Firewall Patents (Class 726/11)
  • Patent number: 11030310
    Abstract: There is provided a computer implemented method of disabling a malicious electronic control unit (ECU) of a plurality of ECUs in communication with a controller area network (CAN) bus network, the method executed by a computing device in communication with the plurality of ECUs and the CAN bus network, the method comprising: detecting a malicious message transmitted by the malicious ECU over the CAN bus network, and injecting a plurality of bits over the CAN bus network to trigger a predefined plurality of errors for disabling the malicious ECU before the malicious ECU makes an additional attempt to retransmit an additional instance of the malicious message.
    Type: Grant
    Filed: August 17, 2017
    Date of Patent: June 8, 2021
    Assignee: Red Bend Ltd.
    Inventors: Tomer Gilad, Shachar Rosen
  • Patent number: 11019514
    Abstract: A system and method that utilize data from co-sited cells that transmit and receive data on frequencies that are licensed to different operators facilitate sharing cellular configuration and performance data without revealing proprietary data to competing operators. Detection of external interference is enhanced by data from different operators.
    Type: Grant
    Filed: April 19, 2019
    Date of Patent: May 25, 2021
    Assignee: Spectrum Effect Inc.
    Inventors: Diego Ayala, Eamonn Gormley, David James Ryan, Charles Immendorf
  • Patent number: 11012420
    Abstract: A method of enforcing security rules for a packet on a host is provided. The method at a security service dispatcher, determines a dispatching action on a packet for each of a group of security services. Each security service is for enforcing a set of security rules on each packet. The method for each security service, sends the packet to the security service when the dispatch rule for the security service indicates that the set of security rules of the security service has to be enforced on the packet. The method for each security service, bypasses the enforcement of the security rules of the security service when the dispatch rule for the security service indicates that the set of security rules of the security service has to be bypassed for the packet.
    Type: Grant
    Filed: November 15, 2017
    Date of Patent: May 18, 2021
    Assignee: NICIRA, INC.
    Inventors: Soner Sevinc, Yang Song
  • Patent number: 11012419
    Abstract: A system including a network communication device, a storage device, and a controller is provided. The storage device stores first mappings between IP addresses and devices, and second mappings between software and devices. The controller obtains a connection log from the proxy server or the firewall device via the network communication device, uses the first mappings and the second mappings to analyze the connection log to determine one or more different connections between connections of devices on which first software is installed and connections of devices on which the first software is not installed, determines whether the first software functions normally on a first device blocking the different connections, and adds destination addresses of the different connections into a blocking list in response to the first software functioning normally on the first device, such that the proxy server or the firewall device blocks all connections towards the destination addresses.
    Type: Grant
    Filed: March 19, 2019
    Date of Patent: May 18, 2021
    Assignee: QUANTA COMPUTER INC.
    Inventors: Chen-Chung Lee, Chia-Hung Lin, Cheng-Yao Wang, Jen-Hung Chang, Ming-Jen Chen
  • Patent number: 11012370
    Abstract: Described herein is a system for automatically capturing configuration changes to the cloud computing resources. The system for automatically capturing configuration changes may detect changes to configurations of cloud computing resources across the geographic regions, in real-time. The changes may be stored in a central data storage device instantiated by a central cloud computing account. Furthermore, a relationship graph indicating the relationships between the different cloud computing resources may be generated.
    Type: Grant
    Filed: May 20, 2020
    Date of Patent: May 18, 2021
    Assignee: Capital One Services, LLC
    Inventor: Matthew Gladney
  • Patent number: 10999253
    Abstract: A network device identifies an Internet Protocol Security (IPsec) tunnel that connects the network device to a remote device and determines that dead peer detection (DPD) is enabled at the network device. The network device receives a first DPD request message from the remote device via the IPsec tunnel, and sends a first DPD response message to the remote device via the IPsec tunnel. The network device determines that a workload of the network device satisfies a threshold amount, and sends one or more encapsulating security payload (ESP) packets that include traffic flow confidentiality (TFC) payload data to the remote device via the IPsec tunnel. The network device determines that the workload of the network device does not satisfy the threshold amount. The network device receives a second DPD request message from the remote device and sends a second DPD response message to the remote device via the IPsec tunnel.
    Type: Grant
    Filed: July 26, 2018
    Date of Patent: May 4, 2021
    Assignee: Juniper Networks, Inc.
    Inventors: Naresh Chand, Ranjan Sinha
  • Patent number: 10999354
    Abstract: Systems and methods are disclosed herein for opening files via local applications. A first application on a local device receives a request to open a document specified by a user via a user interface associated with the first application, the document having a document identifier and associated with a first file stored on a server. The first application communicates the request to open the document associated with the first file to a second application on the local device, and receives, from the second application, information identifying one of the plurality of document processing applications that are on the local device and are capable of opening a second file that is stored on the local device and has the same document identifier as the document specified by the user, the second file being a local copy of the first file.
