Computer system resources such as web servers and database services may be directly accessible through networks such as LANs, WANs, and the Internet. Communication between computer systems over a network typically takes place through transmitted data structures called packets. A packet may include data being transported from one system to another system. Such data is generally referred to as payload. A packet may also include other data that defines the structure and nature of the packet, and information indicating the origin and destination of the packet and information indicating other packet characteristics such as information in network and transport layer headers. A stream of packets may constitute a communication from one system to another system.
The invention is embodied as a method and a system for managing packet flow. Respective packets each may include an inserted application identifier identifying a registered application. The method may include receiving packets destined for one or more resources. The method may further include a packet processor of a security node determining the inserted application identifier for each of the respective packets received and managing the packet flow of each received packet sent from the security node based at least in part on the inserted application identifier of the received packet.
The invention also is embodied as a method and a system for inserting an application identifier into respective packets sent from a sending node destined for a resource on a network. The method may include an electronic database of the sending node storing information identifying registered applications including associated application identifiers and a program processor of the sending node determining each currently executing process and at least a process identifier corresponding to each currently executing process. The method may also include the information identifying registered applications being matched with information associated with the process identifiers of each currently executing process using the electronic database to determine a matched application identifier associated with each currently executing process. The method may further include the program processor inserting the matched application identifier in each packet to authenticate that the registered application corresponding to the matched application identifier is associated with the respective packets.
The invention further is embodied as a security node for managing packet flow between a sending node and one or more resources on a network. The security node may include a registration unit for registering applications that are authorized to access the one or more resources on the network and a packet processor for determining an application identifier and a user identifier inserted in each received packet and for managing the packet flow of each received packet based at least in part on the application and user identifiers inserted in each received packet.
The invention is additionally embodied as a sending node for managing packet flow to one or more resources on a network. The sending node includes an electronic database for storing information identifying registered applications including associated application identifiers, a program processor for determining each currently executing process and at least a process identifier corresponding to each currently executing process, and a sending unit for sending each packet destined for the one or more resources. The information identifying registered applications is matched with information associated with the process identifiers of each currently executing process to determine a matched application identifier associated with each currently executing process. The program processor inserts the matched application identifier in each packet to authenticate that the registered application corresponding to the matched application identifier is associated with the respective packets.
The invention is best understood from the following detailed description when read in connection with the accompanying drawings. According to common practice, various features/elements of the drawings may not be drawn to scale. Common numerical references represent like features/elements. The following figures are included in the drawings:
Access control of packets in a communication based exclusively on conventional network and transport layer headers may be inadequate to ensure security from malicious applications, trojans, worms, malware, spyware and other forms of rogue programs. Currently, network based application recognition technology relies on complex deep packet inspection technologies to analyze data streams above the network layer, which use, for example, application protocol level statefulness, packet defragmentation at the network layer, message reassembly at the transport layer and heuristic rules. Application recognition may infer (may make a best guess at) the source application generating a packet in a communication by inspecting, for example, the protocols used within the packet. The emergence of new application layer protocols, payload encryption or encoding, and the demand for higher throughput and lower latencies for communications may pose challenges to scale and sustain such technologies within core enterprise networks. Application recognition, which relies on protocol recognition, may allow a rogue program to maliciously trespass on a communication by mimicking an application protocol used in the communication. For example, a rogue application may be able to mimic a SQL or POP3 client to gain access to an SQL or Mail server. Because the payload of the packets in the communication may be encrypted or encoded, mid-stream deep packet inspection may be rendered ineffective at stopping the malicious trespass.
As used herein, application watermarking refers to watermarking of a source application that is running on a sending node after a user has logged in and has been authenticated. Application watermarking at the packet level may provide a viable and scalable alternative to application recognition and access controls derived from non-repudiable application identity. Application watermarking (e.g., fingerprinting or marking) at the sending node may simplify verification and validation of application level privileges and access policies and may enable granting or blocking (preventing) access at any policy enforcement point (PEP) along the flow based on security rules (or policies).
Access management, auditing, bandwidth management and packet marking for quality of service, among others may be performed with relative ease using application watermarking using in-band meta-data tags to overcome the challenges posed by application recognition technologies. For example, computer security systems may prevent trespasses by authenticating users and/or applications that desire to use resources and then, watermarking packets in a communication to ensure that the communication between authenticated users/applications and resources are not taken over by outside entities intent on malicious trespass.
Methods for maintaining secure communications via packets may include insert a security tag into each packet. The security tag may include information that the sender and receiver may verify. This ensures to the receiver that the packet is from a known (verified) sender and/or that the application is a registered (known) application. For example, a validated security tag may ensure that the corresponding packet is from a particular sender and is not from an outside source that is attempting to break into the associated packet stream. In addition, the security tag may ensure that the payload of such a packet has not been altered during transmission.
Referring to
In certain exemplary embodiments, a security plug-in 40 that may run within OS 30 may examine (analyze) and/or may modify packets sent by sending node 20. Security plug-in 40 may be an application program, may be another program or may be a hardware module executing on sending node 20.
In certain exemplary embodiments, security plug-in may insert a security tag into a portion or all of the packets sent by sending node 20.
A security node 60 may be a gateway device to a sub-network 90 of network 50 that may connect to one or more network resources 95, such as web servers, database servers, and/or other services that user 10 may desire to access. A security gateway 70 (e.g., a program or a hardware module) may run on security node 60. A security server 80 may run as part of security gateway 70 to examine and/or modify incoming packets and may communicate with sending node 20 via sub-network 90 and/or network 50.
