Patents by Inventor Guy Lewin
Guy Lewin has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
- Publication number: 20240106802
  Abstract: The implementation of application layer-based and transport-layer based security rules via a reverse proxy server chain is described. Each reverse proxy server in the chain is configured to perform a particular function with respect to client messages intended for a destination server and/or convey contextual information pertaining to the messages to a subsequent reverse proxy server in the chain. For instance, a first reverse proxy server in the chain is configured to include client-specific metadata in the transport layer of the message. A second reverse proxy server in the chain enforces transport layer-based policy rules based on the metadata. This enables the second reverse proxy server to manage transport layer connections on a client-by-client basis, thereby enabling the second reverse proxy server to block unauthorized clients, while maintaining the transport layer connections for authorized clients. A third reverse proxy server in the chain enforces application layer-based policy rules.
  Type: Application
  Filed: October 17, 2023
  Publication date: March 28, 2024
  Inventors: Guy LEWIN, Vitaly KHAIT, Yossi HABER
- Publication number: 20240028757
  Abstract: A file is enabled to be downloaded from a web server on behalf of a client browser, via an isolated browser of an RBI server. An isolated browser engine detects the file download and notifies an isolated browser controller. The isolated browser controller determines whether the file download is permitted. Responsive to determining that the file download is not permitted, the file is deleted at the RBI server and a policy event is transmitted to the client browser. Responsive to determining that the file download is permitted, the file is transmitted to the client browser. The file may be streamed to the client browser, or it may be published via an independent web server and a notification is transmitted to the client browser. The client browser is controlled to issue a request to the independent web server to download the file to the client browser.
  Type: Application
  Filed: June 15, 2023
  Publication date: January 25, 2024
  Inventors: Guy LEWIN, Vitaly KHAIT, Alexander ESIBOV
- Patent number: 11876814
  Abstract: The disclosure is directed towards proxy services for the secure uploading of file-system tree structures. A method includes receiving, at a web security service, an indication that a client device is to upload content to a storage cloud provider. The proxy service performs a security scan of the content while the content is stored on the client device. A security and/or a privacy concern is identified in the content stored on the client device. A security and/or privacy mitigation action is performed in response to identifying the security and/or privacy concern.
  Type: Grant
  Filed: March 8, 2023
  Date of Patent: January 16, 2024
  Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
  Inventors: Itamar Azulay, Guy Lewin, Sharon Lifshits
- Publication number: 20230418692
  Abstract: Methods and systems are provided for a client computing device including a browser that renders a web page. Program code generates a mock upload event and a corresponding mock data transfer object for uploading data using the web page. The mock upload event and the corresponding mock data transfer object are propagated to an upload event listener of the web page and executed. Prior to generating the mock upload event and corresponding mock data transfer object, an embedded upload event listener may receive an upload event, read the upload event, drop the received upload event from an event handler pipeline, and call, synchronously or asynchronously, code to perform logic on the received upload event for the generation of the mock upload event and a corresponding mock data transfer object.
  Type: Application
  Filed: June 27, 2023
  Publication date: December 28, 2023
  Inventors: Guy LEWIN, Amir GERI, Yossi HABER
- Publication number: 20230409680
  Abstract: Systems and methods are described for authenticating a client device through remote browser isolation (RBI). An RBI service determines that a remote browser thereof is configured to issue an authentication request to an identity provider to access a resource of a resource provider and, in response, transmits a command to an RBI frontend of a client browser executing on a client computing device. The RBI frontend receives the command and, in response, generates a browsing context that issues a client-side authentication request to the identity provider that includes information accessible to the client computing device. Responsive to issuing the client-side authentication request, the browsing context receives an authentication artifact from an access service and transmits the authentication artifact to the RBI service.
  Type: Application
  Filed: June 15, 2022
  Publication date: December 21, 2023
  Inventors: Meir Baruch BLACHMAN, Guy LEWIN, Nir Mardiks RAPPAPORT
- Publication number: 20230412693
  Abstract: Methods for network aware endpoint data loss prevention (DLP) in web transactions are performed by systems and devices, which include implementing DLP on endpoint devices and focus on web traffic events from web browsers, while also associating the events with the network source entity. File download and upload events are intercepted from the operating system by a file system filter that determines that the process creating the events is a web browser, based on process identifiers and on comparing process names and process executable signatures. A uniform resource locator (URL) from the current tab or session is retrieved for the web browser. Policies for events are evaluated via a policy server or via a cache, and additional data from the file is provided for policy decisions when necessary. DLP actions taken via the file system filter to block or allow events, including encrypting file data, are based on the policy decisions.
  Type: Application
  Filed: June 15, 2022
  Publication date: December 21, 2023
  Inventors: Guy LEWIN, Yossi HABER, Meital BEN DAVID
- Patent number: 11831542
  Abstract: Policy-based routing of internet protocol (IP) packets using flow context. A system intercepts an event associated with creation of a network connection by an operating system (OS). The system identifies a flow context, including a flow tuple, associated with the network connection. Based on the flow context, and based on a flow-based routing policy, the system determines a provider associated with the network connection. The system records, in a state database, an association between the flow tuple and the provider, and instructs the OS to initiate the network connection. After the creation of the network connection, the system intercepts an IP packet associated with the network connection. Based on a header of the IP packet, the system identifies the flow tuple and, based on a result of querying the state database for the flow tuple, initiates a provider-based action for the IP packet.
