Patents by Inventor Partha Bhattacharya
Partha Bhattacharya has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
- Publication number: 20240070267
  Abstract: Systems and methods for detecting malicious behavior in a network by analyzing process interaction ratios (PIRs) are provided. According to one embodiment, information regarding historical process activity is maintained. The historical process activity includes information regarding various processes hosted by computing devices of a private network. Information regarding process activity within the private network is received for a current observation period. For each process, for each testing time period of a number of testing time periods within the current observation period, a PIR is determined based on (i) a number of unique computing devices that hosted the process and (ii) a number of unique users that executed the process. A particular process is identified as potentially malicious when a measure of deviation of the PIR of the particular process from a historical PIR mean of the particular process exceeds a pre-defined or configurable threshold during a testing time period.
  Type: Application
  Filed: October 31, 2023
  Publication date: February 29, 2024
  Applicant: Fortinet, Inc.
  Inventors: Ernest Mugambi, Partha Bhattacharya, Gun Sumlut
- Patent number: 11836247
  Abstract: Systems and methods for detecting malicious behavior in a network by analyzing process interaction ratios (PIRs) are provided. According to one embodiment, information regarding historical process activity is maintained. The historical process activity includes information regarding various processes hosted by computing devices of a private network. Information regarding process activity within the private network is received for a current observation period. For each process, for each testing time period of a number of testing time periods within the current observation period, a PIR is determined based on (i) a number of unique computing devices that host the process and (ii) a number of unique users that have executed the process. A particular process is identified as potentially malicious when a measure of deviation of the PIR of the particular process from a historical PIR mean of the particular process exceeds a pre-defined or configurable threshold during a testing time period.
  Type: Grant
  Filed: March 30, 2020
  Date of Patent: December 5, 2023
  Assignee: Fortinet, Inc.
  Inventors: Ernest Mugambi, Partha Bhattacharya, Gun Sumlut
- Patent number: 11700269
  Abstract: Systems and methods for analyzing user behavior patterns to detect compromised computing devices in an enterprise network are provided. According to one embodiment, an enforcement engine running on a network security device identifies top users of a network exhibiting suspicious behavior relating to login failures by determining a first set of users having a number of login failure events during a given time duration exceeding a threshold. The enforcement engine identifies, from a first set of computers associated with the top users, a second set of computers exhibiting suspicious behavior relating to new connections exceeding a threshold. The enforcement engine classifies a third set of computers, representing a subset of the second set exhibiting suspicious behavior relating to consecutive new connections, as compromised source computers when their respective new connections are in a sequence that results in a Shannon entropy measure exceeding a threshold.
  Type: Grant
  Filed: December 18, 2018
  Date of Patent: July 11, 2023
  Assignee: Fortinet, Inc.
  Inventors: Ernest Mugambi, Partha Bhattacharya
- Publication number: 20230124404
  Abstract: Systems and methods for adaptively provisioning a distributed event data store of a multi-tenant architecture are provided. According to one embodiment, a managed security service provider (MSSP) maintains a distributed event data store on behalf of each tenant of the MSSP. For each tenant, the MSSP periodically determines a provisioning status for the current active partition of the tenant's distributed event data store. When the determination indicates that an under-provisioning condition exists, the MSSP dynamically increases the number of resource provision units (RPUs) to be used for a new partition to be added to the tenant's partitions by a first adjustment ratio. Conversely, when the determination indicates that an over-provisioning condition exists, the MSSP dynamically decreases the number of RPUs to be used for subsequent partitions added to the tenant's partitions by a second adjustment ratio.
  Type: Application
  Filed: December 2, 2022
  Publication date: April 20, 2023
  Applicant: Fortinet, Inc.
