Patents by Inventor Yair Tor
Yair Tor has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
- Publication number: 20240250929
  Abstract: A computing system is configured to perform zero-trust domain name resolution. The computing system includes applications coupled to a zero-trust client. The zero-trust client is configured to receive requests for IP addresses corresponding to endpoint identifiers for internet connected endpoints. The zero-trust client includes a synthetic DNS service configured to identify synthetic IP addresses for the endpoint identifiers. The zero-trust client provides the synthetic IP addresses for the endpoint identifiers to the applications. The zero-trust client sends data traffic from the applications to a zero-trust service with the synthetic IP addresses where corresponding synthetic IP addresses are correlated to the endpoint identifiers at the zero-trust service.
  Type: Application
  Filed: January 18, 2024
  Publication date: July 25, 2024
  Inventors: Ashish JAIN, Mordhai GENDELMAN, Or MORAN, Omer KATTAN, Yair TOR, Ronen Shmuel GOLDSMITH, Liraz BARAK
- Patent number: 11943195
  Abstract: A computing system is configured to perform zero-trust domain name resolution. The computing system includes applications coupled to a zero-trust client. The zero-trust client is configured to receive requests for IP addresses corresponding to endpoint identifiers for internet connected endpoints. The zero-trust client includes a synthetic DNS service configured to identify synthetic IP addresses for the endpoint identifiers. The zero-trust client provides the synthetic IP addresses for the endpoint identifiers to the applications. The zero-trust client sends data traffic from the applications to a zero-trust service with the synthetic IP addresses and sends corresponding endpoint identifiers to the zero-trust service in a fashion that allows the synthetic IP addresses to be correlated to the endpoint identifiers at the zero-trust service.
  Type: Grant
  Filed: January 20, 2023
  Date of Patent: March 26, 2024
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Ashish Jain, Mordhai Gendelman, Or Moran, Omer Kattan, Yair Tor, Ronen Shmuel Goldsmith, Liraz Barak
- Publication number: 20240064147
  Abstract: Methods, systems and computer program products are provided for granular secure user access to private resources. Increased granularity of security policies for user access may reduce security threats to resources. Security policies indicating user access to secure resources may be based on various combinations of user identities, client-side process (e.g., sub-process) identities, device identities, device types, device locations, resource access types, intelligent access (e.g., selective traffic routing), etc. For example, a security policy may indicate user A, using computing device B executing process C with process signature S (e.g., a signing signature thumbprint, etc.) may access private resource D. A process identity may be indicated by at least one of a process name, a code signing signature, a thumbprint, a process version, or a process publisher. Resource access security policy determinations and/or enforcement may be performed by security clients and/or security engines (e.g.
  Type: Application
  Filed: August 16, 2022
  Publication date: February 22, 2024
  Inventors: Ashish JAIN, Ronnie GREENSTEIN, Mordhai GENDELMAN, Avraham CARMON, Sinead C. O'DONOVAN, Yair TOR
- Publication number: 20240064138
  Abstract: Methods, systems and computer program products are provided for intelligent secure access to private resources. A security service (e.g., SASE ZTNA) may maintain the same or similar security posture for users who work remotely and/or locally by providing authentication, authorization, and/or ongoing conditional access via a security service (e.g., private or public SASE) while intelligently routing remote client traffic to private resources through the security service and routing local client traffic to private resources locally. A traffic routing determination may be made by a security client and/or security server. A traffic routing determination may be based on the location of a client computing device, such as a trusted network detection for a private/trusted network. Traffic routing determinations may be based on conditions alternative or in addition to location, such as the type of private resource or information being accessed by a client computing device.