    Type: Grant
    Filed: January 13, 2020
    Date of Patent: May 4, 2021
    Assignee: Google LLC
    Inventors: Jessie Lynne Newman, Frank Pape, III, Ali Akhavan Bitaghsir, Brian Schneider, James Michael McCollum, Eric Huayu Zhang, Rachel Werner Barton, Marc Miller, Rishi Sharma
  • Patent number: 10999220
    Abstract: Some embodiments of the invention provide a novel architecture for capturing contextual attributes on host computers that execute one or more machines and providing the captured contextual attributes to middlebox service engines executing at the edge of a physical datacenter. In some embodiments, the middlebox service engines run in an edge host (e.g., an NSX Edge) that provides routing services and connectivity to external networks (e.g., networks external to an NSX-T deployment). Some embodiments execute a context header insertion processor that receives contextual attributes relating to network events and/or process events on the machines collected using a guest-introspection (GI) agent on each machine. In some embodiments, the context header insertion processor uses these contextual attributes to generate a header including data regarding the contextual attributes (a “context header”) that is used to encapsulate a data message that is processed by the SFE.
    Type: Grant
    Filed: July 5, 2018
    Date of Patent: May 4, 2021
    Assignee: VMWARE, INC.
    Inventors: Tori Chen, Sirisha Myneni, Arijit Chanda, Arnold Poon, Farzad Ghannadian, Venkat Rajagopalan
  • Patent number: 10992702
    Abstract: In example implementations, a method is provided that is executed by a processor. A multiplexed data stream is received over a single transmission control protocol (TCP) connection that uses a SPDY protocol. The multiplexed data stream contains data packets associated with a plurality of different data streams. A plurality of sub-contexts are generated. Each one of the sub-contexts is associated with a different one of the plurality of different data streams. The data packets are demultiplexed from the multiplexed data stream into a respective one of the plurality of sub-contexts. The plurality of different data streams in the respective one of the plurality of sub-contexts are examined to detect a malware.
    Type: Grant
    Filed: January 27, 2016
    Date of Patent: April 27, 2021
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Ramesh Ardeli, Hari Krishna Kurmala
  • Patent number: 10992691
    Abstract: A method and an apparatus to perform multi-connection traffic analysis and management are described. In one embodiment, the method includes analyzing data packets in the first data flow of a client application for a pattern of interest, where the client application communicates data using first and second data flows. In response to the method detecting a pattern of interest in the first data flow, the method identifies the second data flow and identifies a traffic policy for the second data flow. The method applies the identified traffic policy to the second data flow. Other embodiments have been claimed and described.
    Type: Grant
    Filed: September 17, 2019
    Date of Patent: April 27, 2021
    Assignee: SONICWALL INC.
    Inventors: Aleksandr Dubrovsky, Boris Yanovsky, Shunhui Zhu
  • Patent number: 10979317
    Abstract: A service registration method and usage method, and a related apparatus are used to reduce risks generated when a service of an AP-type service providing node cannot be registered and a CP-type service providing node provides a service since distributed characteristics of a service providing node are not distinguished in a network partition scenario. The method is: obtaining, by a registration service node, network partition information, and receiving a registration request of a service providing node, where the registration request carries a distributed characteristic of the service providing node, and the distributed characteristic meets both consistency and partition tolerance, or meets both availability and partition tolerance; and determining, by the registration service node according to the network partition information and the distributed characteristic of the service providing node, whether registration of a service provided by the service providing node is allowed.
    Type: Grant
    Filed: January 22, 2018
    Date of Patent: April 13, 2021
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Haifeng Zhou, Long Li, Jianqing Yuan
  • Patent number: 10972553
    Abstract: A method for configuring, via a website, a device to provide printing services to a local network is described. The method includes creating, via a website, a service host object that comprises a network address of a device on a local network and a service host name. The method also includes configuring, via the website, one or more printing settings for one or more printing services. The method further includes sending an indication to the device on the local network to run a service manager. The method additionally includes sending an indication to the service manager to run the one or more printing services on the local network based on the one or more printing service settings.
    Type: Grant
    Filed: September 27, 2018
    Date of Patent: April 6, 2021
    Assignee: PrinterLogic, Inc.
    Inventors: Chad Steven Sillitoe, Corey Clint Ercanbrack, Joshua Aaron Harrison
  • Patent number: 10965716
    Abstract: A request to establish a session with a first server is received from a client device. The first server is associated with a first hostname, and the request includes information identifying a second hostname purported to correspond to the first server. A Domain Name System (DNS) lookup using the second hostname is performed. A determination that the second hostname was spoofed by the client device is determined based on a response to the DNS lookup. In response to the determination being made that the request received from the client device includes the spoofed second hostname, a determination that the client device has injected or overridden at least one of an HTTP Host header and a Server Name Indicator in the request is made, and an action to take with respect to the client device is determined.
