Patents Assigned to Palo Alto Networks, Inc.
-
Patent number: 12388874
Abstract: Increasing use of web-based applications or Software-as-a-Service and IoT devices within enterprise networks increases the variety of network traffic and variables for consideration in managing security posture, which includes policy management. A security posture management system as disclosed herein leverages application identification and device discovery from ongoing collection and analysis of network traffic data to manage policies at device granularity allowing tailored security posture management. The system can tailor policies to handle network traffic depending on identified application and device type inputs obtained from the ongoing collection and analysis. The security posture management system can configure SD-WAN construct based parameters of a policy to tailor policies for different application traffic from different types of devices.
Type: Grant
Filed: April 28, 2023
Date of Patent: August 12, 2025
Assignee: Palo Alto Networks, Inc.
Inventors: Arunkumar Mutharasanallur Desigan, Vamsidhar Valluri, Venkata Sarat Kumar Vajrapu, Gong Cheng, Madhusudhan Donthi Nagaraju, Anil Kumar Reddy Sirigiri
-
Patent number: 12380220
Abstract: Automated attribute scraping for security feature implementation with a single trained machine model across security features improves prediction quality and efficiency of predictions. A security feature implementation prediction system (system) generates search engine queries for each security feature based on high importance tokens for the security feature. The system ranks URLs returned from each search engine query for relevance, then preprocesses and inputs content for top-ranked URLs into the trained machine learning models. The system identifies implemented security features output based on confidence values output by the trained machine learning model and identifies sentences that describe the implementations in corresponding content for top-ranked URLs.
Type: Grant
Filed: March 2, 2023
Date of Patent: August 5, 2025
Assignee: Palo Alto Networks, Inc.
Inventors: Nandini Ramanan, William Redington Hewlett, II, Manish Mradul
-
Patent number: 12381902
Abstract: Techniques for providing Internet of Things (IoT) security are disclosed. An applicable system includes profiling IoT devices to limit the number of network signatures applicable to the IoT devices and performing pattern matching using a pattern that is appropriate for the profile of a given IoT device.
Type: Grant
Filed: July 25, 2023
Date of Patent: August 5, 2025
Assignee: Palo Alto Networks, Inc.
Inventors: Jun Du, Mei Wang, Hector Daniel Regalado, Jianhong Xia
-
Patent number: 12381910
Abstract: The present application discloses a method, system, and computer system for detecting malicious SQL or command injection strings. The method includes obtaining an SQL or command injection string and determining whether the command injection string is malicious based at least in part on a machine learning model.
Type: Grant
Filed: July 12, 2022
Date of Patent: August 5, 2025
Assignee: Palo Alto Networks, Inc.
Inventors: Zhibin Zhang, Jin Chen, Yu Fu, Stefan Achleitner, Bo Qu, Lei Xu
-
Patent number: 12380212
Abstract: The present application discloses a method, system, and computer system for detecting Return Oriented Programming (ROP) exploits. The method includes (i) intercepting, by one or more processors, a memory attribute change function for a sample; (ii) determining if a return address is associated with a shellcode address, and (iii) in response to determining that the return address is associated with the shellcode address, determining that the sample is an ROP exploit.
Type: Grant
Filed: March 16, 2023
Date of Patent: August 5, 2025
Assignee: Palo Alto Networks, Inc.
Inventors: Tao Yan, Edouard Bochin, Bo Qu, Zhibin Zhang, Michael Harbison
-
Patent number: 12375471
Abstract: An orchestrator that manages security appliances for an organization determines a sink configured for traffic mirroring and correspondingly configures components for secure conveyance of mirrored traffic to a sink. The orchestrator configures a VM associated with the mirroring sink to use correlated packets and tunnel keys to securely convey the packets to an organization. The virtual machine decrypts each set of packets with the correlated tunnel key in memory and then re-encrypts the packets with a cryptographic key (hereinafter “random key”) generated on-the-fly for use on the current set of decrypted packets in memory. The virtual machine then encrypts the random key with a public key of the organization that will monitor and/or analyze the traffic data and writes the encrypted packets and/or packet contents and encrypted random key to a specified repository of the organization.
Type: Grant
Filed: July 31, 2023
Date of Patent: July 29, 2025
Assignee: Palo Alto Networks, Inc.
Inventors: Zhanglin He, Tripti Agarwal, Kavitha Sivagnanam, Tushar Vyankatesh Nargunde, Jose Carlos Sagrero Dominguez
-
Patent number: 12373434
Abstract: Dynamic partitioning of a search space of queries is implemented for flexible, heuristic database querying. Search space partitioning refers to dividing the search space for a submitted query into smaller parts by augmenting the queries to append thereto an additional predicate comprising a dynamic partition key and a value(s) selected based on heuristics (e.g., recency and/or relevancy of the value(s)). A plurality of candidate augmentations of the query and corresponding query plans are generated and evaluated based on additional heuristics to determine which can be executed to yield the best results in terms of result quality and latency. This query plan is selected and executed for retrieval of results that satisfy the query, with pagination utilized for presentation of the results. The procedure of generating candidate query plans, selecting one of the candidates for execution, and paginating results is repeated until a search termination criterion is satisfied.
