Firewall Patents (Class 726/11)
  • Patent number: 11366880
    Abstract: The invention comprises a playing memory management method, comprising: Step S1, creating a contiguous memory area; Step S2, dividing a contiguous first memory range from the memory area when digital rights management playing information is received; Step S3, setting, by a secure operating system, an access permission for the first memory range; Step S4, performing, by the secure operating system, a decoding operation in the first memory range until the decoding operation is completed; and Step S5, clearing, by the secure operating system, data in the first memory range, releasing the access permission for the first memory range, and releasing the first memory range. The present invention has the beneficial effects that the memory sharing is realized by creating one memory area, setting the access permission during use and clearing data and releasing the access permission after use, so that the manufacturing cost is reduced.
    Type: Grant
    Filed: December 9, 2019
    Date of Patent: June 21, 2022
    Inventor: Zhi Zhou
  • Patent number: 11360703
    Abstract: A method for managing data includes obtaining, by a local data manager, an actuation command request, performing a metadata analysis on confidence metadata associated with the actuation command request, making a determination that the actuation command request is valid, and in response to the determination, sending an actuation command to an actuation device based on the actuation command request.
    Type: Grant
    Filed: October 22, 2019
    Date of Patent: June 14, 2022
    Assignee: EMC IP Holding Company LLC
    Inventors: Stephen James Todd, Trevor Scott Conn
  • Patent number: 11363041
    Abstract: A method selectively installs a particular signature on a particular gateway based on the type of signature and the type of computer asset that is protected by that particular gateway. A system and/or analyst receives multiple signatures, where different signatures from the multiple signatures are specific for different types of computer assets. The system and/or analyst identifies and extracts a particular signature, from the multiple signatures, that will protect, if implemented on the appropriate gateway, a particular computer asset. The system and/or analyst identifies the appropriate gateway that protects the particular computer asset, and installs only the extracted particular signature from the multiple signatures on that appropriate gateway.
    Type: Grant
    Filed: May 15, 2020
    Date of Patent: June 14, 2022
    Assignee: International Business Machines Corporation
    Inventors: Adam Paquin, Peyton Duncan, Kevin Shen, Johathan Bees, Srinivas Babu Tummalapenta
  • Patent number: 11362994
    Abstract: A media flow transport security manager of a hybrid cloud-based media production system having a network orchestrator and an extensible resource manager (ERM) includes a firewall communicatively coupled to a computing platform having a hardware processor and a memory storing a security software code. The hardware processor executes the security software code to communicate with the network orchestrator to identify multicast production media flow(s) for processing in a cloud-based virtual production environment, and to communicate with the ERM to obtain an identifier of each cloud-based resource used for processing cloud production media flow(s) corresponding to the identified multicast production media flow(s).
    Type: Grant
    Filed: May 7, 2020
    Date of Patent: June 14, 2022
    Assignee: Disney Enterprises, Inc.
    Inventors: Michael J. Strein, Douglas R. Mason, Craig L. Beardsley, Benjamin H. Kepler
  • Patent number: 11356413
    Abstract: The present disclosure combines Software Defined Networks (SDN) concepts with Security concepts. The coordination between SDN and Security provides a myriad of advantageous use cases. One exemplary use case involves providing a fast path at network speeds using SDN by routing network traffic to bypass a security appliance once the security appliance determines that the security appliance no longer needs to inspect the network traffic. Another exemplary use case involves remote provisioning of security zones.
    Type: Grant
    Filed: February 21, 2020
    Date of Patent: June 7, 2022
    Assignee: McAfee, LLC
    Inventors: Geoffrey Howard Cooper, John Richard Guzik
  • Patent number: 11349742
    Abstract: The present disclosure provides a modem and a communication method. The modem includes a processor. The processor scans a first network channel of a plurality of network channels provided by the modem. The processor enters an idle scan time period and performs a packet forwarding operation during the idle scan time period upon completion of scanning the first network channel. The processor scans a second network channel of the plurality of network channels after the idle scan time period.
    Type: Grant
    Filed: December 18, 2019
    Date of Patent: May 31, 2022
    Assignee: PEGATRON CORPORATION
    Inventor: Wen-Ming Chen
  • Patent number: 11349877
    Abstract: Solution management systems and methods are presently disclosed that enable receiving, compiling, and analyzing vendor solutions, determining the vendor solutions that address a target vulnerability of a client network and/or client devices, determining additional vulnerabilities of the client network and/or client devices that the vendor solutions address, and selecting a vendor solution to remediate the target vulnerability. The presently disclosed systems and methods also enable scoring, risk evaluation, and additional metrics to facilitate determining the vendor solution(s) that have the largest impact and/or benefit to the various vulnerabilities of the client network and/or client devices.
