公开(公告)号：US07171685B2

公开(公告)日：2007-01-30

申请号：US09935395

申请日：2001-08-23

申请人： Gaurav Batra ,  Dave Kemper ,  Charles Kunzinger ,  Guha Prasad Venkataraman ,  Jacqueline Hegedus Wilson

发明人： Gaurav Batra ,  Dave Kemper ,  Charles Kunzinger ,  Guha Prasad Venkataraman ,  Jacqueline Hegedus Wilson

IPC分类号： G06F9/00 ,  G06F17/21

CPC分类号： H04L63/0272 ,  H04L63/0435 ,  H04L63/0442 ,  H04L63/061 ,  H04L63/08 ,  H04L63/0823 ,  H04L63/20

摘要： A data processing system, method, and product are disclosed for automatically configuring IP security tunnels. A security policy specification format is established that is capable of being utilized by any one of multiple different operating systems and any one of multiple different machine types. An IP security tunnel is automatically configured utilizing the security policy specification format.

摘要翻译： 公开了一种数据处理系统，方法和产品，用于自动配置IP安全隧道。 建立了能够被多个不同操作系统中的任何一个和多种不同机器类型中的任何一种使用的安全策略规范格式。 使用安全策略规范格式自动配置IP安全隧道。

公开(公告)号：US06938155B2

公开(公告)日：2005-08-30

申请号：US09864136

申请日：2001-05-24

申请人： Ajit Clarence D'Sa ,  William Alton Fiveash ,  Denise Marie Genty ,  Guha Prasad Venkataraman ,  Jacqueline Hegedus Wilson

发明人： Ajit Clarence D'Sa ,  William Alton Fiveash ,  Denise Marie Genty ,  Guha Prasad Venkataraman ,  Jacqueline Hegedus Wilson

IPC分类号： H04L29/06 ,  H04L9/00

CPC分类号： H04L63/0272 ,  H04L63/0823

摘要： A system and method for providing multiple virtual private networks from a computer system. The computer system communicates with a remote computer system in order to allow encrypted data traffic to flow between the respective systems. Two phases are used to authenticate the computer systems to one another. During the first phase, digital certificates or pre-shared keys are used to authenticate the computer systems. A phase 1 ID rules list contains authentication rules for local-remote computer pairs. During the second phase, a hash value is used to authenticate the computer systems and a security association payload is created. The remote system's IP address is used for connecting. The phase 1 ID rules list corresponds to one or more phase 2 ID rules lists. If the remote ID is not found in the phase 2 ID rules list, a default rule is used based upon the phase 1 ID rules list.

摘要翻译： 一种用于从计算机系统提供多个虚拟专用网络的系统和方法。 计算机系统与远程计算机系统进行通信，以允许加密的数据流量在各个系统之间流动。 两个阶段用于将计算机系统彼此认证。 在第一阶段，数字证书或预共享密钥用于认证计算机系统。 第1阶段ID规则列表包含本地远程计算机对的身份验证规则。 在第二阶段期间，使用散列值来认证计算机系统，并创建安全关联有效载荷。 远程系统的IP地址用于连接。 阶段1 ID规则列表对应于一个或多个阶段2 ID规则列表。 如果在第2阶段ID规则列表中找不到远程ID，则将根据第1阶段规则列表使用默认规则。

公开(公告)号：US07003662B2

公开(公告)日：2006-02-21

申请号：US09864112

申请日：2001-05-24

申请人： Denise Marie Genty ,  Guha Prasad Venkataraman ,  Jacqueline Hegedus Wilson

发明人： Denise Marie Genty ,  Guha Prasad Venkataraman ,  Jacqueline Hegedus Wilson

IPC分类号： H04L9/00 ,  G06F15/16

CPC分类号： H04L63/0272 ,  G06Q20/0855 ,  G06Q50/188 ,  H04L63/0435 ,  H04L63/0442 ,  H04L63/0823 ,  H04L63/12 ,  H04L63/164 ,  H04L63/20

摘要： A system and method for dynamically determining a CRL location and protocol. CRL location names and protocols are retrieved from a digital certificate data structure which includes a network servers that contain the CRL file. A determination is made as to whether any of the servers reside in the current domain, in which case the server is used because the data is more secure. If no locations are within the current domain, Internet servers outside the current domain are analyzed. Security parameters may be established that restrict which Internet servers can be used to retrieve the data. The security parameters may also include which access methods may be used to retrieve data since some access methods provide greater security than other access methods. A security parameter may also be based upon both the access method and the name, or address, of the Internet server.

