Patents by Inventor Yinnon Meshi

Yinnon Meshi has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20250097257
    Abstract: A method for protecting a computer system against malicious channels to fixed Internet Protocol (IP) addresses. The method includes collecting, by a processor, information extracted from data traffic transmitted between multiple local nodes on a private data network and public IP addresses outside the private data network. Ping packets are identified in the data traffic transmitted from one or more of the local nodes to a subset of the public IP addresses. A suspicious pattern of outgoing data packets transmitted from at least one of the local nodes and addressed to a given public IP address is detected in the collected information. The given public IP address is checked as to whether it belongs to the identified subset. A protective action is initiated with respect to the suspicious pattern upon ascertaining that the given public IP address does not belong to the identified subset.
    Type: Application
    Filed: November 27, 2024
    Publication date: March 20, 2025
    Inventors: Yinnon Meshi, Idan Amit, Jonathan Allon, Aviad Meyer
  • Publication number: 20250088530
    Abstract: A method for protecting a computer system against malicious channels to fixed Internet Protocol (IP) addresses. The method includes collecting, by a processor, information extracted from data traffic transmitted between multiple local nodes on a private data network and public IP addresses outside the private data network. Packets transmitted from one of the local nodes to one of the public IP addresses in accordance with a selected protocol are identified in the data traffic, among multiple protocols used in the data traffic. A volume of the identified packets is computed and compared to a permissible range that is defined for the selected protocol. A protective action with respect to the one of the local nodes is initiated upon finding that the computed volume is outside the permissible range.
    Type: Application
    Filed: November 27, 2024
    Publication date: March 13, 2025
    Inventors: Yinnon Meshi, Idan Amit, Jonathan Allon, Aviad Meyer
  • Patent number: 12218969
    Abstract: Methods, apparatus and computer software products implement embodiments of the present invention that include protecting a computer system, by collecting information from data traffic transmitted between multiple local nodes on a private data network and public IP addresses corresponding to multiple remote nodes on a public data network. DNS resolutions are detected in the collected information, each DNS resolution identifying a local node requesting the resolution with respect to a URI and a public IP address corresponding to the URI. Transmissions from the local nodes to the public IP addresses are detected in the collected information at respective times, and the detected DNS resolutions are compared to the detected transmissions so as to identify the transmissions from the local nodes to the public IP addresses that were not resolved by the DNS resolutions. Finally, a protective action is initiated with respect to at least some of the identified transmissions.
    Type: Grant
    Filed: July 17, 2023
    Date of Patent: February 4, 2025
    Assignee: Palo Alto Networks Israel Services Ltd
    Inventors: Yinnon Meshi, Idan Amit, Jonathan Allon, Aviad Meyer
  • Publication number: 20250030729
    Abstract: Methods, storage systems and computer program products implement embodiments of the present invention that include initially defining a set of protective actions. Upon detecting, by a security server on a network, an incident including one or more alerts indicating malicious activity by one or more computing devices on the network, a set of features indicating measurable characteristics of the incident are extracted from the alerts. Based on the alerts, respective counts for the features for the detected incident are computed, and based on the features and their respective counts, a score indicating a magnitude of malicious activity for the detected incident is computed. A given feature having a highest impact on the score is identified, and a given protective action is selected based on the score, the identified feature and its respective count. Finally, the selected protective action is initiated with respect to at least some of the devices.
    Type: Application
    Filed: July 23, 2023
    Publication date: January 23, 2025
    Inventors: Tuvia Newman, Yinnon Meshi, Gal Itzhak, Sharon Datner
  • Publication number: 20240022596
    Abstract: Methods, apparatus and computer software products implement embodiments of the present invention that include protecting a computer system, by collecting information from data traffic transmitted between multiple local nodes on a private data network and public IP addresses corresponding to multiple remote nodes on a public data network. DNS resolutions are detected in the collected information, each DNS resolution identifying a local node requesting the resolution with respect to a URI and a public IP address corresponding to the URI. Transmissions from the local nodes to the public IP addresses are detected in the collected information at respective times, and the detected DNS resolutions are compared to the detected transmissions so as to identify the transmissions from the local nodes to the public IP addresses that were not resolved by the DNS resolutions. Finally, a protective action is initiated with respect to at least some of the identified transmissions.
