contains handlers that route and dispatch messages within the virtual network based on arbitrary content within each message, including any combination of headers and/or data content. Each device on the virtual network has a virtual address to which messages are directed, allowing devices to move within the network without reconfiguring routing tables. Handlers may be created automatically when an event meeting predefined criteria occurs, including the non-occurrence of a condition, making the virtual network self-healing and adaptive to reconfiguration.
-
Publication (announcement) number: US07746250B2
Publication (announcement) date: 2010-06-29
Application number: US12023998
Filing date: 2008-01-31
IPC classification: H03M7/30
Abstract: Communication of a compressed message over a communication channel between message processors. The compressed message may be expressed in terms of an explicit or implicit template identification and the values of one or more parameters. Based on the template identification, the meaning of the one or more parameters may be understood, whereas the meaning of the parameter(s) may not be understood without knowledge of the template. The template provides semantic context for the one or more parameters. The transmitting message processor may have compressed the message using the identified template. Alternatively or in addition, the receiving message processor may decompress the message using the identified template. The template itself need not be part of the compressed message as transmitted.
-
Publication (announcement) number: US07627759B2
Publication (announcement) date: 2009-12-01
Application number: US11548266
Filing date: 2006-10-10
Applicants: David E. Langworthy, Christopher G. Kaler, Luis Felipe Cabrera, Patrick J. Helland, Steven E. Lucco, John P. Shewchuk
Inventors: David E. Langworthy, Christopher G. Kaler, Luis Felipe Cabrera, Patrick J. Helland, Steven E. Lucco, John P. Shewchuk
IPC classification: G06F9/24
CPC classification: H04L69/16, H04L67/02, H04L69/162, H04L69/163
Abstract: Reliable end-to-end messaging in which tracking and acknowledgement information is contained in the electronic message and is visible to layers above the transport layer, thereby being independent of which transport protocols, and whether different transport protocols, are used to communicate between the two end points. Furthermore, acknowledgment messages may identify multiple ranges of sequence numbers corresponding to received electronic messages, thereby permitting further flexibility and completeness in acknowledging received messages.