Patents by Inventor Leon Kuperman
Leon Kuperman has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20230108773
Abstract: A system is configured to authorize client access to an application programming interface (API) of a host device. A proxy is configured to handle network traffic between a host and a client. Clients engage the host through the proxy to access an API of the host. An authorized client-side application permitted use of the API includes an API request to the proxy. The proxy determines whether an internet protocol (IP) address of the client and the token match an existing IP-token pair. If no match exists, the proxy determines whether the token matches an existing token. The proxy authorizes the client access to the API when the IP and token match an existing pair. In response to determining that the token exists in a token store but the token is associated with a different IP address, the API request may be denied.
Type: Application
Filed: December 8, 2022
Publication date: April 6, 2023
Inventors: Leon Kuperman, Jose Hernandez
-
Patent number: 11546349
Abstract: A system is configured to authorize client access to an application programming interface (API) of a host device. A proxy is configured to handle network traffic between a host and a client. Clients engage the host through the proxy to access an API of the host. An authorized client-side application permitted use of the API includes an API request to the proxy. The proxy determines whether an internet protocol (IP) address of the client and the token match an existing IP-token pair. If no match exists, the proxy determines whether the token matches an existing token. The proxy authorizes the client access to the API when the IP and token match an existing pair or if the token does not match an existing token and the token is verified by the proxy.
Type: Grant
Filed: December 16, 2020
Date of Patent: January 3, 2023
Assignee: Oracle Systems Corporation
Inventors: Leon Kuperman, Jose Hernandez
-
Publication number: 20220141233
Abstract: A system is configured to authorize client access to an application programming interface (API) of a host device. A proxy is configured to handle network traffic between a host and a client device. The system determines that an API request lacks a form of authentication including a token where the first API request cannot be authenticated. The API request is denied, and a challenge is transmitted to the client device. A subsequent API request from the client device is determined to include a presented token as the form of authentication. The presented token of the second API request is verified based on attributes of the presented token. The system permits the second API request in response to the presented token being verified. An IP-token pair is stored and the permitted second API request is transmitted to the host device for servicing.
Type: Application
Filed: January 12, 2022
Publication date: May 5, 2022
Inventors: Leon Kuperman, Jose Hernandez
-
Patent number: 11245706
Abstract: A system is configured to authorize client access to an application programming interface (API) of a host device. A proxy is configured to handle network traffic between a host and a client. Clients engage the host through the proxy to access an API of the host. An authorized client-side application permitted use of the API is distributed to clients and includes a Software Development Kit configured to generate a unique token and provide the token in association with an API request when challenged by the proxy. For example, the proxy may challenge a client to present a token in response to receiving an API request lacking a token or when a token is expired. The proxy verifies the token to authenticate the client and permits authorized clients access to the API by passing API requests received from authenticated clients on to the host for servicing.
Type: Grant
Filed: March 22, 2018
Date of Patent: February 8, 2022
Assignee: Oracle Systems Corporation
Inventors: Leon Kuperman, Jose Hernandez
-
Publication number: 20210105286
Abstract: A system is configured to authorize client access to an application programming interface (API) of a host device. A proxy is configured to handle network traffic between a host and a client. Clients engage the host through the proxy to access an API of the host. An authorized client-side application permitted use of the API includes an API request to the proxy. The proxy determines whether an internet protocol (IP) address of the client and the token match an existing IP-token pair. If no match exists, the proxy determines whether the token matches an existing token. The proxy authorizes the client access to the API when the IP and token match an existing pair or if the token does not match an existing token and the token is verified by the proxy.
Type: Application
Filed: December 16, 2020
Publication date: April 8, 2021
Inventors: Leon Kuperman, Jose Hernandez
-
Patent number: 10873587
Abstract: A system is configured to authorize client access to an application programming interface (API) of a host device. A proxy is configured to handle network traffic between a host and a client. Clients engage the host through the proxy to access an API of the host. An authorized client-side application permitted use of the API includes a Software Development Kit configured to generate a unique token and provide the token in association with an API request to the proxy. The proxy determines whether an internet protocol (IP) address of the client and the token match an existing IP-token pair. If no match exists, the proxy determines whether the token matches an existing token. The proxy authorizes the client access to the API when the IP and token match an existing pair or if the token does not match an existing token and the token is verified by the proxy.