  Inventors: Jun He, Partha Bhattacharya, Jae Yoo
- Patent number: 11531570
  Abstract: Systems and methods for adaptively provisioning a distributed event data store of a multi-tenant architecture are provided. According to one embodiment, a managed security service provider (MSSP) maintains a distributed event data store on behalf of each tenant of the MSSP. For each tenant, the MSSP periodically determines a provisioning status for the current active partition of the tenant's distributed event data store. When the determination indicates that an under-provisioning condition exists, the MSSP dynamically increases the number of resource provision units (RPUs) to be used for a new partition to be added to the tenant's partitions by a first adjustment ratio. Conversely, when the determination indicates that an over-provisioning condition exists, the MSSP dynamically decreases the number of RPUs to be used for subsequent partitions added to the tenant's partitions by a second adjustment ratio.
  Type: Grant
  Filed: March 11, 2020
  Date of Patent: December 20, 2022
  Assignee: Fortinet, Inc.
  Inventors: Jun He, Partha Bhattacharya, Jae Yoo
- Publication number: 20210303682
  Abstract: Systems and methods for detecting malicious behavior in a network by analyzing process interaction ratios (PIRs) are provided. According to one embodiment, information regarding historical process activity is maintained. The historical process activity includes information regarding various processes hosted by computing devices of a private network. Information regarding process activity within the private network is received for a current observation period. For each process, for each testing time period of a number of testing time periods within the current observation period, a PIR is determined based on (i) a number of unique computing devices that host the process and (ii) a number of unique users that have executed the process. A particular process is identified as potentially malicious when a measure of deviation of the PIR of the particular process from a historical PIR mean of the particular process exceeds a pre-defined or configurable threshold during a testing time period.
  Type: Application
  Filed: March 30, 2020
  Publication date: September 30, 2021
  Applicant: Fortinet, Inc.
  Inventors: Ernest Mugambi, Partha Bhattacharya, Gun Sumlut
- Publication number: 20210286652
  Abstract: Systems and methods for adaptively provisioning a distributed event data store of a multi-tenant architecture are provided. According to one embodiment, a managed security service provider (MSSP) maintains a distributed event data store on behalf of each tenant of the MSSP. For each tenant, the MSSP periodically determines a provisioning status for the current active partition of the tenant's distributed event data store. When the determination indicates that an under-provisioning condition exists, the MSSP dynamically increases the number of resource provision units (RPUs) to be used for a new partition to be added to the tenant's partitions by a first adjustment ratio. Conversely, when the determination indicates that an over-provisioning condition exists, the MSSP dynamically decreases the number of RPUs to be used for subsequent partitions added to the tenant's partitions by a second adjustment ratio.
  Type: Application
  Filed: March 11, 2020
  Publication date: September 16, 2021
  Applicant: Fortinet, Inc.
  Inventors: Jun He, Partha Bhattacharya, Jae Yoo
- Patent number: 10938926
  Abstract: Network identity to user identity and location mapping information can be found in various logs (such as Active Directory logs, DHCP logs, VPN logs, and WLAN authentication logs) and in certain files such as router Layer 2 or Layer 3 forwarding tables. For a large organization, this mapping can be dynamic. Accurate user identity and location information is crucial to assessing the security risk associated with a host and taking corrective action. This invention discloses a distributed in-memory user database update methodology for keeping track of large-scale, dynamically updating network-to-user identity mappings. The technique is further configurable for specific users, specific devices, or specific attributes in the metadata.
  Type: Grant
  Filed: December 30, 2016
  Date of Patent: March 2, 2021
  Assignee: Fortinet, Inc.
  Inventors: Partha Bhattacharya, Santosh Rao
- Publication number: 20200195672
  Abstract: Systems and methods for analyzing user behavior patterns to detect compromised computing devices in an enterprise network are provided. According to one embodiment, an enforcement engine running on a network security device identifies top users of a network exhibiting suspicious behavior relating to login failures by determining a first set of users having a number of login failure events during a given time duration exceeding a threshold. The enforcement engine identifies, from a first set of computers associated with the top users, a second set of computers exhibiting suspicious behavior relating to new connections exceeding a threshold. The enforcement engine classifies a third set of computers, representing a subset of the second set exhibiting suspicious behavior relating to consecutive new connections, as compromised source computers when their respective new connections are in a sequence that results in a Shannon entropy measure exceeding a threshold.
