WO2004092961A1 - Network security system based on physical location - Google Patents


Info

Publication number
WO2004092961A1
Authority
WO
WIPO (PCT)
Prior art keywords
login
network
user
workstation
physical location
Application number
PCT/US2004/010507
Other languages
French (fr)
Inventor
Peter L. Pela
Original Assignee
Itracs Corporation
Application filed by Itracs Corporation
Priority to EA200501559A (EA200501559A1)
Priority to JP2006509723A (JP2006522420A)
Priority to EP04759140A (EP1611518A1)
Priority to US10/551,568 (US20070162954A1)
Priority to CA002520882A (CA2520882A1)
Priority to AU2004230005A (AU2004230005A1)
Publication of WO2004092961A1

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F15/00 Digital computers in general; Data processing equipment in general
    • G06F12/00 Accessing, addressing or allocating within memory systems or architectures
    • G06F12/14 Protection against unauthorised use of memory or access to memory
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/82 Protecting input, output or interconnection devices
    • G06F21/85 Protecting input, output or interconnection devices; interconnection devices, e.g. bus-connected or in-line devices
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2111 Location-sensitive, e.g. geographical location, GPS
    • G06F2221/2137 Time limited access, e.g. to a computer or data
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/107 Network architectures or network communication protocols for network security for controlling access to devices or network resources wherein the security policies are location-dependent, e.g. entities privileges depend on current location or allowing specific operations only from locally connected terminals

Definitions

  • Security server 152 receives the information and compares the information stored in a security server database.
  • Security server 152 grants or denies initial network access based upon the entered
  • The hardware component of the present invention monitors the connection of data ports.
  • A system such as that disclosed in issued U.S. Patent No. 6,574,586 determines the connectivity of each workstation and related equipment and their physical location.
  • The microprocessor within the hardware component continuously receives, records, and updates a database of the data port connection information.
  • The software component retrieves information identifying the workstation, 101 through 110 of FIG. 1, and location, 111 through 120 of FIG. 1, from which the user is attempting the logon.
  • The software component records the login information and takes preventive action, as described above, if necessary.
  • A user is associated with Workstation 101 and Location 111.
  • The user enters a Username and Password and is either granted or denied initial network access by security server 152.
  • The software component retrieves the data port connection information from the hardware component database, represented by Table 200, to determine if the user is authorized to login to the network at that location. While the user may have been granted initial access to the network by entering the correct Username and Password, Workstation 103 and Location 113 are not associated with the user. Thus, the user's access can be disconnected or an alert message can be issued to administrative terminal 154. Additionally, the software component records information pertaining to this failed login event.
  • Workstations 101 through 110 can be laptop computers, or otherwise portable workstations, and therefore can be used at various locations.
  • A user is associated with Workstation 101 and Location 111.
  • The software component retrieves the data port connection information from the hardware component database, represented by Table 200, to determine if the user is authorized to login to the network at that location. While the user may have been granted initial access to the network by entering the correct Username and Password, and although Workstation 101 is associated with the user, Location 113 is not associated with the user. Thus, the user's access can be disconnected or an alert message can be issued to administrative terminal 154. Additionally, the software component records information pertaining to this failed login event.
  • The software component of the present invention can also monitor Usernames and Passwords in order to grant or deny initial access to the network.

Abstract

A network security system and method for monitoring, tracking, and authorizing the physical location of a network login. More specifically, the present invention relates to a system that maintains records (200) of authorized network users and monitors, tracks, and authorizes the physical location from which those users are authorized to access a computer network.

Description

NETWORK SECURITY SYSTEM BASED ON PHYSICAL LOCATION
CROSS-REFERENCE TO RELATED APPLICATIONS
[001] The present application claims the benefit of U.S. Provisional Application No. 60/461,002, filed April 7, 2003, which is incorporated herein by reference.
FIELD OF THE INVENTION
[002] The present invention relates to a network security system and method for monitoring, tracking, and authorizing the physical location of a network login. More specifically, the present invention relates to a system that maintains records of authorized network users and monitors, tracks, and authorizes the physical location from which those users are authorized to access a computer network.
BACKGROUND OF THE INVENTION
[003] In many businesses employees are assigned their own computer network access number exchange so that the employee can interface with the company's computer network. The access number provides security to the company's network and prevents those unauthorized to use the network system from accessing the network. However, there exist circumstances in which a user who does not have authorized access to a company's network can maliciously break into network systems in order to gain unlawful access to valuable information or to ruin network programs. This unfortunate problem is not isolated to users outside the network; there are also instances in which employees, having authorization or stolen authorization, access the network for the purpose of ruining network programs or obtaining proprietary information.
[004] The problems of maintaining security for company network systems are well known in the art. One type of system that deals with network security problems is a firewall. A firewall is a set of related programs that protects the resources of a private network, or intranet, from users outside the network and also controls what outside resources users of the network can access. A firewall is located at a network's gateway server, the network entrance point, and is often installed in a specially designated computer that is separate from the network. Essentially, a firewall examines each network packet, or unit of data routed between an origin and a destination on the Internet or other network, to determine if it should be forwarded to its destination. Firewall screening methods include, for example, screening requests to ensure the requests come from acceptable domain name and Internet Protocol addresses. Mobile network users are allowed remote access to the network by the use of secure logon procedures and authentication.
[005] In such systems, the focus of network security is on protecting the network from users of other networks. That is, firewalls protect private networks from unauthorized external users of a company's network, such as the proverbial computer hacker. However, there is no security system or device that protects a private network from an inside network user, such as a rogue employee. Because employees typically have authorization, that is, an authorized Username and Password, to access a company's network, the most potentially damaging security threat is posed not from an external user over the Internet but rather from within the company itself over the local area network, that is, "insider hacking." The prior art systems fail to prevent this type of security threat.
[006] Thus, while the systems described above have been adequate for the applications for which they are designed, the need exists for an additional network security system which can prevent unlawful or unauthorized activities by an otherwise authorized network user.
SUMMARY OF THE INVENTION
[007] The present invention relates to a network security system and method for monitoring, tracking, and authorizing the physical location of a network login. More specifically, the present invention relates to a system that maintains records of authorized network users and monitors, tracks, and authorizes the physical location from which those users are authorized to access a computer network.
[008] The system of the present invention generally comprises a software component and a hardware component. The software component monitors the access of network users and constructs a database which can include records of network login attempts and information such as, for example, the login ID, or Username and Password; the workstation name, including the IP/MAC address; and the physical location and time of the login.
[009] The hardware component of the present invention includes a system for determining the physical location from which a user attempts to connect to the network. The hardware component comprises a microprocessor that monitors the connection of data ports and generates a database which contains physical location information associated with the network computers and related equipment.
[0010] When a user attempts to connect or connects to the network, the system of the present invention monitors the network security server, which grants or denies initial access to the network, and records login information. Specifically, the microprocessor of the hardware component, which continuously monitors the connection of data ports, communicates the data port connection information to a database. The software component looks up the physical location information in the database generated by the hardware component to determine, among other things, whether the user is authorized to login from the particular physical location of the login. That is, the software component monitors the access granted by the security server to determine whether a particular user, who has been granted initial access, is authorized to login from a particular location. If the user is not authorized to login from a particular login location, the software component can take preventive action such as instructing the switch or patch panel of the hardware component to shut down the user's data port. The software component also maintains records of network login attempts in an event log.
[0011] Other objects and features of the present invention will become apparent from the following detailed description, considered in conjunction with the accompanying drawing figures. It is to be understood, however, that the drawings are designed solely for the purpose of illustration and not as a definition of the limits of the invention, for which reference shall be made to the appended claims.
BRIEF DESCRIPTION OF THE DRAWINGS
[0012] In the drawing figures, which are not drawn to scale, and which are merely illustrative and wherein like reference characters denote similar elements throughout the several views:
[0013] FIG. 1 is a schematic illustrating the overall system of the present invention.
[0014] FIG. 2 is a table illustrating the database of Data Port Connection Information according to one embodiment of the present invention.
DETAILED DESCRIPTION OF THE PRESENTLY PREFERRED EMBODIMENTS
[0015] The present invention relates to a network security system and method for monitoring, tracking, and authorizing the physical location of a network login. More specifically, the present invention relates to a system that maintains records of logins of network users and monitors, tracks, and authorizes the physical location from which those users are allowed to access a computer network.
[0016] FIG. 1 depicts a schematic of a network security system according to one embodiment of the present invention. In general, the system allows a network manager, such as a company, to control network logins and thereby prevent or prohibit breaches of network security and/or track or monitor for investigative or administrative purposes the physical location from which users access the network.
[0017] As seen in FIG. 1, the network security system of the present invention includes workstations, generally indicated as 101 through 110, that consist of a computer, which can be a desktop or laptop, and other related equipment. Each workstation, 101 through 110, is associated with a specific physical location, generally indicated as 111 through 120, such as, for example, an office, floor of a building, portion of a floor of a building or department, or any other type of desired physical boundary. Workstations, 101 through 110, are coupled to each other via a local area-network (LAN), generally indicated as 150. More specifically, workstations, 101 through 110, a security server, generally indicated as 152, an administration terminal, generally indicated as 154, and the hardware component of the present invention are all in communication via LAN 150.
[0018] Network users, or employees, can be associated with one particular workstation, 101 through 110, and one physical location, 111 through 120, or with multiple workstations and/or physical locations. As described in more detail below, a user at a workstation in a particular physical location enters a Username and Password. Security server 152, which can include one or more security servers, can be coupled to LAN 150 or directly to each workstation and grants or denies initial network access based upon the Username and Password entered by a user.
[0019] The hardware component of the present invention, which is connected to LAN 150, monitors the connection pattern of data ports on a switch or patch panel. The hardware component comprises a system for determining the connection of data ports, which includes a switch or patch panel that is electrically connected to a microprocessor, which continually records and updates data port connection information. One such system is described in issued U.S. Patent No. 6,574,586. Other such hardware systems are known in the art and contemplated herein. That is, the present invention is not limited to any particular hardware component and will work equally well with any type of hardware component that can determine the physical location of an attempted login. The present invention also contemplates an embodiment with no hardware system wherein the data port connection information is manually entered into the database of a microprocessor.
[0020] The software component of the present invention monitors the activity of security server 152, determines whether the user is authorized to login to the network at the specific login location, takes the necessary action upon determining a user is unauthorized, and maintains records of login attempts. Security server 152 grants or denies initial access to the network based upon a comparison of the user's entered Username and Password with the Username and Password stored on security server 152 or on another network PC/Server. The software component then looks up the data port connection information generated by the hardware component to determine if the user has been granted authorization to access the network from that particular physical location. If the user is not authorized to access the network from that particular physical location, the software component can take various preventive actions, for example, instructing the switch or patch panel of the hardware component to shut down the user's data port or issuing an alert to the administrative terminal 154.
[0021] The software component also maintains records of login attempts, successful or unsuccessful. Specifically, the software component generates a database, or event log, which contains login identification information, such as, for example, Usernames and Passwords, workstation identification information, including IP/MAC address, date and time of each login attempt, date and time of each authorized login, login type description, network security agent, domain address, network resources accessed, server identification, whether the attempted login was successful or unsuccessful, number of login attempts, device identification (e.g., host name), IP address, MAC address, jack or outlet identification, jack or outlet location, port identification, and any other circuit trace information.
[0022] The database of the hardware component will now be described in greater detail with reference to FIG. 2, and continuing reference to FIG. 1. The database of the hardware component includes a table of information, which is described below. As appreciated by one skilled in the art, the following arrangement of information in a table is exemplary and other arrangements are within the scope of the present invention.
[0023] The database of the hardware component includes a Data Port Connection Information Table 200, as shown in FIG. 2. In general, Data Port Connection Information Table 200 includes records for each workstation, as identified by a Workstation ID. Each such record includes the IP/MAC address and the physical location (such as an office). For example, Workstation 101 is associated with Address 1 and Location 111. Workstation 102 is associated with Address 2 and Location 112. Workstation 103 is associated with Address 3 and Location 113. Workstation 104 is associated with Address 4 and Location 114. The remaining workstations are similarly numbered as identified in Table 200.
[0024] Having described the components of the present embodiment, the operation thereof will now be described. As an initial matter, the network manager provides user-identifying information to a security server database. More specifically, the network manager provides to security server 152 or another network PC/Server the Username and Password of each network user. In one embodiment of the present invention, the network manager manually enters the user-identifying information into the security server database 152 via administration terminal 154.
[0025] Once a user enters a Username and Password into a network computer, the entered information is communicated to security server 152 via LAN 150. Security server 152 receives the information and compares it with the information stored in a security server database. Specifically, security server 152 grants or denies initial network access based upon the entered Username and Password.
[0026] Concurrently, the hardware component of the present invention monitors the connection of data ports. Specifically, a system such as that disclosed in issued U.S. Patent No. 6,574,586 determines the connectivity of each workstation and related equipment and their physical location. The microprocessor within the hardware component continuously receives, records, and updates a database of the data port connection information.
[0027] When a user logs onto the network, the software component retrieves information identifying the workstation, 101 through 110 of FIG. 1, and location, 111 through 120 of FIG. 1, from which the user is attempting the logon. The software component records the login information and takes preventive action, as described above, if necessary.
[0028] By way of example, with reference to FIGS. 1 and 2, as described above, a user is associated with Workstation 101 and Location 111. The user enters a Username and Password and is either granted or denied initial network access by security server 152. According to the present invention, if the user accesses the network from Workstation 103 in Location 113, the software component retrieves the data port connection information from the hardware component database, represented by Table 200, to determine if the user is authorized to login to the network at that location. While the user may have been granted initial access to the network by entering the correct Username and Password, Workstation 103 and Location 113 are not associated with the user. Thus, the user's access can be disconnected or an alert message can be issued to administrative terminal 154. Additionally, the software component records information pertaining to this failed login event.
[0029] In another example, Workstations 101 through 110 can be laptop computers, or otherwise portable workstations, and therefore can be used at various locations. As described above, a user is associated with Workstation 101 and Location 111. According to the present invention, if the user accesses the network at Workstation 101 in Location 113, the software component retrieves the data port connection information from the hardware component database, represented by Table 200, to determine if the user is authorized to login to the network at that location. While the user may have been granted initial access to the network by entering the correct Username and Password, and although Workstation 101 is associated with the user, Location 113 is not associated with the user. Thus, the user's access can be disconnected or an alert message can be issued to administrative terminal 154. Additionally, the software component records information pertaining to this failed login event.
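The second-stage check described in paragraphs [0024] through [0029], as an added Python example that is not code from the patent or from Itracs: it models Table 200 and a per-user authorization table (both constructed with placeholder values), runs the location check after the security server's credential result, picks the preventive action, and writes the event-log record. The field names, the AUTHORIZED table, and the handling of unknown ports and mismatched addresses are assumptions not taken from the text.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

# Data Port Connection Information Table 200 (constructed sample rows):
# Workstation ID -> (IP/MAC address, physical location), as reported by the
# hardware component watching the switch or patch-panel ports. The address
# and location strings are placeholders, not real addresses or rooms.
PortRecord = Tuple[str, str]
TABLE_200: Dict[str, PortRecord] = {
    "Workstation101": ("Address1", "Location111"),
    "Workstation102": ("Address2", "Location112"),
    "Workstation103": ("Address3", "Location113"),
    "Workstation104": ("Address4", "Location114"),
}

# User authorization records (constructed): the patent only says the network
# manager associates each user with a workstation and a location, so this
# maps user -> set of (workstation, location) pairs from which login is allowed.
AUTHORIZED: Dict[str, Set[PortRecord]] = {
    "alice": {("Workstation101", "Location111")},
}


@dataclass
class LoginAttempt:
    username: str
    credential_ok: bool   # outcome of the security server's Username/Password check
    workstation: str      # Workstation ID of the data port the login arrived on
    address: str          # IP/MAC address observed at login
    when: datetime = field(default_factory=lambda: datetime.now(timezone.utc))


@dataclass
class Decision:
    allowed: bool
    action: str   # "allow", "deny_credentials", "disconnect_port" or "alert"
    reason: str
    location: Optional[str] = None


def evaluate_login(attempt: LoginAttempt,
                   table: Dict[str, PortRecord] = TABLE_200,
                   authorized: Dict[str, Set[PortRecord]] = AUTHORIZED,
                   event_log: Optional[List[dict]] = None) -> Decision:
    """Second-stage check run after the security server has accepted or
    rejected the credentials. Returns the preventive action to take and
    appends one event-log record per attempt, successful or not."""
    record = table.get(attempt.workstation)
    location = record[1] if record else None
    permitted = authorized.get(attempt.username, set())

    if not attempt.credential_ok:
        decision = Decision(False, "deny_credentials",
                            "security server rejected Username/Password", location)
    elif record is None:
        # Assumption: a login from a port the hardware component has never
        # reported is treated as suspicious rather than silently allowed.
        decision = Decision(False, "alert",
                            f"no port-connection record for {attempt.workstation}")
    elif record[0] != attempt.address:
        # Assumption: the address seen at login must match Table 200, so a
        # different device plugged into the registered workstation's port
        # raises an alert instead of passing as that workstation.
        decision = Decision(False, "alert",
                            f"address {attempt.address} does not match {record[0]}",
                            location)
    elif (attempt.workstation, location) in permitted:
        decision = Decision(True, "allow",
                            "user authorized at this workstation and location", location)
    else:
        # The two worked examples from the text: either the workstation is not
        # the user's (paragraph [0028]) or the user's own laptop has been plugged
        # in somewhere else (paragraph [0029]). Shutting down the user's data
        # port is the first preventive action the text names.
        if attempt.workstation in {ws for ws, _ in permitted}:
            why = f"{attempt.workstation} is the user's, but {location} is not an authorized location"
        else:
            why = f"{attempt.workstation} at {location} is not associated with user {attempt.username}"
        decision = Decision(False, "disconnect_port", why, location)

    if event_log is not None:
        event_log.append({
            "time": attempt.when.isoformat(),
            "username": attempt.username,
            "workstation": attempt.workstation,
            "address": attempt.address,
            "location": location,
            "credential_ok": attempt.credential_ok,
            "successful": decision.allowed,
            "action": decision.action,
            "reason": decision.reason,
        })
    return decision
```

Passing a copy of TABLE_200 in which the hardware component now reports Workstation101 at Location113 reproduces the laptop case of paragraph [0029]; the same user at Workstation103 reproduces paragraph [0028].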
[0030] In an alternate embodiment, the software component of the present invention can also monitor Usernames and Passwords in order to grant or deny initial access to the network.
[0031] While there have been shown and described and pointed out novel features of the present invention as applied to preferred embodiments thereof, it will be understood that various omissions and substitutions and changes in the form and details of the disclosed invention may be made by those skilled in the art without departing from the spirit of the invention. It is the intention, therefore, to be limited only as indicated by the scope of the claims appended hereto.
[0032] It is also to be understood that the following claims are intended to cover all of the generic and specific features of the invention herein described and all statements of the scope of the invention which, as a matter of language, might be said to fall therebetween.

Claims

CLAIMS
I claim:
1. A method for providing security to a computer network by monitoring the physical location of a network login or login attempt, said method comprising: associating a workstation to a physical location; associating a network user to said workstation; monitoring a computer network to determine a network login or attempted login of said user; determining a physical location of said login or attempted login; determining whether said user is authorized to access said network from said physical location of said login or attempted login.
2. The method of claim 1, further comprising determining whether preventive action is necessary and, if so, automatically initiating preventive action.
3. The method of claim 2, wherein said preventive action comprises generating an alert.
4. The method of claim 2, wherein said preventive action comprises disconnecting said workstation from said network.
5. The method of claim 2, wherein said preventive action comprises generating a notification message that said user is accessing said computer network from an unauthorized location.
6. The method of claim 1, further comprising storing information regarding said physical location of said login or attempted login.
7. The method of claim 1, further comprising storing information regarding said workstation associated with said login or attempted login.
8. The method of claim 7, wherein said workstation information includes one or more of the following types of information: an IP/MAC address of said workstation, a date and time of each login attempt, a date and time of each successful login, login type description, network security agent, domain address, information regarding which network resources were accessed, server identification, the number of login attempts, host name data, jack or outlet information, port identification, or any other circuit trace information.
9. The method of claim 1, further comprising generating an event log.
10. The method of claim 7, wherein said event log comprises information regarding said physical location of said login or attempted login and information regarding said user.
11. The method of claim 1, further comprising associating said user with a workstation.
12. A method for providing security to a computer network by monitoring a network login or login attempt from a particular workstation, said method comprising: associating a workstation to a physical location; associating a network user to said workstation; monitoring a computer network to determine a network login or attempted login of said user; determining which workstation said login or attempted login is generated from; determining whether said user is authorized to access said network from said workstation of said login or attempted login.
13. A network security system for a plurality of workstations coupled via a local area network, said network security system comprising: electronic storage for associating said workstations to a user and a physical location; and one or more processors for receiving login information from said workstations and accessing said electronic storage to determine whether said user or said workstation is authorized to login to said network from said physical location.
14. The system of claim 13, wherein said one or more processors generates an alert based on said determination.
15. The system of claim 14, wherein said alert comprises an email notification.
16. The system of claim 14, wherein said alert comprises a pager notification.
17. The system of claim 14, wherein said alert comprises a termination signal.
18. The system of claim 14, wherein said one or more processors generates an event log.
19. The system of claim 18, wherein said event log comprises a time of said access.
20. The system of claim 18, wherein said event log comprises said physical location.
21. A computer readable medium having computer readable code for causing one or more processors to perform the steps of: associating a workstation to a physical location; associating a network user to said workstation; monitoring a computer network to determine a network login or attempted login of said user; determining a physical location of said login or attempted login; determining whether said user is authorized to access said network from said physical location of said login or attempted login.
22. A network security system for a plurality of workstations coupled via a local area network, each workstation being associated with a specific user and coupled to one of a plurality of data ports of a patch panel, said patch panel being coupled to a computer network, said security system comprising: a workstation associated with a physical location and a user; a monitoring device for determining a network login or attempted login of said user; a device for determining a physical location of said login or attempted login; wherein said system determines whether said user is authorized to access said network from said physical location of said login or attempted login.
PCT/US2004/010507 2003-04-07 2004-04-05 Network security system based on physical location WO2004092961A1 (en)

Priority Applications (6)

Application Number Priority Date Filing Date Title
EA200501559A EA200501559A1 (en) 2003-04-07 2004-04-05 METHOD (OPTIONS) AND SYSTEM (OPTIONS) DATA PROTECTION IN THE NETWORK
JP2006509723A JP2006522420A (en) 2003-04-07 2004-04-05 Network security system based on physical location
EP04759140A EP1611518A1 (en) 2003-04-07 2004-04-05 Network security system based on physical location
US10/551,568 US20070162954A1 (en) 2003-04-07 2004-04-05 Network security system based on physical location
CA002520882A CA2520882A1 (en) 2003-04-07 2004-04-05 Network security system based on physical location
AU2004230005A AU2004230005A1 (en) 2003-04-07 2004-04-05 Network security system based on physical location

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US46100203P 2003-04-07 2003-04-07
US60/461,002 2003-04-07

Publications (1)

Publication Number Publication Date
WO2004092961A1 true WO2004092961A1 (en) 2004-10-28


Country Status (9)

Country Link
US (1) US20070162954A1 (en)
EP (1) EP1611518A1 (en)
JP (1) JP2006522420A (en)
KR (1) KR20060010741A (en)
CN (1) CN1795440A (en)
AU (1) AU2004230005A1 (en)
CA (1) CA2520882A1 (en)
EA (1) EA200501559A1 (en)
WO (1) WO2004092961A1 (en)

US11941116B2 (en) 2019-11-22 2024-03-26 Pure Storage, Inc. Ransomware-based data protection parameter modification
US11500788B2 (en) 2019-11-22 2022-11-15 Pure Storage, Inc. Logical address based authorization of operations with respect to a storage system
US11675898B2 (en) 2019-11-22 2023-06-13 Pure Storage, Inc. Recovery dataset management for security threat monitoring
US11651075B2 (en) 2019-11-22 2023-05-16 Pure Storage, Inc. Extensible attack monitoring by a storage system
US12079502B2 (en) 2019-11-22 2024-09-03 Pure Storage, Inc. Storage element attribute-based determination of a data protection policy for use within a storage system
US11755751B2 (en) 2019-11-22 2023-09-12 Pure Storage, Inc. Modify access restrictions in response to a possible attack against data stored by a storage system
US12079356B2 (en) 2019-11-22 2024-09-03 Pure Storage, Inc. Measurement interval anomaly detection-based generation of snapshots
US11687418B2 (en) 2019-11-22 2023-06-27 Pure Storage, Inc. Automatic generation of recovery plans specific to individual storage elements
US12050683B2 (en) * 2019-11-22 2024-07-30 Pure Storage, Inc. Selective control of a data synchronization setting of a storage system based on a possible ransomware attack against the storage system
US11645162B2 (en) 2019-11-22 2023-05-09 Pure Storage, Inc. Recovery point determination for data restoration in a storage system
US12050689B2 (en) 2019-11-22 2024-07-30 Pure Storage, Inc. Host anomaly-based generation of snapshots
US11657155B2 (en) 2019-11-22 2023-05-23 Pure Storage, Inc. Snapshot delta metric based determination of a possible ransomware attack against data maintained by a storage system
US11720692B2 (en) 2019-11-22 2023-08-08 Pure Storage, Inc. Hardware token based management of recovery datasets for a storage system
US12079333B2 (en) 2019-11-22 2024-09-03 Pure Storage, Inc. Independent security threat detection and remediation by storage systems in a synchronous replication arrangement
KR102332040B1 (en) * 2020-09-22 2021-12-01 배재대학교 산학협력단 Real-time responses system and method for protecting specific computers from offline surrogate users and hackers

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE4010094A1 (en) * 1990-03-29 1991-10-02 Standard Elektrik Lorenz Ag User password identification for data processing network access - generating multiple-parameter key from single password per user to enable access to many routines
US5684957A (en) * 1993-03-29 1997-11-04 Hitachi Software Engineering Co., Ltd. Network management system for detecting and displaying a security hole
US5721780A (en) * 1995-05-31 1998-02-24 Lucent Technologies, Inc. User-transparent security method and apparatus for authenticating user terminal access to a network
EP0851335A2 (en) * 1996-12-31 1998-07-01 Compaq Computer Corporation Secure two-piece user authentication in a computer network
US6311274B1 (en) * 1997-12-15 2001-10-30 Intel Corporation Network alert handling system and method

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9237139B2 (en) 2006-11-29 2016-01-12 British Telecommunications Public Limited Company Controlling access to a secure resource based on user credentials and location
EP3337125A1 (en) * 2016-12-16 2018-06-20 BlackBerry Limited Authenticating for an enterprise service
US10454929B2 (en) 2016-12-16 2019-10-22 Blackberry Limited Authenticating for an enterprise service

Also Published As

Publication number Publication date
AU2004230005A1 (en) 2004-10-28
JP2006522420A (en) 2006-09-28
CA2520882A1 (en) 2004-10-28
CN1795440A (en) 2006-06-28
KR20060010741A (en) 2006-02-02
EA200501559A1 (en) 2006-04-28
EP1611518A1 (en) 2006-01-04
US20070162954A1 (en) 2007-07-12

Similar Documents

Publication Publication Date Title
US20070162954A1 (en) Network security system based on physical location
US11503043B2 (en) System and method for providing an in-line and sniffer mode network based identity centric firewall
US9338176B2 (en) Systems and methods of identity and access management
EP2076078B1 (en) Defining a boundary for wireless network using physical access control systems
EP1315065B1 (en) Method for intrusion detection in a database system
US7448067B2 (en) Method and apparatus for enforcing network security policies
US8880893B2 (en) Enterprise information asset protection through insider attack specification, monitoring and mitigation
US7673147B2 (en) Real-time mitigation of data access insider intrusions
US20060179472A1 (en) System and method for effectuating computer network usage
US7032026B1 (en) Method and apparatus to facilitate individual and global lockouts to network applications
US20060248599A1 (en) Cross-domain security for data vault
US20090216587A1 (en) Mapping of physical and logical coordinates of users with that of the network elements
US20020112186A1 (en) Authentication and authorization for access to remote production devices
US20050138417A1 (en) Trusted network access control system and method
KR102611045B1 (en) Various trust factor based access control system
CA2509842A1 (en) Method and system for enforcing secure network connection
JP3973563B2 (en) Login request receiving apparatus, login request receiving method, and program therefor
US7167958B2 (en) Second storage system equipped with security system and a method of controlling the second storage system
JP3934062B2 (en) Unauthorized access detection device
JP2007226827A (en) Log-in request receiving device and access management device
JP2002342284A (en) Security protective device and method of security protection
Cisco Security Overview
US20230179595A1 (en) Systems and methods for biometric aided network access control
KR102131991B1 (en) Method for controlling an access to a network using position information of a user and authentication information and network security device for performing the method
Nelson et al. Mutual suspicion for network security

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): BW GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

DPEN Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed from 20040101)
121 Ep: the epo has been informed by wipo that ep was designated in this application
WWE Wipo information: entry into national phase

Ref document number: 2520882

Country of ref document: CA

WWE Wipo information: entry into national phase

Ref document number: 2004230005

Country of ref document: AU

WWE Wipo information: entry into national phase

Ref document number: 2004759140

Country of ref document: EP

Ref document number: 4526/DELNP/2005

Country of ref document: IN

WWE Wipo information: entry into national phase

Ref document number: 2006509723

Country of ref document: JP

Ref document number: 1020057019161

Country of ref document: KR

ENP Entry into the national phase

Ref document number: 2004230005

Country of ref document: AU

Date of ref document: 20040405

Kind code of ref document: A

WWP Wipo information: published in national office

Ref document number: 2004230005

Country of ref document: AU

WWE Wipo information: entry into national phase

Ref document number: 200501559

Country of ref document: EA

WWE Wipo information: entry into national phase

Ref document number: 20048145645

Country of ref document: CN

WWP Wipo information: published in national office

Ref document number: 2004759140

Country of ref document: EP

WWP Wipo information: published in national office

Ref document number: 1020057019161

Country of ref document: KR

WWE Wipo information: entry into national phase

Ref document number: 2007162954

Country of ref document: US

Ref document number: 10551568

Country of ref document: US

WWP Wipo information: published in national office

Ref document number: 10551568

Country of ref document: US