Although security plug-in 40 and security server 80 are illustrated in the network application and security gateway, respectively, security plug-in 40 and security server 80 may be provided in any device on the network or sub-network that interacts with the stream of packets being secured.
Although security node 60 is illustrated as a gateway device, it is contemplated that the operations of security node 20 may be included in a router device, a bridge device or a virtualized (hypervisor) platform.
Referring to
Flow table 25 may store information (records) identifying each packet flow (e.g., a currently executing packet flow) associated with a particular registered application (e.g., an application identifier). Each record in flow table 25 may include a flow identifier, for example, indexed to (associated with) a particular application identifier (e.g., that is associated with a currently executing process validated as matched to a registered application). For example, a plurality of source applications may be executing on sending node 20 and each may be accessing network 50 (e.g., creating a packet flow on network 50). Each packet flow may be identified by a flow identifier and associated with an application identifier in flow table 25 such that flow table maintains a record of each currently executing packet flow (e.g., to maintain statefulness of each packet flow).
Process tree 24 may store a tree structure (or a set of linked lists) of process identifiers such that process identifiers associated with parent processes are linked to process identifiers associated with child processes. Process tree 24 may be used to validate that each of the associated parent processes in a sequence of parent processes, such as grandparent and great grandparent processes, of a currently executing process are also associated with registered applications. This validation process will be described below.
Process table 23 of electronic database 22 may be used to match the information identifying registered applications stored or temporarily cached, for example, in application profile 250 (see
The information identifying a respective registered application may include, for example: (1) an application name; (2) a digital digest (hash value) of the gold-master copy of the executable; (3) a file date and time associated with the gold master copy of the executable; (4) a version associated with the gold master copy of the executable; (5) a size of the gold-master copy of the executable; (6) publication information associated with the gold-master copy of the executable and/or (7) an application identifier associated with the gold-master copy of the executable, among others. This information may be securely stored as an application profile in a centralized repository accessible to security node 60. A globally unique application identifier (AID) may be assigned to each configured registered application and application profiles may be downloaded by the security node during user authentication.
The information identifying a respective currently executing process may be matched to the information identifying the registered application, and may include, for example, the operating system (OS) process identifiers, application executable image loaded into the process space from a storage media, executable file date and file time markers and/or the file digest (hash value) of the executable file invoking the process, among others.
In certain exemplary embodiments, the matching of the application identifier and/or the validation of the parent processes may be responsive to the currently executing process being invoked or based on a resync signal/command being issued. For example, a resync signal/command may be issued (1) periodically; (2) after a predetermined number of packets are sent by sending node 20; and/or (3) based on a signal/command from security node 60, among others.
Program processor 26 may determine each currently executing process and at least a process identifier corresponding to each currently executing process and may insert a matched application identifier in each packet. By inserting the matched application identifier in each packet, sending node 20 authenticates to security node 60 that the registered application corresponding to the matched application identifier is associated with the respective packets. As used herein, a matched application identifier refers to an identifier associated with a registered application that is registered in security node 60.
Sending unit 28 may send the packets destined for resources external to sending node 20 (e.g., the one or more resources 95, see
In certain exemplary embodiments, communications between receiving unit 29 and security node 60 may be encrypted, a security tag inserted into each packet sent from receiving unit 29 may be encrypted, certain fields within the security tag may be encrypted and/or certain fields within the security tag may be obfuscated (e.g., changed or scrambled to make the data in those fields non-obvious to a malicious trespasser).
Security node 60 may manage packet flow between sending node 20 and one or more resources 95 on network 50 (and/or sub-network 90). Security node 60 may include: (1) a receiving unit 62; (2) a packet processor 63; (3) a sending unit 64; (4) a registration unit 65 and/or (5) an event logger 66. Receiving and sending units 62 and 64 function substantially the same as receiving and sending units 28 and 29 of sending node 20 to communicate with devices/nodes external to security node 60.
In various exemplary embodiments, packets sent from sending node 64 may include only an application identifier associated with a registered application. Alternatively, such packets may include: (1) an application identifier and user identifier; or (3) an application identifier, user identifier and other security information embedded in a security tag, among other possible data schema.
Packet processor 63 may determine the application identifier and/or the user identifier inserted in each received packet, and may manage packet flow of each received packet based at least in part on the inserted application identifier and/or the inserted user identifier in each received packet.
Security node 60 may receive from a policy server (not shown) or have stored internally a set of security rules (policies) for managing the packet flow from security node 60. Packet processor 63 may scan for embedded security tag or security information (e.g., a user identifier and/or an application identifier) in each of the packets received by security node 60 and may extract the inserted security tag or security information from the received packets.
In certain exemplary embodiments, packet processor 63 may reassemble the packets without the security tag or security information. Packet processor 63 may manage packet flow sent from security node 60 by: determining, for each received packet, whether a user associated with the inserted user identifier is authorized to use a specific application or a specific resource based on the set of security rules. If the user is authorized to use the specific application and the specific resource, security node 60 may determine at least one of a priority or a bandwidth for flow of the respective packets to the specific resource. This determination of the priority or the bandwidth may be based on at least the application identifier and the user identifier inserted in the packets received by security node 60. If the user is non-authorized to use the specific application or the specific resource, security node 60 may block (prevent) the packet flow associated with the non-authorized user to the packet destination (one or more of resources 95, for example). Such blocking is based on security rules setup, for example, by the policy administrator.
