Patents Assigned to Palo Alto Networks, Inc.
-
Patent number: 11805153
Abstract: Techniques for location based security in service provider networks (e.g., service provider networks for mobile subscribers) are disclosed. A system/process/computer program product for location based security in service provider networks includes monitoring network traffic on a service provider network at a security platform to identify a location for a new session; associating the location with the new session at the security platform; and determining a security policy to apply at the security platform to the new session based on the location.
Type: Grant
Filed: April 29, 2021
Date of Patent: October 31, 2023
Assignee: Palo Alto Networks, Inc.
Inventors: Sachin Verma, Leonid Burakovsky, Jesse C. Shu, Chang Li
-
Patent number: 11799858
Abstract: A set of data packets transmitted by an IoT device is received at a system. At least one packet included in the set of data packets is analyzed. An Authentication, and Account (AAA) message, including contextual information associated with the IoT device, is transmitted on behalf of the IoT device.
Type: Grant
Filed: February 3, 2022
Date of Patent: October 24, 2023
Assignee: Palo Alto Networks, Inc.
Inventor: Gong Cheng
-
Patent number: 11799914
Abstract: Techniques for cellular Internet of Things (IoT) battery drain prevention in mobile networks (e.g., service provider networks for mobile subscribers) are disclosed. In some embodiments, a system/process/computer program product for cellular IoT battery drain prevention in mobile networks includes monitoring network traffic on a service provider network at a security platform to identify a misbehaving application based on a security policy, wherein the service provider network includes a 4G network or a 5G network; extracting subscription identifier information for network traffic associated with the misbehaving application at the security platform; and enforcing the security policy at the security platform to rate limit paging messages sent to an endpoint device using the subscription identifier information and based on the security policy.
Type: Grant
Filed: October 19, 2021
Date of Patent: October 24, 2023
Assignee: Palo Alto Networks, Inc.
Inventors: Sachin Verma, Leonid Burakovsky
-
Patent number: 11792235
Abstract: Techniques for providing network slice-based security in mobile networks (e.g., service provider networks for mobile subscribers) are disclosed. In some embodiments, a system/process/computer program product for network slice-based security in mobile networks in accordance with some embodiments includes monitoring network traffic on a service provider network at a security platform to identify a new session, wherein the service provider network includes a 5G network or a converged 5G network; extracting network slice information for user traffic associated with the new session at the security platform; and determining a security policy to apply at the security platform to the new session based on the network slice information.
Type: Grant
Filed: January 12, 2023
Date of Patent: October 17, 2023
Assignee: Palo Alto Networks, Inc.
Inventors: Sachin Verma, Leonid Burakovsky
-
Patent number: 11783035
Abstract: Techniques for multi-representational learning models for static analysis of source code are disclosed. In some embodiments, a system/process/computer program product for multi-representational learning models for static analysis of source code includes receiving at a networked device a set comprising one or more multi-representation learning (MRL) models for static analysis of source code; performing a static analysis of source code associated with a sample received at the network device, wherein performing the static analysis includes using at least one MRL model; and determining that the sample is malicious based at least in part on the static analysis of the source code associated with the sample and without performing dynamic analysis of the sample, and in response to determining that the sample is malicious, performing an action based on a security policy.
Type: Grant
Filed: November 15, 2022
Date of Patent: October 10, 2023
Assignee: Palo Alto Networks, Inc.
Inventors: Brody James Kutt, William Redington Hewlett, II, Oleksii Starov, Yuchen Zhou, Fang Liu
-
Patent number: 11784972
Abstract: Techniques for Diameter security with next generation firewall are disclosed. In some embodiments, a system/process/computer program product for Diameter security with next generation firewall includes monitoring Diameter protocol traffic on a service provider network at a security platform; and filtering the Diameter protocol traffic at the security platform based on a security policy.
Type: Grant
Filed: February 10, 2022
Date of Patent: October 10, 2023
Assignee: Palo Alto Networks, Inc.
Inventors: Sachin Verma, Leonid Burakovsky, Mingxu Huo, Fengliang Hu
-
Patent number: 11785048
Abstract: Techniques for providing consistent monitoring and analytics for security insights for network and security functions for a security service are disclosed. In some embodiments, a system/process/computer program product for providing consistent monitoring and analytics for security insights for network and security functions for a security service includes receiving a flow at a software-defined wide area network (SD-WAN) device; inspecting the flow to determine whether the flow is associated with a split tunnel; and monitoring the flow at the SD-WAN device to collect security information associated with the flow for reporting to a security service.
Type: Grant
Filed: October 30, 2020
Date of Patent: October 10, 2023
Assignee: Palo Alto Networks, Inc.