    Type: Grant
    Filed: August 29, 2019
    Date of Patent: May 31, 2022
    Assignee: ServiceNow, Inc.
    Inventors: Brian James Waplington, David Victor Barkovic, Xuchang Chen, Karthika Gajjala, Giora Tamir
  • Patent number: 11347842
    Abstract: User input is collected that is received by a client device, where the client device provides access to a remotely hosted application. The client device analyzes the collected user input received by the client device in order to detect collected user input indicative of machine behavior that simulates inputs provided by a user. The client device prevents subsequent access to the hosted application through the client device in response to detection of collected user input received by the client device indicative of machine behavior that simulates inputs provided by a user, in order to protect the remotely hosted application from malicious attacks.
    Type: Grant
    Filed: April 3, 2019
    Date of Patent: May 31, 2022
    Assignee: Citrix Systems, Inc.
    Inventors: Zhipan Liu, Ke Xu
  • Patent number: 11343234
    Abstract: Presented herein are methodologies for implementing multi-domain cloud security and ways to partition end-points in data center/cloud network topologies into hierarchical domains to increase security and key negotiation efficiency. The methodology includes receiving, from a first endpoint, at a cloud security protocol stack, a packet encrypted in accordance with a cloud security key negotiated between the first endpoint and a second endpoint; extracting a cloud security globally unique domain-id from the packet; querying a cloud security domain repository using the cloud security globally unique domain-id as an index to identify a first cloud security domain, among a plurality of cloud security domains, to which the first endpoint and the second endpoint belong; and selecting the first cloud security domain to process the packet.
    Type: Grant
    Filed: December 10, 2019
    Date of Patent: May 24, 2022
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Xueqiang Ma, Dave Persaud, Kalyan Ghosh
  • Patent number: 11341243
    Abstract: The portable peripheral (100) for communication with the data network (105) utilizing the internet protocol comprises: a connector (110) to mechanically connect and establish a removable wired connection between the peripheral and a portable terminal, a first means (115) of wired bidirectional communication with the portable terminal, a second means (120) of bidirectional communication with a data network and a security unit (122) protecting the communication between the first and the second means of communication, this communication being established between the first and the second means of communication, the security unit (122) comprising a system (127) of autonomous DNS management, the means of communication and the security unit being embedded in a unique housing (130) removable from the portable terminal.
    Type: Grant
    Filed: May 2, 2017
    Date of Patent: May 24, 2022
    Inventor: Vladimir Mickael Leal Monteiro
  • Patent number: 11343275
    Abstract: Systems and methods are described for scanning or monitoring of Domain Name System (DNS) records of an entity for identifying anomalous changes to the DNS records that may be indicative of possible DNS hijacking. According to one embodiment, DNS monitoring engine running on a network security appliance protecting a private network, or implemented as a cloud-based service can be used for monitoring DNS records of the entity. Any modification in the monitored DNS record(s) can be detected within a pre-defined or configurable time-frame. The detected modification can be determined to be anomalous or not, by assigning a criticality value based on current value and previous value of one or more fields of the DNS record, one or more attributes of the DNS record and one or more derived attributes based on the DNS record.
    Type: Grant
    Filed: September 17, 2019
    Date of Patent: May 24, 2022
    Assignee: Fortinet, Inc.
    Inventor: Oleksii Mandrychenko
  • Patent number: 11343334
    Abstract: A method for configuring, via a website, a device to provide printing services to a local network is described. The method includes creating, via a website, a service host object that comprises a network address of a device on a local network and a service host name. The method also includes configuring, via the website, one or more printing settings for one or more printing services. The method further includes sending an indication to the device on the local network to run a service manager. The method additionally includes sending an indication to the service manager to run the one or more printing services on the local network based on the one or more printing service settings.
    Type: Grant
    Filed: March 2, 2021
    Date of Patent: May 24, 2022
    Assignee: PrinterLogic, Inc.
    Inventors: Chad Steven Sillitoe, Corey Clint Ercanbrack, Joshua Aaron Harrison
  • Patent number: 11336620
    Abstract: A segmentation firewall executing on a host enforces a segmentation policy. In a co-existence mode, the segmentation firewall operates in co-existence with a system firewall that enforces a security policy. The segmentation firewall is configured to either drop packets that do not match any permissive rule or pass packets that match a permissive rule to the system firewall to enable the system firewall to determine whether to drop or accept the passed packets. To enable efficient operation of the segmentation firewall when operating in co-existence with the system firewall, the segmentation firewall may include a plurality of rule chains and may be configured to exit a chain and bypass remaining rule chains upon an input packet matching a permissive rule of the segmentation policy.