Registration unit 65 may register applications that are authorized to access one or more resources 95 on network 50. During user authentication, the white-list of application profiles may be securely dispatched (via encryption using a negotiated session key) from registration unit 65 via sending unit 62 to sending node 20 based on application privileges provisioned by the security rules (e.g., the policies) for a specific user. Security node 60 may also issue a session key to sending node 20 to enable decryption of the white-list of application profiles. The session key may be periodically changed using a secure communication channel between sending node 20 and security node 60. The changing of the session key may not impact already established transactions.
Event logger 66 may generate audit logs from packets received by security node 60. Such packets may include at least information to watermark an application associated with the received packets. For example, security node 60 may identify for each packet, a particular application identify corresponding to a registered application invoked by the user to access a resource, a particular user identifier, and other information to identify an origin and a destination of the packet. The information may be stored as audit information in audit logs on an ongoing basis or when an exception to a security policy occurs. Events logged by the security node 60 may be sent to an audit server (or other SYSLOG) for archival, compliance reports and other audit purposes to provide an audit trail for compliance with non-repudiable application information.
Referring now to
Network filter driver 220 and transport hook driver 210 may be used to associate each packet sent external to sending node 20 with a specific application context running on sending node 60.
Transport hook driver 210 may monitor for application executable images (e.g., files) being loaded into processing space from a storage media and may provide an image load indication to plugin driver 230 when an executable image has been loaded. Transport hook driver 210 may also monitor for a process start or a process stop indication, when a process identifier is created or is deleted by the operating system, and may provide a process start indication or a process stop indication to plugin driver 230 when a process, respectively, is started or stopped. Transport hook driver 210 may further monitor for when the loaded image starts to access network 50, and may provide a flow start indication to plugin driver 230 when the executable image is accessing network 50.
Transport hook driver 210 may provide: (1) a process identifier (PID), image path and name information, as an image load indication; (2) the process identifier and a process start epoch or a process stop epoch, as a process start indication or a process stop indication, respectively; and (3) the process identifier and process name, as a flow start indication.
When plugin driver 230 receives the image load indication that an image is loaded, plugin driver 230 may provide service 240 with the process identifier corresponding to the loaded image. Service 240 may fetch (retrieve) using the process identifier a sequence of parent processes of the process corresponding to the loaded image from process tree 24. That is, a sequence of parent processes (parent, grandparent and great-grandparent, among others) associated with the currently executed process is retrieved by service 240. Service 240 may use the process identifiers of the currently executing process and those of the sequence (chain) of parent processes in one or more calls to sending node's operating system process management Application Program Interface (API) to determine the files that invoked the currently executing process and its parent processes. Services 240 may receive information from the operating system process management API regarding the file names that generated the currently executing process and its parent processes.
In certain exemplary embodiments, services may retrieve additional information include: (1) the actual files; (2) the application names; and (3) file attributes such as file size, file date and time. This information and possibly other information derived from the retrieved information (e.g., a file digest) associated with the files generating the currently executing process are matched by service 240 to information stored or temporarily cached in application profile 250. If a match occurs between the information (e.g., application name and/or file digest) of the file generating the currently executing process and a record in application profile 250 and each of the parent processes in the sequence also match a record in application profile 250, an application identifier associated with the particular record in application profile 250 is sent to service 240. That is, the currently executing process and its parents are validated as corresponding to registered applications.
Although the matching process in application profile 250 is described as including the currently executing process and each of its parent processing in the sequence, it is possible to only validate the currently executing process or to validate the currently executing process and a portion of its parent processes.
If a match occurs, service 240 may send the matched application identifier to plugin driver 230. Plugin driver 230 may send an add indication to process table 23. The add indication may include: (1) the process identifier corresponding to the currently executing process received from transport hook driver 210; (2) the image name associated with the currently executing process received from transport hook driver 210; and (3) the application identifier matched to the process identifier received via services 240 from application profile 250.
When a currently executing process is stopped, transport hook driver 210 may send a process stop indication to plugin driver 230. Plugin driver 230 may process the process stop indication, as a termination, and may send a termination (delete) indication to process table 23. The termination (delete) indication may include the process identifier of the process that is stopped. Process table 23 may delete the record including the process identifier of the process that is stopped. That is, process table 23 and/or process tree 24 may include each of the processes currently executing on sending node 20, and may delete records associated with processes as the processes are terminated.
In certain exemplary embodiments, process tree 24 may store process information (e.g., process identifiers and/or other identification information associated with the process identifiers, such as hash values) as a tree structure or a set of linked lists. When requested by plugin driver 230 process table 23 may provide an application identifier associated with a process, for example, using a particular process identifier.
Plugin driver 230, after receiving the flow start indication of a currently executing process, which indicates the start of a packet flow on network 50, from transport hook driver 210, may send a create flow context to flow table 25. The created flow context may include: (1) a flow identifier; and (2) a corresponding application identifier received from service 240. The flow context may be indexed by flow identifier. Flow table 25 may store the flow identifier and the corresponding application identifier received from plugin driver 230. Flow table 25 may send to plugin driver 230 a plugin context including a flow context handle. Plugin driver 230 may issue a find request to flow table 25 using the plugin context and flow table 25 may send a flow context, in response, to plugin driver 230. The flow context may include an application identifier to be retrieved by plugin driver 230. That is, flow table 25 may maintain persistent records of the application identifiers corresponding to particular currently executing processes creating packet flows while the particular currently executing processes continue to create those packet flows.
