Patents by Inventor Liron Levin

Liron Levin has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11550050
    Abstract: A plurality of connection patterns is determined based on connectivity data collected by a plurality of agents. Each agent of the plurality of agents is installed on a respective compute node of a plurality of compute nodes. The connectivity data collected by each agent of the plurality of agents includes node-local connectivity data indicating node-local connections for the respective compute node on which the agent is installed. The node-local connections include communications with at least one application entity hosted by the respective compute node. A graph representation that is organized with respect to the at least one application entity hosted by each of the plurality of compute nodes is generated based on the plurality of connection patterns.
    Type: Grant
    Filed: February 27, 2019
    Date of Patent: January 10, 2023
    Assignee: Twistlock Ltd.
    Inventors: John Morello, Dima Stopel, Liron Levin, Nerya Agam, Reut Kravchook
  • Patent number: 11477168
    Abstract: To dynamically determine and apply WAF protections for an application deployed to the cloud, exposed entities, are identified. The identified entities are further evaluated to determine whether the application is eligible for WAF protection based on whether the application uses a protocol that is compatible with WAF protection. If the application is eligible for WAF protection, after instantiating a WAF, WAF protections that should be enabled or disabled are determined based on characteristics of the application that are identified at runtime. The WAF can then be configured based on the identified protections such that those which are pertinent to the application will be enabled, while those which are not applicable to the application and thus will not be used are disabled. As a result, security provided by the WAF for a cloud application is tailored to the application based on information about the application gathered in the cloud deployment environment.
    Type: Grant
    Filed: December 30, 2021
    Date of Patent: October 18, 2022
    Assignee: Palo Alto Networks, Inc.
    Inventors: Liron Levin, Isaac Schnitzer, Elad Shuster, Ory Segal
  • Publication number: 20220222351
    Abstract: A system and method for discovering vulnerabilities in software packages. A method includes identifying at least one potential source of vulnerability in at least one potentially vulnerable software package of a plurality of software packages, wherein each potential source of vulnerability is a change to one of the at least one potentially vulnerable software package; and identifying at least one vulnerability in the plurality of software packages by selecting and applying at least one vulnerability identification rule to data of each of the at least one potentially vulnerable software package, wherein the at least one vulnerability identification rule for each of the at least one potentially vulnerable software package is selected based on an availability of version identifiers for the potentially vulnerable software package.
    Type: Application
    Filed: January 11, 2021
    Publication date: July 14, 2022
    Applicant: Twistlock, Ltd.
    Inventors: Liron LEVIN, Alon ADLER, Michael KLETSELMAN, Dima STOPEL
  • Publication number: 20220217148
    Abstract: A system and method for method for protecting cloud native environments based on cloud resource access. The method includes determining a mapping of a plurality of cloud assets to a plurality of cloud resources based on resource access data for a cloud native environment, wherein the plurality of cloud assets and the plurality of cloud resources are deployed in the cloud native environment, wherein each of the plurality of cloud assets is mapped to at least one associated cloud resource of the plurality of cloud resources; detecting at least one improper resource access based on the mapping and a cloud access security stream for the cloud native environment, wherein each of the at least one improper resource access deviates from the mapping; and performing at least one mitigation action with respect to the detected at least one improper resource access.
    Type: Application
    Filed: March 25, 2022
    Publication date: July 7, 2022
    Inventors: Liron Levin, Michael Kletselman, Dima Stopel, John Morello
  • Publication number: 20220210122
    Abstract: A configuration of a cloud application exposed via a public IP address is duplicated with modifications to include a private IP address to expose the application internally. The original configuration is updated so that external network traffic sent to the application is redirected to and distributed across agents running on nodes of a cloud cluster by which web application firewalls (WAFs) are implemented. A set of agents for which the respective WAFs should inspect the redirected network traffic are selected based on cluster metrics, such as network and resource utilization metrics. The redirected network traffic targets a port allocated to the agents that is unique to the application, where ports are allocated on a per-application basis so each of the agents can support WAF protection for multiple applications. Network traffic which a WAF allows to pass is directed from the agent to the application via its private IP address.
