Patents by Inventor Lebin Cheng
Lebin Cheng has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
- Publication number: 20240323233
  Abstract: The technology disclosed relates to accessing a hosted service on a client device. In particular, the technology disclosed relates to receiving, on a client device of an entity's user, from a network security system, a forwarding rule for modifying requests for accessing a hosted service, receiving on the client device a request for accessing the hosted service, using the forwarding rule to modify the request for accessing the hosted service and generating a modified request for accessing the hosted service, and receiving on the client device a response from the network security system.
  Type: Application
  Filed: June 4, 2024
  Publication date: September 26, 2024
  Inventors: Krishna Narayanaswamy, Lebin Cheng, Ravi Ithal, Sanjay Beri
- Publication number: 20240323232
  Abstract: The technology disclosed relates to a proxy receiving a request to manipulate a data object on an independent object store. The proxy is interposed between a user system from which the request originates and the independent object store. The technology disclosed further relates to the proxy accessing a metadata store that contains object metadata for the data object and retrieving the object metadata. The technology disclosed further relates to the proxy enforcing a policy on the request based on the object metadata. Enforcing the policy further includes enforcing malware detection policies and threat detection policies.
  Type: Application
  Filed: June 3, 2024
  Publication date: September 26, 2024
  Inventors: Krishna Narayanaswamy, Lebin Cheng, Abhay Kulkarni, Ravi Ithal, Chetan Anand, Rajneesh Chopra
- Patent number: 12074912
  Abstract: A dynamic API security policy is enforced at runtime. This can be done without having access to the API specification or code. A flow of execution initiated by the API is tracked at runtime, and a data object used by the API is identified. Specific data labels are assigned to specific fields of the data object used by the API. The specific data labels consistently identify data fields of specific types. The API security policy that is enforced prohibits specific actions concerning data fields of specific types, which are also consistently identified in the security policy. Actions in the tracked flow of execution that violate the API security policy are detected at runtime, and security actions are taken in response. In some implementations, these dynamic API security techniques are supplemented with static API security analysis of an API specification and a set of rules concerning API risk assessment.
  Type: Grant
  Filed: June 3, 2021
  Date of Patent: August 27, 2024
  Assignee: ArecaBay, Inc.
  Inventors: Lebin Cheng, Ravindra Balupari, Sekhar Babu Chintaginjala, Ankit Kumar, Sandeep Yadav
- Patent number: 12041093
  Abstract: The technology disclosed relates to accessing a hosted service on a client device. In particular, the technology disclosed relates to receiving, on a client device of an entity's user, from a network security system, a forwarding rule for modifying requests for accessing a hosted service, receiving on the client device a request for accessing the hosted service, using the forwarding rule to modify the request for accessing the hosted service and generating a modified request for accessing the hosted service, and receiving on the client device a response from the network security system.
  Type: Grant
  Filed: November 22, 2021
  Date of Patent: July 16, 2024
  Assignee: Netskope, Inc.
  Inventors: Krishna Narayanaswamy, Lebin Cheng, Ravi Ithal, Sanjay Beri
- Patent number: 12041090
  Abstract: The technology disclosed relates to a proxy receiving a request to manipulate a data object on an independent object store. The proxy is interposed between a user system from which the request originates and the independent object store. The technology disclosed further relates to the proxy accessing a metadata store that contains object metadata for the data object and retrieving the object metadata. The technology disclosed further relates to the proxy enforcing a policy on the request based on the object metadata. Enforcing the policy further includes enforcing malware detection policies and threat detection policies.
  Type: Grant
  Filed: April 9, 2021
  Date of Patent: July 16, 2024
  Assignee: Netskope, Inc.