Plugin driver 230 may send monitor flow requests using its plugin context to network filter driver 220. Network filter driver 220 may send a flow stop indication to plugin driver 230 using the plugin context.
The plugin driver may insert an application identifier associated with a packet flow in flow table 25 in each outgoing packet that corresponds to the particular packet flow. The outgoing packets may be sent via network filter driver 220 from sending node 20, for example, to resource 95 secured by security node. 60.
Packets which do not correspond to any flow may be blocked (prevented) by plugin driver 230 from having an application identifier inserted therein. Such packets may be sent via network filter driver 220 over network 50. The management of access, priority and bandwidth for particular packet flows may be controlled by security (policy) rules enforced in security node 60 (e.g., a policy enforcement point).
A validated application identifier may be used by security node 60: (1) to grant or deny access to resource 95 based on configured policies; (2) to allocate asymmetric bandwidth based on the policies (i.e., to allocate particular channels or frequencies or time slots, for example, based on security tag information; (3) to mark packets with IP Cost of Service/Type of Service (COS/TOS) or Diff-Server Code Point (DSCP) based on configured such policies. The marking of packets and the configuration of policies may be based on the validated application identifier alone or in combination with other attributes in a security tag. For example, a security tag may include a control field, a random number, an opaque client identifier, the application identifier, a TCP sequence number and a digital signature.
In certain exemplary embodiments, the control field may include a release version indicating the version of security tag included in each datagram, a length indicator which indicates the length of the security tag, the key number, the length scale indicating the length of the secret key in bytes, a flag indicating whether the TCP sequence number is included in the security tag, another flag indicating whether the entire payload or a partial payload is included in the security tag and the gateway software instance.
A random number of the same byte length as the client identifier may be exclusively ORed (XOR) with the client identifier to produce the opaque client identifier. A random number of the same byte length as the application identifier may be exclusively ORed with the application identifier to produce an opaque application identifier. The random numbers, opaque application identifier and client identifier may be embedded in the security tag. By obfuscating the client identifier and/or application identifier, security of the embedded security tag may be improved.
Although the opaque identifiers are illustrated as generated by an XOR process, it is contemplated that many other obfuscation techniques may be used as long as the original identifiers can be decoded. For example the random number may be added to or subtracted from the client identifier and/or the application identifier.
A digital signature may be generated, for example, from a hash function or other cryptographic algorithm (include secure hash algorithms (SHA) such as SHA-0, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 or Message-Digest algorithm MD5).
In certain exemplary embodiments, the digital signature may be based on a negotiated secret key, a random number, the opaque client identifier, the control field, the application identifier, the TCP sequence and/or the payload of the datagram.
Network filter driver 220 may monitor for the stoppage of each flow stored in flow table 25, and may provide a flow stop indication that packets corresponding to a particular packet flow having a flow identifier stored in flow table 25 have stopped.
As illustrated in
Now referring to
Security node 60 receiving packets having inserted application identifiers associated with Microsoft Excel, may validate that each packet received is authorized based on the application identifier and/or other information of the security tag embedded in each packet and may determine whether to block the packet from its destination (e.g., Database Server) or to establish a proper priority/bandwidth for the packetized communication.
In block 292, 294 and 296, because malicious programs are not registered in registration unit 65 or process tree 24, program processor 26 may block insertion of an application identifier into packets destined for the Mail Servicer, Web Server and Application Server, respectively. That is, when the file associated with the parent process identifier of each malicious program is checked against records in application profile 250, no application identifiers match. In such a case, program processor 26 of sending node 20 may not insert an application identifier into packets flowing from Outlook Express in block 292 and Internet Explorer in blocks 294 and 296. Security node 60 when receiving such packets may prevent the packets from being sent to Mail Server in block 292, Web Server in block 294 and Application Server in block 296 based on security rules internally stored or received from a policy server. Such rules may allow the packets to be sent to protected resources or may block such packets from these resources.
Referring to
At block 330, receiving unit 62 of security node 60 may receive packets destined for one or more resources 95. These packets may each include an inserted application identifier identifying a registered application. At block 340, packet processor 63 of security node 60 may determine the inserted application identifier for each of the packets received by receiving unit 62. At block 350, packet processor 63 may manage the packet flow from security node 60 based at least in part on the inserted application identifier of the packet received by receiving unit 62.
The determination at block 340 may include: (1) scanning for the embedded security tag in each of the packets received by security node 60; and (2) extracting the inserted application and user identifiers from the scanned security tags of the packets received by security node 60. The management at block 350 may include: (1) determining, for each received packet, whether the user associated with the inserted user identifier is authorized to use a specific application or a specific resource based on the set of security rules. If the user is authorized to use the specific application and the specific resource, packet processor 63 may determine at least one of a priority or a bandwidth for flow of the respective packets to the specific resource. Alternatively, if the user is non-authorized to use the specific application or the specific resource, packet processor 63 may prevent (block) the flow of the packets associated with the non-authorized user to one or more resources 95 or the specific resource.
In certain exemplary embodiments, receiving unit 29 of sending node 20 may receive a list of registered application and their unique application identifiers and program processor 26 may insert the application identifier identifying the registered application into packets to be sent from sending node 20 to one or more resources 95. Sending unit 28 of sending node 20 may send the packets destined for one or more resources 95 via security node 60.
