公开(公告)号：US20050005165A1

公开(公告)日：2005-01-06

申请号：US10603648

申请日：2003-06-25

申请人： Dennis Morgan ,  Alexandru Gavrilescu ,  Jonathan Burstein ,  Art Shelest ,  David LeBlanc

发明人： Dennis Morgan ,  Alexandru Gavrilescu ,  Jonathan Burstein ,  Art Shelest ,  David LeBlanc

IPC分类号： G06F21/20 ,  G06F11/00 ,  G06F13/00 ,  G06F15/00 ,  H04L29/06 ,  H04L9/00

CPC分类号： H04L63/0227 ,  H04L63/0218 ,  H04L63/029

摘要： A method for a firewall-aware application to communicate its expectations to a firewall without requiring the firewall to change its policy or compromise network security. An application API is provided for applications to inform a firewall or firewalls of the application's needs, and a firewall API is provided that informs the firewall or firewalls of the application's needs. An interception module watches for connect and listen attempts by applications and services to the network stack on the local computer. The interception module traps these attempts and determines what user is making the attempt, what application or service is making the attempt, and conducts a firewall policy look-up to determine whether the user and/or application or service are allowed to connect to the network. If so, the interception module may instruct the host and/or edge firewall to configure itself for the connection being requested.

摘要翻译： 防火墙感知应用程序将其期望传达到防火墙的方法，而不需要防火墙更改其策略或损害网络安全性。 为应用程序提供应用程序API以通知防火墙或防火墙应用程序的需求，并提供防火墙API，通知防火墙或防火墙应用程序的需求。 拦截模块监视应用程序和服务对本地计算机上的网络堆栈的连接和监听尝试。 拦截模块捕获这些尝试，并确定用户正在进行的尝试，什么应用程序或服务正在进行尝试，并进行防火墙策略查找，以确定是否允许用户和/或应用程序或服务连接到网络 。 如果是这样，则拦截模块可以指示主机和/或边缘防火墙为正在请求的连接配置自身。

公开(公告)号：US07559082B2

公开(公告)日：2009-07-07

申请号：US10603648

申请日：2003-06-25

申请人： Dennis Morgan ,  Alexandru Gavrilescu ,  Jonathan L. Burstein ,  Art Shelest ,  David LeBlanc

发明人： Dennis Morgan ,  Alexandru Gavrilescu ,  Jonathan L. Burstein ,  Art Shelest ,  David LeBlanc

IPC分类号： H04L29/06

CPC分类号： H04L63/0227 ,  H04L63/0218 ,  H04L63/029

摘要： A method for a firewall-aware application to communicate its expectations to a firewall without requiring the firewall to change its policy or compromise network security. An application API is provided for applications to inform a firewall or firewalls of the application's needs, and a firewall API is provided that informs the firewall or firewalls of the application's needs. An interception module watches for connect and listen attempts by applications and services to the network stack on the local computer. The interception module traps these attempts and determines what user is making the attempt, what application or service is making the attempt, and conducts a firewall policy look-up to determine whether the user and/or application or service are allowed to connect to the network. If so, the interception module may instruct the host and/or edge firewall to configure itself for the connection being requested.

摘要翻译： 防火墙感知应用程序将其期望传达到防火墙的方法，而不需要防火墙更改其策略或损害网络安全性。 为应用程序提供应用程序API以通知防火墙或防火墙应用程序的需求，并提供防火墙API，通知防火墙或防火墙应用程序的需求。 拦截模块监视应用程序和服务对本地计算机上的网络堆栈的连接和监听尝试。 拦截模块捕获这些尝试，并确定用户正在进行的尝试，什么应用程序或服务正在进行尝试，并进行防火墙策略查找，以确定是否允许用户和/或应用程序或服务连接到网络 。 如果是这样，则拦截模块可以指示主机和/或边缘防火墙为正在请求的连接配置自身。

公开(公告)号：US07725586B2

公开(公告)日：2010-05-25

申请号：US11699182

申请日：2007-01-29

申请人： Art Shelest ,  Christian Huitema

发明人： Art Shelest ,  Christian Huitema

IPC分类号： G06F15/16 ,  G01R31/08

CPC分类号： G06F9/44505

摘要： A method to negotiate computer settings in advance is presented. A prediction is made to determine if the computer setting will be needed, and if needed, whether a value outside of a normal range of values will be needed. A value for the computer setting that is outside of the normal range of values is determined and the value is set to the outside value. A value within the normal range of values is used if it was predicted that there is no need for a value outside of the normal range of values.