  Type: Application
  Filed: August 16, 2022
  Publication date: February 22, 2024
  Inventors: Ashish JAIN, Mordhai GENDELMAN, Jeevan Singh BISHT, Avraham CARMON, Sinead C. O'DONOVAN, Yair TOR
- Publication number: 20230071347
  Abstract: A recommendation system for recommending a target feature value for a target feature for a target deployment is provided. The recommendation system, for each of a plurality of deployments, collects feature values for the features of that deployment. The recommendation system then generates a model for recommending a target feature value for the target feature based on the collected feature values of the features for the deployments. The recommendation system applies the model to the features of the target deployment to identify a target feature value for the target feature. The recommendation system then provides the identified target feature value as a recommendation for the target feature for the target deployment.
  Type: Application
  Filed: November 14, 2022
  Publication date: March 9, 2023
  Inventors: Efim HUDIS, Hani-Hana NEUVIRTH, Daniel ALON, Royi RONEN, Yair TOR, Gilad Michael ELYASHAR
- Patent number: 11595352
  Abstract: The devices and methods relate to web categorization of web requests. The devices and methods may perform a two-step classification of the web requests. The first classification may provide potential web categories for a web request based on a fully qualified domain name (FQDN) of the web request. The first classification may be used to determine whether transport layer security (TLS) termination may be performed on the web request. The second classification may provide a web category for a uniform resource locator (URL) of the web request after performing the TLS termination. The web category may be used by a firewall in filtering web traffic for the web request.
  Type: Grant
  Filed: December 21, 2020
  Date of Patent: February 28, 2023
  Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
  Inventors: Suren Jamiyanaa, Yair Tor, Sudharsan Balakrishnan Sripadham, Daniel Manesku, Andrey Terentyev, Murali Krishna Sangubhatla
- Patent number: 11533240
  Abstract: A recommendation system for recommending a target feature value for a target feature for a target deployment is provided. The recommendation system, for each of a plurality of deployments, collects feature values for the features of that deployment. The recommendation system then generates a model for recommending a target feature value for the target feature based on the collected feature values of the features for the deployments. The recommendation system applies the model to the features of the target deployment to identify a target feature value for the target feature. The recommendation system then provides the identified target feature value as a recommendation for the target feature for the target deployment.
  Type: Grant
  Filed: May 16, 2016
  Date of Patent: December 20, 2022
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Efim Hudis, Hani-Hana Neuvirth, Daniel Alon, Royi Ronen, Yair Tor, Gilad Michael Elyashar
- Publication number: 20220200955
  Abstract: The devices and methods relate to web categorization of web requests. The devices and methods may perform a two-step classification of the web requests. The first classification may provide potential web categories for a web request based on a fully qualified domain name (FQDN) of the web request. The first classification may be used to determine whether transport layer security (TLS) termination may be performed on the web request. The second classification may provide a web category for a uniform resource locator (URL) of the web request after performing the TLS termination. The web category may be used by a firewall in filtering web traffic for the web request.
  Type: Application
  Filed: December 21, 2020
  Publication date: June 23, 2022
  Inventors: Suren JAMIYANAA, Yair TOR, Sudharsan Balakrishnan SRIPADHAM, Daniel MANESKU, Andrey TERENTYEV, Murali Krishna SANGUBHATLA
- Patent number: 10943181
  Abstract: Disclosed herein is a system and method that can be used with any underlying classification technique. The method receives a test dataset and determines the features in that test dataset that are present. From these features the training dataset is modified to only have those features that are present in the test dataset. This modified test dataset is then used to calibrate the classifier for the particular incoming data set. The process repeats itself for each different incoming dataset providing a just in time calibration of the classifier.
  Type: Grant
  Filed: June 26, 2015
  Date of Patent: March 9, 2021
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Hanan Shteingart, Yair Tor, Eli Koreh, Amit Hilbuch, Yifat Schacter
- Publication number: 20200396207
  Abstract: A solution for firewall auto-learning in zero trust environments, such as cloud environments, includes: based at least on a first trigger event, determining a first set of restricted dependencies for a cloud service firewall to learn for a first application; during a first learning phase, learning a first set of candidate rules corresponding to at least a portion of the first set of restricted dependencies; receiving an indication of verifying, blocking, or tailoring one or more candidate rules within the first set of candidate rules, to generate a first set of verified rules; and operating the firewall with the first set of verified rules for the first application. Some examples include receiving a set of constraints, such as a selection from a set of preset constraints and/or a custom constraint. Some examples include retraining based at least on a second trigger event and/or learning rules for a second application.
