Patents by Inventor Liron Levin

Liron Levin has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11102220
    Abstract: A method and system for runtime detection of botnets in containerized environments. The method includes creating a domain name system (DNS) policy for a software container, wherein the DNS policy defines at least a plurality of allowed domain names for the software container, wherein the DNS policy is created based on historical DNS queries by the software container; detecting a botnet based on traffic to and from the software container, wherein the botnet is detected when at least a portion of the traffic does not comply with the DNS policy, wherein the botnet is implemented via communication with a bot executed in the software container; and blocking at least one DNS query in the at least a portion of traffic, wherein each blocked DNS query is to a domain having a domain name that does not match any of the plurality of allowed domain names for the software container.
    Type: Grant
    Filed: December 10, 2018
    Date of Patent: August 24, 2021
    Assignee: Twistlock, Ltd.
    Inventors: Liron Levin, Dima Stopel, John Morello
  • Patent number: 11068585
    Abstract: A system and method for securing execution of software containers using security profiles. The method includes exporting a container image to a host device from a container image source, wherein the container image includes resources utilized to execute a corresponding application container; generating a security profile for the container image, wherein the generated security profile indicates at least a list of permissible filesystem actions, wherein each permissible filesystem action is an action performed with respect to at least one filesystem resource; monitoring an operation of a runtime execution of the application container; and detecting a violation of the security profile based on the monitored operation.
    Type: Grant
    Filed: February 20, 2020
    Date of Patent: July 20, 2021
    Assignee: TWISTLOCK, Ltd.
    Inventors: Liron Levin, Dima Stopel, Eran Yanay
  • Publication number: 20210209227
    Abstract: A system and method for defending an application configured to invoke anonymous functions. The method includes analyzing the application to determine at least one branch of the application, wherein each branch is an instruction that deviates from a default behavior of the application; identifying a potential threat branch based on the at least one branch of the application and an anonymous function, the potential threat branch including a call to an anonymous function; and creating a secured instance of the application, wherein creating the secured instance of the application further comprises embedding a policy within the anonymous function of the identified potential threat branch.
    Type: Application
    Filed: March 8, 2021
    Publication date: July 8, 2021
    Applicant: Twistlock, Ltd.
    Inventors: Liron LEVIN, Dima STOPEL, John MORELLO
  • Publication number: 20210192058
    Abstract: A method for securing execution of software containers using security profiles. The method includes generating a security profile for a container image, wherein the container image includes resources utilized to execute a corresponding application container, wherein the generated security profile includes at least a spawned processes profile, wherein the spawned processes profile includes, for each spawned process executed at runtime by the application container, a signature of an executable file of the spawned process; monitoring the operation of a runtime execution of the application container; and detecting a violation of the spawned processes profile based on the monitored operation.
    Type: Application
    Filed: March 8, 2021
    Publication date: June 24, 2021
    Applicant: Twistlock, Ltd.
    Inventors: Dima STOPEL, Liron LEVIN
  • Patent number: 11036534
    Abstract: A system and method for serverless runtime application self-protection.
    Type: Grant
    Filed: September 27, 2018
    Date of Patent: June 15, 2021
    Assignee: TWISTLOCK, Ltd.
    Inventors: Liron Levin, Dima Stopel, Michael Velbaum, Alon Adler, Michael Kletselman, John Morello
  • Publication number: 20210165887
    Abstract: A system and method for securing execution environments by quarantining software containers. A method includes: determining, based on configuration data for an application stored in the application software container, at least one intended behavior of the application when executed by the application software container; monitoring execution of the application software container in a first execution environment, wherein the monitoring further comprises comparing the execution of the application software container to the at least one intended behavior; detecting an unauthorized action by the application software container when the execution of the application software container is anomalous as compared to the at least one intended behavior; and quarantining the application software container by migrating the application software container from the first execution environment to a second execution environment when the unauthorized action is detected.
    Type: Application
    Filed: February 12, 2021
    Publication date: June 3, 2021
    Applicant: Twistlock, Ltd.
    Inventors: John MORELLO, Dima STOPEL, Liron LEVIN
  • Patent number: 10943014
    Abstract: A method for securing execution of software containers using security profiles. The method comprises receiving an event indicating that a container image requires profiling, wherein the container image includes resources utilized to execute a corresponding application container; generating a security profile for the container image, wherein the generated security profile includes at least a spawned processes profile, wherein the security profile is of the container image corresponding to the application container; monitoring the operation of a runtime execution of the application container; and detecting a violation of the spawned processes profile based on the monitored operation.
