Patents by Inventor Harinath Vishwanath Ramchetty
Harinath Vishwanath Ramchetty has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11997139Abstract: Endpoints in a network execute a sensor module that intercepts commands to obtain information regarding a remote network resource. The sensor module compares a source of commands to a sanctioned list of applications. If the source is not sanctioned, then a simulated response can be provided to the source that references a decoy server.Type: GrantFiled: March 13, 2023Date of Patent: May 28, 2024Assignee: SENTINELONE, INC.Inventors: Venu Vissamsetty, Anil Gupta, Harinath Vishwanath Ramchetty
-
Patent number: 11899782Abstract: DLL hooks are protected by mapping the starting address of the new executable to a sample of the former executable. Attempts to read the starting address are responded to with the sample of the former executable. Attempts to write to the starting address are responded to with confirmation of success without actually writing data. Debuggers are detected upon launch or by evaluating an operating system. A component executing in the kernel denies debugging privileges to prevent inspection and modification of DLL hooks.Type: GrantFiled: July 13, 2021Date of Patent: February 13, 2024Assignee: SentinelOne, Inc.Inventors: Anil Gupta, Harinath Vishwanath Ramchetty
-
Publication number: 20240007503Abstract: Endpoints in a network execute a sensor module that intercepts commands. The sensor module compares a source of commands to a sanctioned list of applications received from a management server. If the source does not match a sanctioned application and the command is a write or delete command, the command is ignored and a simulated acknowledgment is sent. If the command is a read command, deception data is returned instead. In some embodiments, certain data is protected such that commands will be ignored or modified to refer to deception data where the source is not a sanctioned application. The source may be verified to be a sanctioned application by evaluating a certificate, hash, or path of the source. Responses from an active directory server may be intercepted and modified to reference a decoy server when not addressed to a sanctioned application. Requests to view network resources may be responded to with references to a decoy server.Type: ApplicationFiled: June 30, 2023Publication date: January 4, 2024Inventors: Venu Vissamsetty, ANIL GUPTA, HARINATH VISHWANATH RAMCHETTY
-
Publication number: 20230388344Abstract: Endpoints in a network execute a sensor module that intercepts commands. The sensor module compares a source of commands to a sanctioned list of applications received from a management server. If the source does not match a sanctioned application and the command is a write or delete command, the command is ignored and a simulated acknowledgment is sent. If the command is a read command, deception data is returned instead. In some embodiments, certain data is protected such that commands will be ignored or modified to refer to deception data where the source is not a sanctioned application. The source may be verified to be a sanctioned application by evaluating a certificate, hash, or path of the source. Responses from an active directory server may be intercepted and modified to reference a decoy server when not addressed to a sanctioned application.Type: ApplicationFiled: February 23, 2023Publication date: November 30, 2023Inventors: Venu Vissamsetty, Anil Gupta, Harinath Vishwanath Ramchetty
-
Publication number: 20230319087Abstract: In some embodiments, a computer-implemented method for preventing credential passing attacks comprising: receiving an input; determining whether the input is a credential access command, wherein the determination comprises searching for occurrences of references to executables related to adding, reading, copying, or performing actions with respect to a credential, if the input is determined to be a credential access command, performing anomaly detection, wherein performing the anomaly detection comprises evaluating whether a user is a valid domain user, whether an elapsed time of the credential is greater than a maximum lifetime of the credential, and whether a privilege attribute certificate of the credential is valid, determining that an anomaly exists if the command was generated by an invalid domain user; an elapsed time of a credential is greater than a maximum lifetime, or the privilege attribute certificate of the credential is invalid, and performing mitigation of the anomaly.Type: ApplicationFiled: March 13, 2023Publication date: October 5, 2023Inventors: Harinath Vishwanath Ramchetty, Anil Gupta
-