Program processor 26 may insert the application identifier into each packet by: (1) embedding at least the application identifier and a user identifier in a security tag; and (2) inserting the security tag into each of the packets sent by sending node 60, as an in-band metadata tag (e.g., a security tag sent as part of the packet and including metadata to establish, for example, the user requesting a resource and the registered application associated with the particular packet, among others). Program processor 26 may selectively insert a respective application identifier into each packet: (1) associated with an application in the white list of registered applications; and (2) destined for one of the protected resources (e.g., one or more resources 95). Alternatively, program processor 26 may prevent (or block) any application identifiers from being inserted into packets that are associated with an application not in the white list of registered applications or that are not destined for a protected resource.
Referring to
At block 430, program processor 26 may match, using the electronic database 22, the information identifying registered applications with information associated with the process identifiers of each currently executing process. At block 440, sending node 20 may determine whether there is a match. If a match does not occur at block 440, at block 450, program processor 26 may prevent (may block) the insertion of any application identifier in each packet to be sent by sending node 20 and may end the operation. If a match occurs at block 440, at block 460, program processor 26 may insert the matched application identifier in each packet to authenticate that the registered application corresponding to the matched application identifier is associated with the respective packets.
In certain exemplary embodiments, the insertion of the matched application identifier in each packet may include at least one of: (1) obfuscating the application identifier; or (2) encrypting the application identifier using a session key.
The matching of the information identifying registered applications with the information associated with the process identifiers of each currently executing process may include: (1) determining from the currently executing process a file invoking the currently executing process; and (2) matching characteristics of the file invoking the currently executing process to information identifying registered applications to authenticate the application associated with the currently executing process. The characteristics of the file to be match may include at least one of: (1) a digital digest of the file; (2) a date and time that the file was last edited; (3) a version of the file; and/or (4) publisher information.
Referring now to
Referring now to
In various exemplary embodiments, the application identifier may be inserted in each packet such that a determination of whether the application identifier matches a registered application may occur at a layer below application layer 670.
Although the invention has been described in terms of sending and receiving node, it is contemplated that it may be implemented in software on microprocessors/computers (not shown). In various embodiments, one or more of the functions of the various components may be implemented in software that controls a computer. This software may be embodied in a computer readable storage medium, for example, a magnetic or optical disk, or a memory-card.
Although the invention is illustrated and described herein with reference to specific embodiments, the invention is not intended to be limited to the details shown. Rather, various modifications may be made in the details within the scope and range of equivalents of the claims and without departing from the invention.
This application claims the benefit of U.S. Provisional Application No. 61/037,874, filed Mar. 19, 2008, entitled “Access, Priority and Bandwidth Management Based On Application Identity” the contents of which are hereby incorporated by reference.
Number | Name | Date | Kind |
---|---|---|---|
5218637 | Angebaud et al. | Jun 1993 | A |
5757916 | MacDoran et al. | May 1998 | A |
5784562 | Diener | Jul 1998 | A |
5867494 | Krishnaswamy et al. | Feb 1999 | A |
