Palo Alto Networks, Inc.

United States of America

Patent search results (World - WIPO, excluding subsidiaries): 1-60 of 60 for Palo Alto Networks, Inc.

1.

STRATEGICALLY AGED DOMAIN DETECTION

      
Application Number US2023079692
Publication Number 2024/118315
Status In Force
Filing Date 2023-11-14
Publication Date 2024-06-06
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Chen, Zhanhao
  • Liu, Daiping
  • Li, Wanjin
  • Fei, Fan

Abstract

Detection of strategically aged domains is detected. A list of aged dormant domains is determined, including by evaluating passive Domain Name System (DNS) information. The list of aged dormant domains is monitored for a change by an aged dormant domain from a dormant domain status to an active status. In response to determining the change to active status of the aged dormant domain, an action is taken with respect to the aged dormant domain.

IPC Classes

  • H04L 9/40 - Network security protocols
  • H04L 61/4511 - Network directories; Name-to-address mapping using standardised directory access protocols using domain name system [DNS]

2.

CENTRALIZED IDENTITY REDISTRIBUTION

      
Application Number IB2023061381
Publication Number 2024/105524
Status In Force
Filing Date 2023-11-10
Publication Date 2024-05-23
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Shah, Nidhi
  • Han, Songling
  • Ramachandran, Srikanth

Abstract

Techniques for providing centralized identity redistribution for a security service are disclosed. In some embodiments, a system/process/computer program product for providing centralized identity redistribution for a security service includes receiving user context information (e.g., an IP-user mapping, a user-tag mapping, an IP-tag mapping, an IP-port-user mapping, an IP-device ID mapping, 5G user context information, and/or other user context information/data) at a security platform from a cloud security service; and applying a security policy at the security platform using the user context information.

IPC Classes

3.

APPLYING SUBSCRIBER-ID BASED SECURITY, EQUIPMENT-ID BASED SECURITY, AND/OR NETWORK SLICE-ID BASED SECURITY WITH USER-ID AND SYSLOG MESSAGES IN MOBILE NETWORKS

      
Application Number US2023028739
Publication Number 2024/049591
Status In Force
Filing Date 2023-07-26
Publication Date 2024-03-07
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Verma, Sachin
  • Burakovsky, Leonid
  • Perez Villegas, Hugo, Alberto

Abstract

Techniques for applying subscriber-ID based security, equipment-ID based security, and/or network slice-ID based security with user-ID and syslog messages in mobile networks are disclosed. In some embodiments, a system/process/computer program product for applying subscriber-ID based security, equipment-ID based security, and/or network slice-ID based security with user-ID and syslog messages in mobile networks includes monitoring network traffic on a mobile network at a security platform to identify a new session; extracting a plurality of parameters by parsing syslog messages with a user-ID agent at the security platform; and enforcing a security policy on the new session at the security platform based on one or more of the plurality of parameters including one or more of a subscriber-ID, equipment-ID, and network slice-ID to apply context-based security in the mobile network.

IPC Classes

4.

INLINE PACKAGE NAME BASED SUPPLY CHAIN ATTACK DETECTION AND PREVENTION

      
Application Number US2023031082
Publication Number 2024/049702
Status In Force
Filing Date 2023-08-24
Publication Date 2024-03-07
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Duan, Ruian
  • Liu, Daiping
  • Wang, Jun
  • Xiao, Zihang

Abstract

Inline package name based supply chain attack detection and prevention is disclosed. An indication that a client device has made a request to a remote server for a package is received. A data appliance then performs an action responsive to the received indication. In an example implementation, the data appliance makes a determination of whether the request for the package is associated with a nonexisting package.

IPC Classes

  • G06F 8/60 - Software deployment
  • G06F 21/10 - Protecting distributed programs or content, e.g. vending or licensing of copyrighted material

5.

ATTACK CHAIN IDENTIFICATION VIA MISCONFIGURATIONS IN CLOUD RESOURCES

      
Application Number US2023020360
Publication Number 2024/025624
Status In Force
Filing Date 2023-04-28
Publication Date 2024-02-01
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Narayan, Krishnan Shankar
  • Herur, Praveen

Abstract

A cloud resource management system detects resource misconfiguration for resources in a cloud including cloud policy misconfigurations and resource vulnerabilities. An attack chain analyzer identifies attack chains from misconfigured resources ordered according to stages in an attack framework that models sequential behavior for malicious attacks. The attack chains are detected according to a depth-first search traversal of adjacent resources that have pairwise exposure according to characteristics indicated in the cloud policy misconfigurations and resource vulnerabilities. The attack chain analyzer generates further diagnostics that inform remediation of resource misconfigurations for malicious attack prevention.

IPC Classes

  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
  • H04L 9/40 - Network security protocols

6.

COBALT STRIKE BEACON HTTP C2 HEURISTIC DETECTION

      
Application Number US2023026791
Publication Number 2024/025705
Status In Force
Filing Date 2023-06-30
Publication Date 2024-02-01
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Jia, Yanhui
  • Navarrete Discua, Christian Elihu
  • Sangvilkar, Durgesh Madhavrao
  • Neupane, Ajaya
  • Fu, Yu
  • Xu, Chengming

Abstract

Techniques for Cobalt Strike Beacon HTTP C2 heuristic detection are disclosed. In some embodiments, a system/process/computer program product for Cobalt Strike Beacon HTTP C2 heuristic detection includes monitoring HyperText Transfer Protocol (HTTP) network traffic at a firewall; prefiltering the monitored HTTP network traffic at the firewall to select a subset of the HTTP network traffic to forward to a cloud security service; determining whether the subset of the HTTP network traffic is associated with Cobalt Strike Beacon HTTP C2 traffic activity based on a plurality of heuristics; and performing an action in response to detecting the Cobalt Strike Beacon HTTP C2 traffic activity.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

7.

