Fortinet Patent Grants

Direct cache access for network input/output devices

Granted: July 18, 2017
Patent Number: 9712544
Methods and systems for improving efficiency of direct cache access (DCA) are provided. According to one embodiment, a set of DCA control settings are defined by a network interface controller (NIC) of a network security device for each of multiple I/O device queues. The control settings specify portions of network packets that are to be copied to a cache of the corresponding CPU. A packet is received by the NIC. The packet is parsed to identify boundaries of portions of the packet and…

Repurposing protocol messages to facilitate handoff

Granted: July 18, 2017
Patent Number: 9713045
A control element identifies the possibility that a station will transfer to a destination AP, and prepares that destination for a handoff. The control element repurposes messages from the station which indicate a possible near-term handoff, to prepare access points to receive that handoff. The control element treats a neighbor list request as a trigger to select which APs to identify, to restrict the neighbor list to selected APs, and to prepare each selected AP for a handoff. In…

Extension of Wi-Fi services multicast to a subnet across a Wi-Fi network using software-defined networking (SDN) to centrally control data plane behavior

Granted: July 11, 2017
Patent Number: 9705694
Wi-Fi services multicast to a subnet in a software-defined network (SDN) are extended. An SDN controller centrally monitors a data plane of a Wi-Fi network. Advertisements for services within a first subnet by an advertising station are forwarded to the SDN controller. Parameters of the service of the advertising station are extracted for storage by performing deep packet inspection on the one or more packets. Queries for services within a second subnet by a querying station are also…

Directing clients based on communication format

Granted: July 4, 2017
Patent Number: 9699138
Methods and systems for redirecting client requests are provided. According to one embodiment, a system includes a processor and a memory coupled to the processor and configured to provide the processor with instructions. A request is received from a client capable of communicating via multiple supported communication formats. The request is capable of being serviced by multiple servers each of which are configured to communicate via a different communication format. A server is selected…

Mobile hotspot managed by access controller

Granted: July 4, 2017
Patent Number: 9699144
Systems and methods are described for a mobile hotspot that can be managed by an access controller. According to an embodiment, a WAN connection is established by a mobile hotspot through a telecommunication data network via a wireless WAN module. When in a first mode, the mobile hotspot: (i) sets up a secure tunnel through the WAN connection with an AC of the enterprise that manages APs of a wireless network of an enterprise; (ii) broadcasts an SSID that is also broadcast by the APs;…

Scalable inline behavioral DDoS attack mitigation

Granted: July 4, 2017
Patent Number: 9699211
Methods and systems for a scalable solution to behavioral Distributed Denial of Service (DDoS) attacks targeting a network are provided. According to one embodiment, a method to determine the scaling treatment is provided for various granular layer parameters of the Open System Interconnection (OSI) model for communication systems. A hardware-based apparatus helps identify packet rates and determine packet rate thresholds through continuous and adaptive learning with multiple DDoS attack…

Detecting malicious resources in a network based upon active client reputation monitoring

Granted: June 27, 2017
Patent Number: 9692782
Systems and methods for detecting malicious resources by analyzing communication between multiple resources coupled to a network are provided. According to one embodiment, a method is performed for client reputation monitoring. A monitoring unit within a network observes activities relating to multiple monitored devices within the network. For each observed activity, the monitoring unit assigns a score to the observed activity based upon a policy of multiple policies established within…

Logging attack context data

Granted: June 20, 2017
Patent Number: 9686309
Methods and systems for improved attack context data logging are provided. According to one embodiment, configuration information is received from an administrator of a network security device. The configuration information includes information indicative of a quantity of packets to be captured for post attack analysis. Responsive to receipt of the configuration information, a size of a circular buffer is configured based thereon. Multiple packets directed to a network protected by the…

Virus co-processor instructions and methods for using such

Granted: June 13, 2017
Patent Number: 9679138
Circuits and methods for detecting, identifying and/or removing undesired content are provided. According to one embodiment, a system includes a co-processor (CP), a first memory, a general purpose processor (GPP) and a second memory. The first memory is associated with the CP and coupled to the CP. The first memory includes a first signature compiled for execution on the CP. The GPP is coupled to the CP. The second memory is associated with the GPP and coupled to the CP and to the GPP.…

Securing internet of things (IOT) RF (radio frequency) location tags using source addresses to locate stations on a Wi-Fi network

Granted: June 13, 2017
Patent Number: 9679171
RF tags using source addresses to locate stations on a Wi-Fi network are secured. An RF location server receives a pseudo source address of an RF (radio frequency) tag from a station. The station obtains the pseudo source address while being within radio range of the RF tag and receiving a beacon frame from the RF tag. A source address for the RF tag is looked up utilizing the pseudo source address, and a specific location for the RF tag is looked up utilizing the source…

Facilitating content accessibility via different communication formats

Granted: June 13, 2017
Patent Number: 9680791
Facilitating content accessibility via different communication formats is disclosed. In some embodiments, in response to receiving a content request from an IPv6 enabled client, the requested content is provided to the IPv6 enabled client in IPv6 format, wherein the requested content is originally obtained in IPv4 format from an IPv4 enabled server and translated into IPv6 format.