    Type: Grant
    Filed: October 30, 2019
    Date of Patent: March 30, 2021
    Assignee: Palo Alto Networks, Inc.
    Inventors: Martin Walter, Charles Bransi, Suiqiang Deng
  • Patent number: 10958625
    Abstract: Methods, non-transitory computer readable media, rendezvous gateway (RG) apparatuses, and network security systems that send an RG synchronization message (SYN) to an application in a secure domain following receipt, from a client, of a client SYN comprising an indication of the application. A rendezvous agent (RA) SYN is received, via a firewall coupled to the security domain and in response to the RG SYN, from an RA in the secure domain. A first RG synchronization-acknowledgement message (SYN+ACK) is sent to the client in response to the client SYN. A second RG SYN+ACK is sent, via the firewall, to the RA in response to the RA SYN. The RA is notified of receipt of a client acknowledgement message (ACK) from the client. An RA ACK is received, from the RA and via the firewall, in response to the notification, to thereby establish a full connection between the client and the application.
    Type: Grant
    Filed: March 6, 2019
    Date of Patent: March 23, 2021
    Assignee: F5 Networks, Inc.
    Inventors: Peter M. Thornewell, David D. Schmitt, Alan Mimms, Saxon Amdahl, Bill Baumann
  • Patent number: 10951605
    Abstract: In an embodiment, a computer-implemented method comprises receiving, by at least one broker computing devices, identity awareness data from a plurality of directory services in a federation; posting, by the at least one broker computing device, the identity awareness data to a distributed data repository; establishing, at a networking hardware device having a first type, firewall rules using the identity awareness data from the distributed data repository; controlling, by the networking hardware device having the first type, network traffic based on the identity awareness data.
    Type: Grant
    Filed: February 20, 2019
    Date of Patent: March 16, 2021
    Assignee: Xage Security, Inc.
    Inventors: Susanto Junaidi Irwan, Roman M. Arutyunov, Andy Sugiarto, Ganesh B. Jampani
  • Patent number: 10951674
    Abstract: Access to transactional multimedia content may be based on network routing. Some multimedia content may be best delivered via a private network. Other multimedia content may be best delivered via a public network. A type of the multimedia content may thus determine network routing.
    Type: Grant
    Filed: July 19, 2019
    Date of Patent: March 16, 2021
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: David J. Piepenbrink, Lee M. Chow, James T. Sofos
  • Patent number: 10951583
    Abstract: Apparatus and methods for controlling access by a browser to one or more Internet servers are disclosed. Access control is performed by ascertaining an IP address of an internet server that the user is trying to access and performing lookup of the IP address in an IP address rating database. If the lookup reveals that the IP address to be suspicious and data received from the internet server is encrypted, block the access to the internet server. Alternatively, if the lookup reveals the IP address to be suspicious, block the access to the first internet server by the browser without first performing content analysis on the data from the internet server.
    Type: Grant
    Filed: August 22, 2019
    Date of Patent: March 16, 2021
    Assignee: Trend Micro Incorporated
    Inventors: Bharath Kumar Chandrasekhar, Narasimham Kodukula
  • Patent number: 10951582
    Abstract: Disclosed are systems and methods for firewall configuration. A request can be transmitted to a DNS server. A response to the DNS request can include an Internet Protocol (IP) address. A firewall rule can be generated permitting access to the IP address. The firewall rule can be configured to be valid until expiration of a time-to-live value in the response to the DNS request. Thus, firewall rules can be automatically created as needed by executed processes, eliminating the need for manual firewall rule creation. As the firewall rule is invalid after the expiration of the time-to-live value, risks associated with maintaining out-of-date firewall rules are eliminated, as is the requirement to manually remove or modify out-of-date firewall rules.
    Type: Grant
    Filed: February 9, 2018
    Date of Patent: March 16, 2021
    Assignee: Comcast Cable Communications, LLC
    Inventor: Alexander Gurney
  • Patent number: 10951660
    Abstract: Methods and systems for protecting a secured network are presented. For example, one or more packet security gateways may be associated with a security policy management server. At each packet security gateway, a dynamic security policy may be received from the security policy management server, packets associated with a network protected by the packet security gateway may be received, and at least one of multiple packet transformation functions specified by the dynamic security policy may be performed on the packets.
    Type: Grant
    Filed: June 23, 2020
    Date of Patent: March 16, 2021
    Assignee: Centripetal Networks, Inc.
    Inventors: Steven Rogers, Sean Moore, David K. Ahn, Peter P. Geremia
  • Patent number: 10944820
    Abstract: A method, computer program product, and computer system for utilizing a first plurality of APIs operating on a first module, wherein the first module may be transportable during operation. A second plurality of APIs operating on a second module may be utilized, wherein the second module may be transportable during operation, wherein the second module may include kernel level binary validation and restoration software, and wherein at least one of the first module and the second module may be interconnected to a mesh topology that maintains asymmetric redundancy. An asset may be interfaced with the second module. It may be determined whether the asset is end-to-end secure based upon, at least in part, the kernel level binary validation and restoration software. An interface may be established between the asset and the first module based upon, at least in part, determining that the asset is secure.
