Patents by Inventor Kand Ly
Kand Ly has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
- Patent number: 11848949
  Abstract: The technology discloses a method applied by a policy manager to a cloud-based security system that unifies functions of access control and traffic inspection, threat detection and activity contextualization on inspectable and non-inspectable traffic, with a data manager coupled to the policy manager storing a superset of fields used to specify security policies across the cloud-based unified functions, including common fields shared by two or more of the functions.
  Type: Grant
  Filed: January 30, 2021
  Date of Patent: December 19, 2023
  Assignee: Netskope, Inc.
  Inventors: Amit Ganesh Datar, Kartik Subbanna, Kand Ly
- Patent number: 11777993
  Abstract: Disclosed is a unified security system of cloud-based components configured for (a) packet-level and (b) protocol-level access control and traffic inspection, (c) threat detection and (d) activity contextualization. Packet-level inspects and classifies headers in requests or responses, sets a first restrictive state or passes the request or response. Protocol-level performs deep packet inspection for malicious signatures then sets a second state or passes. Threat detection, when the request or response is an HTTP/S stream, classifies as directed to a threat destination or not, then sets a third state or passes the request or response. Activity contextualization, when the request is an HTTP/S stream seeking access to a cloud-based application, recognizes, processes and classifies content-containing activity as compromising or not, then sets a fourth state or passes.
  Type: Grant
  Filed: January 30, 2021
  Date of Patent: October 3, 2023
  Assignee: Netskope, Inc.
  Inventors: Kand Ly, Amit Ganesh Datar, Kartik Subbanna
- Publication number: 20220247788
  Abstract: The technology discloses a computer-implemented policy manager device for a cloud-based security system that manages cloud-based unified functions of packet-level and protocol-level access control and traffic inspection, threat detection and activity contextualization on inspectable and non-inspectable traffic. Packet-level access control inspects packet headers for malformation, protocol-level access control performs deep packet inspection for malicious signatures, threat detection determines whether traffic in an HTTP/S stream is directed to a threat destination, and activity contextualization recognizes whether an activity in an HTTP/S stream accessing a cloud-based application is a compromising activity.
  Type: Application
  Filed: July 23, 2021
  Publication date: August 4, 2022
  Applicant: NetSkope, Inc.
  Inventors: Kartik SUBBANNA, Kand LY, Amit Ganesh DATAR
- Publication number: 20220247785
  Abstract: Disclosed is a unified security system of cloud-based components configured for (a) packet-level and (b) protocol-level access control and traffic inspection, (c) threat detection and (d) activity contextualization. Packet-level inspects and classifies headers in requests or responses, sets a first restrictive state or passes the request or response. Protocol-level performs deep packet inspection for malicious signatures then sets a second state or passes. Threat detection, when the request or response is an HTTP/S stream, classifies as directed to a threat destination or not, then sets a third state or passes the request or response. Activity contextualization, when the request is an HTTP/S stream seeking access to a cloud-based application, recognizes, processes and classifies content-containing activity as compromising or not, then sets a fourth state or passes.
  Type: Application
  Filed: January 30, 2021
  Publication date: August 4, 2022
  Applicant: NetSkope, Inc.
  Inventors: Kand LY, Amit Ganesh DATAR, Kartik SUBBANNA
- Publication number: 20220247761
  Abstract: The technology discloses processing incoming access requests of packets through cloud-based components that perform (a) packet-level access control and traffic inspection, (b) protocol-level access control and traffic inspection, (c) threat detection, and (d) activity contextualization, including a packet and stream router conveying each incoming access request of packets through all of components (a)-(d) that apply, at least until one of the components sets a restrictive state on at least one object corresponding to the incoming access request or until all of the components that apply have passed the incoming access request.
  Type: Application
  Filed: January 30, 2021
  Publication date: August 4, 2022
  Applicant: NetSkope, Inc.