公开(公告)号：US20080229417A1

公开(公告)日：2008-09-18

申请号：US12110846

申请日：2008-04-28

申请人： Denise Marie Genty ,  Shawn Patrick Mullen ,  Bhargavi Bheemreddy Reddy ,  Jacqueline Hegedus Wilson

发明人： Denise Marie Genty ,  Shawn Patrick Mullen ,  Bhargavi Bheemreddy Reddy ,  Jacqueline Hegedus Wilson

IPC分类号： G06F12/14 ,  G06N5/02 ,  G06N5/04

CPC分类号： G06N5/04 ,  G06N3/02

摘要： A computer implemented method, data processing system, and computer program product for monitoring system events and providing real-time response to security threats. System data is collected by monitors in the computing system. The expert system of the present invention compares the data against information in a knowledge base to identify a security threat to a system resource in a form of a system event and an action for mitigating effects of the system event. A determination is made as to whether a threat risk value of the system event is greater than an action risk value of the action for mitigating the system event. If the threat risk value is greater, a determination is made as to whether a trust value set by a user is greater than the action risk value. If the trust value is greater, the expert system executes the action against the security threat.

摘要翻译： 计算机实现的方法，数据处理系统和计算机程序产品，用于监控系统事件并提供对安全威胁的实时响应。 系统数据由计算系统中的监视器收集。 本发明的专家系统将数据与知识库中的信息进行比较，以系统事件的形式识别对系统资源的安全威胁以及减轻系统事件影响的动作。 确定系统事件的威胁风险值是否大于用于减轻系统事件的动作的动作风险值。 如果威胁风险值较大，则确定用户设置的信任值是否大于动作风险值。 如果信任值较大，专家系统将针对安全威胁执行操作。

公开(公告)号：US6076168A

公开(公告)日：2000-06-13

申请号：US943166

申请日：1997-10-03

申请人： William Alton Fiveash ,  Xinya Wang ,  Christiaan Blake Wenzel ,  Jacqueline Hegedus Wilson ,  Opral Vanan Wisham

发明人： William Alton Fiveash ,  Xinya Wang ,  Christiaan Blake Wenzel ,  Jacqueline Hegedus Wilson ,  Opral Vanan Wisham

IPC分类号： H04L29/06 ,  G06F13/00

CPC分类号： H04L63/0263

摘要： A method of securing data traffic between a local and remote host systems is provided. The method includes autogenerating a filter having rules associated with a defined tunnel. The filter rules are used to permit or deny acceptance of transmitted data by the host system and to direct traffic to the tunnel. The tunnel, on the other hand, is used to keep data confidential. The method further includes autogeneration of a counterpart tunnel and associated filter to be used by the remote host when in communication with the local host. The method further autogenerates a new filter to reflect changes to any one of the tunnels and autodeactivates the filter associated with a deleted tunnel.

摘要翻译： 提供了一种在本地和远程主机系统之间保护数据流量的方法。 该方法包括自动生成具有与定义的隧道相关联的规则的过滤器。 过滤规则用于允许或拒绝主机系统接收传输的数据，并将流量引导到隧道。 另一方面，隧道用于保密数据。 该方法还包括对等通道和相关过滤器的自动生成，以在远程主机与本地主机通信时使用。 该方法还自动生成新的过滤器，以反映对任何一个隧道的更改，并自动停用与删除的隧道相关联的过滤器。

公开(公告)号：US06823462B1

公开(公告)日：2004-11-23

申请号：US09657122

申请日：2000-09-07

申请人： Pau-Chen Cheng ,  Ajit Clarence D'Sa ,  Jian Hua Feng ,  Denise Marie Genty ,  Jacqueline Hegedus Wilson

发明人： Pau-Chen Cheng ,  Ajit Clarence D'Sa ,  Jian Hua Feng ,  Denise Marie Genty ,  Jacqueline Hegedus Wilson

IPC分类号： H04L900

CPC分类号： H04L63/0272 ,  H04L12/4641

摘要： A method, network system and computer program product for establishing a server node in a virtual private network with a single tunnel definition and a single security policy for a plurality of tunnels associated with a group name. In one embodiment, a method comprises the step of configuring a group database in the server node. The group database in the server node comprises the group name and a list of members associated with the group name. The method further comprises configuring a rules database in the server node. The rules database associates the group name with a particular security policy. The method further comprises configuring a tunnel definition database in the server node. In the tunnel definition database, the remote ID is defined as the group name. In another embodiment of the present invention, the list of members associated with the group name comprises a non-contiguous list of ID types. In another embodiment of the present invention, the members associated with the group name are identified by any specified name.