    Type: Grant
    Filed: January 18, 2019
    Date of Patent: March 9, 2021
    Assignee: Phacil, LLC
    Inventor: Roger Joseph Morin
  • Patent number: 10942500
    Abstract: A system architecture encoded on a non-transitory computer readable medium, the system architecture includes a first protocol. The first protocol is configured to receive a plurality of outputs from an ICS used in controlling an industrial system. The first protocol is configured to receive a plurality of inputs from a physical module. The physical module includes at least one of a component, a sensor, or the ICS. Additionally, the system architecture includes a second protocol, wherein the second protocol is configured to validate the plurality of inputs from the first protocol. Moreover, the system architectures includes a third protocol, wherein the third protocol is configured to validate the plurality of outputs from the first protocol. Further, the system architecture includes a fourth protocol, wherein the fourth protocol is configured to manage the ICS based on the second protocol and the third protocol.
    Type: Grant
    Filed: March 25, 2019
    Date of Patent: March 9, 2021
    Assignee: Purdue Research Foundation
    Inventor: Hany S. Abdel-Khalik
  • Patent number: 10938846
    Abstract: A server hosted by a server computer is protected against anomalous logons. A working time profile is generated from an access log that has a record of logons to the server. Counts of access events per time period (e.g., per hour) are parsed from the access log, and processed using statistical procedures to find candidate working hours. A working time range includes candidate working hours. An account logging on the server is detected. The logon by the account is deemed to be anomalous when the logon is at a time outside the candidate working hours.
    Type: Grant
    Filed: November 20, 2018
    Date of Patent: March 2, 2021
    Assignee: Trend Micro Incorporated
    Inventors: Chih-Hsun Hsiao, Yin-Tzu Lin, Yen-Ying Lee
  • Patent number: 10938819
    Abstract: A smart process control switch can implement a lockdown routine to lockdown its communication ports exclusively for use by devices having known physical addresses, enabling the smart process control switch to prevent new, potentially hostile, devices from communicating with other devices to which the smart process control switch is connected. Further, the smart process control switch can implement an address mapping routine to identify “known pairs” of physical and network addresses for each device communicating via a port of the smart process control switch. Thus, even if a new hostile device is able to spoof a known physical address in an attempt to bypass locked ports, the smart process control switch can detect the hostile device by checking the network address of the hostile device against the expected network address for the “known pair.
    Type: Grant
    Filed: April 10, 2018
    Date of Patent: March 2, 2021
    Assignee: FISHER-ROSEMOUNT SYSTEMS, INC.
    Inventors: Alexandre Da Silva Peixoto, Neil J. Peterson
  • Patent number: 10938847
    Abstract: A method includes obtaining usage metrics for assets of an enterprise system and extracting sets of features from the obtained usage metrics, the sets of features characterizing relative importance of each of the assets for each of two or more designated time windows. The method also includes determining, utilizing the extracted features, an importance of each of the assets. The method further includes establishing a baseline behavior of the assets based on the extracted features, monitoring behavior of the assets during at least one additional time window, and modifying a configuration of a given asset responsive to detecting that the monitored behavior of the given asset during the at least one additional time window exhibits a threshold difference from the established baseline behavior of the given asset, wherein the modification is based at least in part on the importance of the given asset relative to one or more other assets.
    Type: Grant
    Filed: December 21, 2018
    Date of Patent: March 2, 2021
    Assignee: EMC IP Holding Company LLC
    Inventors: Sashka T. Davis, Kevin T. Douglas, Zulfikar A. Ramzan
  • Patent number: 10924457
    Abstract: The present disclosure discloses a packet cleaning method and apparatus. The method includes: acquiring a packet type and a destination address of a target packet; acquiring, from a configuration file, a first attack type set according to the packet type and a second attack type set according to the destination address, wherein the second attack type set comprises types of attacks that a device corresponding to the destination address receives from within a period of time; generating a cleaning strategy chain corresponding to the target packet according to the first attack type set and the second attack type set; and cleaning the target packet based on the cleaning strategy chain.
    Type: Grant
    Filed: June 29, 2018
    Date of Patent: February 16, 2021
    Assignee: ALIBABA GROUP HOLDING LIMITED
    Inventor: Weibin He
  • Patent number: 10917439
    Abstract: A method and a system for contextually managing and executing a change in security behavior of a target user are provided. The system extracts multiple context attributes including activity telemetry, skill, etc., from multiple external applications. The system dynamically generates one or more security behavioral models for each user based on behavior modeling criteria. The system dynamically generates a security behavior score for each user by scoring a selection of the context attributes from their security behavioral models. The system dynamically generates targeted, contextual control elements specific to a target user identified from among the users using the security behavioral models, the security behavior score, and one or more context libraries. The system dynamically renders one or more of the targeted, contextual control elements on a user device of the target user through one or more delivery channels for executing a change in the security behavior of the target user.