  Inventors: Kartik SUBBANNA, Amit Ganesh DATAR, Kand LY
- Publication number: 20220247768
  Abstract: The technology discloses a method applied by a policy manager to a cloud-based security system that unifies functions of access control and traffic inspection, threat detection and activity contextualization on inspectable and non-inspectable traffic, with a data manager coupled to the policy manager storing a superset of fields used to specify security policies across the cloud-based unified functions, including common fields shared by two or more of the functions.
  Type: Application
  Filed: January 30, 2021
  Publication date: August 4, 2022
  Applicant: NetSkope, Inc.
  Inventors: Amit Ganesh DATAR, Kartik SUBBANNA, Kand LY
- Patent number: 11232227
  Abstract: Systems and techniques are described for preventing data leaks from a network. A set of sensitive files or sensitive data that includes sensitive information can be received, and a first set of labels can be determined based on the set of sensitive files or sensitive data. An apparatus can then receive data that is to be checked for sensitive information, and determine a second set of labels based on the data. Next, the apparatus can match the second set of labels with the first set of labels. The apparatus can then determine whether or not the data includes sensitive information based on a result of said matching, and perform a data leak prevention action if it is determined that the data includes sensitive information.
  Type: Grant
  Filed: November 28, 2018
  Date of Patent: January 25, 2022
  Assignee: Riverbed Technology, Inc.
  Inventors: Bill Y. Chin, Arthur L. Jones, Kand Ly
- Patent number: 11159576
  Abstract: The technology discloses a computer-implemented policy manager device for a cloud-based security system that unifies functions of packet-level and protocol-level access control and traffic inspection, threat detection and activity contextualization on inspectable and non-inspectable traffic. The device includes a data manager for a superset of fields that specify security policies across the cloud-based unified functions, including common fields shared by two or more of the unified functions, means for receiving and storing policy specifications in a common format for values of the common fields as applied to each of the unified functions, whereby a user interacting with the means for receiving can specify security policies governing the cloud-based unified functions of access control and traffic inspection, threat detection and activity contextualization on inspectable and non-inspectable traffic.
  Type: Grant
  Filed: January 30, 2021
  Date of Patent: October 26, 2021
  Assignee: NetSkope, Inc.
  Inventors: Kand Ly, Kartik Subbanna, Amit Ganesh Datar
- Patent number: 10841192
  Abstract: Systems and techniques are described for calculating performance improvement achieved and/or expected to be achieved by optimizing a network connection. Network characteristics can be measured for non-optimized network connections. Next, the network characteristics can be analyzed to obtain a set of non-optimized connection groups, wherein each non-optimized connection group corresponds to non-optimized network connections that have similar network characteristics. Network characteristics for an optimized network connection can be measured. Next, a non-optimized connection group can be identified based on the network characteristics that were measured for the optimized network connection. A performance improvement metric can then be calculated based on a throughput of the optimized network connection and corresponding throughputs of non-optimized network connections in the identified non-optimized connection group.
  Type: Grant
  Filed: November 28, 2018
  Date of Patent: November 17, 2020
  Assignee: Riverbed Technology, Inc.
  Inventors: Ahmet Can Babaoglu, Kand Ly
- Publication number: 20170171045
  Abstract: Systems and techniques are described for optimizing network traffic by transparently intercepting a transport layer connection after connection establishment. Specifically, an intermediary device can monitor communications between two computers while a transport layer connection that uses a transport layer protocol is being established between the two computers. While monitoring communications, the intermediary device can save transport layer protocol state information associated with the transport layer connection that is being established. The intermediary device can then use the saved transport layer protocol state information to transparently intercept the transport connection.
  Type: Application
  Filed: December 11, 2015
  Publication date: June 15, 2017
  Applicant: Riverbed Technology, Inc.
  Inventor: Kand Ly
- Patent number: 9332091
  Abstract: In address-manipulation enabled transaction accelerators, the transaction accelerators include outer-connection addressing information in packets emitted over an inner connection between transaction accelerators and inner-connection addressing information is added in packets sent over the inner connection. The inner-connection addressing information can be carried in TCP option fields, directly in other fields, or indirectly through data structures maintained by the endpoints processing the connection. Address information can be encoded into header fields originally intended for other purposes but that are unused or encoded into used fields, overlaid in combination with other data that is being carried in those used fields. The existence of inner-connection addressing information in a packet can be signaled by a flag in the packet, by a bit or other designated encoding. The flag can be in an unused header field or overlaid.
