Patents Assigned to Netskope, Inc.
-
Publication number: 20250055783
Abstract: A method and system for mediating non-compliance with residency policies associated with multiple routes within a cloud-based multi-tenant system. The system includes several routes for delivering services to various end user devices, with each route connecting to different cloud services across the Internet. A telemetry beacon is deployed to monitor compliance with pre-configured residency, routing, and performance settings, which link to the multiple residency policies of the routes. An application running on an end user device requests a residency policy from the available residency policies; residency policies control residency requirements for cloud services and routes. The telemetry beacon transmits compliance data related to the selected residency policy to an Application Resource Server (ARS). The ARS detects non-compliance with the residency policy from this telemetry data and updates the route to resolve the issue.
Type: Application
Filed: August 19, 2024
Publication date: February 13, 2025
Applicant: Netskope, Inc.
Inventors: Jacob S. Roersma, Bryan D. Black
-
Patent number: 12225039
Abstract: A system for policy-based vulnerability management of the network equipment of an enterprise is disclosed. A plurality of vulnerabilities associated with an end user device and a plurality of policies associated with those vulnerabilities are identified. Security risks associated with the vulnerabilities are identified based on the type of each vulnerability. Remediation for the vulnerabilities is determined based on the policies and prioritized based on the vulnerabilities, the security risks, and the policies. The policies are based on a cloud service selected from the end user device, a tenant, and a role associated with the end user device. A route corresponding to the policies and the cloud service is identified. The route specifies the end user device or a mid-link server. The cloud service is provided to the end user device via the route.
Type: Grant
Filed: December 17, 2021
Date of Patent: February 11, 2025
Assignee: Netskope, Inc.
Inventor: Brandon Edward Rose
-
Patent number: 12219360
Abstract: A cellular security system that uses multiple policies to protect a cellular network against various threats in a cloud-based environment. The cellular security system includes a tenant with multiple cellular devices and multiple tunnels that receive and route traffic, monitor traffic, capture real-time traffic attributes, and detect anomalies. The cellular security system further includes an anomaly detection model, an alert generator, and an anomaly reporter. The anomaly detection model retrieves baseline profiles from a threat database, loads policies related to a threat, and compares real-time traffic features with the baseline profiles. The anomaly detection model further applies an anomaly detection algorithm to a traffic instance, assigns an anomaly score, and raises a flag for anomaly detection. The alert generator sends an alert to the tenant in the cloud-based environment, and the anomaly reporter notifies a management plane for further remediation of the anomaly.
Type: Grant
Filed: July 24, 2024
Date of Patent: February 4, 2025
Assignee: Netskope, Inc.
Inventors: Milind Gunjan, Kallol Banerjee, Jonathan Bosanac
-
Patent number: 12197583
Abstract: A key management system for providing encryption of a disk in a client device is provided. The system comprises a trusted platform module (TPM) holding a first fragment of a key, a remote storage holding a second fragment of the key, and a processing unit that partially boots the client device, sends a validation request to the TPM, receives the first fragment of the key from the TPM on successful validation, and requests the second fragment of the key from the remote storage with access credentials. The credentials and the network from which the request originates are verified, and the second fragment of the key is transmitted on successful validation. The first fragment and the second fragment are combined to generate the encryption key used to boot the client device. Both fragments of the key are rotatable.
Type: Grant
Filed: July 18, 2022
Date of Patent: January 14, 2025
Assignee: Netskope, Inc.
Inventor: Jason Lee Wolfe
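The split-key boot flow described in this abstract, as an added example (this is not the patent's construction or Netskope code): the volume key is split into two fragments so that neither alone reveals anything about the key, one fragment is released only after a boot measurement validates, the other only to a valid credential from an allowed network, and both fragments can be rotated without changing the key that protects the disk. The XOR split, the `TpmStub` and `RemoteStoreStub` classes, and the credential and network names are this example's assumptions.

```python
"""Added example: two-fragment disk-encryption key with fragment rotation.

The XOR (2-of-2) split and the stub TPM / remote store are assumptions made
for this example; the patent abstract does not specify the construction.
"""
import hashlib
import hmac
import os

KEY_LEN = 32  # 256-bit volume key


def _xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b) == KEY_LEN
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(volume_key: bytes) -> tuple:
    """fragment1 is uniformly random, so each fragment on its own is independent of the key."""
    fragment1 = os.urandom(KEY_LEN)
    return fragment1, _xor(volume_key, fragment1)


def combine(fragment1: bytes, fragment2: bytes) -> bytes:
    return _xor(fragment1, fragment2)


def rotate(fragment1: bytes, fragment2: bytes) -> tuple:
    """XOR one fresh mask into both fragments: both stored values change, the
    combined key does not, so the disk never has to be re-encrypted."""
    mask = os.urandom(KEY_LEN)
    return _xor(fragment1, mask), _xor(fragment2, mask)


class TpmStub:
    """Assumed stand-in for the TPM: unseals fragment1 only if the boot measurement matches."""

    def __init__(self, fragment: bytes, expected_pcr: bytes):
        self._fragment = fragment
        self._expected_pcr = expected_pcr

    def unseal(self, measured_pcr: bytes) -> bytes:
        if not hmac.compare_digest(measured_pcr, self._expected_pcr):
            raise PermissionError("boot measurement mismatch; fragment1 not released")
        return self._fragment


class RemoteStoreStub:
    """Assumed stand-in for the remote store: releases fragment2 only for a known
    credential presented from an allowed network."""

    def __init__(self, fragment: bytes, credential: bytes, allowed_networks: set):
        self._fragment = fragment
        self._credential_hash = hashlib.sha256(credential).digest()
        self._allowed_networks = set(allowed_networks)

    def fetch(self, credential: bytes, source_network: str) -> bytes:
        presented = hashlib.sha256(credential).digest()
        if not hmac.compare_digest(presented, self._credential_hash):
            raise PermissionError("bad credential; fragment2 not released")
        if source_network not in self._allowed_networks:
            raise PermissionError(f"request from {source_network} not allowed")
        return self._fragment


def boot_unlock(tpm: TpmStub, remote: RemoteStoreStub, measured_pcr: bytes,
                credential: bytes, source_network: str) -> bytes:
    """Early-boot step: gather both fragments, then derive the volume key."""
    fragment1 = tpm.unseal(measured_pcr)
    fragment2 = remote.fetch(credential, source_network)
    return combine(fragment1, fragment2)


if __name__ == "__main__":
    key = os.urandom(KEY_LEN)
    f1, f2 = split_key(key)
    tpm = TpmStub(f1, expected_pcr=b"pcr0-golden")
    store = RemoteStoreStub(f2, credential=b"device-token", allowed_networks={"corp-lan"})
    assert boot_unlock(tpm, store, b"pcr0-golden", b"device-token", "corp-lan") == key
    g1, g2 = rotate(f1, f2)
    assert combine(g1, g2) == key and (g1, g2) != (f1, f2)
    print("unlock and rotation OK")
```

The practical point of the XOR split is that a stolen disk plus a dumped TPM fragment still yields nothing without the remote fragment, and the remote store can refuse that fragment when the credential or source network is wrong; rotating both fragments under one mask lets an operator invalidate any previously captured fragment without touching the encrypted volume.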
-
Patent number: 12197590
Abstract: A scoring system to assign an exposure metric to a service accessed by multiple end-user devices in an application layer of a cloud-based system. The scoring system includes multiple tenants comprising multiple end-user devices and a scoring server. The scoring server configures dimensions that are functions of the service. The scoring server identifies a resource and determines a resource metric that is the weight of the resource in a dimension. The scoring server further receives a policy and calculates a policy metric that is the distance of the policy from the origin of a vector space. The scoring server also aggregates the policies and/or the dimensions based on the policy metric, retrieves a dimension metric, and computes the exposure metric for the service. Finally, the scoring server stores the exposure metric of the service and alerts the end-user device about the status of the service.
Type: Grant
Filed: January 29, 2024
Date of Patent: January 14, 2025
Assignee: Netskope, Inc.
Inventor: Prahalad Deshpande
-
Patent number: 12184696
Abstract: The technology discloses a computer-implemented policy manager device for a cloud-based security system that manages cloud-based unified functions of packet-level and protocol-level access control, traffic inspection, threat detection and activity contextualization on inspectable and non-inspectable traffic. Packet-level access control inspects packet headers for malformation, protocol-level access control performs deep packet inspection for malicious signatures, threat detection determines whether traffic in an HTTP/S stream is directed to a threat destination, and activity contextualization recognizes whether an activity in an HTTP/S stream accessing a cloud-based application is a compromising activity.
Type: Grant
Filed: July 23, 2021
Date of Patent: December 31, 2024
Assignee: NetSkope, Inc.
Inventors: Kartik Subbanna, Kand Ly, Amit Ganesh Datar
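The abstract's "packet-level access control inspects packet headers for malformation" is the one function here concrete enough to show. As an added example (not the patent's or Netskope's code), the following checks an IPv4 header for the malformations a packet filter would reject before any deeper inspection: truncation, bad version or IHL, length fields that disagree with the captured bytes, reserved flag bits, fragments whose reassembled size would exceed 65535 bytes, and a bad header checksum. The particular checks, the `build_ipv4_header` helper, and the sample packets are this example's own.

```python
"""Added example: IPv4 header malformation checks in front of deeper inspection.

The check list and the sample packets are constructed for this example;
the patent abstract names the function but not the individual checks.
"""
import socket
import struct

IPV4_MIN_HDR = 20
IPV4_MAX_DATAGRAM = 65535


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 ones-complement sum. Returns 0 for a header whose checksum field is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, ttl: int = 64,
                      proto: int = 17, flags: int = 0, frag_off: int = 0) -> bytes:
    """Minimal 20-byte header with a correct checksum; used to construct samples."""
    total_len = IPV4_MIN_HDR + payload_len
    raw = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234,
                      (flags << 13) | frag_off, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return raw[:10] + struct.pack("!H", ipv4_checksum(raw)) + raw[12:]


def check_ipv4_header(pkt: bytes) -> list:
    """Return the list of malformation findings; an empty list means the header passes."""
    findings = []
    if len(pkt) < IPV4_MIN_HDR:
        return ["truncated: fewer than 20 bytes"]
    ver_ihl, _tos, total_len, _ident, flags_frag, ttl, _proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:IPV4_MIN_HDR])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    flags, frag_off = flags_frag >> 13, flags_frag & 0x1FFF
    if version != 4:
        findings.append(f"version {version} != 4")
    if ihl < IPV4_MIN_HDR:
        findings.append(f"IHL {ihl} bytes < 20")
    elif ihl > len(pkt):
        findings.append("IHL exceeds captured bytes")
    if total_len < max(ihl, IPV4_MIN_HDR):
        findings.append("total length smaller than header length")
    if total_len > len(pkt):
        findings.append("total length exceeds captured bytes")
    if ttl == 0:
        findings.append("TTL is zero")
    if flags & 0b100:
        findings.append("reserved flag bit set")
    if (flags & 0b001) and (total_len - ihl) % 8:
        findings.append("MF set but fragment payload not a multiple of 8")
    if frag_off * 8 + (total_len - ihl) > IPV4_MAX_DATAGRAM:
        findings.append("reassembled datagram would exceed 65535 bytes")
    # Only verify the checksum over a header whose IHL is itself sane.
    if IPV4_MIN_HDR <= ihl <= len(pkt) and ipv4_checksum(pkt[:ihl]) != 0:
        findings.append("header checksum mismatch")
    return findings


if __name__ == "__main__":
    good = build_ipv4_header("10.0.0.1", "10.0.0.2", payload_len=8) + b"\x00" * 8
    oversize = build_ipv4_header("10.0.0.1", "10.0.0.2", payload_len=8, frag_off=0x1FFF) + b"\x00" * 8
    print("good:", check_ipv4_header(good))
    print("oversize fragment:", check_ipv4_header(oversize))
```

The ordering matters: length and IHL are validated before anything indexes into the packet with them, and the checksum is only computed over a header whose IHL is plausible, so a crafted IHL cannot steer the checker into reading past the buffer.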
-
Patent number: 12166776
Abstract: A system uses an artificial intelligence (AI) engine to generate a response for end-user devices using services and to provide threat protection in a cloud-based network. The system consists of tenants, tunnels, the AI engine, and an AI reporter. A tenant includes the end-user devices. The tunnels transmit and segregate traffic between the end-user devices and the services. The AI engine intercepts traffic within the tunnels, receives a request from a user, and determines a context. The AI engine further retrieves a user score for policy violations, analyzes the request, and applies functions to manage it. The context is built by analyzing interactions of users for similar requests. The AI engine generates the response based on the context and the user score and sends it to the user to fulfill the request. The AI reporter transmits information corresponding to the request and response across the tenants of the cloud-based network.
Type: Grant
Filed: January 31, 2024
Date of Patent: December 10, 2024
Assignee: Netskope, Inc.
Inventors: Stevan W. Pierce, Jr., Damian Charles Chung, Robert Wayne Butler, II, Madhura Sridhar
-
Patent number: 12166782
Abstract: An Internet Protocol (IP) address assignment method in a cloud-based multi-tenant system for assigning unique IP addresses to a plurality of client devices of a plurality of users. Network traffic including a data request from a client device to a cloud provider via an ingress tunnel is monitored by a mid-link server. A user of the client device is identified from the data request. A policy is identified based on the tenant of the user and a plurality of applications for the client device. An IP address is assigned to the client device of the user based on the policy. Each client device is assigned a unique IP address. The network traffic egresses via an egress tunnel from the mid-link server. The data request is routed from the client device to the cloud provider using the IP address of the client device.
Type: Grant
Filed: December 5, 2023
Date of Patent: December 10, 2024
Assignee: Netskope, Inc.
Inventors: Jason Hofmann, Jason Eggleston, Piyush Patel, Lonhyn T. Jasinskyj
-
Publication number: 20240394544
Abstract: Disclosed are methods and systems for customizing a deep learning ("DL") stack to detect organization-sensitive data in images, referred to as image-borne organization-sensitive documents, and protecting against loss of those documents. The methods and systems include distributing a trained master DL stack with stored parameters to a plurality of organizations; providing at least some of the organizations with a DL stack update trainer, under the organizations' control, configured to save, during generation of updated DL stacks, non-invertible features derived from images of organization-sensitive training examples, ground truth labels for the images, and parameters of the updated DL stacks; and receiving, from at least one of the DL stack update trainers, organization-specific examples comprising the non-invertible features and the ground truth labels, without receiving the images of the organization-specific examples.
Type: Application
Filed: August 7, 2024
Publication date: November 28, 2024
Applicant: Netskope, Inc.
Inventors: Xiaolin Wang, Siying Yang, Krishna Narayanaswamy, Yi Zhang
-
Publication number: 20240396837
Abstract: A method and system for reducing the triggering of throughput penalties imposed on a group of users by a software-as-a-service (SaaS) server due to Application Programming Interface (API) calls exceeding limits of the SaaS server. The approaches include intercepting requests to the SaaS server from a user group and monitoring the rate of API calls forwarded to the SaaS server, identifying one or more power users based on a notification threshold value for the user group, and managing the rate of the API calls for the requests submitted by the identified power users of the user group in accordance with an API call throttle limit, thus remediating the triggering of the throughput penalty.
Type: Application
Filed: August 5, 2024
Publication date: November 28, 2024
Applicant: Netskope, Inc.
Inventors: Chandrasekaran Rajagopalan, Brian Miller
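The mechanism this abstract describes, as an added example (not the patent's or Netskope's code): API calls forwarded to the SaaS server are counted per user in a sliding window, a user whose count crosses the group's notification threshold is flagged as a power user, and from then on that user's calls are held once they reach the throttle limit while other users pass unmetered. The window size, thresholds, the `ApiCallGovernor` class and the constructed call trace are this example's assumptions.

```python
"""Added example: per-user API-call governor in front of a SaaS server.

Sliding-window counting, the threshold values and the sample trace are
assumptions of this example; the patent abstract names the mechanism only.
"""
from collections import defaultdict, deque


class ApiCallGovernor:
    """Counts forwarded API calls per user for one user group and throttles power users."""

    def __init__(self, window_s: float, notify_threshold: int, throttle_limit: int):
        self.window_s = window_s              # sliding window the SaaS limit is measured over
        self.notify_threshold = notify_threshold  # calls/window at which a user becomes a power user
        self.throttle_limit = throttle_limit  # calls/window a power user may have in flight
        self._calls = defaultdict(deque)      # user -> timestamps of calls forwarded in the window
        self.power_users = set()

    def _prune(self, user: str, now: float) -> deque:
        q = self._calls[user]
        while q and now - q[0] >= self.window_s:
            q.popleft()
        return q

    def rate(self, user: str, now: float) -> int:
        """Calls forwarded for this user within the current window."""
        return len(self._prune(user, now))

    def handle(self, user: str, now: float) -> str:
        """Decide one intercepted request: 'forward', 'forward+notify' or 'throttle'."""
        q = self._prune(user, now)
        if user in self.power_users and len(q) >= self.throttle_limit:
            return "throttle"  # hold or queue the call rather than forwarding it to the SaaS
        q.append(now)          # the call is forwarded; it now counts against the window
        if user not in self.power_users and len(q) >= self.notify_threshold:
            self.power_users.add(user)
            return "forward+notify"
        return "forward"


def replay(governor: ApiCallGovernor, trace) -> list:
    """Run a (user, timestamp) trace through the governor; returns the decisions in order."""
    return [governor.handle(user, t) for user, t in trace]


if __name__ == "__main__":
    # Constructed trace: alice bursts, bob calls occasionally.
    g = ApiCallGovernor(window_s=10, notify_threshold=5, throttle_limit=6)
    trace = [("alice", t) for t in range(7)] + [("bob", 6), ("alice", 12)]
    for (user, t), decision in zip(trace, replay(g, trace)):
        print(f"t={t:>2} {user:<6} {decision}")
```

Two design points worth noting: a call is only counted once it is actually forwarded, so throttled calls do not inflate the rate that caused the throttle; and the power-user flag is sticky, so a user who bursts once stays subject to the throttle limit rather than being re-notified on every window.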
-
Publication number: 20240396873
Abstract: A controlled content system for providing a controlled and contained environment that is remotely accessible is disclosed. A third-party application on the end user device is modified to allow certain sites and services to be mediated in a mid-link server. The app uses policies to know when to access the mid-link server for the controlled and contained environment. Policies can specify the type of processing performed on the mid-link server. Some embodiments support the app selectively using the mid-link server for mediated sites and services. A mediation switch of a mediated program of the third-party application determines, using the policy cache, whether the network packet traffic is mediated through the mid-link server. The mediation switch includes algorithms that determine the mediated network packet traffic based on one or more parameters.
Type: Application
Filed: May 28, 2024
Publication date: November 28, 2024
Applicant: Netskope, Inc.
Inventor: Bradley B. Harvell
-
Publication number: 20240396961
Abstract: A method and system for switching routes based on conditions in cloud-based multi-tenant systems is disclosed. Routes deliver services to end user devices. The routes are specified for policies. The policies specify residencies for the routes, cloud services, and data storage. An application running on an end user device selects a policy and a cloud service. A route corresponding to the policy and the cloud service is returned to the application.
Type: Application
Filed: July 1, 2024
Publication date: November 28, 2024
Applicant: Netskope, Inc.
Inventors: Bryan D. Black, Jacob S. Roersma
-
Publication number: 20240372908
Abstract: Disclosed is distributed routing and load balancing in a dynamic service chain, receiving a packet at a first service instance, the packet including a network service header (NSH) imposed on it by a service classifier. The NSH includes a stream affinity code that is consistent for all packets in a stream. The method also includes processing the packet at the first instance, where the instance performs a first service in a service chain that includes second and third services. The first service instance accesses a flow table using the stream affinity code to select a second service instance from among the service instances performing the second service, and the first instance routes the packet to the selected second service instance upon egress from the first service instance. The method can include hashing the stream affinity code to access the flow table and accessing an available instance using the hash as a key into a CHT.
Type: Application
Filed: December 26, 2023
Publication date: November 7, 2024
Applicant: Netskope, Inc.
Inventors: Umesh Bangalore Muniyappa, Ravi Ithal
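The selection step this abstract describes, as an added example (not the patent's or Netskope's code): the first service keeps a flow table keyed by the stream affinity code, and on a miss hashes the code onto a consistent-hash ring of second-service instances, so every packet of a stream reaches the same instance and losing an instance remaps only the streams that were on it. Reading the abstract's "CHT" as a consistent-hash table, representing the NSH as a dict, and the vnode count and instance names are this example's assumptions.

```python
"""Added example: stream-affinity next-hop selection in a service chain.

Ring layout, vnode count, the dict-shaped NSH and the instance names are
assumptions of this example; the abstract names the flow table and the CHT.
"""
import bisect
import hashlib


def _h64(key: str) -> int:
    """64-bit ring position derived from a string key."""
    return int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big")


class ConsistentHashTable:
    """Ring of second-service instances; each instance owns `vnodes` points on the ring."""

    def __init__(self, instances, vnodes: int = 64):
        self.vnodes = vnodes
        self._keys, self._owners = [], []  # parallel lists sorted by ring position
        for inst in instances:
            self.add(inst)

    def add(self, inst: str) -> None:
        for i in range(self.vnodes):
            k = _h64(f"{inst}#{i}")
            idx = bisect.bisect_left(self._keys, k)
            self._keys.insert(idx, k)
            self._owners.insert(idx, inst)

    def remove(self, inst: str) -> None:
        kept = [(k, o) for k, o in zip(self._keys, self._owners) if o != inst]
        self._keys = [k for k, _ in kept]
        self._owners = [o for _, o in kept]

    def lookup(self, affinity_code: int) -> str:
        """Instance owning the first ring point at or after hash(affinity code), wrapping around."""
        if not self._keys:
            raise LookupError("no second-service instances available")
        idx = bisect.bisect_right(self._keys, _h64(str(affinity_code))) % len(self._keys)
        return self._owners[idx]


class FirstServiceInstance:
    """The first hop: flow table in front of the CHT, keyed by the NSH stream affinity code."""

    def __init__(self, cht: ConsistentHashTable):
        self.cht = cht
        self.flow_table = {}  # affinity code -> chosen second-service instance

    def route(self, nsh: dict) -> str:
        code = nsh["affinity"]
        nxt = self.flow_table.get(code)
        if nxt is None:  # first packet of the stream: consult the CHT and pin the choice
            nxt = self.flow_table[code] = self.cht.lookup(code)
        return nxt

    def on_instance_down(self, inst: str) -> int:
        """Drop the instance from the ring and evict only the flows pinned to it."""
        self.cht.remove(inst)
        stale = [code for code, owner in self.flow_table.items() if owner == inst]
        for code in stale:
            del self.flow_table[code]
        return len(stale)


if __name__ == "__main__":
    cht = ConsistentHashTable(["svc2-a", "svc2-b", "svc2-c"])
    first = FirstServiceInstance(cht)
    for code in (7, 7, 1001):  # constructed NSH values; the repeated code stays on one instance
        print(code, "->", first.route({"affinity": code}))
    print("evicted after svc2-b failure:", first.on_instance_down("svc2-b"))
```

Pinning in the flow table and consistent hashing solve different problems: the flow table keeps an existing stream on its instance even after new instances join the ring, while the ring guarantees that when an instance is removed only its own streams have to be re-placed.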
-
Patent number: 12137389
Abstract: Systems and methods for computing device association are described. One aspect includes receiving first and second network communication data for a first and a second computing device over a communication network, respectively. For each computing device, a first and a second data set are extracted from the first and second network communication data, respectively. The first data set includes first spatial data and first temporal data associated with the first computing device. The second data set includes second spatial data and second temporal data associated with the second computing device. The first and second data sets are correlated. A first geometric distance between the first temporal data and the second temporal data and a second geometric distance between the first spatial data and the second spatial data are computed. The method identifies that the first computing device and the second computing device belong to a common user.
Type: Grant
Filed: December 15, 2021
Date of Patent: November 5, 2024
Assignee: NETSKOPE, INC.
Inventors: Shahab Sheikh-Bahaei, Srinivas Akella
-
Patent number: 12132757
Abstract: The technology disclosed prevents phishing attacks in which a malicious attacker creates a malicious file in a cloud-based store and shares it with endpoint users. A user opening the shared document is redirected to a malicious website where a corporation's critical data may be compromised. The cloud-based method applies a set of rules and policies to allow the shared document or block it from the network, based on identifying the ownership or originator of the shared document. Documents from blacklisted websites are blocked. Documents from trusted sources are allowed access to the network. Unknown documents are blocked and threat-scanned to determine whether they contain malicious content. If analysis proves a blocked document to be safe, it may be released into the network along with subsequent documents having the same ownership or originator.
Type: Grant
Filed: July 30, 2021
Date of Patent: October 29, 2024
Assignee: NetSkope, Inc.
Inventors: Anupam Kumar, Prasenna Ravi, Muhammed Shafeek, Venkataswamy Pathapati
-
Patent number: 12126655
Abstract: A policy-controlled access system comprising a client device running a local application. A mid-link server monitors network traffic from the client device. The network traffic includes third-party content accessed by a user on the client device. A request for data from the end user is received by the local application, a category associated with the request is determined, and a plurality of policies governing access to the data is determined based on the category. A machine-learning-based Uniform Resource Locator (URL) score associated with the data is determined from URLs extracted from user activities. A machine-learning-based policy engine preference is generated from the priority levels of the policies. Access to the data is provided based on the URL score in accordance with the policy engine preference.
Type: Grant
Filed: May 18, 2023
Date of Patent: October 22, 2024
Assignee: Netskope, Inc.
Inventors: Siva Prasad Badana, Naiming Chu
-
Publication number: 20240348691
Abstract: A multi-tenant cloud-native system for providing network connections between a plurality of gateway endpoints using prioritized tags and secure tunnels. An end-user device includes a client endpoint that sends a request to a cloud control plane to establish a network connection with a service endpoint of a gateway endpoint. Tags are assigned to the gateway endpoints in the network and are classified into one or more categories based on tag policies. One or more tags are prioritized for the network connection in a prioritizing order. Connectivity of the tags and the tunnels between the gateway endpoints is identified from the network traffic of devices corresponding to the gateway endpoints. A database of devices with device addresses is consulted to determine routes between the gateway endpoints. A secure tunnel is selected from the tunnels based on the tags, and the network connection is established via the secure tunnel using the routes.
Type: Application
Filed: April 22, 2024
Publication date: October 17, 2024
Applicant: Netskope, Inc.
Inventors: Parag Pritam Thakore, Sunil Mukundan, Anupam Rai
-
Publication number: 20240348459
Abstract: The disclosed technology teaches a method of operating an inspection proxy for encrypted sessions between users in an organization serviced by the inspection proxy and cloud-based services accessed by the users. The method comprises providing the inspection proxy with an intermediate certificate authority that holds a certificate authority (CA) certificate that browsers operated by the users in the organization recognize as authorized to sign end-entity certificates, by virtue of being chained to a root certificate recognized by the browsers.
Type: Application
Filed: April 13, 2024
Publication date: October 17, 2024
Applicant: Netskope, Inc.
Inventors: Krishna NARAYANASWAMY, Siming WU, Sridhar B. VENKATAGOWDA
-
Publication number: 20240333626
Abstract: A method for providing data exchange over a secure tunnel in a multi-tenant cloud-native control plane system. A request to access data is received by the cloud control plane. The cloud control plane provisions a network connection to a service endpoint at a cloud provider, providing access through a data plane and a control plane. The control plane identifies routing information from the network traffic of multiple end-user devices to establish the connection. Resiliency of the network is determined from control-plane or data-plane failures, and the connection is maintained. Network patterns are identified in the network traffic; the cloud control plane uses them to determine a network policy for data access and routing. The secure tunnel is chosen from multiple tunnels based on the network policy and the routing information. Data packets are forwarded by the data plane over the secure tunnel, and data access is provided to the client endpoint through it.
Type: Application
Filed: February 26, 2024
Publication date: October 3, 2024
Applicant: Netskope, Inc.
Inventors: Parag Pritam Thakore, Sunil Mukundan, Anupam Rai
-
Patent number: 12107828
Abstract: A cloud network for delivering local content to a user at a user location. The cloud network includes a client device comprising a local application, a mid-link server and a cloud provider. The mid-link server receives from the client device a request for local data from the user at the user location. The user has provided the request for the local data from a user location without a data center. A sub-data center for the user location is identified and assigned an Internet Protocol (IP) address for the user location. The sub-data center is the data center nearest to the user location. Each data center has IP addresses for different locations to deliver the local content to the respective IP address for the location. The request is routed to the sub-data center, which is used to provide the local data to the user by the cloud provider.
Type: Grant
Filed: December 5, 2023
Date of Patent: October 1, 2024
Assignee: Netskope, Inc.
Inventors: Jason Hofmann, Jason Eggleston, Piyush Patel, Lonhyn T. Jasinskyj