  Type: Application
  Filed: June 17, 2019
  Publication date: December 17, 2020
  Inventors: Girish M. MOTWANI, Yair TOR, Sinead C. O'DONOVAN, Murali K. SANGUBHATLA, Andrey TERENTYEV, Madhusudhan RAVI
- Patent number: 10504035
  Abstract: Disclosed herein is a system and method that can be used with any underlying classification technique. The method takes into account both the value of the current feature vector. It is based on evaluating the effect of perturbing each feature by bootstrapping it with the negative samples and measuring the change in the classifier output. To assess the importance of a given feature value in the classified feature vector, a random negatively labeled instance is taken out of the training set and replaces the feature in question with a corresponding feature from this set. Then, by classifying the modified feature vector and comparing its predicted label and classifier output, a user is able to measure and observe the effect of changing each feature.
  Type: Grant
  Filed: June 23, 2015
  Date of Patent: December 10, 2019
  Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
  Inventors: Hanan Shteingart, Yair Tor, Eli Koreh, Amit Hilbuch, Yifat Schacter
- Publication number: 20170207980
  Abstract: A recommendation system for recommending a target feature value for a target feature for a target deployment is provided. The recommendation system, for each of a plurality of deployments, collects feature values for the features of that deployment. The recommendation system then generates a model for recommending a target feature value for the target feature based on the collected feature values of the features for the deployments. The recommendation system applies the model to the features of the target deployment to identify a target feature value for the target feature. The recommendation system then provides the identified target feature value as a recommendation for the target feature for the target deployment.
  Type: Application
  Filed: May 16, 2016
  Publication date: July 20, 2017
  Inventors: Efim Hudis, Hani-Hana Neuvirth, Daniel Alon, Royi Ronen, Yair Tor, Gilad Michael Elyashar
- Publication number: 20160379133
  Abstract: Disclosed herein is a system and method that can be used with any underlying classification technique. The method takes into account both the value of the current feature vector. It is based on evaluating the effect of perturbing each feature by bootstrapping it with the negative samples and measuring the change in the classifier output. To assess the importance of a given feature value in the classified feature vector, a random negatively labeled instance is taken out of the training set and replaces the feature in question with a corresponding feature from this set. Then, by classifying the modified feature vector and comparing its predicted label and classifier output, a user is able to measure and observe the effect of changing each feature.
  Type: Application
  Filed: June 23, 2015
  Publication date: December 29, 2016
  Inventors: Hanan Shteingart, Yair Tor, Eli Koreh, Amit Hilbuch, Yifat Schacter
- Publication number: 20160379135
  Abstract: Disclosed herein is a system and method that can be used with any underlying classification technique. The method receives a test dataset and determines the features in that test dataset that are present. From these features the training dataset is modified to only have those features that are present in the test dataset. This modified test dataset is then used to calibrate the classifier for the particular incoming data set. The process repeats itself for each different incoming dataset providing a just in time calibration of the classifier.
  Type: Application
  Filed: June 26, 2015
  Publication date: December 29, 2016
  Inventors: Hanan Shteingart, Yair Tor, Eli Koreh, Amit Hilbuch, Yifat Schacter
- Patent number: 9344432
  Abstract: Embodiments of the invention provide techniques for basing access control decisions at the network layer at least in part on information provided in claims, which may describe attributes of a computer requesting access, one or more resources to which access is requested, the user, the circumstances surrounding the requested access, and/or other information. The information may be evaluated based on one or more access control policies, which may be pre-set or dynamically generated, and used in making a decision whether to grant or deny the computer access to the specified resource(s).