    Type: Application
    Filed: July 17, 2023
    Publication date: January 18, 2024
    Inventors: Yinnon Meshi, Idan Amit, Jonathan Allon, Aviad Meyer
  • Patent number: 11811820
    Abstract: Methods, apparatus and computer software products implement embodiments of the present invention that include protecting a computer system, by collecting information from data traffic transmitted between multiple local nodes on a private data network and public IP addresses corresponding to multiple remote nodes on a public data network. DNS resolutions are detected in the collected information, each DNS resolution identifying a local node requesting the resolution with respect to a URI and a public IP address corresponding to the URI. Transmissions from the local nodes to the public IP addresses are detected in the collected information at respective times, and the detected DNS resolutions are compared to the detected transmissions so as to identify the transmissions from the local nodes to the public IP addresses that were not resolved by the DNS resolutions. Finally, a protective action is initiated with respect to at least some of the identified transmissions.
    Type: Grant
    Filed: February 24, 2020
    Date of Patent: November 7, 2023
    Assignee: PALO ALTO NETWORKS (ISRAEL ANALYTICS) LTD.
    Inventors: Yinnon Meshi, Idan Amit, Jonathan Allon, Aviad Meyer
  • Patent number: 11799880
    Abstract: A method, including receiving, from multiple sources, respective sets of incidents, and respective suspiciousness labels for the incidents. A set of rules are applied so as to assign training labels to respective incidents in a subset of the incidents in the received sets. For each given incident in the subset, the respective training label is compared to the respective suspiciousness label so as to compute a respective quality score for each given source. Any sources having respective label quality scores meeting a predefined criterion are identified, and a model for computing predicted labels is fit to the incidents received from the identified sources and the respective suspiciousness labels of the incidents. The model is applied to an additional incident received from one of the sources to compute a predicted label for the additional incident, and a notification of the additional incident is prioritized in response to the predicted label.
    Type: Grant
    Filed: January 10, 2022
    Date of Patent: October 24, 2023
    Assignee: PALO ALTO NETWORKS (ISRAEL ANALYTICS) LTD.
    Inventors: Yinnon Meshi, Rony Brailovsky, Jonathan Allon, Asaf Dahan, Gal Itzhak, Niv Sela
  • Patent number: 11777971
    Abstract: Methods, apparatus and computer program products implement embodiments of the present invention that include collecting data packets transmitted between multiple entities over a network, and grouping the packets at least according to their source and destination entities and their times, into connections to which the packets belong. Pairs of the connections are identified having identical source and destination entities and times that are together within a specified time window, and sets of features are generated for the identified pairs of the connections. The features in the pairs are evaluated in order to detect a given pair of connections indicating malicious activity, and an alert is generated for the malicious activity.
    Type: Grant
    Filed: February 15, 2021
    Date of Patent: October 3, 2023
    Assignee: PALO ALTO NETWORKS (ISRAEL ANALYTICS) LTD.
    Inventors: Yinnon Meshi, Idan Amit, Eyal Firstenberg, Jonathan Allon, Yaron Neuman
  • Patent number: 11770397
    Abstract: A method, including identifying, in network traffic during multiple periods, scans, each scan including an access of multiple ports on a given destination node by a given source node, and computing, for each given source in the scans, an average of destinations whose ports were accessed by the given source during any scan by the given source, and a fraction of periods when the given source accessed at least one of the destinations in at least one scan performed by the given source node. A whitelist is assembled of sources for which one or more of the following conditions applies: the average of destinations accessed in the scans was greater than a first threshold, and the fraction of periods during which at least one destination was accessed in at least one scan was greater than a second threshold. Upon detecting a scan by any non-whitelisted node, a preventive action is initiated.
    Type: Grant
    Filed: September 2, 2021
    Date of Patent: September 26, 2023
    Assignee: PALO ALTO NETWORKS (ISRAEL ANALYTICS) LTD.
    Inventors: Yinnon Meshi, Idan Amit, Jonathan Allon, Aviad Meyer
  • Patent number: 11770396
    Abstract: A method, including identifying, in network data traffic, a set of pairs of source and destination nodes, each pair having a given source node, a given destination node, and one or more ports accessed in the traffic between the nodes in each pair, and computing, for each pair, a respective baseline that indicates a first number of the ports that source nodes other than the given source node in the pair accessed on the given destination node during a first period. For each pair, a respective test score is computed that indicates a difference between a second number of the ports that the given source node in the pair accessed on the given destination node during a second period and the baseline, and a preventive action is initiated with respect to the given source node in any of the pairs for which the test score is greater than a threshold.
    Type: Grant
    Filed: September 2, 2021
    Date of Patent: September 26, 2023
    Assignee: PALO ALTO NETWORKS (ISRAEL ANALYTICS) LTD.