  Type: Grant
  Filed: April 22, 2013
  Date of Patent: May 3, 2016
  Assignee: RIVERBED TECHNOLOGY, INC.
  Inventors: Alfred Landrum, Kand Ly, Steven McCanne
- Patent number: 9007912
  Abstract: Serial clustering uses two or more network devices connected in series via a local and/or wide-area network to provide additional capacity when network traffic exceeds the processing capabilities of a single network device. When a first network device reaches its capacity limit, any excess network traffic beyond that limit is passed through the first network device unchanged. A network device connected in series with the first network device intercepts and will process the excess network traffic provided that it has sufficient processing capacity. Additional network devices can process remaining network traffic in a similar manner until all of the excess network traffic has been processed or until there are no more additional network devices. Network devices may use rules to determine how to handle network traffic. Rules may be based on the attributes of received network packets, attributes of the network device, or attributes of the network.
  Type: Grant
  Filed: February 27, 2013
  Date of Patent: April 14, 2015
  Assignee: Riverbed Technology, Inc.
  Inventors: David Tze-Si Wu, Nitin Gupta, Kand Ly
- Patent number: 8954957
  Abstract: Network devices include hosted virtual machines and virtual machine applications. Hosted virtual machines and their applications implement additional functions and services in network devices. Network devices include data taps for directing network traffic to hosted virtual machines and allowing hosted virtual machines to inject network traffic. Network devices include unidirectional data flow specifications, referred to as hyperswitches. Each hyperswitch is associated with a hosted virtual machine and receives network traffic received by the network device from a single direction. Each hyperswitch processes network traffic according to rules and rule criteria. A hosted virtual machine can be associated with multiple hyperswitches, thereby independently specifying the data flow of network traffic to and from the hosted virtual machine from multiple networks.
  Type: Grant
  Filed: July 1, 2009
  Date of Patent: February 10, 2015
  Assignee: Riverbed Technology, Inc.
  Inventors: David Tze-Si Wu, Kand Ly, Lap Nathan Trac, Alexei Potashnik
- Patent number: 8938553
  Abstract: Proxy devices associate their direct connection with a client/server connection passing through one or more NAT devices. First proxy device receives a network connection request from a client. First proxy device stores connection information in association with a connection identifier. Connection information may reflect the usage of NAT devices between the two proxy devices. First proxy device sends a connection response including the connection identifier to the client. Second proxy device sends a direct connection request to first proxy device to establish a direct connection. Direct connection request includes the connection identifier, which is used by first proxy device to associate the direct connection with stored connection information. First proxy device may use the connection information to direct network traffic received via this direct connection to the correct destination and to divert network traffic from the server to the client through the direct connection and first and second proxy devices.
  Type: Grant
  Filed: March 31, 2012
  Date of Patent: January 20, 2015
  Assignee: Riverbed Technology, Inc.
  Inventors: Kand Ly, Michael J. Demmer, Steven McCanne, Alfred Landrum
- Patent number: 8843636
  Abstract: Digital certificates are distributed to WAN optimization modules in organization and content delivery networks to securely optimize network traffic. The content delivery network identifies edge WAN optimization modules for use with each combination of organizations and their cloud services and distributes digital certificates accordingly. Peering digital certificates for establishing inner connections between organization and edge WAN optimization modules are exchanged via one or more management portals. Shadow digital certificates for establishing outer connections between WAN optimization modules and clients are generated in the form of certificate signing requests. Configuration information identifies any additional cloud services associated with a given cloud service and generates corresponding additional certificate signing requests.
  Type: Grant
  Filed: December 30, 2011
  Date of Patent: September 23, 2014
  Assignee: Riverbed Technology, Inc.