    Type: Grant
    Filed: December 18, 2018
    Date of Patent: May 17, 2022
    Assignee: Illumio, Inc.
    Inventors: Daniel Richard Cook, Anish Vinodkumar Desai, Thomas Michael McCormick
  • Patent number: 11336645
    Abstract: A computing system may include at least one client computing device and a server configured to authenticate the at least one client computing device based upon a user account, with the user account having an enterprise persona and a private persona associated therewith. The server may be further configured to determine whether the enterprise persona or the private persona is active based upon a context associated with the at least one client computing device. When the enterprise persona is active, the server may provide access to a Software as a Service (SaaS) application with a first set of capabilities enabled, and when the private persona is active, the server may provide access to the SaaS application with a second set of capabilities enabled that is different than the first set of capabilities.
    Type: Grant
    Filed: October 10, 2018
    Date of Patent: May 17, 2022
    Assignee: CITRIX SYSTEMS, INC.
    Inventors: Jeroen Van Rotterdam, Georgy Momchilov
  • Patent number: 11330017
    Abstract: Embodiments of the present disclosure relate to a method and a device for providing a security service. For example, the method comprises: in response to receiving, at a first controller, a first request to create a first service chain for an application in a network, obtaining configuration information associated with the security service from the first request; generating, based on the configuration information, a second request to create a sequence of security functions associated with the first service chain; sending the second request to a second controller so as to create the sequence of security functions in the network; and in response to receiving from the second controller an acknowledgement for the sequence of security functions, creating the first service chain based on the sequence of security functions. Embodiments of the device are capable of implementing the above method.
    Type: Grant
    Filed: February 6, 2018
    Date of Patent: May 10, 2022
    Assignee: Alcatel Lucent
    Inventors: Zhiyuan Hu, Lina Wang, Zhigang Luo
  • Patent number: 11329955
    Abstract: The disclosure provides an approach for implementing a distributed firewall within a data center. The firewall is implemented as a kernel space filter driver within the operating system of virtual machines. Each virtual machine hosts several user sessions. The firewall may be dynamically updated with new security policies, either by an administrator or a component of the data center.
    Type: Grant
    Filed: January 24, 2018
    Date of Patent: May 10, 2022
    Assignee: VMware, Inc.
    Inventor: Sisimon Soman
  • Patent number: 11310242
    Abstract: A system for performing security functions in a service-oriented computer system includes a router node configured to forward at least one packet of at least one service request to at least one server computer adapted to process the at least one service request; a first server node configured to execute, for the at least one packet, a first protocol layer of a network protocol stack, determine whether the at least one packet is compliant at the first protocol layer, and provide the at least one packet to a second server node responsive to determining that the at least one packet is compliant at the first protocol layer. The second server node is configured to execute, for the at least one packet, a second protocol layer of the network protocol stack, and determine whether the at least one packet is compliant at the second protocol layer.
    Type: Grant
    Filed: January 15, 2019
    Date of Patent: April 19, 2022
    Assignee: Raytheon BBN Technologies Corp.
    Inventors: Nathaniel Benjamin Soule, Partha Pal, Aaron Paulos
  • Patent number: 11310844
    Abstract: In response to receiving a primary wireless LAN connection request from a computing device, a wireless access point (WAP) establishes a temporary wireless LAN associated with a temporary service set identifier (SSID) of a computing device. WAP stores a computing device identifier of the computing device in association with the temporary SSID. WAP communicates to the computing device, a CAPTCHA challenge-response test requesting connection to the temporary wireless LAN. WAP awaits, for a timeout period, a temporary wireless LAN connection request by the computing device to communicate over the temporary wireless LAN. In response to receiving or failing to receive the temporary wireless LAN connection request from the computing device within a timeout period, WAP classifies the computing device as a human or machine user. WAP applies network policies to communications of the pending computing device over the primary wireless LAN based on the machine or human user classification.
    Type: Grant
    Filed: December 26, 2018
    Date of Patent: April 19, 2022
    Assignee: ARRIS Enterprises LLC
    Inventors: Subash Tirupachur Comerica, Sudip Ghosal, Wenge Ren
  • Patent number: 11303575
    Abstract: A network device may receive network traffic associated with a network and determine that the network traffic is associated with a dynamic application. The network device may determine, based on the network traffic being associated with a dynamic application, an application feature associated with the network traffic. The network device may perform a lookup operation associated with the application feature to identify policy information associated with the application feature. The network device may selectively permit communication of the network traffic via the network based on the policy information associated with the application feature, wherein the network traffic is to be permitted to be communicated via the network or prevented from being communicated via the network based on an indication from the policy information.
