Fortinet Patent Grants

Automated configuration of endpoint security management

Granted: November 13, 2018
Patent Number: 10129341
Systems and methods for managing configuration of a client security application based on a network environment in which the client device is operating are provided. According to one embodiment, a network connection state of a client device with respect to a private network is determined by a client security application running on the client device. The client security application then selects a configuration based on the determined network connection state. Finally, the client security…

HTTP proxy

Granted: November 6, 2018
Patent Number: 10122816
Systems and methods for translating between an older version of HTTP and a newer version of HTTP are provided. According to an embodiment, a first request message, compliant with the newer version and directed to a server that supports the older version but does not support the newer version, is received by the proxy from a client that supports the newer version. A second request message, compliant with the older version, is created by the proxy by translating the first request message.…

Heuristics-based identification of IoT (internet of things) attacks in Wi-Fi

Granted: November 6, 2018
Patent Number: 10122745
Attacks from IoT (Internet of Things) devices (or other stations) on a Wi-Fi network are identified using heuristics. Frames are detected from an IoT device (or conventional station) over a window of time. The frame is processed to expose IoT application data from the frame over the time window. Deviations are identified in the IoT application data to detect malicious activity from the IoT device by comparing the IoT application data from at least a first time and a second time within the…

System and method for software defined behavioral DDoS attack mitigation

Granted: October 30, 2018
Patent Number: 10116703
Systems and methods for software defined behavioral DDoS attack mitigation are provided. According to one embodiment, a method is provided for controlling multiple distributed denial of service (DDoS) mitigation appliances. A DDoS attack mitigation central controller configures attack mitigation policies for the DDoS attack mitigation appliances. The DDoS attack mitigation policies are sent to the DDoS attack mitigation appliances through a network connecting the DDoS attack mitigation…

Cloud based logging service

Granted: October 30, 2018
Patent Number: 10116626
Methods and systems are provided for facilitating access to a cloud-based logging service. According to one embodiment, access to a cloud-based logging service is integrated within a network security appliance by automatically configuring access settings for the logging service and creating an account for the security appliance with the logging service. A log is created within the logging service by making use of the automatically configured access settings and the account. A request is…

Calculating consecutive matches using parallel computing

Granted: October 30, 2018
Patent Number: 10114934
Methods and systems for determining consecutive matches are provided. According to one embodiment, a class definition and a data stream are received by a network security device. The data stream is partitioned into multiple data blocks each containing N data segments. Each data block is processed in parallel to compute: (i) a value (F) indicating whether every data segment value meets the class definition; (ii) a value (L) indicating a number of consecutive data segment values meeting…

Application layer-based single sign on

Granted: October 16, 2018
Patent Number: 10104121
Methods and systems are provided for implementing application layer security. According to one embodiment, an application layer packet is received by a network appliance and one or more information fields, selected based on an application type associated with the packet, are used to identify an associated end user. Then, security rules that match the traffic pattern, traffic content and identified end user can be applied to the packet. Identification of end users based on application…

Filtering hidden data embedded in media files

Granted: October 9, 2018
Patent Number: 10097514
Systems and methods for filtering unsafe content by a network security device are provided. According to one embodiment, a network security device captures network traffic and extracts a media file from the network traffic. The network security device then determines the presence of a hidden data item embedded in the media file in a machine-readable form. When such a hidden data item is identified, the network security device performs one or more actions on the media file based on a…

Sequentially serving network security devices using a software defined networking (SDN) switch

Granted: October 2, 2018
Patent Number: 10091166
Systems and methods for an SDN switch that provides service group chaining for sequentially serving multiple network security devices are provided. According to one embodiment, a packet received by the switch is processed by a first FPU based on a first set of rules and forwarded conditionally to a first security device. The packet is security processed, including dropping it or forwarding it to an egress port or forwarding it to a second FPU. When forwarded to the second FPU, the packet…

Context-aware pattern matching accelerator

Granted: October 2, 2018
Patent Number: 10091248
Methods and systems for improving accuracy, speed, and efficiency of context-aware pattern matching are provided. According to one embodiment, a packet stream is received by a first stage of a hardware accelerator of a network device. A pre-matching process is performed by the first stage to identify a candidate packet that matches a string or over-flow pattern associated with access control (e.g., IPS or ADC) rules. A candidate rule is identified based on a correlation of results of the…

