Patents by Inventor Michael Cherny
Michael Cherny has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11645392
Abstract: A method by one or more electronic devices to notify an administrator when it is safe to mitigate a non-compliant database configuration of a database. The method includes responsive to identifying the non-compliant database configuration of the database, applying a security rule that detects occurrences of database operations that make use of the non-compliant database configuration and responsive to a determination that the security rule has not been invoked for at least a threshold length of time, causing a notification to be sent to the administrator that indicates that it is safe for the administrator to mitigate the non-compliant database configuration.
Type: Grant
Filed: March 31, 2021
Date of Patent: May 9, 2023
Assignee: Imperva, Inc.
Inventors: Avidan Reich, Amichai Shulman, Michael Cherny
-
Publication number: 20230095747
Abstract: An example computer-implemented method of providing security for a software container includes discovering credentials that a software container is expected to use at runtime. The discovering is performed prior to instantiation of the software container from a container image, and is based on one or more of credentials stored in the container image, credentials stored in runtime configuration data for the software container, and credentials from a secrets management service. An unsafe credential set is determined that includes one or more of the discovered credentials that do not meet predefined credential safety criteria. A runtime request is intercepted from the software container. A credential violation is detected based on the intercepted runtime request attempting to use a credential from the unsafe discovered credential set. A corrective action is performed for the software container based on the detected credential violation.
Type: Application
Filed: December 7, 2022
Publication date: March 30, 2023
Inventors: Michael Cherny, Sagie Dulce
-
Patent number: 11580216
Abstract: An example computer-implemented method of providing security for a software container includes discovering credentials that a software container is expected to use at runtime. The discovering is performed prior to instantiation of the software container from a container image, and is based on one or more of credentials stored in the container image, credentials stored in runtime configuration data for the software container, and credentials from a secrets management service. An unsafe credential set is determined that includes one or more of the discovered credentials that do not meet predefined credential safety criteria. A runtime request is intercepted from the software container. A credential violation is detected based on the intercepted runtime request attempting to use a credential from the unsafe discovered credential set. A corrective action is performed for the software container based on the detected credential violation.
Type: Grant
Filed: March 26, 2021
Date of Patent: February 14, 2023
Assignee: Aqua Security Software, Ltd.
Inventors: Michael Cherny, Sagie Dulce
-
Publication number: 20210248237
Abstract: A method by one or more electronic devices to notify an administrator when it is safe to mitigate a non-compliant database configuration of a database. The method includes responsive to identifying the non-compliant database configuration of the database, applying a security rule that detects occurrences of database operations that make use of the non-compliant database configuration and responsive to a determination that the security rule has not been invoked for at least a threshold length of time, causing a notification to be sent to the administrator that indicates that it is safe for the administrator to mitigate the non-compliant database configuration.
Type: Application
Filed: March 31, 2021
Publication date: August 12, 2021
Applicant: Imperva, Inc.
Inventors: Avidan REICH, Amichai SHULMAN, Michael CHERNY
-
Publication number: 20210216621
Abstract: An example computer-implemented method of providing security for a software container includes discovering credentials that a software container is expected to use at runtime. The discovering is performed prior to instantiation of the software container from a container image, and is based on one or more of credentials stored in the container image, credentials stored in runtime configuration data for the software container, and credentials from a secrets management service. An unsafe credential set is determined that includes one or more of the discovered credentials that do not meet predefined credential safety criteria. A runtime request is intercepted from the software container. A credential violation is detected based on the intercepted runtime request attempting to use a credential from the unsafe discovered credential set. A corrective action is performed for the software container based on the detected credential violation.
Type: Application
Filed: March 26, 2021
Publication date: July 15, 2021
Inventors: Michael Cherny, Sagie Dulce
-
Patent number: 11017074
Abstract: An example computer-implemented method of providing security for a software container includes discovering credentials that a software container is expected to use at runtime. The discovering is performed prior to instantiation of the software container from a container image, and is based on one or more of credentials stored in the container image, credentials stored in runtime configuration data for the software container, and credentials from a secrets management service. An unsafe credential set is determined that includes one or more of the discovered credentials that do not meet predefined credential safety criteria. A runtime request is intercepted from the software container. A credential violation is detected based on the intercepted runtime request attempting to use a credential from the unsafe discovered credential set. A corrective action is performed for the software container based on the detected credential violation.
Type: Grant
Filed: September 12, 2018
Date of Patent: May 25, 2021
Assignee: Aqua Security Software, Ltd.
Inventors: Michael Cherny, Sagie Dulce
-
Patent number: 11003779
Abstract: A method by a security system for selectively triggering different ones of a plurality of database assessment scans for a database and detecting when non-compliant database configurations of the database are being used. The method includes monitoring for occurrences of a first class of database operations, responsive to detecting an occurrence of one or more database operations of the first class, selecting one or more subsets of the plurality of database assessment scans to be rerun, triggering performance of only the selected one or more of the subsets, identifying one or more non-compliant database configurations of the database based on accessing results of the selected one or more of the subsets, determining one or more security rules for detecting occurrences of database operations that make use of the identified one or more non-compliant database configurations, and applying the determined one or more security rules.