5887065 | Audebert | Mar 1999 | A |
5983270 | Abraham et al. | Nov 1999 | A |
5987611 | Freund | Nov 1999 | A |
5999525 | Krishnaswamy et al. | Dec 1999 | A |
6021495 | Jain et al. | Feb 2000 | A |
6070245 | Murphy et al. | May 2000 | A |
6076108 | Courts et al. | Jun 2000 | A |
6105136 | Cromer et al. | Aug 2000 | A |
6141758 | Benantar et al. | Oct 2000 | A |
6145083 | Shaffer et al. | Nov 2000 | A |
6161182 | Nadooshan | Dec 2000 | A |
6170019 | Dresel et al. | Jan 2001 | B1 |
6199113 | Alegre et al. | Mar 2001 | B1 |
6219669 | Haff et al. | Apr 2001 | B1 |
6253326 | Lincke et al. | Jun 2001 | B1 |
6304969 | Wasserman et al. | Oct 2001 | B1 |
6335927 | Elliott et al. | Jan 2002 | B1 |
6345291 | Murphy et al. | Feb 2002 | B2 |
6393569 | Orenshteyn | May 2002 | B1 |
6418472 | Mi et al. | Jul 2002 | B1 |
6442571 | Haff et al. | Aug 2002 | B1 |
6452915 | Jorgensen | Sep 2002 | B1 |
6470453 | Vilhuber | Oct 2002 | B1 |
6473794 | Guheen et al. | Oct 2002 | B1 |
6480967 | Jensen et al. | Nov 2002 | B1 |
6502192 | Nguyen | Dec 2002 | B1 |
6510350 | Steen et al. | Jan 2003 | B1 |
6519571 | Guheen et al. | Feb 2003 | B1 |
6523027 | Underwood | Feb 2003 | B1 |
6535917 | Zamanzadeh et al. | Mar 2003 | B1 |
6536037 | Guheen et al. | Mar 2003 | B1 |
6594589 | Cixx, Jr. et al. | Jul 2003 | B1 |
6601233 | Underwood | Jul 2003 | B1 |
6609128 | Underwood | Aug 2003 | B1 |
6615166 | Guheen et al. | Sep 2003 | B1 |
6633878 | Underwood | Oct 2003 | B1 |
6640248 | Jorgensen | Oct 2003 | B1 |
6704873 | Underwood | Mar 2004 | B1 |
6718535 | Underwood | Apr 2004 | B1 |
6721713 | Guheen et al. | Apr 2004 | B1 |
6725269 | Megiddo | Apr 2004 | B1 |
6731625 | Eastep et al. | May 2004 | B1 |
6735691 | Capps et al. | May 2004 | B1 |
6748287 | Hagen et al. | Jun 2004 | B1 |
6754181 | Elliott et al. | Jun 2004 | B1 |
6766314 | Burnett | Jul 2004 | B2 |
6785692 | Wolters et al. | Aug 2004 | B2 |
6826616 | Larson et al. | Nov 2004 | B2 |
6839759 | Larson et al. | Jan 2005 | B2 |
6850252 | Hoffberg | Feb 2005 | B1 |
6856330 | Chew et al. | Feb 2005 | B1 |
6870921 | Elsey et al. | Mar 2005 | B1 |
6909708 | Krishnaswamy et al. | Jun 2005 | B1 |
6944279 | Elsey et al. | Sep 2005 | B2 |
6947992 | Shachor | Sep 2005 | B1 |
6954736 | Menninger et al. | Oct 2005 | B2 |
6957186 | Guheen et al. | Oct 2005 | B1 |
6973085 | Acharya | Dec 2005 | B1 |
6985922 | Bashen et al. | Jan 2006 | B1 |
7013290 | Ananian | Mar 2006 | B2 |
7039606 | Hoffman et al. | May 2006 | B2 |
7054837 | Hoffman et al. | May 2006 | B2 |
7072843 | Menninger et al. | Jul 2006 | B2 |
7096495 | Warrier et al. | Aug 2006 | B1 |
7100195 | Underwood | Aug 2006 | B1 |
7107285 | Von Kaenel et al. | Sep 2006 | B2 |
7120596 | Hoffman et al. | Oct 2006 | B2 |
7145898 | Elliott | Dec 2006 | B1 |
7149698 | Guheen et al. | Dec 2006 | B2 |
7160599 | Hartman | Jan 2007 | B2 |
7165041 | Guheen et al. | Jan 2007 | B1 |
7171379 | Menninger et al. | Jan 2007 | B2 |
7188138 | Schneider | Mar 2007 | B1 |
7188180 | Larson et al. | Mar 2007 | B2 |
7194552 | Schneider | Mar 2007 | B1 |
7334125 | Pellacuru | Feb 2008 | B1 |
7353533 | Wright et al. | Apr 2008 | B2 |
7363347 | Thomas | Apr 2008 | B2 |
7386889 | Shay | Jun 2008 | B2 |
7398552 | Pardee et al. | Jul 2008 | B2 |
7430760 | Townsend et al. | Sep 2008 | B2 |
7509687 | Ofek et al. | Mar 2009 | B2 |
7519986 | Singhal | Apr 2009 | B2 |
7567510 | Gai et al. | Jul 2009 | B2 |
7593529 | Yang | Sep 2009 | B1 |
7596803 | Barto et al. | Sep 2009 | B1 |
7637147 | Lee et al. | Dec 2009 | B2 |
7644434 | Pollutro et al. | Jan 2010 | B2 |
7660902 | Graham et al. | Feb 2010 | B2 |
7660980 | Shay et al. | Feb 2010 | B2 |
7770223 | Shevenell et al. | Aug 2010 | B2 |
7877601 | Smith et al. | Jan 2011 | B2 |
7978700 | Kopelman et al. | Jul 2011 | B2 |
8412838 | Wang et al. | Apr 2013 | B1 |
8910241 | Pollutro et al. | Dec 2014 | B2 |
20010020195 | Patel et al. | Sep 2001 | A1 |
20010052012 | Rinne et al. | Dec 2001 | A1 |
20010054044 | Liu et al. | Dec 2001 | A1 |
20010054147 | Richards | Dec 2001 | A1 |
20020002577 | Garg et al. | Jan 2002 | A1 |
20020022969 | Berg et al. | Feb 2002 | A1 |
20020029086 | Ogushi et al. | Mar 2002 | A1 |
20020062367 | Debber et al. | May 2002 | A1 |
20020077981 | Takatori et al. | Jun 2002 | A1 |
20020078015 | Ponnekanti | Jun 2002 | A1 |