    Type: Grant
    Filed: March 25, 2020
    Date of Patent: April 12, 2022
    Assignee: Juniper Networks, Inc.
    Inventors: Rajeev Chaubey, Sravanthi Arimanda, Ashok Kumar
  • Patent number: 11297036
    Abstract: Disclosed herein are methods, systems, and processes for implementing a single whitelisted ingress endpoint on both one-way and two-way Transport Layer Security (TLS) connections and performing load balancing. Both two-way TLS agent-based traffic and one-way TLS non-agent-based traffic is routed through a single whitelisted internet protocol (IP) endpoint. A TLS connection is transmitted from a network load balancer and to a platform gateway service that operates as a Server Name Indication (SNI) reverse proxy server. The platform gateway service separates out the one-way TLS non-agent-based traffic that is part of the TLS connection based on a TLS header of the TLS connection. The one-way TLS non-agent-based traffic is then selectively terminated on an elastic load balancer.
    Type: Grant
    Filed: May 29, 2020
    Date of Patent: April 5, 2022
    Assignee: Rapid7, Inc.
    Inventors: Xi Yang, Paul Miseiko, Bingbin Li
  • Patent number: 11286906
    Abstract: A security apparatus for data exchange of a component of a wind turbine or a wind farm, in particular a wind farm controller, with a remote computer. In that case the security apparatus includes a first data interface for connecting a component by way of a first data connection and a second data interface for connection to the remote computer by way of second data connection. In addition the security apparatus includes a third data interface for receiving a switching signal by way of a third data connection, a separable internal data connection between the first data interface and the second data interface and a switching unit which is adapted in dependence on the switching signal to separate and/or make a physical connection of the internal data connection. A system having such a security apparatus and a method of data exchange with a component of a wind turbine and/or a wind farm.
    Type: Grant
    Filed: November 19, 2018
    Date of Patent: March 29, 2022
    Assignee: Wobben Properties GmbH
    Inventors: Stefan Gertjegerdes, Kai Busker
  • Patent number: 11290496
    Abstract: The disclosure relates generally to methods, systems, and apparatuses for managing network connections. A method may include identifying a first state of a first endpoint connection of a first networked machine and a second state of a second endpoint connection of a second networked machine, and confirming the first state and the second state based on expected states for the first networked machine and the second networked machine, wherein the expected states include a list of expected connections.
    Type: Grant
    Filed: July 24, 2020
    Date of Patent: March 29, 2022
    Assignee: SNOWFLAKE INC.
    Inventors: James Calvin Armstrong, Jonathan Claybaugh
  • Patent number: 11283830
    Abstract: In various embodiments, a device classification service clusters devices in a network into a device type cluster based on attributes associated with the devices. The device classification service tracks changes to the device type cluster over time. The device classification service detects an attack on the device classification service by one or more of the devices based on the tracked changes to the device type cluster. The device classification service initiates a mitigation action for the detected attack on the device classification service.
    Type: Grant
    Filed: March 19, 2020
    Date of Patent: March 22, 2022
    Assignee: Cisco Technology, Inc.
    Inventors: Jean-Philippe Vasseur, Grégory Mermoud, Pierre-André Savalle, David Tedaldi
  • Patent number: 11283643
    Abstract: Systems, methods, and computer program products to provide direct external network access at an access point (AP) in a managed wide area network (WAN). The method may include establishing an application host interface (AHI) at an access point and receiving application data from one or more client devices connected to the access point. The method may also include determining that the application data is received from a permitted application as shown in a list of applications permitted to use the AHI and routing, using the AHI, the received application data to the data destination via the external network thereby bypassing the WLC.
    Type: Grant
    Filed: August 31, 2018
    Date of Patent: March 22, 2022
    Assignee: Cisco Technology, Inc.
    Inventors: Shashank Kota Sathish, Robert C. Meier, Rahul Dasgupta, Manoj Gupta
  • Patent number: 11275522
    Abstract: An efficient data storage system is described. An agent software application on computing devices in a first tier processes snapshot backups and pushes them to an appliance software application on a server in a second tier. The appliance software application processes archive backups and pushes them to cloud storage in a third tier. A cloud application on a management server receives storage policy specifications from customers and promulgates the policies to the agent software application and the appliance software application. The policy specifications include a snapshot specification including a snapshot time period for backups in the second tier and an archive specification including an archive time period for backups in the third tier. The backups are created efficiently such that if a file has not changed, a reference to a file is included in a storage set rather than the data file itself. This reduces the size of storage sets.