Type: Grant
Filed: September 30, 2020
Date of Patent: May 11, 2021
Assignee: Imperva, Inc.
Inventors: Avidan Reich, Amichai Shulman, Michael Cherny
-
Publication number: 20210012007
Abstract: A method by a security system for selectively triggering different ones of a plurality of database assessment scans for a database and detecting when non-compliant database configurations of the database are being used. The method includes monitoring for occurrences of a first class of database operations, responsive to detecting an occurrence of one or more database operations of the first class, selecting one or more subsets of the plurality of database assessment scans to be rerun, triggering performance of only the selected one or more of the subsets, identifying one or more non-compliant database configurations of the database based on accessing results of the selected one or more of the subsets, determining one or more security rules for detecting occurrences of database operations that make use of the identified one or more non-compliant database configurations, and applying the determined one or more security rules.
Type: Application
Filed: September 30, 2020
Publication date: January 14, 2021
Applicant: Imperva, Inc.
Inventors: Avidan REICH, Amichai SHULMAN, Michael CHERNY
-
Patent number: 10824730
Abstract: A method implemented by a security system for selectively triggering different ones of a plurality of database assessment scans for a database. The method includes monitoring for occurrences of a first class of database operations that have been determined to require only rerunning subsets of the plurality of database assessment scans to determine whether results of the plurality of database assessment scans have changed, responsive to detecting an occurrence of one or more database operations of the first class, selecting one or more of the subsets to be rerun based on which of the database operations of the first class occurred, and triggering performance of only the selected one or more of the subsets to determine whether the results of the plurality of database assessment scans have changed.
Type: Grant
Filed: August 22, 2018
Date of Patent: November 3, 2020
Assignee: Imperva, Inc.
Inventors: Avidan Reich, Amichai Shulman, Michael Cherny
-
Publication number: 20200082071
Abstract: An example computer-implemented method of providing security for a software container includes discovering credentials that a software container is expected to use at runtime. The discovering is performed prior to instantiation of the software container from a container image, and is based on one or more of credentials stored in the container image, credentials stored in runtime configuration data for the software container, and credentials from a secrets management service. An unsafe credential set is determined that includes one or more of the discovered credentials that do not meet predefined credential safety criteria. A runtime request is intercepted from the software container. A credential violation is detected based on the intercepted runtime request attempting to use a credential from the unsafe discovered credential set. A corrective action is performed for the software container based on the detected credential violation.
Type: Application
Filed: September 12, 2018
Publication date: March 12, 2020
Inventors: Michael Cherny, Sagie Dulce
-
Publication number: 20200065494
Abstract: A method implemented by a security system for selectively triggering different ones of a plurality of database assessment scans for a database. The method includes monitoring for occurrences of a first class of database operations that have been determined to require only rerunning subsets of the plurality of database assessment scans to determine whether results of the plurality of database assessment scans have changed, responsive to detecting an occurrence of one or more database operations of the first class, selecting one or more of the subsets to be rerun based on which of the database operations of the first class occurred, and triggering performance of only the selected one or more of the subsets to determine whether the results of the plurality of database assessment scans have changed.
Type: Application
Filed: August 22, 2018
Publication date: February 27, 2020
Inventors: Avidan REICH, Amichai SHULMAN, Michael CHERNY
-
Patent number: 10534915
Abstract: An example computer-implemented method of preventing exploitation of software vulnerabilities includes determining that a software container is susceptible to a vulnerability, determining one or more soft spots required to exploit the vulnerability, and analyzing runtime behavior of the software container to determine if the software container uses the one or more soft spots. The method includes automatically applying a security policy that prevents the software container from using the one or more soft spots based on the analyzing indicating that the software container does not use the one or more soft spots at runtime.
Type: Grant
Filed: June 29, 2017
Date of Patent: January 14, 2020
Assignee: AQUA SECURITY SOFTWARE, LTD.
Inventors: Michael Cherny, Sagie Dulce
-
Publication number: 20190005246
Abstract: An example computer-implemented method of preventing exploitation of software vulnerabilities includes determining that a software container is susceptible to a vulnerability, determining one or more soft spots required to exploit the vulnerability, and analyzing runtime behavior of the software container to determine if the software container uses the one or more soft spots. The method includes automatically applying a security policy that prevents the software container from using the one or more soft spots based on the analyzing indicating that the software container does not use the one or more soft spots at runtime.
