    • 2. Published patent application
    • High availability for network security devices
    • EP2343864A2
    • 2011-07-13
    • EP10186865.1
    • 2010-10-07
    • Juniper Networks, Inc.
    • Narayanaswamy, Krishna; Ranjan, Rajiv
    • H04L29/06
    • H04L63/1408
    • In one example, a backup intrusion detection and prevention (IDP) device includes one or more network interfaces to receive a state update message from a primary IDP device, wherein the state update message indicates a network session being inspected by the primary IDP device and an identified application-layer protocol for the device, to receive an indication that the primary device has switched over or failed over to the backup device, and to receive a plurality of packets of the network session after receiving the indication, each of the plurality of packets comprising a respective payload including application-layer data, a protocol decoder to detect a beginning of a new transaction from the application-layer data of one of the plurality of packets, and a control unit to statefully process only the application-layer data of the network session that include and follow the beginning of the new transaction.
    • 3. Published patent application
    • Dynamic access control policy with port restrictions for a network security appliance
    • EP2175603A1
    • 2010-04-14
    • EP09161760.5
    • 2009-06-03
    • Juniper Networks, Inc.
    • Narayanaswamy, Krishna
    • H04L29/06
    • H04L63/20; H04L63/0245; H04L63/0254; H04L63/0263
    • A network security appliance, commonly referred to as firewall device, supports definition of a security policy to control access to a network. The security policy is defined by match criteria including a layer seven network application, a static port list of layer four ports for a transport-layer protocol, and actions to be applied to packet flows that match the match criteria. A rules engine dynamically identifies a type of layer seven network application associated with the received packet flow based on inspection of application-layer data within payloads of packets of the packet flow without basing the identification solely on a layer four port specified by headers within the packets. The rules engine is configured to apply the security policy to determine whether the packet flow matches the static port lists specified by the match criteria. The network security appliance applies the actions specified by the security policy to the packet flow.
    • 5. Published patent application
    • Methods and apparatus for providing services in a distributed switch
    • EP2680513A1
    • 2014-01-01
    • EP13165633.2
    • 2013-04-26
    • Juniper Networks, Inc.
    • Narayanaswamy, Krishna; Frailong, Jean-Marc; Venkatramani, Anjan; Jagannadhan, Srinivasan
    • H04L12/70; H04L29/08
    • H04L49/355; H04L45/38; H04L45/54; H04L49/25; H04L67/327
    • In some embodiments, a processor-readable medium stores code representing instructions to be executed by a processor. The code causes the processor to receive, at an edge device (181;182,183), a first data unit having a characteristic. The code causes the processor to identify, at a first time, an identifier of a service module associated with the characteristic in response to each entry from a set of entries within a flow table not being associated with the characteristic. The code causes the processor to define an entry in the flow table associated with the characteristic and the identifier of the service module. The code causes the processor to send the first data unit to the service module. The code causes the processor to receive, at the edge device (181;182,183), a second data unit having the characteristic, and send the second data unit to the service module based on the entry.
    • 6. Published patent application
    • Detecting malicious network software agents
    • EP2247064A3
    • 2014-07-09
    • EP10156048.0
    • 2010-03-10
    • Juniper Networks, Inc.
    • Burns, Bryan; Narayanaswamy, Krishna
    • H04L29/06
    • H04L63/1441; H04L63/14; H04L63/1416; H04L2463/144
    • This disclosure describes techniques for determining whether a network session originates from an automated software agent. In one example, a network device, such as a router, includes a network interface to receive packets of a network session, a bot detection module to calculate a plurality of scores for network session data based on a plurality of metrics, wherein each of the metrics corresponds to a characteristic of a network session originated by an automated software agent, to produce an aggregate score from an aggregate of the plurality of scores, and to determine that the network session is originated by an automated software agent when the aggregate score exceeds a threshold, and an attack detection module to perform a programmed response when the network session is determined to be originated by an automated software agent. Each score represents a likelihood that the network session is originated by an automated software agent.
    • 7. Published patent application
    • Methods and apparatus for providing services in a distributed switch
    • EP2680536A1
    • 2014-01-01
    • EP13165566.4
    • 2013-04-26
    • Juniper Networks, Inc.
    • Narayanaswamy, Krishna; Frailong, Jean-Marc; Venkatramani, Anjan; Jagannadhan, Srinivasan
    • H04L29/08; H04L12/70
    • H04L49/355; H04L67/327
    • In some embodiments, a processor-readable medium stores code representing instructions to be executed by a processor. The code causes the processor to receive, from a source peripheral processing device (111; 112; ...; 116), a portion of a data packet having a destination address associated with a destination peripheral processing device (111; 112; ...; 116). The code causes the processor to identify, based on the destination address, a service to be performed on the portion of the data packet. The code causes the processor to select, based on the service, an identifier of a service module associated with the service. The code further causes the processor to send the portion of the data packet to the service module via a distributed switch fabric such that the service module performs the service on the portion of the data packet and sends the portion of the data packet to the destination peripheral processing device (111; 112; ...; 116) via the distributed switch fabric (110).
    • 9. Published patent application
    • Dynamic policy provisioning within network security devices
    • EP2139199A2
    • 2009-12-30
    • EP09163021.0
    • 2009-06-17
    • Juniper Networks, Inc.
    • Narayanaswamy, Krishna; Arun, Prashanth
    • H04L29/06
    • H04L63/1425; H04L63/1408; H04L63/20
    • The invention is directed to techniques for dynamic policy provisioning. A network security device may comprise a memory that stores a first policy that identifies a first set of patterns that correspond to a first set of network attacks and a second policy, and a control unit that applies the first policy to the network traffic to detect the first set of network attacks. The control unit, while applying the first policy, monitors parameters corresponding to one or more resources and dynamically determines whether to apply a second policy to the network traffic based on the parameters. The control unit, based on the dynamic determination, applies the second policy to the network traffic to detect a second set of network attacks and forwards the network traffic based on the application of the second policy. In this manner, the network security device may implement the dynamic policy provisioning techniques.