Abstract:
A method for managing virtualized software functions in a communication network includes: receiving a data model describing the functionality of a virtualized software function; generating a configuration interface defining the functionality, the interface being intended to be used for invoking the virtualized software function; generating and installing a first software agent, which implements the configuration interface, the first agent being configured to allow, when it is invoked, the calling of a virtual machine implementing the virtualized software function.
Abstract:
A method which makes it possible to manage access control between a first entity and a second entity belonging to two security domains in a cloud network is disclosed. In one aspect, if the entities belong to security domains implementing different access control policies, the method comprises determining whether there exists a first access control rule between the first entity and a virtual entity within the security domain of the first entity, and a second access control rule between the second entity and the virtual entity within the security domain of the second entity. If so, the method may comprise controlling access between the first and second entities as a function of the first and second rules.
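The following is an added illustration of the rule-bridging described above, written for this page and not taken from the patent. It assumes that each security domain stores local (subject, object, action) rules, that the two domains share the name of a virtual entity that stands in for the remote party, and that two domains with the same policy simply look the rule up directly (the abstract only describes the different-policy case). All domain, entity and rule names are constructed.

```python
# Added example: cross-domain access control mediated by a virtual entity.
# Not the patent's code; domain model, names and rules are assumptions.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Entity:
    name: str
    domain: str


@dataclass
class SecurityDomain:
    name: str
    policy: str                                          # model in force, e.g. "RBAC" or "MLS"
    rules: set = field(default_factory=set)              # local (subject, object, action) rules
    virtual_entities: set = field(default_factory=set)   # names standing in for remote entities

    def allows(self, subject: str, obj: str, action: str) -> bool:
        return (subject, obj, action) in self.rules


def check_access(src: Entity, dst: Entity, action: str, domains: dict) -> bool:
    """True if src may perform `action` on dst.

    Same domain: evaluate the local rule directly.
    Different domains, same policy: assumed here to require the rule in both domains.
    Different policies: rules cannot be compared directly, so access is granted only
    if a virtual entity V exists with a rule src->V in src's domain and V->dst in
    dst's domain (the two rules of the abstract).
    """
    d_src, d_dst = domains[src.domain], domains[dst.domain]
    if d_src is d_dst:
        return d_src.allows(src.name, dst.name, action)
    if d_src.policy == d_dst.policy:
        return d_src.allows(src.name, dst.name, action) and d_dst.allows(src.name, dst.name, action)
    for v in d_src.virtual_entities & d_dst.virtual_entities:
        if d_src.allows(src.name, v, action) and d_dst.allows(v, dst.name, action):
            return True
    return False


def build_example() -> dict:
    """Two constructed tenants with different policies sharing the virtual entity 'bridge-1'."""
    tenant_a = SecurityDomain("tenant-a", "RBAC",
                              rules={("vm-1", "bridge-1", "read")},
                              virtual_entities={"bridge-1"})
    tenant_b = SecurityDomain("tenant-b", "MLS",
                              rules={("bridge-1", "db-1", "read"), ("app-1", "db-1", "write")},
                              virtual_entities={"bridge-1"})
    return {"tenant-a": tenant_a, "tenant-b": tenant_b}


def demo() -> dict:
    domains = build_example()
    vm1, vm2 = Entity("vm-1", "tenant-a"), Entity("vm-2", "tenant-a")
    db1, app1 = Entity("db-1", "tenant-b"), Entity("app-1", "tenant-b")
    return {
        "vm1_read_db1": check_access(vm1, db1, "read", domains),      # both bridge rules exist
        "vm1_write_db1": check_access(vm1, db1, "write", domains),    # no write rule on either side
        "vm2_read_db1": check_access(vm2, db1, "read", domains),      # vm-2 has no rule to bridge-1
        "app1_write_db1": check_access(app1, db1, "write", domains),  # same domain, local rule
    }


if __name__ == "__main__":
    for decision, allowed in demo().items():
        print(decision, allowed)
```

The practical point of the virtual entity is that neither domain has to understand the other's policy language: each side only ever authorises a local subject or object, and a request crosses the boundary only when both local decisions are positive. A missing rule on either side fails closed.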
Abstract:
A method is provided for supervising security of an architecture having a plurality of interconnected clouds. A cloud includes a plurality of resources and a security supervisor. The plurality of resources forms in the cloud a plurality of groups of resources associated respectively with a security domain. A security controller supervises the resources of the domain, and a plurality of physical machines contains the resources of the plurality of clouds. The method includes: receiving a security event by a security controller of a first cloud, originating from a first resource associated with a first security domain; dispatching said security event to the security supervisor of the first cloud; and dispatching by the security supervisor of the first cloud a security order in reaction to the security event to at least one second security controller of the first cloud and dispatching the security order by the second security controller to a second resource supervised by the second controller.
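As an added example (not the patent's own code), the event/order flow above can be modelled as three small classes: resources belong to a security domain, each domain has a security controller, and a cloud-level supervisor turns an event reported by one controller into an order delivered through the other controllers of the same cloud. The reaction policy (block the source of an intrusion everywhere except the domain that reported it), the event format and all names are assumptions.

```python
# Added example: security supervision of one cloud with several security domains.
# Not the patent's code; event format, reaction policy and names are assumptions.


class Resource:
    def __init__(self, name: str, domain: str):
        self.name, self.domain = name, domain
        self.orders = []                      # security orders enforced on this resource

    def apply(self, order: dict) -> None:
        self.orders.append(order)


class SecuritySupervisor:
    """One per cloud: receives events from controllers and emits orders to controllers."""

    def __init__(self, cloud: str):
        self.cloud = cloud
        self.controllers = {}                 # security domain -> SecurityController
        self.events = []                      # (domain, resource name, event) audit log

    def register(self, controller) -> None:
        self.controllers[controller.domain] = controller

    def react(self, domain: str, event: dict):
        # Assumed reaction policy: an intrusion seen in one domain gets its source
        # blocked in every other domain of the cloud. Anything else needs no order.
        if event.get("type") == "intrusion":
            return {"action": "block_source", "ip": event["src"], "origin_domain": domain}
        return None

    def handle_event(self, domain: str, resource: Resource, event: dict):
        self.events.append((domain, resource.name, event))
        order = self.react(domain, event)
        if order is not None:
            # dispatch to the "second" controllers: every controller of this cloud
            # other than the one that reported the event
            for other_domain, ctrl in self.controllers.items():
                if other_domain != domain:
                    ctrl.enforce(order)
        return order


class SecurityController:
    """Supervises the resources of exactly one security domain."""

    def __init__(self, domain: str, supervisor: SecuritySupervisor):
        self.domain, self.supervisor, self.resources = domain, supervisor, []
        supervisor.register(self)

    def supervise(self, resource: Resource) -> None:
        if resource.domain != self.domain:
            raise ValueError(f"{resource.name} is outside domain {self.domain}")
        self.resources.append(resource)

    def report(self, resource: Resource, event: dict):
        # Only accept events from resources this controller actually supervises;
        # otherwise a resource in one domain could trigger orders on another's behalf.
        if resource not in self.resources:
            raise ValueError(f"{resource.name} is not supervised by {self.domain}")
        return self.supervisor.handle_event(self.domain, resource, event)

    def enforce(self, order: dict) -> None:
        for r in self.resources:
            r.apply(order)


def demo() -> dict:
    sup = SecuritySupervisor("cloud-1")
    web_ctrl, db_ctrl = SecurityController("web", sup), SecurityController("db", sup)
    web1, web2, db1 = Resource("web-1", "web"), Resource("web-2", "web"), Resource("db-1", "db")
    web_ctrl.supervise(web1)
    web_ctrl.supervise(web2)
    db_ctrl.supervise(db1)
    # constructed events
    order = web_ctrl.report(web1, {"type": "intrusion", "src": "198.51.100.7"})
    heartbeat = web_ctrl.report(web2, {"type": "heartbeat"})
    return {
        "order": order,
        "db_orders": len(db1.orders),
        "web_orders": len(web1.orders) + len(web2.orders),
        "heartbeat_order": heartbeat,
        "events_logged": len(sup.events),
    }


if __name__ == "__main__":
    print(demo())
```

Two checks are worth keeping in any real implementation of this pattern: a controller must refuse events from resources outside its domain, and the supervisor, not the reporting controller, decides which other controllers receive the order, so that one compromised resource cannot push orders laterally on its own.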
Abstract:
Disclosed is a method comprising updating a first model describing a pool of computer and network resources and a second multi-level hierarchical model describing an entity, each level having at least one element containing one or more users of the entity and associated with an algorithm for allocating at least a portion of the pool, the union of the elements at any level containing all of the users, such that the first and second models represent a current state of the pool of resources and a current state of the entity. Upon request from a user to access a resource specified in the request, resources may be identified by applying the algorithms of the second model to the current state of the pool represented by the first model, verifying compatibility between the identified resources and the resource specified in the request, and rejecting the request in the event of incompatibility.
Abstract:
In one embodiment disclosed herein is a method of processing a request made by a terminal of a user to access a resource made available to a client entity by a platform of a cloud computer service supplier. The method is performed by a server situated between the terminal and the platform utilizing distinct instructions for each client entity. The method comprises verifying that the user is authorized to access the computer resource via the terminal by applying to the user and to the resource an access control model and an access control policy corresponding to the model.
Abstract:
Method of processing a data packet relating to a service, said packet being conveyed by an interconnection gateway between a mobile communication network and a packet communication network, destined for said packet communication network. The method comprises a step of obtaining, by a virtualized node, an identifier of the service to which the packet relates, and is characterized in that it furthermore comprises:
- a step of obtaining, on the basis of the service identifier, a sequence of at least one elementary network function for processing said packet;
- for processing the packet, the first function of the sequence being the current function at the first iteration, and the packet being transmitted at the input of a virtualized node able to implement the current function:
  - application of the current function to the input packet by the virtualized node so as to obtain an output packet;
  - if there exists a function following the current function in the sequence: selection of a next virtualized node able to implement said following function, which then becomes the current function, and dispatching of the output packet to the selected node, the output packet thus becoming the input packet for the application of the current function;
  - if no function following the current function in the sequence exists: transmission of the output packet to the packet communication network.
Abstract:
One embodiment is an authentication method comprising: on receiving a request from the web browser of the terminal, the request including a user identifier, obtaining authentication data that is associated with the user identifier and that is stored in a database of the internal network; configuring a proxy server authorizing access via the access security entity to the internal network for a determined set of connection parameters; generating a first application from the connection parameters of the set, which application is protected using at least one determined portion of the authentication data and is configured, on being executed by the web browser, to set up a connection between the terminal and the proxy server using the parameters, in response to the at least one determined portion of the authentication data being supplied; and transmitting the first application to the web browser of the terminal.
Abstract:
One embodiment disclosed herein serves to establish a trust relationship for sharing resources between a trustee tenant and a trustor tenant in a cloud network. It comprises receiving a requirement file (REQ) from the trustee tenant, said file including at least one permission desired by the tenant; searching for and identifying at least one opportunity file sent by a trustor tenant, this file including at least the permissions; and storing information representative of a trust relationship for sharing resources between the tenants.
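An added example of the matching step, written for this page and not taken from the patent: a requirement file and the opportunity files are modelled as small JSON documents (the format is an assumption; the abstract does not specify one), an opportunity matches when it offers every permission the trustee asked for, and the stored relationship records only the requested permissions rather than everything the trustor offered. Tenant names and permission strings are constructed.

```python
# Added example: matching a trustee's requirement file against trustor opportunity files.
# Not the patent's code; the JSON file format, tenant names and permissions are assumptions.
import json

# Constructed sample files.
REQ_FILE = json.dumps({"tenant": "acme", "permissions": ["storage:read", "net:attach"]})
OPPORTUNITY_FILES = [
    json.dumps({"tenant": "globex", "permissions": ["storage:read", "storage:write", "net:attach"]}),
    json.dumps({"tenant": "initech", "permissions": ["storage:read"]}),           # too narrow
    json.dumps({"tenant": "acme", "permissions": ["storage:read", "net:attach"]}),  # self-offer, ignored
]


def parse_file(text: str):
    """Return (tenant, permission set) from a requirement or opportunity file."""
    doc = json.loads(text)
    return doc["tenant"], frozenset(doc["permissions"])


def matching_trustors(req_text: str, opportunity_texts):
    """Identify every trustor whose opportunity covers all requested permissions."""
    trustee, wanted = parse_file(req_text)
    found = []
    for text in opportunity_texts:
        trustor, offered = parse_file(text)
        if trustor == trustee:
            continue                      # a tenant cannot be its own trustor
        if wanted <= offered:             # subset test: every wanted permission is offered
            found.append(trustor)
    return trustee, wanted, found


def establish_trust(req_text: str, opportunity_texts, registry: list):
    """Store one trust relationship per matching trustor and return the trustors."""
    trustee, wanted, trustors = matching_trustors(req_text, opportunity_texts)
    for trustor in trustors:
        registry.append({
            "trustor": trustor,
            "trustee": trustee,
            # least privilege: record what was asked for, not the whole offer
            "permissions": sorted(wanted),
        })
    return trustors


def demo():
    registry = []
    trustors = establish_trust(REQ_FILE, OPPORTUNITY_FILES, registry)
    return trustors, registry


if __name__ == "__main__":
    print(demo())
```

Storing the requested permissions rather than the offered ones matters: "globex" above offers storage:write as well, and a registry that copied the opportunity file wholesale would grant the trustee a permission it never asked for.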
Abstract:
Method of processing a data packet relating to a service, said packet being conveyed by an interconnection gateway between a mobile communication network and a packet communication network, destined for said packet communication network. The method comprises a step of obtaining, by a virtualized node, an identifier of the service to which the packet relates, and a step of obtaining, on the basis of the service identifier, a sequence of at least one elementary network function for processing said packet. The packet is transmitted to a virtualized node in order to apply the current function and, if there exists a function following the current function in the sequence, a next virtualized node able to implement said following function is selected. If no function following the current function in the sequence exists, the virtualized node transmits the output packet to the packet communication network.
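The two abstracts above (this one and the earlier, longer version of the same method) describe one packet-processing loop, so a single added example serves both. It is written for this page, not taken from the patent. It assumes a constructed service catalogue that maps a service identifier to a sequence of elementary functions (dpi, url_filter, nat), a set of virtualized nodes each implementing some of those functions, node selection by taking the first capable node, and a function that returns None to signal that the packet is dropped. Packets, hosts and addresses are constructed.

```python
# Added example: chaining elementary network functions across virtualized nodes.
# Not the patent's code; catalogue, functions, node selection rule and packets are assumptions.

# Constructed service catalogue: service identifier -> ordered elementary functions.
SERVICE_BY_PORT = {80: "web", 443: "web", 1935: "video"}
SERVICE_CHAINS = {
    "web": ["dpi", "url_filter", "nat"],
    "video": ["dpi", "nat"],
    "default": ["nat"],
}
BLOCKED_HOSTS = {"malware.example"}


def dpi(p: dict) -> dict:
    return {**p, "app": "http" if p["dst_port"] in (80, 443) else "unknown"}


def url_filter(p: dict):
    return None if p.get("host") in BLOCKED_HOSTS else p   # None means the packet is dropped


def nat(p: dict) -> dict:
    return {**p, "src": "203.0.113.10"}                    # constructed public address


FUNCTIONS = {"dpi": dpi, "url_filter": url_filter, "nat": nat}


class VirtualizedNode:
    def __init__(self, name: str, functions):
        self.name, self.functions = name, set(functions)

    def can_run(self, fn: str) -> bool:
        return fn in self.functions

    def apply(self, fn: str, packet: dict):
        if not self.can_run(fn):
            raise RuntimeError(f"{self.name} cannot run {fn}")
        return FUNCTIONS[fn](packet)


class Gateway:
    """Interconnection gateway driving the chain of virtualized nodes."""

    def __init__(self, nodes):
        self.nodes = nodes
        self.delivered = []                   # packets handed to the packet network

    def service_id(self, packet: dict) -> str:
        return SERVICE_BY_PORT.get(packet["dst_port"], "default")

    def select_node(self, fn: str) -> VirtualizedNode:
        # assumed selection rule: first node able to implement the function
        for n in self.nodes:
            if n.can_run(fn):
                return n
        raise RuntimeError(f"no virtualized node implements {fn}")

    def process(self, packet: dict):
        """Apply the chain; return (output packet or None if dropped, list of (node, fn))."""
        chain = SERVICE_CHAINS[self.service_id(packet)]
        path, current = [], packet
        for fn in chain:                      # fn is the "current function" of the abstract
            node = self.select_node(fn)
            path.append((node.name, fn))
            current = node.apply(fn, current) # output becomes input of the next function
            if current is None:
                return None, path
        self.delivered.append(current)        # no following function: out to the packet network
        return current, path


def demo() -> dict:
    gw = Gateway([VirtualizedNode("vnf-a", ["dpi"]),
                  VirtualizedNode("vnf-b", ["url_filter", "nat"]),
                  VirtualizedNode("vnf-c", ["nat"])])
    ok, path_ok = gw.process({"src": "10.0.0.5", "dst_port": 443, "host": "news.example"})
    dropped, path_drop = gw.process({"src": "10.0.0.6", "dst_port": 80, "host": "malware.example"})
    other, path_other = gw.process({"src": "10.0.0.7", "dst_port": 5060})
    try:                                      # chain needing a function no node provides
        Gateway([VirtualizedNode("vnf-a", ["dpi"])]).process({"src": "10.0.0.8", "dst_port": 443})
        unsupported = None
    except RuntimeError as e:
        unsupported = str(e)
    return {"ok": ok, "path_ok": path_ok, "dropped": dropped, "path_drop": path_drop,
            "other": other, "path_other": path_other, "delivered": len(gw.delivered),
            "unsupported": unsupported}


if __name__ == "__main__":
    print(demo())
```

The path list is the evidence a practitioner wants when debugging a chain: it shows which node ran which function, where a packet was dropped, and makes an unsatisfiable chain (a function with no capable node) fail loudly instead of silently forwarding the packet past a security function.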