摘要翻译： 提出了一种提前协商计算机设置的方法。 进行预测以确定是否需要计算机设置，并且如果需要，是否需要在正常值范围之外的值。 确定超出正常值范围的计算机设置的值，并将该值设置为外部值。 如果预测不需要在正常值范围之外的值，则使用在正常范围内的值。

公开(公告)号：US07698548B2

公开(公告)日：2010-04-13

申请号：US11297717

申请日：2005-12-08

申请人： Art Shelest ,  Eran Yariv ,  David Abzarian

发明人： Art Shelest ,  Eran Yariv ,  David Abzarian

IPC分类号： H04L29/06

CPC分类号： H04L63/1408 ,  H04L63/1441

摘要： Technology for applying a communications traffic security policy in which a distinct communications traffic flow is segregated based upon a security value; whereby the communications traffic security policy include one or both of a detection and an enforcement policy. The detection policy may include determining whether the segregated communications traffic flow involves malware; and, the enforcement policy may include a malware policy.

摘要翻译： 基于安全值分配不同通信业务流的通信业务安全策略的应用技术; 由此通信交通安全策略包括检测和执行策略中的一个或两个。 检测策略可以包括确定分离的通信业务流是否涉及恶意软件; 并且执法政策可能包括恶意软件策略。

公开(公告)号：US07591010B2

公开(公告)日：2009-09-15

申请号：US11039637

申请日：2005-01-19

申请人： Art Shelest ,  Scott A. Field ,  Subhashini Raghunathan

发明人： Art Shelest ,  Scott A. Field ,  Subhashini Raghunathan

IPC分类号： G06F9/00 ,  G06F15/16 ,  G06F17/00

CPC分类号： G06F21/55

摘要： A method and system that enables a security policy to separate developer-provided detection criteria from an administrator-provided custom policy is provided. The security system allows a developer of detection criteria to provide a signature file containing the signatures that are available for use by a security policy. The security system also allows an administrator of a computer system to specify a custom policy that uses the signatures of the signature file. The developer may distribute the signature file to host computer systems independently of the administrator's distribution of the rules of the custom policy to the host computer systems. When a security enforcement event occurs at the host computer system, the security system applies the rules of the security policy to the event.

摘要翻译： 提供了一种使安全策略能够将开发人员提供的检测标准与管理员提供的自定义策略分开的方法和系统。 安全系统允许检测标准的开发者提供包含可由安全策略使用的签名的签名文件。 安全系统还允许计算机系统的管理员指定使用签名文件签名的自定义策略。 开发人员可以将签名文件分发到主机计算机系统，而不管管理员将自定义策略的规则分发给主机系统。 当主机计算机系统发生安全执行事件时，安全系统将安全策略的规则应用于事件。

公开(公告)号：US07503068B2

公开(公告)日：2009-03-10

申请号：US10779950

申请日：2004-02-13

申请人： Sanjay Kaniyar ,  Art Shelest ,  Nk Srinivas ,  Scott K. Holden

发明人： Sanjay Kaniyar ,  Art Shelest ,  Nk Srinivas ,  Scott K. Holden

IPC分类号： H04L9/00

CPC分类号： H04L47/34 ,  H04L63/1458

摘要： An initial sequence number generator is provided that prevents the local server from being attacked while maintaining reliable data transfer. A random intermediate value is created that is unique to each connection identifier and is combined with a random value created from a global counter to generate the initial sequence number. The counter capable of monotonically increasing by both a fixed and variable amount for ensuring that the same connection identifier does not have data collisions from competing sequence numbers within a predetermined period of time, and also to ensures randomness of the initial sequence number on a per connection basis for preventing attacks on the local server.

摘要翻译： 提供了初始序列号生成器，其防止本地服务器在保持可靠的数据传输的同时受到攻击。 创建对每个连接标识符唯一的随机中间值，并与从全局计数器创建的随机值组合以生成初始序列号。 该计数器能够通过固定和可变量单调增加，以确保相同的连接标识符在预定时间段内没有来自竞争序列号的数据冲突，并且还确保每个连接上的初始序列号的随机性 防止对本地服务器的攻击的基础。

公开(公告)号：US07305705B2

公开(公告)日：2007-12-04

申请号：US10611832

申请日：2003-06-30

申请人： Art Shelest ,  Christian Huitema

发明人： Art Shelest ,  Christian Huitema

IPC分类号： G06F15/16

CPC分类号： H04L63/0272 ,  H04L9/3218 ,  H04L63/029 ,  H04L63/0442 ,  H04L63/08 ,  H04L63/083 ,  H04L63/0853 ,  H04L63/1458 ,  H04L63/166 ,  H04L2209/56 ,  H04L2209/76 ,  H04L2209/80

摘要： A firewall acts as a transparent gateway to a server within a private network by initiating an unsolicited challenge to a client to provide authentication credentials. After receiving the client's credentials, the firewall verifies the authentication credentials and establishes a secure channel for accessing the server. Data destined for the server from the client may be forwarded through the firewall using the secure channel. The firewall may sign, or otherwise indicate that data forwarded to the server is from a client that the firewall has authenticated. The firewall also may provide some level of authentication to the client. While connected to the server, the client may access other servers external to the private network without having the data associated with the other servers pass through the private network. The firewall reduces configuration information that a client otherwise must maintain to access various private network servers.

