-
Publication No.: US20230315842A1
Publication date: 2023-10-05
Application No.: US17706707
Application date: 2022-03-29
Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventor: Bruno dos Santos Silva, Cheng-Ta Lee
IPC: G06F21/55
CPC classification number: G06F21/554, G06F2221/034
Abstract: A computer-implemented apparatus and related method prevent credential attacks. The method receives authentication transactions (ATs) comprising AT features (ATFs). The method then performs clustering, to produce clustered ATFs (CATFs) from the ATFs utilizing rule-based clustering. The clustering may operate by assigning user credentials: 1) from a same source IP to a common CATF; 2) targeting a same username to a common CATF; and/or 3) with a same password to a common CATF. Upon determining a CATF is malicious, the method may classify the CATFs as malicious, and otherwise, classify the CATF as non-malicious. The method may further block an activity using a feature included in a malicious CATF.
-
Publication No.: US20230012202A1
Publication date: 2023-01-12
Application No.: US17368627
Application date: 2021-07-06
Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventor: Ci-Hao Wu, June-Ray Lin, Cheng-Ta Lee
IPC: G06N5/04, G06N7/00, G06F16/901, G06F21/56
Abstract: Graph computing over micro and macro views includes expanding, with a processor at run-time, a set of nodes to include a node generated in response to received data corresponding to an event query. A first inference of an inference ensemble is determined by traversing a base graph whose nodes are associated with a discriminant power that exceeds a predetermined entity threshold. A second inference of the inference ensemble is determined by traversing a micro-view graph whose nodes are selected based on a number of references that exceeds a predetermined reference threshold. A third inference of the inference ensemble is determined by traversing a macro-view graph having one or more committee nodes and computing for each committee node a macro-node vote and generating a response to the event query based on the inference ensemble.
-
Publication No.: US20220156376A1
Publication date: 2022-05-19
Application No.: US16952494
Application date: 2020-11-19
Applicant: International Business Machines Corporation
Inventor: Bruno dos Santos Silva, Cheng-Ta Lee, Ron Williams, Bo-Yu Kuo, CHAO-MIN CHANG, Sridhar Muppidi
Abstract: A processor may generate an enforcement point. The enforcement point may include one or more adversarial detection models. The processor may receive user input data. The processor may analyze, at the enforcement point, the user input data. The processor may determine, from the analyzing, whether there is an adversarial attack in the user input data. The processor may generate an alert based on the determining.
-
Publication No.: US11146588B2
Publication date: 2021-10-12
Application No.: US16457942
Application date: 2019-06-29
Applicant: International Business Machines Corporation
Inventor: Cheng-Ta Lee, Chun-Shuo Lin, Wei-Shiau Suen, Ming-Hsun Wu
Abstract: A network-based appliance includes a mechanism to set-up and selectively use an “out-of-band” encryption channel. The mechanism comprises a packet parser, and a packet dispatcher, and it is integrated with an existing network layer stack that typically is not visible to host applications. In lieu of simply encrypting all data it receives, the mechanism instead analyzes one or more attributes, e.g., protocol type, application type, current encryption strength, content payload, etc., associated with a packet transmission to determine whether further encryption is required. The evaluation may include a deep packet inspection (DPI) when the information at the network layer (e.g., IP address, port number, etc.) is not sufficient to determine if the payload in the packet needs to be further encrypted. Based on the result of the analysis, packets are dispatched to the encryption channel as and when necessary. When additional encryption is not necessary, however, packet(s) are instead dispatched through an ordinary non-encrypted channel.
-
Publication No.: US10680946B2
Publication date: 2020-06-09
Application No.: US16417684
Application date: 2019-05-21
Applicant: International Business Machines Corporation
Inventor: Ronald Becker Williams, Cheng-Ta Lee, Lun-Pin Yuan
IPC: H04L12/715, H04L12/751, H04L12/717, H04L12/713, H04L12/741, H04L29/12, H04L12/24
Abstract: “Multi-tenant awareness” is added to a set of one or more packet processing devices in a Software Defined Network (SDN) having a controller. For each of one or more tenants, information in a table associates network protocol address attributes with an Internet Protocol (IP) address unique to the tenant. The table is associated with a multiple-layer translation layer being managed by the SDN controller. As a data packet traverses the translation layer, network protocol address attributes are translated according to values in the table to enable logical routing of the packet (to a given PPD). This translation occurs dynamically (or “on-the-fly”) as packets are “on route” to their destination. By implementing a multi-layer network address translation (NAT), one layer may be used to translate network protocol address source attributes, while a second layer may be used to translate network protocol address destination attributes.