  Type: Grant
  Filed: April 13, 2022
  Date of Patent: November 28, 2023
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Guy Lewin, Vikrant Arora, Ofir Yakovian
- Patent number: 11831616
  Abstract: The implementation of application layer-based and transport-layer based security rules via a reverse proxy server chain is described. Each reverse proxy server in the chain is configured to perform a particular function with respect to client messages intended for a destination server and/or convey contextual information pertaining to the messages to a subsequent reverse proxy server in the chain. For instance, a first reverse proxy server in the chain is configured to include client-specific metadata in the transport layer of the message. A second reverse proxy server in the chain enforces transport layer-based policy rules based on the metadata. This enables the second reverse proxy server to manage transport layer connections on a client-by-client basis, thereby enabling the second reverse proxy server to block unauthorized clients, while maintaining the transport layer connections for authorized clients. A third reverse proxy server in the chain enforces application layer-based policy rules.
  Type: Grant
  Filed: March 24, 2020
  Date of Patent: November 28, 2023
  Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
  Inventors: Guy Lewin, Vitaly Khait, Yossi Haber
- Patent number: 11831617
  Abstract: A computer-implemented method includes receiving, by a proxy device, a document from a service provider in response to a request to the service provider from a client device. The proxy device injects into the document event monitoring code for monitoring user actions on the client device. The proxy device sends the document with the event monitoring code to the client device. The event monitoring code intercepts a user request for a file upload event using a client-side application on the client device. The proxy device receives a client request including file information regarding the file upload event from the event monitoring code. The proxy device determines whether the file upload event should be allowed or blocked based on the received file information and stored policy data.
  Type: Grant
  Filed: July 11, 2022
  Date of Patent: November 28, 2023
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Guy Lewin, Amir Geri
- Publication number: 20230336465
  Abstract: Policy-based routing of internet protocol (IP) packets using flow context. A system intercepts an event associated with creation of a network connection by an operating system (OS). The system identifies a flow context, including a flow tuple, associated with the network connection. Based on the flow context, and based on a flow-based routing policy, the system determines a provider associated with the network connection. The system records, in a state database, an association between the flow tuple and the provider, and instructs the OS to initiate the network connection. After the creation of the network connection, the system intercepts an IP packet associated with the network connection. Based on a header of the IP packet, the system identifies the flow tuple and, based on a result of querying the state database for the flow tuple, initiates a provider-based action for the IP packet.
  Type: Application
  Filed: April 13, 2022
  Publication date: October 19, 2023
  Inventors: Guy LEWIN, Vikrant ARORA, Ofir YAKOVIAN
- Publication number: 20230319072
  Abstract: The disclosure is directed towards proxy services for the secure uploading of file-system tree structures. A method includes receiving, at a web security service, an indication that a client device is to upload content to a storage cloud provider. The proxy service performs a security scan of the content while the content is stored on the client device. A security and/or a privacy concern is identified in the content stored on the client device. A security and/or privacy mitigation action is performed in response to identifying the security and/or privacy concern.
  Type: Application
  Filed: March 8, 2023
  Publication date: October 5, 2023
  Inventors: Itamar AZULAY, Guy LEWIN, Sharon LIFSHITS
- Patent number: 11770439
  Abstract: A proxy server to receive a request from a client to a webserver and a response corresponding with the request from the webserver to the client is disclosed. The request is wrapped, and a wrapped request is received at the proxy server. The wrapped request is read at the proxy server. Metadata is added to a response corresponding with the wrapped request at the proxy server. The metadata can be based on the read wrapped request or the corresponding response.
  Type: Grant
  Filed: June 14, 2022
  Date of Patent: September 26, 2023
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Guy Lewin, Itamar Azulay, Yossi Haber
- Patent number: 11726843
  Abstract: Methods and systems are provided for a client computing device including a browser that renders a web page. Program code generates a mock upload event and a corresponding mock data transfer object for uploading data using the web page. The mock upload event and the corresponding mock data transfer object are propagated to an upload event listener of the web page and executed. Prior to generating the mock upload event and corresponding mock data transfer object, an embedded upload event listener may receive an upload event, read the upload event, drop the received upload event from an event handler pipeline, and call, synchronously or asynchronously, code to perform logic on the received upload event for the generation of the mock upload event and a corresponding mock data transfer object.
  Type: Grant
  Filed: March 30, 2022
  Date of Patent: August 15, 2023
  Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
  Inventors: Guy Lewin, Amir Geri, Yossi Haber
- Patent number: 11720699
  Abstract: A file is enabled to be downloaded from a web server on behalf of a client browser, via an isolated browser of an RBI server. An isolated browser engine detects the file download and notifies an isolated browser controller. The isolated browser controller determines whether the file download is permitted. Responsive to determining that the file download is not permitted, the file is deleted at the RBI server and a policy event is transmitted to the client browser. Responsive to determining that the file download is permitted, the file is transmitted to the client browser. The file may be streamed to the client browser, or it may be published via an independent web server and a notification is transmitted to the client browser. The client browser is controlled to issue a request to the independent web server to download the file to the client browser.