    Type: Grant
    Filed: July 15, 2019
    Date of Patent: February 9, 2021
    Inventors: Santhosh Kunjappan Purathepparambil, Sairamkumar Venkataraman, Rohan Puri
  • Patent number: 10915628
    Abstract: A system and method for detecting vulnerabilities in software containers at runtime are provided. The method includes monitoring events triggered as a result of changes to an application layer of a software container; based on the monitored events, determining if at least one file has been changed; upon determination that at least one file has been changed, scanning the at least one file to detect at least one type of vulnerability; and upon determination of at least one type of known vulnerability, generating a detection event.
    Type: Grant
    Filed: September 28, 2016
    Date of Patent: February 9, 2021
    Assignee: Twistlock, Ltd.
    Inventors: Dima Stopel, Ben Bernstein
  • Patent number: 10904271
    Abstract: In one embodiment, a device analyzes network traffic data using a clustering process, to identify a cluster of addresses associated with the network traffic data for which the associated network traffic has similar behavioral characteristics. The device calculates a set of rankings for the cluster by comparing the cluster to different sets of malicious addresses. The device aggregates the set of rankings into a final ranking by setting the rankings in the set as current rankings and iteratively calculating an average of any subset of the current rankings that comprises correlated rankings. The calculated average replaces the rankings in the subset as a current ranking. When none of the current rankings are correlated, the device performs an aggregation across all of the current rankings to form the final ranking. The device provides data indicative of the cluster for review by a supervisor, based on the final ranking.
    Type: Grant
    Filed: October 20, 2017
    Date of Patent: January 26, 2021
    Assignee: Cisco Technology, Inc.
    Inventors: Jan Jusko, Jan Stiborek, Tomas Pevny
  • Patent number: 10904215
    Abstract: An application server environment that uses connection pooling is augmented to include a database access control system having a database firewall. When the database firewall detects a security violation with respect to a request received via a pooled connection, the firewall skips over (i.e. do not forward) the violating request and instead creates an artificial error database protocol packet corresponding to the application request. The database firewall then sends the error database protocol packet as a response back to the application, using the pool connection. The application receives the database error as a response to the security violating request, and it responds by releasing the connection of the policy violation database user. By releasing the pool connection is this manner, the performance of other applications (or other clients) using the connection pool is not impacted. Preferably, the error packets include no sensitive information.
    Type: Grant
    Filed: November 9, 2018
    Date of Patent: January 26, 2021
    Assignee: International Business Machines Corporation
    Inventors: Leonid Rodniansky, Tania Butovsky
  • Patent number: 10887347
    Abstract: A method and system for perimeter defense of a network are provided. The method comprises receiving, at a system deployed in a perimeter of the network, traffic to or from the network, wherein the network includes a plurality of protection resources; determining, based on the received traffic, at least one potential cyber-attack; and upon determining the at least one potential cyber-attack, causing a mitigation reconfiguration of at least one protection resource of the plurality of protection resources, wherein the mitigation reconfiguration includes reconfiguring each of the at least one protection resource to mitigate the at least one potential cyber-attack.
    Type: Grant
    Filed: October 27, 2016
    Date of Patent: January 5, 2021
    Assignee: Radware, Ltd.
    Inventors: Yaron Koren, Oren Ben Yoav
  • Patent number: 10878119
    Abstract: Disclosed embodiments relate to systems and methods for securely provisioning sensitive data elements to virtualized execution instances. The techniques may include: identifying a request to provision a new virtualized execution instance; determining, in association with the request, that the new virtualized execution instance will require a prohibited data element in order to communicate with a target network resource; without providing the new virtualized execution instance the prohibited data element, registering the new virtualized execution instance; identifying a request from the new virtualized execution instance to communicate with the target network resource; performing a verification process for the request to communicate with the target network resource; and conditional on the verification process, provisioning the prohibited data element to the new virtualized execution instance.
    Type: Grant
    Filed: April 1, 2020
    Date of Patent: December 29, 2020
    Assignee: CYBERARK SOFTWARE LTD.
    Inventors: Nimrod Stoler, Lavi Lazarovitz
  • Patent number: 10873565
    Abstract: The technology disclosed herein enables micro-segmentation of virtual computing elements. In a particular embodiment, a method provides identifying one or more multi-tier applications comprising a plurality of virtual machines. Each application tier of the one or more multi-tier applications comprises at least one of the plurality of virtual machines. The method further provides maintaining information about the one or more multi-tier applications. The information at least indicates a security group for each virtual machine of the plurality of virtual machines. Additionally, the method provides identifying communication traffic flows between virtual machines of the plurality of virtual machines and identifying one or more removable traffic flows of the communication traffic flows based, at least in part, on the information. The method then provides blocking the one or more removable traffic flows.