Type: Application
Filed: June 29, 2017
Publication date: January 3, 2019
Inventors: Michael Cherny, Sagie Dulce
-
Patent number: 9667651
Abstract: According to one embodiment, a method for setting a trap to detect that an intruder has compromised a client end station (CES) in an attempt to gain unauthorized access to enterprise data provided by a server is described. The method includes causing a honey token to be placed on the CES secluded within a configuration repository, wherein the honey token is metadata and/or instructions indicating how applications can seemingly access the enterprise data but that is actually invalid, and the honey token is placed on the CES and not on the server. The method also includes causing attribute values to be installed on a security gateway for a security rule causing the security gateway to monitor network traffic for attempted use of the honey token, and to generate an alert when a set of one or more packets that include the honey token are received.
Type: Grant
Filed: June 16, 2016
Date of Patent: May 30, 2017
Assignee: Imperva, Inc.
Inventors: Amichai Shulman, Michael Cherny, Sagie Dulce
-
Publication number: 20160301712
Abstract: According to one embodiment, a method for setting a trap to detect that an intruder has compromised a client end station (CES) in an attempt to gain unauthorized access to enterprise data provided by a server is described. The method includes causing a honey token to be placed on the CES secluded within a configuration repository, wherein the honey token is metadata and/or instructions indicating how applications can seemingly access the enterprise data but that is actually invalid, and the honey token is placed on the CES and not on the server. The method also includes causing attribute values to be installed on a security gateway for a security rule causing the security gateway to monitor network traffic for attempted use of the honey token, and to generate an alert when a set of one or more packets that include the honey token are received.
Type: Application
Filed: June 16, 2016
Publication date: October 13, 2016
Inventors: Amichai SHULMAN, Michael CHERNY, Sagie DULCE
-
Patent number: 9401927
Abstract: According to one embodiment, a method for setting a trap to detect that an intruder has compromised a client end station (CES) in an attempt to gain unauthorized access to enterprise data provided by a server is described. The method includes causing a honey token to be placed on the CES secluded within a configuration repository, wherein the honey token is metadata and/or instructions indicating how applications can seemingly access the enterprise data but that is actually invalid, and the honey token is placed on the CES and not on the server. The method also includes causing attribute values to be installed on a security gateway for a security rule causing the security gateway to monitor network traffic for attempted use of the honey token, and to generate an alert when a set of one or more packets that include the honey token are received.
Type: Grant
Filed: January 20, 2015
Date of Patent: July 26, 2016
Assignee: Imperva, Inc.
Inventors: Amichai Shulman, Michael Cherny, Sagie Dulce
-
Publication number: 20150135266
Abstract: According to one embodiment, a method for setting a trap to detect that an intruder has compromised a client end station (CES) in an attempt to gain unauthorized access to enterprise data provided by a server is described. The method includes causing a honey token to be placed on the CES secluded within a configuration repository, wherein the honey token is metadata and/or instructions indicating how applications can seemingly access the enterprise data but that is actually invalid, and the honey token is placed on the CES and not on the server. The method also includes causing attribute values to be installed on a security gateway for a security rule causing the security gateway to monitor network traffic for attempted use of the honey token, and to generate an alert when a set of one or more packets that include the honey token are received.
Type: Application
Filed: January 20, 2015
Publication date: May 14, 2015
Inventors: Amichai Shulman, Michael Cherny, Sagie Dulce
-
Patent number: 8973142
Abstract: According to one embodiment, a method for setting a trap to detect that an intruder has compromised a client end station (CES) in an attempt to gain unauthorized access to enterprise data provided by a server is described. The method includes causing a honey token to be placed on the CES secluded within a configuration repository, wherein the honey token is metadata and/or instructions indicating how applications can seemingly access the enterprise data but that is actually invalid, and the honey token is placed on the CES and not on the server. The method also includes causing attribute values to be installed on a security gateway for a security rule causing the security gateway to monitor network traffic for attempted use of the honey token, and to generate an alert when a set of one or more packets that include the honey token are received.
Type: Grant
Filed: July 2, 2013
Date of Patent: March 3, 2015
Assignee: Imperva, Inc.
Inventors: Amichai Shulman, Michael Cherny, Sagie Dulce
-
Publication number: 20150013006
Abstract: According to one embodiment, a method for setting a trap to detect that an intruder has compromised a client end station (CES) in an attempt to gain unauthorized access to enterprise data provided by a server is described. The method includes causing a honey token to be placed on the CES secluded within a configuration repository, wherein the honey token is metadata and/or instructions indicating how applications can seemingly access the enterprise data but that is actually invalid, and the honey token is placed on the CES and not on the server. The method also includes causing attribute values to be installed on a security gateway for a security rule causing the security gateway to monitor network traffic for attempted use of the honey token, and to generate an alert when a set of one or more packets that include the honey token are received.
Type: Application
Filed: July 2, 2013
Publication date: January 8, 2015
Applicant: Imperva Inc.
Inventors: Amichai Shulman, Michael Cherny, Sagie Dulce