Firewall Patents (Class 726/11)
  • Patent number: 10375027
    Abstract: An apparatus, method, system and computer-readable medium are provided for provisioning a user equipment device (UED). The UED may be configured to receive a generic configuration and (dynamically) derive settings specific to the UED that would otherwise have been received in the configuration. The UED may execute one or more applications to derive the settings specific to the UED. A first application may enable the UED to dynamically learn a fully qualified domain name (FQDN) and IP address of a node. A second application may enable the UED to generate authentication credentials for the UED. A third application may enable the UED to determine a port or ports that are authorized for service and a port or ports that are not authorized for service. A fourth application may enable the UED to determine a number associated with the UED.
    Type: Grant
    Filed: October 20, 2016
    Date of Patent: August 6, 2019
    Assignee: Comcast Cable Communications, LLC
    Inventors: Carl Klatsky, Chris Wendt, Manoj Chaudhari, Christopher Zarcone
  • Patent number: 10375076
    Abstract: A system that includes a threat management server configured to store a device log identifying location information for endpoint devices that have passed authentication. The threat management server is configured to identify an endpoint device from the device log file and to identify a switch connected to the endpoint device. The threat management server is further configured to send a location information request to the switch requesting location information for the endpoint device. The threat management server is configured to compare the received location information to the information in the device log file. The threat management server is configured to block the endpoint device from accessing a communications network in response to determining that the received location information does not match the information in the device log file.
    Type: Grant
    Filed: July 26, 2017
    Date of Patent: August 6, 2019
    Assignee: Bank of America Corporation
    Inventors: Rahul Isola, Jeremiah S. Nicholson
  • Patent number: 10375099
    Abstract: A system that includes a threat management server configured to store a device log identifying location information for endpoint devices that have passed authentication. The threat management server identifies a first instance and a second instance of an endpoint device in the device log file. The threat management server identifies a first switch connected to the first instance of the endpoint device and a second switch connected to the second instance of the endpoint device. The threat management server sends a location information request to the first switch and the second switch requesting location information for the first instance and the second instance of the endpoint device, respectively. The threat management server compares the received location information to the information in the device log file to identify a spoofed instance of the endpoint device and blocks the spoofed instance of the endpoint device from accessing the communications network.
    Type: Grant
    Filed: July 26, 2017
    Date of Patent: August 6, 2019
    Assignee: Bank of America Corporation
    Inventors: Rahul Isola, Equettis Twantwalon Jenkins
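The two Bank of America abstracts above (10375076 and 10375099) describe the same check from two angles: the server holds a device log of where each authenticated endpoint was seen (switch and port), asks the switch where it currently sees that MAC, and blocks the instance whose answer does not match. The example below is an added illustration written for this page, not code from either patent or from the assignee. The switch query is stubbed with an in-memory dictionary standing in for a MAC-table lookup, the log entries and switch tables are constructed sample data, and the tie-break used for the two-instance case (the instance its own switch does not confirm is the spoof) is this example's assumption, since the abstract does not specify how the comparison resolves.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LogEntry:
    """One authenticated endpoint and where it was seen when it authenticated."""
    mac: str
    ip: str
    switch: str
    port: str


class ThreatManagementServer:
    def __init__(self, device_log, switch_tables):
        self.device_log = list(device_log)
        # Constructed stand-in for the switch query: switch name -> {mac: port currently learned}.
        self.switch_tables = switch_tables
        self.blocked = set()   # (mac, switch) pairs denied network access

    def query_switch(self, switch: str, mac: str):
        """Where the switch says it currently sees this MAC (None if it does not see it)."""
        return self.switch_tables.get(switch, {}).get(mac)

    def is_blocked(self, mac: str, switch: str) -> bool:
        return (mac, switch) in self.blocked

    def verify_entry(self, entry: LogEntry) -> bool:
        """Single-instance check (10375076): the switch's current answer must match the log."""
        if self.query_switch(entry.switch, entry.mac) != entry.port:
            self.blocked.add((entry.mac, entry.switch))
            return False
        return True

    def find_spoofed_instances(self):
        """Multi-instance check (10375099): a MAC logged behind two switches is asked about
        at each switch; the instance its switch does not confirm is blocked as the spoof."""
        by_mac = {}
        for e in self.device_log:
            by_mac.setdefault(e.mac, []).append(e)
        spoofed = []
        for mac, entries in by_mac.items():
            if len({e.switch for e in entries}) < 2:
                continue                      # only one location on record, nothing to arbitrate
            for e in entries:
                if not self.verify_entry(e):
                    spoofed.append(e)
        return spoofed


# Constructed device log: MAC ...01 appears behind two switches, ...02 behind one.
DEVICE_LOG = [
    LogEntry("aa:bb:cc:dd:ee:01", "10.0.1.5", "sw-a", "Gi1/0/7"),
    LogEntry("aa:bb:cc:dd:ee:01", "10.0.1.5", "sw-b", "Gi1/0/3"),
    LogEntry("aa:bb:cc:dd:ee:02", "10.0.1.6", "sw-a", "Gi1/0/9"),
]

# Constructed switch answers: sw-b now sees ...01 on a different port than the log recorded.
SWITCH_TABLES = {
    "sw-a": {"aa:bb:cc:dd:ee:01": "Gi1/0/7", "aa:bb:cc:dd:ee:02": "Gi1/0/9"},
    "sw-b": {"aa:bb:cc:dd:ee:01": "Gi1/0/12"},
}
```

Running `ThreatManagementServer(DEVICE_LOG, SWITCH_TABLES).find_spoofed_instances()` returns only the sw-b entry, and that (MAC, switch) pair is what the server would push as a block to the access layer; the instance on sw-a keeps its access because its switch confirms the logged port.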
  • Patent number: 10374941
    Abstract: A technique includes determining network interface aggregation information for a given network device. Determining the aggregation includes determining whether the network device is capable of providing first data identifying an aggregation and selectively inferring the aggregation based at least in part on other data if a determination is made that the network device is incapable of providing the first data.
    Type: Grant
    Filed: October 30, 2013
    Date of Patent: August 6, 2019
    Assignee: ENTIT SOFTWARE LLC
    Inventors: Max C Knees, Joseph Elisha Taylor, Lawrence M Besaw
  • Patent number: 10375121
    Abstract: Example methods are provided for an entity to perform micro-segmentation in a virtualized computing environment that includes multiple hosts. The method may comprise obtaining application implementation information associated with one or more applications implemented by multiple virtualized computing instances, each of the multiple virtualized computing instances being supported by one of the multiple hosts. The method may further comprise detecting micro-segments by clustering the multiple virtualized computing instances based on the application implementation information, and determining security policies for respective detected micro-segments. Each of the detected micro-segments may include one or more of the multiple virtualized computing instances that have more similarity compared to those in a different detected micro-segment.
    Type: Grant
    Filed: June 22, 2017
    Date of Patent: August 6, 2019
    Assignee: VMWARE, INC.
    Inventors: Claude Hamou, Roman Brouk, Steven McAllister
  • Patent number: 10346277
    Abstract: In one embodiment, a node in a network reports, to a supervisory service, histograms of application-specific throughput metrics measured from the network. The node receives, from the supervisory service, a merged histogram of application-specific throughput metrics. The supervisory service generated the merged histogram based on a plurality of histograms reported to the supervisory service by a plurality of nodes. The node performs, using the merged histogram, application throughput anomaly detection on traffic in the network. The node causes performance of a mitigation action in the network when an application throughput anomaly is detected. The node adjusts, based on a control command sent by the supervisory service, a histogram reporting strategy used by the node to report the histograms of application-specific throughput metrics to the supervisory service.
    Type: Grant
    Filed: October 12, 2017
    Date of Patent: July 9, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: Grégory Mermoud, Jean-Philippe Vasseur, Pierre-André Savalle
  • Patent number: 10338560
    Abstract: A flight control system of an aircraft including a first processing unit, a second processing unit, and communication means configured to establish a first two-way digital link and a second two-way digital link between the first processing unit and the second processing unit. The second link is redundant with the first link, and the first link and second link are likely to be active concomitantly. The system further includes backup communication means enabling data exchanges between the first processing unit and the second processing unit in the case of a failure in the first link and second link. The backup communication means includes an array of sensors or actuators and/or a secure onboard network for the avionics.
    Type: Grant
    Filed: September 4, 2015
    Date of Patent: July 2, 2019
    Assignees: SAFRAN ELECTRONICS & DEFENSE, SAFRAN HELICOPTER ENGINES
    Inventors: Celine Liu, Nicolas Marti, Stephen Langford
  • Patent number: 10320748
    Abstract: Concepts and technologies disclosed herein are directed to single packet authorization (“SPA”) in a cloud computing environment. A compute node can include a virtual switch operating on at least a portion of a plurality of hardware resources of a cloud computing environment, a virtual firewall, a cloud workload executing a cloud service, and a SPA service. The virtual switch can receive a SPA request from a SPA client executing on a computing device. The virtual switch can forward the SPA request to the virtual firewall and to the SPA service. The virtual firewall can deny the SPA request in accordance with a firewall policy. The SPA service can utilize a SPA validation scheme to validate the SPA request. The virtual firewall can implement a temporary firewall policy to allow incoming packets from the SPA client and directed to the cloud service.
    Type: Grant
    Filed: February 23, 2017
    Date of Patent: June 11, 2019
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Michael Stair, Daniel Solero
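The AT&T abstract above describes the single packet authorization flow: the firewall drops the SPA packet like any other unsolicited traffic, a separate SPA service validates it, and only then does a temporary rule open the service port for that one client. The example below is added for this page and is not code from the patent or from AT&T; the abstract names a "SPA validation scheme" without specifying it, so the HMAC-SHA256 tag, the 30-second freshness window, the nonce replay cache, the binding of the claimed source to the observed source and the 20-second grant lifetime are all this example's assumptions, and the pre-shared key is a constructed placeholder.

```python
import hashlib
import hmac
import json
import os

# Constructed pre-shared key; a real deployment would provision a per-client key.
SPA_KEY = b"constructed-demo-key-not-for-production"
FRESHNESS_WINDOW = 30   # seconds a SPA request stays acceptable (assumption)
GRANT_TTL = 20          # seconds the temporary allow rule lives (assumption)


def build_spa_request(key: bytes, client_ip: str, service_port: int, now: float) -> bytes:
    """SPA client side: one authenticated payload naming the caller and the port it wants."""
    body = {"src": client_ip, "port": service_port, "ts": int(now), "nonce": os.urandom(8).hex()}
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"|" + tag


class SpaService:
    """Validates SPA requests: MAC, freshness, source binding and replay."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen_nonces = {}   # nonce -> time first seen

    def validate(self, wire: bytes, observed_src_ip: str, now: float):
        try:
            payload, tag = wire.rsplit(b"|", 1)
        except ValueError:
            return None
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return None                                   # forged or tampered
        body = json.loads(payload)
        if not {"src", "port", "ts", "nonce"} <= set(body):
            return None
        if abs(now - body["ts"]) > FRESHNESS_WINDOW:
            return None                                   # stale, cannot be replayed later
        if body["src"] != observed_src_ip:
            return None                                   # claimed source must match the packet's
        # Forget nonces older than the window, then refuse any nonce seen inside it.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if now - t <= FRESHNESS_WINDOW}
        if body["nonce"] in self.seen_nonces:
            return None                                   # replay inside the window
        self.seen_nonces[body["nonce"]] = now
        return body["src"], int(body["port"])


class VirtualFirewall:
    """Default deny; only time-limited grants from the SPA service open a port for one source."""

    def __init__(self):
        self.grants = {}   # (src_ip, port) -> expiry time

    def grant(self, src_ip: str, port: int, now: float) -> None:
        self.grants[(src_ip, port)] = now + GRANT_TTL

    def allows(self, src_ip: str, port: int, now: float) -> bool:
        expiry = self.grants.get((src_ip, port))
        return expiry is not None and now < expiry


def compute_node_receive_spa(fw: VirtualFirewall, spa: SpaService,
                             wire: bytes, src_ip: str, now: float) -> bool:
    """What the virtual switch triggers on a SPA packet: the firewall has no rule for it
    and drops it, the SPA service validates it, and a valid request installs a grant."""
    result = spa.validate(wire, src_ip, now)
    if result is None:
        return False
    fw.grant(result[0], result[1], now)
    return True
```

The checks are ordered so that the cheapest rejections come first and the nonce cache is only consulted for packets that already carry a valid tag, which keeps an attacker without the key from filling it. Note that `allows` is what the firewall consults for the client's subsequent connection; the SPA packet itself never matches a grant.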
  • Patent number: 10311477
    Abstract: A method for processing a mobile advertisement, a proxy server, and a terminal are provided.
    Type: Grant
    Filed: July 15, 2014
    Date of Patent: June 4, 2019
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventor: Guoyong Li
  • Patent number: 10311311
    Abstract: An apparatus comprises a detector and a processor. The processor may be configured to perform a two-stage object detection process utilizing the detector circuit. The detector circuit may be configured to implement a simple detection stage and a complex detection stage. In the simple detection stage, the two-stage object detection process comprises applying a first detector over a predefined region of interest. In the complex detection stage, the two-stage object detection process comprises applying a second detector on a set of best candidates identified by the simple detection stage.
    Type: Grant
    Filed: August 31, 2017
    Date of Patent: June 4, 2019
    Assignee: Ambarella, Inc.
    Inventors: Yu Wang, Leslie D. Kohn
  • Patent number: 10313304
    Abstract: A system for regulating dynamic implementation of exceptions in an onboard network firewall includes a client application interface receptive to a data link request from a client device. An onboard connectivity manager includes a firewall interface connected to the onboard network firewall to request the exceptions in response to a connection authorization, a client presence manager receptive to the data link request relayed by the client application interface from the client device, and a network load manager in communication with the firewall interface and the client presence manager. A remote connectivity manager is connected to a remote application service and is in communication with the onboard connectivity manager. The network load manager generates the connection authorization to the firewall interface in response to the connection authorization request and an evaluation of one or more access grant conditions.
    Type: Grant
    Filed: March 16, 2016
    Date of Patent: June 4, 2019
    Assignee: PANASONIC AVIONICS CORPORATION
    Inventors: James A. Haak, Kwok Liang Poo
  • Patent number: 10313377
    Abstract: A universal link to extract and classify log data is disclosed. In various embodiments, a set of candidate data values that match a top level pattern that is common to two or more types of data value of interest is identified. The candidate data values are processed through a plurality of successive filtering stages, each stage of which includes determining which, if any, of said candidates match a more specific pattern associated more specifically with a specific data value type. Candidates, if any, which match the more specific pattern are classified as being of a corresponding specific data type and are removed from the set of candidate data values. A structured data record that associates each candidate data value determined to be of a corresponding one of said types of data value of interest with said corresponding one of said types of data value of interest is generated and stored.
    Type: Grant
    Filed: October 19, 2016
    Date of Patent: June 4, 2019
    Assignee: Anomali Incorporated
    Inventors: Wei Huang, Yizheng Zhou, Hugh Seretse Njemanze, Zhong Deng
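The Anomali abstract above describes a funnel: a coarse top-level pattern collects candidate tokens from a log line, then successive stages each test a more specific pattern, claim the tokens that match, and remove them from the candidate set so later stages never see them. The following is an added example for this page, not code from the patent or from Anomali. The top-level pattern (tokens containing a dot, colon or at-sign, or a hex run of 32 or more characters), the stage order and the sample log line are all constructed for the illustration.

```python
import re

# Top-level pattern shared by every type of interest: a token with '.', ':' or '@',
# or a long hex run (assumption for the example).
TOKEN = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-_:@/]*")
TOP_LEVEL = re.compile(r"[.:@]|^[0-9a-fA-F]{32,}$")

# Successive, increasingly specific stages. Order matters: IPv4 runs before "domain"
# and "sha256" before "md5", and each stage removes what it claims.
STAGES = [
    ("ipv4", re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")),
    ("email", re.compile(r"^[\w.+-]+@[\w-]+(?:\.[\w-]+)+$")),
    ("sha256", re.compile(r"^[0-9a-fA-F]{64}$")),
    ("md5", re.compile(r"^[0-9a-fA-F]{32}$")),
    ("url", re.compile(r"^https?://\S+$")),
    ("domain", re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)),
]


def extract(line: str):
    """Return (structured record of type -> sorted values, leftover unclassified candidates)."""
    candidates = {t for t in TOKEN.findall(line) if TOP_LEVEL.search(t)}
    record = {}
    for name, pattern in STAGES:
        matched = {c for c in candidates if pattern.match(c)}
        if matched:
            record[name] = sorted(matched)
        candidates -= matched          # later stages only see what is still unclaimed
    return record, sorted(candidates)


# Constructed log line for the example (not from any real system).
SAMPLE_LINE = (
    "2019-08-06T10:22:01Z sensor=fw01 src=192.168.10.25 dst=203.0.113.9 "
    "host=evil.example.net url=http://evil.example.net/x.php "
    "sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 "
    "user=alice@corp.example"
)
```

The leftover set is worth keeping: on the sample line it contains only the timestamp, and in practice a growing leftover set is the signal that a new data value type needs its own stage.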
  • Patent number: 10298519
    Abstract: A SDN controller receives a forwarding request message including a header portion of a layer-2 packet. The SDN controller determines whether a source host and a destination host of the layer-2 packet are in the same virtual network according to a virtual network table.
    Type: Grant
    Filed: June 27, 2014
    Date of Patent: May 21, 2019
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Songbo Wang, Tao Lin, Yinfei Zhang, Weichun Ren
  • Patent number: 10278087
    Abstract: The subject matter described herein includes methods, systems, and computer readable media for correlating, load balancing and filtering tapped GTP and non-GTP packets. One method for correlating, load balancing and filtering tapped GTP and non-GTP packets includes receiving GTP packets tapped from a plurality of GTP network tap points. The method further includes receiving non-GTP packets tapped from at least one non-GTP network tap point. The method further includes correlating GTP packets with non-GTP packets for a particular subscriber. The method further includes forwarding the GTP packets and non-GTP packets correlated for the particular subscriber to a network monitoring tool.
    Type: Grant
    Filed: September 29, 2017
    Date of Patent: April 30, 2019
    Assignee: KEYSIGHT TECHNOLOGIES SINGAPORE (HOLDINGS) PTE. LTD.
    Inventors: Bogdan Ţenea, Robin Lee O'Connor, Shardendu Pandey, Alan Richard Schwenk
  • Patent number: 10264021
    Abstract: Some embodiments of the invention provide a novel method for specifying firewall rules. In some embodiments, the method provides the ability to specify for a particular firewall rule, a set of network nodes (also called a set of enforcement points) at which the particular firewall should be enforced. To provide this ability, the method of some embodiments adds an extra tuple (referred to below as the AppliedTo tuple) to a firewall rule. This added AppliedTo tuple lists the set of enforcement points at which the firewall rule has to be applied (i.e., enforced). As the AppliedTo tuples of the firewall rules can refer to dynamically modifiable constructs, the application of the AppliedTo firewall rules (i.e., rules that are specified to include an AppliedTo tuple) can be dynamically adjusted for different locations within a network by dynamically adjusting the membership of these modifiable constructs.
    Type: Grant
    Filed: December 14, 2015
    Date of Patent: April 16, 2019
    Assignee: NICIRA, INC.
    Inventors: Kaushal Bansal, Uday Masurekar, Aravind Srinivasan, Shadab Shah, Serge Maskalik
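The Nicira abstract above adds an AppliedTo tuple to each firewall rule naming the enforcement points where the rule is loaded, and lets that tuple refer to dynamic constructs so that changing group membership changes where a rule is enforced. The example below is an added illustration for this page, not code from the patent or from Nicira/VMware. The rule fields, the group names and the sample VM names are constructed; the abstract does not describe the rule format beyond the extra tuple.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: int
    src: str
    dst: str
    service: str
    action: str
    applied_to: frozenset   # the extra tuple: dynamic groups whose members enforce this rule


class FirewallController:
    """Resolves each rule's AppliedTo groups to enforcement points and builds per-point tables."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.rule_id)
        self.groups = {}   # group name -> set of enforcement points (e.g. VM vNIC names)

    def set_group(self, name, members):
        self.groups[name] = set(members)

    def add_member(self, name, member):
        self.groups.setdefault(name, set()).add(member)

    def remove_member(self, name, member):
        self.groups.get(name, set()).discard(member)

    def enforcement_points(self, rule):
        points = set()
        for group in rule.applied_to:
            points |= self.groups.get(group, set())
        return points

    def table_for(self, point):
        """Rule ids the distributed firewall at this enforcement point must load, in priority order."""
        return [r.rule_id for r in self.rules if point in self.enforcement_points(r)]

    def distribute(self):
        """Per-enforcement-point tables; rerun after a membership change and only affected tables differ."""
        points = set().union(*self.groups.values()) if self.groups else set()
        return {p: self.table_for(p) for p in sorted(points)}


# Constructed policy: three rules, two dynamic groups.
RULES = [
    Rule(1, "any", "web-tier", "tcp/443", "allow", frozenset({"web"})),
    Rule(2, "web-tier", "db-tier", "tcp/5432", "allow", frozenset({"db"})),
    Rule(3, "any", "any", "any", "drop", frozenset({"web", "db"})),
]
```

The point the abstract makes is visible in `table_for`: a rule never names a host, so moving a VM into or out of a group changes its table without editing a rule, and a VM in no group receives nothing.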
  • Patent number: 10257222
    Abstract: A cloud checking and killing method for combating an anti-antivirus test includes receiving, by a cloud sever, a cloud checking and killing request for performing virus checking and killing on a sample. The method further includes analyzing the cloud checking and killing request, and determining whether the cloud checking and killing request is a cloud checking and killing request of an anti-antivirus test. If the cloud checking and killing request is a cloud checking and killing request of an anti-antivirus test, returning, by the cloud server, to the client a cloud checking and killing result that the sample does not carry a virus. If the cloud checking and killing request is not a cloud checking and killing request of an anti-antivirus test, comparing the sample with a virus library of the cloud server to determine whether the sample carries a virus and performing corresponding virus checking and killing.
    Type: Grant
    Filed: December 29, 2017
    Date of Patent: April 9, 2019
    Assignee: Beijing Qihoo Technology Company Limited
    Inventor: Xu Zhang
  • Patent number: 10243971
    Abstract: A method is provided to monitor network traffic, including reserving a portion of a system memory for short-term storage of copied network traffic, wherein the system memory is volatile, receiving copied packets of intercepted network traffic traversing a network, wherein the packets are associated with a plurality of respective traffic streams included in the network traffic, storing the copied packets in the portion of the system memory, maintaining an ordered list per traffic stream of copied packets that are stored, removing copied packets selected, based on their positions in their respective ordered lists, from the portion of the system memory based on a storage constraint, receiving an attack alert identifying a packet that is involved in a network attack, identifying the traffic stream that includes the packet identified, and transferring stored copied packets that are included in the identified traffic stream from the portion of the system memory to a long-term storage device.
    Type: Grant
    Filed: March 25, 2016
    Date of Patent: March 26, 2019
    Assignee: Arbor Networks, Inc.
    Inventors: Aaron Campbell, Christopher R. Hand, Frank Murphy
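The Arbor abstract above describes a volatile short-term packet store with an ordered list per traffic stream, eviction driven by a storage constraint, and on an attack alert the transfer of the whole stream containing the flagged packet to long-term storage. The example below is an added illustration for this page, not code from the patent or from Arbor Networks. The stream key (5-tuple), the eviction choice (oldest packet of the largest stream) and the packet records are constructed assumptions; the abstract only says removal is based on list position and the constraint.

```python
from collections import OrderedDict, deque


class ShortTermStore:
    """Bounded in-memory copy of recent packets, kept as one ordered list per stream."""

    def __init__(self, capacity: int):
        self.capacity = capacity       # storage constraint: max packets held in RAM
        self.streams = OrderedDict()   # stream key -> deque of (pkt_id, payload), oldest first
        self.index = {}                # pkt_id -> stream key, for alert lookups
        self.count = 0

    @staticmethod
    def stream_key(pkt: dict):
        return (pkt["src"], pkt["dst"], pkt["proto"], pkt["sport"], pkt["dport"])

    def store(self, pkt: dict) -> None:
        key = self.stream_key(pkt)
        self.streams.setdefault(key, deque()).append((pkt["id"], pkt["payload"]))
        self.index[pkt["id"]] = key
        self.count += 1
        while self.count > self.capacity:
            self._evict_one()

    def _evict_one(self) -> None:
        """Drop the oldest packet of the stream currently holding the most packets (assumption)."""
        key = max(self.streams, key=lambda k: len(self.streams[k]))
        pkt_id, _ = self.streams[key].popleft()
        del self.index[pkt_id]
        self.count -= 1
        if not self.streams[key]:
            del self.streams[key]

    def held_ids(self, key):
        return [pkt_id for pkt_id, _ in self.streams.get(key, ())]

    def on_attack_alert(self, pkt_id: int, long_term: list):
        """Find the stream that contains the flagged packet and move all of it to long-term storage.
        Returns the stream key, or None if the packet was already evicted."""
        key = self.index.get(pkt_id)
        if key is None:
            return None
        packets = list(self.streams.pop(key))
        for pid, _ in packets:
            del self.index[pid]
        self.count -= len(packets)
        long_term.append((key, packets))
        return key


# Constructed packets for two streams (payloads are placeholders).
STREAM_A = dict(src="10.0.0.1", dst="10.0.0.2", proto="tcp", sport=40000, dport=80)
STREAM_B = dict(src="10.0.0.3", dst="10.0.0.2", proto="tcp", sport=40001, dport=80)
```

The `index` map is what makes the alert path cheap: the detector reports one packet id, and the store does not have to scan every stream to find the list to hand over. The `None` return is the failure mode worth surfacing in practice, since an alert that arrives after eviction means the capacity or the eviction policy is too aggressive for the detector's latency.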
  • Patent number: 10230741
    Abstract: A method is provided for securing a Signalling System No. 7 interface, SS7 interface, of a system, via which access to a local mobile radiocommunications network is carried out, in relation to an external system. The method protects the SS7 network access points of telecommunication providers from SS7/MAP attacks by detecting and filtering these attacks.
    Type: Grant
    Filed: December 1, 2015
    Date of Patent: March 12, 2019
    Assignee: GSMK GESELLSCHAFT FUER SICHERE MOBILE KOMMUNIKATION MBH
    Inventors: Tobias Engel, Holger Freyther
  • Patent number: 10230694
    Abstract: A media distribution network device connects to an online collaborative session between a first participant network device, a second participant network device, and a security participant network device. The security participant network device is configured to decrypt packets of the online collaborative session to apply security policies to the packets. An encrypted packet is received at the media distribution network device. The encrypted packet is received from the first participant network device containing data to be distributed as part of the online collaborative session. The encrypted packet is distributed to the security participant network device prior to distributing the encrypted packet to the second participant network device.
    Type: Grant
    Filed: July 15, 2016
    Date of Patent: March 12, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: K. Tirumaleswar Reddy, Prashanth Patil, Daniel G. Wing, Ram Mohan Ravindranath
  • Patent number: 10225236
    Abstract: A system for dynamically implementing exceptions in an onboard network firewall has a client application interface receptive to a data link request from a client device. An onboard connectivity manager includes a firewall interface connected to the onboard network firewall to request the exceptions in response to a connection authorization, and a client presence manager receptive to the data link request relayed by the client application interface from the client device. A presence state for the client device is activated and maintained following the data link request. A remote connectivity manager is connected to a remote application service and is in communication with the onboard connectivity manager. The remote connectivity manager generates a connection authorization based upon an evaluation of the presence state for the client device against the conditions set by the remote application service.
    Type: Grant
    Filed: November 4, 2015
    Date of Patent: March 5, 2019
    Assignee: PANASONIC AVIONICS CORPORATION
    Inventors: James A. Haak, Kwok Liang Poo
  • Patent number: 10225172
    Abstract: In one implementation, a method for tap technology can include identification of a plurality of network element primitives of a tap request, a determination of a set of selection criteria based on the plurality of network element primitives, a selection of a tap technology based on a comparison of the set of selection criteria to a tap technology profile, and a configuration of the tap domain to copy packets based on the set of selection criteria.
    Type: Grant
    Filed: April 3, 2015
    Date of Patent: March 5, 2019
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Mohammed Javed Padinhakara, Santosh Kumar Singh, Pramod Shanbhag
  • Patent number: 10225288
    Abstract: This disclosure provides a network security architecture that permits installation of different software security products as virtual machines (VMs). By relying on a common data format and standardized communication structure (e.g., using pre-established, cross-platform messaging), a general architecture can be created and used to dynamically build and reconfigure interaction between both similar and dissimilar security products. Examples are provided where an intrusion monitoring system (IMS) can be used to detect network threats based on distributed threat analytics, passing detected threats to other security products (e.g., products with different capabilities from different vendors) to trigger automatic, dynamically configured communication and reaction. A network security provider using this infrastructure can provide hosted or managed boundary security to a diverse set of clients, each on a customized basis.
    Type: Grant
    Filed: January 21, 2016
    Date of Patent: March 5, 2019
    Assignee: ServiceNow, Inc.
    Inventor: Andreas Seip Haugsnes
  • Patent number: 10218650
    Abstract: An information processing system includes information terminals; an information processing apparatus; and an information storage apparatus connected to a network different from a network to which the information processing apparatus is connected. Further, the information processing apparatus includes a receiving unit receiving information from one of the information terminals, and a transmission unit transmitting the information to other information terminals and the information storage apparatus. Each of the information terminals includes a transmission unit transmitting the information to the information processing apparatus, and a receiving unit receiving information from the information processing apparatus. The information storage apparatus includes a storage unit storing the information from the information processing apparatus.
    Type: Grant
    Filed: March 30, 2015
    Date of Patent: February 26, 2019
    Assignee: Ricoh Company, Ltd.
    Inventor: Kyohsuke Kaminushi
  • Patent number: 10212123
    Abstract: A request is received at a local domain name system server (LDNS) from a client application to resolve a domain name. Responsive to the request a WHOIS information corresponding to the domain name is obtained, using which an age of registration of the domain name and a first weighted value based on the age are computed at the LDNS. A host associated with the domain name is accessed to determine whether a type of a service is configured at the host. A second weighted value is computed based on the configuration of the type of the service. A weighted score is computed using the first weighted value and the second weighted value. An action is selected according to the weighted score. The action is applied to a network component in a network where the client application is executing, to control a manner in which the client application communicates with the host.
    Type: Grant
    Filed: November 24, 2015
    Date of Patent: February 19, 2019
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Aaron K. Baughman, Mauro Marzorati, Gregory A. Porpora
  • Patent number: 10185638
    Abstract: A security container of a container environment monitors a resource load in a container environment, the container environment including a container service providing operating system-level virtualization for one or more application containers connected to a virtual switch within the container environment, the one or more application containers having their traffic intercepted by the security container for inspection. The security container activates, in response to determining that the monitored resource load meets a condition in a network load policy, a new security container. The security container determines a subset of the one or more application containers to be associated with the new security container, and transfers the network connections and network sessions of the subset of the one or more application containers to the new security container.
    Type: Grant
    Filed: May 10, 2016
    Date of Patent: January 22, 2019
    Assignee: NEUVECTOR, INC.
    Inventor: Gang Duan
  • Patent number: 10187414
    Abstract: A method is disclosed in which a system compares a first set of reports characterizing network traffic flows originating from an endpoint device with a second set of reports characterizing network traffic flows originating from the endpoint device and stored at an external network device to determine whether the first set and second set of reports characterizing network traffic flows originating from an endpoint device are different. In response to determining that the first and second reports characterizing network traffic flows are different, the system identifies the network traffic flows originating from the endpoint device and reported by an external network device, but not reported by the endpoint device, as possibly indicative of malware and forwards the network traffic flows originating from the endpoint device to an analyzer for further processing.
    Type: Grant
    Filed: July 20, 2016
    Date of Patent: January 22, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: Vincent E. Parla, Andrey Zawadowskiy, Donovan O'Hara
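The Cisco abstract above compares what an endpoint says about its own outbound flows with what an external network device recorded for the same endpoint; flows the network saw but the host did not report are the interesting ones, since host-side malware can hide its own connections from the host's telemetry but not from the switch. The example below is an added illustration for this page, not code from the patent or from Cisco. The endpoint report format, the simplified flow-export line format and the sample flows are all constructed; flows are normalized to (source, destination, protocol, destination port) so that differing ephemeral source ports do not produce false differences, which is this example's choice.

```python
import re

# Constructed export line format for the external device (simplified, not real NetFlow).
FLOW_LINE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)\s+(?P<proto>[A-Za-z]+)"
)


def normalize(src: str, dst: str, proto: str, dport) -> tuple:
    """Collapse ephemeral source ports and case so both reports describe the same thing."""
    return (src, dst, proto.lower(), int(dport))


def parse_endpoint_report(records) -> set:
    """Endpoint agent report: list of dicts, one per flow it admits to."""
    return {normalize(r["src"], r["dst"], r["proto"], r["dport"]) for r in records}


def parse_network_report(text: str) -> set:
    """External device report: one flow per line; unparseable lines are ignored."""
    flows = set()
    for line in text.splitlines():
        m = FLOW_LINE.search(line)
        if m:
            flows.add(normalize(m["src"], m["dst"], m["proto"], m["dport"]))
    return flows


def flows_hidden_from_endpoint(endpoint_ip: str, endpoint_flows: set, network_flows: set) -> list:
    """Flows originating from the endpoint that the network reported but the endpoint did not."""
    return sorted(f for f in network_flows - endpoint_flows if f[0] == endpoint_ip)


def triage(endpoint_ip: str, endpoint_records, network_text: str) -> list:
    """Return the flows to forward to the analyzer (empty when the two reports agree)."""
    return flows_hidden_from_endpoint(
        endpoint_ip, parse_endpoint_report(endpoint_records), parse_network_report(network_text)
    )


# Constructed sample reports for host 10.0.0.12.
ENDPOINT_REPORT = [
    {"src": "10.0.0.12", "dst": "93.184.216.34", "proto": "TCP", "dport": 443},
    {"src": "10.0.0.12", "dst": "10.0.0.53", "proto": "UDP", "dport": 53},
]
NETWORK_REPORT = """\
10.0.0.12:51234 -> 93.184.216.34:443 tcp bytes=8812
10.0.0.12:51235 -> 93.184.216.34:443 tcp bytes=1200
10.0.0.12:41002 -> 198.51.100.7:4444 tcp bytes=65000
10.0.0.13:60000 -> 10.0.0.12:22 tcp bytes=300
"""
```

Only one direction of the difference is reported: a flow the endpoint reports but the network device missed (the DNS flow here) is a collection-window or sampling artifact, not evidence of hiding, and inbound flows from other hosts are excluded because the check is about what originates from the endpoint.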
  • Patent number: 10177988
    Abstract: A topology remediation method includes with a remediation engine, deriving a number of remediation actions based on a number of incidents within an instantiated topology, and with a lifecycle management engine, modifying the instantiated topology based on a number of lifecycle management actions (LCMAs) determined to remediate the incidents.
    Type: Grant
    Filed: October 30, 2013
    Date of Patent: January 8, 2019
    Assignee: Hewlett Packard Enterprise Development LP
    Inventor: Stephane Herman Maes
  • Patent number: 10169443
    Abstract: A process for automatic tuning a set of collectors and/or sensors includes: collecting first machine data by a first sensor in a collection framework, processing the first machine data by a first collector in the collection framework to yield first collected machine data, performing analytics on the first collected machine data to generate analytics output, and tuning, based, at least in part, on the analytics output, at least one of the following: the first sensor and the first collector.
    Type: Grant
    Filed: July 18, 2016
    Date of Patent: January 1, 2019
    Assignee: International Business Machines Corporation
    Inventors: Michael Beisiegel, Dinakaran Joseph, Devaprasad K. Nadgir
  • Patent number: 10164908
    Abstract: Ternary content-addressable memory (TCAM) of an ingress appliance in a visibility fabric may include rules for filtering traffic received by the ingress appliance. But the TCAM has limited space for rules and can become easily exhausted. By migrating rules to other visibility nodes in the visibility fabric, the techniques introduced here allow the TCAM to be virtually extended across multiple visibility nodes. More specifically, upon receiving a data packet at an ingress port, the ingress visibility node can tag the data packet with an identifier based on which ingress port received the data packet. The ingress visibility node can then determine, based on the identifier, whether the data packet should be filtered using a rule stored in the TCAM of the ingress visibility node or a rule stored in the TCAM of another visibility node in the visibility fabric.
    Type: Grant
    Filed: October 26, 2017
    Date of Patent: December 25, 2018
    Assignee: Gigamon Inc.
    Inventors: Avoy Nanda, Hoang Nguyen
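The Gigamon abstract above tags each packet with an ingress-port identifier and uses the tag to decide whether the packet is filtered by a rule in the local TCAM or by a rule that was migrated to another node's TCAM. The example below is an added illustration for this page, not code from the patent or from Gigamon. It assumes a placement policy the abstract does not state: all rules for one ingress port live on a single node, the ingress node's own TCAM is preferred, and a port's rules are placed elsewhere only when the local TCAM is full. Capacities, node names and match fields are constructed.

```python
class VisibilityNode:
    def __init__(self, name: str, tcam_capacity: int):
        self.name = name
        self.tcam_capacity = tcam_capacity
        self.tcam = []   # list of (ingress_tag, match_fields, action), in priority order

    def has_room(self) -> bool:
        return len(self.tcam) < self.tcam_capacity


class VisibilityFabric:
    """All rules for one ingress port live on one node; the packet's tag says which."""

    def __init__(self, nodes):
        self.nodes = {n.name: n for n in nodes}
        self.placement = {}   # ingress tag -> name of the node holding that tag's rules

    @staticmethod
    def tag_for(node_name: str, port: int) -> str:
        return f"{node_name}:{port}"

    def install_rule(self, ingress_node: str, port: int, match_fields: dict, action: str) -> str:
        """Install a rule for traffic arriving on (ingress_node, port); returns the node that holds it."""
        tag = self.tag_for(ingress_node, port)
        holder = self.placement.get(tag)
        if holder is None:
            # Prefer the ingress node's own TCAM; otherwise migrate this port's rules to a node with room.
            candidates = [ingress_node] + [n for n in self.nodes if n != ingress_node]
            holder = next((n for n in candidates if self.nodes[n].has_room()), None)
            if holder is None:
                raise RuntimeError("no TCAM space anywhere in the fabric")
            self.placement[tag] = holder
        node = self.nodes[holder]
        if not node.has_room():
            raise RuntimeError(f"TCAM full on {holder} for tag {tag}")
        node.tcam.append((tag, dict(match_fields), action))
        return holder

    def filter_packet(self, ingress_node: str, port: int, pkt: dict):
        """Tag on arrival, look up where the tag's rules live, apply the first matching rule there.
        Returns (node that filtered, action)."""
        tag = self.tag_for(ingress_node, port)
        holder = self.placement.get(tag, ingress_node)
        for rule_tag, fields, action in self.nodes[holder].tcam:
            if rule_tag == tag and all(pkt.get(k) == v for k, v in fields.items()):
                return holder, action
        return holder, "pass"   # constructed default: unmatched traffic goes on to the tools
```

The tag is what keeps the lookup deterministic after migration: a packet from port 2 on node A is forwarded to node B for filtering even though node A still has its own TCAM, because node B is where port 2's rules were placed when A's TCAM filled.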
  • Patent number: 10164993
    Abstract: Content inspection and analysis are described. A server stores a definition of sets of browser policies. A definition of one or more sets of users is stored. The server stores an association with a respective set of browser policies for the one or more sets of users. A request is received from a client browser associated with a user, wherein the client browser is configured to communicate with the server. The server determines which set of users the user is associated with. The server identifies a first set of browser policies that is associated with the determined set of users and applies the identified first set of browser policies to the request.
    Type: Grant
    Filed: February 21, 2017
    Date of Patent: December 25, 2018
    Assignee: Amazon Technologies, Inc.
    Inventors: Leon Robert Warman, Kurt Kufeld, Peter Sven Vosshall, Jesper Mikael Johansson, Kyle Bradley Peterson, Peter Frank Hill
  • Patent number: 10164971
    Abstract: Techniques are disclosed for enabling a user to validate the authenticity of a computing system (e.g., an access management system) such as one which controls access to one or more resources. A user can determine the authenticity of an access management system before the user provides credential information to the access management system. A user can be presented at a client system with an interface to request authentication of an access management system. The access management system may provide the user at the client system with temporary access information to submit back to the access management system. The access management system may provide recent personal information to the user at the client system to verify the access management system. Upon verification of the personal information, the access management system may prompt the user for credential information to establish a session.
    Type: Grant
    Filed: October 22, 2015
    Date of Patent: December 25, 2018
    Assignee: Oracle International Corporation
    Inventors: Stephen Mathew, Ramya Subramanya, Vipin Anaparakkal Koottayi
  • Patent number: 10154062
    Abstract: This disclosure describes an approach to handle packets that arrive at a network security device, such as a router. At a data plane of the security device, packet identifiers included in an incoming packet not currently belonging to an IP session of the device are compared to packet identifiers stored in a table stored in a memory of the security device. The incoming packet identifiers include a source IP, a destination IP, a protocol, a destination port, and a source port, while the identifiers stored in the table do not include the source port. A new session is established for the incoming packet in response to the set of packet identifiers matching one of the entries in the table.
    Type: Grant
    Filed: September 25, 2015
    Date of Patent: December 11, 2018
    Assignee: NXP USA, Inc.
    Inventors: Subhashini A. Venkataramanan, Srinivasa R. Addepalli
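The NXP abstract above separates two lookups on the data plane: a session lookup keyed by the full 5-tuple, and, for packets that belong to no session, a table lookup keyed by the 4-tuple without the source port, which is what lets one table entry admit every new connection a client opens from a different ephemeral port. The example below is an added illustration for this page, not code from the patent or from NXP. It goes one step beyond the abstract by also matching return traffic against the reversed 5-tuple of an established session, which is the usual stateful-firewall behaviour and is labelled as this example's addition; the sample addresses are constructed.

```python
from typing import NamedTuple


class FiveTuple(NamedTuple):
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int
    src_port: int


class DataPlane:
    """Session table keyed by 5-tuple; admission table keyed by 4-tuple (no source port)."""

    def __init__(self, allow_entries):
        # Table entries omit the source port: (src_ip, dst_ip, proto, dst_port).
        self.allow = set(allow_entries)
        self.sessions = set()

    def handle(self, pkt: FiveTuple) -> str:
        if pkt in self.sessions:
            return "forward"                          # existing session, forward direction
        # Added for the example: return traffic of an existing session matches the reversed tuple.
        reverse = FiveTuple(pkt.dst_ip, pkt.src_ip, pkt.proto, pkt.src_port, pkt.dst_port)
        if reverse in self.sessions:
            return "forward"
        key = (pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.dst_port)
        if key in self.allow:
            self.sessions.add(pkt)                    # establish a new session for this 5-tuple
            return "forward"
        return "drop"

    def session_count(self) -> int:
        return len(self.sessions)


# Constructed admission table: one client may open HTTPS to one server, from any source port.
ALLOW_TABLE = [("10.1.1.5", "10.2.2.10", "tcp", 443)]
```

Two connections from the same client to the same service with different ephemeral ports both match the single table entry and each get their own session; an unsolicited packet from the server side that does not reverse an existing session is dropped, and so is a connection to a port the table does not list.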
  • Patent number: 10142212
    Abstract: Systems and methods are disclosed to provide on demand packet traffic monitoring for packet communications within virtual packet processing environments. Virtual TAPs (test access ports) within virtualization layers for VM (virtual machine) host hardware systems are controlled by external controllers to configure watch filters for VM platforms operating within the virtualization layer based upon trigger events determined within packet flow data and/or based upon other external trigger events. The virtual TAP controller then periodically receives watch filter packet data updates from the virtual TAP and further controls the virtual TAP to configure more detailed focus filters for the VM platforms based upon watch filter trigger events. The virtual TAP controller can further communicate one or more VM action commands (e.g., stop VM, stop application, etc.) to the virtual TAP for application to the VM platforms based upon trigger events associated with this more detailed focus filter data.
    Type: Grant
    Filed: October 26, 2015
    Date of Patent: November 27, 2018
    Assignee: Keysight Technologies Singapore (Holdings) Pte Ltd
    Inventors: Anirban Majumder, Marcel Desdier, Deepesh Arora
  • Patent number: 10135787
    Abstract: The present invention prevents all of the filter rules from leaking, and the filter functions of an entire network from stopping, even if problems arise in a filter device or other component that performs the filtering.
    Type: Grant
    Filed: March 8, 2016
    Date of Patent: November 20, 2018
    Assignee: NEC PLATFORMS, LTD.
    Inventor: Yoshiaki Suzuki
  • Patent number: 10129241
    Abstract: Systems, methods, and computer readable medium for virtualized computing environments. A method for providing a connection between a guest virtual machine and a service virtual machine uses driver code functions to establish a listening port on the service virtual machine without providing a listening port on the guest virtual machine. The guest virtual machine initiates a remote procedure call socket between itself and the service virtual machine over a secure, hardened port. The service virtual machine presents an authority certificate by encoding into the authority certificate identifying information received from the guest virtual machine. The service virtual machine makes available (e.g., as an ISO image) the authority certificate, which is used to establish new secure connections.
    Type: Grant
    Filed: March 26, 2018
    Date of Patent: November 13, 2018
    Assignee: Nutanix, Inc.
    Inventors: Parthasarathy Ramachandran, Karthik Chandrasekaran, Bharat Kumar Beedu, Akshay Anant Deodhar, Simon Martin Mijolovic
  • Patent number: 10129125
    Abstract: In an example, there is disclosed a computing apparatus, having: a network interface to communicatively couple to a software-defined network (SDN); first one or more logic elements providing an SDN controller engine to provide a control function for the SDN; and second one or more logic elements providing a route tracing engine to: receive a tunneling notification from a network device agent, the tunneling notification associated with a network flow; and perform a backtracking traceroute operation to deterministically identify a source device for the flow. There is also disclosed a method of providing the foregoing, and one or more tangible, non-transitory computer-readable storage mediums for providing the foregoing.
    Type: Grant
    Filed: December 18, 2015
    Date of Patent: November 13, 2018
    Assignee: McAfee, LLC
    Inventors: Gopal Agrawal, Shivakrishna Anandam Mulka
  • Patent number: 10129284
    Abstract: In a system for configuring a web application firewall, one or more parameters of the firewall are adjusted such that a test configured for exposing a vulnerability of an application protected by the application firewall is blocked by the firewall and another test configured to invoke functionality of the application but that does not expose or exploit any security vulnerability is not blocked by the firewall. A notification is provided to a user if such a firewall configuration is not found after a specified number of attempts.
    Type: Grant
    Filed: September 25, 2014
    Date of Patent: November 13, 2018
    Assignee: Veracode, Inc.
    Inventor: Erik J. Peterson
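The tuning loop this abstract describes, as an added example written for this page (not Veracode's code): a toy scoring WAF whose single tunable parameter is the anomaly-score threshold, an attack test that must be blocked, functional tests that must pass, and a notification once a bounded number of attempts finds no configuration that satisfies both. The rule set, scores, test requests and the threshold-search order are all constructed assumptions:

```python
import re
from typing import Callable, Iterable, List, Optional


# Constructed toy rule set: (pattern, anomaly score). The WAF blocks a request
# whose summed score reaches the threshold being tuned. Scores are assumptions.
RULES = [
    (re.compile(r"(?i)union\s+select"), 5),
    (re.compile(r"(?i)<script"), 5),
    (re.compile(r"(?i)\bor\b\s+\d+=\d+"), 3),
    (re.compile(r"'"), 2),
    (re.compile(r"--"), 1),
]


def anomaly_score(request: str) -> int:
    return sum(score for pattern, score in RULES if pattern.search(request))


def is_blocked(request: str, threshold: int) -> bool:
    return anomaly_score(request) >= threshold


# Tests the tuner runs (constructed): attack tests expose a vulnerability and
# must be blocked; functional tests exercise the application and must pass.
ATTACK_TESTS: List[str] = [
    "id=1' OR 1=1 --",
    "q=' UNION SELECT username, password FROM users --",
]
FUNCTIONAL_TESTS: List[str] = [
    "comment=I'm happy with the order",   # legitimate apostrophe
    "name=O'Brien--Smith",                # apostrophe plus a double hyphen
]


def acceptable(threshold: int) -> bool:
    """True when every attack test is blocked and no functional test is."""
    attacks_blocked = all(is_blocked(a, threshold) for a in ATTACK_TESTS)
    functional_ok = not any(is_blocked(f, threshold) for f in FUNCTIONAL_TESTS)
    return attacks_blocked and functional_ok


def tune(candidates: Iterable[int], max_attempts: int,
         notify: Callable[[str], None]) -> Optional[int]:
    """Try candidate thresholds in order and return the first acceptable one.

    After max_attempts without success, notify the user and return None so
    the caller does not silently ship an unverified configuration.
    """
    attempts = 0
    for threshold in candidates:
        if attempts >= max_attempts:
            break
        attempts += 1
        if acceptable(threshold):
            return threshold
    notify(f"no acceptable WAF configuration after {attempts} attempts")
    return None


if __name__ == "__main__":
    print(tune(range(1, 11), max_attempts=10, notify=print))
    print(tune(range(1, 11), max_attempts=3, notify=print))
```

With these inputs the attack requests score 6 and 8 while the functional requests score 2 and 3, so thresholds 1 to 3 block legitimate traffic and 4 is the first acceptable value; capping the search at three attempts triggers the notification instead. In practice the parameter space is larger than one integer (rule exclusions per path, paranoia levels, body-inspection limits), and a configuration that passes a fixed test set is only as good as that set: adding new attack tests after tuning is how the loop stays honest.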
  • Patent number: 10122747
    Abstract: Data is collected from a set of devices according to a data collection policy. The data is associated with device configuration, device state, or device behavior. A norm is established using the collected data. A different data collection policy is established based on the norm. Data is collected from a particular device according to the different data collection policy. The norm is compared to the data collected from the particular device. If there is a deviation outside of a threshold deviation between the norm and the data collected from the particular device, a response is initiated.
    Type: Grant
    Filed: July 26, 2017
    Date of Patent: November 6, 2018
    Assignee: LOOKOUT, INC.
    Inventors: Kevin Patrick Mahaffey, Timothy Micheal Wyatt, Brian James Buck, John Gunther Hering, Amit Gupta, Alex Cameron Abey
  • Patent number: 10116671
    Abstract: A system and computer program product for detecting distributed denial-of-service (DDoS) attacks is provided. Current aggregated flow information for a defined period of time is analyzed. It is determined whether network flow increased above a defined flow threshold value to a second data processing system connected to a network within the defined period of time based on analyzing the current aggregated flow information. In response to determining that the network flow has increased above the defined flow threshold value to the second data processing system connected to the network within the defined period of time, it is determined that the second data processing system is under a DDoS attack.
    Type: Grant
    Filed: September 28, 2017
    Date of Patent: October 30, 2018
    Assignee: International Business Machines Corporation
    Inventors: Kuo-Chun Chen, Chih-Hung Chou, Wei-Hsiang Hsiung, Sheng-Tung Hsu
  • Patent number: 10116672
    Abstract: A method for detecting distributed denial-of-service (DDoS) attacks is provided. Current aggregated flow information for a defined period of time is analyzed. It is determined whether network flow increased above a defined flow threshold value to a second data processing system connected to a network within the defined period of time based on analyzing the current aggregated flow information. In response to determining that the network flow has increased above the defined flow threshold value to the second data processing system connected to the network within the defined period of time, it is determined that the second data processing system is under a DDoS attack.
    Type: Grant
    Filed: November 14, 2017
    Date of Patent: October 30, 2018
    Assignee: International Business Machines Corporation
    Inventors: Kuo-Chun Chen, Chih-Hung Chou, Wei-Hsiang Hsiung, Sheng-Tung Hsu
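The detection logic shared by the two IBM abstracts above (10116671 and 10116672), as an added example written for this page rather than IBM's code: flow records are aggregated per destination over a defined period, and a destination whose flow count in that period exceeds the defined threshold is reported as under DDoS attack. The flow records, window and thresholds are constructed; the `min_sources` refinement is an addition that is not in the abstracts:

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class FlowRecord:
    """One exported flow record (NetFlow/IPFIX-like), constructed for the example."""
    ts: int          # seconds since epoch when the flow was observed
    src_ip: str
    dst_ip: str
    packets: int


@dataclass
class DstStats:
    flows: int = 0
    packets: int = 0
    sources: Set[str] = field(default_factory=set)


def aggregate(flows: Iterable[FlowRecord], window_start: int,
              window_len: int) -> Dict[str, DstStats]:
    """Aggregate flows per destination for [window_start, window_start + window_len)."""
    stats: Dict[str, DstStats] = defaultdict(DstStats)
    for f in flows:
        if window_start <= f.ts < window_start + window_len:
            s = stats[f.dst_ip]
            s.flows += 1
            s.packets += f.packets
            s.sources.add(f.src_ip)
    return dict(stats)


def detect_ddos(flows: Iterable[FlowRecord], window_start: int, window_len: int,
                flow_threshold: int, min_sources: int = 1) -> List[str]:
    """Destinations whose flow count in the window exceeds flow_threshold.

    min_sources is an added refinement: requiring the excess flows to come from
    many sources separates a distributed attack from one busy (or broken) client.
    """
    stats = aggregate(flows, window_start, window_len)
    return sorted(dst for dst, s in stats.items()
                  if s.flows > flow_threshold and len(s.sources) >= min_sources)


def sample_flows() -> List[FlowRecord]:
    """Constructed records: 150 distinct sources hitting 192.0.2.10 inside the
    window, one client opening 120 flows to 192.0.2.20, and a burst to
    192.0.2.30 that falls outside the window and must be ignored."""
    flows = [FlowRecord(1000 + i % 60, f"203.0.113.{i}", "192.0.2.10", 3) for i in range(150)]
    flows += [FlowRecord(1000 + i % 60, "198.51.100.7", "192.0.2.20", 1) for i in range(120)]
    flows += [FlowRecord(2000 + i % 60, f"203.0.113.{i}", "192.0.2.30", 1) for i in range(200)]
    return flows


if __name__ == "__main__":
    print(detect_ddos(sample_flows(), 1000, 60, flow_threshold=100))
    print(detect_ddos(sample_flows(), 1000, 60, flow_threshold=100, min_sources=50))
```

A fixed absolute threshold is the weakest part of this scheme: it fires on flash crowds and misses low-rate attacks against small services. Deriving the threshold from a per-destination baseline (the previous windows for the same destination) and counting distinct sources, as the second call does, are the usual first improvements.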
  • Patent number: 10110606
    Abstract: A system and method for providing a secured connection between servers on a local area network (LAN) and clients on a wide area network (WAN) via a de-militarized zone (DMZ). The system includes a Service, a LAN Server, a LAN Controller, a DMZ Server and a DMZ Stack Pool Service. The method includes establishing an outbound TCP-based connection to the DMZ Stack Pool Service based on a request; passing Client Connection Information to the LAN Server; generating a first connection to the Service and a second connection to the DMZ Server, wherein the LAN server creates a Connection Binder between the Service and the outbound connections; creating a Connection Binder that binds the incoming Request and the outbound connection to complete the route of the Request; streaming the Request through the DMZ Server and the LAN Server; and streaming the request data from the Service to the Client.
    Type: Grant
    Filed: February 14, 2018
    Date of Patent: October 23, 2018
    Assignee: SAFE-T DATA A.R LTD.
    Inventor: Amir Mizhar
  • Patent number: 10110559
    Abstract: Systems and methods for web application firewall tunneling are disclosed. In one embodiment, the method may include (1) receiving a plurality of characters entered by a user into a field of an HTML page that is executed in a client runtime environment of a client device; (2) executing a client tunneling application to encode at least some of the characters; (3) passing the plurality of characters through the web application firewall; (4) executing a server tunneling application to decode the encoded characters; and (5) providing the plurality of characters, including the decoded characters, to a host application. Parts of the method may be performed by at least one computer processor.
    Type: Grant
    Filed: April 27, 2015
    Date of Patent: October 23, 2018
    Assignee: JPMorgan Chase Bank, N.A.
    Inventors: Glenn Stuart Benson, Christiaan Paul Akre, Russell M. Logar
  • Patent number: 10110556
    Abstract: Methods, systems, and computer readable media for initiating and executing a performance test of a private network and/or components thereof are disclosed. Methods and systems include a receiver endpoint in a private network, and a sender endpoint in a public network. The receiver endpoint initiates a transport layer connection with the sender endpoint. The sender endpoint allocates a port, binds to the port, and sends an Internet Protocol (IP) address and a port number over the transport layer connection. The receiver endpoint then sends a hole punch datagram from the private network to the public network to create a hole in a firewall that is separating the public and private networks. The sender endpoint receives the hole punch datagram and uses IP address and port information in the hole punch datagram to send test traffic through the hole in the firewall.
    Type: Grant
    Filed: December 17, 2014
    Date of Patent: October 23, 2018
    Assignee: KEYSIGHT TECHNOLOGIES SINGAPORE (HOLDINGS) PTE. LTD.
    Inventor: Marius Pavel Nistor
  • Patent number: 10110632
    Abstract: Methods, machines, and systems manage security policies of heterogeneous infrastructure and computing devices of a network. A security policy repository houses security policies that are pushed over the network by a policy decision point (PDP) to appropriate security-enabled devices (policy enforcement points (PEPs)) for enforcement. Using a closed feedback loop, a policy feedback point (PFP) collects and processes data from intrusions, alerts, violations, and other abnormal behaviors from a variety of PEPs or logs produced from PEPs. This data is sent as feedback to the policy repository. The PDP detects the data and analyzes it to determine if policy updates (which can be dynamic and automatic) need to be adaptively made and dynamically pushed to PEPs. The PDP can also send console messages or alerts to consoles or administrators.
    Type: Grant
    Filed: March 31, 2003
    Date of Patent: October 23, 2018
    Assignee: Intel Corporation
    Inventors: Hong C. Li, Ravi Sahita, Satyendra Yadav
  • Patent number: 10104116
    Abstract: A system for determining whether a website is an illegitimate website, the system comprising: a requester module configured to request one or more rules from a host server for a website and to receive a response from the host server in response to a request; an analysis module configured to determine whether a response or lack of a response received by the requester module indicates that the website is an illegitimate website; and a record module configured to store an indication that the website is an illegitimate website, wherein the one or more rules provide one or more instructions to a robot computer program regarding access of the website by the robot computer program.
    Type: Grant
    Filed: February 9, 2016
    Date of Patent: October 16, 2018
    Assignee: MAJESTIC-12 LTD
    Inventors: Alexey Chudnovskiy, Steve Pitchford
  • Patent number: 10104215
    Abstract: Embodiments of the present invention provide a blacklist management method and a device, relate to the field of communications, and are used for rapidly and conveniently adding a number to a blacklist, thereby improving operation efficiency of a terminal. The method includes: detecting, by a first terminal, an acceleration of the first terminal; when it is determined that the acceleration is greater than or equal to a first preset value, acquiring identification information of a second terminal; and adding the identification information to a blacklist. Embodiments of the method are used for blacklist management.
    Type: Grant
    Filed: April 16, 2014
    Date of Patent: October 16, 2018
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Wenhu Zhang, Faliang Yang
  • Patent number: 10091028
    Abstract: Some embodiments provide a novel network control system for managing a set of switching elements in a network. The network control system includes a first set of network controllers for managing a first set of switching elements that enable communication between a first set of machines. The network control system includes a second set of network controllers for managing a second set of switching elements that enable communication between a second set of machines. The second set of switching elements is separate from the first set of switching elements and the second set of machines is separate from the first set of machines. The network control system includes a third set of network controllers for managing the first and second sets of network controllers in order to enable communication between machines in the first set of machines and machines in the second set of machines.
    Type: Grant
    Filed: August 17, 2012
    Date of Patent: October 2, 2018
    Assignee: NICIRA, INC.
    Inventors: Teemu Koponen, Martin Casado, Pankaj Thakkar, Ronghua Zhang, Daniel J. Wendlandt
  • Patent number: 10089462
    Abstract: A small piece of hardware connects to a mobile device and filters out attacks and malicious code. Using the piece of hardware, a mobile device can be protected by greater security and possibly by the same level of security offered by its associated corporation/enterprise. In one embodiment, a mobile security system includes a connection mechanism for connecting to a data port of a mobile device and for communicating with the mobile device; a network connection module for acting as a gateway to a network; a security policy for determining whether to forward content intended for the mobile device to the mobile device; and a security engine for executing the security policy.
    Type: Grant
    Filed: August 29, 2017
    Date of Patent: October 2, 2018
    Assignee: CUPP Computing AS
    Inventor: Shlomo Touboul
  • Patent number: 10091238
    Abstract: Methods and systems for deception using distributed threat detection are provided. Exemplary methods by an enforcement point, the enforcement point communicatively coupled to a first data network and a second data network, the enforcement point not providing services in the second data network, include: receiving, from a first workload in the second data network, a data packet addressed to a second workload in the second data network, the data packet requesting a service from the second workload; determining the data packet is for unauthorized access of the second workload, the determining using at least some of a 5-tuple of the data packet; identifying a deception point using the service, the deception point being in the first data network and including a decoy for the service; and redirecting the data packet to the deception point in the first data network.
    Type: Grant
    Filed: March 2, 2017
    Date of Patent: October 2, 2018
    Assignee: vArmour Networks, Inc.
    Inventors: Choung-Yaw Shieh, Marc Woolward, Zhiping Liu, Cheng-Lin Hou, Matthew M. Williamson, Yi Hung Cheng, Chien Yang Hsu, Hsin Tien Tseng
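The enforcement-point decision in this abstract, as an added example written for this page (not vArmour's code): a request from one workload to another is checked against an authorization table using four fields of its 5-tuple; an unauthorized request for a service that has a decoy is redirected to the deception point in the first network, and the decoy's replies are rewritten back so the requester still believes it is talking to the original workload. The authorization table, decoy addresses and packets are constructed, and the reply-rewriting state is an addition the abstract does not spell out:

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: int        # 6 = TCP
    src_port: int
    dst_port: int


FlowKey = Tuple[str, str, int, int, int]


class EnforcementPoint:
    """Sits between the second data network (workloads) and the first data
    network (deception points) and offers no services of its own."""

    def __init__(self, authorized: Set[Tuple[str, str, int, int]],
                 deception_points: Dict[Tuple[int, int], str]) -> None:
        self.authorized = authorized                 # (src_ip, dst_ip, proto, dst_port)
        self.deception_points = deception_points     # (proto, dst_port) -> decoy IP
        # Reverse map so a decoy's replies can be rewritten back:
        # (decoy_ip, requester_ip, proto, service_port, requester_port) -> original dst
        self.reverse: Dict[FlowKey, str] = {}

    def handle_request(self, pkt: Packet) -> Tuple[str, Packet]:
        """Decide on a packet from a workload using four fields of its 5-tuple."""
        if (pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.dst_port) in self.authorized:
            return "forward", pkt
        decoy = self.deception_points.get((pkt.proto, pkt.dst_port))
        if decoy is None:
            return "drop", pkt                       # no decoy for this service
        self.reverse[(decoy, pkt.src_ip, pkt.proto, pkt.dst_port, pkt.src_port)] = pkt.dst_ip
        return "redirect", replace(pkt, dst_ip=decoy)

    def handle_reply(self, pkt: Packet) -> Tuple[str, Packet]:
        """Rewrite a decoy's reply so the requester sees the workload it asked for."""
        key = (pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.src_port, pkt.dst_port)
        orig_dst = self.reverse.get(key)
        if orig_dst is None:
            return "forward", pkt
        return "rewrite", replace(pkt, src_ip=orig_dst)


def demo() -> List[Tuple[str, str]]:
    """Constructed scenario: a web workload is allowed to reach the database on
    5432 only; SSH and RDP attempts against the database are unauthorized."""
    ep = EnforcementPoint(
        authorized={("10.1.0.20", "10.1.0.30", 6, 5432)},
        deception_points={(6, 22): "10.9.0.5", (6, 5432): "10.9.0.6"},
    )
    results = []
    for pkt in [
        Packet("10.1.0.20", "10.1.0.30", 6, 40001, 5432),   # authorized
        Packet("10.1.0.20", "10.1.0.30", 6, 40002, 22),     # unauthorized, decoy exists
        Packet("10.1.0.20", "10.1.0.30", 6, 40003, 3389),   # unauthorized, no decoy
    ]:
        action, out = ep.handle_request(pkt)
        results.append((action, out.dst_ip))
    # The SSH decoy answers; its source must become the database's address.
    action, out = ep.handle_reply(Packet("10.9.0.5", "10.1.0.20", 6, 22, 40002))
    results.append((action, out.src_ip))
    return results


if __name__ == "__main__":
    print(demo())
```

The redirect entry must be keyed on the requester's port as well as its address, otherwise two connections from the same host to the same decoy service cannot be told apart on the way back. The decoy itself should present the fingerprint (banner, TLS certificate, response timing) of the service it impersonates, or the redirect is what reveals the deception.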
  • Patent number: 10084703
    Abstract: A method is provided in one example embodiment and includes receiving at a network element a packet including a Network Services Header (“NSH”), in which the NSH includes an Infrastructure (“I”) flag and a service path header comprising a Service Index (“SI”), and a Service Path ID (“SPI”) and determining whether the I flag is set to a first value. The method further includes, if the I flag is set to the first value, setting the I flag to a second value and forwarding the packet to the service function that corresponds to the SI for processing. The method still further includes, if the I flag is not set to the first value, decrementing the SI and making a forwarding decision based on a new value of the SI and the SPI.
    Type: Grant
    Filed: April 29, 2016
    Date of Patent: September 25, 2018
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Surendra M. Kumar, Hendrikus G. P. Bosch, Kent K. Leung, Abhijit Patra
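The forwarding step in this abstract (check the I flag; if set, clear it and hand the packet to the service function for the current SPI/SI; otherwise decrement the SI and forward on the new SPI/SI), as an added example written for this page, not Cisco's code. The header layout follows the RFC 8300 base header and service path header; RFC 8300 defines no I flag, so its position (the unassigned bit after the O bit) and the convention that "first value" means 1 are assumptions for this example, as are the service path table and packets:

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Bit positions in the first 32-bit word of the NSH base header (RFC 8300).
O_BIT = 1 << 29
# Assumption for this example: the patent's Infrastructure (I) flag is placed in
# the unassigned bit immediately after the O bit. RFC 8300 defines no such flag.
I_BIT = 1 << 28


@dataclass
class NshHeader:
    version: int
    o_flag: int
    i_flag: int
    ttl: int
    length: int          # total NSH length in 4-byte words
    md_type: int
    next_proto: int
    spi: int             # 24-bit Service Path Identifier
    si: int              # 8-bit Service Index


def parse_nsh(buf: bytes) -> NshHeader:
    """Decode the base header and the service path header (first 8 bytes)."""
    w0, w1 = struct.unpack("!II", buf[:8])
    return NshHeader(
        version=w0 >> 30,
        o_flag=(w0 >> 29) & 1,
        i_flag=(w0 >> 28) & 1,
        ttl=(w0 >> 22) & 0x3F,
        length=(w0 >> 16) & 0x3F,
        md_type=(w0 >> 8) & 0xF,
        next_proto=w0 & 0xFF,
        spi=w1 >> 8,
        si=w1 & 0xFF,
    )


def build_nsh(spi: int, si: int, i_flag: bool = False, ttl: int = 63,
              md_type: int = 2, next_proto: int = 1) -> bytes:
    """Minimal two-word NSH (no context headers): base header + service path header."""
    w0 = ((ttl & 0x3F) << 22) | (2 << 16) | ((md_type & 0xF) << 8) | (next_proto & 0xFF)
    if i_flag:
        w0 |= I_BIT
    w1 = ((spi & 0xFFFFFF) << 8) | (si & 0xFF)
    return struct.pack("!II", w0, w1)


def process(packet: bytes, sf_table: Dict[Tuple[int, int], str]) -> Tuple[str, Optional[str], bytes]:
    """One forwarding step at a network element, following the abstract.

    sf_table maps (SPI, SI) to the service function that owns that hop.
    Returns (action, target, packet as it leaves the element).
    """
    hdr = parse_nsh(packet)
    w0 = struct.unpack("!I", packet[:4])[0]
    if hdr.i_flag == 1:
        # I flag at its first value: clear it and hand the packet to the service
        # function for the current (SPI, SI) without touching the SI.
        out = struct.pack("!I", w0 & ~I_BIT) + packet[4:]
        sf = sf_table.get((hdr.spi, hdr.si))
        return ("to-sf", sf, out) if sf else ("drop", None, out)
    # I flag at its second value: the service function has run, so decrement the
    # SI and make the forwarding decision on the new (SPI, SI).
    new_si = hdr.si - 1
    if new_si <= 0:
        return "drop", None, packet              # path exhausted; never forward SI 0
    out = packet[:4] + struct.pack("!I", (hdr.spi << 8) | new_si) + packet[8:]
    next_hop = sf_table.get((hdr.spi, new_si))
    return ("forward", next_hop, out) if next_hop else ("drop", None, out)


if __name__ == "__main__":
    table = {(0x10, 255): "firewall", (0x10, 254): "ids"}
    pkt = build_nsh(spi=0x10, si=255, i_flag=True)
    for _ in range(3):
        action, target, pkt = process(pkt, table)
        print(action, target, parse_nsh(pkt).si)
```

Because the flag is cleared on the way to the service function, a packet that loops back to the same element cannot be delivered to that function twice, and an SI that would reach zero is dropped rather than looked up. A device exposed to untrusted NSH traffic should additionally validate the version, the length field against the actual buffer, and the TTL before acting on the service path header.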