Fortinet Patent Applications

MANAGEMENT OF A HOSTS FILE BY A CLIENT SECURITY APPLICATION

Granted: January 3, 2019
Application Number: 20190007455
Systems and methods for managing a host name resolution file by a client security manager are provided. In one embodiment, a client security manager acquires a remote host name resolution file maintained by a remote server or a network security appliance and imports the remote host name resolution file into a local host name resolution file of the client computer system. The local host name resolution file is used for resolving host names to internet protocol (IP) addresses on the client…

DETECTION AND MITIGATION OF TIME-DELAY BASED NETWORK ATTACKS

Granted: January 3, 2019
Application Number: 20190007426
Systems and methods for mitigation of time-delay based network attacks are provided. According to one embodiment, an email directed to a user of an enterprise and containing a potentially malicious link is received by a mail server of the enterprise. At a first time, a file to which the potentially malicious link points is evaluated within a sandbox environment and a first hash value is generated based on contents of the file. At a second time, a file to which the potentially malicious…

AUTOMATIC ELECTRONIC MAIL (EMAIL) ENCRYPTION BY EMAIL SERVERS

Granted: January 3, 2019
Application Number: 20190007423
Systems and methods for automated email encryption between email servers are provided. According to one embodiment, an email, originated by a sender using a client device coupled with a private network and directed to a recipient, is received by an email server associated with the private network. A key server is queried for public keys of the recipient and the sender. When the recipient's public key is returned by the key server, it is used to encrypt the email message; otherwise, no…

CENTRALIZED STATE DATABASE STORING STATE INFORMATION

Granted: January 3, 2019
Application Number: 20190005100
Systems and methods for a cloud state engine are provided. According to one embodiment, a query pertaining to state information associated with a packet to be processed by a first packet processing device of multiple packet processing devices associated with a distributed security environment is received by a centralized state engine running on a computing device associated with the distributed security environment. The state information associated with the packet influences how the…

CHECK VALVE FAN COVER

Granted: December 27, 2018
Application Number: 20180376614
A check valve cover to prevent backflow of air through a cooling fan. A circumferential base connects to a fan and to flaps arranged in an annular pattern; each flap has an outer substantially fixed portion and an inner un-fixed portion. The flaps are flexibly fixed at the outer fixed portion to the circumferential base and are freely movable at the inner un-fixed portion. Flaps may have a self-closing property and/or may incorporate one or more anti-vibration holes located between…

PATTERN MATCHING FOR DATA LEAK PREVENTION

Granted: December 27, 2018
Application Number: 20180373888
Systems and methods for preprocessing data to facilitate DLP pattern matching are provided. An input string is received by a Data Leak Prevention (DLP) system. The input string is converted by the DLP system into a fixed string pattern. The conversion is performed based on one or more of multiple class definitions, including a digit class, a letter class and a symbol class. A determination is then made by the DLP system regarding whether the input string contains potential sensitive data…

SECURITY SANITIZATION OF USB DEVICES

Granted: December 27, 2018
Application Number: 20180373864
Methods and systems for performing security sanitization of Universal Serial Bus (USB) devices are provided. According to one embodiment, the existence of a USB device connected to a USB port of a network security device is detected by the network security device. Responsive thereto, the network security device facilitates read and write access to a memory of the USB device by mounting the USB device within a file system of the network security device…

MANAGING WIRELESS CLIENT CONNECTIONS VIA NEAR FIELD COMMUNICATION

Granted: November 15, 2018
Application Number: 20180332630
Systems and methods for automatically obtaining WiFi profile data from an NFC device are provided. According to one embodiment, a client security application obtains a WiFi profile of a WiFi network via a near-field communication (NFC) device of the WiFi client device and establishes a WiFi connection with the WiFi network using the WiFi profile.

LEARNING NETWORK TOPOLOGY AND MONITORING COMPLIANCE WITH SECURITY GOALS

Granted: November 8, 2018
Application Number: 20180324218
Systems and methods for monitoring compliance with security goals by a network or part thereof are provided. According to one embodiment, a topology of a network segment of a private network is discovered by a network security device associated with the private network. Security policies implemented by one or more network security devices that form part of the network segment are learned by the network security device. Compliance with a security goal associated with the network segment…

NETWORK SECURITY FRAMEWORK BASED SCORING METRIC GENERATION AND SHARING

Granted: November 8, 2018
Application Number: 20180324219
Systems and methods are described for analysing, sharing and comparing security configurations. According to one embodiment, a security metric for a network segment of a private network is generated based on determination and analysis of network assets, network topology, and one or more defined security criteria representing security features being implemented by one or more network security devices that form part of the network segment, wherein the scoring metric is a quantitative…

BUILDING A COOPERATIVE SECURITY FABRIC OF HIERARCHICALLY INTERCONNECTED NETWORK SECURITY DEVICES

Granted: November 8, 2018
Application Number: 20180324217
Systems and methods for implementing a cooperative security fabric (CSF) protocol are provided. According to one embodiment, a CSF of multiple network security devices (NSDs) deployed within a protected network is constructed in a form of a tree, having a root node, one or more intermediate nodes and one or more leaf nodes, based on hierarchical interconnections among the NSDs by determining a relative upstream or downstream relationship among each NSD. Backend daemons of the NSDs…