  Type: Application
  Filed: December 18, 2018
  Publication date: June 18, 2020
  Applicant: Fortinet, Inc.
  Inventors: Ernest Mugambi, Partha Bhattacharya
- Patent number: 10445479
  Abstract: Metadata is received for different log events from a plurality of regional controller nodes, implemented at least partially in hardware and geographically dispersed around the data communication network for proximity to network devices. Each of the log events is reported by the network devices to a regional collector node of the plurality of regional controller nodes. Log events concerning a user authenticating to a network device that is geographically proximate to the user, and comprising at least a user identity aspect and a location aspect for specific users of stations serviced by the network devices, are detected. The feasibility of location changes can be determined to identify possible identity theft.
  Type: Grant
  Filed: September 30, 2017
  Date of Patent: October 15, 2019
  Assignee: Fortinet, Inc.
  Inventors: Santosh Rao, Wenjun Cai, Partha Bhattacharya
- Patent number: 10404558
  Abstract: Dynamic reporting rates for a log management system are adaptively allocated. Each individual controller node device of a plurality of controller nodes is initially allocated an EPS rate limit for submitting event records to a log management system (e.g., an SIEM log management system) out of a licensed EPS rate. When surges are detected, the log management system dynamically reallocates proportions of EPS rates within the licensed EPS rate. The individual EPS rate limit for at least one collector node is adjusted in real time for a specific controller node based on under-usage by other collector nodes. Another technique is to prioritize or weight the events causing the surge to determine adjustments to the EPS rate.
  Type: Grant
  Filed: June 6, 2018
  Date of Patent: September 3, 2019
  Assignee: Fortinet, Inc.
  Inventors: Jun He, Partha Bhattacharya
- Publication number: 20180375746
  Abstract: Dynamic reporting rates for a log management system are adaptively allocated. Each individual controller node device of a plurality of controller nodes is initially allocated an EPS rate limit for submitting event records to a log management system (e.g., an SIEM log management system) out of a licensed EPS rate. When surges are detected, the log management system dynamically reallocates proportions of EPS rates within the licensed EPS rate. The individual EPS rate limit for at least one collector node is adjusted in real time for a specific controller node based on under-usage by other collector nodes. Another technique is to prioritize or weight the events causing the surge to determine adjustments to the EPS rate.
  Type: Application
  Filed: June 6, 2018
  Publication date: December 27, 2018
  Inventors: Jun He, Partha Bhattacharya
- Patent number: 10148698
  Abstract: Event record purging is selectively enforced in a high-volume log system. A plurality of data retention policies is received for one or more data types. Each data retention policy can describe a retention duration for enforcement of different data types with respect to online retention and offline retention. Only online compressed files from a period of time potentially containing event records with an expiring retention duration are uncompressed. Other files are ignored to save I/O bandwidth for supporting queries of event records. Some implementations search records using the index as well.
  Type: Grant
  Filed: September 30, 2016
  Date of Patent: December 4, 2018
  Assignee: Fortinet, Inc.
  Inventors: Santosh Rao, Partha Bhattacharya
- Patent number: 10044578
  Abstract: Dynamic reporting rates for a log management system are adaptively allocated. Each individual controller node device of a plurality of controller nodes is initially allocated an EPS rate limit for submitting event records to a log management system (e.g., an SIEM log management system) out of a licensed EPS rate. When surges are detected, the log management system dynamically reallocates proportions of EPS rates within the licensed EPS rate. The individual EPS rate limit for at least one collector node is adjusted in real time for a specific controller node based on under-usage by other collector nodes. Another technique is to prioritize or weight the events causing the surge to determine adjustments to the EPS rate.
  Type: Grant
  Filed: September 27, 2016
  Date of Patent: August 7, 2018
  Assignee: Fortinet, Inc.
  Inventors: Jun He, Partha Bhattacharya
- Publication number: 20180189467
  Abstract: Metadata is received for different log events from a plurality of regional controller nodes, implemented at least partially in hardware and geographically dispersed around the data communication network for proximity to network devices. Each of the log events is reported by the network devices to a regional collector node of the plurality of regional controller nodes. Log events concerning a user authenticating to a network device that is geographically proximate to the user, and comprising at least a user identity aspect and a location aspect for specific users of stations serviced by the network devices, are detected. The feasibility of location changes can be determined to identify possible identity theft.