  Type: Grant
  Filed: December 15, 2020
  Date of Patent: August 8, 2023
  Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
  Inventors: Guy Lewin, Vitaly Khait, Alexander Esibov
- Publication number: 20230236853
  Abstract: Methods and systems are provided for a browser in a client device that receives a user interface script-code snippet from a web page. A chain logic engine determines whether an in-memory map indicates an output value of prior execution of the UI script-code snippet. If the in-memory map does indicate the output value, it is returned from the in-memory map to generate the user interface. If not, the engine determines whether an in-local storage map indicates the prior executed snippet output. If the in-local storage map indicates the prior executed snippet output, it is returned from the in-local storage map to generate the user interface, and it is stored in the in-memory map. If not, the UI script-code snippet is executed to generate the output value, which is used to generate the user interface, and is stored in the in-memory map and in the in-local storage map.
  Type: Application
  Filed: March 31, 2023
  Publication date: July 27, 2023
  Inventors: Itamar AZULAY, Amir GERI, Guy LEWIN, Yossi HABER, Meir Baruch BLACHMAN
- Publication number: 20230198938
  Abstract: Techniques are described herein that are capable of using entity name mapping for routing network traffic having encrypted SNI headers. A name resolution request that specifies an entity name is intercepted. Translation of the entity name to a representation of an IP address associated with the entity name is caused. A mapping that cross-references the representation of the IP address to the entity name is stored. A data transfer request that requests establishment of a connection to a destination corresponding to the representation of the IP address is intercepted. The data transfer request includes an encrypted SNI header and a payload. Establishment of the connection to the destination is initiated by providing the encrypted SNI header, the payload, and metadata toward the destination. The metadata includes the entity name based on the mapping.
  Type: Application
  Filed: December 18, 2021
  Publication date: June 22, 2023
  Inventors: Murali Krishna SANGUBHATLA, Shyamshankar DHARMARAJAN, Guy LEWIN
- Patent number: 11677722
  Abstract: Techniques are described herein that are capable of implementing a client-side policy on client-side logic. The client-side policy is configured to support client-side hooks by configuring a rule in the client-side policy to be applied to the client-side logic, which is configured to be executed in a browser of a client device in a network-based system. The rule indicates an administrator-defined action to be performed in response to a request to execute the client-side logic. The request to execute the client-side logic in the browser is received. The administrator-defined action is performed based at least in part on the rule in the client-side policy in response to receipt of the request.
  Type: Grant
  Filed: October 8, 2021
  Date of Patent: June 13, 2023
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Guy Lewin, Yossef Haber, Vitaly Khait
- Patent number: 11637812
  Abstract: Methods for dynamic forward proxy chaining are performed by systems and devices. A forward proxy server receives an electronic communication message that includes destination information in a header and payload information. Destination information includes an ordered set of subsequent destination identifiers associated with subsequent forward proxy servers and an ultimate destination identifier for the electronic communication message. The destination information in the electronic communication message is modified by the forward proxy server to generate a modified electronic communication message. Based on proxy operations performed by the forward proxy server, destination information is modified by removing destinations, adding destinations, altering ports for destinations, and other modifications.
  Type: Grant
  Filed: October 13, 2020
  Date of Patent: April 25, 2023
  Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
  Inventors: Guy Lewin, Michel Peterson
- Patent number: 11627150
  Abstract: The disclosure is directed towards proxy services for the secure uploading of file-system tree structures. A method includes receiving, at a web security service, an indication that a client device is to upload content to a storage cloud provider. The proxy service performs a security scan of the content while the content is stored on the client device. A security and/or a privacy concern is identified in the content stored on the client device. A security and/or privacy mitigation action is performed in response to identifying the security and/or privacy concern.
  Type: Grant
  Filed: June 30, 2021
  Date of Patent: April 11, 2023
  Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
  Inventors: Itamar Azulay, Guy Lewin, Sharon Lifshits
- Patent number: 11620141
  Abstract: Methods and systems are provided for a browser in a client device that receives a user interface script-code snippet from a web page. A chain logic engine determines whether an in-memory map indicates an output value of prior execution of the UI script-code snippet. If the in-memory map does indicate the output value, it is returned from the in-memory map to generate the user interface. If not, the engine determines whether an in-local storage map indicates the prior executed snippet output. If the in-local storage map indicates the prior executed snippet output, it is returned from the in-local storage map to generate the user interface, and it is stored in the in-memory map. If not, the UI script-code snippet is executed to generate the output value, which is used to generate the user interface, and is stored in the in-memory map and in the in-local storage map.
  Type: Grant
  Filed: July 9, 2020
  Date of Patent: April 4, 2023
  Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
  Inventors: Itamar Azulay, Amir Geri, Guy Lewin, Yossi Haber, Meir Baruch Blachman