Palo Alto Networks, Inc.

United States of America


1-100 of 897 for Palo Alto Networks, Inc. and 1 subsidiary

IP Type
  Patent 837
  Trademark 60
Jurisdiction
  United States 799
  World 70
  Canada 20
  Europe 8
Owner / Subsidiary
  Palo Alto Networks, Inc. (owner) 896
  Evident.io, Inc. 1
Date
  New (last 4 weeks) 11
  2024 March (MTD) 8
  2024 February 19
  2024 January 10
  2023 December 10
IPC Class
  H04L 29/06 - Communication control; Communication processing characterised by a protocol 336
  H04L 9/40 - Network security protocols 186
  G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements 138
  H04L 29/08 - Transmission control procedure, e.g. data link level control procedure 71
  G06F 17/30 - Information retrieval; Database structures therefor 53
NICE Class
  42 - Scientific, technological and industrial services, research and design 46
  09 - Scientific and electric apparatus and instruments 33
  41 - Education, entertainment, sporting and cultural services 11
  45 - Legal and security services; personal services for individuals 10
  35 - Advertising and business services 7
Status
  Pending 186
  Registered / In Force 711

1.

MALICIOUS JS DETECTION BASED ON AUTOMATED USER INTERACTION EMULATION

Application Number 18535835
Status Pending
Filing Date 2023-12-11
First Publication Date 2024-03-28
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Chen, Jin
  • Yan, Tao
  • Wang, Taojie
  • Qu, Bo

Abstract

Detection of malicious JavaScript based on automated user interaction emulation is disclosed. A malware sample is executed in an instrumented virtual environment. Dynamic behavior is triggered based on emulated user interactions.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine

2.

IOT DEVICE APPLICATION WORKLOAD CAPTURE

Application Number 18520385
Status Pending
Filing Date 2023-11-27
First Publication Date 2024-03-21
Owner Palo Alto Networks, Inc. (USA)
Inventor Du, Jun

Abstract

Internet of Things (IoT) device application workload capture is disclosed. A target IoT device is selected. A flow associated with the target IoT device is determined and tagged. Packets from the tagged flow are admitted into a ring buffer. An indication is received that an extraction should be performed on a portion of the packets included in the ring buffer.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G16Y 10/75 - Information technology; Communication
  • G16Y 30/10 - Security thereof
  • H04L 41/06 - Management of faults, events, alarms or notifications
  • H04L 41/0816 - Configuration setting characterised by the conditions triggering a change of settings the condition being an adaptation, e.g. in response to network events

3.

DETECTING BEHAVIORAL CHANGE OF IOT DEVICES USING NOVELTY DETECTION BASED BEHAVIOR TRAFFIC MODELING

Application Number 18520915
Status Pending
Filing Date 2023-11-28
First Publication Date 2024-03-21
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Tian, Ke
  • Zhao, Yilin
  • Duan, Xiaoyi
  • Du, Jun

Abstract

An anomalous behavior detector has been designed to detect novel behavioral changes of devices based on network traffic data that likely correlate to anomalous behaviors. The anomalous behavior detector uses the local outlier factor (LOF) algorithm with novelty detection. After initial semi-supervised training with a single class training dataset representing stable device behaviors, the obtained model continues learning frontiers that delimit subspaces of inlier observations with live network traffic data. Instead of traffic variables being used as features, the features that form feature vectors are similarities of network traffic variable values across time intervals. A feature vector for the anomalous behavior detector represents stability or similarity of network traffic variables that have been chosen as device identifiers and behavioral indicators.

IPC Classes

  • H04L 43/0876 - Network utilisation, e.g. volume of load or congestion level

4.

DETECTING PATIENT-ZERO EXFILTRATION ATTACKS ON WEBSITES USING TAINT TRACKING

Application Number 18513869
Status Pending
Filing Date 2023-11-20
First Publication Date 2024-03-21
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Melicher, William Russell
  • Mohamed Nabeel, Mohamed Yoosuf
  • Starov, Oleksii

Abstract

An execution environment has been designed that detects likely data exfiltration by using taint tracking and abstract execution. The execution environment is instrumented to monitor for use of functions identified as having functionality for transferring data out of an execution environment. In addition, heuristics-based rules are defined to mark or “taint” objects (e.g., variables) that are likely targets for exfiltration. With taint tracking and control flow analysis, the execution environment tracks the tainted objects through multiple execution paths of a code sample. After comprehensive code coverage, logged uses of the monitored functions are examined to determine whether any tainted objects were passed to the monitored functions. If so, the logged use will indicate a destination or sink for the tainted source. Each tainted source-sink association can be examined to verify whether the exfiltration was malicious.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

5.

PROVIDING APPLICATION SECURITY USING CAUSAL GRAPH

Application Number 18519828
Status Pending
Filing Date 2023-11-27
First Publication Date 2024-03-14
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Varadarajan, Subramanian
  • Antonyraj, Rosarin Roy

Abstract

Computer systems and methods are provided for storing a first path profile. A computing device receives a first request to access a first location of a website, transmits the first request to a server, and receives a first cookie that includes identifying information for the first location. In response to receiving the first cookie, the device stores the identifying information. The device receives a second request to access a second location of the website that is distinct from the first location. The second request includes the identifying information for the first location. The device transmits the second request to the server and receives a second cookie that includes the identifying information for the first location and for the second location. In response to receiving the second cookie, the device stores the first path profile that includes the identifying information for the first location and the second location.

6.

APPLYING SUBSCRIBER-ID BASED SECURITY, EQUIPMENT-ID BASED SECURITY, AND/OR NETWORK SLICE-ID BASED SECURITY WITH USER-ID AND SYSLOG MESSAGES IN MOBILE NETWORKS

Application Number US2023028739
Publication Number 2024/049591
Status In Force
Filing Date 2023-07-26
Publication Date 2024-03-07
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Verma, Sachin
  • Burakovsky, Leonid
  • Perez Villegas, Hugo Alberto

Abstract

Techniques for applying subscriber-ID based security, equipment-ID based security, and/or network slice-ID based security with user-ID and syslog messages in mobile networks are disclosed. In some embodiments, a system/process/computer program product for applying subscriber-ID based security, equipment-ID based security, and/or network slice-ID based security with user-ID and syslog messages in mobile networks includes monitoring network traffic on a mobile network at a security platform to identify a new session; extracting a plurality of parameters by parsing syslog messages with a user-ID agent at the security platform; and enforcing a security policy on the new session at the security platform based on one or more of the plurality of parameters including one or more of a subscriber-ID, equipment- ID, and network slice-ID to apply context-based security in the mobile network.

7.

CONTEXT PROFILING FOR MALWARE DETECTION

Application Number 18506542
Status Pending
Filing Date 2023-11-10
First Publication Date 2024-03-07
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Wang, Jun
  • Xu, Wei

Abstract

Analysis of samples for maliciousness is disclosed. A sample is executed and one or more network activities associated with executing the sample are recorded. The recorded network activities are compared to a malware profile. The malware profile comprises a set of network activities taken by a known malicious application during execution of the known malicious application. A verdict of “malicious” is assigned to the sample based at least in part on a determination that the recorded network activities match the malware profile.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
  • H04W 12/128 - Anti-malware arrangements, e.g. protection against SMS fraud or mobile malware

8.

INLINE PACKAGE NAME BASED SUPPLY CHAIN ATTACK DETECTION AND PREVENTION

Application Number US2023031082
Publication Number 2024/049702
Status In Force
Filing Date 2023-08-24
Publication Date 2024-03-07
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Duan, Ruian
  • Liu, Daiping
  • Wang, Jun
  • Xiao, Zihang

Abstract

Inline package name based supply chain attack detection and prevention is disclosed. An indication that a client device has made a request to a remote server for a package is received. A data appliance then performs an action responsive to the received indication. In an example implementation, the data appliance makes a determination of whether the request for the package is associated with a nonexisting package.

IPC Classes

  • G06F 8/60 - Software deployment
  • G06F 21/10 - Protecting distributed programs or content, e.g. vending or licensing of copyrighted material

9.

INLINE PACKAGE NAME BASED SUPPLY CHAIN ATTACK DETECTION AND PREVENTION

Application Number 18500857
Status Pending
Filing Date 2023-11-02
First Publication Date 2024-02-29
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Duan, Ruian
  • Liu, Daiping
  • Wang, Jun
  • Xiao, Zihang

Abstract

Inline package name based supply chain attack detection and prevention is disclosed. An indication that a client device has made a request to a remote server for a package is received. A data appliance then performs an action responsive to the received indication. In an example implementation, the data appliance makes a determination of whether the request for the package is associated with a nonexisting package.

10.

APPLYING SUBSCRIBER-ID BASED SECURITY, EQUIPMENT-ID BASED SECURITY, AND/OR NETWORK SLICE-ID BASED SECURITY WITH USER-ID AND SYSLOG MESSAGES IN MOBILE NETWORKS

Application Number 17900706
Status Pending
Filing Date 2022-08-31
First Publication Date 2024-02-29
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Verma, Sachin
  • Burakovsky, Leonid
  • Perez Villegas, Hugo Alberto

Abstract

Techniques for applying subscriber-ID based security, equipment-ID based security, and/or network slice-ID based security with user-ID and syslog messages in mobile networks are disclosed. In some embodiments, a system/process/computer program product for applying subscriber-ID based security, equipment-ID based security, and/or network slice-ID based security with user-ID and syslog messages in mobile networks includes monitoring network traffic on a mobile network at a security platform to identify a new session; extracting a plurality of parameters by parsing syslog messages with a user-ID agent at the security platform; and enforcing a security policy on the new session at the security platform based on one or more of the plurality of parameters including one or more of a subscriber-ID, equipment-ID, and network slice-ID to apply context-based security in the mobile network.

11.

OPTICAL CHARACTER RECOGNITION FILTERING

Application Number 17821247
Status Pending
Filing Date 2022-08-22
First Publication Date 2024-02-22
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Mittal, Anirudh
  • Hewlett, Ii, William Redington

Abstract

An OCR filter described herein filters non-textual files in scanned customer data from optical character recognition (OCR) and pattern analysis of text generated thereof for sensitive customer data. The OCR filter is trained on files labelled using feature values for features generated from OCR applied to the corresponding files. Moreover, the OCR filter stores internal representations of the files during training to avoid leaking potential sensitive customer data contained therein. Once trained, performance of the OCR filter in filtering files comprising image data without text is evaluated according to false positive rates and false negative rates by comparing classifications of the OCR filter to classifications according to feature values for features generated from OCR. Evaluation of the OCR filter ensures continued model performance and informs model updates.

12.

INNOCENT UNTIL PROVEN GUILTY (IUPG): ADVERSARY RESISTANT AND FALSE POSITIVE RESISTANT DEEP LEARNING MODELS

Application Number 18386969
Status Pending
Filing Date 2023-11-03
First Publication Date 2024-02-22
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Kutt, Brody James
  • Starov, Oleksii
  • Zhou, Yuchen
  • Hewlett, Ii, William Redington

Abstract

Techniques for providing innocent until proven guilty (IUPG) solutions for building and using adversary resistant and false positive resistant deep learning models are disclosed. In some embodiments, a system, process, and/or computer program product includes storing a set comprising one or more innocent until proven guilty (IUPG) models for static analysis of a sample; performing a static analysis of content associated with the sample, wherein performing the static analysis includes using at least one stored IUPG model; and determining that the sample is malicious based at least in part on the static analysis of the content associated with the sample, and in response to determining that the sample is malicious, performing an action based on a security policy.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06N 3/04 - Architecture, e.g. interconnection topology

13.

SUPPORTING OVERLAPPING NETWORK ADDRESSES UNIVERSALLY

Application Number 17884844
Status Pending
Filing Date 2022-08-10
First Publication Date 2024-02-15
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Chen, Jia
  • Long, Hao
  • Lin, Shu

Abstract

Techniques for supporting overlapping network addresses universally are disclosed. A system, process, and/or computer program product for supporting overlapping network addresses universally includes generating at least two virtual routers for a cloud security service, the at least two virtual routers including a first virtual router and a second virtual router, routing cloud security service packets using the first virtual router, and routing enterprise subscriber packets using the second virtual router.

IPC Classes

  • H04L 45/00 - Routing or path finding of packets in data switching networks
  • H04L 45/586 - Association of routers of virtual routers
  • H04L 45/745 - Address table lookup; Address filtering
  • H04L 9/40 - Network security protocols

14.

DYNAMIC MANAGEMENT OF PACKET LOSS

Application Number 18109802
Status Pending
Filing Date 2023-02-14
First Publication Date 2024-02-15
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Varadarajan, Subramanian
  • Antonyraj, Rosarin Roy
  • Senthivel, Kumaravel

Abstract

Exemplary methods, apparatuses, and systems include duplicating a packet within a plurality of packets to be transmitted to a destination computing node as a sequence of packets. The plurality of packets including the duplicate of the packet are transmitted to the destination computing node. Upon receiving a first acknowledgement of the packet from the destination computing node, it is determined that the first acknowledgment is directed to a duplicated packet. In response to determining that the first acknowledgment is directed to a duplicated packet, it is determined that a second acknowledgement has yet to be received for each of one or more packets within the plurality of packets transmitted prior to the packet. In response to determining that the second acknowledgement has yet to be received, the one or more packets are retransmitted to the destination computing node.

IPC Classes

  • H04L 1/1607 - Arrangements for detecting or preventing errors in the information received by using return channel in which the return channel carries supervisory signals, e.g. repetition request signals - Details of the supervisory signal
  • H04L 43/0829 - Packet loss
  • H04L 43/16 - Threshold monitoring
  • H04L 1/1867 - Arrangements specially adapted for the transmitter end
  • H04L 1/08 - Arrangements for detecting or preventing errors in the information received by repeating transmission, e.g. Verdan system
  • H04L 1/00 - Arrangements for detecting or preventing errors in the information received
  • H04L 1/1825 - Adaptation of specific ARQ protocol parameters according to transmission conditions

15.

IDENTIFICATION OF MALICIOUS DOMAIN CAMPAIGNS USING UNSUPERVISED CLUSTERING

Application Number 18481764
Status Pending
Filing Date 2023-10-05
First Publication Date 2024-02-08
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Weber, Michael Edward
  • Wang, Jun
  • Zhou, Yuchen
  • Xu, Wei

Abstract

The technology presented herein enables the use of a clustering algorithm to identify additional malicious domains based on known malicious domains. A domain identifier system identifies a first plurality of domain names associated with a malicious domain campaign and seeds a first clustering algorithm with the first plurality of domain names. After seeding the first clustering algorithm, the domain identifier system uses the first clustering algorithm to process passive domain name system (DNS) records to identify and group a second plurality of domain names associated with the malicious domain campaign.

IPC Classes

  • H04L 9/40 - Network security protocols
  • H04L 61/4511 - Network directories; Name-to-address mapping using standardised directory access protocols using domain name system [DNS]

16.

Intent-based query and response routing between users and backend services

Application Number 18455165
Grant Number 11893358
Status In Force
Filing Date 2023-08-24
First Publication Date 2024-02-06
Grant Date 2024-02-06
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Lakshmikanthan, Ramanathan
  • Merchant, Sameer Dilip
  • Sharma, Gaurav

Abstract

For a seamless and robust artificial intelligence-based assistant experience, an intent-based query and response router has been designed to operate as an intelligent layer between a user and multiple backend services that may respond to one or more queries over the course of a conversation with the user. The query router interacts with an intent classification service to obtain an intent classification for a prompt that is based on a user query. The query router uses the intent classification, which is used as an identifier of a backend service, to route the user query to an appropriate one (or more) of the backend services. When a response is detected, the query router determines a corresponding conversation and provides the response for the conversation.

17.

TEXT CLASSIFICATION OF API DOCUMENTATION FOR INFORMING SECURITY POLICY CREATION

Application Number 17816047
Status Pending
Filing Date 2022-07-29
First Publication Date 2024-02-01
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Narayan, Krishnan Shankar
  • Chari, Srikumar Narayan
  • Katakam, Venkata Ramadurga Prasad
  • Chang, Patrick Kar Yin

Abstract

An API response field classification service obtains API documentation published by a vendor and defined security policies and matches the response fields represented in the security policies to their descriptions in the API documentation. The service generates labelled training data that comprise the identified response field descriptions with labels indicating that their corresponding response field is security related. Additional labelled training data for security unrelated response fields comprises descriptions of response fields that are known not to be represented with any security policies. The service trains a text classifier on the labelled training data. The trained text classifier accepts inputs comprising descriptions of unknown response fields and outputs predicted classes indicating whether the corresponding response fields are predicted to be security related. Subsequent creation of security policies can be focused on these response fields predicted to be security related.

18.

METHOD TO CLASSIFY COMPLIANCE PROTOCOLS FOR SAAS APPS BASED ON WEB PAGE CONTENT

Application Number 17877199
Status Pending
Filing Date 2022-07-29
First Publication Date 2024-02-01
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Yang, Sheng
  • Hewlett Ii, William Redington
  • Mradul, Manish
  • Dutta, Sanchita

Abstract

The present application discloses a method, system, and computer system for automatically detecting protocol compliance of applications. The method includes determining a URL of a webpage for a software-as-a-service (SaaS) product, extracting body text from the webpage, and using a classifier to determine whether the SaaS product is compliant with one or more protocols.

IPC Classes

  • G06F 16/951 - Indexing; Web crawling techniques
  • G06F 16/955 - Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
  • G06F 16/954 - Navigation, e.g. using categorised browsing
  • G06N 3/02 - Neural networks

19.

PROBING FOR COBALT STRIKE TEAMSERVER DETECTION

Application Number 17877803
Status Pending
Filing Date 2022-07-29
First Publication Date 2024-02-01
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Jia, Yanhui
  • Xu, Shengming

Abstract

Techniques for probing for Cobalt Strike TeamServer detection are disclosed. In some embodiments, a system/process/computer program product for probing for Cobalt Strike TeamServer detection includes monitoring HyperText Transfer Protocol (HTTP), HTTPS, and/or Domain Name System (DNS) network traffic at a firewall; prefiltering the monitored HTTP, HTTPS, and/or DNS network traffic at the firewall to select a subset of the HTTP, HTTPS, and/or DNS network traffic to forward to a cloud security service; performing HTTP, HTTPS, and/or DNS probing of a target to detect whether the target is a Cobalt Strike TeamServer; and performing an action in response to detecting that the target is the Cobalt Strike TeamServer.

20.

BEACON AND THREAT INTELLIGENCE BASED APT DETECTION

Application Number 17877816
Status Pending
Filing Date 2022-07-29
First Publication Date 2024-02-01
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Jia, Yanhui
  • Zhang, Qi
  • Xu, Shengming

Abstract

Techniques for beacon and threat intelligence based Advanced Persistent Threat (APT) detection are disclosed. In some embodiments, a system/process/computer program product for beacon and threat intelligence based APT detection includes collecting firewall log data from monitored network traffic; analyzing the firewall log data at a cloud security service to identify beacon traffic based on a plurality of heuristics; performing a risk evaluation of the beacon traffic to detect malicious beacon traffic; and performing an action in response to detecting the malicious beacon traffic.

21.

DETECTING SHADOWED DOMAINS

Application Number 17878665
Status Pending
Filing Date 2022-08-01
First Publication Date 2024-02-01
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Szurdi, Janos
  • Houser, Rebekah
  • Liu, Daiping

Abstract

A method and system for detecting shadowed domains is provided. New hostnames are collected for a predetermined period of time. Candidate shadowed domains are selected from the new hostnames. Classification of the candidate shadowed domains is performed based on a plurality of features relating to the candidate shadowed domains to output a set of identified shadowed domains. An action is performed based on the set of identified shadowed domains.

IPC Classes

  • H04L 9/40 - Network security protocols
  • H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence

22.

SAMPLE TRAFFIC BASED SELF-LEARNING MALWARE DETECTION

Application Number 18208204
Status Pending
Filing Date 2023-06-09
First Publication Date 2024-02-01
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Jia, Yanhui
  • Tennis, Matthew W.
  • Achleitner, Stefan
  • Wang, Taojie
  • Gao, Hui
  • Xu, Shengming

Abstract

Techniques for sample traffic based self-learning malware detection are disclosed. In some embodiments, a system/process/computer program product for sample traffic based self-learning malware detection includes receiving a plurality of samples for malware detection analysis using a sandbox; executing each of the plurality of samples in the sandbox and monitoring network traffic during execution of each of the plurality of samples in the sandbox; detecting that one or more of the plurality of samples is malware based on automated analysis of the monitored network traffic using a command and control (C2) machine learning (ML) model if there is not a prior match with an intrusion prevention system (IPS) signature; and performing an action in response to detecting that the one or more of the plurality of samples is malware based on the automated analysis of the monitored network traffic using the C2 ML model. In some embodiments, the IPS signatures and C2 ML model are automatically generated and trained.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
  • G06N 5/022 - Knowledge engineering; Knowledge acquisition

23.

ATTACK CHAIN IDENTIFICATION VIA MISCONFIGURATIONS IN CLOUD RESOURCES

Application Number US2023020360
Publication Number 2024/025624
Status In Force
Filing Date 2023-04-28
Publication Date 2024-02-01
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Narayan, Krishnan Shankar
  • Herur, Praveen

Abstract

A cloud resource management system detects resource misconfiguration for resources in a cloud including cloud policy misconfigurations and resource vulnerabilities. An attack chain analyzer identifies attack chains from misconfigured resources ordered according to stages in an attack framework that models sequential behavior for malicious attacks. The attack chains are detected according to a depth-first search traversal of adjacent resources that have pairwise exposure according to characteristics indicated in the cloud policy misconfigurations and resource vulnerabilities. The attack chain analyzer generates further diagnostics that inform remediation of resource misconfigurations for malicious attack prevention.

IPC Classes

  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
  • H04L 9/40 - Network security protocols

24.

COBALT STRIKE BEACON HTTP C2 HEURISTIC DETECTION

Application Number US2023026791
Publication Number 2024/025705
Status In Force
Filing Date 2023-06-30
Publication Date 2024-02-01
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Jia, Yanhui
  • Navarrete Discua, Christian Elihu
  • Sangvilkar, Durgesh Madhavrao
  • Neupane, Ajaya
  • Fu, Yu
  • Xu, Chengming

Abstract

Techniques for Cobalt Strike Beacon HTTP C2 heuristic detection are disclosed. In some embodiments, a system/process/computer program product for Cobalt Strike Beacon HTTP C2 heuristic detection includes monitoring HyperText Transfer Protocol (HTTP) network traffic at a firewall; prefiltering the monitored HTTP network traffic at the firewall to select a subset of the HTTP network traffic to forward to a cloud security service; determining whether the subset of the HTTP network traffic is associated with Cobalt Strike Beacon HTTP C2 traffic activity based on a plurality of heuristics; and performing an action in response to detecting the Cobalt Strike Beacon HTTP C2 traffic activity.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

25.

COBALT STRIKE BEACON HTTP C2 HEURISTIC DETECTION

Application Number 18231139
Status Pending
Filing Date 2023-08-07
First Publication Date 2024-02-01
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Jia, Yanhui
  • Navarrete Discua, Christian Elihu
  • Sangvikar, Durgesh Madhavrao
  • Neupane, Ajaya
  • Fu, Yu
  • Xu, Shengming

Abstract

Techniques for Cobalt Strike Beacon HTTP C2 heuristic detection are disclosed. In some embodiments, a system/process/computer program product for Cobalt Strike Beacon HTTP C2 heuristic detection includes monitoring HyperText Transfer Protocol (HTTP) network traffic at a firewall; prefiltering the monitored HTTP network traffic at the firewall to select a subset of the HTTP network traffic to forward to a cloud security service; determining whether the subset of the HTTP network traffic is associated with Cobalt Strike Beacon HTTP C2 traffic activity based on a plurality of heuristics; and performing an action in response to detecting the Cobalt Strike Beacon HTTP C2 traffic activity.

26.

ATTACK CHAIN IDENTIFICATION VIA MISCONFIGURATIONS IN CLOUD RESOURCES

Application Number 17816334
Status Pending
Filing Date 2022-07-29
First Publication Date 2024-02-01
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Narayan, Krishnan Shankar
  • Herur, Praveen

Abstract

A cloud resource management system detects resource misconfiguration for resources in a cloud including cloud policy misconfigurations and resource vulnerabilities. An attack chain analyzer identifies attack chains from misconfigured resources ordered according to stages in an attack framework that models sequential behavior for malicious attacks. The attack chains are detected according to a depth-first search traversal of adjacent resources that have pairwise exposure according to characteristics indicated in the cloud policy misconfigurations and resource vulnerabilities. The attack chain analyzer generates further diagnostics that inform remediation of resource misconfigurations for malicious attack prevention.

27.

UNIFIED PARKED DOMAIN DETECTION SYSTEM

Application Number 17877205
Status Pending
Filing Date 2022-07-29
First Publication Date 2024-02-01
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • You, Zeyu
  • Wang, Wei
  • Zhang, Yu

Abstract

The present application discloses a method, system, and computer system for detecting parked domains. The method includes obtaining, by one or more processors, a set of webpages corresponding to a plurality of domains, extracting a plurality of features based on the set of webpages, detecting parked domains based on the plurality of features using a machine learning model, and periodically applying automatic signature generation to detect a new pattern of parked domains without retraining the machine learning model.

IPC Classes

  • G06N 20/00 - Machine learning
  • G06F 16/958 - Organisation or management of web site content, e.g. publishing, maintaining pages or automatic linking
  • G06F 16/955 - Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
  • G06F 16/953 - Querying, e.g. by the use of web search engines

28.

COBALT STRIKE BEACON HTTPS C2 HEURISTIC DETECTION

Application Number 17877815
Status Pending
Filing Date 2022-07-29
First Publication Date 2024-02-01
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Jia, Yanhui
  • Xu, Shengming

Abstract

Techniques for Cobalt Strike Beacon HTTPS C2 heuristic detection are disclosed. In some embodiments, a system/process/computer program product for Cobalt Strike Beacon HTTPS C2 heuristic detection includes monitoring HyperText Transfer Protocol Secure (HTTPS) network traffic at a firewall; prefiltering the monitored HTTPS network traffic at the firewall to select a subset of the HTTPS network traffic to forward to a cloud security service; determining whether the subset of the HTTPS network traffic is associated with Cobalt Strike Beacon HTTPS C2 traffic activity based on a plurality of heuristics; and performing an action in response to detecting the Cobalt Strike Beacon HTTPS C2 traffic activity.

IPC Classes

29.

Heuristic database querying with dynamic partitioning

Application Number 17815969
Grant Number 11941006
Status In Force
Filing Date 2022-07-29
First Publication Date 2024-02-01
Grant Date 2024-03-26
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Mouleeswaran, Chandra Biksheswaran
  • Agarwal, Amit
  • Pathak, Prashant Kumar
  • Wang, Xiaoyan

Abstract

Dynamic partitioning of a search space of queries is implemented for flexible, heuristic database querying. Search space partitioning refers to dividing the search space for a submitted query into smaller parts by augmenting the queries to append thereto an additional predicate comprising a dynamic partition key and a value(s) selected based on heuristics (e.g., recency and/or relevancy of the value(s)). A plurality of candidate augmentations of the query and corresponding query plans are generated and evaluated based on additional heuristics to determine which can be executed to yield the best results in terms of result quality and latency. This query plan is selected and executed for retrieval of results that satisfy the query, with pagination utilized for presentation of the results. The procedure of generating candidate query plans, selecting one of the candidates for execution, and paginating results is repeated until a search termination criterion is satisfied.

IPC Classes

30.

CONSISTENT MONITORING AND ANALYTICS FOR SECURITY INSIGHTS FOR NETWORK AND SECURITY FUNCTIONS FOR A SECURITY SERVICE

Application Number 18360485
Status Pending
Filing Date 2023-07-27
First Publication Date 2024-01-25
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Oswal, Anand
  • Ramasamy, Arivu Mani
  • Ramachandran, Kumar

Abstract

Techniques for providing consistent monitoring and analytics for security insights for network and security functions for a security service are disclosed. In some embodiments, a system/process/computer program product for providing consistent monitoring and analytics for security insights for network and security functions for a security service includes receiving a flow at a software-defined wide area network (SD-WAN) device; inspecting the flow to determine whether the flow is associated with a split tunnel; and monitoring the flow at the SD-WAN device to collect security information associated with the flow for reporting to a security service.

IPC Classes

31.

AUTOMATED EXTRACTION AND CLASSIFICATION OF MALICIOUS INDICATORS

Application Number 18373481
Status Pending
Filing Date 2023-09-27
First Publication Date 2024-01-25
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Szurdi, Janos
  • Liu, Daiping
  • Wang, Jun

Abstract

Techniques for generating actionable indicators of compromise (IOCs) are disclosed. A set of potential sources for IOCs are received. One or more candidate IOCs are extracted from at least one source included in the set of potential sources. An actionable IOC is automatically identified from the one or more candidate IOCs. The actionable IOC is provided to a security enforcement service.

IPC Classes

32.

PACKET CLASSIFICATION FOR NETWORK ROUTING

Application Number 18478478
Status Pending
Filing Date 2023-09-29
First Publication Date 2024-01-25
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Zuk, Nir
  • Benoit, Marc Joseph

Abstract

Techniques for packet classification for network routing are disclosed. In some embodiments, packet classification for network routing includes receiving packets associated with a new flow at a security controller from a network device, in which the network device performs packet forwarding; classifying the flow; and determining an action for the flow based on a policy (e.g., a security policy). In some embodiments, the network device is a Software Defined Network (SDN) network device (e.g., a packet forwarding device that supports the OpenFlow protocol or another protocol).

IPC Classes

  • H04L 9/40 - Network security protocols
  • H04L 47/2441 - Traffic characterised by specific attributes, e.g. priority or QoS relying on flow classification, e.g. using integrated services [IntServ]
  • H04L 67/63 - Routing a service request depending on the request content or context
  • H04L 45/00 - Routing or path finding of packets in data switching networks
  • H04L 45/64 - Routing or path finding of packets in data switching networks using an overlay routing layer
  • H04L 69/22 - Parsing or analysis of headers

33.

SECURITY APPLIANCE TO MONITOR NETWORKED COMPUTING ENVIRONMENT

Application Number 18478637
Status Pending
Filing Date 2023-09-29
First Publication Date 2024-01-25
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Mouleeswaran, Chandra
  • Jensen, Wayne

Abstract

A security appliance samples data about software defined infrastructures (SDIs) of a cloud computing environment to incrementally build models that map resource attributes indicated in fields to data types. The security appliance uses the model(s) to provide context sensitive help in policy rule constructions.

IPC Classes

34.

DATA SLICING FOR INTERNET ASSET ATTRIBUTION

Application Number 17814005
Status Pending
Filing Date 2022-07-21
First Publication Date 2024-01-25
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Yadgaran, Elisha Aharon
  • Toman, Pamela Lynn
  • Mignot, Xavier Jacques
  • Wong, Sydney Marie
  • Lopez Suarez, Alejandro Omar
  • Papadimitriou, Christina
  • Heon, Gregory David
  • Isaksen, Aaron Mark
  • Kraning, Matthew Stephen

Abstract

An asset attribution model attributes assets to organizations according to metadata about the assets retrieved by a network scanner and other metadata in association with the assets that is retrieved and stored in a repository. A data slice rules interface applies logical rules to query the repository to retrieve metadata for assets satisfying each logical rule to generate data slices. Each logical rule is constructed so that assets satisfying the rule have attributions to known organizations. The asset attribution model is evaluated for accuracy in predicting known attributed organizations along each data slice. Depending on the resulting accuracies, the asset attribution model either updates its architecture and is retrained or is deployed for asset attribution.

IPC Classes

35.

NETWORK ATTACK DETECTION WITH TARGETED FEATURE EXTRACTION FROM EXPLOIT TOOLS

Application Number 17862869
Status Pending
Filing Date 2022-07-12
First Publication Date 2024-01-18
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Zhang, Zhibin
  • Chen, Jin
  • Fu, Yu
  • Achleitner, Stefan
  • Qu, Bo
  • Xu, Lei

Abstract

The present application discloses a method, system, and computer system for detecting malicious SQL or command injection strings. The method includes obtaining an SQL or command injection string and determining whether the command injection string is malicious based at least in part on a machine learning model.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06N 20/10 - Machine learning using kernel methods, e.g. support vector machines [SVM]

36.

SEQUENTIAL DUAL MACHINE LEARNING MODELS FOR EFFECTIVE CLOUD DETECTION ENGINES

Application Number 17862877
Status Pending
Filing Date 2022-07-12
First Publication Date 2024-01-18
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Fu, Yu
  • Xu, Lei
  • Chen, Jin
  • Zhang, Zhibin
  • Qu, Bo
  • Achleitner, Stefan

Abstract

The present application discloses a method, system, and computer system for detecting malicious files. The method includes obtaining network traffic, pre-filtering the network traffic based at least in part on a first set of features for traffic reduction, and using a detection model in connection with determining whether the filtered network traffic comprises malicious traffic, the detection model being based at least in part on a second set of features for malware detection.

IPC Classes

  • H04L 9/40 - Network security protocols
  • H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence

37.

NETWORK ATTACK DETECTION WITH TARGETED FEATURE EXTRACTION FROM EXPLOIT TOOLS

Application Number US2023026430
Publication Number 2024/015216
Status In Force
Filing Date 2023-06-28
Publication Date 2024-01-18
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Zhang, Zhibin
  • Chen, Jin
  • Fu, Yu
  • Achleitner, Stefan
  • Qu, Bo
  • Xu, Lei

Abstract

The present application discloses a method, system, and computer system for detecting malicious SQL or command injection strings. The method includes obtaining an SQL or command injection string and determining whether the command injection string is malicious based at least in part on a machine learning model.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06N 20/00 - Machine learning
  • H04L 9/40 - Network security protocols
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures

38.

HIGH AVAILABILITY OF CLOUD-BASED SERVICES WITH ADDRESS TRANSLATION

Application Number 18465750
Status Pending
Filing Date 2023-09-12
First Publication Date 2024-01-04
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Lin, Shu
  • Xu, Patrick
  • Sadaram, Eswar Rao
  • Long, Hao

Abstract

Described herein are systems, methods, and software to enhance failover operations in a cloud computing environment. In one implementation, a method of operating a first service instance in a cloud computing environment includes obtaining a communication from a computing asset, wherein the communication comprises a first destination address. The method further provides replacing the first destination address with a second destination address in the communication, wherein the second destination address comprises a shared address for failover from a second service instance. After replacing the address, the method determines whether the communication is permitted based on the second destination address, and if permitted, processes the communication in accordance with a service executing on the service instance.

IPC Classes

  • H04L 61/2517 - Translation of Internet protocol [IP] addresses using port numbers
  • G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
  • H04L 67/10 - Protocols in which an application is distributed across nodes in the network
  • H04L 69/40 - Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass for recovering from a failure of a protocol instance or entity, e.g. service redundancy protocols, protocol state redundancy or protocol service redirection
  • G06F 11/20 - Error detection or correction of the data by redundancy in hardware using active fault-masking, e.g. by switching out faulty elements or by switching in spare elements

39.

Inline package name based supply chain attack detection and prevention

Application Number 17957650
Grant Number 11863586
Status In Force
Filing Date 2022-09-30
First Publication Date 2024-01-02
Grant Date 2024-01-02
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Duan, Ruian
  • Liu, Daiping
  • Wang, Jun
  • Xiao, Zihang

Abstract

Inline package name based supply chain attack detection and prevention is disclosed. An indication that a client device has made a request to a remote server for a package is received. A data appliance then performs an action responsive to the received indication. In an example implementation, the data appliance makes a determination of whether the request for the package is associated with a nonexisting package.

IPC Classes

40.

APPLICATION TRAFFIC FLOW PREDICTION BASED ON MULTI-STAGE NETWORK TRAFFIC FLOW SCANNING

Application Number US2023016575
Publication Number 2023/249679
Status In Force
Filing Date 2023-03-28
Publication Date 2023-12-28
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Sang, Daphne
  • Patil, Harish

Abstract

In a network control plane, a pattern matching database is built and maintained for identifying an application or application level protocol. In addition, pattern matching databases for predicting a subsequent flow for application layer/level protocols or data protocols are built and maintained. After flow differentiation in network traffic mirrored from a data plane, the network traffic flow is scanned in a first stage and then in a second stage if a signaling protocol message is detected in the first stage scan. For the second stage, one of the application/data protocol pattern databases is selected for scanning based on the signaling protocol message detected in the first stage scanning. If a match is found from the stage 2 scanning, a mapping between the signaling protocol identifier and an identifier for a predicted application traffic flow is created and communicated to the data plane for policy selection and enforcement.

IPC Classes

  • H04L 9/40 - Network security protocols
  • H04L 43/028 - Capturing of monitoring data by filtering
  • H04L 45/302 - Route determination based on requested QoS
  • H04L 45/745 - Address table lookup; Address filtering
  • H04L 47/2408 - Traffic characterised by specific attributes, e.g. priority or QoS for supporting different services, e.g. a differentiated services [DiffServ] type of service
  • H04L 69/22 - Parsing or analysis of headers

41.

APPLICATION TRAFFIC FLOW PREDICTION BASED ON MULTI-STAGE NETWORK TRAFFIC FLOW SCANNING

Application Number 17819708
Status Pending
Filing Date 2022-08-15
First Publication Date 2023-12-28
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Sang, Daphne
  • Patil, Harish

Abstract

In a network control plane, a pattern matching database is built and maintained for identifying an application or application level protocol. In addition, pattern matching databases for predicting a subsequent flow for application layer/level protocols or data protocols are built and maintained. After flow differentiation in network traffic mirrored from a data plane, the network traffic flow is scanned in a first stage and then in a second stage if a signaling protocol message is detected in the first stage scan. For the second stage, one of the application/data protocol pattern databases is selected for scanning based on the signaling protocol message detected in the first stage scanning. If a match is found from the stage 2 scanning, a mapping between the signaling protocol identifier and an identifier for a predicted application traffic flow is created and communicated to the data plane for policy selection and enforcement.

IPC Classes

  • H04L 45/00 - Routing or path finding of packets in data switching networks
  • H04L 45/745 - Address table lookup; Address filtering

42.

5G LAN SECURITY

Application Number 17852062
Status Pending
Filing Date 2022-06-28
First Publication Date 2023-12-28
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Burakovsky, Leonid
  • Verma, Sachin
  • Koratala, Sree

Abstract

Techniques for 5G LAN security in mobile networks are disclosed. In some embodiments, a system/process/computer program product for 5G LAN security in mobile networks includes monitoring network traffic on a mobile network at a security platform to identify a new session; extracting a plurality of 5G LAN related parameters using an application programming interface (API) at the security platform; and enforcing a security policy on the new session at the security platform based on one or more of the plurality of 5G LAN related parameters to apply 5G LAN security in the mobile network.

IPC Classes

  • H04W 12/37 - Managing security policies for mobile devices or for controlling mobile applications
  • H04W 12/121 - Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
  • H04W 24/10 - Scheduling measurement reports

43.

Blocking download of content

Application Number 17574495
Grant Number 11855964
Status In Force
Filing Date 2022-01-12
First Publication Date 2023-12-26
Grant Date 2023-12-26
Owner Palo Alto Networks, Inc. (USA)
Inventor Xie, Huagang

Abstract

At least initially blocking client download of certain content and injecting a user verification step for such downloads is disclosed. In some embodiments, a notification page with an option to accept a response from a server is provided to a client, an indication of user selection of the option to accept in the notification page is received from the client, and requested content received from the server is provided to the client. Injecting a user verification step via the notification page before providing requested content facilitates protecting the client from security threats.

IPC Classes

  • H04L 29/00 - Arrangements, apparatus, circuits or systems, not covered by a single one of groups
  • H04L 67/00 - Network arrangements or protocols for supporting network services or applications
  • H04L 9/40 - Network security protocols
  • H04L 67/06 - Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
  • H04L 67/02 - Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
  • H04L 67/01 - Protocols

44.

SECURING CONTROL AND USER PLANE SEPARATION IN MOBILE NETWORKS

Application Number 18314023
Status Pending
Filing Date 2023-05-08
First Publication Date 2023-12-21
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Burakovsky, Leonid
  • Verma, Sachin
  • Hu, Fengliang
  • Chen, I-Chun
  • Lim, How Tung

Abstract

Techniques for securing control and user plane separation in mobile networks (e.g., service provider networks for mobile subscribers, such as for 4G/5G networks) are disclosed. In some embodiments, a system/process/computer program product for securing control and user plane separation in mobile networks includes monitoring network traffic on a mobile network at a security platform to identify a Packet Forwarding Control Protocol (PFCP) message associated with a new session, in which the mobile network includes a 4G network or a 5G network; extracting a plurality of parameters from the PFCP message at the security platform; and enforcing a security policy at the security platform on the new session based on one or more of the plurality of parameters to secure control and user plane separation in the mobile network.

IPC Classes

45.

FAST POLICY MATCHING WITH RUNTIME SIGNATURE UPDATE

Application Number 17842324
Status Pending
Filing Date 2022-06-16
First Publication Date 2023-12-21
Owner Palo Alto Networks, Inc. (USA)
Inventor Cai, Chunqing

Abstract

Techniques for fast policy matching with runtime signature update are disclosed. In some embodiments, a system/process/computer program product for fast policy matching with runtime signature update includes receiving a plurality of rules for malware signatures; compiling the plurality of rules for a fast policy matching engine that detects malware using the malware signatures; and executing the compiled plurality of rules using the fast policy matching engine to detect malware using at least one of the malware signatures.

IPC Classes

46.

RENDERING CONTEXTUAL SECURITY INFORMATION DETERMINED IN-BROWSER WITH WEB PAGES OF CLOUD AND SAAS VENDORS

Application Number US2023017859
Publication Number 2023/239444
Status In Force
Filing Date 2023-04-07
Publication Date 2023-12-14
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor Narayan, Krishnan Shankar

Abstract

A browser extension produces a single view comprising content of web pages of a target vendor requested by a customer and corresponding security information for the target vendor maintained for the customer. Fingerprints of the target vendor's web page URLs and web page elements corresponding to resources, respectively, are determined. As the web browser retrieves web pages and the customer selects web page elements that identify resources, the browser extension matches URLs and/or HTML/XML syntactic patterns of the retrieved web pages to the fingerprints to determine the security information to obtain from backend storage. The type/granularity of information that is retrieved can vary depending on the identified fingerprint match. The browser extension retrieves security information corresponding to fingerprints for which matches are identified, generates security overviews therefrom, and integrates the security overviews into the requested web pages to generate a consolidated, multi-perspective view.

IPC Classes

  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
  • H04L 9/40 - Network security protocols

47.

WHITELISTING CLIENTS ACCESSING RESOURCES VIA A SECURE WEB GATEWAY WITH TIME-BASED ONE TIME PASSWORDS FOR AUTHENTICATION

Application Number 18451155
Status Pending
Filing Date 2023-08-17
First Publication Date 2023-12-14
Owner Palo Alto Networks, Inc. (USA)
Inventor Sahni, Mohit

Abstract

Each tenant of a secure web gateway (SWG) is issued a secret key. A user accesses a unique secret key derived from the tenant's secret key and loads the secret key into an application which generates time-based one time passwords (TOTPs). When the SWG receives a connection request from a client and cannot decrypt the network traffic, the SWG challenges the client request and indicates an authentication scheme to be used. The client obtains user credentials, constructs a response to the challenge based on the authentication scheme, and issues a connection request to the SWG which indicates the response. The SWG determines an expected response based on a locally generated TOTP and the secret key of the corresponding tenant. If the expected response matches the provided response, the SWG authenticates the user, allows the connection request, and whitelists the client for a period longer than the lifetime of the TOTP.

IPC Classes

  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • H04L 67/02 - Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
  • H04L 9/08 - Key distribution

48.

RENDERING CONTEXTUAL SECURITY INFORMATION DETERMINED IN-BROWSER WITH WEB PAGES OF CLOUD AND SAAS VENDORS

Application Number 17806079
Status Pending
Filing Date 2022-06-09
First Publication Date 2023-12-14
Owner Palo Alto Networks, Inc. (USA)
Inventor Narayan, Krishnan Shankar

Abstract

A browser extension produces a single view comprising content of web pages of a target vendor requested by a customer and corresponding security information for the target vendor maintained for the customer. Fingerprints of the target vendor's web page URLs and web page elements corresponding to resources, respectively, are determined. As the web browser retrieves web pages and the customer selects web page elements that identify resources, the browser extension matches URLs and/or HTML/XML syntactic patterns of the retrieved web pages to the fingerprints to determine the security information to obtain from backend storage. The type/granularity of information that is retrieved can vary depending on the identified fingerprint match. The browser extension retrieves security information corresponding to fingerprints for which matches are identified, generates security overviews therefrom, and integrates the security overviews into the requested web pages to generate a consolidated, multi-perspective view.

IPC Classes

49.

Providing application security using causal graph

Application Number 17096705
Grant Number 11838316
Status In Force
Filing Date 2020-11-12
First Publication Date 2023-12-05
Grant Date 2023-12-05
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Varadarajan, Subramanian
  • Antonyraj, Rosarin Roy

Abstract

Computer systems and methods are provided for storing a first path profile. A computing device receives a first request to access a first location of a website, transmits the first request to a server, and receives a first cookie that includes identifying information for the first location. In response to receiving the first cookie, the device stores the identifying information. The device receives a second request to access a second location of the website that is distinct from the first location. The second request includes the identifying information for the first location. The device transmits the second request to the server and receives a second cookie that includes the identifying information for the first location and for the second location. In response to receiving the second cookie, the device stores the first path profile that includes the identifying information for the first location and the second location.

IPC Classes

50.

AUTOMATED MATCHING OF VULNERABILITY DATA BETWEEN VULNERABILITY FEEDS

Application Number 17804719
Status Pending
Filing Date 2022-05-31
First Publication Date 2023-11-30
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Zelivansky, Ariel M.
  • Ben Zeev, Sharon
  • Ben Hai, Shaul
  • Levin, Liron

Abstract

A system has been designed that examines details of a security advisory against informal vulnerability records. The system generates a vulnerability match confidence value based on comparison of different details in the security advisory against the informal vulnerability records. Based on the comparisons, the system determines similarity of different details between the security advisory and the informal vulnerability records and cumulatively updates a vulnerability match confidence value with various detail similarity weights according to the determined similarities. Based on the vulnerability match confidence value, the system can classify or designate a security advisory for automatic merging or for manual examination. This reduces the burden on cybersecurity personnel and allows cybersecurity personnel to focus their limited resources on analyzing new vulnerabilities.

IPC Classes

51.

POLICY ENFORCEMENT USING HOST INFORMATION PROFILE

Application Number 18116774
Status Pending
Filing Date 2023-03-02
First Publication Date 2023-11-30
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Leung, Siu-Wang
  • Wang, Song
  • Chen, Yueh-Zen

Abstract

Embodiments of the present application relate to a method for policy enforcement, a system for policy enforcement, and a computer program product for policy enforcement. A method for policy enforcement is provided. The method includes receiving a host information profile report from a client device, and enforcing a security policy for network access based on the host information profile report. The host information profile report includes device profile information associated with the client device.

IPC Classes

52.

AUTOMATIC AND DYNAMIC PERFORMANCE BENCHMARKING AND SCORING OF APPLICATIONS BASED ON CROWDSOURCED TRAFFIC DATA

Application Number 18447789
Status Pending
Filing Date 2023-08-10
First Publication Date 2023-11-30
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Bothe, John
  • Siakou, Hristos
  • Nikolouzakis, Con

Abstract

The disclosure describes various aspects of crowdsourcing traffic data for automatic and dynamic benchmarking of applications. In an aspect, an intelligence layer, communicatively coupled to a data collection layer and a visualization layer, is configured to receive traffic data from data sources (e.g., physical appliances, probes) in the data collection layer, the data sources being associated with multiple customers, and the traffic data being associated with at least one application (e.g., word processing, video streaming) used by the multiple customers. The intelligence layer is a cloud-based layer further configured to process the traffic data to determine performance thresholds for the at least one application, and may send one or more of the performance thresholds to a data source for a different customer to be used for benchmarking the at least one application for the different customer.

IPC Classes

  • H04L 43/022 - Capturing of monitoring data by sampling
  • H04L 43/16 - Threshold monitoring
  • H04L 43/062 - Generation of reports related to network traffic
  • H04L 43/12 - Network monitoring probes
  • H04L 43/04 - Processing captured monitoring data, e.g. for logfile generation
  • H04L 43/0876 - Network utilisation, e.g. volume of load or congestion level

53.

AUTOMATICALLY DETECTING UNKNOWN PACKERS

Application Number US2023022284
Publication Number 2023/229873
Status In Force
Filing Date 2023-05-15
Publication Date 2023-11-30
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Lu, Chienhua
  • Hu, Wenjun

Abstract

Techniques for automatically detecting unknown packers are disclosed. In some embodiments, a system/process/computer program product for automatically detecting unknown packers includes receiving a plurality of samples for malware packer detection analysis; performing a packer filter to determine whether each of the plurality of samples is packed; emulating each of the packed samples to extract a plurality of features; and clustering the packed samples based on the extracted features.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • H04L 9/40 - Network security protocols

54.

DOMAIN-INDEPENDENT RESOURCE SECURITY AND MANAGEMENT

Application Number 18365638
Status Pending
Filing Date 2023-08-04
First Publication Date 2023-11-30
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Mehata, Angad Abhay
  • Mouleeswaran, Chandra Biksheswaran
  • Badhwar, Varun
  • Jensen, Wayne Jens

Abstract

A resource database which stores structured data describing resources from a diverse array of origins (e.g., an application or cloud environment) is built and maintained to support querying, policy enforcement, and remediation of resources from any origin. Structured data representing resources are obtained from any origin for insertion and categorized based on their type and/or origin. Resources within a category have a shared set of potential object paths as defined by the hierarchical tree structure of their structured data. Resources may be correlated across categories based on having values at different object paths in common. Queries and rules/policies can thus reference resources of any category and also resources across different categories based on correlations between the resources, thereby extending rule/policy enforcement and incident remediation across multiple different origins of resources.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 16/28 - Databases characterised by their database models, e.g. relational or object models
  • G06F 9/451 - Execution arrangements for user interfaces

55.

AUTOMATICALLY DETECTING UNKNOWN PACKERS

      
Application Number 17824427
Status Pending
Filing Date 2022-05-25
First Publication Date 2023-11-30
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Lu, Chienhua
  • Hu, Wenjun

Abstract

Techniques for automatically detecting unknown packers are disclosed. In some embodiments, a system/process/computer program product for automatically detecting unknown packers includes receiving a plurality of samples for malware packer detection analysis; performing a packer filter to determine whether each of the plurality of samples is packed; emulating each of the packed samples to extract a plurality of features; and clustering the packed samples based on the extracted features.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules

56.

AUTOMATED CONTENT TAGGING WITH LATENT DIRICHLET ALLOCATION OF CONTEXTUAL WORD EMBEDDINGS

      
Application Number 18363313
Status Pending
Filing Date 2023-08-01
First Publication Date 2023-11-23
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Thor, Nandan Gautam
  • Arvaniti, Vasiliki
  • Helenius, Jere Armas Michael
  • Bower, Erik Michael

Abstract

Dynamic content tags are generated as content is received by a dynamic content tagging system. A natural language processor (NLP) tokenizes the content and extracts contextual N-grams based on local or global context for the tokens in each document in the content. The contextual N-grams are used as input to a generative model that computes a weighted vector of likelihood values that each contextual N-gram corresponds to one of a set of unlabeled topics. A tag is generated for each unlabeled topic comprising the contextual N-gram having a highest likelihood to correspond to that unlabeled topic. Topic-based deep learning models having tag predictions below a threshold confidence level are retrained using the generated tags, and the retrained topic-based deep learning models dynamically tag the content.

IPC Classes

57.

IDENTIFY AND BLOCK DOMAINS USED FOR NXNS-BASED DDOS ATTACK

      
Application Number 17826766
Status Pending
Filing Date 2022-05-27
First Publication Date 2023-11-16
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Duan, Ruian
  • Liu, Daiping

Abstract

Techniques for identifying and blocking domains used for NXNS-based distributed denial of service (DDoS) attacks are disclosed. An analysis of DNS data is performed to identify a candidate attack domain associated with an NXNS attack. The candidate attack domain is confirmed as a confirmed attack domain based at least in part on a validation.

IPC Classes

58.

FIREWALL SWITCHOVER WITH MINIMIZED SESSION DISCONNECTION

      
Application Number 17663257
Status Pending
Filing Date 2022-05-13
First Publication Date 2023-11-16
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Singh, Tapraj
  • Parandekar, Harshavardhan
  • Magharei, Nazanin
  • Bhardwaj, Rimu
  • Guleria, Vikram

Abstract

A pseudo-active/active firewall configuration handles firewall switchover events with minimized session disconnection. A passive firewall is set to an active state, and an active firewall is switched to a pseudo-active state wherein it continues to process ingress and egress traffic according to traffic handling protocols for its active state. During updating of a corresponding Network Address Translation (NAT) table to route traffic to the now-active firewall, the pseudo-active firewall enters a forwarding state wherein it forwards ingress network sessions to the now-active firewall and processes the ingress network sessions according to its active state. The now-active firewall receives the ingress network sessions and records session states prior to discarding them. After updating the NAT table, when traffic is routed to the now-active firewall, the recorded session states are used to maintain active sessions.

IPC Classes

  • H04L 9/40 - Network security protocols
  • H04L 61/256 - NAT traversal
  • H04L 61/2514 - Translation of Internet protocol [IP] addresses between local and global IP addresses

59.

PATTERN MATCH-BASED DETECTION IN IOT SECURITY

      
Application Number 18226161
Status Pending
Filing Date 2023-07-25
First Publication Date 2023-11-16
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Du, Jun
  • Wang, Mei
  • Regalado, Hector Daniel
  • Xia, Jianhong

Abstract

Techniques for providing Internet of Things (IoT) security are disclosed. An applicable system includes profiling IoT devices to limit the number of network signatures applicable to the IoT devices and performing pattern matching using a pattern that is appropriate for the profile of a given IoT device.

IPC Classes

60.

Firewall switchover with minimized traffic disruption

      
Application Number 17663249
Grant Number 11824757
Status In Force
Filing Date 2022-05-13
First Publication Date 2023-11-16
Grant Date 2023-11-21
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Singh, Tapraj
  • Magharei, Nazanin
  • Bhardwaj, Rimu
  • Parandekar, Harshavardhan
  • Guleria, Vikram

Abstract

A pseudo-active/active firewall configuration handles firewall switchover events without traffic disruption. A passive firewall is set to an active state, and an active firewall is switched to a pseudo-active state wherein it continues to process ingress and egress traffic according to traffic handling protocols for its active state. An Internet protocol address binding linking the now pseudo-active firewall to an Internet gateway that forwards traffic to the firewalls is updated in a network address translation (NAT) table to route traffic to the newly active firewall. Once a pseudo-active timer expires and the binding is successfully updated to route traffic to the newly active firewall, the pseudo-active firewall is set to a passive state.

IPC Classes

61.

SYSTEM AND METHOD FOR LOCATING DGA COMPROMISED IP ADDRESSES

      
Application Number 17735896
Status Pending
Filing Date 2022-05-03
First Publication Date 2023-11-09
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Jiang, Weihan
  • He, David Qianshan
  • Jiang, Xuya

Abstract

A system and method for locating DGA compromised IP addresses is provided. A domain name system (DNS) stream is received. The DNS stream is classified into DGA generated domains using a machine learning classifier to generate a classification output. User behavior profiling is performed to enhance the classification output. A verdict is generated based on the user behavior profiling of the classification output including identifying a compromised source IP address associated with a detected DGA malware attack.

IPC Classes

62.

PRECISION AI

      
Serial Number 98262728
Status Pending
Filing Date 2023-11-09
Owner Palo Alto Networks, Inc.
NICE Classes 42 - Scientific, technological and industrial services, research and design

Goods & Services

Software as a service (SAAS) services featuring software using artificial intelligence for the monitoring of computer systems for security purposes, namely, for detecting, analyzing, preventing, and responding to threats of unauthorized access, data breaches, security violations, phishing attacks, ransomware, security vulnerabilities, and malware

63.

CONTENT-BASED DEEP LEARNING FOR INLINE PHISHING DETECTION

      
Application Number 17661370
Status Pending
Filing Date 2022-04-29
First Publication Date 2023-11-02
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Hu, Lucas Mingyuan
  • Chung, Seokkyung
  • Fan, Jingwei
  • Wang, Wei
  • Kutt, Brody James
  • Hewlett, Ii, William Redington

Abstract

An inline and offline machine learning pipeline for detection of phishing attacks with a holistic, easily upgradeable framework is presented herein. A packet analyzer records capture logs of network traffic between an endpoint device and a firewall. A parser extracts inputs from the capture logs inline that it communicates to one of an inline model and an offline model for phishing detection. The inline model and offline model are neural networks with parallelizable network architectures that do not depend on handcrafted inputs. The inline model operates inline with the packet analyzer and parser and makes fast phishing attack classifications based on inputs generated from capture logs. The offline model uses additional inputs such as inputs generated from network logs to make phishing attack classifications.

IPC Classes

64.

APPLICATION IDENTIFICATION FOR PHISHING DETECTION

      
Application Number US2023017111
Publication Number 2023/211629
Status In Force
Filing Date 2023-03-31
Publication Date 2023-11-02
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Shao, Rongbo
  • Qu, Bo
  • He, Zhanglin
  • Xu, Shengming
  • Lee, Amy

Abstract

Techniques for application identification for phishing detection are disclosed. In some embodiments, a system/process/computer program product for application identification for phishing detection includes monitoring network activity associated with a session to detect a request to access a site; determining advanced application identification associated with the site; and identifying the site as a phishing site based on the advanced application identification.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 16/955 - Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]

65.

COMMUNICATING URL CATEGORIZATION INFORMATION

      
Application Number 18220190
Status Pending
Filing Date 2023-07-10
First Publication Date 2023-11-02
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Zheng, Dao-Chen
  • Cao, Wei
  • Hewlett, Ii, William Redington
  • Zhou, Shangde

Abstract

A URL categorization query is received. The URL categorization query includes at least one URL. The URL is used to determine a set of data distribution keys. A distributed key-value data store is queried using at least one data distribution key included in the determined set of data distribution keys. Categorization information is returned. The returned URL categorization information can be used to enforce policies.

IPC Classes

  • G06F 16/955 - Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
  • G06F 16/9035 - Filtering based on additional data, e.g. user or group profiles
  • G06F 16/9038 - Presentation of query results
  • G06F 18/24 - Classification techniques

66.

OPTIMIZED ADAPTIVE POOLING LAYER HYPERPARAMETERS FOR VARIABLY SIZED INPUTS

      
Application Number 17661378
Status Pending
Filing Date 2022-04-29
First Publication Date 2023-11-02
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Kutt, Brody James
  • Hewlett, Ii, William Redington

Abstract

Adaptive pooling layers for compressing variably sized inputs use window sizes and stride lengths specific to variable input size and fixed output size at the pooling layer. A naïve and an optimal adaptive pooling algorithm disclosed herein determine window size and stride length for variable sized inputs while minimizing window size and ensuring no padding is used in the output representation. These adaptive pooling algorithms are implemented in a pipeline for text document classification involving a natural language processor that generates embedding vectors for variably sized text documents and at least one of the adaptive pooling algorithms at a first adaptive pooling layer of a classification neural network to process the embedding vectors.

IPC Classes

67.

DETECTING PHISHING PDFS WITH AN IMAGE-BASED DEEP LEARNING APPROACH

      
Application Number 17734956
Status Pending
Filing Date 2022-05-02
First Publication Date 2023-10-26
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Du, Min
  • Huang, Hao
  • Carmony, Curtis Leland
  • Hu, Wenjun
  • Raygoza, Daniel
  • Halfpop, Tyler Pals
  • White, Jeff
  • Idrizovic, Esmid

Abstract

The detection of phishing Portable Document Format (PDF) files using an image-based deep learning approach is disclosed. A PDF document that includes a Universal Resource Locator is received. A likelihood that the received PDF document represents a phishing threat is determined, at least in part, by using an image based model. A verdict for the PDF document is provided as output based at least in part on the determined likelihood.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

68.

MALWARE DETECTION FOR DOCUMENTS WITH DEEP MUTUAL LEARNING

      
Application Number 17853762
Status Pending
Filing Date 2022-06-29
First Publication Date 2023-10-26
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Du, Min
  • Carmony, Curtis Leland
  • Hu, Wenjun

Abstract

The detection of malicious documents using deep mutual learning is disclosed. A document is received for maliciousness determination. A likelihood that the received document represents a threat is determined. The determination is made, at least in part, using a raw bytes model that was trained, at least in part, using a mutual learning process in conjunction with training an image based model. A verdict for the document is provided as output based at least in part on the determined likelihood.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

69.

DETECTION OF USER ANOMALIES FOR SOFTWARE AS A SERVICE APPLICATION TRAFFIC WITH HIGH AND LOW VARIANCE FEATURE MODELING

      
Application Number 17660164
Status Pending
Filing Date 2022-04-21
First Publication Date 2023-10-26
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Akhtar, Muhammad Aurangzeb

Abstract

Low variance clustering models and high variance clustering models comprising low and high variance features of user Software as a Service application traffic detect anomalous user behavior and, when risk thresholds are exceeded, trigger behavioral alerts. The low and high variance clustering models are trained with feature vectors that are dimension reduced using principal component analysis, and clusters therein are classified as normal, benign, or malicious. Models are trained repeatedly in a sliding time window of training data to detect recent and potentially malicious user behavior. Behavioral alerts are triggered according to criteria specific to each of the low and high variance clustering models that account for the increased risk associated with anomalous changes in low variance features.

IPC Classes

70.

APPLICATION IDENTIFICATION FOR PHISHING DETECTION

      
Application Number 17729723
Status Pending
Filing Date 2022-04-26
First Publication Date 2023-10-26
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Shao, Rongbo
  • Qu, Bo
  • He, Zhanglin
  • Xu, Shengming
  • Lee, Amy

Abstract

Techniques for application identification for phishing detection are disclosed. In some embodiments, a system/process/computer program product for application identification for phishing detection includes monitoring network activity associated with a session to detect a request to access a site; determining advanced application identification associated with the site; and identifying the site as a phishing site based on the advanced application identification.

IPC Classes

71.

DETECTING MICROSOFT .NET MALWARE USING MACHINE LEARNING ON .NET STRUCTURE

      
Application Number 17730083
Status Pending
Filing Date 2022-04-26
First Publication Date 2023-10-26
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Rao, Akshata Krishnamoorthy
  • Samuel, Yaron
  • Reichel, Dominik
  • Jung, Robert

Abstract

The present application discloses a method, system, and computer system for detecting malicious .NET files. The method includes receiving a sample that comprises a .NET file, obtaining information pertaining to common language runtime (CLR) metadata and streams associated with the .NET file, and determining whether the sample is malware based at least in part on (i) a classifier, and (ii) the information pertaining to the CLR metadata and streams.

IPC Classes

72.

APPLICATION-LEVEL SANDBOXING ON DEVICES

      
Application Number 18196683
Status Pending
Filing Date 2023-05-12
First Publication Date 2023-10-26
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Xu, Zhi
  • Zheng, Cong
  • Luo, Tongbo
  • Hu, Wenjun

Abstract

Execution of an application in an application-level sandbox is disclosed. A request to launch an application is received by an operating system executing on a device. A determination is made that a stored copy of the application should be executed within an application-level sandbox. The stored copy of the application is executed in the application-level sandbox.

IPC Classes

  • G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
  • G06F 21/14 - Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

73.

COMBINATION RULE MINING FOR MALWARE SIGNATURE GENERATION

      
Application Number 18217273
Status Pending
Filing Date 2023-06-30
First Publication Date 2023-10-26
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Du, Min
  • Hu, Wenjun
  • Hewlett, Ii, William Redington

Abstract

Malware signature generation through combination rule mining is disclosed. A set of properties associated, collectively, with a plurality of data samples is received. A first data sample has a first set of properties and a second data sample has a second set of properties. A combination signature comprising at least a first property included in the first set of properties and a second property included in the second set of properties is generated.

IPC Classes

74.

FIREWALL LOAD BALANCING WITH TUNNEL SWITCHING PROTOCOLS

      
Application Number 17660128
Status Pending
Filing Date 2022-04-21
First Publication Date 2023-10-26
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Kadam, Avaneesh Anandrao
  • Bhupalam, Bhaskar
  • Kulkarni, Ketan Gunawant

Abstract

An auto scale monitoring service performs load balancing on a cloud firewall with minimized traffic disruption using eager and lazy load balancing protocols. The auto scale monitoring service operates through an orchestrator that initializes a new firewall and sends forwarding instructions to the new firewall for rerouting excess traffic. The auto scale monitoring service additionally operates through a software defined wide area network controller that sends routing instructions to a local branch of network devices to reroute to the new firewall from an overloaded current firewall. The eager protocol immediately tears down a tunneling session from the local branch to the current firewall, and the lazy protocol gradually tears down this tunneling session. Both protocols properly inform firewalls how to forward ongoing traffic in each case and establish updated traffic flow through a tunneling session from the local branch to the new firewall.

IPC Classes

  • H04L 47/125 - Avoiding congestion; Recovering from congestion by balancing the load, e.g. traffic engineering
  • H04L 12/46 - Interconnection of networks
  • H04L 9/40 - Network security protocols

75.

MALWARE DETECTION FOR DOCUMENTS USING KNOWLEDGE DISTILLATION ASSISTED LEARNING

      
Application Number 17853768
Status Pending
Filing Date 2022-06-29
First Publication Date 2023-10-26
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Du, Min
  • Carmony, Curtis Leland
  • Hu, Wenjun

Abstract

The detection of malicious documents using knowledge distillation assisted learning is disclosed. A document is received for maliciousness determination. A likelihood that the received document represents a threat is determined. The determination is made, at least in part, using a raw bytes model that was trained, at least in part, using image model prediction probabilities. A verdict for the document is provided as output based at least in part on the determined likelihood.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

76.

SYSTEM AND METHOD FOR DETECTING DICTIONARY-BASED DGA TRAFFIC

      
Application Number 17723292
Status Pending
Filing Date 2022-04-18
First Publication Date 2023-10-19
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Szurdi, Janos
  • Jiang, Weihan
  • He, David Qianshan

Abstract

A system and method for detecting dictionary-based DGA traffic is provided. A domain name system (DNS) stream is received. The DNS stream is classified using a per domain dictionary domain generation algorithm (DGA) classifier to generate candidate dictionary DGA domains with cluster information. The candidate dictionary DGA domains are filtered to generate a set of dictionary DGA domains. An action is performed based on a match with a monitored domain name of a monitored DNS request and a dictionary DGA domain of the set of dictionary DGA domains.

IPC Classes

77.

IN-LINE DETECTION OF ALGORITHMICALLY GENERATED DOMAINS

      
Application Number 18212311
Status Pending
Filing Date 2023-06-21
First Publication Date 2023-10-19
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Liu, Daiping
  • Walter, Martin
  • Hua, Ben
  • Li, Suquan
  • Fei, Fan
  • Chung, Seokkyung
  • Wang, Jun
  • Xu, Wei

Abstract

Detection of algorithmically generated domains is disclosed. A DNS query is received. Markov Chain analysis is performed on a domain included in the received query. A determination of whether the received query implicates an algorithmically generated domain is made based at least in part on a result of the Markov Chain analysis.

IPC Classes

  • H04L 61/3015 - Name registration, generation or assignment
  • H04L 61/4511 - Network directories; Name-to-address mapping using standardised directory access protocols using domain name system [DNS]
  • H04L 9/40 - Network security protocols
  • G06F 16/955 - Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06N 20/00 - Machine learning
  • H04L 61/10 - Mapping addresses of different types
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

78.

METHOD AND SYSTEM FOR PROVIDING DNS SECURITY USING PROCESS INFORMATION

      
Application Number 18077516
Status Pending
Filing Date 2022-12-08
First Publication Date 2023-10-19
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Xiao, Zihang
  • Chen, Zhanhao

Abstract

Domain Name System (DNS) security using process information is provided. An application accessing an internet service using a domain name is determined. Process information associated with the application is identified, along with an associated DNS query to identify an IP address associated with the domain name. The process information and the associated DNS query are sent to a DNS security service. An action is performed based on a response from the DNS security service.

IPC Classes

79.

HEIDI: ML ON HYPERVISOR DYNAMIC ANALYSIS DATA FOR MALWARE CLASSIFICATION

      
Application Number 17715572
Status Pending
Filing Date 2022-04-07
First Publication Date 2023-10-12
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Chhetri, Sujit Rokka
  • Rao, Akshata Krishnamoorthy
  • Raygoza, Daniel
  • Idrizovic, Esmid
  • Hewlett, Ii, William Redington
  • Jung, Robert

Abstract

The present application discloses a method, system, and computer system for detecting malicious files. The method includes executing a sample in a virtual environment, and determining whether the sample is malware based at least in part on memory-use artifacts obtained in connection with execution of the sample in the virtual environment.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine

80.

PREVENTING RANSOMWARE FROM ENCRYPTING FILES ON A TARGET MACHINE

      
Application Number 18209897
Status Pending
Filing Date 2023-06-14
First Publication Date 2023-10-12
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Aharoni, Eldar
  • Goldstein, Vadim
  • Sapir, Mashav
  • Kitaichik, Jenny

Abstract

Techniques for preventing ransomware from encrypting files on a target machine are disclosed. In some embodiments, a system/process/computer program product for preventing ransomware from encrypting files on a target machine includes monitoring file system activities on a computing device; detecting an unauthorized activity associated with a honeypot file or honeypot folder; and performing an action based on a policy in response to the unauthorized activity associated with the honeypot file or honeypot folder.

IPC Classes

  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

81.

ENFORCING A DYNAMICALLY MODIFIABLE GEOFENCE BASED ON CONDITIONS OF A CELLULAR NETWORK

      
Application Number US2023063831
Publication Number 2023/183707
Status In Force
Filing Date 2023-03-07
Publication Date 2023-09-28
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Chandrasekaran, Arun Athrey
  • Kadam, Avaneesh Anandrao

Abstract

A geofencing service establishes an initial geofence for monitoring devices connected to a cellular network. Upon receipt of a notification generated and transmitted by a device that crossed the geofence, the service determines a difference in location of the device at the times of notification generation and transmission based on coordinates included in the notification. A difference in location that satisfies a criterion indicates that the geofence corresponds to a geographic location with poor cellular network connectivity. The service modifies the geofence radius based on available signal strength data and enforces the resulting modified geofence. After this first radius modification, the service determines quality of network connectivity at geographic locations corresponding to internally tracked "shadow" geofences and modifies the geofence radius if device coordinates indicate that a shadow geofence corresponds to an area with sufficient connectivity. Geofence radius modification is ongoing until the geofence is returned to its initial configuration.

IPC Classes

  • H04W 4/021 - Services related to particular areas, e.g. point of interest [POI] services, venue services or geofences
  • H04B 17/318 - Received signal strength
  • H04L 67/52 - Network services specially adapted for the location of the user terminal

82.

METHOD AND SYSTEM FOR AUTOMATICALLY GENERATING MALWARE SIGNATURE

      
Application Number 17666103
Status Pending
Filing Date 2022-02-07
First Publication Date 2023-09-28
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Ji, Yang
  • Halfpop, Tyler Pals
  • Xiao, Zihang
  • Hu, Wenjun

Abstract

Automatic generation of a malware signature is disclosed. Code of a sample including packages and function names is parsed. Standard type packages and vendor type packages are filtered from the code of the sample to obtain main type packages. A signature using a fuzzy hash for the sample is generated based on the main type packages. A determination of whether the sample is malware is performed using the signature and a similarity score threshold.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

83.

Cobalt strike beacon HTTP C2 heuristic detection

      
Application Number 17877813
Grant Number 11770361
Status In Force
Filing Date 2022-07-29
First Publication Date 2023-09-26
Grant Date 2023-09-26
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Jia, Yanhui
  • Navarrete Discua, Christian Elihu
  • Sangvikar, Durgesh Madhavrao
  • Neupane, Ajaya
  • Fu, Yu
  • Xu, Shengming

Abstract

Techniques for Cobalt Strike Beacon HTTP C2 heuristic detection are disclosed. In some embodiments, a system/process/computer program product for Cobalt Strike Beacon HTTP C2 heuristic detection includes monitoring HyperText Transfer Protocol (HTTP) network traffic at a firewall; prefiltering the monitored HTTP network traffic at the firewall to select a subset of the HTTP network traffic to forward to a cloud security service; determining whether the subset of the HTTP network traffic is associated with Cobalt Strike Beacon HTTP C2 traffic activity based on a plurality of heuristics; and performing an action in response to detecting the Cobalt Strike Beacon HTTP C2 traffic activity.

IPC Classes

  • G06F 9/00 - Arrangements for program control, e.g. control units
  • G06F 15/16 - Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
  • G06F 17/00 - Digital computing or data processing equipment or methods, specially adapted for specific functions
  • H04L 9/40 - Network security protocols

84.

ENFORCING A DYNAMICALLY MODIFIABLE GEOFENCE BASED ON CONDITIONS OF A CELLULAR NETWORK

      
Application Number 17655728
Status Pending
Filing Date 2022-03-21
First Publication Date 2023-09-21
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Chandrasekaran, Arun Athrey
  • Kadam, Avaneesh Anandrao

Abstract

A geofencing service establishes an initial geofence for monitoring devices connected to a cellular network. Upon receipt of a notification generated and transmitted by a device that crossed the geofence, the service determines a difference in location of the device at the times of notification generation and transmission based on coordinates included in the notification. A difference in location that satisfies a criterion indicates that the geofence corresponds to a geographic location with poor cellular network connectivity. The service modifies the geofence radius based on available signal strength data and enforces the resulting modified geofence. After this first radius modification, the service determines quality of network connectivity at geographic locations corresponding to internally tracked “shadow” geofences and modifies the geofence radius if device coordinates indicate that a shadow geofence corresponds to an area with sufficient connectivity. Geofence radius modification is ongoing until the geofence is returned to its initial configuration.

IPC Classes

  • H04W 4/021 - Services related to particular areas, e.g. point of interest [POI] services, venue services or geofences
  • H04W 24/10 - Scheduling measurement reports
  • H04B 17/318 - Received signal strength
  • G01S 5/00 - Position-fixing by co-ordinating two or more direction or position-line determinations; Position-fixing by co-ordinating two or more distance determinations

85.

Securely publishing applications from private networks

Application Number 18060774
Grant Number 11757826
Status In Force
Filing Date 2022-12-01
First Publication Date 2023-09-12
Grant Date 2023-09-12
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Jain, Jayant
  • Kean, Brian Russell
  • Ivaturi, Aditya Srinivasa
  • Sahni, Mohit
  • Peng, Mingfei

Abstract

A controller can securely publish an application of a tenant by securely extending a network fabric into the networks of the tenant with virtual private networks and NAT. After a tenant deploys an application into one or more networks of the tenant, the tenant can indicate select applications to publish. The network controller assigns a network address from the routable address space of the network fabric to the application and a network address aggregate to each application connector that will front an instance of the application, which securely extends the network fabric into the tenant network. The network controller configures NAT rules in the network fabric and on the application connector to create a route for traffic of the application through the network fabric to the application instance using a fully qualified domain name assigned to the application, without exposing a private network address of the application instance and while preserving the security of other resources on the tenant network.

IPC Classes

  • H04L 61/256 - NAT traversal
  • H04L 61/2592 - Translation of Internet protocol [IP] addresses using tunnelling or encapsulation
  • H04L 61/4511 - Network directories; Name-to-address mapping using standardised directory access protocols using domain name system [DNS]
  • H04L 101/618 - Types of network addresses - Details of network addresses

86.

CODE TO CLOUD

Serial Number 98166436
Status Pending
Filing Date 2023-09-06
Owner Palo Alto Networks, Inc.
NICE Classes 42 - Scientific, technological and industrial services, research and design

Goods & Services

Cloud-native application protection platform for an early threat detection and prevention system to ensure security, visibility, and control throughout the entire application life cycle process, including securing code, infrastructure, workloads, data, networks, cloud identities, web applications, and application programming interfaces across cloud-native environments, under a single unified user interface

87.

DETECTING MALICIOUS ACTIVITY ON AN ENDPOINT BASED ON REAL-TIME SYSTEM EVENTS

Application Number 18142522
Status Pending
Filing Date 2023-05-02
First Publication Date 2023-08-31
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Moshitzky, Roni
  • Wexler, Elad
  • Khousid, Marat
  • Pilosof, Guy

Abstract

Techniques for detecting malicious activity on an endpoint based on real-time system events are disclosed. In some embodiments, a system/process/computer program product for detecting malicious activity on an endpoint based on real-time system events includes monitoring an endpoint for malicious activity using an endpoint agent, in which the endpoint comprises a local device; detecting malicious activity associated with an application on the endpoint based on real-time system events using the endpoint agent based on a set of rules; and in response to detecting malicious activity on the endpoint based on real-time system events using the endpoint agent, performing a security response based on a security policy.

IPC Classes

88.

MULTI-LAYERED POLICY MANAGEMENT

Application Number 18142799
Status Pending
Filing Date 2023-05-03
First Publication Date 2023-08-31
Owner Palo Alto Networks, Inc. (USA)
Inventor Du, Jun

Abstract

Techniques for enforcing policy on multiple levels are disclosed. A multi-level policy includes at least one policy at a low level of abstraction and at least one policy at a high level of abstraction. An Internet of Things (IoT) device is discovered on a network. The IoT device is classified. The set of multi-level policies is applied to the IoT device based on the classification of the IoT device.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G16Y 30/10 - Security thereof
  • H04L 41/0631 - Management of faults, events, alarms or notifications using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
  • H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]

89.

Context-based security over interfaces in O-RAN environments in mobile networks

Application Number 18109171
Grant Number 11943620
Status In Force
Filing Date 2023-02-13
First Publication Date 2023-08-31
Grant Date 2024-03-26
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Verma, Sachin
  • Burakovsky, Leonid

Abstract

Techniques for applying context-based security over interfaces in O-RAN environments in mobile networks are disclosed. In some embodiments, a system/process/computer program product for applying context-based security over interfaces in O-RAN environments in mobile networks includes monitoring network traffic on a mobile network at a security platform to identify a GTP-U tunnel session setup message associated with a new session; extracting a plurality of parameters from the GTP-U tunnel session setup message and from F1AP traffic to extract contextual information at the security platform; and enforcing a security policy at the security platform on the new session based on one or more of the plurality of parameters to apply context-based security to the network traffic transported between O-RAN Distributed Unit (O-DU) and O-RAN Centralized Unit Control Plane (O-CU-CP) nodes in an O-RAN environment in the mobile network.

IPC Classes

  • H04W 12/088 - Access security using filters or firewalls
  • H04W 12/033 - Protecting confidentiality, e.g. by encryption of the user plane, e.g. user’s traffic
  • H04W 12/30 - Security of mobile devices; Security of mobile applications
  • H04W 12/60 - Context-dependent security
  • H04W 24/08 - Testing using real traffic
  • H04W 76/12 - Setup of transport tunnels
  • H04W 80/12 - Application layer protocols, e.g. WAP [Wireless Application Protocol]
  • H04W 84/04 - Large scale networks; Deep hierarchical networks

90.

CONTEXT-BASED SECURITY OVER INTERFACES IN NG-RAN ENVIRONMENTS IN MOBILE NETWORKS

Application Number 17681489
Status Pending
Filing Date 2022-02-25
First Publication Date 2023-08-31
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Verma, Sachin
  • Burakovsky, Leonid

Abstract

Techniques for applying context-based security over interfaces in NG-RAN environments in mobile networks are disclosed. In some embodiments, a system/process/computer program product for applying context-based security over interfaces in NG-RAN environments in mobile networks includes monitoring network traffic on a mobile network at a security platform to identify a GTP-U tunnel session setup message associated with a new session; extracting a plurality of parameters from the GTP-U tunnel session setup message and from XnAP traffic to extract contextual information at the security platform; and enforcing a security policy at the security platform on the new session based on one or more of the plurality of parameters to apply context-based security to the network traffic transported between NG-RAN nodes in an NG-RAN environment in the mobile network.

IPC Classes

  • H04W 12/00 - Security arrangements; Authentication; Protecting privacy or anonymity
  • H04W 12/60 - Context-dependent security
  • H04W 24/08 - Testing using real traffic

91.

CONTEXT-BASED SECURITY OVER INTERFACES IN NG-RAN ENVIRONMENTS AND O-RAN ENVIRONMENTS IN MOBILE NETWORKS

Application Number US2023012014
Publication Number 2023/163843
Status In Force
Filing Date 2023-01-31
Publication Date 2023-08-31
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Verma, Sachin
  • Burakovsky, Leonid

Abstract

Techniques for applying context-based security over interfaces in O-RAN environments in mobile networks are disclosed. In some embodiments, a system/process/computer program product for applying context-based security over interfaces in O-RAN environments in mobile networks includes monitoring network traffic on a mobile network at a security platform to identify a GTP-U tunnel session setup message associated with a new session; extracting a plurality of parameters from the GTP-U tunnel session setup message and from F1AP traffic to extract contextual information at the security platform; and enforcing a security policy at the security platform on the new session based on one or more of the plurality of parameters to apply context-based security to the network traffic transported between O-RAN Distributed Unit (O-DU) and O-RAN Centralized Unit Control Plane (O-CU-CP) nodes in an O-RAN environment in the mobile network. Techniques for applying context-based security over interfaces in NG-RAN environments in mobile networks are also disclosed. In some embodiments, a system/process/computer program product for applying context-based security over interfaces in NG-RAN environments in mobile networks includes monitoring network traffic on a mobile network at a security platform to identify a GTP-U tunnel session setup message associated with a new session; extracting a plurality of parameters from the GTP-U tunnel session setup message and from XnAP traffic to extract contextual information at the security platform; and enforcing a security policy at the security platform on the new session based on one or more of the plurality of parameters to apply context-based security to the network traffic transported between NG-RAN nodes in an NG-RAN environment in the mobile network.

IPC Classes

92.

AUTOMATED MALWARE FAMILY SIGNATURE GENERATION

Application Number 18141789
Status Pending
Filing Date 2023-05-01
First Publication Date 2023-08-24
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Xu, Zhi
  • Wang, Jiajie
  • Zhang, Xiao
  • Hu, Wenjun

Abstract

A set of metadata associated with a plurality of samples is received. The samples are clustered. For members of a first cluster, a set of similarities shared among at least a portion of the members of the first cluster is determined. An outlier cluster member is identified within the first cluster, and in response, additional analysis is caused to be performed on the outlier cluster member.

IPC Classes
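Worked example of the clustering and outlier step, added here and not taken from the application or from the assignee's pipeline: samples are clustered by Jaccard similarity of their metadata tokens, the attributes shared by most of a cluster become its family signature, and any member that carries too few of those shared attributes is flagged for additional analysis. The sample metadata, the greedy single-linkage clustering and the 0.5 / 0.75 / 0.6 thresholds are all constructed for illustration.

```python
"""Added example (not the application's code): cluster samples by Jaccard similarity of
their metadata tokens, derive the attributes a cluster shares, and route members that
lack those shared attributes (outliers) to additional analysis. Metadata is constructed."""


def jaccard(a, b):
    """Jaccard similarity of two token sets; two empty sets count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def cluster_samples(samples, threshold=0.5):
    """Greedy single-linkage clustering: a sample joins the first cluster that has a
    member at least `threshold` similar to it, otherwise it starts a new cluster."""
    clusters = []
    for name, feats in samples.items():
        for cluster in clusters:
            if any(jaccard(feats, samples[m]) >= threshold for m in cluster):
                cluster.append(name)
                break
        else:
            clusters.append([name])
    return clusters


def shared_features(samples, cluster, min_fraction=0.75):
    """Attributes present in at least `min_fraction` of the cluster's members."""
    counts = {}
    for m in cluster:
        for f in samples[m]:
            counts[f] = counts.get(f, 0) + 1
    need = min_fraction * len(cluster)
    return {f for f, c in counts.items() if c >= need}


def find_outliers(samples, cluster, shared, min_coverage=0.6):
    """Members carrying less than `min_coverage` of the shared attribute set."""
    if not shared:
        return []
    return [m for m in cluster if len(samples[m] & shared) / len(shared) < min_coverage]


def analyze(samples):
    """Cluster, build a per-cluster signature from shared attributes, flag outliers."""
    report = []
    for cluster in cluster_samples(samples):
        shared = shared_features(samples, cluster)
        report.append({
            "members": cluster,
            "signature": sorted(shared),
            "outliers": find_outliers(samples, cluster, shared),
        })
    return report


# Constructed metadata: imports, section names, strings and mutex names per sample.
SAMPLES = {
    "famA-1": {"import:kernel32!CreateRemoteThread", "import:kernel32!WriteProcessMemory",
               "section:.upx1", "string:cmd.exe /c", "import:ws2_32!connect"},
    "famA-2": {"import:kernel32!CreateRemoteThread", "import:kernel32!WriteProcessMemory",
               "section:.upx1", "string:cmd.exe /c", "string:schtasks /create"},
    "famA-3": {"import:kernel32!CreateRemoteThread", "import:kernel32!WriteProcessMemory",
               "section:.upx1", "string:cmd.exe /c", "section:.rsrc"},
    # Similar enough to join the cluster, but missing the packer section and the
    # command string: the outlier that deserves a closer look.
    "famA-4": {"import:kernel32!CreateRemoteThread", "import:kernel32!WriteProcessMemory",
               "import:ws2_32!connect", "import:advapi32!CryptEncrypt"},
    "famB-1": {"string:POST /gate.php", "import:wininet!HttpSendRequestA", "section:.text"},
    "famB-2": {"string:POST /gate.php", "import:wininet!HttpSendRequestA", "mutex:Global\\b0t"},
}
```

`analyze(SAMPLES)` yields two clusters; the first carries the four-attribute family signature and names `famA-4` as its outlier, the second has no outliers. Single-linkage is deliberate: it is what lets a partial match like `famA-4` land inside the family instead of forming a cluster of one, which is exactly the case where a signature built from the whole cluster would be too loose and the member needs separate analysis.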

93.

PREVENTION OF CONTAINER ESCAPE-BASED ATTACKS OF A HOST SYSTEM

Application Number 17651198
Status Pending
Filing Date 2022-02-15
First Publication Date 2023-08-17
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Prizmant, Daniel
  • Zelivansky, Ariel M.
  • Levin, Liron
  • Yanay, Eran

Abstract

A service prevents attacks carried out through container escape for silo-based containers. A callback is registered for a function(s) that may be invoked from inside a container and returns an object handle(s). The callback, when triggered by invocation of the function(s), executes for determination of whether requests for access to objects via their handles are issued by suspicious processes. Access to CExecSvc.exe is restricted for processes that request a handle for CExecSvc.exe and are determined to be associated with a container themselves. Processes that escape their container through a technique that evades detection are also blocked from accessing the host system. When a process requests access to an object via invocation of a function that returns a handle, the callback executes for determination of whether the process but not the requested object is associated with a container, in which case the service restricts the process's access to the host system.

IPC Classes

  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 21/52 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure

94.

AUTOMATED GENERATION OF BEHAVIORAL SIGNATURES FOR MALICIOUS WEB CAMPAIGNS

Application Number 18104058
Status Pending
Filing Date 2023-01-31
First Publication Date 2023-08-10
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Melicher, William Russell
  • Starov, Oleksii
  • Bellary Seetharam, Shresta
  • Sarker, Shaown

Abstract

Techniques for automated generation of behavioral signatures for malicious web campaigns are disclosed. In some embodiments, a system/process/computer program product for automated generation of behavioral signatures for malicious web campaigns includes crawling a plurality of web sites associated with a malware campaign; determining discriminating repeating attributes (e.g., behavior related attributes, which can be determined using dynamic analysis, and static related attributes, which can be determined using static analysis) as malware campaign related footprint patterns, wherein the discriminating repeating attributes are not associated with benign web sites; and automatically generating a human-interpretable malware campaign signature based on the malware campaign related footprint patterns.

IPC Classes
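Worked example of the signature-generation step, added here and not taken from the application or from the assignee's crawler: static attributes are pulled from page HTML with a small regex pass, dynamic attributes are supplied as observations from a hypothetical instrumented browser run, and the signature is the conjunction of attributes that repeat across the campaign pages but are absent from the benign set. The pages, the attribute names and the 0.8 / 0.05 frequency cutoffs are constructed for illustration.

```python
"""Added example (not the application's code): derive a human-readable campaign signature
from attributes that repeat across crawled campaign pages but do not appear on benign
pages. Static attributes come from a regex pass over the HTML; dynamic attributes are
given as observations from a (hypothetical) instrumented browser. Pages are constructed."""
import re
from collections import Counter

SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']https?://([^/"\']+)', re.I)
EVAL_ATOB = re.compile(r"eval\s*\(\s*atob\s*\(")
META_REFRESH = re.compile(r'http-equiv=["\']refresh["\']', re.I)


def static_attributes(html):
    """Static-analysis attributes: external script hosts, eval(atob()) unpacking, meta refresh."""
    attrs = {f"static:script_host={h.lower()}" for h in SCRIPT_SRC.findall(html)}
    if EVAL_ATOB.search(html):
        attrs.add("static:inline_eval_atob")
    if META_REFRESH.search(html):
        attrs.add("static:meta_refresh")
    return attrs


def page_attributes(html, dynamic):
    """Union of static attributes and dynamic behaviours observed at runtime."""
    return static_attributes(html) | {f"dyn:{d}" for d in dynamic}


def discriminating_attributes(campaign, benign, min_campaign_frac=0.8, max_benign_frac=0.05):
    """Attributes seen on >= min_campaign_frac of campaign pages and on <= max_benign_frac
    of benign pages: repeating for the campaign, not shared with benign sites."""
    c_counts = Counter(a for attrs in campaign.values() for a in attrs)
    b_counts = Counter(a for attrs in benign.values() for a in attrs)
    n_b = max(len(benign), 1)
    return sorted(a for a, c in c_counts.items()
                  if c / len(campaign) >= min_campaign_frac
                  and b_counts[a] / n_b <= max_benign_frac)


def build_signature(name, attrs):
    """Human-interpretable conjunction an analyst can read, tune, or veto term by term."""
    return f"campaign {name}: " + " AND ".join(attrs)


def matches(attrs, page_attrs):
    return bool(attrs) and all(a in page_attrs for a in attrs)


def generate(name, campaign_pages, benign_pages):
    """Crawl results in, signature out, plus the benign pages it would wrongly hit."""
    campaign = {h: page_attributes(html, dyn) for h, (html, dyn) in campaign_pages.items()}
    benign = {h: page_attributes(html, dyn) for h, (html, dyn) in benign_pages.items()}
    attrs = discriminating_attributes(campaign, benign)
    false_positives = [h for h, a in benign.items() if matches(attrs, a)]
    return attrs, build_signature(name, attrs), false_positives


# Constructed page fragments and runtime observations.
TRACKER = '<script src="https://cdn.stat-track.example/l.js"></script>'
UNPACK = '<script>eval(atob("ZG9jdW1lbnQ="))</script>'
JQUERY = '<script src="https://code.jquery.com/jquery-3.7.1.min.js"></script>'
REFRESH = '<meta http-equiv="refresh" content="0;url=/next">'

CAMPAIGN_PAGES = {  # host -> (html, dynamic observations)
    "shop-deal.example": (TRACKER + UNPACK + REFRESH, {"click_opens_new_tab_redirect"}),
    "win-prize.example": (TRACKER + UNPACK, {"click_opens_new_tab_redirect", "sets_cookie"}),
    "free-scan.example": (UNPACK + TRACKER + REFRESH, {"click_opens_new_tab_redirect"}),
}
BENIGN_PAGES = {
    "news.example": (JQUERY, {"sets_cookie"}),
    "docs.example": (JQUERY + REFRESH, set()),
    "blog.example": ("<p>hello</p>", set()),
}
```

`generate("stat-track-redirector", CAMPAIGN_PAGES, BENIGN_PAGES)` keeps the tracker host, the `eval(atob())` unpacker and the click-redirect behaviour, drops `meta_refresh` (only two of three campaign pages, and present on a benign page) and `sets_cookie`, and reports no benign false positives. The benign-frequency cutoff is what keeps generic attributes such as a popular CDN host out of the signature even when every campaign page happens to share them.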

95.

Process privilege escalation protection in a computing environment

Application Number 18136254
Grant Number 11941110
Status In Force
Filing Date 2023-04-18
First Publication Date 2023-08-10
Grant Date 2024-03-26
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Lavi, Yaron
  • Aharoni, Eldar
  • Wexler, Elad

Abstract

Techniques for process privilege escalation protection in a computing environment are disclosed. For example, the disclosure describes a system/process/computer program product for process privilege escalation protection in a computing environment that includes monitoring a process executed on a computing device, detecting an unauthorized change in a token value associated with the process, and performing an action based on a policy (e.g., a kernel protection security policy/rule(s), which can include a whitelisted set of processes and/or configured actions/responses to perform for other/non-whitelisted processes) in response to an unauthorized change in the token value associated with the process.

IPC Classes

  • G06F 21/54 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by adding security routines or objects to programs
  • G06F 21/44 - Program or device authentication

96.

SECURE MULTI-ENTERPRISE WIRELESS NETWORK

Application Number 17649704
Status Pending
Filing Date 2022-02-02
First Publication Date 2023-08-03
Owner Palo Alto Networks, Inc. (USA)
Inventor Lin, Ta Chien

Abstract

An access point service configures and manages a multi-enterprise wireless network in public settings. During network profile setup for a client connecting to an enterprise-issued access point (e.g., in a home environment), the service determines network information unique to the client and an authentication server associated with the enterprise to which the client is to authenticate for 802.1X authentication and stores the client network information and an indication of the authentication server in a cloud database. For access points in a public setting, upon detection of an association request by a client, the service determines network information that identifies the client and performs a lookup of the cloud database with the network information to determine to which of the recognized authentication servers to forward authentication messages transmitted by the client. If the result of the lookup does not indicate an authentication server, the connection is terminated.

IPC Classes

97.

DISTRIBUTED OFFLOAD LEVERAGING DIFFERENT OFFLOAD DEVICES

Application Number 18129451
Status Pending
Filing Date 2023-03-31
First Publication Date 2023-08-03
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Mcdowall, John Edward
  • Sugg, James
  • Bransi, Charles

Abstract

Techniques for distributed offload leveraging different offload devices are disclosed. In some embodiments, a system, process, and/or computer program product for distributed offload leveraging different offload devices includes receiving a flow at a firewall of a security service (e.g., a cloud-based security service); inspecting the flow at the firewall to determine meta information associated with the flow; and offloading the flow to an offload entity (e.g., a SmartNIC, software executed on a Network Interface Card (NIC), and/or a network device, such as a network router and/or network switch) based on the meta information associated with the flow (e.g., an application identification associated with the flow determined using deep packet inspection) and based on a policy.

IPC Classes

98.

SYSTEM AND METHOD FOR DETECTING EXPLOIT INCLUDING SHELLCODE

Application Number US2023011449
Publication Number 2023/146856
Status In Force
Filing Date 2023-01-24
Publication Date 2023-08-03
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Yan, Tao
  • Chen, Jin
  • Qu, Bo
  • Liu, Jiangxia
  • Bochin, Edouard
  • Lu, Royce

Abstract

Detection of an exploit including shellcode is disclosed. Memory blocks are monitored during dynamic analysis of a sample to identify a memory block including suspicious shellcode. The memory block is dumped in memory to identify a candidate shellcode entry point associated with the suspicious shellcode. The suspicious shellcode is executed based on the candidate shellcode entry point to determine whether the suspicious shellcode is malicious. A verdict is generated regarding the sample based on results of executing the suspicious shellcode.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine

99.

SYSTEM AND METHOD FOR DETECTING EXPLOIT INCLUDING SHELLCODE

Application Number 17587636
Status Pending
Filing Date 2022-01-28
First Publication Date 2023-08-03
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Yan, Tao
  • Chen, Jin
  • Qu, Bo
  • Liu, Jiangxia
  • Bochin, Edouard
  • Lu, Royce

Abstract

Detection of an exploit including shellcode is disclosed. Memory blocks are monitored during dynamic analysis of a sample to identify a memory block including suspicious shellcode. The memory block is dumped in memory to identify a candidate shellcode entry point associated with the suspicious shellcode. The suspicious shellcode is executed based on the candidate shellcode entry point to determine whether the suspicious shellcode is malicious. A verdict is generated regarding the sample based on results of executing the suspicious shellcode.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
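Worked example for records 98 and 99 above, added here and not taken from either filing or from the assignee's sandbox: the memory-block monitoring and candidate-entry-point step is approximated by scanning dumped executable blocks for the byte sequences position-independent shellcode relies on (GetPC stubs, jmp/call/pop decoder prologues, PEB walks through fs:[0x30] or gs:[0x60]). The blocks and their protection flags are constructed; the final step the abstracts describe, executing the candidate in the sandbox to reach a verdict, is not shown.

```python
"""Added example (not the applications' code): scan dumped memory blocks for candidate
shellcode entry points using classic position-independent-code markers. Blocks are
constructed; executing a candidate to obtain a verdict is out of scope here."""
from dataclasses import dataclass

# Byte patterns shellcode uses to locate itself or the loader's structures; each hit is
# a candidate entry point for the next (execution-based) analysis stage.
MARKERS = {
    b"\xe8\x00\x00\x00\x00": "call $+5 (GetPC)",
    b"\xd9\xee\xd9\x74\x24\xf4": "fldz; fnstenv [esp-0xc] (GetPC)",
    b"\x64\xa1\x30\x00\x00\x00": "mov eax, fs:[0x30] (x86 PEB walk)",
    b"\x64\x8b\x35\x30\x00\x00\x00": "mov esi, fs:[0x30] (x86 PEB walk)",
    b"\x65\x48\x8b\x04\x25\x60\x00\x00\x00": "mov rax, gs:[0x60] (x64 PEB walk)",
}


@dataclass
class MemoryBlock:
    address: int
    protect: str   # constructed stand-in for page protection, e.g. "RWX", "RX", "RW"
    data: bytes


def _jmp_call_pop(data, i):
    """True if data[i] starts a jmp -> call-back -> pop prologue: the short jmp lands on a
    call whose target is the byte right after the jmp, where a pop picks up the pushed
    return address (the start of the data the decoder will process)."""
    if i + 3 > len(data) or data[i] != 0xEB:
        return False
    disp = int.from_bytes(data[i + 1:i + 2], "little", signed=True)
    target = i + 2 + disp
    if target < 0 or target + 5 > len(data) or data[target] != 0xE8:
        return False
    rel = int.from_bytes(data[target + 1:target + 5], "little", signed=True)
    return target + 5 + rel == i + 2 and 0x58 <= data[i + 2] <= 0x5F  # pop r32


def candidate_entry_points(data):
    """(offset, reason) pairs inside the block that look like shellcode entry points."""
    found = []
    for pattern, reason in MARKERS.items():
        pos = data.find(pattern)
        while pos != -1:
            found.append((pos, reason))
            pos = data.find(pattern, pos + 1)
    for i in range(len(data) - 2):
        if _jmp_call_pop(data, i):
            found.append((i, "jmp/call/pop decoder prologue"))
    return sorted(found)


def scan_blocks(blocks):
    """Only executable blocks can run shellcode; writable-and-executable ones (fresh
    allocations, unpacked stages) are the usual suspects, so keep the flags in the result."""
    results = []
    for b in blocks:
        if "X" not in b.protect:
            continue
        cands = candidate_entry_points(b.data)
        if cands:
            results.append({"address": b.address, "protect": b.protect, "entry_points": cands})
    return results


# Constructed stage: nop sled, jmp/call/pop decoder prologue, PEB walk, filler.
STAGE = (
    b"\x90" * 4                      # 0x00 nop sled
    + b"\xeb\x06"                    # 0x04 jmp short +6 -> 0x0c
    + b"\x5e\x31\xc0\x90\x90\x90"    # 0x06 pop esi; xor eax, eax; nops (decoder stub)
    + b"\xe8\xf5\xff\xff\xff"        # 0x0c call -0x0b -> 0x06 (pushes 0x11, the data start)
    + b"\x64\xa1\x30\x00\x00\x00"    # 0x11 mov eax, fs:[0x30]
    + b"\x41" * 4                    # 0x17 encoded payload filler
)
BLOCKS = [
    MemoryBlock(0x00401000, "RX", b"\x55\x8b\xec\x83\xec\x10\x5d\xc3"),  # plain prologue/epilogue
    MemoryBlock(0x00320000, "RWX", STAGE),
    MemoryBlock(0x00330000, "RW", STAGE),  # same bytes, not executable: not a candidate
]
```

`scan_blocks(BLOCKS)` returns only the RWX block, with candidate entry points at offsets 4 (the decoder prologue) and 17 (the PEB walk); the earliest candidate is the natural first choice to hand to the sandbox for execution. The back-referencing `call` inside the prologue is recognised structurally rather than by a fixed byte string, which is the difference between this check and a plain signature.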

100.

Detecting behavioral change of IoT devices using novelty detection based behavior traffic modeling

Application Number 17649223
Grant Number 11888718
Status In Force
Filing Date 2022-01-28
First Publication Date 2023-08-03
Grant Date 2024-01-30
Owner Palo Alto Networks, Inc. (USA)
Inventor
  • Tian, Ke
  • Zhao, Yilin
  • Duan, Xiaoyi
  • Du, Jun

Abstract

An anomalous behavior detector has been designed to detect novel behavioral changes of devices based on network traffic data that likely correlate to anomalous behaviors. The anomalous behavior detector uses the local outlier factor (LOF) algorithm with novelty detection. After initial semi-supervised training with a single class training dataset representing stable device behaviors, the obtained model continues learning frontiers that delimit subspaces of inlier observations with live network traffic data. Instead of traffic variables being used as features, the features that form feature vectors are similarities of network traffic variable values across time intervals. A feature vector for the anomalous behavior detector represents stability or similarity of network traffic variables that have been chosen as device identifiers and behavioral indicators.

IPC Classes
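Worked example of the detector the abstract describes, added here and not taken from the patent or from the assignee's product: a from-scratch local outlier factor in novelty mode, trained on inlier vectors only and then scoring live vectors while absorbing the ones it judges normal. The feature vector is built exactly as the abstract says, from the similarity of each traffic variable between consecutive intervals rather than from the raw values, so a stable device sits near (1, 1, 1). The traffic variables chosen (destination ports, contacted domains, bytes out), the interval observations, the eight training vectors, k = 3 and the LOF threshold of 1.5 are all constructed assumptions.

```python
"""Added example (not the patent's code): IoT behaviour-change detection with a
from-scratch local outlier factor (LOF) in novelty mode. Features are the similarity of
each traffic variable between consecutive intervals, so stable behaviour yields vectors
near (1, 1, 1). Interval observations and initial training vectors are constructed."""
import math


def jaccard(a, b):
    return 1.0 if not a and not b else len(a & b) / len(a | b)


def ratio(x, y):
    """Similarity of two non-negative counts: min/max, 1.0 when equal."""
    hi = max(x, y)
    return 1.0 if hi == 0 else min(x, y) / hi


def similarity_vector(prev, cur):
    """One interval transition -> (port-set, domain-set, bytes-out) similarities."""
    return (jaccard(prev["dst_ports"], cur["dst_ports"]),
            jaccard(prev["domains"], cur["domains"]),
            ratio(prev["bytes_out"], cur["bytes_out"]))


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class LOFNoveltyDetector:
    """Semi-supervised: fit on inlier vectors only, score new vectors against them, and
    absorb vectors judged inliers so the learned frontier keeps tracking live traffic."""

    def __init__(self, k=3, threshold=1.5):
        self.k, self.threshold = k, threshold
        self.train, self._kdist, self._lrd = [], [], []

    def _neighbors(self, x, skip=None):
        cand = sorted((euclid(x, p), i) for i, p in enumerate(self.train) if i != skip)
        return cand[:self.k]

    def _lrd_of(self, nbrs):
        # local reachability density: k / sum of max(k-distance(o), d(x, o)) over neighbours
        reach = sum(max(self._kdist[i], d) for d, i in nbrs)
        return self.k / max(reach, 1e-12)

    def fit(self, vectors):
        self.train = [tuple(v) for v in vectors]
        nbrs = [self._neighbors(p, skip=i) for i, p in enumerate(self.train)]
        self._kdist = [n[-1][0] for n in nbrs]   # distance to the k-th nearest neighbour
        self._lrd = [self._lrd_of(n) for n in nbrs]
        return self

    def score(self, x):
        """LOF of x against the training set: about 1 inside the inlier region, >> 1 outside."""
        nbrs = self._neighbors(tuple(x))
        return sum(self._lrd[i] for _, i in nbrs) / (self.k * self._lrd_of(nbrs))

    def observe(self, x):
        """Score a live vector; inliers join the training set (continued learning)."""
        s = self.score(x)
        anomalous = s > self.threshold
        if not anomalous:
            self.fit(self.train + [tuple(x)])
        return s, anomalous


# Constructed training vectors from eight earlier intervals of a stable device: identical
# port and domain sets each interval, bytes-out drifting a few per cent.
TRAINING = [(1.0, 1.0, r) for r in (0.930, 0.940, 0.950, 0.960, 0.970, 0.980, 0.935, 0.965)]

# Constructed per-interval observations for the same device.
PREV = {"dst_ports": {443, 8883}, "domains": {"mqtt.vendor.example", "time.vendor.example"},
        "bytes_out": 12_000}
CUR_STABLE = {"dst_ports": {443, 8883}, "domains": {"mqtt.vendor.example", "time.vendor.example"},
              "bytes_out": 12_600}
CUR_CHANGED = {"dst_ports": {443, 8883, 23, 2323},
               "domains": {"mqtt.vendor.example", "time.vendor.example", "upd-cdn.example"},
               "bytes_out": 540_000}
```

`LOFNoveltyDetector().fit(TRAINING).observe(similarity_vector(PREV, CUR_STABLE))` scores close to 1 and is absorbed into the training set; the transition to `CUR_CHANGED` (new telnet-range ports, a new domain, a 45x jump in bytes out) produces a vector near (0.5, 0.67, 0.02) and a LOF in the tens. Because the features are similarities, the model never has to learn the device's absolute traffic volume or its particular port list, only how stable those values are from one interval to the next.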
