Patents by Inventor Liav Zigelbaum

Liav Zigelbaum has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 12603896
    Abstract: A method, including collecting, by a security server, reports from multiple computing devices of events belonging to a set of specified event types occurring in execution of software processes on the devices, and collating the reports in the server to extract context information with respect to each of the events. Upon detecting an event occurring in execution of a process on a given device and matching one of the types, a software agent executing on the given device extracts, one or more features from the detected event, and conveys a query with respect to the detected event from the agent to the server. Upon receiving, from the server in response to the query, the context information with respect to the detected event, the agent decides to initiate a protective action on the given device based on the received context information and the one or more features extracted by the agent.
    Type: Grant
    Filed: February 21, 2022
    Date of Patent: April 14, 2026
    Assignee: Palo Alto Networks, Inc.
    Inventors: Jonathan Allon, Niv Sela, Liav Zigelbaum, Guy Pilosof, Ori Beck
  • Patent number: 12361130
    Abstract: Methods, storage systems and computer program products implement embodiments of the present invention for protecting a computing device, which includes a processor and a memory and is coupled to a storage device storing a set of one or more files. In embodiments of the present invention, a call to a specified function for execution by the processor is detected, and a stack trace for the call to the specified function is generated in the memory. Upon detecting, in the stack trace, a stack frame including a return address referencing a shellcode region in the memory, wherein the shellcode region includes executable code that was not loaded from any given file on the storage device, then the referenced executable code is compared to a list of malicious shellcode. Finally, a preventive action is initiated upon detecting a match between the referenced executable code and one of malicious shellcodes in the list.
    Type: Grant
    Filed: April 17, 2023
    Date of Patent: July 15, 2025
    Assignee: Palo Alto Networks, Inc.
    Inventors: Or Chechik, Liav Zigelbaum, Eldar Aharoni, Bar Lahav
  • Publication number: 20240346145
    Abstract: Methods, storage systems and computer program products implement embodiments of the present invention for protecting a computing device, which includes a processor and a memory and is coupled to a storage device storing a set of one or more files. In embodiments of the present invention, a call to a specified function for execution by the processor is detected, and a stack trace for the call to the specified function is generated in the memory. Upon detecting, in the stack trace, a stack frame including a return address referencing a shellcode region in the memory, wherein the shellcode region includes executable code that was not loaded from any given file on the storage device, then the referenced executable code is compared to a list of malicious shellcode. Finally, a preventive action is initiated upon detecting a match between the referenced executable code and one of malicious shellcodes in the list.
    Type: Application
    Filed: April 17, 2023
    Publication date: October 17, 2024
    Inventors: Or Chechik, Liav Zigelbaum, Eldar Aharoni, Bar Lahav
  • Publication number: 20230269256
    Abstract: A method, including collecting, by a security server, reports from multiple computing devices of events belonging to a set of specified event types occurring in execution of software processes on the devices, and collating the reports in the server to extract context information with respect to each of the events. Upon detecting an event occurring in execution of a process on a given device and matching one of the types, a software agent executing on the given device extracts, one or more features from the detected event, and conveys a query with respect to the detected event from the agent to the server. Upon receiving, from the server in response to the query, the context information with respect to the detected event, the agent decides to initiate a protective action on the given device based on the received context information and the one or more features extracted by the agent.
    Type: Application
    Filed: February 21, 2022
    Publication date: August 24, 2023
    Inventors: Jonathan Allon, Niv Sela, Liav Zigelbaum, Guy Pilosof, Ori Beck
  • Publication number: 20230084691
    Abstract: Methods, apparatuses and computer program products implement embodiments of the present invention that include protecting a computer system coupled to a storage device by detecting an executing process that performed a specific type of modification to a number of files stored on the storage device. A processor compares the detected number to a specified threshold and initiates, on the executing process, a preventive action in response to determining that the detected number exceeds the specified threshold.
    Type: Application
    Filed: November 2, 2022
    Publication date: March 16, 2023
    Inventors: Erez Levy, Or Chechik, Liav Zigelbaum, Eldar Aharoni
  • Patent number: 11520886
    Abstract: Methods, apparatuses and computer program products implement embodiments of the present invention that include protecting a computer system coupled to a storage device by storing, to the storage device, a set of protected files and one or more decoy files, wherein any modification to the decoy file indicates a cyber-attack on the computer system. Upon receiving a request from a process executing on the computing device to enumerate files stored on the storage device, the process is analyzed so as to classify the process as benign or suspicious. The protected files are enumerated to the process whether the process was classified as benign or suspicious. However, the one or more decoy files are enumerated to the process only upon process being classified as suspicious.
    Type: Grant
    Filed: July 26, 2020
    Date of Patent: December 6, 2022
    Assignee: PALO ALTO NETWORKS (ISRAEL ANALYTICS) LTD.
    Inventors: Erez Levy, Or Chechik, Liav Zigelbaum, Eldar Aharoni
  • Publication number: 20220027471
    Abstract: Methods, apparatuses and computer program products implement embodiments of the present invention that include protecting a computer system coupled to a storage device by storing, to the storage device, a set of protected files and one or more decoy files, wherein any modification to the decoy file indicates a cyber-attack on the computer system. Upon receiving a request from a process executing on the computing device to enumerate files stored on the storage device, the process is analyzed so as to classify the process as benign or suspicious. The protected files are enumerated to the process whether the process was classified as benign or suspicious. However, the one or more decoy files are enumerated to the process only upon process being classified as suspicious.
    Type: Application
    Filed: July 26, 2020
    Publication date: January 27, 2022
    Inventors: Erez Levy, Or Chechik, Liav Zigelbaum, Eldar Aharoni