    Type: Application
    Filed: December 31, 2020
    Publication date: June 30, 2022
    Inventors: Liron Levin, Isaac Schnitzer, Elad Shuster, Ory Segal
  • Patent number: 11366680
    Abstract: A system and method for cloud native virtual machine (VM) runtime protection. The method includes creating a normal behavior model for a cloud native VM by training a machine learning model using a training data set including a plurality of training activities performed by the cloud native VM, the cloud native VM being configured to provide at least one service, wherein the normal behavior model defines at least one capability of each of the at least one service, wherein each capability of a service indicates a plurality of discrete behaviors required by the service; and monitoring an execution of the cloud native VM to detect a deviation from the normal behavior model, wherein the deviation is caused by at least one abnormal behavior of one of the at least one service that is not among the discrete behaviors defined in the at least one capability for the service.
    Type: Grant
    Filed: August 22, 2018
    Date of Patent: June 21, 2022
    Assignee: Twistlock, Ltd.
    Inventors: Liron Levin, John Morello, Dima Stopel, Michael Velbaum, Itay Abramowsky, Isaac Schnitzer
  • Publication number: 20220182360
    Abstract: To dynamically determine and apply WAF protections for an application deployed to the cloud, exposed entities, are identified. The identified entities are further evaluated to determine whether the application is eligible for WAF protection based on whether the application uses a protocol that is compatible with WAF protection. If the application is eligible for WAF protection, after instantiating a WAF, WAF protections that should be enabled or disabled are determined based on characteristics of the application that are identified at runtime. The WAF can then be configured based on the identified protections such that those which are pertinent to the application will be enabled, while those which are not applicable to the application and thus will not be used are disabled. As a result, security provided by the WAF for a cloud application is tailored to the application based on information about the application gathered in the cloud deployment environment.
    Type: Application
    Filed: December 30, 2021
    Publication date: June 9, 2022
    Inventors: Liron Levin, Isaac Schnitzer, Elad Shuster, Ory Segal
  • Patent number: 11290460
    Abstract: A system and method for method for protecting cloud native environments based on cloud resource access. The method includes determining a mapping of a plurality of cloud assets to a plurality of cloud resources based on resource access data for a cloud native environment, wherein the plurality of cloud assets and the plurality of cloud resources are deployed in the cloud native environment, wherein each of the plurality of cloud assets is mapped to at least one associated cloud resource of the plurality of cloud resources; detecting at least one improper resource access based on the mapping and a cloud access security stream for the cloud native environment, wherein each of the at least one improper resource access deviates from the mapping; and performing at least one mitigation action with respect to the detected at least one improper resource access.
    Type: Grant
    Filed: December 26, 2018
    Date of Patent: March 29, 2022
    Assignee: Twistlock, Ltd.
    Inventors: Liron Levin, Michael Kletselman, Dima Stopel, John Morello
  • Publication number: 20220091875
    Abstract: A system and method for cloud native virtual machine (VM) runtime protection. The method includes creating a normal behavior model for a cloud native VM by training a machine learning model using a training data set including training activities performed by the cloud native VM, the cloud native VM being configured to provide at least one service, wherein the normal behavior model defines at least one capability of each service based on a set of capabilities for respective known services stored within a library of service-to-capability mappings, wherein each capability of a service indicates a plurality of discrete behaviors required by the service; and monitoring an execution of the cloud native VM to detect a deviation from the normal behavior model, wherein the deviation is caused by at least one abnormal behavior of one of the services that is not among the discrete behaviors defined in capabilities for the service.
    Type: Application
    Filed: December 1, 2021
    Publication date: March 24, 2022
    Applicant: Twistlock, Ltd.
    Inventors: Liron LEVIN, John MORELLO, Dima STOPEL, Michael VELBAUM, Itay ABRAMOWSKY, Isaac SCHNITZER
  • Publication number: 20220058050
    Abstract: A host device and methods for efficient distributed security forensics. The method includes creating, at a host device configured to run a virtualization entity, an event index for the virtualization entity; encoding a plurality of events related to the virtualization entity, wherein each event includes a process having a process path; and updating the event index based on the encoded plurality of events.
    Type: Application
    Filed: October 15, 2021
    Publication date: February 24, 2022
    Applicant: Twistlock, Ltd.