摘要翻译： 一种方法，网络系统和计算机程序产品，用于在虚拟专用网络中建立具有单个隧道定义的服务器节点和用于与组名称相关联的多个隧道的单个安全策略。 在一个实施例中，一种方法包括在服务器节点中配置组数据库的步骤。 服务器节点中的组数据库包括组名和与组名关联的成员列表。 该方法还包括在服务器节点中配置规则数据库。 规则数据库将组名称与特定安全策略相关联。 该方法还包括在服务器节点中配置隧道定义数据库。 在隧道定义数据库中，远程ID被定义为组名称。 在本发明的另一个实施例中，与组名相关联的成员列表包括不连续的ID类型列表。 在本发明的另一个实施例中，与组名相关联的成员由任何指定的名称来标识。

公开(公告)号：US06738909B1

公开(公告)日：2004-05-18

申请号：US09389199

申请日：1999-09-02

申请人： Pau-Chen Cheng ,  William Alton Fiveash ,  Vachaspathi Peter Kompella ,  Christiaan Blake Wenzel ,  Jacqueline Hegedus Wilson

发明人： Pau-Chen Cheng ,  William Alton Fiveash ,  Vachaspathi Peter Kompella ,  Christiaan Blake Wenzel ,  Jacqueline Hegedus Wilson

IPC分类号： H04L932

CPC分类号： H04L63/0227 ,  H04L63/0428 ,  H04L63/12 ,  H04L63/164

摘要： A method and apparatus for use in data processing system for selecting rules to filter data for a tunnel. A request is received to create a tunnel to another data processing system. A granularity of information about the data processing system is identified to form an identified granularity. The identified granularity of the information about the data processing system is used to select a rule, which matches the identified granularity. This rule is placed in a filter, wherein the filter associates data packets with the tunnel.

摘要翻译： 一种在数据处理系统中用于选择用于过滤隧道数据的规则的方法和装置。 接收请求以创建到另一数据处理系统的隧道。 识别关于数据处理系统的信息的粒度以形成所识别的粒度。 使用关于数据处理系统的信息的所确定的粒度来选择与所识别的粒度相匹配的规则。 该规则被放置在过滤器中，其中过滤器将数据分组与隧道相关联。

公开(公告)号：US07577623B2

公开(公告)日：2009-08-18

申请号：US12110846

申请日：2008-04-28

申请人： Denise Marie Genty ,  Shawn Patrick Mullen ,  Bhargavi Bheemreddy Reddy ,  Jacqueline Hegedus Wilson

发明人： Denise Marie Genty ,  Shawn Patrick Mullen ,  Bhargavi Bheemreddy Reddy ,  Jacqueline Hegedus Wilson

IPC分类号： G06N5/02 ,  G06F11/00

CPC分类号： G06N5/04 ,  G06N3/02

摘要： A computer implemented method, data processing system, and computer program product for monitoring system events and providing real-time response to security threats. System data is collected by monitors in the computing system. The expert system of the present invention compares the data against information in a knowledge base to identify a security threat to a system resource in a form of a system event and an action for mitigating effects of the system event. A determination is made as to whether a threat risk value of the system event is greater than an action risk value of the action for mitigating the system event. If the threat risk value is greater, a determination is made as to whether a trust value set by a user is greater than the action risk value. If the trust value is greater, the expert system executes the action against the security threat.

摘要翻译： 计算机实现的方法，数据处理系统和计算机程序产品，用于监控系统事件并提供对安全威胁的实时响应。 系统数据由计算系统中的监视器收集。 本发明的专家系统将数据与知识库中的信息进行比较，以系统事件的形式识别对系统资源的安全威胁以及减轻系统事件影响的动作。 确定系统事件的威胁风险值是否大于用于减轻系统事件的动作的动作风险值。 如果威胁风险值较大，则确定用户设置的信任值是否大于动作风险值。 如果信任值较大，专家系统将针对安全威胁执行操作。

公开(公告)号：US07461036B2

公开(公告)日：2008-12-02

申请号：US11334671

申请日：2006-01-18

申请人： Denise Marie Genty ,  Shawn Patrick Mullen ,  Bhargavi Bheemreddy Reddy ,  Jacqueline Hegedus Wilson

发明人： Denise Marie Genty ,  Shawn Patrick Mullen ,  Bhargavi Bheemreddy Reddy ,  Jacqueline Hegedus Wilson

IPC分类号： G06N5/02 ,  G06F11/00

CPC分类号： G06N5/04 ,  G06N3/02

摘要： A computer implemented method for monitoring system events and providing real-time response to security threats. System data is collected by monitors in the computing system. The expert system of the present invention compares the data against information in a knowledge base to identify a security threat to a system resource in a form of a system event and an action for mitigating effects of the system event. A determination is made as to whether a threat risk value of the system event is greater than an action risk value of the action for mitigating the system event. If the threat risk value is greater, a determination is made as to whether a trust value set by a user is greater than the action risk value. If the trust value is greater, the expert system executes the action against the security threat.

摘要翻译： 一种用于监控系统事件并提供对安全威胁的实时响应的计算机实现的方法。 系统数据由计算系统中的监视器收集。 本发明的专家系统将数据与知识库中的信息进行比较，以系统事件的形式识别对系统资源的安全威胁以及减轻系统事件影响的动作。 确定系统事件的威胁风险值是否大于用于减轻系统事件的动作的动作风险值。 如果威胁风险值较大，则确定用户设置的信任值是否大于动作风险值。 如果信任值较大，专家系统将针对安全威胁执行操作。