20020080822 | Brown et al. | Jun 2002 | A1 |
20020083183 | Pujare et al. | Jun 2002 | A1 |
20020116643 | Raanan et al. | Aug 2002 | A1 |
20020133723 | Tait | Sep 2002 | A1 |
20020146026 | Unitt et al. | Oct 2002 | A1 |
20020146129 | Kaplan | Oct 2002 | A1 |
20020184224 | Haff et al. | Dec 2002 | A1 |
20020193966 | Buote et al. | Dec 2002 | A1 |
20030005118 | Williams | Jan 2003 | A1 |
20030005300 | Noble et al. | Jan 2003 | A1 |
20030009538 | Shah et al. | Jan 2003 | A1 |
20030023726 | Rice et al. | Jan 2003 | A1 |
20030033545 | Wenisch et al. | Feb 2003 | A1 |
20030055962 | Freund et al. | Mar 2003 | A1 |
20030063750 | Medvinsky et al. | Apr 2003 | A1 |
20030083991 | Kikinis | May 2003 | A1 |
20030084350 | Eibach et al. | May 2003 | A1 |
20030171885 | Coss et al. | Sep 2003 | A1 |
20030179900 | Tian et al. | Sep 2003 | A1 |
20030200439 | Moskowitz | Oct 2003 | A1 |
20030204421 | Houle et al. | Oct 2003 | A1 |
20030208448 | Perry et al. | Nov 2003 | A1 |
20030208562 | Hauck et al. | Nov 2003 | A1 |
20030217126 | Polcha et al. | Nov 2003 | A1 |
20030217166 | Dal Canto et al. | Nov 2003 | A1 |
20030220768 | Perry et al. | Nov 2003 | A1 |
20030220821 | Walter et al. | Nov 2003 | A1 |
20040006710 | Pollutro et al. | Jan 2004 | A1 |
20040022191 | Bernet et al. | Feb 2004 | A1 |
20040024764 | Hsu et al. | Feb 2004 | A1 |
20040031058 | Reisman | Feb 2004 | A1 |
20040049515 | Haff et al. | Mar 2004 | A1 |
20040107342 | Pham et al. | Jun 2004 | A1 |
20040107360 | Herrmann et al. | Jun 2004 | A1 |
20040111410 | Burgoon et al. | Jun 2004 | A1 |
20040139313 | Buer et al. | Jul 2004 | A1 |
20040142686 | Kirkup et al. | Jul 2004 | A1 |
20040193606 | Arai et al. | Sep 2004 | A1 |
20040193912 | Li et al. | Sep 2004 | A1 |
20040214576 | Myers et al. | Oct 2004 | A1 |
20040228362 | Maki et al. | Nov 2004 | A1 |
20040230797 | Ofek et al. | Nov 2004 | A1 |
20050010528 | Pelz et al. | Jan 2005 | A1 |
20050015624 | Ginter et al. | Jan 2005 | A1 |
20050027788 | Koopmans et al. | Feb 2005 | A1 |
20050038779 | Fernandez et al. | Feb 2005 | A1 |
20050132030 | Hopen et al. | Jun 2005 | A1 |
20050185647 | Rao et al. | Aug 2005 | A1 |
20050265351 | Smith et al. | Dec 2005 | A1 |
20050283822 | Appleby et al. | Dec 2005 | A1 |
20060005240 | Sundarrajan et al. | Jan 2006 | A1 |
20060068755 | Shraim et al. | Mar 2006 | A1 |
20060075464 | Golan et al. | Apr 2006 | A1 |
20060080441 | Chen et al. | Apr 2006 | A1 |
20060080667 | Sanghvi et al. | Apr 2006 | A1 |
20060090196 | Van Bemmel et al. | Apr 2006 | A1 |
20060198394 | Gotoh et al. | Sep 2006 | A1 |
20060218273 | Melvin | Sep 2006 | A1 |
20060245414 | Susai et al. | Nov 2006 | A1 |
20060248480 | Faraday et al. | Nov 2006 | A1 |
20060248580 | Fulp et al. | Nov 2006 | A1 |
20060253900 | Paddon et al. | Nov 2006 | A1 |
20060271652 | Stavrakos et al. | Nov 2006 | A1 |
20060274774 | Srinivasan et al. | Dec 2006 | A1 |
20060277275 | Glaenzer | Dec 2006 | A1 |
20060277591 | Arnold et al. | Dec 2006 | A1 |
20060282545 | Arwe et al. | Dec 2006 | A1 |
20060282876 | Shelest et al. | Dec 2006 | A1 |
20070008978 | Pirzada et al. | Jan 2007 | A1 |
20070038618 | Kosciusko et al. | Feb 2007 | A1 |
20070061434 | Schmieder et al. | Mar 2007 | A1 |
20070101154 | Bardsley et al. | May 2007 | A1 |
20070113269 | Zhang | May 2007 | A1 |
20070136317 | Przywara | Jun 2007 | A1 |
20070192853 | Shraim et al. | Aug 2007 | A1 |
20070271592 | Noda et al. | Nov 2007 | A1 |
20070283014 | Shinomiya et al. | Dec 2007 | A1 |
20070294762 | Shraim et al. | Dec 2007 | A1 |
20070299915 | Shraim et al. | Dec 2007 | A1 |
20080005779 | Takenaka et al. | Jan 2008 | A1 |
20080008202 | Terrell et al. | Jan 2008 | A1 |
20080098129 | Niddam et al. | Apr 2008 | A1 |
20080215889 | Celik et al. | Sep 2008 | A1 |
20080228932 | Monette et al. | Sep 2008 | A1 |
20090158384 | Kanade et al. | Jun 2009 | A1 |
20090210364 | Adi et al. | Aug 2009 | A1 |
20100037284 | Sachs | Feb 2010 | A1 |
20100223222 | Zhou et al. | Sep 2010 | A1 |
20100235879 | Burnside et al. | Sep 2010 | A1 |
20110280215 | Nakagawa et al. | Nov 2011 | A1 |
20120051529 | Dobbins et al. | Mar 2012 | A1 |
20120096513 | Raleigh et al. | Apr 2012 | A1 |
20120304277 | Li et al. | Nov 2012 | A1 |
Number | Date | Country |
---|---|---|
2286534 | Apr 2001 | CA |