    Inventors: Liron LEVIN, Dima STOPEL, Ami BIZAMCHER, Michael KLETSELMAN, John MORELLO
  • Publication number: 20220046051
    Abstract: A method and system for protecting an application from unsecure network exposure. The method includes identifying an at-risk application, wherein identifying the at-risk application further comprises determining that the application is configured incorrectly; identifying at least one port through which the at-risk application is accessible when the at-risk application is determined to be configured incorrectly; and determining, based on the identified at least one port through which the at-risk application is accessible, whether an exposure vulnerability exists, wherein the exposure vulnerability is an unapproved exposure of at least one of the at least one port to external resources.
    Type: Application
    Filed: October 20, 2021
    Publication date: February 10, 2022
    Applicant: Twistlock, Ltd.
    Inventors: Dima STOPEL, Liron LEVIN, Daniel SHAPIRA, Nitsan BEN NUN, John MORELLO
  • Publication number: 20220038423
    Abstract: Systems and methods for learning behavioral activity correlations. A method includes intercepting a plurality of requests, wherein each of the plurality of requests is directed to a respective destination entity of a plurality of destination entities; creating a request queue by queueing the plurality of requests; inspecting contents of the plurality of requests; separately forwarding each intercepted request to its respective destination entity based on the request queue; monitoring runtime output of each of the plurality of destination entities, wherein the runtime output includes behavioral activities of the plurality of destination entities; and training a machine learning model based on the contents of the plurality of requests the runtime output of each of the plurality of destination entities, wherein the machine learning model is trained to output request-output correlations between groups of requests and subsequent behavioral activities.
    Type: Application
    Filed: July 28, 2020
    Publication date: February 3, 2022
    Applicant: Twistlock, Ltd.
    Inventors: Liron LEVIN, Isaac SCHNITZER, Ory SEGAL, Dima STOPEL
  • Publication number: 20220029988
    Abstract: Systems and methods for zero trust network security. A method includes sending a unique intermediate certificate authority (CA) certificate to each of a plurality of entities, wherein each entity of the plurality of entities is installed on a respective node of a plurality of nodes in a network environment; and causing deployment of an agent on each of the plurality of nodes, each agent corresponding to the entity installed on the same node as the agent is configured to enforce at least one network firewall policy based on the intermediate CA certificate sent to the corresponding entity.
    Type: Application
    Filed: July 27, 2020
    Publication date: January 27, 2022
    Applicant: Twistlock, Ltd.
    Inventors: Liron LEVIN, Eran YANAY, Dima STOPEL
  • Publication number: 20220021648
    Abstract: Methods and systems for identity-based firewall policy evaluation and for encoding entity identifiers for use in identity-based firewall policy evaluation. A method includes intercepting a packet from a sender entity to a recipient entity; determining whether the sender entity is permitted to communicate with the recipient entity according to a firewall policy, wherein the firewall policy indicates a plurality of entity identifiers, wherein each entity identifier is unique among the plurality of entity identifiers, wherein the rules for communications among the plurality of entities include a list of pairs of entities which are permitted to communicate with each other; forwarding the packet to the recipient entity when it is determined that the sender entity is permitted to communicate with the recipient entity; and performing at least one mitigation action when it is determined that the recipient entity is not permitted to communicate with the sender entity.
    Type: Application
    Filed: July 16, 2020
    Publication date: January 20, 2022
    Applicant: Twistlock, Ltd.
    Inventors: Liron LEVIN, Eran YANAY, Dima STOPEL
  • Publication number: 20220019452
    Abstract: A system and method for scanning of virtual machine images. The method includes creating a virtual machine instance of a virtual machine based on a virtual machine image of the virtual machine and an application programming interface (API) of an environment in which the virtual machine is to be deployed, wherein the virtual machine image has an entry point such that the virtual machine instance executes the entry point; and replacing the entry point of the virtual machine instance with a lightweight script, wherein the lightweight script is configured to retrieve a static scanner executable, to execute the static scanner executable, and to send results of the scanning.
    Type: Application
    Filed: July 16, 2020
    Publication date: January 20, 2022
    Applicant: Twistlock, Ltd.