Inventors: Anand Oswal, Arivu Mani Ramasamy, Kumar Ramachandran
-
Patent number: 11784971
Abstract: Techniques for network layer signaling security with next generation firewall are disclosed. In some embodiments, a system/process/computer program product for network layer signaling security with next generation firewall includes monitoring a network layer signaling protocol traffic on a service provider network at a security platform; and filtering the network layer signaling protocol traffic at the security platform based on a security policy.
Type: Grant
Filed: February 10, 2022
Date of Patent: October 10, 2023
Assignee: Palo Alto Networks, Inc.
Inventors: Sachin Verma, Leonid Burakovsky
-
Patent number: 11777994
Abstract: Techniques for dynamic per subscriber policy enablement for security platforms within service provider network environments are disclosed. In some embodiments, a system/process/computer program product for dynamic per subscriber policy enablement for security platforms within service provider network environments includes monitoring network traffic on a service provider network at a security platform to identify a subscriber with a new IP flow; associating the subscriber with the new IP flow at the security platform; and determining a security policy to apply at the security platform to the new IP flow based on the subscriber.
Type: Grant
Filed: December 14, 2021
Date of Patent: October 3, 2023
Assignee: Palo Alto Networks, Inc.
Inventors: Mitchell Rappard, Leonid Burakovsky
-
Patent number: 11777965
Abstract: Techniques for providing Internet of Things (IoT) security are disclosed. An applicable system includes profiling IoT devices to limit the number of network signatures applicable to the IoT devices and performing pattern matching using a pattern that is appropriate for the profile of a given IoT device.
Type: Grant
Filed: June 18, 2019
Date of Patent: October 3, 2023
Assignee: Palo Alto Networks, Inc.
Inventors: Jun Du, Mei Wang, Hector Daniel Regalado, Jianhong Xia
-
Patent number: 11777807
Abstract: A set of identifying elements of a first network is determined from a set of data. For each identifying element of the set of identifying elements, a first frequency at which the identifying element is associated with a first set of systems connected to the first network is determined, and a second frequency at which the identifying element is associated with a second set of systems of other networks accessible via the Internet is determined. It is determined if each identifying element is associated with the first set of systems at a greater frequency than with the second set of systems based, at least in part, on the first frequency and the second frequency. If an identifying element is associated with the first set of systems at a greater frequency than with the second set of systems, the identifying element is indicated as a fingerprint of the first network.
Type: Grant
Filed: June 3, 2021
Date of Patent: October 3, 2023
Assignee: Palo Alto Networks, Inc.
Inventors: Timothy Junio, Matthew Kraning
-
Patent number: 11777902
Abstract: Techniques for application layer signaling security with next generation firewall are disclosed. In some embodiments, a system/process/computer program product for application layer signaling security with next generation firewall includes monitoring application layer signaling traffic on a service provider network at a security platform; and filtering the application layer signaling traffic at the security platform based on a security policy.
Type: Grant
Filed: February 9, 2022
Date of Patent: October 3, 2023
Assignee: Palo Alto Networks, Inc.
Inventors: Sachin Verma, Leonid Burakovsky
-
Patent number: 11770311
Abstract: The disclosure describes various aspects of crowdsourcing traffic data for automatic and dynamic benchmarking of applications. In an aspect, an intelligence layer, communicatively coupled to a data collection layer and a visualization layer, is configured to receive traffic data from data sources (e.g., physical appliances, probes) in the data collection layer, the data sources being associated with multiple customers, and the traffic data being associated with at least one application (e.g., word processing, video streaming) used by the multiple customers. The intelligence layer is a cloud-based layer further configured to process the traffic data to determine performance thresholds for the at least one application, and may send one or more of the performance thresholds to a data source for a different customer to be used for benchmarking the at least one application for the different customer.
Type: Grant
Filed: April 3, 2020
Date of Patent: September 26, 2023
Assignee: Palo Alto Networks, Inc.
Inventors: John Bothe, Hristos Siakou, Con Nikolouzakis
-
Patent number: 11770359
Abstract: Described herein are systems, methods, and software to enhance failover operations in a cloud computing environment. In one implementation, a method of operating a first service instance in a cloud computing environment includes obtaining a communication from a computing asset, wherein the communication comprises a first destination address. The method further provides replacing the first destination address with a second destination address in the communication, wherein the second destination address comprises a shared address for failover from a second service instance. After replacing the address, the method determines whether the communication is permitted based on the second destination address, and if permitted, processes the communication in accordance with a service executing on the service instance.
Type: Grant
Filed: February 15, 2022
Date of Patent: September 26, 2023
Assignee: Palo Alto Networks, Inc.