Type: Grant
Filed: February 13, 2024
Date of Patent: July 29, 2025
Assignee: Palo Alto Networks, Inc.
Inventors: Chandra Biksheswaran Mouleeswaran, Amit Agarwal, Prashant Kumar Pathak, Xiaoyan Wang
-
Patent number: 12375922
Abstract: Techniques for selective intelligent enforcement for mobile networks using a security platform are disclosed.
Type: Grant
Filed: April 3, 2024
Date of Patent: July 29, 2025
Assignee: Palo Alto Networks, Inc.
Inventors: Sachin Verma, Leonid Burakovsky, John Edward McDowall, Apoorva Jain
-
Patent number: 12368713
Abstract: Mitigating multiple authentications for a geo-distributed security service is disclosed. A request to access a web service from a client device is received. The request is redirected to a geo-distributed authentication service including a distributed cache for storing a user's authentication authorization. An authorization token included in a distributed authentication cache cookie and uniform resource locator (URL) for the web service to facilitate secure access to the web service from the client device are returned.
Type: Grant
Filed: September 13, 2021
Date of Patent: July 22, 2025
Assignee: Palo Alto Networks, Inc.
Inventors: Suraj Kumar Jaiswal, Krishna Murthy Pokuri, Manish Pathak, Aditya Srinivasa Ivaturi
-
Patent number: 12361130
Abstract: Methods, storage systems and computer program products implement embodiments of the present invention for protecting a computing device, which includes a processor and a memory and is coupled to a storage device storing a set of one or more files. In embodiments of the present invention, a call to a specified function for execution by the processor is detected, and a stack trace for the call to the specified function is generated in the memory. Upon detecting, in the stack trace, a stack frame including a return address referencing a shellcode region in the memory, wherein the shellcode region includes executable code that was not loaded from any given file on the storage device, then the referenced executable code is compared to a list of malicious shellcode. Finally, a preventive action is initiated upon detecting a match between the referenced executable code and one of malicious shellcodes in the list.
Type: Grant
Filed: April 17, 2023
Date of Patent: July 15, 2025
Assignee: Palo Alto Networks, Inc.
Inventors: Or Chechik, Liav Zigelbaum, Eldar Aharoni, Bar Lahav
-
Patent number: 12355819
Abstract: Techniques for mobile user identity and/or SIM-based IoT identity and application identity based security enforcement in service provider networks (e.g., service provider networks for mobile subscribers) are disclosed. In some embodiments, a system/process/computer program product for mobile user identity and/or SIM-based IOT identity and application identity based security enforcement in service provider networks includes monitoring network traffic on a service provider network at a security platform to identify a subscriber identity for a new session; determining an application identifier for user traffic associated with the new session at the security platform; and determining a security policy to apply at the security platform to the new session based on the subscriber identity and the application identifier.
Type: Grant
Filed: January 19, 2024
Date of Patent: July 8, 2025
Assignee: Palo Alto Networks, Inc.
Inventors: Sachin Verma, Leonid Burakovsky, Jesse C. Shu, Lei Chang
-
Patent number: 12355792
Abstract: Detection of strategically aged domains is detected. A list of aged dormant domains is determined, including by evaluating passive Domain Name System (DNS) information. The list of aged dormant domains is monitored for a change by an aged dormant domain from a dormant domain status to an active status. In response to determining the change to active status of the aged dormant domain, an action is taken with respect to the aged dormant domain.
Type: Grant
Filed: November 30, 2022
Date of Patent: July 8, 2025
Assignee: Palo Alto Networks, Inc.
Inventors: Zhanhao Chen, Daiping Liu, Wanjin Li, Fan Fei
-
Patent number: 12348513
Abstract: Zero trust network security is provided without modifying the underlying network infrastructure. A first entity at a first node in a network environment obtains an entity identifier and host certificate from a second entity installed on a second node. A determination is made as to whether the host certificate is valid based on a firewall policy and an intermediate certificate that was issued to the first entity. A determination is also made as to whether the entity identifier is valid based on a known infrastructure of the network environment. If the host certificate and entity identifier are valid, communications between the first and second entities can be allowed, while communications are blocked if at least one of the host certificate and the entity identifier is not valid.
Type: Grant
Filed: March 8, 2024
Date of Patent: July 1, 2025
Assignee: Palo Alto Networks, Inc.