Publication number: 20230283635Abstract: Endpoints in a network execute a sensor module that intercepts commands. The sensor module compares a source of commands to a sanctioned list of applications received from a management server. If the source does not match a sanctioned application and the command is a write or delete command, the command is ignored and a simulated acknowledgment is sent. If the command is a read command, deception data is returned instead. In some embodiments, certain data is protected such that commands will be ignored or modified to refer to deception data where the source is not a sanctioned application. The source may be verified to be a sanctioned application by evaluating a certificate, hash, or path of the source. Responses from an active directory server may be intercepted and modified to reference a decoy server when not addressed to a sanctioned application. Requests to view network resources may be responded to with references to a decoy server.Type: ApplicationFiled: March 13, 2023Publication date: September 7, 2023Inventors: Venu Vissamsetty, Anil Gupta, Harinath Vishwanath Ramchetty
-
Patent number: 11695800Abstract: Endpoints in a network execute a sensor module that intercepts commands. The sensor module compares a source of commands to a sanctioned list of applications received from a management server. If the source does not match a sanctioned application the command is ignored and a simulated acknowledgment is sent or, deception data is returned instead. In some embodiments, certain data is protected such that commands will be ignored or modified to refer to deception data where the source is not a sanctioned application. The source may be verified to be a sanctioned application by evaluating a certificate, hash, or path of the source. Responses from an active directory server may be intercepted and modified to reference a decoy server when not addressed to a sanctioned application. Requests to view network resources may be responded to with references to a decoy server.Type: GrantFiled: April 15, 2020Date of Patent: July 4, 2023Assignee: SENTINELONE, INC.Inventors: Venu Vissamsetty, Anil Gupta, Harinath Vishwanath Ramchetty
-
Patent number: 11616812Abstract: Endpoints in a network execute a sensor module that intercepts commands. The sensor module compares a source of commands to a sanctioned list of applications received from a management server. If the source does not match a sanctioned application and the command is a write or delete command, the command is ignored and a simulated acknowledgment is sent. If the command is a read command, deception data is returned instead. In some embodiments, certain data is protected such that commands will be ignored or modified to refer to deception data where the source is not a sanctioned application. The source may be verified to be a sanctioned application by evaluating a certificate, hash, or path of the source. Responses from an active directory server may be intercepted and modified to reference a decoy server when not addressed to a sanctioned application.Type: GrantFiled: August 16, 2019Date of Patent: March 28, 2023Assignee: Attivo Networks Inc.Inventors: Venu Vissamsetty, Anil Gupta, Harinath Vishwanath Ramchetty
-
Publication number: 20200252429Abstract: Endpoints in a network execute a sensor module that intercepts commands. The sensor module compares a source of commands to a sanctioned list of applications received from a management server. If the source does not match a sanctioned application and the command is a write or delete command, the command is ignored and a simulated acknowledgment is sent. If the command is a read command, deception data is returned instead. In some embodiments, certain data is protected such that commands will be ignored or modified to refer to deception data where the source is not a sanctioned application. The source may be verified to be a sanctioned application by evaluating a certificate, hash, or path of the source. Responses from an active directory server may be intercepted and modified to reference a decoy server when not addressed to a sanctioned application. Requests to view network resources may be responded to with references to a decoy server.Type: ApplicationFiled: April 15, 2020Publication date: August 6, 2020Inventors: Venu Vissamsetty, Anil Gupta, Harinath Vishwanath Ramchetty
-
Patent number: 10609074Abstract: Endpoints of various domains implement forwarding modules as well as perform various production tasks. The endpoints of a domain participate in an election process by which one or more endpoints are selected to operate as honeypots. The forwarding modules of non-selected endpoints become inactive, but wake up periodically to determine whether an election process is occurring. Selected endpoints obtain configuration data from a management server. The endpoints then acquire IP addresses and implement one or more services according to the configuration data. The management server may configure the services based on a location of the selected endpoint. Traffic received by the selected endpoints is forwarded to the management server, which engages an attacker system using one or more VMs. When an endpoint moves to a different domain, it releases acquired IP addresses and attempts to participate in the election process in the different domain.Type: GrantFiled: November 23, 2016Date of Patent: March 31, 2020Assignee: ATTIVO NETWORKS INC.Inventors: Venu Vissamsetty, Muthukumar Lakshmanan, Harinath Vishwanath Ramchetty, Vinod Kumar A. Porwal