    Type: Grant
    Filed: August 13, 2020
    Date of Patent: March 15, 2022
    Assignee: Aparavi Software AG
    Inventor: Rod Christensen
  • Patent number: 11269808
    Abstract: A computerized method is disclosed. Operations of the method include obtaining, by a data retrieval component, the data from a remote electronic device, storing a copy of the data in a first data store, providing an acknowledgement to the remote electronic device based on storage of the copy of the data in the first data store, parsing the data into one or more time-based events, storing the one or more time-based events in a second data store, and deleting the copy of at least the portion of the data from the first data store.
    Type: Grant
    Filed: December 17, 2019
    Date of Patent: March 8, 2022
    Assignee: SPLUNK INC.
    Inventors: Hong Yuan, Alexander Binkin, Zi Liang Chen, Bradford Lovering, Dinesh Sharma
  • Patent number: 11271901
    Abstract: In overview, an integrated circuit in accordance with the disclosure comprises first and second network interface processors which are separate processors and which are connected by a first unidirectional interconnect. The first unidirectional interconnect allows data transfer from the first network interface processor to the second network interface processor, while preventing data transfer in the reverse direction. The first network interface processor is for communication with a first network which may be a secure network and the second network interface processor is for communication with second network which may be a public network, for example an insecure public network. In this way, the processing of data received from each of the first and second networks is performed by separate processors and data can only be sent from the first network to the second network, thereby protecting the first network from the second network.
    Type: Grant
    Filed: December 21, 2018
    Date of Patent: March 8, 2022
    Assignee: NAGRAVISION S.A.
    Inventors: Fabien Gremaud, Brecht Wyseur
  • Patent number: 11263335
    Abstract: A system and a method are provided for integrating a sensitive data discovery engine (SDDE), a data anonymization engine (DAE), a data monitoring module (DMM), and a data retirement module (DRM) and managing sensitive data security across its lifecycle. The SDDE determines sensitive data in similar and variant data sources and applications, identifies their operating application codes, and generates sensitive data discovery intelligence (SDDI). The system generates and distributes one or more templates including the SDDI with metadata, discovery results, and data security rules to the DAE, the DMM, and the DRM deployed on each data source.
    Type: Grant
    Filed: October 17, 2019
    Date of Patent: March 1, 2022
    Assignee: MENTIS INC
    Inventor: Rajesh Krishnaswami Parthasarathy
  • Patent number: 11258762
    Abstract: A method at a system including a firewall and at least one application, the method including obtaining, at the at least one application, a new address for a service provider for the at least one application; triggering a firewall update; obtaining a new firewall configuration; and updating the firewall, wherein the updating the firewall allows a connection from the at least one application to the new address for the service provider.
    Type: Grant
    Filed: June 26, 2019
    Date of Patent: February 22, 2022
    Assignee: BlackBerry Limited
    Inventors: Michaela Vanderveen, Stephen John Barrett
  • Patent number: 11256828
    Abstract: Various systems, methods, and apparatuses relate to managing data transmissions from one or more Internet of Things (IoT) devices. A method includes discovering, by a discovery engine, one or more Internet of Things (IoT) devices; tracking, by the discovery engine, data transmission from the one or more IoT devices; generating, by a privacy lens communicably coupled to the discovery engine, a privacy rule regarding the data transmission from the one or more IoT devices; and applying, by the privacy lens, the privacy rule to the one or more IoT devices, the privacy rule configured to control data transmission from the one or more IoT devices.
    Type: Grant
    Filed: August 9, 2016
    Date of Patent: February 22, 2022
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Caroline Machado, Nishant Usapkar, Dominik Vltavsky
  • Patent number: 11258761
    Abstract: A novel method for managing firewall configuration of a software defined data center is provided. Such a firewall configuration is divided into multiple sections that each contains a set of firewall rules. Each tenant of the software defined data center has a corresponding set of sections in the firewall configuration. The method allows each tenant to independently access and update/manage its own corresponding set of sections. Multiple tenants or users are allowed to make changes to the firewall configuration simultaneously.
    Type: Grant
    Filed: June 29, 2016
    Date of Patent: February 22, 2022
    Assignee: NICIRA, INC.
    Inventors: Kaushal Bansal, Uday Masurekar
  • Patent number: 11252188
    Abstract: In some embodiments, a method can include identifying detection coverage of a set of adversarial techniques based on telemetry data and a detection instance of an environment. The method can further include determining a subset of detection coverage that has a metric value below a metric value threshold and among the detection coverage for the set of adversarial techniques. The method may further include identifying at least one detection instance associated with the subset of detection coverage. The method can further include presenting, via a graphical user interface, a representation of at least one of the subset of detection coverage or the at least one detection instance associated with the subset of detection coverage. The method can further include updating the subset of detection coverage based on the telemetry data, the detection instance, or the at least one detection instance to improve the metric value.