  Inventors: Krishna Narayanaswamy, Lebin Cheng, Abhay Kulkarni, Ravi Ithal, Chetan Anand, Rajneesh Chopra
- Publication number: 20240171615
  Abstract: A multi-API security policy that covers multiple API calls of a transaction is dynamically enforced at runtime, without access to the specification or code of the APIs. Calls made to APIs of the transaction are logged, and the logs are read. Data objects used by the APIs are identified. Specific data labels are assigned to specific fields of the data objects, consistently identifying data fields of specific types. Linkages are identified between specific ones of the multiple APIs, based on the consistent identification of specific types of data fields. An API call graph is constructed, identifying a sequence of API calls made during the transaction. The call graph is used to enforce the security policy, by tracking the flow of execution of the multi-API transaction at runtime, and detecting actions that violate the security policy. Security actions are taken responsive to the detected actions that violate the policy.
  Type: Application
  Filed: February 1, 2024
  Publication date: May 23, 2024
  Inventors: Lebin Cheng, Ravindra K. Balupari, Sekhar Babu Chintaginjala, Ankit Kumar, Sandeep Yadav
- Patent number: 11916964
  Abstract: A multi-API security policy that covers multiple API calls of a transaction is dynamically enforced at runtime, without access to the specification or code of the APIs. Calls made to APIs of the transaction are logged, and the logs are read. Data objects used by the APIs are identified. Specific data labels are assigned to specific fields of the data objects, consistently identifying data fields of specific types. Linkages are identified between specific ones of the multiple APIs, based on the consistent identification of specific types of data fields. An API call graph is constructed, identifying a sequence of API calls made during the transaction. The call graph is used to enforce the security policy, by tracking the flow of execution of the multi-API transaction at runtime, and detecting actions that violate the security policy. Security actions are taken responsive to the detected actions that violate the policy.
  Type: Grant
  Filed: June 3, 2021
  Date of Patent: February 27, 2024
  Assignee: ArecaBay, Inc.
  Inventors: Lebin Cheng, Ravindra Balupari, Sekhar Babu Chintaginjala, Ankit Kumar, Sandeep Yadav
- Publication number: 20230370442
  Abstract: A network security system and method provide dynamic access control for a protected resource using a client-initiated ticket generation scheme. A client application receives, from an access control manager, a limited-use access ticket and may include the limited-use access ticket within application program interface (API) calls to a service application. The service application may forward the limited-use access ticket as a service access ticket to a ticket-based access control layer. A transaction monitor monitors run-time transaction information generated by the API calls to the service application and if the limited-use access ticket is detected in the run-time transaction information, forward the limited-use access ticket to the access control manager to perform validation of the limited-use access ticket.
  Type: Application
  Filed: May 16, 2023
  Publication date: November 16, 2023
  Inventors: Robert Dykes, Lebin Cheng, Ravindra K. Balupari
- Patent number: 11652812
  Abstract: A network security system and method implements dynamic access control for a protected resource using run-time contextual information. In some embodiments, the network security system and method implements a dynamic access ticket scheme for access control where the access ticket is based on run-time application context. In other embodiments, the network security system and method implements policy enforcement actions in response to detected violations using application programming interface (API) to effectively block detected policy violations without negatively impacting the operation of the application or the user of the application. In some embodiments, the network security system uses enterprise social collaboration tools to interact with the end-user or with the system administrator in the event of detected security incidents.
  Type: Grant
  Filed: June 17, 2021
  Date of Patent: May 16, 2023
  Assignee: ArecaBay, Inc.
  Inventors: Robert Dykes, Lebin Cheng, Ravindra K. Balupari
- Patent number: 11647010
  Abstract: The technology disclosed relates to non-intrusively enforcing security during federated single sign-on (SSO) authentication without modifying a trust relationship between a service provider (SP) and an identity provider (IDP). In particular, it relates to an assertion proxy receiving a verified assertion from an IDP obtained from an assertion that is generated when a user logs into a service provider (SP) and is verified in dependence upon the IDP's public key. It also relates to evaluating the verified assertion against one or more security policies. It further relates to forwarding the verified assertion evaluated to the SP and causing establishment of a single sign-on (SSO) authenticated session without modifying the assertion.
  Type: Grant
  Filed: July 2, 2021
  Date of Patent: May 9, 2023
  Assignee: Netskope, Inc.