    Type: Grant
    Filed: January 3, 2017
    Date of Patent: March 9, 2021
    Assignee: Twistlock, Ltd
    Inventors: Dima Stopel, Liron Levin
  • Patent number: 10943007
    Abstract: A system and method for defending an application configured to invoke anonymous functions. The method includes analyzing the application to determine at least one branch of the application, wherein each branch is an instruction that deviates from a default behavior of the application; identifying, based on the at least one branch of the application and at least one first anonymous function, at least one potential threat branch, each potential threat branch including a call to one of the at least one first anonymous function; and rewiring at least one first function call of the application to create a secured instance of the application, wherein each of the at least one first function call is to one of the at least one first anonymous function prior to rewiring.
    Type: Grant
    Filed: September 18, 2018
    Date of Patent: March 9, 2021
    Assignee: Twistlock, Ltd
    Inventors: Liron Levin, Dima Stopel, John Morello
  • Patent number: 10922418
    Abstract: A system and method for runtime detection of vulnerabilities in an application software container that is configured to execute an application.
    Type: Grant
    Filed: May 9, 2018
    Date of Patent: February 16, 2021
    Assignee: Twistlock, Ltd.
    Inventors: John Morello, Dima Stopel, Liron Levin
  • Publication number: 20200382544
    Abstract: Techniques for providing contextual forensic data based on user activities. A first method includes identifying a user action in user activity data, wherein the user action is a discrete event initiated by a user, wherein the user action is performed with respect to a portion of a system; and correlating the identified user action with at least one system change, wherein the at least one system change is related to the portion of the system, wherein the at least one system change occurred after the user action. A second method includes taking a first snapshot before a user action occurs, wherein the user action is a discrete event initiated by a user, wherein the first snapshot is taken of at least a portion of a system; and taking a second snapshot after the user action occurs, wherein the second snapshot is taken of the at least a portion of the system.
    Type: Application
    Filed: May 29, 2019
    Publication date: December 3, 2020
    Applicant: Twistlock, Ltd.
    Inventors: Liron LEVIN, Michael KLETSELMAN, Ami BIZAMCHER, Dima STOPEL, John MORELLO
  • Patent number: 10796023
    Abstract: A system and method for maintaining image integrity in a containerized environment. Image layers of a software container are scanned for metadata. The metadata is indexed and contextual metadata is added. Execution of the containerized environment is monitored to detect new image layers being executed. Integrity of images in the environment is maintained based on integrity rules and the metadata of each image layer. The integrity rules ensure image integrity by ensuring that pulled images are composed from trusted images, image layers are pushed by trusted users, image layers do not include potential vulnerabilities, and image layers do not override specific file paths. Trusted image layers may be automatically detected using a machine learning model trained based on historical image layer metadata.
    Type: Grant
    Filed: July 3, 2018
    Date of Patent: October 6, 2020
    Assignee: Twistlock, Ltd
    Inventors: Liron Levin, John Morello, Dima Stopel
  • Publication number: 20200301728
    Abstract: A host device and methods for efficient distributed security forensics. The method includes creating, at a first host device configured to run a first virtualization entity, a first event index for the first virtualization entity; encoding at least one event related to the first virtualization entity, wherein each event includes a process having a process path, wherein encoding the at least one event includes replacing at least a portion of each event with at least one code representing at least the process path of the respective process; updating the first event index based on the encoded at least one event; and sending the first event index to a master console, wherein the master console is configured to receive a plurality of event indices created by a plurality of host devices with respect to a plurality of virtualization entities.
    Type: Application
    Filed: June 10, 2020
    Publication date: September 24, 2020
    Applicant: Twistlock, Ltd.
    Inventors: Liron LEVIN, Dima STOPEL, Ami BIZAMCHER, Michael KLETSELMAN, John MORELLO
  • Patent number: 10778446
    Abstract: A method and system for detecting vulnerable root certificates in container images are provided. The method includes receiving an event to scan at least one container image hosted in a host device, wherein the least one container image includes resources utilized to execute, by the host device, at least a respective software application container; extracting contents of layers of the at least one container image; scanning the extracted contents to generate a first list designating all root certificates included in the at least one container image; generating a second list designating all root certificates trusted by the host device; comparing the first list to the second list to detect at least one root certificate designated in the first list but not in the second; and determining the at least one detected root certificate as vulnerable.
    Type: Grant
    Filed: February 16, 2017
    Date of Patent: September 15, 2020
    Assignee: Twistlock, Ltd.
    Inventors: Dima Stopel, John Morello, Liron Levin
  • Publication number: 20200271774
    Abstract: A system and method for radar visualization of a cloud native environment. The method includes determining a plurality of connection patterns based on connectivity data collected by a plurality of agents, wherein each agent of the plurality of agents is installed on a respective compute node of a plurality of compute nodes, wherein the connectivity data collected by each agent of the plurality of agents includes node-local connectivity data indicating node-local connections for the respective compute node on which the agent is installed, wherein the node-local connections include communications with at least one application entity hosted by the respective compute node; and generating, based on the plurality of connection patterns, a topological graph, wherein the topological graph is organized with respect to the at least one application entity hosted by each of the plurality of compute nodes.