-
Patent number: 10599842Abstract: Endpoints in a network execute a sensor module that intercepts commands. The sensor module compares a source of commands to a sanctioned list of applications received from a management server. If the source does not match a sanctioned application and the command is a write or delete command, the command is ignored and a simulated acknowledgment is sent. If the command is a read command, deception data is returned instead. In some embodiments, certain data is protected such that commands will be ignored or modified to refer to deception data where the source is not a sanctioned application. The source may be verified to be a sanctioned application by evaluating a certificate, hash, or path of the source.Type: GrantFiled: December 19, 2016Date of Patent: March 24, 2020Assignee: ATTIVO NETWORKS INC.Inventors: Venu Vissametty, Muthukumar Lakshmanan, Harinath Vishwanath Ramchetty, Vinod Kumar A. Porwal
-
Patent number: 10542044Abstract: A system reports credentials on nodes of a network. Nodes are assigned to security silos. If a credential reported from a node is found to match a credential found on a node outside of its security silo or be for authentication with a node outside the its security an alert is generated, unless proper precautions are generated. Credentials may be reported as one-way hashes of credentials. Security silos may be automatically generated to segregate at-risk nodes from critical servers based on the presence or use of email clients and browsers. Precautions that may be used to suppress alerts, such as using KERBEROS TGT.Type: GrantFiled: April 29, 2016Date of Patent: January 21, 2020Assignee: ATTIVO NETWORKS INC.Inventors: Venu Vissamsetty, Srikant Vissamsetti, Nitin Jyoti, Harinath Vishwanath Ramchetty
-
Patent number: 10509905Abstract: Endpoints in a network environment include remote file systems mounted thereto that reference a file system generator that responds to file system commands with deception data. Requests to list the contents of a directory are intercepted, such as while a response is passed up through an IO stack. The response is modified to include references to deception files and directories that do not actually exist on the system hosting the file system generator. The number of the deception files and directories may be randomly selected. Requests to read deception files are answered by generating a file having a file type corresponding to the deception file. Deception files may be written back to the system by an attacker and then deleted.Type: GrantFiled: September 5, 2017Date of Patent: December 17, 2019Assignee: ATTIVO NETWORKS INC.Inventors: Anil Gupta, Harinath Vishwanath Ramchetty, Venu Vissamsetty
-
Publication number: 20190379697Abstract: Endpoints in a network execute a sensor module that intercepts commands. The sensor module compares a source of commands to a sanctioned list of applications received from a management server. If the source does not match a sanctioned application and the command is a write or delete command, the command is ignored and a simulated acknowledgment is sent. If the command is a read command, deception data is returned instead. In some embodiments, certain data is protected such that commands will be ignored or modified to refer to deception data where the source is not a sanctioned application. The source may be verified to be a sanctioned application by evaluating a certificate, hash, or path of the source. Responses from an active directory server may be intercepted and modified to reference a decoy server when not addressed to a sanctioned application.Type: ApplicationFiled: August 16, 2019Publication date: December 12, 2019Inventors: Venu Vissamsetty, Anil Gupta, Harinath Vishwanath Ramchetty
-
Patent number: 10375110Abstract: Endpoints in a computer network create connections to a deception server without sending any payload data. The connections create records of the connection on the endpoints, by which an attacker accesses the deception server. Received packets that include payload data are determined to be unauthorized. The deception server acquires IP addresses in various VLANS and provides these IP addresses to the endpoints over a secure channel. The connections from the endpoints to the deception server are not performed on the secure channel. IP addresses acquired by the deception server are not assigned to an interface. Instead, NAT is used to route packets including the IP addresses to various engagement servers. Each IP address is assigned a unique hostname in order to appear as multiple distinct servers. The deception server further generates broadcast traffic to generate other records that may be used to lure an attacker to the deception server.Type: GrantFiled: May 12, 2016Date of Patent: August 6, 2019Assignee: ATTIVO NETWORKS INC.Inventors: Venu Vissamsetty, Srikant Vissamsetti, Muthukumar Lakshmanan, Harinath Vishwanath Ramchetty, Vinod Kumar A. Porwal
