Abstract: A processing blade is assigned from the plurality of processing blades to a session of data packets. The load balancing engine manages a session table and an IPsec routing table by updating the session table with a particular security engine card assigned to the session and by updating the IPsec routing table for storing a remote IP address for a particular session. Outbound raw data packets of a particular session are parsed for matching cleartext tuple information prior to IPsec encryption, and inbound encrypted data packets of the particular session are parsed for matching cipher tuple information prior to IPsec decryption. Inbound data packets assigned to the processing blade from the session table are parsed and forwarded to the station.
Abstract: A file copy is executed in a virtual runtime environment that tracks behavior using RNN taking runtime behavior of at least a first time into account with current runtime behavior at a second time. This is responsive to not finding a known signature for suspicious activity during virus scanning. A behavior sequence is identified on-the-fly during file copy execution that is indicative of malware, prior to completing the execution, the behavior sequence involving at least two actions taken at different times during file copy execution. Responsive to the identification, the execution is terminated and the virtual runtime environment is returned to the pool of available virtual runtime environments.
Abstract: Systems and methods for capturing and correlating multiple sources of debugging information relating to a network resource and a client device via a browser extension are provided. A browser extension integrated within a browser running on a client device, receives a request to initiate capturing of debugging information relating to a potential bug associated with a network resource with which an end user is interacting via the browser, and in response to the first request, starts capturing the debugging information from multiple sources and correlates the multiple sources to facilitate time-synchronized playback. On receipt of a second request, the browser extension stop capturing debugging information, and creates a single compressed file containing the debugging information collected from the multiple sources. The single compressed file may then be shared with a second device, which can playback the correlated debugging information.
Abstract: Various approaches for securing networks against access from off network devices. In some cases, embodiments discussed relate to systems and methods for identifying potential threats included in a remote network by a network access device prior to requesting access to a known secure network via the remote network.
Abstract: Systems and methods for remote monitoring of a Security Operations Center (SOC) via a mobile application are provided. According to one embodiment, a management service retrieves information regarding multiple network elements that are associated with an enterprise network and extracts parameters of the monitored network elements from the retrieved information. The management service prioritizes the monitored network elements by determining a severity level associated with security-related issues of the network elements and generates various monitoring views that summarize in real time various categories of potential security-related issues detected by the SOC. Further, the management service assigns a priority to each monitoring view and displays a video on the display device that cycles through monitoring views in accordance with their respective assigned priorities.
Abstract: Systems and methods for intent-based orchestration of independent automations are provided. Examples described herein alleviate the complexities and technical challenges associated with deploying, provisioning, configuring, and managing configurable endpoints, including network devices, network security systems, cloud-based security services (e.g., provided by or representing a Secure Access Service Edge (SASE) platform), and other infrastructure, on behalf of numerous customers (or tenants). For example, customer intent may be automatically translated into concrete jobs and tasks that operate to make changes to one or more of the configurable endpoints so as to insulate the user from being required to know which configurable endpoint(s) need(s) to change, which vendor supports a given configurable endpoint, and/or vendor specific issues involved in changing the configurable endpoints.
Abstract: Among a great deal of other disclosure and scope, systems and methods are enclosed that enable for highly efficient labeling of data. For example, in some of many cases, a novel methodology for ranking vectors most useful to label next is disclosed. In such an example, a neural network is trained to predict this ranking methodology upon being given a set of heuristics from which to assess the given problem space. A user can continue the cycle of identifying a set of candidate vectors to label, compiling relevant heuristics from said vectors, ranking vectors via the trained neural network, selecting a subset of the ranked vectors, inquiring an oracle regarding the true labels of the vectors, and then appending the subset of newly labelled vectors to the labelled set of vectors until satisfaction.
Abstract: A Wi-Fi controller identifies a mismatch between a first prefix of a first IPv6 address for a data packet corresponding to a first VLAN on which the data packet was sent from the station to the access point, and a prefix of a second IPv6 address for a second VLAN from which the data packet was transmitted from the access point to the Wi-Fi controller. Responsive to the VLAN mismatch identification, the Wi-Fi controller transmits an RA to the station with a preferred lifetime of 0, wherein subsequent communications use the second IPv6 address.