  Inventors: Lebin Cheng, Krishna Narayanaswamy, Kartik Kumar Chatnalli Deshpande Sridhar
- Patent number: 11575735
  Abstract: The technology disclosed applies data loss prevention (DLP) to those cloud-applications for which no application-specific parser is available. Known cloud applications can be arranged in categories of services such as “personal pages and blog,” “news websites,” “cloud-based storage services,” and “social media services.” A category includes a list of uniform resource locators (URLs) of providers of cloud applications that allow users to perform similar activities. The various providers in a category use different syntaxes to implement services in the category. The disclosed category-directed parsers synthesize interaction syntax patterns of a sample of providers in the category. A category-directed parser collects metadata from known cloud applications using multiple category-directed match rules synthesized from syntaxes used by the sample providers in the category.
  Type: Grant
  Filed: July 12, 2021
  Date of Patent: February 7, 2023
  Assignee: Netskope, Inc.
  Inventors: Lebin Cheng, Krishna Narayanaswamy
- Publication number: 20220086192
  Abstract: The technology disclosed relates to accessing a hosted service on a client device. In particular, the technology disclosed relates to receiving, on a client device of an entity's user, from a network security system, a forwarding rule for modifying requests for accessing a hosted service, receiving on the client device a request for accessing the hosted service, using the forwarding rule to modify the request for accessing the hosted service and generating a modified request for accessing the hosted service, and receiving on the client device a response from the network security system.
  Type: Application
  Filed: November 22, 2021
  Publication date: March 17, 2022
  Applicant: Netskope, Inc.
  Inventors: Krishna Narayanaswamy, Lebin Cheng, Ravi Ithal, Sanjay Beri
- Publication number: 20210367935
  Abstract: A network security system and method implements dynamic access control for a protected resource using run-time contextual information. In some embodiments, the network security system and method implements a dynamic access ticket scheme for access control where the access ticket is based on run-time application context. In other embodiments, the network security system and method implements policy enforcement actions in response to detected violations using application programming interface (API) to effectively block detected policy violations without negatively impacting the operation of the application or the user of the application. In some embodiments, the network security system uses enterprise social collaboration tools to interact with the end-user or with the system administrator in the event of detected security incidents.
  Type: Application
  Filed: June 17, 2021
  Publication date: November 25, 2021
  Inventors: Robert Dykes, Lebin Cheng, Ravindra K. Balupari
- Patent number: 11184398
  Abstract: A computer-implemented method for accessing a hosted service on client devices is described. The client devices include client software that uses a remotely delivered policy to redirect network requests for hosted services to a server to enforce visibility, policy and data security for network delivered services. The method can be used in conjunction with existing VPN and proxy solutions, but provides distinct additional functionality, particularly suited to corporate needs. Policies allow entities to centralize enforcement of service-specific restrictions across networks and communication channels, e.g. only certain users can download client records from a service—irrespective of the network used to access the service.
  Type: Grant
  Filed: August 28, 2019
  Date of Patent: November 23, 2021
  Assignee: Netskope, Inc.
  Inventors: Krishna Narayanaswamy, Lebin Cheng, Ravi Ithal, Sanjay Beri
- Publication number: 20210344746
  Abstract: The technology disclosed applies data loss prevention (DLP) to those cloud-applications for which no application-specific parser is available. Known cloud applications can be arranged in categories of services such as “personal pages and blog,” “news websites,” “cloud-based storage services,” and “social media services.” A category includes a list of uniform resource locators (URLs) of providers of cloud applications that allow users to perform similar activities. The various providers in a category use different syntaxes to implement services in the category. The disclosed category-directed parsers synthesize interaction syntax patterns of a sample of providers in the category. A category-directed parser collects metadata from known cloud applications using multiple category-directed match rules synthesized from syntaxes used by the sample providers in the category.
  Type: Application
  Filed: July 12, 2021
  Publication date: November 4, 2021
  Applicant: Netskope, Inc.
