Fortinet Patent Grants

Deauthenticating and disassociating unauthorized access points with spoofed management frames

Granted: April 17, 2018
Patent Number: 9949131
A spoofed management frame is sent to an unauthorized access point (AP) on behalf of a station from an authorized AP, using a media access control (MAC) address of the station. The spoofed frame triggers a security association (SA) query from an unauthorized AP to reestablish valid communications. An acknowledgment (ACK) frame sent from the client to the unauthorized AP responsive to the SA query request is detected by the AP. A probe response is sent to the client. The probe response…

Security configuration file conversion with security policy optimization

Granted: April 17, 2018
Patent Number: 9948680
Systems and methods for converting a configuration file from a first language into a second language with policy optimization and auditing are provided. According to one embodiment, a network appliance configuration converter parses network security policies of an input configuration file of a first network appliance to intermediate representations. The network security policies of the input configuration file are in a first language and the intermediate representations are general data…

Providing security in a communication network

Granted: April 17, 2018
Patent Number: 9948662
Systems and methods for optimizing system resources by selectively enabling various scanning functions relating to user traffic streams based on the level of trust associated with the destination are provided. According to one embodiment, a network security device within an enterprise network receives an application protocol request directed to an external network that is originated by a client device associated with the enterprise network. It is determined by the network security device…

Directed station roaming in cloud managed Wi-Fi network

Granted: April 10, 2018
Patent Number: 9942822
Directing station roaming in a cloud-managed Wi-Fi network. Management messages are received from a controller that is located remotely from the Wi-Fi communication network by an access point. When an RSSI (received signal strength indication) value between the station and the access point falls below a threshold, the access point (i.e., controller access point) determines which neighboring access point would be a best fit for a hand-off, with limited real-time input from the cloud-based…

Optimizing progressive downloading in WLANs (wireless local access networks)

Granted: April 10, 2018
Patent Number: 9942296
An access point provisions network resources at a data plane to optimize progressive downloads in WLANs. To do so, link information concerning at least one routing path of the access point is periodically sent to an SDN controller. As needed, download parameters are determined for a file transfer from the access point to a station from a resource external to the communication network. Responsive to the file transfer being a progressive download, one or more OpenFlow rules are received…

High-availability cluster architecture and protocol

Granted: April 3, 2018
Patent Number: 9934112
Methods and systems are provided for an improved cluster-based network architecture. According to one embodiment, an active connection is established between a first interface of a network device and an enabled interface of a first cluster unit of a high availability (HA) cluster. The HA cluster is configured to provide connectivity between network devices of an internal and external network. A backup connection is established between a second interface of the network device and a…

Management of wireless access points via virtualization

Granted: April 3, 2018
Patent Number: 9936059
Wireless access point (AP) and methods for providing wireless connectivity to a wireless client are provided. According to one embodiment, a wireless AP includes a host hardware platform and a hypervisor for providing a first virtual machine where a first guest operating system (OS) is configured to run on the first virtual machine. A wireless module is configured to run on the first guest OS for managing the wireless connection to at least one wireless client. A wireless AP management…

Hardware-logic based flow collector for distributed denial of service (DDoS) attack mitigation

Granted: April 3, 2018
Patent Number: 9935974
Methods and systems for an integrated solution to flow collection for determination of rate-based DoS attacks targeting ISP infrastructure are provided. According to one embodiment, a method of mitigating DDoS attacks is provided. Information regarding at least one destination within a network for which a distributed denial of service (DDoS) attack status is to be monitored is received by a DDoS attack detection module coupled with a flow controller via a bus. The DDoS attack status is…

Emulator-based malware learning and detection

Granted: April 3, 2018
Patent Number: 9935972
Methods and systems are described for malware learning and detection. According to one embodiment, an antivirus (AV) engine includes a training mode for internal lab use, for example, and a detection mode for use in commercial deployments. In training mode, an original set of suspicious patterns is generated by scanning malware samples. A set of clean patterns is generated by scanning clean samples. A revised set of suspicious patterns is created by removing the clean patterns from the…

Virtualization in a multi-host environment

Granted: April 3, 2018
Patent Number: 9934139
Methods and systems for implementing improved partitioning and virtualization in a multi-host environment are provided. According to one embodiment, multiple devices, including CPUs and peripherals, coupled with a system via an interconnect matrix/bus are associated with a shared memory logically partitioned into multiple domains. A first domain is associated with a first set of the devices and a second domain is associated with a second set of the devices. A single shared virtual map…