    Type: Grant
    Filed: March 10, 2021
    Date of Patent: February 15, 2022
    Assignee: Room40 Labs, Inc.
    Inventors: Nick Lantuh, Michael Jenks, Ian Roth, Michael Maurer, Richard Bowman
  • Patent number: 11244049
    Abstract: In embodiments of the present invention, a framework for an extensible, file-based security system is described for determining an appropriate application, application environment, and/or access or security control measure based at least in part on a file's reputation. In response to the selection of a file, an application controller may be used to select a software application from two or more software applications to open the selected file, based at least in part on the selected file's reputation. If launched, a software application may be configured to open the file in an environment, such as a virtual machine, quarantined environment, and the like, that is appropriate for the file based at least in part on the reputation information. A software application may be a secure software application configured to manage secure files, or an insecure software application configured to manage insecure files.
    Type: Grant
    Filed: November 22, 2019
    Date of Patent: February 8, 2022
    Assignee: Sophos Limited
    Inventor: Andrew J. Thomas
  • Patent number: 11245752
    Abstract: A first network device may configure a high-availability cluster associated with a network that includes the first network device and a second network device. The first network device may identify a plurality of devices communicatively coupled to the network and determine a set of tasks for the plurality of devices. The first network device may queue the set of tasks in a task queue that is accessible to the second network device. The second network device may perform a first task and the first network device may perform a second task of the set of tasks. The first network device may receive first result information that is associated with a performance of the first task. The first network device may determine a result associated with performing the second task. The first network device may synchronize the first result information and the second result information with the second network device.
    Type: Grant
    Filed: June 30, 2020
    Date of Patent: February 8, 2022
    Assignee: Juniper Networks, Inc.
    Inventors: Fei Chen, Weisong Peng, Xia Zhu, Tiejun Zhang, Na Liu
  • Patent number: 11245668
    Abstract: A network device may detect, from an application associated with a user space of the network device, a request to configure a firewall provided by a kernel of the network device with a rule. The network device may intercept the request to configure the firewall before the firewall is configured with the rule. The network device, based on intercepting the request to configure the firewall, may analyze the rule to determine whether the rule modifies a critical functionality of the firewall. The network device may reject the request to configure the firewall based on determining that the rule modifies the critical functionality of the firewall.
    Type: Grant
    Filed: March 6, 2019
    Date of Patent: February 8, 2022
    Assignee: Juniper Networks, Inc.
    Inventors: Sreekanth Rupavatharam, Prashant Singh, Erin C. MacNeil
  • Patent number: 11240205
    Abstract: This disclosure describes systems, devices, and techniques for implementing master rules in firewalls. In some cases, at least one master rule is identified. The at least one master rule can be associated with performing at least one first operation on a first type of data traffic that satisfies at least one first condition. Multiple firewalls may implement the at least one master rule. In addition, a first firewall among the multiple firewalls may implement at least one application-specific rule in addition to the at least one master rule. The at least one application-specific rule may be associated with performing at least one second operation on a second type of data traffic that satisfies at least one second condition. The multiple firewalls may be between multiple applications and at least one network. Specifically, the first firewall may be deployed between a first application among the multiple applications and the network(s).
    Type: Grant
    Filed: May 6, 2019
    Date of Patent: February 1, 2022
    Assignee: Amazon Technologies, Inc.
    Inventor: Umesh Kumar Ramesh
  • Patent number: 11240257
    Abstract: Techniques for providing domain name and URL visual verifications to increase security of operations on a device. The techniques include a visual indicator and/or warning to a user on the user's computing device that a domain or URL requested by the user and the device is unpopular, new, unknown, inauthentic, associated with malware or phishing, or in some other way, risky. The techniques include identifying a domain name in a communication received by a computing device and then determining a popularity ranking and/or an age of the domain name. The device can render, for display on a screen of the device, a visual indicator having the popularity ranking and/or the age of the domain name. Also, the techniques can include identifying a URL in a communication received by a computing device and then rendering, for display on a screen of the device, a visual indicator having the entire URL.
    Type: Grant
    Filed: March 7, 2019
    Date of Patent: February 1, 2022
    Assignee: Lookout, Inc.
    Inventor: Brian James Buck
  • Patent number: 11233770
    Abstract: Behavior-based security in a datacenter includes monitoring user actions made by users in the datacenter. Behavior-based risk scores are computed for users based on their monitored actions. One or more firewall rules are generated for users based on their behavior-based risk scores. The firewall rules regulate the actions of the users.