-
Publication No.: US20200028862A1
Publication date: 2020-01-23
Application No.: US16037857
Application date: 2018-07-17
Applicant: International Business Machines Corporation
Inventor: Jian Lin, Matthew Elsner, Ronald Williams, Michael Josiah Bolding, Yun Pan, Paul Sherwood Taylor, Cheng-Ta Lee
Abstract: A tiered machine learning-based infrastructure comprises a first machine learning (ML) tier configured to execute within an enterprise network environment and that learns statistics for a set of use cases locally, and to alert deviations from the learned distributions. Use cases typically are independent from one another. A second machine learning tier executes external to the enterprise network environment and provides further learning support, e.g., by determining a correlation among multiple independent use cases that are running locally in the first tier. Preferably, the second tier executes in a cloud compute environment for scalability and performance.
-
Publication No.: US10542041B2
Publication date: 2020-01-21
Application No.: US15611229
Application date: 2017-06-01
Applicant: International Business Machines Corporation
Inventor: Cheng-Ta Lee, Wei-Hsiang Hsiung, Wei-Shiau Suen, Ming-Hsun Wu
Abstract: A network-based appliance includes a mechanism to provide TLS inspection with session resumption, but without requiring that a session cache be maintained. To this end, the inspector is configured to cause the TLS client to participate in maintaining the session context, in effect on behalf of the TLS inspector. In operation, when the inspector first receives the session ticket from the TLS server, and in lieu of caching it, the inspector generates and issues to the client a composited ticket that includes the original ticket and session context information that contains the session key. The composited ticket is encrypted by the inspector to secure the session information. When the TLS client presents the composited session ticket to resume the TLS connection, the inspector decrypts the ticket and retrieves the session context from it directly. The inspector then uses the original session ticket to resume the TLS session.
-
Publication No.: US10291600B2
Publication date: 2019-05-14
Application No.: US15183837
Application date: 2016-06-16
Applicant: International Business Machines Corporation
Inventor: Cheng-Ta Lee, Wei-Shiau Suen, Ming-Hsun Wu, Rick M. F. Wu
Abstract: A first client encryption initiation is intercepted from a client. The first client encryption initiation is intended for a server. Based on the first client encryption initiation, a second client encryption initiation is initiated with the server. A server response is received from the server responsive to the initiated second client encryption initiation. A first secure connection is negotiated with the client. The first secure connection is based on the intercepted first client encryption initiation and based on the server response. A session key to perform secure communication with the client is obtained from the first secure connection. A second secure connection is established with the server. The second secure connection is based on the server response and the session key.
-
Publication No.: US20180351997A1
Publication date: 2018-12-06
Application No.: US15611202
Application date: 2017-06-01
Applicant: International Business Machines Corporation
Inventor: Cheng-Ta Lee, Wei-Hsiang Hsiung, Wei-Shiau Suen, Ming-Hsun Wu
Abstract: A network-based appliance includes a mechanism to provide TLS inspection with session resumption, but without requiring that a session cache be maintained. To this end, the inspector is configured to cause the TLS client to participate in maintaining the session context, in effect on behalf of the TLS inspector. In operation, when the inspector first receives a session ID from the TLS server, the inspector generates and issues to the client a session ticket that includes the original session ID and other session context information. In this manner, the inspector converts the Session ID-based connection to a Session Ticket-based connection. The session ticket is encrypted by the inspector to secure the session information. When the TLS client presents the session ticket to resume the TLS connection, the inspector decrypts the ticket and retrieves the session ID from it directly. The inspector then uses the original session ID to resume the TLS session.
-
Publication No.: US20180115553A1
Publication date: 2018-04-26
Application No.: US15847975
Application date: 2017-12-20
Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventor: KuoChun Chen, Jia-Sian Jhang, Cheng-Ta Lee, Chun-Shuo Lin
IPC: H04L29/06
Abstract: A method for providing a transparent asynchronous network flow exchange is provided. The method may include receiving a query request from a requester, whereby the received query request is associated with a network packet. The method may also include determining if the network packet contains a plurality of defined signatures. The method may further include in response to determining that the network packet contains a plurality of defined signatures, authenticating a plurality of information associated with the network packet. The method may additionally include determining a plurality of flow related security information associated with the network packet based on the authentication of the plurality of information. The method may include sending the determined plurality of flow related security information to the requester.