    Inventors: Yinnon Meshi, Idan Amit, Jonathan Allon, Aviad Meyer
  • Patent number: 11711389
    Abstract: A method, including identifying, in network data traffic, multiple scans, each of the scans including an access, in the traffic, of multiple ports on a given destination node by a given source node during a time period. A group of high-traffic ports are identified in the traffic that include one or more ports that receive respective volumes of the traffic that exceed a threshold, and respective signatures are generated for the identified port scans that indicate the ports other than the high-traffic ports that were accessed in each of the port scans. A respective frequency of occurrence of each of the signatures over the set of the port scans is computed, and a whitelist of the signatures for which the respective frequency of occurrence is greater than a threshold is assembled. Upon detecting a port scan for which the respective signature is not whitelisted, a preventive action is initiated.
    Type: Grant
    Filed: October 21, 2021
    Date of Patent: July 25, 2023
    Assignee: PALO ALTO NETWORKS (ISRAEL ANALYTICS) LTD.
    Inventors: Idan Amit, Yinnon Meshi, Jonathan Allon, Aviad Meyer
  • Publication number: 20230224311
    Abstract: A method, including receiving, from multiple sources, respective sets of incidents, and respective suspiciousness labels for the incidents. A set of rules are applied so as to assign training labels to respective incidents in a subset of the incidents in the received sets. For each given incident in the subset, the respective training label is compared to the respective suspiciousness label so as to compute a respective quality score for each given source. Any sources having respective label quality scores meeting a predefined criterion are identified, and a model for computing predicted labels is fit to the incidents received from the identified sources and the respective suspiciousness labels of the incidents. The model is applied to an additional incident received from one of the sources to compute a predicted label for the additional incident, and a notification of the additional incident is prioritized in response to the predicted label.
    Type: Application
    Filed: January 10, 2022
    Publication date: July 13, 2023
    Inventors: Yinnon Meshi, Rony Brailovsky, Jonathan Allon, Asaf Dahan, Gal Itzhak, Niv Sela
  • Patent number: 11468358
    Abstract: A method, including collecting communication sessions, and generating samples from the sessions. Classifiers are applied to the samples, thereby computing a classifier prediction for each sample, and based on the classifier predictions, respective aggregated predictions are determined for the samples. Based on the classifier and the aggregated predictions, a precision and a hit rate for each classifier and a positive rate are computed, and based on the aggregated predictions, a subset of the samples are selected. Using the selected subset, a model including the classifiers is computed based on the precisions, the hit rates and the positive rate, and the model is applied to the samples, thereby updating the classifier and the aggregate predictions. The steps of computing the precision and the hit rate, selecting the subset, computing the model and applying the model are repeated until meeting a halting condition, and using the model, additional communication sessions are scanned.
    Type: Grant
    Filed: June 12, 2018
    Date of Patent: October 11, 2022
    Assignee: PALO ALTO NETWORKS (ISRAEL ANALYTICS) LTD.
    Inventors: Idan Amit, Eyal Firstenberg, Yinnon Meshi
  • Publication number: 20220217162
    Abstract: Methods, apparatus and computer software products implement embodiments of the present invention that include defining, for a given software category, respective, disjoint sets of communication ports that are used by each of a plurality of software systems in the given software category, including at least first and second disjoint sets. A set of port scans are identified in data traffic transmitted between multiple nodes that communicate over a network, each of the port scans including an access, in the data traffic, of a plurality of the communication ports on a given destination node by a given source node during a predefined time period. Upon detecting a port scan by one of the nodes including accesses of at least one of the communication ports in the first set and at least one of the communication ports in the second set, a preventive action is initiated.
    Type: Application
    Filed: March 22, 2022
    Publication date: July 7, 2022
    Inventors: Yinnon Meshi, Idan Amit, Jonathan Allon, Aviad Meyer
  • Patent number: 11316872
    Abstract: Methods, apparatus and computer software products implement embodiments of the present invention that include defining, for a given software category, respective, disjoint sets of communication ports that are used by each of a plurality of software systems in the given software category, including at least first and second disjoint sets. A set of port scans are identified in data traffic transmitted between multiple nodes that communicate over a network, each of the port scans including an access, in the data traffic, of a plurality of the communication ports on a given destination node by a given source node during a predefined time period. Upon detecting a port scan by one of the nodes including accesses of at least one of the communication ports in the first set and at least one of the communication ports in the second set, a preventive action is initiated.
    Type: Grant
    Filed: January 30, 2019
    Date of Patent: April 26, 2022
    Assignee: PALO ALTO NETWORKS (ISRAEL ANALYTICS) LTD.