    Type: Grant
    Filed: July 2, 2019
    Date of Patent: January 25, 2022
    Assignee: VMWARE INC.
    Inventors: Sirisha Myneni, Rajiv Mordani, Kausum Kumar
  • Patent number: 11228565
    Abstract: To dynamically determine and apply WAF protections for an application deployed to the cloud, exposed entities are identified. The identified entities are further evaluated to determine whether the application is eligible for WAF protection based on whether the application uses a protocol that is compatible with WAF protection. If the application is eligible for WAF protection, after instantiating a WAF, WAF protections that should be enabled or disabled are determined based on characteristics of the application that are identified at runtime. The WAF can then be configured based on the identified protections such that those which are pertinent to the application will be enabled, while those which are not applicable to the application and thus will not be used are disabled. As a result, security provided by the WAF for a cloud application is tailored to the application based on information about the application gathered in the cloud deployment environment.
    Type: Grant
    Filed: December 4, 2020
    Date of Patent: January 18, 2022
    Assignee: Palo Alto Networks, Inc.
    Inventors: Liron Levin, Isaac Schnitzer, Elad Shuster, Ory Segal
  • Patent number: 11222077
    Abstract: Methods and systems for providing a user interface and workflow for interacting with time series data, and applying portions of time series data sets for refining regression models. A system can present a user interface for receiving a first user input selecting a first model from a list of models for modeling the apparatus, generate and display a first chart depicting a first time series data set depicting data from a first sensor, generate and display a second chart depicting a second time series data set depicting a target output of the apparatus, receive a second user input of a portion of the first time series data set, and generate and display a third chart depicting a third time series data set depicting an output of the selected model and aligned with the second chart of the target output and updated in real-time in response to the second user input.
    Type: Grant
    Filed: June 27, 2019
    Date of Patent: January 11, 2022
    Assignee: PALANTIR TECHNOLOGIES INC.
    Inventors: Christopher Martin, David Fowler
  • Patent number: 11218445
    Abstract: A web application firewall (WAF) receives an application request from a router, wherein the application request is directed to a web application, and wherein the web application firewall is associated with the web application. The WAF updates the application request to include a first header, wherein the first header includes a copy of a uniform resource locator of the application request, and updates the uniform resource locator to indicate an address of the web application firewall. The WAF analyzes the application request to determine whether the application request is secure, wherein the analysis is based on a rule, and in response to a determination that the application request is secure, updates the application request to include a second header, wherein the second header includes an encrypted signature.
    Type: Grant
    Filed: July 29, 2019
    Date of Patent: January 4, 2022
    Assignee: Dell Products L.P.
    Inventors: Mark D. Owens, Frank DiRosa, Rene Herrero, Yongliang Li, Everton Schäfer
  • Patent number: 11209803
    Abstract: A connection management device for establishing secured communications connections to an industrial automation system, wherein the device provides, in cases of a positive authorization verification outcome, access control information for establishing an encrypted communication connection between a first communication unit of a requesting user and a selected second communication unit, where the connection management device is formed by a server instance running on a firewall system, where data packets transmitted via an encrypted communications connection between the first communication unit of the requesting user and the selected second communication unit are encrypted for verification by the firewall system, based on specified security rules and, in cases of a successful verification, the data packets are forwarded encrypted to the first communication unit of the requesting user or to the selected second communication unit.
    Type: Grant
    Filed: June 27, 2017
    Date of Patent: December 28, 2021
    Assignee: Siemens Aktiengesellschaft
    Inventors: Karl Glas, Sven Gottwald
  • Patent number: 11200345
    Abstract: Techniques for a firewall to determine access to a portion of memory are provided. In one aspect, an access request to access a portion of memory within a pool of shared memory may be received at a firewall. The firewall may determine whether the access request to access the portion of memory is allowed. The access request may be allowed to proceed based on the determination. The operation of the firewall may not utilize address translation.
    Type: Grant
    Filed: July 29, 2015
    Date of Patent: December 14, 2021
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Mark Lillibridge, Paolo Faraboschi, Chris I. Dalton
  • Patent number: 11165878
    Abstract: Embodiments for automated content delivery to high-speed data service client using redirection of IP service flows independent of physical media delivery mechanisms add, by a backend environment, an Internet gateway media access control (MAC) address to a content triggered service; send, by the backend environment, a request to a re-direct system for the Internet gateway MAC address to be added to a re-direct list; route, by the backend environment, all Internet traffic to the content playback system; display, by the content playback system, content to a subscribing user until a quota is achieved; and instruct the re-direct system to remove the Internet gateway MAC address from the re-direct list, thereby enabling user devices operatively coupled to the Internet gateway unfettered, monitored Internet access; set a usage threshold; and, in response to the usage threshold expiring, instruct the re-direct system to add the Internet gateway MAC address to the re-direct list.