  Inventors: Lebin Cheng, Krishna Narayanaswamy
- Publication number: 20210336946
  Abstract: The technology disclosed relates to non-intrusively enforcing security during federated single sign-on (SSO) authentication without modifying a trust relationship between a service provider (SP) and an identity provider (IDP). In particular, it relates to an assertion proxy receiving a verified assertion from an IDP obtained from an assertion that is generated when a user logs into a service provider (SP) and is verified in dependence upon the IDP's public key. It also relates to evaluating the verified assertion against one or more security policies. It further relates to forwarding the verified assertion evaluated to the SP and causing establishment of a single sign-on (SSO) authenticated session without modifying the assertion.
  Type: Application
  Filed: July 2, 2021
  Publication date: October 28, 2021
  Applicant: Netskope, Inc.
  Inventors: Lebin Cheng, Krishna Narayanaswamy, Kartik Kumar Chatnalli Deshpande Sridhar
- Publication number: 20210226998
  Abstract: The technology disclosed relates to a proxy receiving a request to manipulate a data object on an independent object store. The proxy is interposed between a user system from which the request originates and the independent object store. The technology disclosed further relates to the proxy accessing a metadata store that contains object metadata for the data object and retrieving the object metadata. The technology disclosed further relates to the proxy enforcing a policy on the request based on the object metadata. Enforcing the policy further includes enforcing malware detection policies and threat detection policies.
  Type: Application
  Filed: April 9, 2021
  Publication date: July 22, 2021
  Applicant: Netskope, Inc.
  Inventors: Krishna Narayanaswamy, Lebin Cheng, Abhay Kulkarni, Ravi Ithal, Chetan Anand, Rajneesh Chopra
- Patent number: 11070539
  Abstract: A network security system and method implements dynamic access control for a protected resource using run-time contextual information. In some embodiments, the network security system and method implements a dynamic access ticket scheme for access control where the access ticket is based on run-time application context. In other embodiments, the network security system and method implements policy enforcement actions in response to detected violations using application programming interface (API) to effectively block detected policy violations without negatively impacting the operation of the application or the user of the application. In some embodiments, the network security system uses enterprise social collaboration tools to interact with the end-user or with the system administrator in the event of detected security incidents.
  Type: Grant
  Filed: April 4, 2019
  Date of Patent: July 20, 2021
  Assignee: ArecaBay, Inc.
  Inventors: Robert Dykes, Lebin Cheng, Ravindra K. Balupari
- Patent number: 11064013
  Abstract: The technology disclosed includes a system to apply data loss prevention (DLP) to cloud-based services for which no service-specific parser is available. The system determines that a known cloud-based service is being accessed via an application programming interface (API) and no service-specific parser is available for the API being accessed. The system applies a category-directed parser to the API being accessed. The category-directed parser includes multiple category-directed match rules derived from multiple syntaxes used by numerous known providers to implement a category of service. The category-directed parser collects metadata from content being conveyed via the API and assigns the collected metadata to variables. The system invokes a DLP processor and sends the collected metadata to the DLP processor for use in focusing analysis of content being conveyed via the API.
  Type: Grant
  Filed: May 22, 2018
  Date of Patent: July 13, 2021
  Assignee: Netskope, Inc.
  Inventors: Lebin Cheng, Krishna Narayanaswamy
- Patent number: 11064016
  Abstract: The technology disclosed includes a system to apply data loss prevention (DLP) to cloud-based services for which no service-specific parser is available. The system determines that a known cloud-based service is being accessed via an application programming interface (API) and no service-specific parser is available for the API being accessed. The system applies a category-directed parser to the API being accessed. The category-directed parser includes multiple category-directed match rules derived from multiple syntaxes used by numerous known providers to implement a category of service. The category-directed parser collects metadata from content being conveyed via the API and assigns the collected metadata to variables. The system invokes a DLP processor and sends the collected metadata to the DLP processor for use in focusing analysis of content being conveyed via the API.
  Type: Grant
  Filed: June 11, 2019
  Date of Patent: July 13, 2021
  Assignee: Netskope, Inc.
  Inventors: Lebin Cheng, Krishna Narayanaswamy