  Type: Application
  Filed: September 30, 2017
  Publication date: July 5, 2018
  Inventors: Santosh Rao, Wenjun Cai, Partha Bhattacharya
- Publication number: 20180191848
  Abstract: Network identity to user identity and location mapping information can be found in various logs (such as Active Directory logs, DHCP logs, VPN logs, and WLAN authentication logs) and in certain files such as router Layer 2 or Layer 3 forwarding tables. For a large organization, this mapping can be dynamic. Accurate user identity and location information is crucial to assessing the security risk associated with a host and taking corrective action. This invention discloses a distributed in-memory user database update methodology for keeping track of large-scale, dynamically updating network-to-user identity mappings. The technique is further configurable for specific users, specific devices, or specific attributes in the metadata.
  Type: Application
  Filed: December 30, 2016
  Publication date: July 5, 2018
  Inventors: Partha Bhattacharya, Santosh Rao
- Publication number: 20180097844
  Abstract: Event record purging is selectively enforced in a high-volume log system. A plurality of data retention policies is received for one or more data types. Each data retention policy can describe a retention duration for enforcement of different data types with respect to online retention and offline retention. Only online compressed files from a period of time potentially containing event records with an expiring retention duration are uncompressed. Other files are ignored to save I/O bandwidth for supporting queries of event records. Some implementations search records using the index as well.
  Type: Application
  Filed: September 30, 2016
  Publication date: April 5, 2018
  Inventors: Santosh Rao, Partha Bhattacharya
- Publication number: 20180091393
  Abstract: Dynamic reporting rates for a log management system are adaptively allocated. Each individual controller node device of a plurality of controller nodes is initially allocated an EPS rate limit for submitting event records to a log management system (e.g., an SIEM log management system) out of a licensed EPS rate. When surges are detected, the log management system dynamically reallocates proportions of EPS rates within the licensed EPS rate. The individual EPS rate limit for at least one collector node is adjusted in real time for a specific controller node based on under-usage by other collector nodes. Another technique is to prioritize or weight the events causing the surge to determine adjustments to the EPS rate.
  Type: Application
  Filed: September 27, 2016
  Publication date: March 29, 2018
  Inventors: Jun He, Partha Bhattacharya
- Patent number: 8510432
  Abstract: In a method and system for aggregating event information, events are received at a first plurality of nodes in a distributed system. For the events received at each node, aggregated attribute information is determined in accordance with two or more rules and stored in distinct first tables, each table storing aggregated attribute information for a respective rule of the two or more rules. At each node of the first plurality of nodes, the two or more distinct first tables are transmitted to a respective node of a second set of nodes in the distributed system. At each node of the second set of nodes, two or more distinct second tables are generated by merging the aggregated attribute information in the tables transmitted to the node. Each rule of the two or more rules is evaluated using the aggregated attribute information obtained from a corresponding table of the second tables.
  Type: Grant
  Filed: June 24, 2010
  Date of Patent: August 13, 2013
  Assignee: Accelops, Inc.
  Inventors: Partha Bhattacharya, Sheng Chen, Hongbo Zhu
- Patent number: 8423894
  Abstract: A network security monitor system groups a plurality of security events into network sessions, correlates the network sessions according to a set of predefined network security event correlation rules, and generates a security incident for the network sessions that satisfy one of the network security event correlation rules. The system then presents the information about the network sessions and security incidents to a user of the system in an intuitive form. The user is able not only to learn the details of a possible network attack, but also to create new security event correlation rules intuitively, including drop rules for dropping a particular type of event.
  Type: Grant
  Filed: November 16, 2009
  Date of Patent: April 16, 2013
  Assignee: Cisco Technology, Inc.
  Inventors: Partha Bhattacharya, Imin T. Lee, Aji Joseph, Eli Stevens, Diwakar Naramreddy