    Type: Grant
    Filed: July 2, 2020
    Date of Patent: November 2, 2021
    Assignee: BUCKEYE CABLEVISION, INC.
    Inventor: Brian J. Weber
  • Patent number: 11165649
    Abstract: Disclosed embodiments include systems and methods for filter-based composition of network device configuration including a database associating network devices in management with data points of interest, a network server that communicates over a network with the database and at least one network device in management, and a configuration filter module, stored at least in part on the network server, and including rules for configuring the at least one network device in management.
    Type: Grant
    Filed: September 21, 2020
    Date of Patent: November 2, 2021
    Assignee: CRADLEPOINT, INC.
    Inventor: Cory Owens
  • Patent number: 11159555
    Abstract: Implementations of the present disclosure include providing graph data defining a graph that is representative of an enterprise network, the graph including nodes and edges between nodes, each node representing an asset within the enterprise network, and each edge representing one or more lateral attack paths between assets in the enterprise network, determining, for each node, an incoming value based on attributes of a set of incoming edges and an outgoing value based on attributes of a set of outgoing edges, the attributes including a number of edges and semantic types of the edges, at least one cardinality value of each node being determined based on one or more of the incoming value and the outgoing value of the node, receiving input representative of filter parameters, generating a sub-graph based on attributes of the nodes and the filter parameters, and displaying, by the visualization platform, the sub-graph in a display.
    Type: Grant
    Filed: August 20, 2019
    Date of Patent: October 26, 2021
    Assignee: Accenture Global Solutions Limited
    Inventors: Eitan Hadar, Amin Hassanzadeh, Lisa O'Connor
  • Patent number: 11138475
    Abstract: Systems and methods for data protection are disclosed. In one embodiment, in an information processing apparatus comprising at least one computer processor, a method for providing data protection may include: (1) receiving a plurality of data classification rules; (2) receiving end user data classification from end user software; (3) receiving developer data classification from SDLC software; (4) generating a data inventory; and (5) applying at least one data protection to the data inventory based on the data classification rules, the end user data classification, and the developer data classification.
    Type: Grant
    Filed: March 1, 2019
    Date of Patent: October 5, 2021
    Assignee: JPMORGAN CHASE BANK, N.A.
    Inventors: Matthew Jesse Collins, David MacFarlane, Sean Thomas Kornish, Jorge Garcia Reyero, Philip Harvey
  • Patent number: 11134058
    Abstract: Network traffic inspection is disclosed. An application executing on a client device as an operating system that uses a virtual private network (VPN) stack of the operating system intercepts a first IP packet. The application determines that a policy should be applied to the intercepted first IP packet. The policy is applied to the intercepted first IP packet.
    Type: Grant
    Filed: February 11, 2020
    Date of Patent: September 28, 2021
    Assignee: Barracuda Networks, Inc.
    Inventors: Pablo German Sole, Jose Luis Ferras Pereira, Sinan Eren, Luisa Marina Moya Praca de Araujo Lima
  • Patent number: 11128665
    Abstract: The disclosed computer-implemented method for providing secure access to vulnerable networked devices may include identifying a vulnerable network device connected to a local network, identifying local network traffic destined for the vulnerable network device and that has been tagged as safe, passing the local network traffic tagged as safe to the vulnerable network device, and performing a security action on local network traffic destined for the vulnerable network device that has not been tagged as safe. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: September 6, 2018
    Date of Patent: September 21, 2021
    Assignee: NortonLifeLock Inc.
    Inventors: Ilya Sokolov, Bruce McCorkendale
  • Patent number: 11128662
    Abstract: A method for preventing hijacking of a web page is provided. A HyperText Markup Language (HTML) source file is received from a web server in response to a HyperText Transfer Protocol (HTTP) access request, the HTML source file being embedded with a script tag corresponding to script code for preventing HTTP hijacking. The script code for preventing HTTP hijacking is pulled from an antihijacking server according to the script tag. It is detected, based on the script code for preventing HTTP hijacking, whether a document object model (DOM) node used for HTTP hijacking exists in a DOM tree. The DOM node used for HTTP hijacking is hidden from a web page of a browser in response to detecting that the DOM node used for HTTP hijacking exists.
    Type: Grant
    Filed: July 18, 2019
    Date of Patent: September 21, 2021
    Assignee: TENCENT TECHNOLOGY (SHENZHEN) COMPANY LTD
    Inventors: Li Na Yuan, Xiao Long Zhang, Shaoyu Zhang, Yu Hui Hu