Packet Filtering Patents (Class 726/13)
  • Patent number: 11943618
    Abstract: Described herein are techniques for preventing a user from continuing to access an online service once access rights have been revoked. In some embodiments, the techniques comprise receiving a request to determine a current status of access rights in association with a user and an online service, determining, based on one or more conditions associated with the online service, the current status of access rights, upon determining that the current status of access rights indicates that the user is not authorized to access the online service, identifying at least one user device associated with the user, generating programmatic instructions to cause a session token associated with the online service to be removed from a memory of the at least one user device, and providing the programmatic instructions to the at least one user device.
    Type: Grant
    Filed: December 29, 2020
    Date of Patent: March 26, 2024
    Assignee: T-Mobile USA, Inc.
    Inventor: Kanakrai Chauhan
  • Patent number: 11929895
    Abstract: A communication log aggregation device includes: a communicator that obtains flow information including one or more flow records and first statistical information for each flow from each of collection devices, the one or more flow records each including flow identification information included in a message received by at least one observer that is disposed in a control network system, the flow being classified based on the flow identification information, the collection devices each collecting the one or more flow records and the first statistical information for each flow from the message received by the observer; and a flow aggregator that generates aggregated flow information by performing at least one of the following: (i) selecting at least one of the one or more flow records, (ii) adding second statistical information, and (iii) deleting at least one of the one or more flow records, and outputs the aggregated flow information.
    Type: Grant
    Filed: June 30, 2022
    Date of Patent: March 12, 2024
    Assignee: PANASONIC INTELLECTUAL PROPERTY CORPORATION OF AMERICA
    Inventors: Takeshi Kishikawa, Ryo Hirano, Yoshihiro Ujiie
  • Patent number: 11930029
    Abstract: A packet-filtering system configured to filter packets in accordance with packet-filtering rules may receive data indicating network-threat indicators and may configure the packet-filtering rules to cause the packet-filtering system to identify packets comprising unencrypted data, and packets comprising encrypted data. A portion of the unencrypted data may correspond to one or more of the network-threat indicators, and the packet-filtering rules may be configured to cause the packet-filtering system to determine, based on the portion of the unencrypted data, that the packets comprising encrypted data correspond to the one or more network-threat indicators.
    Type: Grant
    Filed: September 19, 2023
    Date of Patent: March 12, 2024
    Assignee: Centripetal Networks, LLC
    Inventors: David K. Ahn, Sean Moore, Douglas M. Disabello
  • Patent number: 11929987
    Abstract: Techniques are disclosed for a network device to preserve packet flow information across bump-in-the-wire (BITW) firewalls. For example, a method comprises receiving, by a network device, a packet. The method also comprises determining, by the network device, that the packet matches a packet flow that is associated with an action to redirect the packet to a firewall configured as a bump-in-the-wire. The method further comprises, in response to the determination: modifying, by the network device, a Media Access Control (MAC) address field of a layer 2 (L2) packet header with a flow identifier of the packet flow; sending, by the network device, the packet to the firewall; receiving, by the network device, the packet from the firewall; and recovering, by the network device, the packet flow by modifying the packet according to the flow identifier in the packet to restore the L2 packet header of the packet.
    Type: Grant
    Filed: February 25, 2020
    Date of Patent: March 12, 2024
    Assignee: Juniper Networks, Inc.
    Inventors: Pranavadatta D N, Aniket G. Daptari, Carlo Contavalli, Prasad Miriyala, Kiran K N, Prasannaa Vengatesan T S, Venkatesh Velpula
  • Patent number: 11916879
    Abstract: Some embodiments of the invention provide a novel method for performing firewall operations on a computer. The method of some embodiments instantiates first and second firewall processes on the computer. These two processes are two separate processes, which in some embodiments have separate memory allocations in the memory system of the computer. The method uses the first firewall process to examine a data message to determine whether an encryption based firewall policy (e.g., a TLS-based firewall policy) has to be enforced on the data message. Based on a determination that the encryption-based firewall policy has to be enforced on the data message, the method provides metadata, which is produced by the first firewall process in its examination of the data message, to the second firewall process. The second firewall process then uses the provided metadata to perform an encryption-based firewall operation based on the encryption-based firewall policy.
    Type: Grant
    Filed: January 3, 2022
    Date of Patent: February 27, 2024
    Assignee: VMware LLC
    Inventors: Manish Jain, Mani Kancherla
  • Patent number: 11909721
    Abstract: A firewall configuration server includes a processor in communication with a memory device. The processor is configured to: receive, from an admin computer device, group-based firewall rules, wherein the group-based firewall rules identify a plurality of groups of virtual machines (VMs) executable on a VM server system and a respective set of firewall policies to be applied to the VMs in each group; receive, from a virtual machine (VM) server system, group membership data, the group membership data identifying the plurality of groups and a respective list of VMs associated with each group; parse the group membership data according to the group-based firewall rules to generate VM-specific firewall rules; and transmit the VM-specific firewall rules to a firewall, wherein each VM-specific firewall rule is configured for application by the firewall to communication requests identifying an IP address of one of the VMs.
    Type: Grant
    Filed: December 29, 2020
    Date of Patent: February 20, 2024
    Assignee: MASTERCARD INTERNATIONAL INCORPORATED
    Inventor: Michael Keiser
  • Patent number: 11900923
    Abstract: Systems and processes for operating an intelligent automated assistant are provided. In one example process, a speech input is received from a user. In response to determining that the speech input corresponds to a user intent of obtaining information associated with a user experience of the user, one or more parameters referencing a user experience of the user are identified. Metadata associated with the referenced user experience is obtained from an experiential data structure. Based on the metadata, one or more media items associated with the referenced user experience are retrieved. The one or more media items associated with the referenced user experience are output together.
    Type: Grant
    Filed: September 7, 2021
    Date of Patent: February 13, 2024
    Assignee: Apple Inc.
    Inventors: Marcos Regis Vescovi, Eric M. G. Circlaeys, Richard Warren, Jeffrey Traer Bernstein, Matthaeus Krenn
  • Patent number: 11902250
    Abstract: The attack vectors for some denial-of-service cyber attacks on the Internet's Domain Name System (DNS) are bad, bogus, or unregistered domain name DNS requests to resolve domain names that are not registered in the DNS. Some other cyber attacks steal sensitive data by encoding the data in bogus domain names, or domain names otherwise not registered in the DNS, that are transferred across networks in bogus DNS requests. A DNS gatekeeper may filter in-transit packets containing DNS requests and may efficiently determine if a request's domain name is registered in the DNS. When the domain name is not registered in the DNS, the DNS gatekeeper may take one of a plurality of protective actions. The DNS gatekeeper drops requests determined not to be legitimate, which may prevent an attack.
    Type: Grant
    Filed: April 1, 2021
    Date of Patent: February 13, 2024
    Assignee: Centripetal Networks, LLC
    Inventors: Sean Moore, Jonathan R. Rogers, Steven Rogers
  • Patent number: 11902153
    Abstract: A node receives an internet protocol (IP) payload packet that includes an IPv6 transport header that has been extended with a compressed routing header (CRH). The CRH includes a list of segment identifiers (SIDs) that identify nodes that the IP payload packet is to traverse. The node determines, by referencing the list of SIDs, a next segment for the IP payload packet. The node updates a destination IP address that is included in the IPv6 transport header to a particular destination IP address of a next-hop node. The node updates a remaining segments value, included in the CRH, that identifies a number of segments left in a route of the IP payload packet. The node provides the IP payload packet to the next-hop node to allow the next-hop node to route the IP payload packet to another node in the network or to a destination device.
    Type: Grant
    Filed: December 16, 2021
    Date of Patent: February 13, 2024
    Assignee: Juniper Networks, Inc.
    Inventor: Ronald Bonica
  • Patent number: 11902327
    Abstract: Techniques are described herein that are capable of evaluating a result of enforcement of access control policies instead of enforcing the access control policies. For instance, a result of enforcement of an access control policy with regard to sign-in processes is evaluated instead of enforcing the access control policy with regard to the sign-in processes. The evaluation includes monitoring access requests that are received during the sign-in processes. Each access request requests access to a resource. The evaluation further includes comparing attributes of each access request against the access control policy that specifies criteria that are to be satisfied as a prerequisite to granting access to the resource to which access is requested by the respective access request. Metadata associated with the sign-in processes is generated instead of enforcing the access control policy with regard to the sign-in processes.
    Type: Grant
    Filed: January 6, 2020
    Date of Patent: February 13, 2024
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Daniel Edward Lee Wood, Caleb Geoffrey Baker, Sarat Subramaniam, Etan Micah Basseri, Carlos Adrian Lopez Castro, Sandra Jiang, Dilesh Dhokia, Jessica Tian-Hueih Lin, Pui Yin Winfred Wong, Robyn Nicole Hicock
  • Patent number: 11902320
    Abstract: Systems and methods are provided to implement a moving target defense for a server computer. The server computer can be provided both a permanent IP address and a temporary IP address. The temporary IP address can be used when communicating with client computers connected to the server computer. The temporary IP address can be dynamically changed at a predetermined interval that can be varied based on conditions at the server computer. An intrusion detection system can be used with the moving target defense systems and methods to identify attacks on the server computer based on the temporary IP address(es) provided by the server computer. When an attack is identified, the corresponding client computer is determined based on the temporary IP address and the client computer is placed on a blacklist that is not provided with new temporary IP addresses when the server computer changes temporary IP address.
    Type: Grant
    Filed: June 10, 2021
    Date of Patent: February 13, 2024
    Assignee: Board of Trustees of the University of Alabama, for and on behalf of the University of Alabama in Huntsville
    Inventor: Vahid Heydari
  • Patent number: 11889319
    Abstract: An access point (AP) device for controlling spectrum usage of a hierarchical communication system, in which a spectrum reserved for an Incumbent is usable by at least one user equipment (UE) for transmission when the spectrum is not required by the Incumbent, is disclosed. The AP device includes a processor configured to receive a message from the Incumbent requesting vacating of a spectrum; generate a group of users affected by the message from the Incumbent requesting vacating of the spectrum; and perform a spectrum management operation on the group of users.
    Type: Grant
    Filed: June 1, 2022
    Date of Patent: January 30, 2024
    Assignee: Intel Corporation
    Inventors: Markus Dominik Mueck, Christian Drewes, Kostas Tsagkaris, Panagiotis Demestichas, Michalis Michaloliakos, Stavroula Vassaki
  • Patent number: 11888878
    Abstract: Various example embodiments relate generally to providing security for a communication network based on detection and mitigation of an attack in the communication network. Various example embodiments supporting attack detection and mitigation may be configured to support detection and mitigation of an attack in a communication network based on distributed collection of network traffic information at network elements and analysis of aggregated network traffic information at a network controller for determining whether a traffic anomaly indicative of an attack on the communication network is detected. Various example embodiments supporting attack detection and mitigation may be configured to support detection and mitigation of an attack in a communication network based on use of traffic records for supporting the collection, aggregation, and analysis of network traffic information.
    Type: Grant
    Filed: February 23, 2018
    Date of Patent: January 30, 2024
    Assignee: NOKIA TECHNOLOGIES OY
    Inventors: Xuyang Jing, Zheng Yan
  • Patent number: 11888867
    Abstract: A method of monitoring a network is provided. The method includes receiving a packet of network traffic, determining a source IP address of the packet, consulting a database of source IP addresses, each source IP address having an associated probability of threat indicator (PTI) that indicates a probability of threat posed by the source IP address. The packet's source IP address' PTI is assigned to the packet as the packet's PTI, and one or more inspection checks are selected to be performed on the packet, wherein the selection of the inspection checks is a function of the packet's source IP address PTI. The method further includes performing the selected inspection checks, assigning treatment of the packet based on a result of the inspection checks performed, and adjusting the packet's source IP address' PTI or the packet's PTI based on the result of the one or more inspection checks performed.
    Type: Grant
    Filed: December 9, 2020
    Date of Patent: January 30, 2024
    Assignee: ARBOR NETWORKS, INC.
    Inventor: Brian St. Pierre
  • Patent number: 11888865
    Abstract: Systems and methods of the disclosure can implement intrusion radiation protection (IRP) to prevent malicious IP traffic in a secure network. The IRP system can receive an IP packet, determine that a protocol of the IP packet matches a predetermined policy of a plurality of predetermined policies, classify the IP packet based on the predetermined policy and a size of the IP packet, inspect a payload of the IP packet responsive to the classification to determine features of the IP packet, determine that one of the features of the IP packet is improper based on the classification, and flag the IP packet as suspect based on the determination. The IRP system can log and/or drop the flagged IP packet. The IRP system can additionally replace a payload of the IP packet with a second payload, and transmit the IP packet with the second payload to its destination.
    Type: Grant
    Filed: November 25, 2019
    Date of Patent: January 30, 2024
    Assignee: Belden, Inc.
    Inventors: Jeffrey Caldwell, Divij Agarwal, Ashish Mathur, Raja Chhabra, Gourav Rastogi
  • Patent number: 11888897
    Abstract: A system includes one or more “BotMagnet” modules that are exposed to infection by malicious code. The BotMagnets may include one or more virtual machines hosting operating systems in which malicious code may be installed and executed without exposing sensitive data or other parts of a network. In particular, outbound traffic may be transmitted to a Sinkhole module that implements a service requested by the outbound traffic and transmits responses to the malicious code executing within the BotMagnet. Credentials for services implemented by a BotSink may be planted in an active directory (AD) server. The BotSink periodically uses the credentials thereby creating log entries indicating use thereof. When an attacker accesses the services using the credentials, the BotSink engages and monitors an attacker system and may generate an alert. Decoy services may be assigned to a domain and associated with names according to a naming convention of the domain.
    Type: Grant
    Filed: August 24, 2022
    Date of Patent: January 30, 2024
    Assignee: SentinelOne, Inc.
    Inventors: Venu Vissamsetty, Nitin Jyoti, Pavan Patel, Prashanth Srinivas Mysore
  • Patent number: 11882131
    Abstract: A URL velocity monitor is integrated with a message-hold decision maker of an electronic mail processing system that processes electronic messages for a protected computer network. The URL velocity monitor receives or obtains a URL, decomposes the URL into URL features based on logical boundaries, and determines features of interest from the URL features for velocity tracking. Examples of URL features can include a randomized URL segment. The velocity of each feature of interest is tracked over a period of time using a counting algorithm that employs a slow counter or a fast counter. The two different counters track two types of velocities which represent different domain behaviors targeting the protected computer network. The URL velocity monitor determines whether the velocity of a feature of interest is accelerating within the time period. If so, the URL is placed in a queue or a sandbox.
    Type: Grant
    Filed: March 26, 2021
    Date of Patent: January 23, 2024
    Assignee: Proofpoint, Inc.
    Inventors: Gregory Lee Wittel, Edward Pavlov
  • Patent number: 11876782
    Abstract: In various examples, a first network interface duplicates received network traffic and forwards a first set of network traffic data to a central processing unit (CPU) and a second set of identical network traffic to one or more parallel processing units (PPUs). In an embodiment, the one or more PPUs analyze the second set of network traffic to identify whether the second set of network traffic is malicious. First, the one or more PPUs filter and classify the second set of network traffic into flows, or logical groupings or subsets of the second set of network traffic. Second, the one or more PPUs sort the network packets within each flow and extract features of interest specific to each flow. Using the extracted features of interest, one or more deep learning techniques infer a status indicating whether each flow is malicious (mal) or good.
    Type: Grant
    Filed: February 8, 2021
    Date of Patent: January 16, 2024
    Assignee: NVIDIA Corporation
    Inventors: Andrea Miele, Gaurav Dadwal
  • Patent number: 11861463
    Abstract: Using a natural language analysis, a current message is classified into a current message class, the current message being a portion of an interaction in narrative text form. Using a trained message class prediction model, a probability of a previous message class having resulted in the current message class is determined. A previous message is extracted from the interaction using the probability, the previous message being a portion of the interaction occurring prior to the current message, the previous message being classified into the previous message class.
    Type: Grant
    Filed: September 6, 2019
    Date of Patent: January 2, 2024
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Jonathan F. Brunn, Rachael Marie Huston Dickens, Rui Zhang
  • Patent number: 11856027
    Abstract: A secure communication system enabling secure transport of information is disclosed. The system comprises a secure network with one or more packet processing units connected by links through an internal communication system. The secure network transports packets of information between credentialed and authenticated agents. Each packet is associated with a visa issued by a visa service. The visa specifies the procedures governing the processing of the packet by the packet processing units as it is transported along a compliant flow, between agents through the network, according to a set of policies specified in a network configuration. Packet processing units include docks and forwarders. Adaptors serving the agents communicate with the network through tie-ins to docks. The system also includes an admin service, accessible to one or more admins, that facilitates configuration and management of the network.
    Type: Grant
    Filed: November 6, 2020
    Date of Patent: December 26, 2023
    Assignee: APPLIED INVENTION, LLC
    Inventors: W. Daniel Hillis, David C. Douglas, Mathias Kolehmainen, Steven Willis, Frank Kastenholz, Michael Dubno
  • Patent number: 11856260
    Abstract: A system to monitor image input of a computing device having a control circuit with a programmable processor, and configured to receive images and to output the images to an image output device coupled to the computing device. The computing device can be configured to monitor the received images via the processor of the computing device being programmed using a Machine Learning Image Classification (MLIC) algorithm configured to determine a score of at least one received image within a predetermined criteria for classifying said at least one received image as a restricted subject image. Based on determination of the score, a modify or non-modify command is generated; and wherein in response to said at least one received image being scored by said processor within the modify criteria, the processor is programmed to generate a command to output the modified image.
    Type: Grant
    Filed: March 30, 2017
    Date of Patent: December 26, 2023
    Assignee: COVENANT EYES, INC.
    Inventors: Michael Holm, Matt Ribiero, Scott Hammersley, Ronald Dehaas
  • Patent number: 11829423
    Abstract: Described herein are technologies relating to predicting whether a resource is spam based solely upon a Uniform Resource Locator (URL) for the resource. The URL is tokenized in connection with generating a sequence of numerical identifiers for the resource. A score for the URL is computed based upon the sequence of numerical identifiers, where the score is indicative of a probability that the resource pointed to by the URL is spam. When the score is above a predefined threshold, a label is assigned to the URL that indicates that the resource pointed to by the URL is spam, and an entry for the resource is not included in a search engine index based upon the label assigned to the URL.
    Type: Grant
    Filed: June 25, 2021
    Date of Patent: November 28, 2023
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Siarhei Alonichau, Qiong Wei, Aliaksei Bondarionok
  • Patent number: 11831803
    Abstract: Systems and methods for detecting and preventing a denial-of-service attack at one or more victim agents of a telecommunication network include one or more session management systems communicatively coupled to one or more attacker agents. The one or more session management systems to receive a call initiation message during a session, provide a provisional response during the session, activate a connection timer, determine whether a provisional acknowledgement message is received within a pre-determined period associated with the connection timer, deactivate the connection timer if the provisional acknowledgement message is not received within the pre-determined period, determine whether a call counter is greater than or equal to a threshold in response to the connection timer deactivation, and activate a block timer if the call counter is greater than or equal to the threshold. The block timer to block one or more calls from the attacker agent.
    Type: Grant
    Filed: May 4, 2022
    Date of Patent: November 28, 2023
    Assignee: T-Mobile Innovations LLC
    Inventors: Jean-Luc Rene Bouthemy, Khurram Ahmad Mirza
  • Patent number: 11822638
    Abstract: Embodiments described herein disclose technology for authenticating a user. In some embodiments, a smart card or other similar authentication device can be associated with a user profile. When a request to interact is received via an application associated with a device, the system prompts the user to wave the smart card within a threshold proximity of the device. In response to the smart card being placed within the proximity, the system collects information from the smart card and verifies that the smart card is associated with the user profile of the user. In response to verifying the information from the smart card, the system authenticates the user and allows the user to interact.
    Type: Grant
    Filed: May 31, 2022
    Date of Patent: November 21, 2023
    Assignee: United Services Automobile Association
    Inventor: John R. Clowe
  • Patent number: 11818099
    Abstract: A method for filtering data packets at a firewall system is disclosed that includes receiving a data packet having a plurality of fields at a processor, and determining whether a precondition exists, where an action is associated with the precondition. The action associated with the precondition is performed if it is determined that the precondition exists. The data packet is processed using a plurality of rules if it is determined that the precondition does not exist for the one or more of the plurality of fields. A user associated with the data packet is identified, and it is determined whether one or more rules are stored in a cache for one or more of a plurality of groups associated with the user. The data packet is processed using the one or more rules stored in the cache if present.
    Type: Grant
    Filed: September 20, 2021
    Date of Patent: November 14, 2023
    Assignee: FORCEPOINT LLC
    Inventor: Kari Nurmela
  • Patent number: 11818024
    Abstract: A statistical information generation device that generates statistical information from Ethernet frames on a mobility network includes: a transceiver that transmits and receives the Ethernet frames; and a statistical information generator that collects a plurality of Ethernet frames transmitted or received by the transceiver within a predetermined time period, and classifies, out of the plurality of Ethernet frames collected, Ethernet frames containing the same destination IP address, source IP address, destination port number, source port number, and protocol, and containing, in payloads, same identification information related to mobility control, into the same group, generates the statistical information for each group from the Ethernet frames classified into groups, and transmits the generated statistical information from the transceiver.
    Type: Grant
    Filed: April 26, 2021
    Date of Patent: November 14, 2023
    Assignee: PANASONIC INTELLECTUAL PROPERTY CORPORATION OF AMERICA
    Inventors: Tomoyuki Haga, Yuishi Torisaki, Manabu Maeda, Ryo Kato
  • Patent number: 11818045
    Abstract: Embodiments of the present invention provide a system for dynamically monitoring and filtering data packets associated with accessing one or more entity resources. The system is configured for identifying a data packet in a network comprising at least a first data unit and a second data unit, determining that the first data unit and the second data unit of the data packet are attempting to access an entity resource, determining that first data associated with the first data unit and second data associated with the second data unit cannot access the entity resource at a same instance based on a first signature bit associated with the first data unit and a second signature bit associated with the second data unit, and attenuating the first data unit or the second data unit from the data packet based on the first signature bit and the second signature bit.
    Type: Grant
    Filed: April 5, 2021
    Date of Patent: November 14, 2023
    Assignee: BANK OF AMERICA CORPORATION
    Inventors: Sasidhar Purushothaman, Sravan Kumar Kommu, Ramkumar Masilamani, Ramaiah Muvvala, Sajid A. Shah, Manohar Reddy Singamareddy, Srikanth Vemula
  • Patent number: 11811734
    Abstract: An HTTP connection between a client computing device and an application is established through a reverse proxy. A response to the client computing device includes a payload instructing initiation of a non-HTTP connection (e.g., TCP, UDP). The response is modified to replace references to an original port with a dynamic port allocated to the non-HTTP connection and a temporary ACL entry is created. A subsequent connection request addressed to the dynamic port is authorized per the ACL, modified to replace the dynamic port with the original port, and forwarded to the application. Subsequent packets for the non-HTTP connection have port numbers translated between the original and dynamic ports.
    Type: Grant
    Filed: June 17, 2021
    Date of Patent: November 7, 2023
    Assignee: Prosimo Inc
    Inventors: Howard Chen, Arunabha Saha, Prashanth Prabhu
  • Patent number: 11805106
    Abstract: A system and method for trigger-based scanning of cyber-physical assets, including a distributed operating system, parameter evaluation engine, at least one cyber-physical asset, at least one crypt-ledger, a network, and a scanner that detects trigger conditions and events and performs scans of cyber-physical assets based on the trigger and any relevant stored scan rules before storing scan results as time-series data.
    Type: Grant
    Filed: December 31, 2020
    Date of Patent: October 31, 2023
    Assignee: QOMPLX, INC.
    Inventors: Jason Crabtree, Andrew Sellers
  • Patent number: 11790121
    Abstract: An appliance includes an external communication port, such as an RJ45 port, and a wireless communication module in wireless communication with a remote server through an external network. A controller is configured to detect port activity at the external communication port, e.g., by detecting a plug-in or data transfer, transmit a notification of the port activity to the remote server using the wireless communication module, receive an activity assessment, e.g., such as an activity approval or disapproval, from the remote server, and adjust at least one operating parameter of the appliance in response to the activity assessment.
    Type: Grant
    Filed: July 23, 2021
    Date of Patent: October 17, 2023
    Assignee: Haier US Appliance Solutions, Inc.
    Inventors: John Gilman Chapman, Jr., Ryan James Scheckelhoff
  • Patent number: 11777859
    Abstract: A method for guaranteeing data transmission and a communications device are provided. The method for guaranteeing data transmission, applied to a terminal, includes: obtaining information of an IPsec tunnel, where the IPsec tunnel is used for transmitting information between the terminal and a second network; and performing a related operation for a tunnel of a first network based on the information of the IPsec tunnel.
    Type: Grant
    Filed: June 10, 2021
    Date of Patent: October 3, 2023
    Assignee: VIVO MOBILE COMMUNICATION CO., LTD.
    Inventor: Xiaowan Ke
  • Patent number: 11770406
    Abstract: Systems and methods for mitigating cyberattacks are described herein. A computing system can detect illegitimate network traffic associated with a cyberattack in network traffic. The computing system can determine an amplification factor of the cyberattack based in part on a probability distribution of the illegitimate network traffic. The computing system can determine a filter to demotivate a generation of the illegitimate network traffic. The determined filter can reduce the amplification factor of the cyberattack. The computing system can implement the determined filter to block the illegitimate network traffic.
    Type: Grant
    Filed: February 23, 2021
    Date of Patent: September 26, 2023
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Yuanjie Li, Kyu-Han Kim, Qianru Li
  • Patent number: 11757941
    Abstract: A computer performs dynamic address isolation. The computer comprises an application associated with an application address, a network interface coupled to receive incoming data packets from and transmit outgoing data packets to an external network, a network address translation engine configured to translate between the application address and a public address, and a driver for automatically forwarding the outgoing data packets to the network address translation engine to translate the application address to the public address, and for automatically forwarding the incoming data packets to the network address translation engine to translate the public address to the application address. The computer may communicate with a firewall configured to handle both network-level security and application-level security.
    Type: Grant
    Filed: March 16, 2021
    Date of Patent: September 12, 2023
    Assignee: CUPP Computer AS
    Inventor: Shlomo Touboul
  • Patent number: 11757747
    Abstract: A device may determine internet protocol (IP) traffic monitoring criteria and may monitor IP traffic based on the IP traffic monitoring criteria. The device may update, based on monitoring the IP traffic, a table of currently active IP traffic flows and may update, based on the table of currently active IP traffic flows, an address resolution protocol (ARP) packet filter. The device may receive one or more ARP packets from a different device and may determine whether to accept or discard the one or more ARP packets based on the ARP packet filter. The device may update an ARP table based on determining to accept the one or more ARP packets.
    Type: Grant
    Filed: June 25, 2021
    Date of Patent: September 12, 2023
    Assignee: Juniper Networks, Inc.
    Inventor: Shijo Thomas
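    Worked illustration of the flow-driven ARP filter described in the abstract above, written as an added example (not Juniper's code or the patent's claimed implementation). It assumes a simplified model: the monitoring criteria are a list of IP prefixes, a flow is identified by (src, dst, protocol) and ages out after an idle timeout, and the ARP packet filter is simply the set of IP addresses that appear in currently active flows. ARP packets whose sender IP is not in that set are discarded and never reach the ARP table.

```python
"""Flow-driven ARP packet filter (added example; simplified model, not Juniper's code)."""
from dataclasses import dataclass
import ipaddress


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    last_seen: float


class FlowDrivenArpFilter:
    def __init__(self, monitor_prefixes, idle_timeout=60.0):
        # IP traffic monitoring criteria (assumption): only flows that touch one of
        # these prefixes are tracked at all.
        self.monitor = [ipaddress.ip_network(p) for p in monitor_prefixes]
        self.idle_timeout = idle_timeout
        self.flows = {}          # (src, dst, proto) -> Flow   (table of active flows)
        self.allowed_ips = set() # the ARP packet filter derived from that table
        self.arp_table = {}      # ip -> mac, only ever fed by accepted ARP packets

    def _monitored(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.monitor)

    def observe_ip(self, src, dst, proto, now):
        """Called for every monitored IP packet; refreshes the active-flow table."""
        if not (self._monitored(src) or self._monitored(dst)):
            return
        self.flows[(src, dst, proto)] = Flow(src, dst, proto, now)
        self._rebuild_filter(now)

    def _rebuild_filter(self, now):
        # Expire idle flows, then recompute the ARP filter from what is left.
        expired = [k for k, f in self.flows.items() if now - f.last_seen > self.idle_timeout]
        for k in expired:
            del self.flows[k]
        self.allowed_ips = {ip for f in self.flows.values() for ip in (f.src, f.dst)}

    def handle_arp(self, sender_ip, sender_mac, now):
        """Accept or discard an ARP packet; the ARP table is updated only on accept."""
        self._rebuild_filter(now)
        if sender_ip not in self.allowed_ips:
            return False                      # discard: no active IP flow involves this sender
        self.arp_table[sender_ip] = sender_mac
        return True
```

    The point of driving the ARP filter from the flow table is that an unsolicited ARP reply (the classic poisoning move) for an address nobody is talking to is dropped before it can touch the cache, while a host that is actively exchanging IP traffic can still update its mapping.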
  • Patent number: 11757888
    Abstract: Systems, devices, and methods are discussed for forward testing rule sets at a granularity that is less than all activity on the network. In some cases, the granularity is that of an individual application.
    Type: Grant
    Filed: June 15, 2021
    Date of Patent: September 12, 2023
    Assignee: Fortinet, Inc.
    Inventors: Rajiv Sreedhar, Manuel Nedbal, Manoj Ahluwalia, Damodar K. Hegde, Jitendra B. Gaitonde, Suresh Rajanna, Mark Lubeck, Gary Nool
  • Patent number: 11757935
    Abstract: Methods to secure against IP address thefts by rogue devices in a virtualized datacenter are provided. Rogue devices are detected and distinguished from a migration of an endpoint in a virtualized datacenter. A first hop network element in one or more network fabrics intercepts a request that includes an identity of an endpoint and performs a local lookup for the endpoint entity identifier. Based on the lookup not finding the endpoint entity identifier, the first hop network element broadcasts a message such as a remote media access address (MAC) query to other network elements in the one or more network fabrics. Based on the received response, which may include an IP address associated with the MAC address, the first hop network element performs a theft validation process to determine whether the request originated from a migrated endpoint or a rogue device.
    Type: Grant
    Filed: May 4, 2022
    Date of Patent: September 12, 2023
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Govind Prasad Sharma, Eshwar Rao Yedavalli, Mohammed Javed Asghar, Ashwath Kumar Chandrasekaran, Swapnil Mankar, Umamaheswararao Karyampudi
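    The local-lookup, remote-query, theft-validation sequence from the abstract above, simulated in code as an added example (not Cisco's implementation). The fabric, the query and response messages and the validation rule are assumptions: a remote element that already knows the same MAC bound to the same IP means a migration; an IP already bound to a different MAC anywhere in the fabric means a rogue; otherwise the endpoint is new and simply learned.

```python
"""Migration-vs-theft validation at a first-hop fabric element (added example, assumed rules)."""
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    KNOWN = "already learned locally"
    NEW_ENDPOINT = "new endpoint, learned locally"
    MIGRATED = "endpoint migrated from another fabric element"
    ROGUE = "rogue device: IP already bound to a different MAC"


@dataclass
class FabricElement:
    name: str
    endpoints: dict = field(default_factory=dict)   # endpoint identity (MAC) -> IP
    peers: list = field(default_factory=list)       # other elements in the fabric(s)

    def answer_remote_mac_query(self, mac):
        # Response to the broadcast: the IP we have bound to this MAC, if any.
        ip = self.endpoints.get(mac)
        return (self.name, ip) if ip else None

    def answer_remote_ip_query(self, ip):
        # Assumed second query: who currently owns this IP, and under which MAC.
        for mac, known_ip in self.endpoints.items():
            if known_ip == ip:
                return (self.name, mac)
        return None

    def handle_request(self, mac, ip):
        """Intercepted request announcing endpoint identity `mac` with address `ip`."""
        # 1. Local lookup for the endpoint entity identifier.
        if self.endpoints.get(mac) == ip:
            return Verdict.KNOWN
        # 2. Local miss: broadcast a remote MAC query to the other fabric elements.
        remote_hits = [r for r in (p.answer_remote_mac_query(mac) for p in self.peers) if r]
        # 3. Theft validation (assumed rule).
        if any(remote_ip == ip for _, remote_ip in remote_hits):
            # Same identity and same IP seen behind another first hop: a migration.
            for peer in self.peers:
                peer.endpoints.pop(mac, None)     # old location is withdrawn
            self.endpoints[mac] = ip
            return Verdict.MIGRATED
        owners = [self.answer_remote_ip_query(ip)] + [p.answer_remote_ip_query(ip) for p in self.peers]
        if any(o for o in owners if o and o[1] != mac):
            return Verdict.ROGUE                   # IP is claimed by a different identity
        self.endpoints[mac] = ip
        return Verdict.NEW_ENDPOINT
```

    In a real fabric the MAC query would go over the control plane (and a race between a genuine migration and a theft attempt is exactly what the validation step has to resolve); the simulation keeps the two elements in one process so the ordering is explicit.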
  • Patent number: 11757909
    Abstract: Methods and systems for generating a security policy at a gateway are disclosed. A server computer and a gateway can perform a protocol in order to train a security model at a gateway, such that it can detect attack packets and prevent those attack packets from reaching the server computer via the gateway. In a learning phase, the server computer can provide training packets and test packets to the gateway. The gateway can use the training packets to train a security model, and the gateway can classify the test packets using the security model in order to test its accuracy. When the server computer is satisfied with the accuracy of the security policy, the server computer can transmit an acceptance of the security policy to the gateway, which can subsequently deploy the model in order to detect and filter attack packets.
    Type: Grant
    Filed: June 10, 2021
    Date of Patent: September 12, 2023
    Assignee: Visa International Service Association
    Inventors: Abhinav Aggarwal, Mahdi Zamani, Mihai Christodorescu
  • Patent number: 11757844
    Abstract: Techniques for providing a smart proxy for a large scale high-interaction honeypot farm are disclosed. In some embodiments, a system/method/computer program product for providing a smart proxy for a large scale high-interaction honeypot farm includes receiving tunneled traffic at a smart proxy from a sensor for a honeypot farm that is executed in a honeypot cloud, wherein the tunneled traffic is forwarded attack traffic, and wherein the honeypot farm includes a plurality of container images of distinct types of vulnerable services; selecting a matching type of vulnerable service from the plurality of container images of distinct types of vulnerable services based on a profile of the attack traffic; and forwarding the tunneled traffic to an instance of the matching type of vulnerable service.
    Type: Grant
    Filed: January 13, 2022
    Date of Patent: September 12, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Zihang Xiao, Cong Zheng, Jiangxia Liu
  • Patent number: 11757936
    Abstract: Techniques for providing a large scale high-interaction honeypot farm are disclosed. In some embodiments, a system/method/computer program product for providing a large scale high-interaction honeypot farm includes sending traffic detected at a sensor to a smart proxy for a honeypot farm that is executed in a honeypot cloud, wherein the traffic is forwarded attack traffic that is sent using a tunneling protocol, and wherein the honeypot farm includes a plurality of container images of distinct types of vulnerable services; selecting a matching type of vulnerable service from the plurality of container images of distinct types of vulnerable services based on a profile of the attack traffic; forwarding the traffic to an instance of the matching type of vulnerable service; and executing a security agent associated with the instance of the matching type of vulnerable service to identify a threat by monitoring behaviors and detecting anomalies or post exploitation activities.
    Type: Grant
    Filed: January 13, 2022
    Date of Patent: September 12, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Zihang Xiao, Cong Zheng, Jiangxia Liu
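    The two Palo Alto Networks abstracts above both hinge on one step: profiling forwarded attack traffic and selecting the matching vulnerable-service container. The following added example (not the patent holder's code) shows one way to do that profiling from the destination port plus the leading payload bytes, and a smart proxy that pins each attacker session to one instance of the selected image. The fingerprints, image names and instance pool are assumptions.

```python
"""Attack-traffic profiling and honeypot-instance selection (added example, assumed fingerprints)."""
import re

# Assumed fingerprints: (expected dst port, regex over leading payload bytes) -> container image.
FINGERPRINTS = [
    (22,   rb"^SSH-\d\.\d",                                  "honeypot/openssh-vuln"),
    (80,   rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]",            "honeypot/httpd-vuln"),
    (6379, rb"^\*\d+\r\n\$\d+\r\n(INFO|CONFIG|SET)",         "honeypot/redis-unauth"),
    (445,  rb"^\x00\x00..\xffSMB|^\x00\x00..\xfeSMB",        "honeypot/smb-vuln"),
]
DEFAULT_IMAGE = "honeypot/generic-tcp"


def profile(dst_port, payload):
    """Pick the vulnerable-service image that best matches the attack traffic."""
    for port, pattern, image in FINGERPRINTS:
        if dst_port == port and re.match(pattern, payload, re.DOTALL):
            return image
    # Scanners hit well-known protocols on odd ports; honour the protocol over the port.
    for _, pattern, image in FINGERPRINTS:
        if re.match(pattern, payload, re.DOTALL):
            return image
    return DEFAULT_IMAGE


class SmartProxy:
    def __init__(self, pools):
        self.pools = pools        # image -> list of instance addresses in the honeypot cloud
        self.sticky = {}          # (attacker ip, dst port) -> instance, keeps a session on one box
        self.next_index = {}      # per-image round-robin cursor

    def route(self, attacker_ip, dst_port, payload):
        key = (attacker_ip, dst_port)
        if key in self.sticky:
            return self.sticky[key]
        image = profile(dst_port, payload)
        pool = self.pools.get(image) or self.pools[DEFAULT_IMAGE]
        idx = self.next_index.get(image, 0)
        instance = pool[idx % len(pool)]
        self.next_index[image] = idx + 1
        self.sticky[key] = instance
        return instance
```

    Stickiness matters for the second abstract's security agent: post-exploitation behaviour (a dropped binary, an outbound callback) is only observable if the attacker's follow-up connections land on the same instance they compromised.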
  • Patent number: 11757940
    Abstract: Some embodiments provide a method for a network management and control system that manages a virtual infrastructure deployed across a set of datacenters. The method receives a definition of an application to be deployed in the virtual infrastructure. The application definition specifies a requirement that the application receive data traffic from sources external to the virtual infrastructure. Based on the application definition, the method defines a first set of firewall rules for the application that indicate conditions for allowing data traffic from sources external to the virtual infrastructure. For an existing second set of higher-level firewall rules for data traffic entering and exiting the virtual infrastructure, the method specifies a new firewall rule that directs a network element implementing the sets of firewall rules to apply the first set of firewall rules to any data traffic that is from sources external to the virtual infrastructure and directed to the application.
    Type: Grant
    Filed: November 24, 2020
    Date of Patent: September 12, 2023
    Assignee: VMWARE, INC.
    Inventors: Sachin Mohan Vaidya, Kausum Kumar, Jayant Jain, Shadab Shah, Anirban Sengupta
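    The two-level rule structure in the abstract above (a higher-level set for traffic entering and leaving the infrastructure, plus a new rule that hands external traffic for one application to that application's own rule set) is easy to get wrong in ordering. The following added example (not VMware's code) models it with a minimal rule language; the address space of the virtual infrastructure, the rule fields and the application definition format are assumptions.

```python
"""Two-level firewall rule evaluation with a jump rule (added example, assumed rule syntax)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed address space of the virtual infrastructure


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Rule:
    action: str                          # "allow", "drop" or "jump"
    src_external: Optional[bool] = None  # match on whether the source is outside INTERNAL
    dst: Optional[str] = None            # destination prefix
    dport: Optional[int] = None
    proto: Optional[str] = None
    target: Optional[str] = None         # rule set name for "jump"

    def matches(self, pkt):
        if self.src_external is not None:
            if (ipaddress.ip_address(pkt.src) not in INTERNAL) != self.src_external:
                return False
        if self.dst is not None and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        return True


def app_rules_from_definition(app_def):
    """First set of rules: what the application definition allows from external sources."""
    rules = [Rule("allow", src_external=True, dst=app_def["prefix"], dport=p, proto="tcp")
             for p in app_def["external_ports"]]
    rules.append(Rule("drop"))           # everything else reaching this set is dropped
    return rules


def build_rule_sets(app_def, existing_top_level):
    """Second (higher-level) set gains one new rule that delegates to the app's set."""
    jump = Rule("jump", src_external=True, dst=app_def["prefix"], target=app_def["name"])
    # The jump must precede the existing rules, otherwise a broad top-level rule wins first.
    return {"top": [jump] + list(existing_top_level), app_def["name"]: app_rules_from_definition(app_def)}


def evaluate(rule_sets, pkt, start="top", depth=0):
    """First-match evaluation; unmatched traffic is dropped (implicit default deny)."""
    if depth > 8:
        raise RuntimeError("rule set loop")
    for rule in rule_sets[start]:
        if rule.matches(pkt):
            if rule.action == "jump":
                return evaluate(rule_sets, pkt, rule.target, depth + 1)
            return rule.action
    return "drop"
```

    Note the placement of the jump rule: if the existing top-level set ends with a blanket drop for external sources and the jump were appended after it, the application's own allow rules would never be reached.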
  • Patent number: 11757885
    Abstract: Outbound traffic of a host application may be received from a host device having a host processor. The secure resource may be configured to provide a secure transaction based on the outbound network traffic. Using a second processor different than the host processor, it may be determined whether the host application is authorized to provide the outbound network traffic to the secure resource. The outbound network traffic may be allowed to be forwarded to the secure resource if the host application is authorized. The outbound network traffic may be disallowed to be forwarded to the secure resource if the host application is not authorized.
    Type: Grant
    Filed: January 26, 2021
    Date of Patent: September 12, 2023
    Assignee: CUPP Computing AS
    Inventor: Shlomo Touboul
  • Patent number: 11750565
    Abstract: A method at a system including a firewall and at least one application, the method including obtaining, at the at least one application, a new address for a service provider for the at least one application; triggering a firewall update; obtaining a new firewall configuration; and updating the firewall, wherein the updating the firewall allows a connection from the at least one application to the new address for the service provider.
    Type: Grant
    Filed: January 21, 2022
    Date of Patent: September 5, 2023
    Assignee: BlackBerry Limited
    Inventors: Michaela Vanderveen, Stephen John Barrett
  • Patent number: 11736527
    Abstract: A multi-enterprise system for selecting custom high-value sets of SIEM rules for individual member enterprises communicates with member enterprises via network connections. User interfaces are implemented to enable member enterprises to access the system for search, download, and other functions. Advanced rule identification using a sophisticated security knowledge graph enhances processing efficiency and effectiveness.
    Type: Grant
    Filed: September 4, 2020
    Date of Patent: August 22, 2023
    Assignee: ANVILOGIC, INC.
    Inventors: Satheesh Kumar Joseph Durairaj, Deb Banerjee, Karthik Kannan
  • Patent number: 11736496
    Abstract: A data security system, including a security manager computer making network application programming interface (API) calls to a cloud-based service that performs data exchange transactions among end users, the API calls remotely controlling the cloud-based service so that the security manager computer accesses transactions that have entered the cloud-based service, whereby an end user may forward a transaction received through the cloud-based service to a central authority as being a potentially harmful or deceptive transaction, and a data inspector operative to analyze a transaction as being indeed harmful or deceptive, by applying machine learning, wherein the security manager computer controls the cloud-based service so as to transmit to the security manager transactions forwarded to the central authority, instead of or in addition to transmitting these transactions to the central authority, for analysis by the data inspector.
    Type: Grant
    Filed: February 16, 2021
    Date of Patent: August 22, 2023
    Assignee: AVANAN, INC.
    Inventors: Roy Rotem, Gil Friedrich
  • Patent number: 11736466
    Abstract: A device is described that includes a first microprocessor configured for interfacing with a digital access control backend, and a second microprocessor configured for dedicated communications with an access control manager device backend. The first microprocessor is a master device that controls the operation of the second microprocessor as a secondary device. The proposed device is configured for operation of the first microprocessor and the second microprocessor at low clock speeds and to maintain a hash segregation between locally received data sets and data sets transmitted to an external authentication system.
    Type: Grant
    Filed: September 18, 2020
    Date of Patent: August 22, 2023
    Assignee: BIOCONNECT INC.
    Inventors: Courtney Ryan Gibson, Robert Douglas
  • Patent number: 11729188
    Abstract: Device and method for intrusion detection in a computer network. A data packet is received at an input of a hardware switch unit, an actual value from a field of the data packet being compared in a comparison by a hardware filter with a setpoint value for values from the field, the field including data link layer data or network layer data, a value for a counter determined as a function of a result of the comparison being provided by the hardware switch unit, and a computing device determining a result of the intrusion detection as a function of the value of the counter in the hardware switch unit and independently of information from the data packet, in particular, without an evaluation of information from the data packet by the computing device.
    Type: Grant
    Filed: July 7, 2020
    Date of Patent: August 15, 2023
    Assignee: ROBERT BOSCH GMBH
    Inventors: Andreas Weber, Janin Wolfinger, Jens Gramm, Michael Herrmann, Wolfram Gottschlich
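    A simulation of the split described in the abstract above, added here as an example (not Bosch's implementation): the "hardware" side compares one header field of each frame against a setpoint and only increments a counter, and the "computing device" side decides from the counter value alone, without ever seeing a packet. The frame layout, the choice of filtered field and the threshold are assumptions; the frames are constructed inline.

```python
"""Counter-only intrusion detection split between a hardware filter and a host (added example)."""
import ipaddress
import struct

ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")    # minimal 20-byte IPv4 header


def packed_ip(ip):
    return ipaddress.ip_address(ip).packed


def build_frame(src_ip, dst_ip, ethertype=0x0800, proto=17, payload=b""):
    """Constructed Ethernet+IPv4 frame used as sample input (MACs are placeholders)."""
    ip = IPV4_HDR.pack(0x45, 0, IPV4_HDR.size + len(payload), 0, 0, 64, proto, 0,
                       packed_ip(src_ip), packed_ip(dst_ip))
    eth = ETH_HDR.pack(b"\x02" * 6, b"\x04" * 6, ethertype)
    return eth + ip + payload


class HardwareFilter:
    """Models the switch-side filter: one data-link or network-layer field is compared
    against a setpoint, and a counter is the only state exposed to the host."""
    FIELDS = {
        "ethertype": lambda f: ETH_HDR.unpack_from(f)[2],
        "ip_proto":  lambda f: IPV4_HDR.unpack_from(f, ETH_HDR.size)[6],
        "src_ip":    lambda f: IPV4_HDR.unpack_from(f, ETH_HDR.size)[8],
    }

    def __init__(self, field_name, setpoint):
        self.extract = self.FIELDS[field_name]
        self.setpoint = setpoint
        self.counter = 0

    def ingest(self, frame):
        if self.extract(frame) != self.setpoint:
            self.counter += 1          # mismatch against the setpoint

    def read_counter(self):
        return self.counter


def detect_intrusion(counter_value, threshold):
    """Computing-device side: a verdict from the counter alone (assumed: more than
    `threshold` mismatches in the observation window means intrusion)."""
    return counter_value > threshold
```

    The security value of this split is that the host never parses attacker-controlled bytes, so a malformed frame cannot reach a vulnerable parser on the computing device; the cost is that the verdict is coarse, which is why the threshold and the choice of field matter.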
  • Patent number: 11729192
    Abstract: Detection and notification of malware at a user device may be performed by a validation server. The user device may hash elements associated with a document object model of a webpage and send generated hash values to the validation server. The validation server may validate the hash values. Based on detection of hash values corresponding to elements maliciously-injected by malware, the validation server may send one or more notifications to other servers that may communicate with the user device.
    Type: Grant
    Filed: March 16, 2021
    Date of Patent: August 15, 2023
    Assignee: Bank of America Corporation
    Inventors: Joel Richard Townsend, John Raymond Omernik, William Anderson Hodges
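    The hash-and-validate flow in the abstract above, as an added example (not Bank of America's code). The client side is modelled with Python's HTML parser rather than a browser DOM, the canonical form of an element (tag plus sorted attributes) and the set of watched elements are assumptions, and the two pages are constructed inline: a baseline login page and the same page with a field and a script injected, as a web-injecting banking trojan would do.

```python
"""DOM element hashing with server-side validation (added example, assumed canonical form)."""
import hashlib
from html.parser import HTMLParser

# Constructed sample pages; the injected hostname is a placeholder.
BASELINE_HTML = (
    "<html><body><form action='/login' method='post'>"
    "<input name='user' type='text'><input name='pass' type='password'>"
    "</form><script src='/static/app.js'></script></body></html>"
)
INJECTED_HTML = BASELINE_HTML.replace(
    "</form>", "<input name='pin' type='text'></form>"
).replace(
    "</body>", "<script src='https://evil.example/inject.js'></script></body>"
)


class ElementHasher(HTMLParser):
    """Client side: one SHA-256 per element of interest (assumed: script, form, input, iframe)."""
    WATCH = {"script", "form", "input", "iframe"}

    def __init__(self):
        super().__init__()
        self.hashes = []

    def handle_starttag(self, tag, attrs):
        if tag in self.WATCH:
            attrs = sorted(attrs, key=lambda kv: kv[0])
            canonical = tag + "|" + "&".join(f"{k}={v or ''}" for k, v in attrs)
            self.hashes.append(hashlib.sha256(canonical.encode()).hexdigest())

    handle_startendtag = handle_starttag


def hash_dom(html):
    parser = ElementHasher()
    parser.feed(html)
    return parser.hashes


class ValidationServer:
    """Server side: compares submitted hashes against the known-good set for the page."""

    def __init__(self, known_good_html, known_malicious=()):
        self.expected = set(hash_dom(known_good_html))
        self.malicious = set(known_malicious)
        self.notifications = []      # what would be sent to the other servers

    def validate(self, session_id, client_hashes):
        unexpected = [h for h in client_hashes if h not in self.expected]
        missing = sorted(self.expected - set(client_hashes))
        verdict = {
            "unexpected": unexpected,
            "missing": missing,
            "known_malicious": [h for h in unexpected if h in self.malicious],
        }
        if unexpected or missing:
            self.notifications.append((session_id, "possible DOM tampering"))
        return verdict
```

    Hashing is done per element rather than over the whole page so that legitimate dynamic content elsewhere does not mask an injected form field, and so that a hash seen across many sessions can be added to the known-malicious list once and matched everywhere.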
  • Patent number: 11729148
    Abstract: A method including receiving, at a VPN server from a user device during an established VPN connection between the VPN server and the user device, a data request for the VPN server to retrieve data of interest from a host device; utilizing, by the VPN server, a first exit IP address to transmit a query for retrieving the data of interest to the host device during the established VPN connection; determining, by the VPN server based at least in part on transmitting the query, that the first exit IP address is blocked by the host device; and utilizing, by the VPN server, a second exit IP address to retransmit the query for retrieving the data of interest to the host device during the established VPN connection is disclosed. Various other aspects are contemplated.
    Type: Grant
    Filed: September 4, 2022
    Date of Patent: August 15, 2023
    Assignee: UAB 360 IT
    Inventors: Karolis Pabijanskas, Zenonas Funka
  • Patent number: 11722510
    Abstract: Aspects of the disclosure relate to monitoring virtual desktops accessed by devices at remote locations using machine-learning models to mitigate potential cyber-attacks. In some embodiments, a computing platform may monitor data associated with a series of activities from a virtual desktop accessed by a remote computing device. Subsequently, the computing platform may detect new activity data on the virtual desktop accessed by the remote computing device, and evaluate the new activity data relative to the data associated with the series of activities, wherein evaluating includes applying a machine learning model to the new activity data. Based on evaluating the new activity data, the computing platform may determine if the new activity data is indicative of a potential cyber-attack. In response to determining that the new activity data is indicative of a potential cyber-attack, the computing platform may initiate one or more security response actions.
    Type: Grant
    Filed: August 10, 2020
    Date of Patent: August 8, 2023
    Assignee: Bank of America Corporation
    Inventor: Patrick Lewis
  • Patent number: 11716314
    Abstract: Described embodiments provide systems and apparatuses for enhanced quality of service, steering and policy enforcement for https traffic via intelligent in-line path discovery of a TLS terminating node. The system may include a first network device having a secure connection traversing through the first network device, and in communication with a second network device. The first network device and the second network device may be intermediary to a client device and a server. The first network device may determine that the second network device terminates the secure connection. The first network device may receive key generation information of the secure connection from the second network device following determining the second network device terminates the secure connection.
    Type: Grant
    Filed: May 4, 2021
    Date of Patent: August 1, 2023
    Inventors: J Mohan Rao Arisankala, Chaitra Maraliga Ramaiah, Karthick Srivatsan