  Type: Grant
  Filed: June 24, 2010
  Date of Patent: May 17, 2016
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Yair Tor, Daniel Rose, Eugene (John) Neystadt, Patrik Schnell, Moshe Sapir, Oleg Ananiev, Arthur Zavalkovsky, Anat Eyal
- Patent number: 9111079
  Abstract: Embodiments of the invention make the issuance of trustworthy device claims available to client devices as a service, so that a client device to which device claims are issued may use the device claims in relation to an attempt to access a network application. The service may conduct an assessment of the device's characteristics and/or state, characterize the results of this assessment in device claims, and issue the device claims to the device. The service may be accessible to a client device from outside administrative boundaries of an entity that makes a network application accessible, and thus may be useful to entities making network applications accessible in business-to-consumer (B2C) and business-to-business (B2B) topologies, such as over the publicly accessible Internet.
  Type: Grant
  Filed: January 27, 2011
  Date of Patent: August 18, 2015
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Eugene (John) Neystadt, Daniel Alon, Yair Tor, Mark Novak, Khaja E. Ahmed, Yoav Yassour
- Patent number: 8918856
  Abstract: Embodiments of the invention provide a trusted intermediary for use in a system in which access control decisions may be based at least in part on information provided in claims. The intermediary may request claims on behalf of a network resource to which access is requested, and submit the claims for a decision whether to grant or deny access. The decision may be based at least in part on one or more access control policies, which may be pre-set or dynamically generated. Because the intermediary requests the claims and submits the claims for an access control decision, the network resource (e.g., a server application) need not be configured to process claims information.
  Type: Grant
  Filed: June 24, 2010
  Date of Patent: December 23, 2014
  Assignee: Microsoft Corporation
  Inventors: Yair Tor, Eugene (John) Neystadt, Patrik Schnell, Oleg Ananiev, Arthur Zavalkovsky, Daniel Rose
- Patent number: 8880667
  Abstract: Attestation by a self-regulating attestation client. The attestation client requests a credential of health from an attestation service, which includes an ordered attestation log and proof of integrity and freshness of the log. The attestation client receives the requested credential of health, which certifies the attestation client was healthy when it requested the credential of health and that the attestation service trusts the attestation client to be healthy each time the attestation client authenticates using the credential of health. The attestation client receives a request to authenticate that it is healthy using the credential of health, verifies that it is currently healthy, and performs the requested authentication.
  Type: Grant
  Filed: February 9, 2011
  Date of Patent: November 4, 2014
  Assignee: Microsoft Corporation
  Inventors: Mark F. Novak, Stefan Thom, Yair Tor, Alexey Efron, Amos Ortal
- Patent number: 8799985
  Abstract: Architecture that provides additional data that can be obtained and employed in security models in order to provide security to services over the service lifecycle. The architecture automatically propagates security classifications throughout the lifecycle of the service, which can include initial deployment, expansion, moving servers, monitoring, and reporting, for example, and further include classification propagation from the workload (computer), classification propagation in the model, classification propagation according to the lineage of the storage location (e.g., virtual hard drive), status propagation in the model and classification based on data stored in the machine.
  Type: Grant
  Filed: March 19, 2010
  Date of Patent: August 5, 2014
  Assignee: Microsoft Corporation
  Inventors: Anders B. Vinberg, John Neystadt, Yair Tor, Oleg Ananiev
- Patent number: 8528069
  Abstract: Embodiments of the invention enable a client device to procure trustworthy device claims describing one or more attributes of the client device, have those device claims included in a data structure having a format suitable for processing by an application, and use the data structure which includes the device claims in connection with a request to access the application. The application may use the device claims to drive any of numerous types of application functionality, such as security-related and/or other functionality.
  Type: Grant
  Filed: January 27, 2011
  Date of Patent: September 3, 2013
  Assignee: Microsoft Corporation
  Inventors: Mark Novak, Yair Tor, Eugene Neystadt, Yoav Yassour, Alexey Efron, Amos Ortal, Daniel Alon, Ran Didi