    Inventors: Yinnon Meshi, Idan Amit, Jonathan Allon, Aviad Meyer
  • Publication number: 20220046042
    Abstract: A method, including identifying, in network data traffic, multiple scans, each of the scans including an access, in the traffic, of multiple ports on a given destination node by a given source node during a time period. A group of high-traffic ports are identified in the traffic that include one or more ports that receive respective volumes of the traffic that exceed a threshold, and respective signatures are generated for the identified port scans that indicate the ports other than the high-traffic ports that were accessed in each of the port scans. A respective frequency of occurrence of each of the signatures over the set of the port scans is computed, and a whitelist of the signatures for which the respective frequency of occurrence is greater than a threshold is assembled. Upon detecting a port scan for which the respective signature is not whitelisted, a preventive action is initiated.
    Type: Application
    Filed: October 21, 2021
    Publication date: February 10, 2022
    Inventors: Idan Amit, Yinnon Meshi, Jonathan Allon, Aviad Meyer
  • Publication number: 20210400073
    Abstract: A method, including identifying, in network traffic during multiple periods, scans, each scan including an access of multiple ports on a given destination node by a given source node, and computing, for each given source in the scans, an average of destinations whose ports were accessed by the given source during any scan by the given source, and a fraction of periods when the given source accessed at least one of the destinations in at least one scan performed by the given source node. A whitelist is assembled of sources for which one or more of the following conditions applies: the average of destinations accessed in the scans was greater than a first threshold, and the fraction of periods during which at least one destination was accessed in at least one scan was greater than a second threshold. Upon detecting a scan by any non-whitelisted node, a preventive action is initiated.
    Type: Application
    Filed: September 2, 2021
    Publication date: December 23, 2021
    Inventors: Yinnon Meshi, Idan Amit, Jonathan Allon, Aviad Meyer
  • Publication number: 20210400072
    Abstract: A method, including identifying, in network data traffic, a set of pairs of source and destination nodes, each pair having a given source node, a given destination node, and one or more ports accessed in the traffic between the nodes in each pair, and computing, for each pair, a respective baseline that indicates a first number of the ports that source nodes other than the given source node in the pair accessed on the given destination node during a first period. For each pair, a respective test score is computed that indicates a difference between a second number of the ports that the given source node in the pair accessed on the given destination node during a second period and the baseline, and a preventive action is initiated with respect to the given source node in any of the pairs for which the test score is greater than a threshold.
    Type: Application
    Filed: September 2, 2021
    Publication date: December 23, 2021
    Inventors: Yinnon Meshi, Idan Amit, Jonathan Allon, Aviad Meyer
  • Patent number: 11184376
    Abstract: A method, including identifying, in network data traffic, a set of pairs of source and destination nodes, each pair having a given source node, a given destination node, and one or more ports accessed in the traffic between the nodes in each pair, and computing, for each pair, a respective baseline that indicates a first number of the ports that source nodes other than the given source node in the pair accessed on the given destination node during a first period. For each pair, a respective test score is computed that indicates a difference between a second number of the ports that the given source node in the pair accessed on the given destination node during a second period and the baseline, and a preventive action is initiated with respect to the given source node in any of the pairs for which the test score is greater than a threshold.
    Type: Grant
    Filed: January 30, 2019
    Date of Patent: November 23, 2021
    Assignee: PALO ALTO NETWORKS (ISRAEL ANALYTICS) LTD.
    Inventors: Yinnon Meshi, Idan Amit, Jonathan Allon, Aviad Meyer
  • Patent number: 11184377
    Abstract: A method, including identifying, in network traffic during multiple periods, scans, each scan including an access of multiple ports on a given destination node by a given source node, and computing, for each given source in the scans, an average of destinations whose ports were accessed by the given source during any scan by the given source, and a fraction of periods when the given source accessed at least one of the destinations in at least one scan performed by the given source node. A whitelist is assembled of sources for which one or more of the following conditions applies: the average of destinations accessed in the scans was greater than a first threshold, and the fraction of periods during which at least one destination was accessed in at least one scan was greater than a second threshold. Upon detecting a scan by any non-whitelisted node, a preventive action is initiated.
    Type: Grant
    Filed: January 30, 2019
    Date of Patent: November 23, 2021
    Assignee: PALO ALTO NETWORKS (ISRAEL ANALYTICS) LTD.
    Inventors: Yinnon Meshi, Idan Amit, Jonathan Allon, Aviad Meyer