摘要翻译： 防火墙通过向客户端发起未经请求的挑战来提供认证凭据，作为私有网络中的服务器的透明网关。 在收到客户端凭据后，防火墙会验证身份验证凭据，并建立一个用于访问服务器的安全通道。 从客户端发往服务器的数据可以使用安全通道通过防火墙转发。 防火墙可以签署或以其他方式指示转发到服务器的数据来自防火墙已经认证的客户端。 防火墙还可以向客户端提供一定程度的认证。 当连接到服务器时，客户端可以访问专用网络外部的其他服务器，而不会使与其他服务器相关联的数据通过专用网络。 防火墙可以减少客户端必须维护的配置信息，以访问各种专用网络服务器。

公开(公告)号：US20060282876A1

公开(公告)日：2006-12-14

申请号：US11150819

申请日：2005-06-09

申请人： Art Shelest ,  Carl Ellison

发明人： Art Shelest ,  Carl Ellison

IPC分类号： G06F17/00

CPC分类号： G06F21/6218

摘要： A conditional activation system distributes a security policy to the computer systems of an enterprise. Upon receiving a security policy at a computer system, the computer system may install the received security policy without activation. When a security policy is installed without activation, it is loaded onto a computer system but is not used to process security enforcement events. The computer system may then determine whether a security policy activation criterion has been satisfied and, if so, activate the security policy.

公开(公告)号：US20060218635A1

公开(公告)日：2006-09-28

申请号：US11090679

申请日：2005-03-25

申请人： Michael Kramer ,  Art Shelest ,  Carl Carter-Schwendler ,  Gary Henderson ,  Scott Field ,  Sterling Reasor

发明人： Michael Kramer ,  Art Shelest ,  Carl Carter-Schwendler ,  Gary Henderson ,  Scott Field ,  Sterling Reasor

IPC分类号： G06F12/14

CPC分类号： G06F21/56 ,  G06F21/57 ,  H04L41/0659 ,  H04L41/0816 ,  H04L63/02 ,  H04L63/1441 ,  H04L69/40

摘要： A system and method for protecting a computer system connected to a communication network from a potential vulnerability. The system and method protects a computer system that is about to undergo or has just undergone a change in state that may result in placing the computer system at risk to viruses, and the like, over a communication network. The system and method first detect an imminent or recent change in state. A security component and a fixing component react to the detection of the change in state. The security component may raise the security level to block incoming network information, other than information from a secure or known location, or information requested by the computer system. The fixing component implements a fixing routine, such as installing missing updates or patches, and on successfully completing the fixing routine, the security level is relaxed or lowered.

公开(公告)号：US20060174318A1

公开(公告)日：2006-08-03

申请号：US11045733

申请日：2005-01-28

申请人： Art Shelest ,  Pradeep Bahl ,  Scott Field

发明人： Art Shelest ,  Pradeep Bahl ,  Scott Field

IPC分类号： H04L9/00 ,  G06F17/00 ,  H04K1/00 ,  G06F12/14 ,  G06F11/00 ,  G06F11/22 ,  G06F11/30 ,  G06F11/32 ,  G06F11/34 ,  G06F11/36 ,  G06F12/16 ,  G06F15/18 ,  G08B23/00

CPC分类号： H04L63/10 ,  G06F11/079 ,  G06F21/53 ,  G06F21/554

摘要： A method and system for selectively excluding a program from a security policy is provided. The security system receives from a user an indication of a program with a problem that is to be excluded from the security policy. When the program executes and a security enforcement event occurs, the security system does not apply the security policy. If the problem appears to be resolved as a result of excluding the program from the security policy, then the user may assume that the security policy is the cause of the problem.

摘要翻译： 提供了一种用于从安全策略中选择性地排除程序的方法和系统。 安全系统从用户接收到具有要从安全策略中排除的问题的程序的指示。 当程序执行并发生安全执行事件时，安全系统不应用安全策略。 如果由于从安全策略中排除程序，问题似乎得到解决，那么用户可能认为安全策略是问题的原因。