Seamless roaming in wireless networks

Granted: March 27, 2018
Patent Number: 9930595
A system and method for providing a seamless transition between access points for mobile devices. The method comprises associating a unique identifier for a plurality of mobile stations with a unique identifier for a first network in an acknowledgment table, then, upon receiving a frame from a mobile station, acknowledging the reception of the frame if the frame includes the unique identifier for the mobile station and the unique identifier for the network. The transfer of operation…

Detecting network traffic content

Granted: March 27, 2018
Patent Number: 9930054
A device for detecting network traffic content is provided. The device includes a memory configured for storing one or more signatures, each of the one or more signatures associated with content desired to be detected, and defined by one or more predicates. The device also includes a processor configured to receive data associated with network traffic content, execute one or more instructions based on the one or more signatures and the data, and determine whether the network traffic…

Network advertising system

Granted: March 13, 2018
Patent Number: 9916603
Systems and methods for transmitting content to a client via a communication network are provided. An insertion server, running within a firewall device associated with a private IP network, detects establishment of a transport communication protocol connection between a client associated with the network and a destination located external to the network by examining packets as they pass through the network and pass by the insertion server. A content request of an application protocol…

Detection of undesired computer files using digital certificates

Granted: March 13, 2018
Patent Number: 9917844
Methods and systems for detecting undesirable computer files based on scanning and analysis of information contained within an associated digital certificate chain are provided. According to one embodiment, a determination is made regarding whether there exists a certificate chain associated with a computer file. If the certificate chain is determined to exist, then the certificate chain is evaluated by extracting information from the certificate chain and analyzing the extracted…

Inheritance based network management

Granted: March 13, 2018
Patent Number: 9917842
Systems and methods for normalization of physical interfaces having different physical attributes are provided. According to one embodiment, information regarding multiple network devices is presented to a network manager. The network devices have one or more different physical attributes. Two physical attributes of two network devices that are to be normalized and that are among the one or more different physical attributes are identified. The physical attributes are normalized by…

Automated configuration of endpoint security management

Granted: March 13, 2018
Patent Number: 9917814
Systems and methods for managing configuration of a client security application based on a network environment in which the client device is operating are provided. According to one embodiment, a network connection state of a client device with respect to a private network is determined by a client security application running on the client device. The client security application then selects a configuration based on the determined network connection state. Finally, the client security…

Interface groups for rule-based network security

Granted: March 13, 2018
Patent Number: 9917813
Systems and methods for designating interfaces of a network security appliance as source/destination interfaces in connection with defining a security rule are provided. According to one embodiment, a security rule configuration interface is displayed through which a network administrator can specify parameters of security rules to be applied to traffic attempting to traverse the network security appliance. Information defining a traffic flow to be controlled by a security rule is…

Inline inspection of security protocols

Granted: March 13, 2018
Patent Number: 9917812
Systems and methods for inline security protocol inspection are provided. According to one embodiment, a security device receives an encrypted packet from a first network appliance and buffers the encrypted packet in a buffer. An inspection module accesses the encrypted packet from the buffer, decrypts the encrypted packet to produce plain text and scans the plain text by the inspection module.

Optimization of contention parameters for quality of service of VOIP (voice over internet protocol) calls in a wireless communication network

Granted: March 13, 2018
Patent Number: 9917752
A system and method for optimizing voice communications in a wireless network including an AP having a message waiting time that provides proper QoS while losing minimal communication bandwidth. The QoS may be responsive to the amount of user traffic in both the AP and neighboring APs. The method may include setting parameters for each level of QoS in response to a measure of the degree of contention for that level of QoS, and in response to a measure of the degree of contention for…

Polarity recognition and swapping for DC powered devices

Granted: March 13, 2018
Patent Number: 9917438
A system for recognizing and swapping polarity for DC powered devices that includes a polarity detection module that is configured to identify polarity of DC power input, and further configured to send an output to a controller based on identification of polarity of the DC power input. The system includes a power switch array that is operatively coupled with the controller, and wherein the controller, based on the output, can set one or more switches of the power switch array for…