1 071 256 | Jan 2001 | EP |
1 418 730 | May 2004 | EP |
1 641 215 | Mar 2006 | EP |
06-097905 | Apr 1994 | JP |
11-205388 | Jul 1999 | JP |
2001-306521 | Nov 2001 | JP |
2003-008651 | Jan 2003 | JP |
WO-0133759 | May 2001 | WO |
WO-0138995 | May 2001 | WO |
WO-02079949 | Oct 2002 | WO |
WO 20050066737 | Jul 2005 | WO |
Entry |
---|
Aleksander Svelokken, “Biometric Authentication and Identification Using Keystroke Dynamics With Alert Levels”, Master Thesis (Retrieved from University of Oslo), May 23, 2007, pp. 1-124. |
Darryle Merlette, Dr. Parag Pruthi; Network Security; NetDetector: Identifying Real Threats and Securing Your Network; Copyright © 2003 Niksun, Inc., Monmouth Junction NJ, USA. |
Darryle Merlette; Spencer Parker, Dr. Parag Pruthi; Niksun Network Security; NetDetector: Monitoring and Minimizing Instant Messaging Risks; Copyright @ 2003 Niksun, Inc., Monmouth Junction NJ, USA. |
Scarfone et ai, Guide to Intrusion Detection and Prevention Systems (IOPS), Feb. 2007, NIST, Special Publication 800-94. |
Office Action for U.S. Appl. No. 10/423,444 dated Sep. 7, 2007. |
Office Action for U.S. Appl. No. 10/423,444 dated Jun. 13, 2006. |
Office Action for U.S. Appl. No. 10/423,444 dated Mar. 12, 2007. |
Office Action for U.S. Appl. No. 10/423,444 dated Mar. 14, 2008. |
Office Action for U.S. Appl. No. 10/423,444 dated Sep. 19, 2008. |
Office Action for U.S. Appl. No. 10/423,444 dated Dec. 2, 2008. |
Office Action for U.S. Appl. No. 10/423,444 dated Feb. 25, 2009. |
Office Action for U.S. Appl. No. 10/423,444 dated Jul. 27, 2009. |
Notice of Allowance for U.S. Appl. No. 10/423,444 dated Nov. 16, 2009. |
Office Action for U.S. Appl. No. 12/163,292 dated Feb. 2, 2011. |
Office Action for U.S. Appl. No. 12/163,292 dated Aug. 8, 2011. |
Office Action for JP Application No. 2006-547397 dated Nov. 30, 2010. |
Office Action for JP Application No. 2006-547397 dated Jul. 5, 2011. |
Office Action for U.S. Appl. No. 10/583,578 dated Jun. 24, 2010. |
Office Action for U.S. Appl. No. 10/583,578 dated Feb. 11, 2011. |
Office Action for U.S. Appl. No. 10/583,578 dated Jul. 19, 2011. |
Office Action for U.S. Appl. No. 12/270,278 dated Jun. 24, 2011. |
Office Action for U.S. Appl. No. 12/270,278 dated Nov. 9, 2011. |
Office Action for U.S. Appl. No. 12/267,804 dated Aug. 16, 2011. |
Office Action for U.S. Appl. No. 12/267804 dated Apr. 25, 2011. |
Office Action for U.S. Appl. No. 12/406,613 dated Oct. 24, 2011. |
Written Opinion of the International Search Authority for PCT Application No. PCT/US2004/043405; Completed Mar. 15, 2005; Mailed Mar. 23, 2005. |
International Search Report for International Application No. PCT/US2004/043405; Completed Mar. 15, 2005; Mailed Mar. 23, 2005. |
International Search Report for International Application No. PCT/US2008/007984; Completed Aug. 22, 2009; Mailed Sep. 3, 2009. |
Notice of Allowance on U.S Appl. No. 10/583,578 dated Mar. 27, 2012. |
Office Action on U.S. Appl. No. 12/267,804 dated Apr. 10, 2012. |
Office Action for U.S. Appl. No. 12/267,850 dated Nov. 7, 2012. |
Office Action for U.S. Appl. No. 12/267,850 dated Jun. 14, 2012. |
Office Action for U.S. Appl. No. 12/432,186 dated Jun. 25, 2012. |
US Notice of Allowance for U.S. Appl. No. 12/163,292 dated Aug. 6, 2014. |
US Notice of Allowance for U.S. Appl. No. 12/267,804 dated Apr. 24, 2013. |
US Office Action for U.S. Appl. No. 12/270,278 dated Feb. 20, 2014. |
US Office Action for U.S. Appl. No. 12/163,292 dated Apr. 25, 2014. |
US Office Action for U.S. Appl. No. 12/267,804 dated Sep. 27, 2012. |
US Office Action for U.S. Appl. No. 12/267,850 dated Mar. 26, 2013. |
US Office Action for U.S. Appl. No. 12/267,850 dated Sep. 30, 2013. |
US Office Action for U.S. Appl. No. 12/270,278 dated Aug. 15, 2014. |
US Office Action for U.S. Appl. No. 12/432,186 dated Feb. 21, 2013. |
US Notice of Allowance for U.S. Appl. No. 12/270,278 dated Nov. 14, 2014. |
US Notice of Allowance for U.S. Appl. No. 12/267,850 dated Nov. 6, 2014. |
US Notice of Allowance for U.S. Appl. No. 12/432,186 dated Sep. 10, 2014. |
US Office Action on U.S. Appl. No. 14/563,904 DTD Jun. 22, 2015. |
Number | Date | Country | |
---|---|---|---|
20090241170 A1 | Sep 2009 | US |
Number | Date | Country | |
---|---|---|---|
61037874 | Mar 2008 | US |