  Inventors: David Tze-Si Wu, John S. Cho, Kand Ly
- Patent number: 8782395
  Abstract: Content delivery networks may associate each WAN optimized network connection with a specific client-to-cloud-service connection using connection identifiers. When an edge node of a content delivery network receives or intercepts a network connection request from a client device including an auto-discovery indicator from an upstream WAN optimization module, the edge node stores a connection identifier for this network connection. The edge node sends a connection response back to the client device including an auto-discovery response indicator. In response, the WAN optimization module sends one or more inner connection setup messages including the connection identifier to a second WAN optimization module in the content delivery network to establish a direct connection, referred to as an inner connection. The connection identifier is matched with the previously stored connection identifier to associate an inner connection with the network connection between the client and the cloud service.
  Type: Grant
  Filed: March 31, 2012
  Date of Patent: July 15, 2014
  Assignee: Riverbed Technology, Inc.
  Inventor: Kand Ly
- Patent number: 8762569
  Abstract: Network devices include proxies and where multiple proxies are present on a network, they can probe to determine the existence of other proxies. Where more than two proxies are present and thus different proxy pairings are possible, the proxies are programmed to determine which proxies should form a proxy pair. Marked probe packets are used by proxies to discover each other, and probing is done such that a connection can eventually be formed even if some probe packets fail due to the marking. Asymmetric routing can be detected and proxies configured for connection forwarding as necessary.
  Type: Grant
  Filed: January 17, 2013
  Date of Patent: June 24, 2014
  Assignee: Riverbed Technology, Inc.
  Inventors: Kand Ly, Maksim Ioffe, Alfred Landrum, Mark Stuart Day
- Patent number: 8739244
  Abstract: WAN optimization devices and content delivery networks together optimize network traffic on both private networks and public WANs such as the internet. A WAN optimization device intercepts and optimizes network traffic from clients within a private network. The WAN optimization device communicates this first optimized network traffic to the nearest edge computer in the content delivery network via a public WAN, such as the internet. This edge computer further optimizes the network traffic and communicates the doubly optimized network traffic via the content delivery network to a second edge computer nearest to the network traffic destination. The second edge computer converts the doubly optimized network traffic back to its original format and communicates the reconstructed network traffic from the second edge computer to the destination via a public WAN.
  Type: Grant
  Filed: September 29, 2011
  Date of Patent: May 27, 2014
  Assignee: Riverbed Technology, Inc.
  Inventors: David Tze-Si Wu, John S. Cho, Kand Ly
- Publication number: 20140143306
  Abstract: In address-manipulation enabled transaction accelerators, the transaction accelerators include outer-connection addressing information in packets emitted over an inner connection between transaction accelerators and inner-connection addressing information is added in packets sent over the inner connection. The inner-connection addressing information can be carried in TCP option fields, directly in other fields, or indirectly through data structures maintained by the endpoints processing the connection. Address information can be encoded into header fields originally intended for other purposes but that are unused or encoded into used fields, overlaid in combination with other data that is being carried in those used fields. The existence of inner-connection addressing information in a packet can be signaled by a flag in the packet, by a bit or other designated encoding. The flag can be in an unused header field or overlaid.
  Type: Application
  Filed: April 22, 2013
  Publication date: May 22, 2014
  Applicant: Riverbed Technology, Inc.
  Inventors: Alfred Landrum, Kand Ly, Steven McCanne
- Publication number: 20140071824
  Abstract: Serial clustering uses two or more network devices connected in series via a local and/or wide-area network to provide additional capacity when network traffic exceeds the processing capabilities of a single network device. When a first network device reaches its capacity limit, any excess network traffic beyond that limit is passed through the first network device unchanged. A network device connected in series with the first network device intercepts and will process the excess network traffic provided that it has sufficient processing capacity. Additional network devices can process remaining network traffic in a similar manner until all of the excess network traffic has been processed or until there are no more additional network devices. Network devices may use rules to determine how to handle network traffic. Rules may be based on the attributes of received network packets, attributes of the network device, or attributes of the network.
  Type: Application
  Filed: February 27, 2013
  Publication date: March 13, 2014
  Applicant: Riverbed Technology, Inc.
  Inventors: David Tze-Si Wu, Nitin Gupta, Kand Ly