Packet Filtering Patents (Class 726/13)
-
Patent number: 11822638
Abstract: Embodiments described herein disclose technology for authenticating a user. In some embodiments, a smart card or other similar authentication device can be associated with a user profile. When a request to interact is received via an application associated with a device, the system prompts the user to wave the smart card within a threshold proximity of the device. In response to the smart card being placed within the proximity, the system collects information from the smart card and verifies that the smart card is associated with the user profile of the user. In response to verifying the information from the smart card, the system authenticates the user and allows the user to interact.
Type: Grant
Filed: May 31, 2022
Date of Patent: November 21, 2023
Assignee: United Services Automobile Association
Inventor: John R. Clowe
-
Patent number: 11818099
Abstract: A method for filtering data packets at a firewall system is disclosed that includes receiving a data packet having a plurality of fields at a processor, and determining whether a precondition exists, where an action is associated with the precondition. The action associated with the precondition is performed if it is determined that the precondition exists. The data packet is processed using a plurality of rules if it is determined that the precondition does not exist for the one or more of the plurality of fields. A user associated with the data packet is identified, and it is determined whether one or more rules are stored in a cache for one or more of a plurality of groups associated with the user. The data packet is processed using the one or more rules stored in the cache if present.
Type: Grant
Filed: September 20, 2021
Date of Patent: November 14, 2023
Assignee: FORCEPOINT LLC
Inventor: Kari Nurmela
-
Patent number: 11818024
Abstract: A statistical information generation device that generates statistical information from Ethernet frames on a mobility network includes: a transceiver that transmits and receives the Ethernet frames; and a statistical information generator that collects a plurality of Ethernet frames transmitted or received by the transceiver within a predetermined time period, and classifies, out of the plurality of Ethernet frames collected, Ethernet frames containing the same destination IP address, source IP address, destination port number, source port number, and protocol, and containing, in payloads, same identification information related to mobility control, into the same group, generates the statistical information for each group from the Ethernet frames classified into groups, and transmits the generated statistical information from the transceiver.
Type: Grant
Filed: April 26, 2021
Date of Patent: November 14, 2023
Assignee: PANASONIC INTELLECTUAL PROPERTY CORPORATION OF AMERICA
Inventors: Tomoyuki Haga, Yuishi Torisaki, Manabu Maeda, Ryo Kato
-
Patent number: 11818045
Abstract: Embodiments of the present invention provide a system for dynamically monitoring and filtering data packets associated with accessing one or more entity resources. The system is configured for identifying a data packet in a network comprising at least a first data unit and a second data unit, determining that the first data unit and the second data unit of the data packet are attempting to access an entity resource, determining that first data associated with the first data unit and second data associated with the second data unit cannot access the entity resource at a same instance based on a first signature bit associated with the first data unit and a second signature bit associated with the second data unit, and attenuating the first data unit or the second data unit from the data packet based on the first signature bit and the second signature bit.
Type: Grant
Filed: April 5, 2021
Date of Patent: November 14, 2023
Assignee: BANK OF AMERICA CORPORATION
Inventors: Sasidhar Purushothaman, Sravan Kumar Kommu, Ramkumar Masilamani, Ramaiah Muvvala, Sajid A. Shah, Manohar Reddy Singamareddy, Srikanth Vemula
-
Patent number: 11811734
Abstract: An HTTP connection between a client computing device and an application is established through a reverse proxy. A response to the client computing device includes a payload instructing initiation of a non-HTTP connection (e.g., TCP, UDP). The response is modified to replace references to an original port with a dynamic port allocated to the non-HTTP connection and a temporary ACL entry is created. A subsequent connection request addressed to the dynamic port is authorized per the ACL, modified to replace the dynamic port with the original port, and forwarded to the application. Subsequent packets for the non-HTTP connection have port numbers translated between the original and dynamic ports.
Type: Grant
Filed: June 17, 2021
Date of Patent: November 7, 2023
Assignee: Prosimo Inc
Inventors: Howard Chen, Arunabha Saha, Prashanth Prabhu
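An added illustration of the proxy behaviour this abstract describes, written for this page and not taken from the patent or from Prosimo's product. It assumes the application announces the follow-on port in its HTTP response as a `port=NNNN` token, a dynamic port pool of 40000-40009 and a 30-second ACL lifetime; all three are choices made here, not details from the patent. The value of the scheme is visible in the ACL check: the dynamic port is bound to the client that received the rewritten response, so another client that learns the port number is still refused, and an entry that has expired is released rather than left open.

```python
import re
from dataclasses import dataclass


@dataclass
class AclEntry:
    client_ip: str
    original_port: int
    expires_at: float


class DynamicPortProxy:
    """Reverse proxy that hands each client a private dynamic port for a non-HTTP
    follow-on connection and admits that connection only through a temporary ACL."""

    # Assumed payload convention: the application says where to connect as "port=NNNN".
    PORT_TOKEN = re.compile(r"port=(\d+)")

    def __init__(self, dynamic_ports=range(40000, 40010), ttl=30.0):
        self._free = list(dynamic_ports)   # dynamic ports not currently allocated
        self.ttl = ttl                     # lifetime of a temporary ACL entry, seconds
        self.acl = {}                      # (client_ip, dynamic_port) -> AclEntry

    def rewrite_response(self, client_ip, body, now):
        """Replace every original port in the HTTP response body with a freshly allocated
        dynamic port and open a matching ACL entry for this client only."""
        def allocate(match):
            original = int(match.group(1))
            dynamic = self._free.pop(0)
            self.acl[(client_ip, dynamic)] = AclEntry(client_ip, original, now + self.ttl)
            return f"port={dynamic}"
        return self.PORT_TOKEN.sub(allocate, body)

    def _release(self, client_ip, dynamic_port):
        self.acl.pop((client_ip, dynamic_port), None)
        self._free.append(dynamic_port)

    def _lookup(self, client_ip, dynamic_port, now):
        entry = self.acl.get((client_ip, dynamic_port))
        if entry is None:
            return None
        if now > entry.expires_at:          # stale entry: close the hole, free the port
            self._release(client_ip, dynamic_port)
            return None
        return entry

    def admit_connection(self, client_ip, dynamic_port, now):
        """Authorize a TCP/UDP connection request per the ACL and return the original
        port it must be forwarded to, or None when the request is to be dropped."""
        entry = self._lookup(client_ip, dynamic_port, now)
        return entry.original_port if entry else None

    def to_application(self, client_ip, dynamic_port, now):
        """Destination-port translation for a later client->application packet."""
        return self.admit_connection(client_ip, dynamic_port, now)

    def to_client(self, client_ip, original_port, now):
        """Source-port translation for an application->client packet: original back to dynamic."""
        for (ip, dynamic), entry in self.acl.items():
            if ip == client_ip and entry.original_port == original_port and now <= entry.expires_at:
                return dynamic
        return None


if __name__ == "__main__":
    proxy = DynamicPortProxy()
    # Constructed response body from the application, rewritten on its way to the client.
    print(proxy.rewrite_response("198.51.100.10", "VNC ready: port=5900", now=0.0))
    print(proxy.admit_connection("198.51.100.10", 40000, now=1.0))   # 5900: admitted
    print(proxy.admit_connection("203.0.113.5", 40000, now=1.0))     # None: wrong client
    print(proxy.admit_connection("198.51.100.10", 40000, now=31.0))  # None: ACL entry expired
```

The proxy state above is in-memory and single-process; a production deployment would need the ACL and port pool shared across proxy instances and the expiry driven by connection teardown as well as by a timer.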
-
Patent number: 11805106
Abstract: A system and method for trigger-based scanning of cyber-physical assets, including a distributed operating system, parameter evaluation engine, at least one cyber-physical asset, at least one crypt-ledger, a network, and a scanner that detects trigger conditions and events and performs scans of cyber-physical assets based on the trigger and any relevant stored scan rules before storing scan results as time-series data.
Type: Grant
Filed: December 31, 2020
Date of Patent: October 31, 2023
Assignee: QOMPLX, INC.
Inventors: Jason Crabtree, Andrew Sellers
-
Patent number: 11790121
Abstract: An appliance includes an external communication port, such as an RJ45 port, and a wireless communication module in wireless communication with a remote server through an external network. A controller is configured to detect port activity at the external communication port, e.g., by detecting a plug-in or data transfer, transmit a notification of the port activity to the remote server using the wireless communication module, receive an activity assessment, e.g., such as an activity approval or disapproval, from the remote server, and adjust at least one operating parameter of the appliance in response to the activity assessment.
Type: Grant
Filed: July 23, 2021
Date of Patent: October 17, 2023
Assignee: Haier US Appliance Solutions, Inc.
Inventors: John Gilman Chapman, Jr., Ryan James Scheckelhoff
-
Patent number: 11777859
Abstract: A method for guaranteeing data transmission and a communications device are provided. The method for guaranteeing data transmission, applied to a terminal, includes: obtaining information of an IPsec tunnel, where the IPsec tunnel is used for transmitting information between the terminal and a second network; and performing a related operation for a tunnel of a first network based on the information of the IPsec tunnel.
Type: Grant
Filed: June 10, 2021
Date of Patent: October 3, 2023
Assignee: VIVO MOBILE COMMUNICATION CO., LTD.
Inventor: Xiaowan Ke
-
Patent number: 11770406
Abstract: Systems and methods for mitigating cyberattacks are described herein. A computing system can detect illegitimate network traffic associated with a cyberattack in network traffic. The computing system can determine an amplification factor of the cyberattack based in part on a probability distribution of the illegitimate network traffic. The computing system can determine a filter to demotivate a generation of the illegitimate network traffic. The determined filter can reduce the amplification factor of the cyberattack. The computing system can implement the determined filter to block the illegitimate network traffic.
Type: Grant
Filed: February 23, 2021
Date of Patent: September 26, 2023
Assignee: Hewlett Packard Enterprise Development LP
Inventors: Yuanjie Li, Kyu-Han Kim, Qianru Li
-
Patent number: 11757747
Abstract: A device may determine internet protocol (IP) traffic monitoring criteria and may monitor IP traffic based on the IP traffic monitoring criteria. The device may update, based on monitoring the IP traffic, a table of currently active IP traffic flows and may update, based on the table of currently active IP traffic flows, an address resolution protocol (ARP) packet filter. The device may receive one or more ARP packets from a different device and may determine whether to accept or discard the one or more ARP packets based on the ARP packet filter. The device may update an ARP table based on determining to accept the one or more ARP packets.
Type: Grant
Filed: June 25, 2021
Date of Patent: September 12, 2023
Assignee: Juniper Networks, Inc.
Inventor: Shijo Thomas
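An added example of the flow-driven ARP filter this abstract describes, written for this page rather than taken from the patent or from Juniper's implementation. It assumes a host-style device with one address of its own, a monitoring criterion of "peers inside 10.0.0.0/24", and a 60-second flow timeout; all of these are choices made here. The security point is the discard path: an ARP reply (or a gratuitous ARP) naming an address the device is not actively exchanging IP traffic with never updates the ARP table, which is the window an ARP-spoofing host relies on.

```python
import ipaddress

# Constructed sample parameters; nothing here is captured traffic.
MONITORED = [ipaddress.ip_network("10.0.0.0/24")]   # assumed IP traffic monitoring criteria
FLOW_TIMEOUT = 60.0                                  # seconds of silence before a flow is stale


class ArpFilteringDevice:
    """Keeps a table of currently active IP flows and accepts ARP only from peers in it."""

    def __init__(self, own_ip, criteria=MONITORED, timeout=FLOW_TIMEOUT):
        self.own_ip = ipaddress.ip_address(own_ip)
        self.criteria = criteria
        self.timeout = timeout
        self.active_flows = {}   # peer IP -> last time a packet of that flow was seen
        self.arp_filter = set()  # peer IPs allowed to populate the ARP table right now
        self.arp_table = {}      # IP (as text) -> MAC

    def _monitored(self, ip):
        return any(ip in net for net in self.criteria)

    def _refresh_filter(self, now):
        """Expire stale flows, then derive the ARP filter from the flows that remain."""
        self.active_flows = {ip: seen for ip, seen in self.active_flows.items()
                             if now - seen <= self.timeout}
        self.arp_filter = set(self.active_flows)

    def observe_ip_packet(self, src_ip, dst_ip, now):
        """Update the active-flow table from an IP packet sent or received by this device."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        peer = dst if src == self.own_ip else src if dst == self.own_ip else None
        if peer is not None and self._monitored(peer):
            self.active_flows[peer] = now
        self._refresh_filter(now)

    def receive_arp(self, sender_ip, sender_mac, now):
        """Return True if the ARP packet was accepted and the ARP table updated,
        False if the filter discarded it."""
        self._refresh_filter(now)
        sender = ipaddress.ip_address(sender_ip)
        if sender not in self.arp_filter:
            return False   # discarded: no active flow justifies learning this IP->MAC binding
        self.arp_table[str(sender)] = sender_mac
        return True


if __name__ == "__main__":
    dev = ArpFilteringDevice("10.0.0.1")
    dev.observe_ip_packet("10.0.0.1", "10.0.0.20", now=0.0)          # we are talking to .20
    print(dev.receive_arp("10.0.0.20", "aa:bb:cc:dd:ee:01", now=5.0))    # True: expected peer
    print(dev.receive_arp("10.0.0.99", "aa:bb:cc:dd:ee:99", now=5.0))    # False: nobody asked
    print(dev.receive_arp("10.0.0.20", "aa:bb:cc:dd:ee:02", now=100.0))  # False: flow expired
```

A forwarding device would key the flow table on the interface and peer rather than on a single own address, and in practice ARP for the default gateway and for addresses the device is about to resolve must be admitted before any flow exists; those bootstrap cases are left out here.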
-
Patent number: 11757888
Abstract: Systems, devices, and methods are discussed for forward testing rule sets at a granularity that is less than all activity on the network. In some cases, the granularity is that of an individual application.
Type: Grant
Filed: June 15, 2021
Date of Patent: September 12, 2023
Assignee: Fortinet, Inc.
Inventors: Rajiv Sreedhar, Manuel Nedbal, Manoj Ahluwalia, Damodar K. Hegde, Jitendra B. Gaitonde, Suresh Rajanna, Mark Lubeck, Gary Nool
-
Patent number: 11757935
Abstract: Methods to secure against IP address thefts by rogue devices in a virtualized datacenter are provided. Rogue devices are detected and distinguished from a migration of an endpoint in a virtualized datacenter. A first hop network element in a one or more network fabrics intercepts a request that includes an identity of an endpoint and performs a local lookup for the endpoint entity identifier. Based on the lookup not finding the endpoint entity identifier, the first hop network element broadcasts a message such as a remote media access address (MAC) query to other network elements in the one or more network fabrics. Based on the received response, which may include an IP address associated with the MAC address, the first hop network element performs a theft validation process to determine whether the request originated from a migrated endpoint or a rogue device.
Type: Grant
Filed: May 4, 2022
Date of Patent: September 12, 2023
Assignee: CISCO TECHNOLOGY, INC.
Inventors: Govind Prasad Sharma, Eshwar Rao Yedavalli, Mohammed Javed Asghar, Ashwath Kumar Chandrasekaran, Swapnil Mankar, Umamaheswararao Karyampudi
-
Patent number: 11757936
Abstract: Techniques for providing a large scale high-interaction honeypot farm are disclosed. In some embodiments, a system/method/computer program product for providing a large scale high-interaction honeypot farm includes sending traffic detected at a sensor to a smart proxy for a honeypot farm that is executed in a honeypot cloud, wherein the traffic is forwarded attack traffic that is sent using a tunneling protocol, and wherein the honeypot farm includes a plurality of container images of distinct types of vulnerable services; selecting a matching type of vulnerable service from the plurality of container images of distinct types of vulnerable services based on a profile of the attack traffic; forwarding the traffic to an instance of the matching type of vulnerable service; and executing a security agent associated with the instance of the matching type of vulnerable service to identify a threat by monitoring behaviors and detecting anomalies or post exploitation activities.
Type: Grant
Filed: January 13, 2022
Date of Patent: September 12, 2023
Assignee: Palo Alto Networks, Inc.
Inventors: Zihang Xiao, Cong Zheng, Jiangxia Liu
-
Patent number: 11757941
Abstract: A computer performs dynamic address isolation. The computer comprises an application associated with an application address, a network interface coupled to receive incoming data packets from and transmit outgoing data packets to an external network, a network address translation engine configured to translate between the application address and a public address, and a driver for automatically forwarding the outgoing data packets to the network address translation engine to translate the application address to the public address, and for automatically forwarding the incoming data packets to the network address translation engine to translate the public address to the application address. The computer may communicate with a firewall configured to handle both network-level security and application-level security.
Type: Grant
Filed: March 16, 2021
Date of Patent: September 12, 2023
Assignee: CUPP Computer AS
Inventor: Shlomo Touboul
-
Patent number: 11757885
Abstract: Outbound traffic of a host application may be received from a host device having a host processor. The secure resource may be configured to provide a secure transaction based on the outbound network traffic. Using a second processor different than the host processor, it may be determined whether the host application is authorized to provide the outbound network traffic to the secure resource. The outbound network traffic may be allowed to be forwarded to the secure resource if the host application is authorized. The outbound network traffic may be disallowed to be forwarded to the secure resource if the host application is not authorized.
Type: Grant
Filed: January 26, 2021
Date of Patent: September 12, 2023
Assignee: CUPP Computing AS
Inventor: Shlomo Touboul
-
Patent number: 11757844
Abstract: Techniques for providing a smart proxy for a large scale high-interaction honeypot farm are disclosed. In some embodiments, a system/method/computer program product for providing a smart proxy for a large scale high-interaction honeypot farm includes receiving tunneled traffic at a smart proxy from a sensor for a honeypot farm that is executed in a honeypot cloud, wherein the tunneled traffic is forwarded attack traffic, and wherein the honeypot farm includes a plurality of container images of distinct types of vulnerable services; selecting a matching type of vulnerable service from the plurality of container images of distinct types of vulnerable services based on a profile of the attack traffic; and forwarding the tunneled traffic to an instance of the matching type of vulnerable service.
Type: Grant
Filed: January 13, 2022
Date of Patent: September 12, 2023
Assignee: Palo Alto Networks, Inc.
Inventors: Zihang Xiao, Cong Zheng, Jiangxia Liu
-
Patent number: 11757909
Abstract: Methods and systems for generating a security policy at a gateway are disclosed. A server computer and a gateway can perform a protocol in order to train a security model at a gateway, such that it can detect attack packets and prevent those attack packets from reaching the server computer via the gateway. In a learning phase, the server computer can provide training packets and test packets to the gateway. The gateway can use the training packets to train a security model, and the gateway can classify the test packets using the security model in order to test its accuracy. When the server computer is satisfied with the accuracy of the security policy, the server computer can transmit an acceptance of the security policy to the gateway, which can subsequently deploy the model in order to detect and filter attack packets.
Type: Grant
Filed: June 10, 2021
Date of Patent: September 12, 2023
Assignee: Visa International Service Association
Inventors: Abhinav Aggarwal, Mahdi Zamani, Mihai Christodorescu
-
Patent number: 11757940
Abstract: Some embodiments provide a method for a network management and control system that manages a virtual infrastructure deployed across a set of datacenters. The method receives a definition of an application to be deployed in the virtual infrastructure. The application definition specifies a requirement that the application receive data traffic from sources external to the virtual infrastructure. Based on the application definition, the method defines a first set of firewall rules for the application that indicate conditions for allowing data traffic from sources external to the virtual infrastructure. For an existing second set of higher-level firewall rules for data traffic entering and exiting the virtual infrastructure, the method specifies a new firewall rule that directs a network element implementing the sets of firewall rules to apply the first set of firewall rules to any data traffic that is from sources external to the virtual infrastructure and directed to the application.
Type: Grant
Filed: November 24, 2020
Date of Patent: September 12, 2023
Assignee: VMWARE, INC.
Inventors: Sachin Mohan Vaidya, Kausum Kumar, Jayant Jain, Shadab Shah, Anirban Sengupta
-
Patent number: 11750565
Abstract: A method at a system including a firewall and at least one application, the method including obtaining, at the at least one application, a new address for a service provider for the at least one application; triggering a firewall update; obtaining a new firewall configuration; and updating the firewall, wherein the updating the firewall allows a connection from the at least one application to the new address for the service provider.
Type: Grant
Filed: January 21, 2022
Date of Patent: September 5, 2023
Assignee: BlackBerry Limited
Inventors: Michaela Vanderveen, Stephen John Barrett
-
Patent number: 11736466
Abstract: A device is described that includes a first microprocessor configured for interfacing with a digital access control backend, and a second microprocessor configured for dedicated communications with an access control manager device backend. The first microprocessor is a master device that controls the operation of the second microprocessor as a secondary device. The proposed device is configured for operation of the first microprocessor and the second microprocessor at low clock speeds and to maintain a hash segregation between locally received data sets and data sets transmitted to an external authentication system.
Type: Grant
Filed: September 18, 2020
Date of Patent: August 22, 2023
Assignee: BIOCONNECT INC.
Inventors: Courtney Ryan Gibson, Robert Douglas
-
Patent number: 11736496
Abstract: A data security system, including a security manager computer making network application programming interface (API) calls to a cloud-based service that performs data exchange transactions among end users, the API calls remotely controlling the cloud-based service so that the security manager computer accesses transactions that have entered the cloud-based service, whereby an end user may forward a transaction received through the cloud-based service to a central authority as being a potentially harmful or deceptive transaction, and a data inspector operative to analyze a transaction as being indeed harmful or deceptive, by applying machine learning, wherein the security manager computer controls the cloud-based service so as to transmit to the security manager transactions forwarded to the central authority, instead of or in addition to transmitting these transactions to the central authority, for analysis by the data inspector.
Type: Grant
Filed: February 16, 2021
Date of Patent: August 22, 2023
Assignee: AVANAN, INC.
Inventors: Roy Rotem, Gil Friedrich
-
Patent number: 11736527
Abstract: A multi-enterprise system for selecting custom high-value sets of SIEM rules for individual member enterprises communicates with member enterprises via network connections. User interfaces are implemented to enable member enterprises to access the system for search, download, and other functions. Advanced rule identification using a sophisticated security knowledge graph enhances processing efficiency and effectiveness.
Type: Grant
Filed: September 4, 2020
Date of Patent: August 22, 2023
Assignee: ANVILOGIC, INC.
Inventors: Satheesh Kumar Joseph Durairaj, Deb Banerjee, Karthik Kannan
-
Patent number: 11729148
Abstract: A method including receiving, at a VPN server from a user device during an established VPN connection between the VPN server and the user device, a data request for the VPN server to retrieve data of interest from a host device; utilizing, by the VPN server, a first exit IP address to transmit a query for retrieving the data of interest to the host device during the established VPN connection; determining, by the VPN server based at least in part on transmitting the query, that the first exit IP address is blocked by the host device; and utilizing, by the VPN server, a second exit IP address to retransmit the query for retrieving the data of interest to the host device during the established VPN connection is disclosed. Various other aspects are contemplated.
Type: Grant
Filed: September 4, 2022
Date of Patent: August 15, 2023
Assignee: UAB 360 IT
Inventors: Karolis Pabijanskas, Zenonas Funka
-
Patent number: 11729192
Abstract: Detection and notification of malware at a user device may be performed by a validation server. The user device may hash elements associated with a document object model of a webpage and send generated hash values to the validation server. The validation server may validate the hash values. Based on detection of hash values corresponding to elements maliciously-injected by malware, the validation server may send one or more notifications to other servers that may communicate with the user device.
Type: Grant
Filed: March 16, 2021
Date of Patent: August 15, 2023
Assignee: Bank of America Corporation
Inventors: Joel Richard Townsend, John Raymond Omernik, William Anderson Hodges
-
Patent number: 11729188
Abstract: Device and method for intrusion detection in a computer network. A data packet is received at an input of a hardware switch unit, an actual value from a field of the data packet being compared in a comparison by a hardware filter with a setpoint value for values from the field, the field including data link layer data or network layer data, a value for a counter determined as a function of a result of the comparison being provided by the hardware switch unit, and a computing device determining a result of the intrusion detection as a function of the value of the counter in the hardware switch unit and independently of information from the data packet, in particular, without an evaluation of information from the data packet by the computing device.
Type: Grant
Filed: July 7, 2020
Date of Patent: August 15, 2023
Assignee: ROBERT BOSCH GMBH
Inventors: Andreas Weber, Janin Wolfinger, Jens Gramm, Michael Herrmann, Wolfram Gottschlich
-
Patent number: 11722510
Abstract: Aspects of the disclosure relate to monitoring virtual desktops accessed by devices at remote locations using machine-learning models to mitigate potential cyber-attacks. In some embodiments, a computing platform may monitor data associated with a series of activities from a virtual desktop accessed by a remote computing device. Subsequently, the computing platform may detect new activity data on the virtual desktop accessed by the remote computing device, and evaluate the new activity data relative to the data associated with the series of activities, wherein evaluating includes applying a machine learning model to the new activity data. Based on evaluating the new activity data, the computing platform may determine if the new activity data is indicative of a potential cyber-attack. In response to determining that the new activity data is indicative of a potential cyber-attack, the computing platform may initiate one or more security response actions.
Type: Grant
Filed: August 10, 2020
Date of Patent: August 8, 2023
Assignee: Bank of America Corporation
Inventor: Patrick Lewis
-
Patent number: 11716391
Abstract: According to examples, an apparatus may include a processor and a memory on which are stored machine-readable instructions that when executed by the processor, may cause the processor to obtain an encryption key from a user. The processor may identify session activity data during a proxy session of the user and may encrypt the identified session activity data using the encryption key obtained from the user. The processor may store the encrypted session activity data.
Type: Grant
Filed: December 17, 2020
Date of Patent: August 1, 2023
Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventors: Itamar Azulay, Tomer Cherni
-
Patent number: 11716314
Abstract: Described embodiments provide systems and apparatuses for enhanced quality of service, steering and policy enforcement for https traffic via intelligent in-line path discovery of a TLS terminating node. The system may include a first network device having a secure connection traversing through the first network device, and in communication with a second network device. The first network device and the second network device may be intermediary to a client device and a server. The first network device may determine that the second network device terminates the secure connection. The first network device may receive key generation information of the secure connection from the second network device following determining the second network device terminates the secure connection.
Type: Grant
Filed: May 4, 2021
Date of Patent: August 1, 2023
Inventors: J Mohan Rao Arisankala, Chaitra Maraliga Ramaiah, Karthick Srivatsan
-
Patent number: 11711340
Abstract: A privatized link between an origin server and a content delivery network is provided. A privatized link can be a direct connection that does not route over the internet. Another privatized link is one that rotates IP addresses. An origin server may be assigned to use a set of multiple IP addresses for communication with the content delivery network. However, at any given time, the origin server is only using a small number of IP addresses. When one of the IP addresses being used to communicate with the content delivery network comes under attack, the origin server switches to another IP address in the set in order to continue serving content to the content delivery network via an IP address that is not under attack.
Type: Grant
Filed: April 20, 2020
Date of Patent: July 25, 2023
Assignee: Fastly, Inc.
Inventors: Sean A. Leach, Artur Bergman, Thomas J. Daly
-
Patent number: 11711344
Abstract: A system for firewall data log processing, comprising a firewall logging system operating on a first processor and configured to cause the first processor to receive firewall log data and to process the firewall log data on a periodic basis to reduce the size of the firewall log data and a firewall reporting system operating on a second processor and configured to process the reduced size firewall log data to generate a report on a user interface that includes one or more analytics from the reduced size firewall data.
Type: Grant
Filed: April 30, 2020
Date of Patent: July 25, 2023
Assignee: FORCEPOINT LLC
Inventors: Michael Oliver O'Mahony, Nicole Carin Petersen, Mandar Harish Harkare, Damien Christopher Monaghan
-
Patent number: 11711389
Abstract: A method, including identifying, in network data traffic, multiple scans, each of the scans including an access, in the traffic, of multiple ports on a given destination node by a given source node during a time period. A group of high-traffic ports are identified in the traffic that include one or more ports that receive respective volumes of the traffic that exceed a threshold, and respective signatures are generated for the identified port scans that indicate the ports other than the high-traffic ports that were accessed in each of the port scans. A respective frequency of occurrence of each of the signatures over the set of the port scans is computed, and a whitelist of the signatures for which the respective frequency of occurrence is greater than a threshold is assembled. Upon detecting a port scan for which the respective signature is not whitelisted, a preventive action is initiated.
Type: Grant
Filed: October 21, 2021
Date of Patent: July 25, 2023
Assignee: PALO ALTO NETWORKS (ISRAEL ANALYTICS) LTD.
Inventors: Idan Amit, Yinnon Meshi, Jonathan Allon, Aviad Meyer
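An added walk-through of the signature-whitelist method in this abstract, written for this page and not taken from the patent or from any Palo Alto Networks product. The flow records, the three thresholds (a scan touches at least 3 ports, a high-traffic port carries more than 100,000 bytes, a signature is whitelisted when seen more than twice) and the "whole sample is one time period" simplification are all assumptions made here. The example includes the edge case the abstract leaves implicit: a scan that only touched high-traffic ports has an empty signature, which is evidence of nothing and is treated separately rather than being whitelisted or alerted on.

```python
from collections import Counter, defaultdict

# Constructed flow records for illustration, not captured traffic.
# Each record is (src_ip, dst_ip, dst_port, bytes_transferred).
FLOWS = []
# A recurring internal scanner that probes the same five ports on every host.
for host in range(1, 6):
    for port in (22, 80, 443, 3389, 8080):
        FLOWS.append(("10.0.0.5", f"10.0.1.{host}", port, 100))
# Ordinary web traffic, which makes 80 and 443 high-traffic ports.
for _ in range(20):
    FLOWS.append(("10.0.2.1", "10.0.1.1", 443, 50_000))
    FLOWS.append(("10.0.2.1", "10.0.1.1", 80, 10_000))
# An external host sweeping service ports nobody has probed in that combination before.
for port in (21, 22, 23, 445):
    FLOWS.append(("192.0.2.9", "10.0.1.1", port, 60))


def identify_scans(flows, min_ports):
    """A scan is one source touching at least min_ports distinct ports on one destination
    (the time period is assumed to be the whole sample)."""
    ports = defaultdict(set)
    for src, dst, port, _ in flows:
        ports[(src, dst)].add(port)
    return {pair: p for pair, p in ports.items() if len(p) >= min_ports}


def high_traffic_ports(flows, volume_threshold):
    """Ports whose total byte volume exceeds the threshold; a scan touching them proves little."""
    volume = Counter()
    for _, _, port, nbytes in flows:
        volume[port] += nbytes
    return {port for port, v in volume.items() if v > volume_threshold}


def signature(scan_ports, hot_ports):
    """Signature = the scanned ports with high-traffic ports removed, as a sorted tuple."""
    return tuple(sorted(set(scan_ports) - hot_ports))


def build_whitelist(flows, min_ports, volume_threshold, freq_threshold):
    """Learn which scan signatures recur often enough to be treated as expected behaviour."""
    hot = high_traffic_ports(flows, volume_threshold)
    freq = Counter(signature(p, hot) for p in identify_scans(flows, min_ports).values())
    whitelist = {sig for sig, n in freq.items() if n > freq_threshold}
    return whitelist, hot


def classify_scan(scan_ports, hot, whitelist):
    """Decide what to do with a newly detected scan. An empty signature means the scan
    touched only high-traffic ports, so there is nothing to match against."""
    sig = signature(scan_ports, hot)
    if not sig:
        return "ignore"
    return "whitelisted" if sig in whitelist else "alert"


if __name__ == "__main__":
    wl, hot = build_whitelist(FLOWS, min_ports=3, volume_threshold=100_000, freq_threshold=2)
    print("high-traffic ports:", sorted(hot))            # [80, 443]
    print("whitelisted signatures:", wl)                  # {(22, 3389, 8080)}
    print(classify_scan({22, 80, 443, 3389, 8080}, hot, wl))   # recurring scanner: whitelisted
    print(classify_scan({21, 22, 23, 445}, hot, wl))           # new sweep: alert
```

The frequency threshold is what keeps a single persistent attacker from whitelisting itself: one source repeating the same sweep yields one signature per (source, destination) pair, so the learning set should be built from many sources and destinations over a period long enough that routine scanners (vulnerability management, monitoring) dominate.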
-
Patent number: 11689577
Abstract: A method comprising: receiving a request from a second application to access information from a first application, said first and second applications installed on a user equipment, and in response to said request, determining whether said second application is operating in accordance with at least one rule.
Type: Grant
Filed: December 1, 2021
Date of Patent: June 27, 2023
Assignee: Nokia Technologies Oy
Inventor: Sami Kalervo Majaniemi
-
Patent number: 11689458
Abstract: A control device is connected to a plurality of networks, dispatches a packet received from a user terminal to a network among the plurality of networks, and includes a memory and a processor configured to execute receiving a DNS query packet transmitted from the user terminal, and based on a query target of the DNS query packet, dispatching the DNS query packet to a network among the plurality of networks; and receiving a packet, determining a destination of the packet based on a destination address of the packet, and transmitting the packet to the determined destination.
Type: Grant
Filed: May 28, 2019
Date of Patent: June 27, 2023
Assignee: NTT Communications Corporation
Inventors: Wenyu Shen, Kenji Arai, Ryu Kanishima, Takeo Saga
-
Patent number: 11689565
Abstract: This disclosure provides a device monitoring method and apparatus and a deregistration method and apparatus. The device monitoring apparatus has a capability of obtaining signaling plane data exchanged between a core network element and a terminal device, and after obtaining the signaling plane data, the device monitoring apparatus can determine, by analyzing attribute information of the signaling plane data, a device that may initiate a DoS attack.
Type: Grant
Filed: June 15, 2020
Date of Patent: June 27, 2023
Assignee: Huawei Technologies Co., Ltd.
Inventors: Yong Wang, Li Hu, Jing Chen
-
Patent number: 11671270
Abstract: The present disclosure is directed to systems and methods for logical flow aggregation for fragmented multicast flows, the methods including the steps of identifying a plurality of fragmented multicast flows that are logically related as a single flow in a multicast network; generating a plurality of multicast joins associated with the plurality of fragmented multicast flows, wherein each multicast join of the plurality of multicast joins includes a join attribute comprising a common flow identifier that identifies the plurality of fragmented multicast flows as logically related; and selecting a reverse forwarding path toward an upstream device for the plurality of multicast joins.
Type: Grant
Filed: May 4, 2021
Date of Patent: June 6, 2023
Assignee: CISCO TECHNOLOGY, INC.
Inventors: Mankamana Prasad Mishra, Roshan Lal, Anuj Budhiraja
-
Patent number: 11671405
Abstract: Systems and methods for implementing filters within computer networks include obtaining blocklist data that includes blocklist entries for a network. Each of the blocklist entries includes one or more network traffic attributes for identifying traffic to be blocked. In response to receiving the blocklist data, a filter based on a common network traffic attribute shared between at least two of the plurality of blocklist entries is generated. The filter is then deployed to a network device within the network such that the filter may be implemented at the network device to block corresponding traffic.
Type: Grant
Filed: March 4, 2022
Date of Patent: June 6, 2023
Assignee: Level 3 Communications, LLC
Inventor: Michael Benjamin
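An added example of collapsing blocklist entries onto a shared attribute, written for this page and not taken from the patent or from Level 3's implementation. The blocklist entries are constructed, and the greedy choice of "the attribute value shared by the most remaining entries" and the restriction of aggregation to `src_ip` and `dst_port` are design choices made here. That restriction is the caveat a practitioner wants: every entry below is TCP or UDP, so a filter derived from the protocol field alone would block the whole network, and an aggregated filter is always coarser than the union of the entries it replaces, so the code also checks that every original entry is still covered before the filter set is handed to a device.

```python
from collections import Counter

# Constructed blocklist entries, not a real feed. Each entry lists the attributes
# a packet must have to be blocked; a filter has the same shape.
BLOCKLIST = [
    {"src_ip": "203.0.113.4", "dst_port": 23, "proto": "tcp"},
    {"src_ip": "203.0.113.9", "dst_port": 23, "proto": "tcp"},
    {"src_ip": "198.51.100.7", "dst_port": 23, "proto": "tcp"},
    {"src_ip": "198.51.100.7", "dst_port": 3389, "proto": "tcp"},
    {"src_ip": "192.0.2.33", "dst_port": 53, "proto": "udp"},
]

# Attributes on which a shared value may be collapsed into one filter. "proto" is
# deliberately absent: a filter on "tcp" alone would block far more than the list intends.
AGGREGATABLE = ("src_ip", "dst_port")


def aggregate_filters(entries, aggregatable=AGGREGATABLE, min_shared=2):
    """Greedily replace groups of entries that share an attribute value with a single
    filter on that value; entries that share nothing become exact-match filters."""
    remaining = [dict(e) for e in entries]
    filters = []
    while remaining:
        shared = Counter((k, e[k]) for e in remaining for k in aggregatable if k in e)
        if not shared or shared.most_common(1)[0][1] < min_shared:
            filters.extend(remaining)          # nothing left to aggregate
            break
        (attr, value), _ = shared.most_common(1)[0]
        filters.append({attr: value})
        remaining = [e for e in remaining if e.get(attr) != value]
    return filters


def matches(filt, packet):
    """A filter matches when every attribute it names is present with the same value."""
    return all(packet.get(k) == v for k, v in filt.items())


def is_blocked(filters, packet):
    return any(matches(f, packet) for f in filters)


def covers_all_entries(entries, filters):
    """Pre-deployment check: the generated filters must still block every original entry."""
    return all(is_blocked(filters, e) for e in entries)


if __name__ == "__main__":
    filters = aggregate_filters(BLOCKLIST)
    print(filters)   # [{'dst_port': 23}, {...3389 entry...}, {...53 entry...}]
    print(covers_all_entries(BLOCKLIST, filters))   # True
    # Coarser than the list: a source never listed is now blocked on port 23 too.
    print(is_blocked(filters, {"src_ip": "10.9.9.9", "dst_port": 23, "proto": "tcp"}))
```

Whether the extra blocking is acceptable depends on the attribute: collapsing on a destination port effectively turns "these sources may not reach telnet" into "nobody may reach telnet", which is often the intent for a perimeter filter but is not what the blocklist said, so the aggregatable set should be an explicit operator decision per deployment.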
-
Patent number: 11665207
Abstract: Embodiments are directed to monitoring communication between computers using network monitoring computers (NMCs). NMCs identify a secure communication session established between two of the computers based on an exchange of handshake information associated with the secure communication session. Key information that corresponds to the secure communication session may be obtained from a key provider such that the key information may be encrypted by the key provider. NMCs may decrypt the key information. NMCs may derive the session key based on the decrypted key information and the handshake information. NMCs may decrypt network packets included in the secure communication session. NMCs may be employed to inspect the one or more decrypted network packets to execute one or more rule-based policies.
Type: Grant
Filed: November 1, 2021
Date of Patent: May 30, 2023
Assignee: ExtraHop Networks, Inc.
Inventors: Benjamin Thomas Higgins, Jesse Abraham Rothstein
-
Patent number: 11652848
Abstract: A plurality of security rule processing nodes is configured for network traffic of a set of sources and destinations. Respective subsets of configuration information of the sources and destinations, including security rules, are transmitted to the nodes. Respective addresses of at least a subset of the nodes are transmitted to a packet processing intermediary. The intermediary requests evaluation of applicable security rules with respect to packet flows by selected nodes prior to initiating routing actions for packets of the flows.
Type: Grant
Filed: September 26, 2019
Date of Patent: May 16, 2023
Assignee: Amazon Technologies, Inc.
Inventors: Dheerendra Talur, Venkat Maithreya Paritala, Abhishek Chhajer, Charlie Jahchan, Yogeshkumar Kuite
-
Patent number: 11652789
Abstract: Methods and apparatuses providing file type inspection in firewalls by moving the flow between deep file inspection and lightweight accelerated paths. The method includes obtaining, by a network security device, a packet flow of a file transfer session in which at least two files are transferred and determining, by the network security device, at least an offset parameter based on at least one attribute of at least a first packet in the packet flow. The offset parameter is for a first file being transferred of the at least two files and relates to an expected position of a control data sequence within the packet flow. The method further includes directing, by the network security device and based on the offset parameter, a portion of the packet flow including one or more packets that follow the first packet to an accelerated packet inspection path instead of to a deep packet inspection path.
Type: Grant
Filed: June 27, 2019
Date of Patent: May 16, 2023
Assignee: CISCO TECHNOLOGY, INC.
Inventor: Andrew E. Ossipov
-
Patent number: 11652829
Abstract: A secure data exchange system comprising a security device including a first external device plug, and a security engine operative to enforce a security policy on data transfer requests received from the host; an external device including a second external device plug; and a host including a first external device port operative to communicatively couple with the first external device plug, a second external device port operative to communicatively couple with the second external device plug, and a driver, e.g., a redirect driver, operative to transfer a data transfer request to the security device before executing the data transfer request.
Type: Grant
Filed: May 4, 2021
Date of Patent: May 16, 2023
Assignee: CUPP Computing AS
Inventor: Shlomo Touboul
-
Patent number: 11630894
Abstract: A structure capable of performing more secure authentication between devices is provided. There is provided a processing device comprising: a processing unit that executes a defined process that is defined in advance according to an input first request, executes calculation using first information included in the first request, and transmits a first response including a result of the calculation to a first device that output the first request, wherein the processing unit transmits a second request including second information different from the first information to at least one second device different from the first device, and acquires a second response including a result of calculation using the second information from the at least one second device.
Type: Grant
Filed: April 19, 2021
Date of Patent: April 18, 2023
Assignee: KABUSHIKI KAISHA TOKAI RIKA DENKI SEISAKUSHO
Inventors: Yosuke Hasegawa, Yosuke Ohashi, Takanori Matsuyama
-
Patent number: 11632389
Abstract: A first device may receive content from a second device based on a request for the content. The first device may be located between the second device and a third device. The first device may determine a value for a portion of the content using a function, where the value is to be used to analyze the content. The value may uniquely identify the portion of the content. The first device may determine whether a classification of the content can be determined. The first device may selectively determine the classification of the content by providing the value or the portion of the content corresponding to the value, to a fourth device when the classification cannot be determined, or determine the classification of the content using a data store when the classification can be determined. The first device may perform an action with respect to the content.
Type: Grant
Filed: December 31, 2019
Date of Patent: April 18, 2023
Assignee: Juniper Networks, Inc.
Inventors: Venkata Rama Raju Manthena, Chandrasekar Nagarajan
-
Patent number: 11632810
Abstract: A method is provided, comprising: triggering a terminal of a wireless network to establish a control session to a translator device via the wireless network; providing a control port to a station of a wireline network; and forwarding at least one of a first message from the station received on the control port via the control session to the translator device, and a second message received via the control session from the translator device to the station.
Type: Grant
Filed: February 28, 2018
Date of Patent: April 18, 2023
Assignee: NOKIA TECHNOLOGIES OY
Inventors: Rakash Sivasiva Ganesan, Peter Rost, Christian Markwart, Borislava Gajic, Andreas Maeder, Christian Mannweiler
-
Patent number: 11627040
Abstract: A network device may receive a first configuration object associated with an application and may parse the first configuration object to identify first configuration data. The network device may calculate a first hash value based on the first configuration data and may generate a first operational object based on the first configuration data and the first hash value. The network device may receive a second configuration object associated with the application of the network device and may parse the second configuration object to identify second configuration data. The network device may calculate a second hash value based on the second configuration data and may determine whether the first hash value matches the second hash value. The network device may prevent, based on the first hash value matching the second hash value, generation of a second operational object based on the second configuration data and the second hash value.
Type: Grant
Filed: August 18, 2021
Date of Patent: April 11, 2023
Assignee: Juniper Networks, Inc.
Inventors: Rajat Rastogi, Vikas G, Sandeep Hassan Ramanna
-
Patent number: 11621999
Abstract: In response to a first programmatic request, metadata indicating that a first isolated read channel of a real-time category has been associated with a first target stream is stored at a stream management service. In response to another request, metadata indicating that a second isolated read channel of a non-real-time category has been associated with a second target stream is stored. In response to a read request indicating the first channel or the second channel, one or more data records of the corresponding target streams are provided.
Type: Grant
Filed: November 25, 2020
Date of Patent: April 4, 2023
Assignee: Amazon Technologies, Inc.
Inventors: Benjamin Warren Mercier, Sayantan Chakravorty, Yasemin Avcular, Charlie Paucard
-
Patent number: 11616759
Abstract: A cloud-based traffic classification engine maintains a catalog of application-based traffic classes which have been developed based on known applications, and a local traffic classification engine maintains a subset of these classes. Network traffic intercepted by the firewall which cannot be classified by the local engine is forwarded to the cloud-based engine for classification. Upon determination of a class of the traffic, the cloud-based engine forwards the determined class and corresponding signature to the local engine. The firewall maintains a cache which is updated with the signatures corresponding to the class communicated by the cloud-based engine. Subsequent network traffic sent from the application can be determined to correspond to the application and classified accordingly, locally at the firewall, based on the cached signatures. Localization of the cache to the firewall reduces latency of traffic classification operations as the catalog of classification information stored in the cloud scales.
Type: Grant
Filed: August 26, 2021
Date of Patent: March 28, 2023
Assignee: Palo Alto Networks, Inc.
Inventors: Mengying Jiang, Shengming Xu, Menglan Fang, Ho Yu Lam
-
Patent number: 11611453
Abstract: Network interface provisioning of containerized instances based on tenant policies. A network interface assignment process (NIAP) receives a first request to assign a network interface to a first containerized instance comprising at least one container. The NIAP determines that a first tenant of a plurality of different tenants is associated with the first containerized instance. The NIAP accesses a first network assignment tenant policy (NATP) that corresponds to the first tenant. Based on the first NATP, the NIAP assigns, to the first containerized instance, a first network interface via which the first containerized instance can communicate with other containerized instances associated with the first tenant.
Type: Grant
Filed: February 25, 2021
Date of Patent: March 21, 2023
Assignee: Red Hat, Inc.
Inventors: Huamin Chen, Douglas K. Smith
-
Patent number: 11604874
Abstract: Audio visual privacy controls can be provided. A privacy service can be configured to interface with multiple filter drivers that are loaded above components of an AV platform to enable the privacy service to selectively block a particular AV app's access to an AV device based on context. A privacy service may leverage a first filter driver to identify an AV app and may leverage a second filter driver to block the AV app's access. The privacy service may consider different types and combinations of context to determine when access to an AV device's stream should be blocked.
Type: Grant
Filed: September 23, 2021
Date of Patent: March 14, 2023
Assignee: Dell Products L.P.
Inventors: Srikanth Kondapi, Gokul Thiruchengode Vajravel
-
Patent number: 11606296
Abstract: A method performed by a node of a communications network, such as a virtual routing function or policy enforcement node, comprises receiving at least one packet, such as an internet protocol packet having an associated address, and obtaining one or more metrics. The method involves dynamically configuring a longest-prefix match process on the basis of at least the metric(s). The dynamically configured longest-prefix match process is used with the associated address to identify an action, and the identified action is applied to the packet.
Type: Grant
Filed: February 11, 2021
Date of Patent: March 14, 2023
Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventor: Colin Tregenza Dancer
-
Patent number: 11606346
Abstract: A logic circuit for managing reception of secure data packets in an industrial controller snoops data being transferred by a Media Access Controller (MAC) between a network port and a shared memory location within the industrial controller. The logic circuit is configured to perform authentication and/or decryption on the data packet as the data packet is being transferred between the port and the shared memory location. The logic circuit performs authentication as the data is being transferred and completes authentication shortly after the MAC has completed transferring the data to the shared memory. The logic circuit coordinates operation with the MAC and signals a Software Packet Processing (SPP) module when authentication is complete. The logic circuit is further configured to decrypt the data packet, if necessary, and to similarly coordinate operation with the MAC and delay signaling the SPP module that data is ready until decryption is complete.
Type: Grant
Filed: June 29, 2020
Date of Patent: March 14, 2023
Assignee: Rockwell Automation Technologies, Inc.
Inventor: Kenneth William Batcher