Reducing redundant operations performed by members of a cooperative security fabric

Granted: September 25, 2018
Patent Number: 10084825
Systems and methods for coordinating security operations among members of a cooperative security fabric (CSF) are provided. According to one embodiment, a first network security appliance of a CSF receives incoming network traffic and determines whether the network traffic has been transmitted from a second network security appliance based on a flag carried by one or more packets of the network traffic. If the incoming network traffic is from the second network security appliance, the…

Protocol based detection of suspicious network traffic

Granted: September 25, 2018
Patent Number: 10084816
Embodiments of the present invention relate to identification of suspicious network traffic indicative of a Botnet and/or an Advanced Persistent Threat (APT) based on network protocol of such traffic. According to one embodiment, a traffic file is received at a network security device that is protecting a private network. The traffic file contains therein network traffic associated with the private network that has been captured and stored. The received traffic file is processed by the…

Rating of signature patterns for pattern matching

Granted: September 25, 2018
Patent Number: 10084803
Systems and methods for rating of signature patterns are provided. According to one embodiment, a frequency of occurrence is determined by a network security system of each of multiple patterns within a pattern database containing a set of candidate patterns from which a set of patterns or sub-patterns thereof will be selected for inclusion within a pre-match list. For each pattern, the network security device determines whether a length of the pattern exceeds a pre-defined length; and,…

Load balancing among a cluster of firewall security devices

Granted: September 25, 2018
Patent Number: 10084751
A method for balancing load among firewall security devices (FSDs) is provided. According to one embodiment, a switching device performs adaptive load balancing among cluster units of an HA cluster of firewall security devices. A load balancing (LB) function implemented by the switching device is configured based on information received from a network administrator. A LB table is maintained that forms associations between hash values output by the LB function and corresponding ports of…

Policy-based content filtering

Granted: September 25, 2018
Patent Number: 10084750
Methods and systems for processing application-level content of network service protocols are described. According to one embodiment, a firewall maintains multiple configuration schemes, each defining a set of administrator-configurable content filtering process settings. The firewall also maintains a security policy database including multiple firewall security policies. At least one of the firewall security policies includes an associated configuration scheme and an action to take with…

Pattern matching for data leak prevention

Granted: September 25, 2018
Patent Number: 10083318
Systems and methods for preprocessing data to facilitate DLP pattern matching are provided. An input string is received by a Data Leak Prevention (DLP) system. The input string is converted by the DLP system into a fixed string pattern. The conversion is performed based on multiple class definitions, including a digit class, a letter class and a symbol class. A determination is then made by the DLP system regarding whether the input string contains potential sensitive data to which a…

Secure cloud storage distribution and aggregation

Granted: September 25, 2018
Patent Number: 10083309
Methods and systems for secure cloud storage are provided. According to one embodiment, file storage policies are maintained for users of an enterprise network by a trusted gateway device interposed between the network and multiple third-party cloud storage services. Responsive to receiving a request to store a local file from a user: (i) searchable encrypted data is created by the gateway corresponding to one or more of (a) content of the local file and (b) metadata associated with the…

Packet routing using a software-defined networking (SDN) switch

Granted: September 11, 2018
Patent Number: 10075393
Systems and methods for an SDN switch that facilitates forwarding/differential routing decision determination are provided. A packet is received at an input port of the SDN switch. The switch includes a first and second set of flow processing units (FPUs). The packet is forwarded to a first FPU of the first set. Based on a flow table associated with the first FPU, it is determined whether the packet is to be forwarded to a network device or an output port. The packet is received from the…

Intelligent telephone call routing

Granted: September 11, 2018
Patent Number: 10075584
Systems and methods for intelligently routing an incoming telephone call to an internal extension based on the calling history are provided. According to one embodiment, a session log, containing information regarding sessions between internal extension numbers and external telephone numbers, is maintained by a call monitor of a telephone system. The internal extension numbers are associated with telephone extensions within the telephone system and the external telephone numbers are…

Sandboxing protection for endpoints

Granted: September 11, 2018
Patent Number: 10075457
Methods and systems for integrating a sandboxing service and distributed threat intelligence within an endpoint security application are provided. According to one embodiment, file system or operating system activity relating to a file accessible to an endpoint system is monitored by an endpoint security application running on the endpoint system. The endpoint security application determines whether the file has been previously analyzed for a threat status. When a…