Type: Grant
Filed: March 22, 2018
Date of Patent: December 22, 2020
Assignee: Oracle Systems Corporation
Inventors: Leon Kuperman, Jose Hernandez
-
Patent number: 10735382
Abstract: A system detects human activity through browser canvas events to mitigate the effects of an attack on a host, such as an application layer (layer 7) DDoS attack. A proxy, such as a HTTP/HTTPS “HTTP(S)” proxy server, configured to handle network traffic between a host and clients challenges clients engaging the host. The proxy challenges the clients by injecting code having a beacon and a shared encryption key into the content received from the host prior to transmission of the client. The code, when executed by the client, is configured to monitor user interactions (or lack thereof) with the content at the client in order to determine whether there is human activity at the client. The proxy receives and analyzes the information about interactions (or lack thereof) to determine whether a client is malicious (e.g., non-human activity) or non-malicious (e.g., human activity).
Type: Grant
Filed: January 27, 2017
Date of Patent: August 4, 2020
Assignee: Zenedge, Inc.
Inventors: Leon Kuperman, Fausto Lendeborg, David Allen McKinney, Jose Enrique Hernandez
-
Patent number: 10652254
Abstract: A system is configured for protecting web applications at a host by analyzing web application behavior to detect malicious client requests. Example embodiments described herein include a proxy configured to handle network traffic between a host and clients. The proxy includes two request classification mechanisms, first a list of known clients, malicious and non-malicious, for identifying known malicious and known non-malicious requests and second a web application firewall for determining a classification for unknown requests (e.g., not originating from a known client). The classification itself may be distributed. The proxy determines whether a request is known non-malicious, known malicious, or unknown. The proxy collects request attributes for the known malicious and known non-malicious requests for the generation of a model based on the attributes of the known requests. The proxy passes the unknown requests to the WAF for determining a classification based on their attributes using the model.
Type: Grant
Filed: February 23, 2017
Date of Patent: May 12, 2020
Assignee: ZENEDGE, INC.
Inventors: Leon Kuperman, Kipras Mancevicius
-
Patent number: 10623376
Abstract: A system (and method, and computer readable storage medium storing computer program instructions) is configured to determine a fingerprint of a client and qualify client behavior. For example, a proxy positioned between a host and the client may determine the fingerprint of the client and qualify the behavior of clients engaging the host. The client fingerprint provides a relatively stable representation of the client such that the client may be distinguished from the other clients engaging the host and the behavior of the client tracked. Clients engaging the host in a positive manner are prequalified to access the host based on the positive behavior they exhibit. During an attack on the host, such as a DDoS attack, prequalified clients retain access to features and functionality provided by the host to maintain legitimate user experience and better enable the proxy to handle malicious clients.
Type: Grant
Filed: January 27, 2017
Date of Patent: April 14, 2020
Assignee: ZENEDGE, INC.
Inventors: Leon Kuperman, Fausto Lendeborg, David Allen McKinney, Jose Enrique Hernandez
-
Patent number: 10218810
Abstract: A proxy server routes a request for online content from a user device to an origin server, which returns the requested online content to the proxy server. The proxy server passes the online content to the user device. In order to service subsequent user device requests with cached content, the proxy server, having received the initially requested online content from the origin server, parses out dynamic content specific to the user from static content common to many users within the web page content according to tags identifying the dynamic content. The proxy server stores the dynamic content within a personalized cache and also stores an association between the user/user device for the dynamic content stored. In this way, a subsequent request from the user device for the same online content may be serviced from cache, and include dynamic content specific to that user/user device by way of the personalized cache.
Type: Grant
Filed: December 28, 2017
Date of Patent: February 26, 2019
Assignee: ZENEDGE, INC.