REDUCING REDUNDANT OPERATIONS PERFORMED BY MEMBERS OF A COOPERATIVE SECURITY FABRIC

Granted: November 8, 2018
Application Number: 20180324147
Systems and methods for coordinating security operations among members of a cooperative security fabric (CSF) are provided. According to one embodiment, a first network security appliance of a CSF receives incoming network traffic and determines if the incoming network traffic is transmitted from a second network security appliance based on the source address of the network traffic. If the incoming network traffic is from the second network security appliance, the first network security…

STEERING WIRELESS LOCAL AREA NETWORK (WLAN) CLIENTS

Granted: October 25, 2018
Application Number: 20180310240
Systems and methods for steering WiFi clients based on capabilities of the clients and access points (APs) are provided. According to one embodiment, multiple access points (APs) of a wireless local area network (WLAN) receive probe requests from a WLAN client for joining the WLAN. The APs forward the probe requests to an AP controller (AC) that controls the APs of the WLAN. The AC selects one or more of the multiple APs based at least on the matching of the capability of the WLAN…

PREDICTING THE RISK ASSOCIATED WITH A NETWORK FLOW, SUCH AS ONE INVOLVING AN IOT DEVICE, AND APPLYING AN APPROPRIATE LEVEL OF SECURITY INSPECTION BASED THEREON

Granted: October 11, 2018
Application Number: 20180295148
Systems and methods for applying a risk-based approach to security inspection of network flows are provided. According to one embodiment, a packet of a flow between a first and second device coupled with a private network is received by a network security device. If an explicit flow policy is defined for the flow, it is applied to the flow; otherwise: (i) a risk level associated with the flow is obtained based on one or more of attributes of the flow, one or more derived attributes of the…

PER-APPLICATION MICRO-FIREWALL IMAGES EXECUTING IN CONTAINERS ON A DATA COMMUNICATIONS NETWORK

Granted: October 4, 2018
Application Number: 20180287999
Per-application micro-firewall container images execute in containers on a data communication network. A micro-firewall controller detects that a specific application has been activated. In response, a micro-firewall image corresponding to the specific application is configured and executed in a container.

UNINTERRUPTED FLOW PROCESSING BY A SOFTWARE DEFINED NETWORK (SDN) APPLIANCE DESPITE A LOST OR DISRUPTED CONNECTION WITH AN SDN CONTROLLER

Granted: October 4, 2018
Application Number: 20180287859
Systems and methods for allowing continuous network traffic processing by an SDN appliance despite a lost or disrupted connection with an SDN controller are provided. According to one embodiment, a software-defined networking (SDN) appliance receives one or more policies/flows from an SDN controller. The policies/flows are locally stored by the SDN appliance within the SDN appliance. Responsive to receipt of a packet to be processed by the SDN appliance, the SDN appliance queries the SDN…

TWO-STAGE HASH BASED LOGIC FOR APPLICATION LAYER DISTRIBUTED DENIAL OF SERVICE (DDoS) ATTACK ATTRIBUTION

Granted: September 13, 2018
Application Number: 20180262528
Methods and systems for two-stage attribution of application layer DDoS attacks are provided. The first-stage table maintains only a hash index, whereas the second-stage table keeps the string parameter corresponding to the application layer attribute under attack. A linked list maintains a plurality of rows when a hash collision occurs in the first table. The second table is aged out and reported periodically with details of large strings.

MULTI-TIERED SANDBOX BASED NETWORK THREAT DETECTION

Granted: September 6, 2018
Application Number: 20180253551
Systems and methods for multi-tiered sandbox based network threat detection are provided. According to one embodiment, a file is received by a computer system. The file is caused to exhibit a first set of behaviors by processing the file within a virtualization application based environment of the computer system. The virtualization application based environment is created based on an application to which the file pertains. The file is further caused to exhibit a second set of behaviors…

HIGH-AVAILABILITY CLUSTER ARCHITECTURE AND PROTOCOL

Granted: August 30, 2018
Application Number: 20180246791
Methods and systems are provided for an improved cluster-based network architecture. According to one embodiment, an active connection is established between a first interface of a network device and an enabled interface of a first cluster unit of an HA cluster of network security devices. The HA cluster is configured to provide connectivity between network devices of an internal and external network. A backup connection is established between a second interface of the network device and…

PROVIDING SECURITY IN A COMMUNICATION NETWORK

Granted: August 16, 2018
Application Number: 20180234440
Systems and methods for optimizing system resources by selectively enabling various scanning functions of a network security device are provided. According to one embodiment, information specifying a set of reputable websites deemed to be trustworthy by one or more web filtering services is received by a network security device protecting a private network. One or more directives are received by the network security device from a network administrator via a GUI of the network security…