    Type: Grant
    Filed: October 23, 2017
    Date of Patent: December 22, 2020
    Assignee: Nicira, Inc.
    Inventors: Laxmikant Gunda, Rajiv Krishnamurthy
  • Patent number: 10873388
    Abstract: The present disclosure provides communication systems, switching devices and methods for switching air-to-ground (ATG) antennas of an aircraft. An air-to-ground (ATG) communication unit has a first set of ports for in-flight ATG communication and a second set of ports for ground communication comprising terrestrial communication and accessing fixed base operator (FBO) services. A switching device is configured to switch connectivity of at least one antenna to the first set of ports of the ATG communication unit when the aircraft is in-flight and is configured to switch connectivity of the at least one antenna to the second set of ports when the aircraft is not in-flight.
    Type: Grant
    Filed: June 11, 2019
    Date of Patent: December 22, 2020
    Assignee: BOMBARDIER INC.
    Inventor: Nikolay Trunov
  • Patent number: 10873607
    Abstract: Systems and methods for NAC access policy creation and reconfiguration of access points to enforce same are provided. According to one embodiment, access policies are decoupled from underlying implementation details of access points by: (i) maintaining by a NAC device an access point model that maps logical networks to corresponding enforcement action implementations for the access points; and (ii) representing the access policies in a form of a current state of a particular endpoint device and an enforcement action specified with reference to a logical network. An attribute of an endpoint is received by the NAC device based upon which a matching access policy is identified. The corresponding enforcement action implementation for the access point to which the endpoint is connected is retrieved based on the logical network specified in the matching access policy and is used to reconfigure the access point to perform the enforcement action.
    Type: Grant
    Filed: June 16, 2020
    Date of Patent: December 22, 2020
    Assignee: Fortinet, Inc.
    Inventor: Bradley J. Trimby
  • Patent number: 10868687
    Abstract: Disclosed are a traffic delivery method, apparatus and system, and a relevant computer storage medium. The method may include: determining the number of traffic flows according to a traffic bandwidth of a traffic to be transmitted; grouping the traffic flows of the traffic to be transmitted according to the number of the traffic flows and a preset grouping policy to obtain a plurality of traffic groups of the traffic to be transmitted; where the number of the traffic groups is equal to the number of physical layer (PHY) transport channels; and determining a PHY transport channel corresponding to each of the traffic groups of the traffic to be transmitted according to a matching relationship between traffic bandwidths of the traffic groups and transmission rates of the PHY transport channels, and sending the each of the traffic groups of the traffic to be transmitted through the PHY transport channel corresponding to the each of the traffic groups of the traffic to be transmitted.
    Type: Grant
    Filed: January 16, 2018
    Date of Patent: December 15, 2020
    Assignee: ZTE CORPORATION
    Inventor: Feng Liu
  • Patent number: 10860336
    Abstract: A system comprises data processing hardware and memory hardware. The memory hardware is in communication with the data processing hardware, and stores instructions that, when executed on the data processing hardware, cause the data processing hardware to perform a plurality of operations. In some examples, one of the operations may include receiving instance management configuration data for a single-tenant software-as-a-service (SaaS) application. Another operation may include further include receiving an image of the single-tenant SaaS application. Yet another operation can include generating, by the control plane manager, a control plane based on the instance management configuration data. The control plane is configured to create multiple instances of the single-tenant SaaS application based on the received image, and to manage the instances of the single-tenant SaaS application based on the received instance management configuration data.
    Type: Grant
    Filed: October 27, 2017
    Date of Patent: December 8, 2020
    Assignee: Google LLC
    Inventors: Roy Peterkofsky, William Earl, Martin Taillefer, Michael Dahlin, Chandra Prasad, Jaroslaw Kowalski, Anna Berenberg, Kristian Kennaway, Alexander Mohr, Jaidev Haridas
  • Patent number: 10862940
    Abstract: A video sender loads sender video processing JavaScript into a browser, the sender video processing JavaScript being configured to receive video from a source connected to the first computer, encode images of the video into a H.26x encoded video format, package the encoded video into WebM or FMP4 format, and output the packaged/encoded video on the communication network. A video receiver loads receiver video JavaScript in its browser, the receiver video JavaScript comprising a video format detector, a WebM deboxer, a FMP4 deboxer, a H.26x video decoder, and a rendering engine. The video format detector determines whether received video is packaged using WebM or FMP4 and sends the video to the respective deboxer. The deboxed video is then decoded using the H.26x decoder and the images are rendered by the rendering engine. Timestamps and byte counts are inserted into the video packages, and acknowledgments are used to determine excess latency.
    Type: Grant
    Filed: July 31, 2019
    Date of Patent: December 8, 2020
    Assignee: Glance Networks, Inc.