Socket application program interface (API) for efficient data transactions

Granted: June 13, 2017
Patent Number: 9680918
Methods and systems for efficient data transactions between applications running on devices associated with the same host are provided. According to one embodiment, a host system includes an HTTP proxy and an SSL/TLS proxy operatively coupled with each other. The SSL/TLS proxy may be configured to perform SSL negotiation with a client and the HTTP proxy may be configured to communicate with a web server in clear text. Data can be transferred directly between the proxies through a pair of connected…

Deauthenticating and disassociating unauthorized access points with spoofed management frames

Granted: June 13, 2017
Patent Number: 9681299
A spoofed management frame is sent to an unauthorized access point (AP) on behalf of a station from an authorized AP, using a media access control (MAC) address of the station. The spoofed frame triggers a security association (SA) query from an unauthorized AP to reestablish valid communications. An acknowledgment (ACK) frame sent from the client to the unauthorized AP responsive to the SA query request is detected by the AP. A probe response is sent to the client. The probe response…

Computerized system and method for deployment of management tunnels

Granted: June 6, 2017
Patent Number: 9673987
Methods and systems for deploying management tunnels between managed and managing devices are provided. According to one embodiment, the use of PKI-authenticated serial numbers within network devices manufactured by a particular manufacturer enables one-step provisioning of one or more managed devices. A managed device is provisioned with the serial number of a management device manufactured by the particular manufacturer. When the managed device is installed within a network, the…

Centralized management of access points

Granted: June 6, 2017
Patent Number: 9674037
Systems and methods are provided for centralized access, control, and management of APs. According to one embodiment, multiple APs of a private IP network are decoupled from potentially transient IP addresses by assigning a unique identifier to each of the multiple APs by an AC. An AC GUI is presented by the AC to an administrator through which (i) commands are provided by the administrator and (ii) the administrator is provided with access to a first AP of the multiple APs responsive to…

Secure system for allowing the execution of authorized computer program code

Granted: May 30, 2017
Patent Number: 9665708
Systems and methods for selective authorization of code modules are provided. According to one embodiment, a kernel-level driver within a kernel of an operating system of a computer system intercepts activity in connection with a file system associated with the computer system or the operating system relating to a code module. A determination is made by the kernel-level driver regarding whether to allow the intercepted activity to proceed by performing a real-time authentication process…

Tunnel interface for securing traffic over a network

Granted: May 30, 2017
Patent Number: 9667604
Methods and systems for a flexible, scalable hardware and software platform that allows a managed security service provider to easily provide security services to multiple customers are provided. According to one embodiment, a method is provided for delivering customized network services to subscribers of the service provider. A request is received, at a service management system (SMS) of the service provider, to establish an Internet Protocol (IP) connection between a first and second…

Detecting malicious resources in a network based upon active client reputation monitoring

Granted: May 30, 2017
Patent Number: 9667647
Systems and methods for detecting malicious resources by analyzing communication between multiple resources coupled to a network are provided. According to one embodiment, a method of client reputation monitoring is provided. A monitoring unit executing on a network security device operable to protect a private network observes activities relating to multiple monitored devices within the private network. For each of the observed activities, a score is assigned by the monitoring unit…

Filtering hidden data embedded in media files

Granted: May 23, 2017
Patent Number: 9660958
Systems and methods for filtering unsafe content at a network security appliance are provided. According to one embodiment, a network security appliance captures network traffic and extracts a media file from the network traffic. The network security appliance then determines the presence of a hidden data item embedded in the media file in a machine-readable form. When such a hidden data item is identified, the network security appliance performs one or more actions on the media file…

Network interface card rate limiting

Granted: May 16, 2017
Patent Number: 9652417
Systems and methods for limiting the rate of packet transmission from a NIC to a host CPU are provided. According to one embodiment, data packets are received from a network by the NIC. The NIC is coupled to a host central processing unit (CPU) of a network appliance through a bus system. A status of the host CPU is monitored by the NIC. A rate limiting mode indicator is set by the NIC based on the status. When the rate limiting mode indicator indicates rate limiting is inactive, then…