Inventors: Liron Levin, Eran Yanay, Dima Stopel
-
Patent number: 12348560
Abstract: The detection of phishing Portable Document Format (PDF) files using an image-based deep learning approach is disclosed. A PDF document that includes a Universal Resource Locator is received. A likelihood that the received PDF document represents a phishing threat is determined, at least in part, by using an image based model. A verdict for the PDF document is provided as output based at least in part on the determined likelihood.
Type: Grant
Filed: May 2, 2022
Date of Patent: July 1, 2025
Assignee: Palo Alto Networks, Inc.
Inventors: Min Du, Hao Huang, Curtis Leland Carmony, Wenjun Hu, Daniel Raygoza, Tyler Pals Halfpop, Jeff White, Esmid Idrizovic
-
Patent number: 12348563
Abstract: Detection of squatting domains is disclosed. A set of new fully qualified domain names (FQDNs) is received. The set of new FQDNs is analyzed to detect domain squatting by identifying a subset of the new FQDNs as candidate squatting domains. The candidate squatting domains are distributed to a security device/service.
Type: Grant
Filed: March 19, 2024
Date of Patent: July 1, 2025
Assignee: Palo Alto Networks, Inc.
Inventors: Zhanhao Chen, Jun Wang, Daiping Liu
-
Patent number: 12335290
Abstract: A system has been designed that examines details of a security advisory against informal vulnerability records. The system generates a vulnerability match confidence value based on comparison of different details in the security advisory against the informal vulnerability records. Based on the comparisons, the system determines similarity of different details between the security advisory and the informal vulnerability records and cumulatively updates a vulnerability match confidence value with various detail similarity weights according to the determined similarities. Based on the vulnerability match confidence value, the system can classify or designate a security advisory for automatic merging or for manual examination. This reduces the burden on cybersecurity personnel and allows cybersecurity personnel to focus their limited resources on analyzing new vulnerabilities.
Type: Grant
Filed: May 31, 2022
Date of Patent: June 17, 2025
Assignee: Palo Alto Networks, Inc.
Inventors: Ariel M. Zelivansky, Sharon Ben Zeev, Shaul Ben Hai, Liron Levin
-
Patent number: 12335231
Abstract: A configuration of a cloud application exposed via a public IP address is duplicated with modifications to include a private IP address to expose the application internally. The original configuration is updated so that external network traffic sent to the application is redirected to and distributed across agents running on nodes of a cloud cluster by which web application firewalls (WAFs) are implemented. A set of agents for which the respective WAFs should inspect the redirected network traffic are selected based on cluster metrics, such as network and resource utilization metrics. The redirected network traffic targets a port allocated to the agents that is unique to the application, where ports are allocated on a per-application basis so each of the agents can support WAF protection for multiple applications. Network traffic which a WAF allows to pass is directed from the agent to the application via its private IP address.
Type: Grant
Filed: December 27, 2022
Date of Patent: June 17, 2025
Assignee: Palo Alto Networks, Inc.
Inventors: Liron Levin, Isaac Schnitzer, Elad Shuster, Ory Segal
-
Patent number: 12328329
Abstract: A system and methods for protecting a serverless application, the system including: (a) a serverless application firewall configured to inspect input of the serverless function so as to ascertain whether the input contains malicious, suspicious or abnormal data; and (b) a behavioral protection engine configured to monitor behaviors and actions of the serverless functions during execution thereof.
Type: Grant
Filed: March 12, 2024
Date of Patent: June 10, 2025
Assignee: Palo Alto Networks, Inc.
Inventors: Avraham Shulman, Ory Segal, Shaked Yosef Zin
-
Patent number: 12328625
Abstract: Techniques for applying context-based security over interfaces in NG-RAN environments in mobile networks are disclosed. In some embodiments, a system/process/computer program product for applying context-based security over interfaces in NG-RAN environments in mobile networks includes monitoring network traffic on a mobile network at a security platform to identify a GTP-U tunnel session setup message associated with a new session; extracting a plurality of parameters from the GTP-U tunnel session setup message and from XnAP traffic to extract contextual information at the security platform; and enforcing a security policy at the security platform on the new session based on one or more of the plurality of parameters to apply context-based security to the network traffic transported between NG-RAN nodes in an NG-RAN environment in the mobile network.
Type: Grant
Filed: February 27, 2024
Date of Patent: June 10, 2025
Assignee: Palo Alto Networks, Inc.
Inventors: Sachin Verma, Leonid Burakovsky
-
Patent number: 12328256
Abstract: Techniques for supporting overlapping network addresses universally are disclosed. A system, process, and/or computer program product for supporting overlapping network addresses universally includes generating at least two virtual routers for a cloud security service, the at least two virtual routers including a first virtual router and a second virtual router, routing cloud security service packets using the first virtual router, and routing enterprise subscriber packets using the second virtual router.
Type: Grant
Filed: August 10, 2022
Date of Patent: June 10, 2025
Assignee: Palo Alto Networks, Inc.
Inventors: Jia Chen, Hao Long, Shu Lin