Patents by Inventor Hendrikus G.P. Bosch
Hendrikus G.P. Bosch has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20240298180
Abstract: In one embodiment, a router includes one or more processors and one or more computer-readable non-transitory storage media coupled to the one or more processors. The one or more computer-readable non-transitory storage media include instructions that, when executed by the one or more processors, cause the router to perform operations including receiving software-defined networking in a wide area network (SD-WAN) policies from a component of an SD-WAN network. The operations also include establishing a session with a mobile device and receiving information associated with the mobile device in response to establishing the session with the mobile device. The operations further include filtering the SD-WAN policies based on the information associated with the mobile device to generate SD-WAN device-specific policies and communicating the SD-WAN device-specific policies to the mobile device.
Type: Application
Filed: May 10, 2024
Publication date: September 5, 2024
Inventors: Stefan Olofsson, Ijsbrand Wijnands, Hendrikus G. P. Bosch, Jeffrey Napper, Anubhav Gupta
-
Publication number: 20240291734
Abstract: Systems, methods, and computer-readable media for locally applying endpoint-specific policies to an endpoint in a network environment. A network device local to one or more endpoints in a network environment can receive from a centralized network controller one or more network-wide endpoint policies. A first endpoint of the one or more endpoints can be configured to inject policy metadata into first data traffic. Policy metadata injected into the first data traffic can be received from the first endpoint. The network device can determine one or more first endpoint-specific policies for the first endpoint by evaluating the first policy metadata with respect to the one or more network-wide endpoint policies. The one or more first endpoint-specific policies can then be applied to control data traffic associated with the first endpoint.
Type: Application
Filed: April 29, 2024
Publication date: August 29, 2024
Inventors: Alberto Rodriguez Natal, Hendrikus G.P. Bosch, Fabio Maino, Lars Olaf Stefan Olofsson, Jeffrey Napper, Anubhav Gupta
-
Publication number: 20240273203
Abstract: In one embodiment, a method for detecting an unknown attack vector, by a system, includes receiving a marked span that has been flagged for inspection. The method further includes conducting a root cause analysis to determine if the marked span should be classified as an attack. In response to a determination that the marked span should be classified as an attack, the method further includes determining whether the marked span engaged with data corresponding to one or more application services defining the marked span. The method further includes designating the data corresponding to the one or more application services as compromised in response to a determination that the marked span did engage with said data.
Type: Application
Filed: May 31, 2023
Publication date: August 15, 2024
Inventors: Mirko Raca, Marcelo Yannuzzi, Jeffrey M. Napper, Hendrikus G. P. Bosch
-
Publication number: 20240273187
Abstract: In one embodiment, a method for storing auditable metadata, by a system, includes receiving incoming signals communicated from at least one application service to a first pod associated with a user space of a node. The method further includes extracting metadata associated with data provided by the received incoming signals. The method further includes receiving outgoing signals communicated from the first pod to an external entity, wherein the incoming signals and the outgoing signals are received by a listener module. The method further includes comparing the incoming signals to the outgoing signals to detect a variation and determining that the data has been transmitted to the external entity based on a determination that there is no detected variation from the comparison between the incoming signals and the outgoing signals.
Type: Application
Filed: May 31, 2023
Publication date: August 15, 2024
Inventors: Marcelo Yannuzzi, Jean Diaconu, Jeffrey M. Napper, Herve Muyal, Hendrikus G. P. Bosch
-
Patent number: 12063228
Abstract: In one embodiment, a method comprises: receiving, by a process, an executed function flow of a daisy chained serverless function-as-a-service (FaaS) function, the executed function flow having been injected with a particular trace identifier in response to an initial event trigger and span identifiers having been injected by each service that was executed; generating, by the process, a serverless flow graph associated with the particular trace identifier based on linking a path of serverless functions according to correlation of the span identifiers between the serverless functions; performing, by the process, a trace-based analysis of the serverless flow graph through comparison to a baseline of expectation; detecting, by the process, one or more anomalies in the serverless flow graph according to the trace-based analysis; and mitigating, by the process, the one or more anomalies in the serverless flow graph.
Type: Grant
Filed: December 22, 2021
Date of Patent: August 13, 2024
Assignee: Cisco Technology, Inc.
Inventors: Akram Ismail Sheriff, Rajiv Asati, Nagendra Kumar Nainar, Ariel Shuper, Hendrikus G. P. Bosch
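The trace-to-graph-to-baseline pipeline that the 12063228 abstract describes, as an added illustration (this is not Cisco's code and not taken from the patent). The span record layout (trace_id, span_id, parent_span_id, function), the pseudo-node for the initial event trigger and the baseline-as-edge-set format are assumptions made for the example; production tracers use their own schemas. Spans whose parent is missing are linked from the trigger rather than dropped, so an injected or orphaned span still surfaces as an unexpected edge.

```python
"""Trace-based anomaly detection over a daisy-chained serverless (FaaS) call chain.

Added illustration, not Cisco's code. Span layout and baseline format are
assumptions for the example.
"""

ROOT = "<trigger>"   # pseudo-node standing in for the initial event trigger


def build_flow_graph(spans: list[dict], trace_id: str) -> set[tuple[str, str]]:
    """Link the spans of one trace into caller -> callee edges.

    A span whose parent_span_id is not found in the trace is linked from the
    trigger, so an injected span without a valid parent still appears as an
    edge and is caught by the baseline comparison instead of vanishing.
    """
    by_id = {s["span_id"]: s for s in spans if s["trace_id"] == trace_id}
    edges = set()
    for s in by_id.values():
        parent = by_id.get(s["parent_span_id"])
        caller = parent["function"] if parent else ROOT
        edges.add((caller, s["function"]))
    return edges


def detect_anomalies(graph: set[tuple[str, str]], baseline: set[tuple[str, str]]) -> dict:
    """Compare a flow graph with the expected baseline graph."""
    unexpected = graph - baseline
    missing = baseline - graph
    return {
        "unexpected_edges": sorted(unexpected),
        "missing_edges": sorted(missing),
        # functions reached through an edge the baseline never allowed
        "suspect_functions": sorted({callee for _, callee in unexpected}),
    }


def mitigate(anomalies: dict) -> list[str]:
    """Mitigation hook: the functions whose invocations should be blocked.

    A real deployment would tighten an IAM policy or set the function's
    concurrency to zero; here the decision is returned so it can be checked.
    """
    return anomalies["suspect_functions"]


# Constructed sample trace. The expected chain is
# trigger -> ingest -> transform -> store, but trace t1 also shows
# transform invoking an 'exfil-upload' function the baseline never allowed.
BASELINE = {(ROOT, "ingest"), ("ingest", "transform"), ("transform", "store")}
SPANS = [
    {"trace_id": "t1", "span_id": "s1", "parent_span_id": None, "function": "ingest"},
    {"trace_id": "t1", "span_id": "s2", "parent_span_id": "s1", "function": "transform"},
    {"trace_id": "t1", "span_id": "s3", "parent_span_id": "s2", "function": "store"},
    {"trace_id": "t1", "span_id": "s4", "parent_span_id": "s2", "function": "exfil-upload"},
    {"trace_id": "t2", "span_id": "s9", "parent_span_id": None, "function": "ingest"},  # unrelated, truncated trace
]

if __name__ == "__main__":
    graph = build_flow_graph(SPANS, "t1")
    report = detect_anomalies(graph, BASELINE)
    print(report)
    print("block:", mitigate(report))
```

Missing edges are reported separately from unexpected ones: a chain that stops early (trace t2 above) is a different signal from a chain that grows a new branch, and only the latter names a function to isolate.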
-
Patent number: 12063149
Abstract: Systems, methods, and computer-readable media for locally applying endpoint-specific policies to an endpoint in a network environment. A network device local to one or more endpoints in a network environment can receive from a centralized network controller one or more network-wide endpoint policies. A first endpoint of the one or more endpoints can be configured to inject policy metadata into first data traffic. Policy metadata injected into the first data traffic can be received from the first endpoint. The network device can determine one or more first endpoint-specific policies for the first endpoint by evaluating the first policy metadata with respect to the one or more network-wide endpoint policies. The one or more first endpoint-specific policies can then be applied to control data traffic associated with the first endpoint.
Type: Grant
Filed: July 17, 2023
Date of Patent: August 13, 2024
Assignee: Cisco Technology, Inc.
Inventors: Alberto Rodriguez Natal, Hendrikus G. P. Bosch, Fabio Maino, Lars Olaf Stefan Olofsson, Jeffrey Napper, Anubhav Gupta
-
Publication number: 20240265112
Abstract: A system and a method to map attack paths in a visualization interface may include storing in a memory asset inventory indicating application assets, attack vector parameters configured to indicate vulnerabilities of one or more of the application assets, and asset mapping information. A processor may determine multiple vulnerable assets in the application assets based at least in part upon the attack vector parameters. Further, the processor may obtain security parameters from a security framework indicating one or more attack techniques, associate each of the vulnerable assets to one or more of the security parameters, and generate a visual interface showing the vulnerable assets and the security parameters. The processor may determine an attack path connecting the vulnerable assets based at least in part upon the asset mapping information, and map the attack path to the application layers and the security parameters in the visual interface.
Type: Application
Filed: June 6, 2023
Publication date: August 8, 2024
Inventors: Jeffrey M. Napper, Hendrikus G. P. Bosch, Jean Diaconu, Marcelo Yannuzzi, Alessandro Duminuco, Guillaume Sauvage De Saint Marc, Marc Scibelli
-
Publication number: 20240265113
Abstract: A system and a method to determine attack paths to application assets may include storing in a memory asset inventory indicating multiple application assets, multiple attack vector parameters configured to indicate vulnerabilities of one or more of the application assets, and asset mapping information configured to associate each of the application assets to one or more of the application layers. A processor may determine multiple vulnerable assets in the application assets based at least in part upon the attack vector parameters. Further, the processor may determine feasibility parameters that indicate a likelihood of the attack path to occur in the system, generate a visual interface showing the vulnerable assets, determine an attack path connecting the vulnerable assets based at least in part upon the asset mapping information, and map the attack path to the application layers in the visual interface based at least in part upon the feasibility parameters.
Type: Application
Filed: June 6, 2023
Publication date: August 8, 2024
Inventors: Jeffrey M. Napper, Hendrikus G. P. Bosch, Jean Diaconu, Marcelo Yannuzzi, Alessandro Duminuco
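The core of the two attack-path applications above (20240265112 and 20240265113) is a walk over the asset mapping that connects only vulnerable assets, ranks the resulting paths by feasibility, and annotates each step with its application layer and a framework technique. The following is an added illustration of that walk, not Cisco's code and not from either filing. The inventory, the reachability mapping, the per-asset feasibility numbers and the technique labels (written in the style of ATT&CK tactic:technique names) are all constructed for the example, and path feasibility is taken as the product of independent step feasibilities, which is one simple choice among several.

```python
"""Attack-path discovery over an application asset inventory.

Added illustration, not Cisco's code. Inventory, mapping, feasibility values
and technique labels below are constructed for the example.
"""

# Constructed inventory: asset -> application layer it belongs to
ASSETS = {
    "edge-lb": "network", "web-frontend": "presentation", "auth-svc": "service",
    "orders-api": "service", "orders-db": "data", "reports-job": "batch",
}

# Asset mapping: which asset can reach which (call graph / network reachability)
MAPPING = {
    "edge-lb": ["web-frontend"],
    "web-frontend": ["auth-svc", "orders-api"],
    "auth-svc": ["orders-db"],
    "orders-api": ["orders-db", "reports-job"],
    "orders-db": [],
    "reports-job": ["orders-db"],
}

# Attack vector parameters: asset -> (framework technique label, feasibility 0..1).
# Assets absent here have no known vulnerability and cannot be a step in a path.
VECTORS = {
    "web-frontend": ("initial-access:exploit-public-facing-app", 0.7),
    "orders-api": ("privilege-escalation:broken-object-level-authz", 0.5),
    "orders-db": ("exfiltration:db-dump", 0.9),
    "reports-job": ("execution:scheduled-task-abuse", 0.2),
}


def vulnerable_assets(vectors: dict) -> set[str]:
    return set(vectors)


def attack_paths(start: str, mapping: dict, vectors: dict, min_feasibility: float = 0.0):
    """Enumerate simple paths from `start` that step only through vulnerable assets.

    Each path is scored by the product of its steps' feasibilities; paths
    below min_feasibility are pruned, which is how a visualization ranks or
    hides unlikely routes. Returned sorted by score (descending), then path.
    """
    results = []

    def walk(node, path, score):
        results.append((tuple(path), round(score, 3)))
        for nxt in mapping.get(node, []):
            if nxt in vectors and nxt not in path:      # vulnerable and not yet visited
                walk(nxt, path + [nxt], score * vectors[nxt][1])

    if start in vectors:          # a non-vulnerable entry point starts no path
        walk(start, [start], vectors[start][1])
    return sorted(((p, s) for p, s in results if s >= min_feasibility),
                  key=lambda ps: (-ps[1], ps[0]))


def annotate(path, assets: dict, vectors: dict):
    """Map each step of a path to its application layer and framework technique."""
    return [(a, assets[a], vectors[a][0]) for a in path]


if __name__ == "__main__":
    for path, score in attack_paths("web-frontend", MAPPING, VECTORS, min_feasibility=0.1):
        print(score, annotate(path, ASSETS, VECTORS))
```

Note that auth-svc reaches orders-db in the mapping but never appears in a path: with no attack vector parameter of its own it is not a vulnerable asset, so the walk does not step through it. That is the property a practitioner should check when reading such a graph, since an asset with an unrecorded vulnerability silently breaks the path.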
-
Patent number: 12052569
Abstract: In one embodiment, a router includes one or more processors and one or more computer-readable non-transitory storage media coupled to the one or more processors. The one or more computer-readable non-transitory storage media include instructions that, when executed by the one or more processors, cause the router to perform operations including receiving software-defined networking in a wide area network (SD-WAN) policies from a component of an SD-WAN network. The operations also include establishing a session with a mobile device and receiving information associated with the mobile device in response to establishing the session with the mobile device. The operations further include filtering the SD-WAN policies based on the information associated with the mobile device to generate SD-WAN device-specific policies and communicating the SD-WAN device-specific policies to the mobile device.
Type: Grant
Filed: August 16, 2021
Date of Patent: July 30, 2024
Assignee: CISCO TECHNOLOGY, INC.
Inventors: Stefan Olofsson, Ijsbrand Wijnands, Hendrikus G. P. Bosch, Jeffrey Napper, Anubhav Gupta
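The SD-WAN entries (20240298180 and 12052569) and the endpoint-policy entries (20240291734 and 12063149) share one mechanism: a network device holds a network-wide policy set, learns attributes of the endpoint (from the session, or from metadata the endpoint injects into its traffic), and keeps only the policies whose conditions that endpoint satisfies. The following is an added illustration of that filtering step, not Cisco's code and not from the patents. The policy schema, the metadata keys, the fail-closed handling of unreported attributes and the priority/specificity ordering are assumptions made for the example.

```python
"""Derive endpoint-specific policies from a network-wide policy set.

Added illustration, not Cisco's code. Policy schema, metadata keys and the
matching rules are assumptions made for the example.
"""
from dataclasses import dataclass, field


@dataclass
class Policy:
    name: str
    action: str                                  # e.g. "deny", "route-direct", "route-via-tunnel"
    match: dict = field(default_factory=dict)    # attribute -> value (equality) or set (membership)
    priority: int = 100                          # lower number wins when actions conflict


def matches(policy: Policy, metadata: dict) -> bool:
    """A policy applies when every one of its conditions holds for the endpoint.

    A condition on an attribute the endpoint did not report fails closed:
    the device never gets a policy based on a posture it did not assert.
    """
    for attr, wanted in policy.match.items():
        if attr not in metadata:
            return False
        actual = metadata[attr]
        if isinstance(wanted, (set, frozenset)):
            if actual not in wanted:
                return False
        elif actual != wanted:
            return False
    return True


def derive_endpoint_policies(policies: list[Policy], metadata: dict) -> list[dict]:
    """Filter the network-wide set down to what this endpoint needs.

    The result carries only name and action: the match conditions are already
    resolved, so the device receives a compact list and learns nothing about
    conditions written for other endpoints. Ordered by priority, then by
    specificity (more conditions first), then by name for determinism.
    """
    applicable = [p for p in policies if matches(p, metadata)]
    applicable.sort(key=lambda p: (p.priority, -len(p.match), p.name))
    return [{"name": p.name, "action": p.action} for p in applicable]


# Constructed sample: four network-wide policies and two endpoints.
NETWORK_POLICIES = [
    Policy("default-internet", "route-direct"),
    Policy("corp-apps-tunnel", "route-via-tunnel", {"user_group": {"engineering", "finance"}}, priority=50),
    Policy("quarantine-unpatched", "deny", {"posture": "non-compliant"}, priority=10),
    Policy("ios-only-mdm", "route-via-tunnel", {"os": "ios", "mdm_enrolled": True}, priority=50),
]

ENGINEER_PHONE = {"os": "ios", "mdm_enrolled": True, "user_group": "engineering", "posture": "compliant"}
GUEST_LAPTOP = {"os": "windows", "user_group": "guest"}   # reports no posture at all

if __name__ == "__main__":
    for label, md in (("engineer phone", ENGINEER_PHONE), ("guest laptop", GUEST_LAPTOP)):
        print(label, "->", derive_endpoint_policies(NETWORK_POLICIES, md))
```

The guest laptop shows the fail-closed case: it never reported a posture, so the quarantine policy does not match, but neither does anything that would have granted it tunnel access; it ends up with the unconditional default only.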
-
Publication number: 20240232354
Abstract: In one embodiment, a method includes generating an application programming interface (API) definition by observing traffic. The API definition is associated with an API definition name and an API specification. The method also includes mounting the API definition with an application and deploying the application by a Continuous Integration/Continuous Delivery (CI/CD) pipeline. The method further includes implementing a runtime API and mapping the runtime API to the API definition.
Type: Application
Filed: May 15, 2023
Publication date: July 11, 2024
Inventors: Alexei Kravtsov, Giovanni Conte, Hendrikus G. P. Bosch
-
Publication number: 20240231973
Abstract: In one embodiment, a method includes generating an application stack. The application stack includes an application logic module. The method also includes embedding a service mesh module into the application stack. The method further includes managing, by the service mesh module, security of a network packet while maintaining separation of memory regions between the application logic module and the service mesh module.
Type: Application
Filed: April 28, 2023
Publication date: July 11, 2024
Inventors: Hendrikus G. P. Bosch, Jeffrey M. Napper, Zsolt Varga, Nándor István Krácser, Krisztián Gacsal
-
Patent number: 12033010
Abstract: In one embodiment, a method includes generating an application stack. The application stack includes an application logic module. The method also includes embedding a service mesh module into the application stack. The method further includes managing, by the service mesh module, security of a network packet while maintaining separation of memory regions between the application logic module and the service mesh module.
Type: Grant
Filed: April 28, 2023
Date of Patent: July 9, 2024
Assignee: CISCO TECHNOLOGY, INC.
Inventors: Hendrikus G. P. Bosch, Jeffrey M. Napper, Zsolt Varga, Nándor István Krácser, Krisztián Gacsal
-
Publication number: 20240146770
Abstract: Dynamically tailored trust for secure application-server networking and advanced enterprise security is provided. A system can individually assess the security posture of each application connecting to the Internet from each client device in an enterprise. For each application, the system tailors a security mode of the Internet connection based on the security posture of the application. Assessment of the security posture of an application is a comprehensive inventory of the security of the application, the security of the device hosting the application, the rights and security of the user, security attributes of the intended service or website being accessed, the security of the communication channel, and so forth. A network-based controller communicates with an agent running within a secure boot mode of each client device to select a security mode for application-service connection, including lean-trust direct access to the Internet, secure VPN-like access, or no access to the Internet.
Type: Application
Filed: December 22, 2023
Publication date: May 2, 2024
Inventors: Hendrikus G.P. Bosch, Sape Jurrien Mullender, Jeffrey Michael Napper, Alessandro Duminuco, Shivani Raghav
-
Publication number: 20240134725
Abstract: In one embodiment, a method includes generating an application stack. The application stack includes an application logic module. The method also includes embedding a service mesh module into the application stack. The method further includes managing, by the service mesh module, security of a network packet while maintaining separation of memory regions between the application logic module and the service mesh module.
Type: Application
Filed: April 27, 2023
Publication date: April 25, 2024
Inventors: Hendrikus G. P. Bosch, Jeffrey M. Napper, Zsolt Varga, Nándor István Krácser, Krisztián Gacsal
-
Publication number: 20240134979
Abstract: In one embodiment, a method includes generating an application programming interface (API) definition by observing traffic. The API definition is associated with an API definition name and an API specification. The method also includes mounting the API definition with an application and deploying the application by a Continuous Integration/Continuous Delivery (CI/CD) pipeline. The method further includes implementing a runtime API and mapping the runtime API to the API definition.
Type: Application
Filed: May 14, 2023
Publication date: April 25, 2024
Inventors: Alexei Kravtsov, Giovanni Conte, Hendrikus G. P. Bosch
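The two traffic-observation entries (20240232354 and 20240134979) describe generating an API definition from observed requests and then mapping runtime calls back onto it. The following is an added illustration of both steps, not Cisco's code and not from the filings. The traffic sample is constructed, the parameterization heuristic (numeric and UUID path segments become path parameters named after the preceding collection) is an assumption, and the output mimics the OpenAPI `paths` object without being a complete specification; the `x-observed-count` field is an invented extension used to show how much evidence each operation has.

```python
"""Infer an API definition from observed traffic; map runtime calls onto it.

Added illustration, not Cisco's code. Sample traffic, the parameterization
heuristic and the x-observed-count extension are assumptions for the example.
"""
import re
from collections import defaultdict

UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
NUM_RE = re.compile(r"^\d+$")


def templatize(path: str) -> tuple[str, list[str]]:
    """Replace identifier-looking segments with {name} path parameters.

    The parameter is named after the last literal segment before it
    ("users/42" -> "{user_id}"); repeated names get a numeric suffix.
    Naive singularization (strip a trailing 's') is good enough here.
    """
    out, params, last = [], [], None
    for seg in path.strip("/").split("/"):
        if NUM_RE.match(seg) or UUID_RE.match(seg):
            name = f"{last.rstrip('s')}_id" if last else "id"
            if name in params:
                name += str(len(params) + 1)
            out.append("{" + name + "}")
            params.append(name)
        else:
            out.append(seg)
            last = seg
    return "/" + "/".join(out), params


def infer_definition(samples, name: str = "observed-api") -> dict:
    """Build an OpenAPI-style paths object from (method, path, status) observations."""
    paths = defaultdict(dict)
    for method, raw_path, status in samples:
        tmpl, params = templatize(raw_path.split("?", 1)[0])   # query string is not part of the route
        op = paths[tmpl].setdefault(method.lower(), {
            "parameters": [{"name": p, "in": "path", "required": True} for p in params],
            "responses": {},
            "x-observed-count": 0,
        })
        op["responses"].setdefault(str(status), {"description": f"observed {status}"})
        op["x-observed-count"] += 1
    return {"x-api-definition-name": name, "paths": dict(paths)}


def map_runtime_call(definition: dict, method: str, raw_path: str):
    """Resolve a runtime call to (template, method) in the definition, or None if unknown.

    A None result is the interesting case: a runtime endpoint the observed
    definition never saw, which is exactly what a gateway should flag.
    """
    tmpl, _ = templatize(raw_path.split("?", 1)[0])
    op = definition["paths"].get(tmpl, {}).get(method.lower())
    return (tmpl, method.lower()) if op else None


# Constructed traffic sample: (method, path, status)
TRAFFIC = [
    ("GET", "/v1/users/42", 200),
    ("GET", "/v1/users/17", 200),
    ("GET", "/v1/users/17/orders?page=2", 200),
    ("POST", "/v1/users", 201),
    ("GET", "/v1/orders/8a1b3c4d-1111-2222-3333-444455556666", 200),
    ("GET", "/v1/users/99", 404),
]

if __name__ == "__main__":
    definition = infer_definition(TRAFFIC)
    for tmpl, ops in definition["paths"].items():
        print(tmpl, {m: op["x-observed-count"] for m, op in ops.items()})
    print(map_runtime_call(definition, "DELETE", "/v1/users/5"))   # unseen method -> None
```

Two caveats a practitioner would add: an observed definition only covers traffic that actually happened, so rarely used operations are missing until seen, and the 404s recorded against a template are evidence of probing as much as of the API's shape.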
-
Patent number: 11968201
Abstract: Operations include transmitting, on behalf of a first application, a first request to a first service provider, the first request requesting first services from the first service provider, intercepting, at a local agent, a first redirect message from the first service provider to an identity provider, receiving an identity provider cookie from the identity provider based on a validation of credentials during the authentication process, storing a copy of the identity provider cookie, transmitting, on behalf of a second application, a second request to a second service provider, the second request requesting second services from the second service provider, intercepting a second redirect message from the second service provider to the identity provider, adding the identity provider cookie to the second redirect message, and receiving validation to access the second service provider from the identity provider based on the identity provider cookie stored by the local agent.
Type: Grant
Filed: January 4, 2021
Date of Patent: April 23, 2024
Assignee: Cisco Technology, Inc.
Inventors: Ahmed Bakry Helmy Ahmed, Sape Jurrien Mullender, Hendrikus G. P. Bosch, Alessandro Duminuco, Jeffrey Michael Napper
-
Publication number: 20240098090
Abstract: A system and method for an extended security scheme for reducing the prevalence of broken object level authorization. In one embodiment, a method includes receiving code associated with an application programming interface (API), wherein the code includes one of an API definition and an API server stub, and parsing the code for one or more keywords associated with an extended security scheme. If the code includes the API definition, the method further includes generating an associated API server stub based on at least one of the one or more keywords and the API definition. If the code includes the API server stub, the method further includes generating an associated API definition based on at least one of the one or more keywords and the API server stub.
Type: Application
Filed: November 18, 2022
Publication date: March 21, 2024
Inventors: Rami Haddad, Rim El Malki, Daniel-Serban Cozma, Hendrikus G. P. Bosch
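Broken object level authorization (BOLA) is the class of bug where a handler fetches `/orders/{order_id}` for whoever asks, so any authenticated user can read any order. The 20240098090 abstract describes carrying an ownership rule as a keyword in the API definition and generating a server stub that enforces it, and recovering the keyword from an annotated stub in the other direction. The following is an added illustration of both directions, not Cisco's code and not from the filing. The keyword `x-object-owner`, the definition and stub shapes, the `__bola__` attribute and the sample data are all assumptions invented for the example.

```python
"""Extended security scheme against broken object level authorization (BOLA).

Added illustration, not Cisco's code. The keyword, the definition/stub
shapes and the sample orders are assumptions made for the example.
"""
from functools import wraps

KEYWORD = "x-object-owner"   # hypothetical extension keyword in the API definition


class Forbidden(Exception):
    pass


def object_owner_check(param: str, claim: str, lookup_owner):
    """Decorator: the caller's `claim` must equal the owner of the object named by `param`.

    Unknown objects are denied too, so an attacker probing identifiers gets
    the same answer for "not yours" and "does not exist".
    """
    def deco(fn):
        @wraps(fn)
        def handler(principal, **path_params):
            owner = lookup_owner(path_params[param])
            if owner is None or owner != principal.get(claim):
                raise Forbidden(f"{principal.get(claim)!r} does not own {param}={path_params[param]!r}")
            return fn(principal, **path_params)
        handler.__bola__ = {"param": param, "claim": claim}   # keeps the rule recoverable from the stub
        return handler
    return deco


def stub_from_definition(definition: dict, business_logic: dict, lookup_owner) -> dict:
    """Definition -> server stub: wrap every operation that carries the keyword."""
    stub = {}
    for path, ops in definition["paths"].items():
        for method, op in ops.items():
            fn = business_logic[op["operationId"]]
            rule = op.get(KEYWORD)
            if rule:
                fn = object_owner_check(rule["param"], rule["claim"], lookup_owner)(fn)
            stub[(method, path)] = fn
    return stub


def definition_from_stub(stub: dict) -> dict:
    """Server stub -> definition: emit the keyword for every protected handler."""
    paths = {}
    for (method, path), fn in stub.items():
        op = {"operationId": fn.__name__}
        rule = getattr(fn, "__bola__", None)
        if rule:
            op[KEYWORD] = dict(rule)
        paths.setdefault(path, {})[method] = op
    return {"paths": paths}


def is_denied(handler, principal, **path_params) -> bool:
    """True when the generated handler refuses the call."""
    try:
        handler(principal, **path_params)
        return False
    except Forbidden:
        return True


# Constructed sample: orders belong to users; GET /orders/{order_id} is owner-only.
ORDERS = {"o-1": {"owner": "alice", "total": 40}, "o-2": {"owner": "bob", "total": 12}}

DEFINITION = {"paths": {"/orders/{order_id}": {"get": {
    "operationId": "get_order",
    KEYWORD: {"param": "order_id", "claim": "sub"},   # the order's owner must match the token's 'sub'
}}}}


def get_order(principal, order_id):
    """Business logic as a developer would write it: no authorization of its own."""
    return ORDERS[order_id]


def owner_of(order_id):
    rec = ORDERS.get(order_id)
    return rec["owner"] if rec else None


STUB = stub_from_definition(DEFINITION, {"get_order": get_order}, owner_of)

if __name__ == "__main__":
    handler = STUB[("get", "/orders/{order_id}")]
    print(handler({"sub": "alice"}, order_id="o-1"))
    print("alice -> o-2 denied:", is_denied(handler, {"sub": "alice"}, order_id="o-2"))
```

The point of generating the stub rather than trusting developers to add the check is visible in `get_order`: the business logic stays authorization-free, and the rule lives in one place that both the definition and the stub can be regenerated from.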
-
Patent number: 11902168
Abstract: A method of defining priority of a number of data packets within a queue includes generating a policy. The policy defines a first multiplexed channel of a plurality of multiplexed channels. The first multiplexed channel has a first priority. The policy also defines a second multiplexed channel of the plurality of multiplexed channels. The second multiplexed channel has a second priority. The first priority is defined as being of a higher priority relative to the second priority. The method further includes receiving the number of data packets over the plurality of multiplexed channels associated with a session based at least in part on the policy.
Type: Grant
Filed: June 24, 2021
Date of Patent: February 13, 2024
Assignee: Cisco Technology, Inc.
Inventors: Vincent Parla, Andrew Zawadowskiy, Oleg Bessonov, Hendrikus G. P. Bosch
-
Patent number: 11899780
Abstract: The present disclosure is directed to assessing API service security and may include the steps of identifying an API service called by an application based on information provided by an agent embedded within the application; collecting telemetry associated with the API service, the telemetry collected from one or more telemetry sources and indicating any deficiencies in the API service; generating a reputation score for the API service based on analysis of the collected telemetry; and transmitting the reputation score to at least one of the following: the agent embedded within the application, wherein the reputation score is associated with at least one policy having at least one policy action, and wherein the reputation score is operable to be used by the agent to invoke the at least one policy action relating to use of the API service by the application; or a continuous integration/continuous delivery pipeline associated with the application.
Type: Grant
Filed: April 9, 2021
Date of Patent: February 13, 2024
Assignee: CISCO TECHNOLOGY, INC.
Inventors: Hendrikus G. P. Bosch, Alessandro Duminuco, Sape Jurriën Mullender, Jaffar Alaoui
-
Publication number: 20240015140
Abstract: A system of one embodiment allows for redirecting service and API calls for containerized applications in a computer network. The system includes a memory and a processor. The system processes a plurality of application workflows of a containerized application workload. The system then identifies at least one application workflow of the plurality of application workflows and at least one workflow-specific routing rule associated with the at least one application workflow. The system then determines at least one proxy server address for each identified application workflow based on the at least one associated workflow-specific routing rule. The system then may communicate the at least one identified application workflow to the at least one proxy server using the at least one determined proxy server address.
Type: Application
Filed: July 5, 2022
Publication date: January 11, 2024
Inventors: Hendrikus G. P. Bosch, Alessandro Duminuco, Zohar Kaufman