Inventors: Leon Kuperman, Kipras Mancevičius, Dmytro Bekinin
-
Publication number: 20180278624
Abstract: A system is configured to authorize client access to an application programming interface (API) of a host device. A proxy is configured to handle network traffic between a host and a client. Clients engage the host through the proxy to access an API of the host. An authorized client-side application permitted use of the API is distributed to clients and includes a Software Development Kit configured to generate a unique token and provide the token in association with an API request when challenged by the proxy. For example, the proxy may challenge a client to present a token in response to receiving an API request lacking a token or when a token is expired. The proxy verifies the token to authenticate the client and permits authorized clients access to the API by passing API requests received from authenticated clients on to the host for servicing.
Type: Application
Filed: March 22, 2018
Publication date: September 27, 2018
Inventors: Leon Kuperman, Jose Hernandez
-
Publication number: 20180278584
Abstract: A system is configured to authorize client access to an application programming interface (API) of a host device. A proxy is configured to handle network traffic between a host and a client. Clients engage the host through the proxy to access an API of the host. An authorized client-side application permitted use of the API includes a Software Development Kit configured to generate a unique token and provide the token in association with an API request to the proxy. The proxy determines whether an internet protocol (IP) address of the client and the token match an existing IP-token pair. If no match exists, the proxy determines whether the token matches an existing token. The proxy authorizes the client access to the API when the IP and token match an existing pair or if the token does not match an existing token and the token is verified by the proxy.
Type: Application
Filed: March 22, 2018
Publication date: September 27, 2018
Inventors: Leon Kuperman, Jose Hernandez
-
Publication number: 20180124201
Abstract: A proxy server routes a request for online content from a user device to an origin server, which returns the requested online content to the proxy server. The proxy server passes the online content to the user device. In order to service subsequent user device requests with cached content, the proxy server, having received the initially requested online content from the origin server, parses out dynamic content specific to the user from static content common to many users within the web page content according to tags identifying the dynamic content. The proxy server stores the dynamic content within a personalized cache and also stores an association between the user/user device for the dynamic content stored. In this way, a subsequent request from the user device for the same online content may be serviced from cache, and include dynamic content specific to that user/user device by way of the personalized cache.
Type: Application
Filed: December 28, 2017
Publication date: May 3, 2018
Inventors: Leon Kuperman, Kipras Mancevicius, Dmytro Bekinin
-
Publication number: 20180124085
Abstract: A network traffic hub extracts encryption metadata from messages establishing an encrypted connection between a smart appliance and a remote server and determines whether malicious behavior is present in the messages. For example, the network traffic hub can extract an encryption cipher suite, identified encryption algorithms, or a public certificate. The network traffic hub detects malicious behavior or security threats based on the encryption metadata. These security threats may include a man-in-the-middle attacker or a Padding Oracle On Downgraded Legacy Encryption attack. Upon detecting malicious behavior or security threats, the network traffic hub blocks the encrypted traffic or notifies a user.
Type: Application
Filed: October 31, 2017
Publication date: May 3, 2018
Inventors: Yuri Frayman, Robert Beatty, Leon Kuperman, Gabor Takacs
-
Patent number: 9860334
Abstract: A proxy server routes a request for online content from a user device to an origin server, which returns the requested online content to the proxy server. The proxy server passes the online content to the user device. In order to service subsequent user device requests with cached content, the proxy server, having received the initially requested online content from the origin server, parses out dynamic content specific to the user from static content common to many users within the web page content according to tags identifying the dynamic content. The proxy server stores the dynamic content within a personalized cache and also stores an association between the user/user device for the dynamic content stored. In this way, a subsequent request from the user device for the same online content may be serviced from cache, and include dynamic content specific to that user/user device by way of the personalized cache.
Type: Grant
Filed: December 18, 2015
Date of Patent: January 2, 2018
Assignee: Zenedge, Inc.
