Patents by Inventor Roy KATMOR
Roy KATMOR has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
Patent number: 11977494
Abstract: Systems and methods for implementing a secure communication channel between kernel and user mode components are provided. According to an embodiment, a shared memory is provided through which a kernel mode process and a user mode process communicate. The kernel mode process is assigned read-write access to the shared memory. The user mode process is assigned read-only access to the shared memory. An offset-based linked list is implemented within the shared memory. Kernel-to-user messages are communicated from the kernel mode process to the user mode process by adding corresponding nodes to the offset-based linked list. One or more kernel-to-user messages are read by the user mode process following the offset-based linked list in order. The kernel mode process is signaled by the user mode process that a kernel-to-user message has been consumed by the user mode process through an input output control (ioctl) system call or an event object.
Type: Grant
Filed: April 12, 2022
Date of Patent: May 7, 2024
Assignee: Fortinet, Inc.
Inventors: Udi Yavo, Roy Katmor, Ido Kelson
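The abstract above (and the three later listings of the same family, 20220237129, 11314662 and 20210279184) describes the channel but not what an offset-based list looks like in memory, or why a read-only consumer still has to validate what it reads. The C program below is an added example written for this page; it is not code from the patents or from Fortinet. Its region layout, node format, sequence-number acknowledgement and the function call that stands in for the ioctl are all its own assumptions.

```c
#include <stdint.h>
#include <string.h>
/* Added example of the kernel-to-user channel (constructed, not the patent's code).
 * Header and nodes refer to each other by byte offsets, never pointers, so the same
 * bytes are valid in the kernel's read-write mapping and in the user process's
 * read-only mapping at a different address. A function call stands in for the ioctl. */
#define REGION_SIZE 4096
#define OFF_NONE    0u            /* offset 0 holds the header, so it never names a node */

struct region_hdr {
    uint32_t head;                /* oldest unconsumed node, OFF_NONE if empty */
    uint32_t tail;                /* newest node, OFF_NONE if empty */
    uint32_t next_free;           /* bump-allocator cursor */
    uint32_t reserved;            /* keeps the header 16 bytes, a multiple of 8 */
};
struct msg_node {
    uint32_t next;                /* next node offset, OFF_NONE at the end */
    uint32_t len;                 /* payload bytes including the terminating NUL */
    uint32_t seq;                 /* sequence number the consumer acknowledges */
    char     data[];              /* NUL-terminated payload */
};
static uint64_t g_region_words[REGION_SIZE / 8];                  /* 8-byte aligned backing store */
static unsigned char *const g_region = (unsigned char *)g_region_words;
static uint32_t g_seq;

/* ---- producer: kernel-mode writer (read-write mapping) ---- */
void channel_init(void) {
    struct region_hdr *h = (struct region_hdr *)g_region;
    memset(g_region, 0, REGION_SIZE);
    h->head = h->tail = OFF_NONE;
    h->next_free = sizeof(struct region_hdr);
    g_seq = 0;
}

/* Append one message; returns its offset, or OFF_NONE when the region is full. */
uint32_t channel_push(const char *payload) {
    struct region_hdr *h = (struct region_hdr *)g_region;
    uint32_t len  = (uint32_t)strlen(payload) + 1;
    uint32_t need = ((uint32_t)sizeof(struct msg_node) + len + 7) & ~7u;   /* keep nodes 8-byte aligned */
    if (need > REGION_SIZE - h->next_free) return OFF_NONE;
    uint32_t off = h->next_free;
    struct msg_node *n = (struct msg_node *)(g_region + off);
    n->next = OFF_NONE; n->len = len; n->seq = ++g_seq;
    memcpy(n->data, payload, len);
    h->next_free += need;
    if (h->tail == OFF_NONE) h->head = off;      /* link in last: an early reader just stops short */
    else ((struct msg_node *)(g_region + h->tail))->next = off;
    h->tail = off;
    return off;
}

/* Stand-in for the ioctl handler. The consumer reports the highest sequence number it has
 * processed (never an offset, so the kernel trusts no user-chosen offset); nodes up to it
 * are unlinked and a drained region is reset. Returns 1 when the queue is empty. */
int channel_ack(uint32_t consumed_seq) {
    struct region_hdr *h = (struct region_hdr *)g_region;
    while (h->head != OFF_NONE) {
        struct msg_node *n = (struct msg_node *)(g_region + h->head);
        if (n->seq > consumed_seq) break;
        h->head = n->next;
    }
    if (h->head == OFF_NONE) { h->tail = OFF_NONE; h->next_free = sizeof(struct region_hdr); }
    return h->head == OFF_NONE;
}

/* ---- consumer: user-mode reader (read-only mapping). Read-only access protects the
 * kernel from user mode, not user mode from a corrupt region, so every offset is checked
 * against the mapping size the consumer knows (REGION_SIZE) before it is dereferenced. */
int node_valid(const unsigned char *region, uint32_t off) {
    if (off < sizeof(struct region_hdr) || off % 8 != 0) return 0;
    if (off + sizeof(struct msg_node) > REGION_SIZE) return 0;
    const struct msg_node *n = (const struct msg_node *)(region + off);
    if (n->len == 0 || n->len > REGION_SIZE - off - sizeof(struct msg_node)) return 0;
    return n->data[n->len - 1] == '\0';
}

/* Unconsumed message count, or -1 if the list is malformed (bad offset or cycle). */
int channel_count(const unsigned char *region) {
    uint32_t off = ((const struct region_hdr *)region)->head;
    int count = 0;
    while (off != OFF_NONE) {
        if (!node_valid(region, off) || ++count > REGION_SIZE / 8) return -1;
        off = ((const struct msg_node *)(region + off))->next;
    }
    return count;
}

/* Payload of the idx-th unconsumed message in list order (0-based), or NULL. */
const char *channel_peek(const unsigned char *region, int idx) {
    uint32_t off = ((const struct region_hdr *)region)->head;
    for (int i = 0; off != OFF_NONE && i <= idx; i++) {
        if (!node_valid(region, off)) return NULL;
        const struct msg_node *n = (const struct msg_node *)(region + off);
        if (i == idx) return n->data;
        off = n->next;
    }
    return NULL;
}
```

Two design points carry over to a real driver. The producer publishes a node by writing the previous tail's next field last, so a reader racing the writer sees either the old list or the complete new node, never a half-built one. The consumer treats the region as untrusted input even though only the kernel can write it: it rejects misaligned, out-of-range or looping offsets and acknowledges by sequence number, so a corrupted region degrades to an error in the user-mode agent rather than a crash, and the kernel never acts on an offset chosen by user mode.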
Patent number: 11930022
Abstract: Systems and methods for performing multi-feed classification of security events to facilitate automated IR orchestration are provided. According to one embodiment, a cloud-based security service protecting a private network provides a plurality of data feeds, each of which independently classifies a given security event and produces a classification result. In response to an event associated with a process of an endpoint device that is part of the private network, an endpoint protection platform running on the endpoint device performs an initial classification of the event and transmits the classification result to the cloud-based security service for final classification.
Type: Grant
Filed: October 3, 2022
Date of Patent: March 12, 2024
Assignee: Fortinet, Inc.
Inventors: Udi Yavo, Roy Katmor, Ido Kelson
Patent number: 11924235
Abstract: Systems and methods for improving security event classification by leveraging user-behavior analytics are provided. According to an embodiment, a UEBA-based security event classification service of a cloud-based security platform maintains information regarding the historical behavior of users of an enterprise network. In response to an event associated with a process on an endpoint device that is part of the enterprise network, an endpoint protection platform running on the endpoint device performs an initial classification of the event and, based on that classification, blocks activity by the process. The endpoint protection platform then requests input from the cloud-based security platform, which reclassifies the event based on contextual information, multiple data feeds and the UEBA-based security event classification service.
Type: Grant
Filed: January 17, 2023
Date of Patent: March 5, 2024
Assignee: Fortinet, Inc.
Inventors: Udi Yavo, Roy Katmor, Ido Kelson
Patent number: 11909761
Abstract: Systems and methods for mitigating the impact of malware by reversing malware related modifications in a computing device are provided. According to an embodiment, a sandbox service running within a network security platform protecting an enterprise network receives a file containing malware and associated contextual information from an endpoint security solution running on an endpoint device, which has been infected by the malware. The sandbox service captures information regarding a first series of actions performed by the malware and based on the first series of actions generates a remediation script specifying a second series of actions that are configured to restore the endpoint device to a pre-infected state. The network security platform causes the endpoint device to be returned to the pre-infected state by causing the endpoint security solution to execute the remediation script on the endpoint device.
Type: Grant
Filed: February 2, 2022
Date of Patent: February 20, 2024
Assignee: Fortinet, Inc.
Inventors: Udi Yavo, Roy Katmor, Ido Kelson
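The abstract above (and the later listings of the same family, 20220159014 and 11277438) describes the remediation script as a "second series of actions" derived from the captured first series, without saying how the inverse is derived or ordered. The C program below is an added example for this page, not the patents' or Fortinet's code; its action kinds, the sandbox trace and the script syntax are constructed for illustration. It covers two details a practitioner would want: steps are emitted in reverse execution order, so a dropped file is removed before the directory that held it, and a target the malware changed more than once is restored from the earliest captured copy only, which is the one that holds pre-infection content.

```c
#include <stdio.h>
#include <string.h>

/* Added example (constructed, not the patent's code): action kinds a sandbox might record. */
enum act_kind {
    ACT_FILE_READ,     /* no local state changed: nothing to reverse */
    ACT_NET_CONNECT,   /* likewise */
    ACT_FILE_CREATE,   /* reverse: delete the file or directory */
    ACT_FILE_MODIFY,   /* reverse: restore the pre-change copy the sandbox kept */
    ACT_FILE_DELETE,   /* reverse: restore the deleted file from the sandbox copy */
    ACT_REG_SET        /* reverse: put back the previous value, or delete it if there was none */
};
struct action {
    enum act_kind kind;
    const char *target;   /* file path or registry value */
    const char *backup;   /* pre-action content captured by the sandbox; NULL if there was none */
};

/* Constructed trace of a dropper detonated in the sandbox, in execution order. */
static const struct action g_trace[] = {
    { ACT_FILE_READ,   "C:\\Users\\victim\\Documents\\q3.xlsx",                        NULL },
    { ACT_FILE_CREATE, "C:\\ProgramData\\upd",                                        NULL },
    { ACT_FILE_CREATE, "C:\\ProgramData\\upd\\svc.exe",                               NULL },
    { ACT_REG_SET,     "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd", NULL },
    { ACT_FILE_MODIFY, "C:\\Windows\\System32\\drivers\\etc\\hosts",                  "hosts.bak1" },
    { ACT_NET_CONNECT, "203.0.113.7:443",                                              NULL },
    { ACT_FILE_MODIFY, "C:\\Windows\\System32\\drivers\\etc\\hosts",                  "hosts.bak2" },
    { ACT_FILE_DELETE, "C:\\Users\\victim\\Desktop\\invoice.pdf",                      "invoice.pdf.bak" },
};
#define N_TRACE  ((int)(sizeof g_trace / sizeof g_trace[0]))
#define STEP_LEN 200

/* True if an earlier action already captured this target's content. That earlier copy is
 * the pre-infection one and its restore runs last, so the later (malware-modified) copy
 * is skipped rather than restored and then overwritten. */
static int earlier_backup_exists(const struct action *trace, int i) {
    for (int j = 0; j < i; j++)
        if (trace[j].backup && strcmp(trace[j].target, trace[i].target) == 0) return 1;
    return 0;
}

/* Write the inverse of trace[i] into out; returns 0 when no step is needed. */
int inverse_step(const struct action *trace, int i, char *out, size_t cap) {
    const struct action *a = &trace[i];
    switch (a->kind) {
    case ACT_FILE_CREATE:
        return snprintf(out, cap, "delete_file \"%s\"", a->target) > 0;
    case ACT_FILE_MODIFY:
    case ACT_FILE_DELETE:
        if (!a->backup || earlier_backup_exists(trace, i)) return 0;  /* nothing captured, or superseded */
        return snprintf(out, cap, "restore_file \"%s\" from \"%s\"", a->target, a->backup) > 0;
    case ACT_REG_SET:
        if (a->backup) return snprintf(out, cap, "set_reg \"%s\" \"%s\"", a->target, a->backup) > 0;
        return snprintf(out, cap, "delete_reg \"%s\"", a->target) > 0;
    default:
        return 0;
    }
}

/* Walk the trace backwards so each change is undone after the changes that depended on it. */
int build_remediation(const struct action *trace, int n, char script[][STEP_LEN], int max_steps) {
    int steps = 0;
    for (int i = n - 1; i >= 0 && steps < max_steps; i--)
        if (inverse_step(trace, i, script[steps], STEP_LEN)) steps++;
    return steps;
}

static char g_script[16][STEP_LEN];

/* Builds the script for the constructed trace into g_script; returns the step count. */
int build_demo_script(void) {
    return build_remediation(g_trace, N_TRACE, g_script, 16);
}

int main(void) {
    int n = build_demo_script();
    for (int i = 0; i < n; i++) printf("%2d: %s\n", i + 1, g_script[i]);
    return 0;
}
```

For the constructed trace this yields five steps: restore invoice.pdf, restore hosts from hosts.bak1, delete the Run value, delete svc.exe, delete the upd directory. Reads and network connections produce no step because they left nothing on the endpoint to reverse; a real script would also need to stop the dropped process before deleting its image, which this trace does not record.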
Improving incident classification and enrichment by leveraging context from multiple security agents
Patent number: 11882128
Abstract: Systems and methods are described for synergistically combining network security technologies to improve incident classification and enrichment. According to one embodiment, an endpoint protection platform running on an endpoint device receives a request via an event management agent of the endpoint protection platform from an event management service for process information relating to an incident detected by the event management service. The request is caused to be processed by an endpoint detection and response (EDR) service by transmitting the request to an EDR agent of the endpoint protection platform corresponding to the EDR service. A response to the request is received from the EDR service via the EDR agent. The response includes the process information. Enrichment of an alert generated by the event management service based on the process information is facilitated by transmitting the response to the event management service via the event management agent.
Type: Grant
Filed: September 17, 2020
Date of Patent: January 23, 2024
Assignee: Fortinet, Inc.
Inventors: Udi Yavo, Roy Katmor, Ido Kelson
Patent number: 11856008
Abstract: Systems and methods are provided for synergistically combining network security technologies to detect compromised devices. According to one embodiment, an endpoint detection and response (EDR) agent, one of multiple endpoint security agents running on an endpoint device, detects an incident and generates a security incident alert by proactively collecting data regarding the incident. The EDR agent transmits the security incident alert to a security service of a Managed Security Service Provider (MSSP) protecting the private network, via the endpoint security agent that corresponds to that security service, enabling the security service to identify a device coupled to the private network as potentially compromised.
Type: Grant
Filed: December 31, 2020
Date of Patent: December 26, 2023
Assignee: Fortinet, Inc.
Inventors: Udi Yavo, Roy Katmor, Ido Kelson
Publication number: 20230179617
Abstract: Systems and methods for improving security event classification by leveraging user-behavior analytics are provided. According to an embodiment, a UEBA-based security event classification service of a cloud-based security platform maintains information regarding the historical behavior of users of an enterprise network. In response to an event associated with a process on an endpoint device that is part of the enterprise network, an endpoint protection platform running on the endpoint device performs an initial classification of the event and, based on that classification, blocks activity by the process. The endpoint protection platform then requests input from the cloud-based security platform, which reclassifies the event based on contextual information, multiple data feeds and the UEBA-based security event classification service.
Type: Application
Filed: January 17, 2023
Publication date: June 8, 2023
Applicant: Fortinet, Inc.
Inventors: Udi Yavo, Roy Katmor, Ido Kelson
Patent number: 11588839
Abstract: Systems and methods for improving security event classification by leveraging user-behavior analytics are provided. According to an embodiment, a UEBA-based security event classification service of a cloud-based security platform maintains information regarding the historical behavior of users of an enterprise network. In response to an event associated with a process on an endpoint device that is part of the enterprise network, an endpoint protection platform running on the endpoint device performs an initial classification of the event and, based on that classification, blocks activity by the process. The endpoint protection platform then requests input from the cloud-based security platform, which reclassifies the event based on contextual information, multiple data feeds and the UEBA-based security event classification service.
Type: Grant
Filed: December 10, 2019
Date of Patent: February 21, 2023
Assignee: Fortinet, Inc.
Inventors: Udi Yavo, Roy Katmor, Ido Kelson
Publication number: 20230034035
Abstract: Systems and methods for performing multi-feed classification of security events to facilitate automated IR orchestration are provided. According to one embodiment, a cloud-based security service protecting a private network provides a plurality of data feeds, each of which independently classifies a given security event and produces a classification result. In response to an event associated with a process of an endpoint device that is part of the private network, an endpoint protection platform running on the endpoint device performs an initial classification of the event and transmits the classification result to the cloud-based security service for final classification.
Type: Application
Filed: October 3, 2022
Publication date: February 2, 2023
Applicant: Fortinet, Inc.
Inventors: Udi Yavo, Roy Katmor, Ido Kelson
Patent number: 11562068
Abstract: Systems and methods are described for synergistically combining static file based detection and behavioral analysis to improve both threat detection time and accuracy. An endpoint security solution running on an endpoint device generates a static analysis score by performing a static file analysis on files associated with a process initiated on the endpoint device. When the static analysis score meets or exceeds a static analysis threshold, then a network security platform treats the process as malicious and blocks execution of the process. When the static analysis score is less than the static analysis threshold, then the endpoint security solution obtains a dynamic analysis score for the process. The network security platform treats the process as malicious and causes execution of the process to be blocked based on a function of the static analysis score and the dynamic analysis score.
Type: Grant
Filed: December 31, 2019
Date of Patent: January 24, 2023
Assignee: Fortinet, Inc.
Inventors: Udi Yavo, Roy Katmor, Ido Kelson
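The abstract above leaves "a function of the static analysis score and the dynamic analysis score" unspecified. The C program below is an added example for this page, not Fortinet's code or the patent's claimed function; its thresholds, weights, the dynamic-dominates rule and the fallback for an unavailable dynamic score are assumptions made for illustration. It shows the part of the design that matters operationally: dynamic analysis runs only when the static stage was inconclusive, and a file that looks clean statically can still be blocked on its runtime behaviour alone.

```c
#include <stdio.h>

/* Added example (constructed, not the patent's logic). Scores are 0..100. */
#define STATIC_BLOCK_THRESHOLD  80   /* static evidence alone is conclusive at or above this */
#define DYNAMIC_BLOCK_THRESHOLD 90   /* runtime behaviour alone is conclusive at or above this */
#define COMBINED_THRESHOLD      70   /* otherwise the fused score decides */
#define SCORE_UNAVAILABLE       -1   /* dynamic analysis did not finish (timeout, evasion, no sandbox) */

enum verdict { VERDICT_ALLOW = 0, VERDICT_BLOCK = 1 };

/* The dynamic score is obtained through a callback so the caller can see whether
 * the (expensive) dynamic stage was actually run. */
struct dynamic_source {
    int (*get_score)(struct dynamic_source *self);
    int calls;                        /* how many times dynamic analysis ran */
    int canned_score;                 /* what this constructed source reports */
};

static int canned_dynamic(struct dynamic_source *self) {
    self->calls++;
    return self->canned_score;
}

/* Fusion: weighted mean that favours runtime behaviour, which is harder to disguise
 * than file features. The 40/60 split is an assumption of this example. */
int combined_score(int static_score, int dynamic_score) {
    return (40 * static_score + 60 * dynamic_score) / 100;
}

/* Stage 1 uses only the static score; stage 2 runs dynamic analysis only when stage 1
 * was inconclusive, which is what keeps the common path fast. */
enum verdict classify(int static_score, struct dynamic_source *dyn) {
    if (static_score >= STATIC_BLOCK_THRESHOLD) return VERDICT_BLOCK;
    int dynamic_score = dyn->get_score(dyn);
    if (dynamic_score == SCORE_UNAVAILABLE)
        /* fall back to the static evidence alone, judged against the fused threshold */
        return static_score >= COMBINED_THRESHOLD ? VERDICT_BLOCK : VERDICT_ALLOW;
    if (dynamic_score >= DYNAMIC_BLOCK_THRESHOLD) return VERDICT_BLOCK;
    return combined_score(static_score, dynamic_score) >= COMBINED_THRESHOLD ? VERDICT_BLOCK : VERDICT_ALLOW;
}

int main(void) {
    struct dynamic_source dyn = { canned_dynamic, 0, 65 };
    /* constructed cases: a packed but benign-looking binary, then the same static score
     * for a sample that drops a driver when run */
    printf("static 55, dynamic 65 -> %d\n", classify(55, &dyn));   /* fused 61: allow */
    dyn.canned_score = 85;
    printf("static 55, dynamic 85 -> %d\n", classify(55, &dyn));   /* fused 73: block */
    printf("static 95 -> %d (dynamic runs so far: %d)\n", classify(95, &dyn), dyn.calls);
    return 0;
}
```

The unavailable-score branch is the one to think hardest about in a deployment: treating a sandbox timeout as a clean result is an evasion path (malware that sleeps or detects the sandbox never earns a dynamic score), while treating it as malicious blocks every file the sandbox cannot finish. This example splits the difference by falling back to a stricter reading of the static score, labelled as an assumption rather than a recommendation.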
Patent number: 11477214
Abstract: Systems and methods for performing multi-feed classification of security events to facilitate automated IR orchestration are provided. According to one embodiment, a cloud-based security service protecting a private network provides a plurality of data feeds, each of which independently classifies a given security event and produces a classification result. In response to an event associated with a process of an endpoint device that is part of the private network, an endpoint protection platform running on the endpoint device performs an initial classification of the event and transmits the classification result to the cloud-based security service for final classification. The cloud-based security service then provides an output of its automated response engine to the endpoint protection platform, causing the endpoint protection platform to perform an automated incident response.
Type: Grant
Filed: December 10, 2019
Date of Patent: October 18, 2022
Assignee: Fortinet, Inc.
Inventors: Udi Yavo, Roy Katmor, Ido Kelson
Publication number: 20220237129
Abstract: Systems and methods for implementing a secure communication channel between kernel and user mode components are provided. According to an embodiment, a shared memory is provided through which a kernel mode process and a user mode process communicate. The kernel mode process is assigned read-write access to the shared memory. The user mode process is assigned read-only access to the shared memory. An offset-based linked list is implemented within the shared memory. Kernel-to-user messages are communicated from the kernel mode process to the user mode process by adding corresponding nodes to the offset-based linked list. One or more kernel-to-user messages are read by the user mode process following the offset-based linked list in order. The kernel mode process is signaled by the user mode process that a kernel-to-user message has been consumed by the user mode process through an input output control (ioctl) system call or an event object.
Type: Application
Filed: April 12, 2022
Publication date: July 28, 2022
Applicant: Fortinet, Inc.
Inventors: Udi Yavo, Roy Katmor, Ido Kelson
Publication number: 20220210168
Abstract: Systems and methods are provided for synergistically combining network security technologies to detect compromised devices. According to one embodiment, an endpoint detection and response (EDR) agent, one of multiple endpoint security agents running on an endpoint device, detects an incident and generates a security incident alert by proactively collecting data regarding the incident. The EDR agent transmits the security incident alert to a security service of a Managed Security Service Provider (MSSP) protecting the private network, via the endpoint security agent that corresponds to that security service, enabling the security service to identify a device coupled to the private network as potentially compromised.
Type: Application
Filed: December 31, 2020
Publication date: June 30, 2022
Applicant: Fortinet, Inc.
Inventors: Udi Yavo, Roy Katmor, Ido Kelson
Publication number: 20220210173
Abstract: Systems and methods for enabling context-aware zero-trust network access (ZTNA) using security posture insights received from an endpoint agent are provided. According to an embodiment, a Zero Trust Network Access (ZTNA) service module receives, from an endpoint device, an access request for a protected object. The identity of the user of the endpoint device is verified via an identity management system. When identity verification succeeds, the module (i) receives, from an endpoint agent running on the endpoint device, security posture information associated with one or more of the endpoint device, the user and the protected object; (ii) determines, based on a set of ZTNA policies and the security posture information, whether to allow the access request; and (iii) when that determination is affirmative, grants the user access to the protected object via the endpoint device.
Type: Application
Filed: December 31, 2020
Publication date: June 30, 2022
Applicant: Fortinet, Inc.
Inventors: Roy Katmor, Udi Yavo, Ido Kelson
Publication number: 20220166783
Abstract: Systems and methods are described for synergistically combining network security technologies to improve automated response to security incidents. An endpoint security agent running on an endpoint device detects an incident, generates a security incident alert by proactively collecting data regarding the incident, and causes a network access control (NAC) agent to execute an automated network operation based on the security incident alert. In an embodiment, a security device is operable to use EDR data and NAC data in combination to improve asset discovery. The security device may use the EDR data and the NAC data in combination for performing deep vulnerability assessment and taking remedial actions.
Type: Application
Filed: November 26, 2020
Publication date: May 26, 2022
Applicant: Fortinet, Inc.
Inventors: Udi Yavo, Roy Katmor, Ido Kelson
Publication number: 20220159014
Abstract: Systems and methods for mitigating the impact of malware by reversing malware related modifications in a computing device are provided. According to an embodiment, a sandbox service running within a network security platform protecting an enterprise network receives a file containing malware and associated contextual information from an endpoint security solution running on an endpoint device, which has been infected by the malware. The sandbox service captures information regarding a first series of actions performed by the malware and based on the first series of actions generates a remediation script specifying a second series of actions that are configured to restore the endpoint device to a pre-infected state. The network security platform causes the endpoint device to be returned to the pre-infected state by causing the endpoint security solution to execute the remediation script on the endpoint device.
Type: Application
Filed: February 2, 2022
Publication date: May 19, 2022
Applicant: Fortinet, Inc.
Inventors: Udi Yavo, Roy Katmor, Ido Kelson
Patent number: 11314662
Abstract: Systems and methods for implementing a secure communication channel between kernel and user mode components are provided. According to an embodiment, a shared memory is provided through which a kernel mode process and a user mode process communicate. The kernel mode process is assigned read-write access to the shared memory. The user mode process is assigned read-only access to the shared memory. An offset-based linked list is implemented within the shared memory. Kernel-to-user messages are communicated from the kernel mode process to the user mode process by adding corresponding nodes to the offset-based linked list. One or more kernel-to-user messages are read by the user mode process following the offset-based linked list in order. The kernel mode process is signaled by the user mode process that a kernel-to-user message has been consumed by the user mode process through an input output control (ioctl) system call or an event object.
Type: Grant
Filed: March 5, 2020
Date of Patent: April 26, 2022
Assignee: Fortinet, Inc.
Inventors: Udi Yavo, Roy Katmor, Ido Kelson
IMPROVING INCIDENT CLASSIFICATION AND ENRICHMENT BY LEVERAGING CONTEXT FROM MULTIPLE SECURITY AGENTS
Publication number: 20220086173
Abstract: Systems and methods are described for synergistically combining network security technologies to improve incident classification and enrichment. According to one embodiment, an endpoint protection platform running on an endpoint device receives a request via an event management agent of the endpoint protection platform from an event management service for process information relating to an incident detected by the event management service. The request is caused to be processed by an endpoint detection and response (EDR) service by transmitting the request to an EDR agent of the endpoint protection platform corresponding to the EDR service. A response to the request is received from the EDR service via the EDR agent. The response includes the process information. Enrichment of an alert generated by the event management service based on the process information is facilitated by transmitting the response to the event management service via the event management agent.
Type: Application
Filed: September 17, 2020
Publication date: March 17, 2022
Applicant: Fortinet, Inc.
Inventors: Udi Yavo, Roy Katmor, Ido Kelson
Patent number: 11277438
Abstract: Systems and methods for mitigating the impact of malware by reversing malware related modifications in a computing device are provided. According to an embodiment, a sandbox service running within a network security platform protecting an enterprise network receives a file containing malware and associated contextual information from an endpoint security solution running on an endpoint device, which has been infected by the malware. The sandbox service captures information regarding a first series of actions performed by the malware and based on the first series of actions generates a remediation script specifying a second series of actions that are configured to restore the endpoint device to a pre-infected state. The network security platform causes the endpoint device to be returned to the pre-infected state by causing the endpoint security solution to execute the remediation script on the endpoint device.
Type: Grant
Filed: December 10, 2019
Date of Patent: March 15, 2022
Assignee: Fortinet, Inc.
Inventors: Udi Yavo, Roy Katmor, Ido Kelson
Publication number: 20210279184
Abstract: Systems and methods for implementing a secure communication channel between kernel and user mode components are provided. According to an embodiment, a shared memory is provided through which a kernel mode process and a user mode process communicate. The kernel mode process is assigned read-write access to the shared memory. The user mode process is assigned read-only access to the shared memory. An offset-based linked list is implemented within the shared memory. Kernel-to-user messages are communicated from the kernel mode process to the user mode process by adding corresponding nodes to the offset-based linked list. One or more kernel-to-user messages are read by the user mode process following the offset-based linked list in order. The kernel mode process is signaled by the user mode process that a kernel-to-user message has been consumed by the user mode process through an input output control (ioctl) system call or an event object.
Type: Application
Filed: March 5, 2020
Publication date: September 9, 2021
Applicant: Fortinet, Inc.
Inventors: Udi Yavo, Roy Katmor, Ido Kelson