-
Publication number: 20190073475Abstract: Endpoints in a network environment include remote file systems mounted thereto that reference a file system generator that responds to file system commands with deception data. Requests to list the contents of a directory are intercepted, such as while a response is passed up through an IO stack. The response is modified to include references to deception files and directories that do not actually exist on the system hosting the file system generator. The number of the deception files and directories may be randomly selected. Requests to read deception files are answered by generating a file having a file type corresponding to the deception file. Deception files may be written back to the system by an attacker and then deleted.Type: ApplicationFiled: September 5, 2017Publication date: March 7, 2019Inventors: Anil Gupta, Harinath Vishwanath Ramchetty, Venu Vissamsetty
-
Publication number: 20180173876Abstract: Endpoints in a network execute a sensor module that intercepts commands. The sensor module compares a source of commands to a sanctioned list of applications received from a management server. If the source does not match a sanctioned application and the command is a write or delete command, the command is ignored and a simulated acknowledgment is sent. If the command is a read command, deception data is returned instead. In some embodiments, certain data is protected such that commands will be ignored or modified to refer to deception data where the source is not a sanctioned application. The source may be verified to be a sanctioned application by evaluating a certificate, hash, or path of the source.Type: ApplicationFiled: December 19, 2016Publication date: June 21, 2018Inventors: Venu Vissamsetty, Muthukumar Lakshmanan, Harinath Vishwanath Ramchetty, Vinod Kumar A. Porwal
-
Publication number: 20180146008Abstract: Endpoints of various domains implement forwarding modules as well as perform various production tasks. The endpoints of a domain participate in an election process by which one or more endpoints are selected to operate as honeypots. The forwarding modules of non-selected endpoints become inactive, but wake up periodically to determine whether an election process is occurring. Selected endpoints obtain configuration data from a management server. The endpoints then acquire IP addresses and implement one or more services according to the configuration data. The management server may configure the services based on a location of the selected endpoint. Traffic received by the selected endpoints is forwarded to the management server, which engages an attacker system using one or more VMs. When an endpoint moves to a different domain, it releases acquired IP addresses and attempts to participate in the election process in the different domain.Type: ApplicationFiled: November 23, 2016Publication date: May 24, 2018Inventors: Venu Vissamsetty, Muthukumar Lakshmanan, Harinath Vishwanath Ramchetty, Vinod Kumar A. Porwal
-
Publication number: 20170331856Abstract: Endpoints in a computer network create connections to a deception server without sending any payload data. The connections create records of the connection on the endpoints, by which an attacker accesses the deception server. Received packets that include payload data are determined to be unauthorized. The deception server acquires IP addresses in various VLANS and provides these IP addresses to the endpoints over a secure channel. The connections from the endpoints to the deception server are not performed on the secure channel. IP addresses acquired by the deception server are not assigned to an interface. Instead, NAT is used to route packets including the IP addresses to various engagement servers. Each IP address is assigned a unique hostname in order to appear as multiple distinct servers. The deception server further generates broadcast traffic to generate other records that may be used to lure an attacker to the deception server.Type: ApplicationFiled: May 12, 2016Publication date: November 16, 2017Inventors: Venu Vissamsetty, Srikant Vissamsetti, Muthukumar Lakshmanan, Harinath Vishwanath Ramchetty, Vinod Kumar A. Porwal
-
Publication number: 20170318054Abstract: A system reports credentials on nodes of a network. Nodes are assigned to security silos. If a credential reported from a node is found to match a credential found on a node outside of its security silo or be for authentication with a node outside the its security an alert is generated, unless proper precautions are generated. Credentials may be reported as one-way hashes of credentials. Security silos may be automatically generated to segregate at-risk nodes from critical servers based on the presence or use of email clients and browsers. Precautions that may be used to suppress alerts, such as using KERBEROS TGT.Type: ApplicationFiled: April 29, 2016Publication date: November 2, 2017Inventors: Venu Vissamsetty, Srikant Vissamsetti, Nitin Jyoti, Harinath Vishwanath Ramchetty