Inventors: Leon Kuperman, Kipras Mancevičius, Dmytro Bekinin
-
Publication number: 20170244737
Abstract: A system is configured for protecting web applications at a host by analyzing web application behavior to detect malicious client requests. Example embodiments described herein include a proxy configured to handle network traffic between a host and clients. The proxy includes two request classification mechanisms, first a list of known clients, malicious and non-malicious, for identifying known malicious and known non-malicious requests and second a web application firewall for determining a classification for unknown requests (e.g., not originating from a known client). The classification itself may be distributed. The proxy determines whether a request is known non-malicious, known malicious, or unknown. The proxy collects request attributes for the known malicious and known non-malicious requests for the generation of a model based on the attributes of the known requests. The proxy passes the unknown requests to the WAF for determining a classification based on their attributes using the model.
Type: Application
Filed: February 23, 2017
Publication date: August 24, 2017
Inventors: Leon Kuperman, Kipras Mancevicius
-
Publication number: 20170222979
Abstract: A system (and method, and computer readable storage medium storing computer program instructions) is configured to determine a fingerprint of a client and qualify client behavior. For example, a proxy positioned between a host and the client may determine the fingerprint of the client and qualify the behavior of clients engaging the host. The client fingerprint provides a relatively stable representation of the client such that the client may be distinguished from the other clients engaging the host and the behavior of the client tracked. Clients engaging the host in a positive manner are prequalified to access the host based on the positive behavior they exhibit. During an attack on the host, such as a DDoS attack, prequalified clients retain access to features and functionality provided by the host to maintain legitimate user experience and better enable the proxy to handle malicious clients.
Type: Application
Filed: January 27, 2017
Publication date: August 3, 2017
Inventors: Leon Kuperman, Fausto Lendeborg, David Allen McKinney, Jose Enrique Hernandez
-
Publication number: 20170223049
Abstract: A system detects human activity through browser canvas events to mitigate the effects of an attack on a host, such as an application layer (layer 7) DDoS attack. A proxy, such as a HTTP/HTTPS “HTTP(S)” proxy server, configured to handle network traffic between a host and clients challenges clients engaging the host. The proxy challenges the clients by injecting code into the content received from the host prior to transmission of the client. The code, when executed by the client, is configured to monitor user interactions (or lack thereof) with the content at the client in order to determine whether there is human activity at the client. The proxy receives and analyzes the information about interactions (or lack thereof) to determine whether a client is malicious (e.g., non-human activity) or non-malicious (e.g., human activity).
Type: Application
Filed: January 27, 2017
Publication date: August 3, 2017
Inventors: Leon Kuperman, Fausto Lendeborg, David Allen McKinney, Jose Enrique Hernandez
-
Publication number: 20160182672
Abstract: A proxy server routes a request for online content from a user device to an origin server, which returns the requested online content to the proxy server. The proxy server passes the online content to the user device. In order to service subsequent user device requests with cached content, the proxy server, having received the initially requested online content from the origin server, parses out dynamic content specific to the user from static content common to many users within the web page content according to tags identifying the dynamic content. The proxy server stores the dynamic content within a personalized cache and also stores an association between the user/user device for the dynamic content stored. In this way, a subsequent request from the user device for the same online content may be serviced from cache, and include dynamic content specific to that user/user device by way of the personalized cache.
Type: Application
Filed: December 18, 2015
Publication date: June 23, 2016
Inventors: Leon Kuperman, Kipras Mancevicius, Dmytro Bekinin
-
Publication number: 20100318433
Abstract: A system for diverting motivated bidders from a publisher's webpage to an on-line auction site comprises an auction website server hosting an on-line auction and having an xml file with which a potential bidder's web browser can communicate via a banner ad displayed at a publisher's website to request a list of authorized domains having access rights to communicate with the on-line auction server. Means are provided for permitting the potential bidder's web browser to open a channel of communication to the auction website's webpage in http or https format to obtain a listing from the on-line auction website of at least one auction at the on-line auction website that is ending soon and which meets search criteria specific to the publisher's webpage as previously selected by one or both of the on-line website and the publisher. The listing is in http or https format and is displayed as real-time content within the banner ad.
Type: Application
Filed: June 15, 2009
Publication date: December 16, 2010
Applicant: Bidz.com Inc.
Inventor: Leon Kuperman