Type:
Grant
Filed:
June 30, 2021
Date of Patent:
March 12, 2024
Assignee:
Fortinet, Inc.
Inventors:
PC Sridhar, Pradeep Mohan, Mohan Jayaraman
Abstract: Systems and methods for performing multi-feed classification of security events to facilitate automated IR orchestration are provided. According to one embodiment a cloud-based security service protecting a private network provides a plurality of data feeds, wherein each data feed of the plurality of data feeds independently classify a given security event and produce a classification result. In response to an event associated with a process of an endpoint device that is part of the private network an endpoint protection platform running on the endpoint device performs an initial classification of the event and transmits the classification result to the cloud-based security service for final classification.
Abstract: Systems and methods for improving security event classification by leveraging user-behavior analytics are provided. According to an embodiment, a UEBA-based security event classification service of a cloud-based security platform maintains information regarding historical user behavior of various users of an enterprise network. An endpoint protection platform running on an endpoint device that is part of the enterprise network performs an initial classification of the event, based on which the endpoint protection platform blocks activity by the process. The endpoint production platform requests input from the cloud-based security platform which causes the cloud-based security platform performs a reclassification of the event based on contextual information, multiple data feeds and the UEBA-based security event classification service.
Abstract: Systems and methods are described for training a machine learning model using intelligently selected multiclass vectors. According to an embodiment, a set of un-labeled feature vectors are received. The set of feature vectors are grouped into clusters within a vector space having fewer dimensions than the first set of feature vectors by applying a homomorphic dimensionality reduction algorithm to the set of feature vectors and performing centroid-based clustering. An optimal set of clusters among the clusters is identified by performing a convex optimization process on the clusters. Vector labeling is minimized by selecting ground truth representative vectors including a representative vector from each cluster of the optimal set of clusters. A set of labeled feature vectors is created based on labels received from an oracle for each of the representative vectors. A machine-learning model is trained for multiclass classification based on the set of labeled feature vectors.
Abstract: Systems and methods for detecting malicious behavior in a network by analyzing process interaction ratios (PIRs) are provided. According to one embodiment, information regarding historical process activity is maintained. The historical process activity includes information regarding various processes hosted by computing devices of a private network. Information regarding process activity within the private network is received for a current observation period. For each process, for each testing time period of a number of testing time periods within the current observation period, a PIR is determined based on (i) a number of unique computing devices that hosted the process and (ii) a number of unique users that executed the process. A particular process is identified as potentially malicious when a measure of deviation of the PIR of the particular process from a historical PIR mean of the particular process exceeds a pre-defined or configurable threshold during a testing time period.
Type:
Application
Filed:
October 31, 2023
Publication date:
February 29, 2024
Applicant:
Fortinet, Inc.
Inventors:
Ernest Mugambi, Partha Bhattacharya, Gun Sumlut
Abstract: Various approaches for securing networks against access from off network devices. In some cases, embodiments discussed relate to systems and methods for identifying potential threats included in a remote network by a network access device prior to requesting access to a known secure network via the remote network.
Abstract: In network devices, during manufacturing, input for designation of a region code to be a non-specific region code is stored in a BIOS memory of the network device, and a specific region code is stored off the BIOS. During boot up, the BIOS is checked for a specific region code to regulate wireless transmissions at a physical location of operation. Responsive to receiving the non-specific region code from BIOS, the specific region code is requested from a region code server based on a network device identifier. Once received, the region code is stored in flash memory, until rebooted or otherwise reset, rather than BIOS.
Type:
Grant
Filed:
December 9, 2020
Date of Patent:
February 20, 2024
Assignee:
Fortinet, Inc.
Inventors:
Yong Zhang, Peter Yongchun Liu, Koroush Akhavan-Saraf, Xin Wang, Andrew Q Ji, Ben Wilson