    Inventors: Ellis Oliver Jones, Richard L. Baker
  • Patent number: 10855540
    Abstract: Example implementations described herein are directed to systems and methods for policy based management of access to networked applications in compliance with rules or policies. An example implementation includes a method to manage access to a program where in response to receiving a request, the method identifies a source location indicated by program information and a destination location indicated by user information, determines a rule type based on the source location and the destination location, determines a rule for the program based on the source location, the destination location, and the rule type, applies a procedure to approve access based on the rule; and allows access to the program based on successful completion of the procedure.
    Type: Grant
    Filed: May 2, 2018
    Date of Patent: December 1, 2020
    Assignee: Hitachi, Ltd.
    Inventor: Satoshi Kaneko
  • Patent number: 10848512
    Abstract: A computer-implemented method, computer program product and computing system for: receiving updated threat event information concerning a computing platform; enabling the updated threat event information for use with one or more security-relevant subsystems within the computing platform; and retroactively applying the updated threat event information to previously-generated information associated with the one or more security-relevant subsystems.
    Type: Grant
    Filed: June 5, 2019
    Date of Patent: November 24, 2020
    Assignee: ReliaQuest Holdings, LLC
    Inventors: Brian P. Murphy, Joe Partlow, Colin O'Connor, Jason Pfeiffer
  • Patent number: 10839075
    Abstract: A small piece of hardware connects to a mobile device and filters out attacks and malicious code. Using the piece of hardware, a mobile device can be protected by greater security and possibly by the same level of security offered by its associated corporation/enterprise. In one embodiment, a mobile security system includes a connection mechanism for connecting to a data port of a mobile device and for communicating with the mobile device; a network connection module for acting as a gateway to a network; a security policy for determining whether to forward content intended for the mobile device to the mobile device; and a security engine for executing the security policy.
    Type: Grant
    Filed: September 17, 2019
    Date of Patent: November 17, 2020
    Assignee: CUPP Computing AS
    Inventor: Shlomo Touboul
  • Patent number: 10834114
    Abstract: A processing system having at least one processor may obtain domain name system (DNS) traffic records of a DNS platform, the DNS traffic records associated with a source device having a first status and that is submitting DNS queries, where a first-tier DNS authoritative server of the DNS platform is configured to forward the DNS queries from the source device to at least a first second-tier DNS authoritative server of the DNS platform designated for the first status. The processing system may further detect anomalous DNS traffic records from the DNS traffic records, identify a change of the source device from a first status to a second status, based upon the detecting the anomalous DNS traffic records, and reconfigure the first-tier DNS authoritative server to redirect the DNS queries from the source device to at least a second second-tier DNS authoritative server designated for the second status.
    Type: Grant
    Filed: December 13, 2018
    Date of Patent: November 10, 2020
    Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventors: Anestis Karasaridis, Eric Noel, Stephen Chou, Patrick Velardo
  • Patent number: 10834261
    Abstract: In the field of government engagement management, an agent guide or script-flow in an employee desktop web client is implemented. In such a system and method, when agents create interactions with clients they can follow a script-flow which will guide the agent through the interaction through a series of menu selections and automated sets of instructions. This feature of the government engagement management system allows existing customer investment from the rich desktop client or non-web client in developing specific scripts, that can also now function in the web client atmosphere. This system and method also enables an agent to handle calls with the web client more efficiently, and allows agents on the web client to automatically classify.
    Type: Grant
    Filed: December 6, 2018
    Date of Patent: November 10, 2020
    Assignee: Verint Systems UK Limited
    Inventors: Conor Adams, Raymond Campbell
  • Patent number: 10812524
    Abstract: The present disclosure provides a method and devices for defending against distributed denial of service attacks. The method comprises: intercepting, by a defending device, a service message transmitted by a client to a server; obtaining, by the defending device, information carried in a first preset field of the service message and information carried in a second preset field of the service message according to a rule agreed on with the client; processing, by the defending device, the information carried in the second preset field and a preset key according to a hash algorithm agreed on with the client, and obtaining a hash value; and discarding, by the defending device, the service message upon determining that the hash value is different from the information carried in the first preset field.
    Type: Grant
    Filed: June 29, 2018
    Date of Patent: October 20, 2020
    Assignees: NSFOCUS INFORMATION TECHNOLOGY CO., LTD., NSFOCUS TECHNOLOGIES, INC.
    Inventors: Tao Chen, Kun He
  • Patent number: 10805303
    Abstract: Various embodiments provide an approach to controlled access of websites based on website content, and profile for the person consuming the data. In operation, machine learning techniques are used to classify the websites based on community and social media inputs, crowdsourced data, as well as access rules implemented by parents or system administrators. Feedback from users/admins of the system, including the instances of allowed or denied access to websites, in conjunction with other relevant parameters, is used for iterative machine learning techniques.
    Type: Grant
    Filed: January 3, 2019
    Date of Patent: October 13, 2020
    Assignee: Gryphon Online Safety Inc.