    Type: Application
    Filed: February 27, 2019
    Publication date: August 27, 2020
    Applicant: Twistlock, Ltd.
    Inventors: John MORELLO, Dima STOPEL, Liron LEVIN, Nerya AGAM, Reut KRAVCHOOK
  • Patent number: 10740135
    Abstract: A host device and method for efficient distributed security forensics. The method includes creating, at a first host device configured to run a first virtualization entity, a first event index for the first virtualization entity; encoding at least one event related to the first virtualization entity; updating the first event index based on the encoded at least one event; and sending the first event index to a master console, wherein the master console is configured to receive a plurality of event indices created by a plurality of host devices with respect to a plurality of virtualization entities.
    Type: Grant
    Filed: September 27, 2018
    Date of Patent: August 11, 2020
    Assignee: Twistlock, Ltd
    Inventors: Liron Levin, Dima Stopel, Ami Bizamcher, Michael Kletselman, John Morello
  • Publication number: 20200213357
    Abstract: A system and method for cloud native discovery and protection. The method includes identifying a plurality of cloud assets in a cloud native environment based on cloud credentials for each of the plurality of cloud assets; determining at least one cloud asset instance that lacks active security protection based on a configuration of at least one of: each of the at least one cloud asset, and at least one security solution deployed in the cloud native environment, wherein each cloud asset instance is an instance of one of the plurality of cloud assets; and reconfiguring at least a portion of the cloud native environment with respect to the at least one cloud asset instance that lacks active security protection.
    Type: Application
    Filed: December 26, 2018
    Publication date: July 2, 2020
    Applicant: Twistlock, Ltd.
    Inventors: Liron LEVIN, Michael KLETSELMAN, Dima STOPEL, John MORELLO, Itay ABRAMOWSKY, Ami BIZAMCHER
  • Publication number: 20200213320
    Abstract: A system and method for method for protecting cloud native environments based on cloud resource access. The method includes determining a mapping of a plurality of cloud assets to a plurality of cloud resources based on resource access data for a cloud native environment, wherein the plurality of cloud assets and the plurality of cloud resources are deployed in the cloud native environment, wherein each of the plurality of cloud assets is mapped to at least one associated cloud resource of the plurality of cloud resources; detecting at least one improper resource access based on the mapping and a cloud access security stream for the cloud native environment, wherein each of the at least one improper resource access deviates from the mapping; and performing at least one mitigation action with respect to the detected at least one improper resource access.
    Type: Application
    Filed: December 26, 2018
    Publication date: July 2, 2020
    Applicant: Twistlock, Ltd.
    Inventors: Liron LEVIN, Michael KLETSELMAN, Dima STOPEL, John MORELLO
  • Patent number: 10693899
    Abstract: A system and method for traffic enforcement in containerized environments. The method includes analyzing contents of a container image to determine a type of application to be executed by a first container, wherein the first container is a runtime instance of the container image; determining, based on the type of application to be executed by the first container, a filtering profile for the first container, wherein the filtering profile defines a configuration for inspecting and filtering traffic directed to the first container; and filtering, based on the filtering profile, malicious traffic directed to the first container.
    Type: Grant
    Filed: October 22, 2018
    Date of Patent: June 23, 2020
    Assignee: TWISTLOCK, LTD.
    Inventors: Liron Levin, Dima Stopel, John Morello, Eran Yanay
  • Publication number: 20200193015
    Abstract: A system and method for securing execution of software containers using security profiles. The method includes exporting a container image to a host device from a container image source, wherein the container image includes resources utilized to execute a corresponding application container; generating a security profile for the container image, wherein the generated security profile indicates at least a list of permissible filesystem actions, wherein each permissible filesystem action is an action performed with respect to at least one filesystem resource; monitoring an operation of a runtime execution of the application container; and detecting a violation of the security profile based on the monitored operation.
    Type: Application
    Filed: February 20, 2020
    Publication date: June 18, 2020
    Applicant: Twistlock, Ltd.
    Inventors: Liron LEVIN, Dima STOPEL, Eran YANAY
  • Patent number: 10664590
    Abstract: A system and method for securing execution of software containers using security profiles. The method includes receiving an event indicating that a container image requires profiling, wherein the container image includes resources utilized to execute a corresponding application container; generating a security profile for the container image when the event is received, wherein the generated security profile indicates at least a list of permissible filesystem actions, wherein each permissible filesystem action is an action performed with respect to at least one filesystem resource; monitoring an operation of a runtime execution of the application container; and detecting a violation of the security profile based on the monitored operation.
    Type: Grant
    Filed: January 9, 2018
    Date of Patent: May 26, 2020
    Assignee: TWISTLOCK, LTD.
    Inventors: Liron Levin, Dima Stopel, Eran Yanay