    Inventors: Liron LEVIN, Eran YANAY, Gilad ASTRIN, Dima STOPEL
  • Patent number: 11228565
    Abstract: To dynamically determine and apply WAF protections for an application deployed to the cloud, exposed entities, are identified. The identified entities are further evaluated to determine whether the application is eligible for WAF protection based on whether the application uses a protocol that is compatible with WAF protection. If the application is eligible for WAF protection, after instantiating a WAF, WAF protections that should be enabled or disabled are determined based on characteristics of the application that are identified at runtime. The WAF can then be configured based on the identified protections such that those which are pertinent to the application will be enabled, while those which are not applicable to the application and thus will not be used are disabled. As a result, security provided by the WAF for a cloud application is tailored to the application based on information about the application gathered in the cloud deployment environment.
    Type: Grant
    Filed: December 4, 2020
    Date of Patent: January 18, 2022
    Assignee: Palo Alto Networks, Inc.
    Inventors: Liron Levin, Isaac Schnitzer, Elad Shuster, Ory Segal
  • Publication number: 20220014563
    Abstract: A system and method for cloud native discovery and protection. The method includes discovering instances of a plurality of cloud assets in a cloud native environment based on a plurality of application programming interface (API) endpoints in the cloud native environment, wherein the plurality of API endpoints is identified based on cloud credentials for each of the plurality of cloud assets; determining at least one cloud asset instance that lacks active security protection based on a configuration of at least one entity deployed in the cloud native environment; and reconfiguring at least a portion of the cloud native environment with respect to the at least one cloud asset instance that lacks active security protection.
    Type: Application
    Filed: September 24, 2021
    Publication date: January 13, 2022
    Applicant: Twistlock, Ltd.
    Inventors: Liron LEVIN, Michael KLETSELMAN, Dima STOPEL, John MORELLO, Itay ABRAMOWSKY, Ami BIZAMCHER
  • Patent number: 11184382
    Abstract: A method and system for protecting an application from unsecure network exposure. The method includes identifying at least one port through which the application is accessible when the application is not configured correctly, wherein the application is executed at a host device connected to at least one network, the host device having the at least one port; sending, to an external resource, connection data for connecting to the application via the at least one port, wherein the external resource is configured to attempt to connect to the application based on the connection data and to return results of the connection attempt; determining, based on the results of the connection attempt, whether an exposure vulnerability exists; and performing at least one mitigation action when an exposure vulnerability exists.
    Type: Grant
    Filed: October 17, 2018
    Date of Patent: November 23, 2021
    Assignee: Twistlock, LTD.
    Inventors: Dima Stopel, Liron Levin, Daniel Shapira, Nitsan Ben Nun, John Morello
  • Patent number: 11175945
    Abstract: A host device and methods for efficient distributed security forensics. The method includes creating, at a first host device configured to run a first virtualization entity, a first event index for the first virtualization entity; encoding at least one event related to the first virtualization entity, wherein each event includes a process having a process path, wherein encoding the at least one event includes replacing at least a portion of each event with at least one code representing at least the process path of the respective process; updating the first event index based on the encoded at least one event; and sending the first event index to a master console, wherein the master console is configured to receive a plurality of event indices created by a plurality of host devices with respect to a plurality of virtualization entities.
    Type: Grant
    Filed: June 10, 2020
    Date of Patent: November 16, 2021
    Assignee: Twistlock, Ltd.
    Inventors: Liron Levin, Dima Stopel, Ami Bizamcher, Michael Kletselman, John Morello
  • Patent number: 11159570
    Abstract: A system and method for cloud native discovery and protection. The method includes identifying a plurality of cloud assets in a cloud native environment based on cloud credentials for each of the plurality of cloud assets; determining at least one cloud asset instance that lacks active security protection based on a configuration of at least one of: each of the at least one cloud asset, and at least one security solution deployed in the cloud native environment, wherein each cloud asset instance is an instance of one of the plurality of cloud assets; and reconfiguring at least a portion of the cloud native environment with respect to the at least one cloud asset instance that lacks active security protection.
    Type: Grant
    Filed: December 26, 2018
    Date of Patent: October 26, 2021
    Assignee: Twistlock, Ltd.
    Inventors: Liron Levin, Michael Kletselman, Dima Stopel, John Morello, Itay Abramowsky, Ami Bizamcher