    Inventors: Arup Bhattacharya, John Jun Wu
  • Patent number: 10791024
    Abstract: Within a data center, network interfaces may vary greatly. Network controllers from various manufacturers may support different capabilities and may be implemented as different types of hardware devices. Embodiments provide techniques for adaptive configuration of a network interface that is migrated from a source IHS to a target IHS. A network migration tool evaluates discrepancies between the source network interface configuration and the target network interface configuration. Based on the identified discrepancies, the network migration tool determines whether the target network interface may be adapted to be compatible, or at least not incompatible, with the source network interface. Multiple IHSs may be evaluated as potential targets for migration to identify a target IHS that utilizes a target network interface that most closely aligns with the configuration of the source network interface, where this alignment includes adaptive modifications of the target network interface.
    Type: Grant
    Filed: March 13, 2019
    Date of Patent: September 29, 2020
    Assignee: Dell Products, L.P.
    Inventors: Sudhir Vittal Shetty, Pushkala Iyer, Reginald H. Stumpe, Jr., Rakesh Kumar Ayolasomyajula, David Matthew Sisson
  • Patent number: 10791095
    Abstract: A user may access resources within a secure network through an agent stored on a first computing device within the secure network which then opens an outbound secure channel through a firewall of the secure network to a request collector stored on a second computing device outside the secure network. The agent waits until the request collector has rendered available on the outbound secure channel a request from the user for access to the resources in the secure network. The agent then reads the request rendered available on the outbound secure channel by the request collector and causes the request to be executed utilizing the resources within the secure network. The agent responds back to the request collector on the outbound secure channel which then responds to the user.
    Type: Grant
    Filed: October 6, 2017
    Date of Patent: September 29, 2020
    Inventors: Guido Pellizzer, Federico Simonetti
  • Patent number: 10785190
    Abstract: A network system is provided between at least a first client site and a second client site, the first and the second client site are at a distance from one another. A client site network component is implemented at least at the first client site, the client site network component bonding or aggregating one or more diverse network connections so as to configure a bonded/aggregated connection that has increased throughput. At least one network server component may be configured to connect to the client site network component using the bonded/aggregated connection. A cloud network controller may be configured to manage the data traffic and a virtual edge providing transparent lower-link encryption for the bonded/aggregated connection between the client site network component and the network server component.
    Type: Grant
    Filed: December 13, 2017
    Date of Patent: September 22, 2020
    Assignee: Adaptiv Networks Inc.
    Inventors: Patricio Humberto Saavedra, Jie Xiao, Yan Wang, Arun Pereira
  • Patent number: 10778797
    Abstract: Systems, computer-implemented methods, and computer program products that facilitate orchestration engine components for a cloud computing environment are provided. According to an embodiment, a system can comprise a memory that stores computer executable components and a processor that executes the computer executable components stored in the memory. The computer executable components can comprise a blueprint component that can, based on one or more dependencies between respective resource components of a cloud-based computing platform, declare a steady state action to be executed in response to a steady state event indicative of an event associated with steady state operation of a resource component of the cloud-based computing platform. The computer executable components can further comprise an orchestration engine component that can, based on the blueprint component, execute the steady state action in response to the steady state event.
    Type: Grant
    Filed: April 5, 2018
    Date of Patent: September 15, 2020
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Thomas E. Chefalas, Neeraj Asthana, Alexei Karve, Clifford A. Pickover
  • Patent number: 10776499
    Abstract: Various embodiments provide an approach to controlled access to online content. Such control may be based on a multitude of factors including but not limited to website content, profile for the person consuming the data. In operation, machine-learning techniques are used to classify the websites based on community and social media inputs, crowd-sourced data, as well as access rules implemented by parents or system administrators. Feedback from users/admins of the system, including the instances of allowed or denied access to websites, in conjunction with other relevant parameters, is used for iterative machine-learning techniques. Embodiments may also allow for real, or near real-time, approval or denial of access to websites by registered admins.
    Type: Grant
    Filed: September 4, 2019
    Date of Patent: September 15, 2020
    Assignee: Gryphon Online Safety, Inc
    Inventors: John Jun Wu, John S Yi
  • Patent number: 10778722
    Abstract: System and methods for communicating across a network comprise: a database containing high level security rules for the network; computing devices communicating on the network; a security rule translation module; event sensors configured to monitor and detect one or more events occurring on or relating to the network, and in response thereto, provide to the security rule translation module an indication of occurrence for each of the one or more security events. The security rule translation module may associate the security rules with the security events corresponding to the received indication, and produce a low-level security rule based on data from the high-level security rule and the received indication of occurrence of the security events. The system may also include switches coupled to receive the low-level security rules from the security rule translation module and enforce the low-level security rules on the network.
    Type: Grant
    Filed: November 8, 2016
    Date of Patent: September 15, 2020
    Assignee: Massachusetts Institute of Technology
    Inventors: Thomas R. Hobson, William W. Streilein, Hamed Okhravi, Richard W. Skowyra, Kevin S. Bauer, Veer S. Dedhia, David O. Bigelow