Inventors: Shu Lin, Patrick Xu, Eswar Rao Sadaram, Hao Long
-
Patent number: 11770413
Abstract: A resource database which stores structured data describing resources from a diverse array of origins (e.g., an application or cloud environment) is built and maintained to support querying, policy enforcement, and remediation of resources from any origin. Structured data representing resources are obtained from any origin for insertion and categorized based on their type and/or origin. Resources within a category have a shared set of potential object paths as defined by the hierarchical tree structure of their structured data. Resources may be correlated across categories based on having values at different object paths in common. Queries and rules/policies can thus reference resources of any category and also resources across different categories based on correlations between the resources, thereby extending rule/policy enforcement and incident remediation across multiple different origins of resources.
Type: Grant
Filed: April 5, 2021
Date of Patent: September 26, 2023
Assignee: Palo Alto Networks, Inc.
Inventors: Angad Abhay Mehata, Chandra Biksheswaran Mouleeswaran, Varun Badhwar, Wayne Jens Jensen
-
Patent number: 11770361
Abstract: Techniques for Cobalt Strike Beacon HTTP C2 heuristic detection are disclosed. In some embodiments, a system/process/computer program product for Cobalt Strike Beacon HTTP C2 heuristic detection includes monitoring HyperText Transfer Protocol (HTTP) network traffic at a firewall; prefiltering the monitored HTTP network traffic at the firewall to select a subset of the HTTP network traffic to forward to a cloud security service; determining whether the subset of the HTTP network traffic is associated with Cobalt Strike Beacon HTTP C2 traffic activity based on a plurality of heuristics; and performing an action in response to detecting the Cobalt Strike Beacon HTTP C2 traffic activity.
Type: Grant
Filed: July 29, 2022
Date of Patent: September 26, 2023
Assignee: Palo Alto Networks, Inc.
Inventors: Yanhui Jia, Christian Elihu Navarrete Discua, Durgesh Madhavrao Sangvikar, Ajaya Neupane, Yu Fu, Shengming Xu
-
Patent number: 11762922
Abstract: A native web storage function call is received at a client device. A modified browser storage function call is executed, to facilitate browser storage associated with a clientless VPN. The modified browser storage function call executes a call to the native browser storage function call to facilitate access to the browser storage.
Type: Grant
Filed: September 23, 2020
Date of Patent: September 19, 2023
Assignee: Palo Alto Networks, Inc.
Inventors: Qi Zhang, Jiangxia Liu
-
Patent number: 11763091
Abstract: Dynamic content tags are generated as content is received by a dynamic content tagging system. A natural language processor (NLP) tokenizes the content and extracts contextual N-grams based on local or global context for the tokens in each document in the content. The contextual N-grams are used as input to a generative model that computes a weighted vector of likelihood values that each contextual N-gram corresponds to one of a set of unlabeled topics. A tag is generated for each unlabeled topic comprising the contextual N-gram having a highest likelihood to correspond to that unlabeled topic. Topic-based deep learning models having tag predictions below a threshold confidence level are retrained using the generated tags, and the retrained topic-based deep learning models dynamically tag the content.
Type: Grant
Filed: February 25, 2020
Date of Patent: September 19, 2023
Assignee: Palo Alto Networks, Inc.
Inventors: Nandan Gautam Thor, Vasiliki Arvaniti, Jere Armas Michael Helenius, Erik Michael Bower
-
Patent number: 11764964
Abstract: Each tenant of a secure web gateway (SWG) is issued a secret key. A user accesses a unique secret key derived from the tenant's secret key and loads the secret key into an application which generates time-based one time passwords (TOTPs). When the SWG receives a connection request from a client and cannot decrypt the network traffic, the SWG challenges the client request and indicates an authentication scheme to be used. The client obtains user credentials, constructs a response to the challenge based on the authentication scheme, and issues a connection request to the SWG which indicates the response. The SWG determines an expected response based on a locally generated TOTP and the secret key of the corresponding tenant. If the expected response matches the provided response, the SWG authenticates the user, allows the connection request, and whitelists the client for a period longer than the lifetime of the TOTP.
Type: Grant
Filed: May 7, 2021
Date of Patent: September 19, 2023
Assignee: Palo Alto Networks, Inc.
Inventor: Mohit Sahni
-
Patent number: 11757826
Abstract: A controller can securely publish an application of a tenant by securely extending a network fabric into the networks of the tenant with virtual private networks and NAT. After a tenant deploys an application into one or more networks of the tenant, the tenant can indicate select applications to publish. The network controller assigns a network address from the routable address space of the network fabric to the application and a network address aggregate to each application connector that will front an instance of the application, which securely extends the network fabric into the tenant network. The network controller configures NAT rules in the network fabric and on the application connector to create a route for traffic of the application through the network fabric to the application instance using a fully qualified domain name assigned to the application without exposing a private network address of the application instance and preserving security of other resource on the tenant network.
Type: Grant
Filed: December 1, 2022
Date of Patent: September 12, 2023
Assignee: Palo Alto Networks, Inc.
Inventors: Jayant Jain, Brian Russell Kean, Aditya Srinivasa Ivaturi, Mohit Sahni, Mingfei Peng