NETWORK ATTACK DETECTION WITH TARGETED FEATURE EXTRACTION FROM EXPLOIT TOOLS

      
Application Number US2023026430
Publication Number 2024/015216
Status In Force
Filing Date 2023-06-28
Publication Date 2024-01-18
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Zhang, Zhibin
  • Chen, Jin
  • Fu, Yu
  • Achleitner, Stefan
  • Qu, Bo
  • Xu, Lei

Abstract

The present application discloses a method, system, and computer system for detecting malicious SQL or command injection strings. The method includes obtaining an SQL or command injection string and determining whether the command injection string is malicious based at least in part on a machine learning model.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06N 20/00 - Machine learning
  • H04L 9/40 - Network security protocols
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures

8.

APPLICATION TRAFFIC FLOW PREDICTION BASED ON MULTI-STAGE NETWORK TRAFFIC FLOW SCANNING

      
Application Number US2023016575
Publication Number 2023/249679
Status In Force
Filing Date 2023-03-28
Publication Date 2023-12-28
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Sang, Daphne
  • Patil, Harish

Abstract

In a network control plane, a pattern matching database is built and maintained for identifying an application or application level protocol. In addition, pattern matching databases for predicting a subsequent flow for application layer/level protocols or data protocols are built and maintained. After flow differentiation in network traffic mirrored from a data plane, the network traffic flow is scanned in a first stage and then in a second stage if a signaling protocol message is detected in the first stage scan. For the second stage, one of the application/data protocol pattern databases is selected for scanning based on the signaling protocol message detected in the first stage scanning. If a match is found from the stage 2 scanning, a mapping between the signaling protocol identifier and an identifier for a predicted application traffic flow is created and communicated to the data plane for policy selection and enforcement.

IPC Classes

  • H04L 9/40 - Network security protocols
  • H04L 43/028 - Capturing of monitoring data by filtering
  • H04L 45/302 - Route determination based on requested QoS
  • H04L 45/745 - Address table lookup; Address filtering
  • H04L 47/2408 - Traffic characterised by specific attributes, e.g. priority or QoS for supporting different services, e.g. a differentiated services [DiffServ] type of service
  • H04L 69/22 - Parsing or analysis of headers

9.

RENDERING CONTEXTUAL SECURITY INFORMATION DETERMINED IN-BROWSER WITH WEB PAGES OF CLOUD AND SAAS VENDORS

      
Application Number US2023017859
Publication Number 2023/239444
Status In Force
Filing Date 2023-04-07
Publication Date 2023-12-14
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor Narayan, Krishnan Shankar

Abstract

the browser extension matches URLs and/or HTML/XML syntactic patterns of the retrieved web pages to the fingerprints to determine the security information to obtain from backend storage. The type/granularity of information that is retrieved can vary depending on the identified fingerprint match. The browser extension retrieves security information corresponding to fingerprints for which matches are identified, generates security overviews therefrom, and integrates the security overviews into the requested web pages to generate a consolidated, multi-perspective view.

IPC Classes

  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
  • H04L 9/40 - Network security protocols

10.

AUTOMATICALLY DETECTING UNKNOWN PACKERS

      
Application Number US2023022284
Publication Number 2023/229873
Status In Force
Filing Date 2023-05-15
Publication Date 2023-11-30
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Lu, Chienhua
  • Hu, Wenjun

Abstract

Techniques for automatically detecting unknown packers are disclosed. In some embodiments, a system/process/computer program product for automatically detecting unknown packers includes receiving a plurality of samples for malware packer detection analysis; performing a packer filter to determine whether each of the plurality of samples is packed; emulating each of the packed samples to extract a plurality of features; and clustering the packed samples based on the extracted features.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • H04L 9/40 - Network security protocols

11.

APPLICATION IDENTIFICATION FOR PHISHING DETECTION

      
Application Number US2023017111
Publication Number 2023/211629
Status In Force
Filing Date 2023-03-31
Publication Date 2023-11-02
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Shao, Rongbo
  • Qu, Bo
  • He, Zhanglin
  • Xu, Shengming
  • Lee, Amy

Abstract

Techniques for application identification for phishing detection are disclosed. In some embodiments, a system/process/computer program product for application identification for phishing detection includes monitoring network activity associated with a session to detect a request to access a site; determining advanced application identification associated with the site; and identifying the site as a phishing site based on the advanced application identification.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 16/955 - Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]

12.

ENFORCING A DYNAMICALLY MODIFIABLE GEOFENCE BASED ON CONDITIONS OF A CELLULAR NETWORK

      
Application Number US2023063831
Publication Number 2023/183707
Status In Force
Filing Date 2023-03-07
Publication Date 2023-09-28
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Chandrasekaran, Arun Athrey
  • Kadam, Avaneesh Anandrao

Abstract

A geofencing service establishes an initial geofence for monitoring devices connected to a cellular network. Upon receipt of a notification generated and transmitted by a device that crossed the geofence, the service determines a difference in location of the device at the times of notification generation and transmission based on coordinates included in the notification. A difference in location that satisfies a criterion indicates that the geofence corresponds to a geographic location with poor cellular network connectivity. The service modifies the geofence radius based on available signal strength data and enforces the resulting modified geofence. After this first radius modification, the service determines quality of network connectivity at geographic locations corresponding to internally tracked "shadow" geofences and modifies the geofence radius if device coordinates indicate that a shadow geofence corresponds to an area with sufficient connectivity. Geofence radius modification is ongoing until the geofence is returned to its initial configuration.

IPC Classes

  • H04W 4/021 - Services related to particular areas, e.g. point of interest [POI] services, venue services or geofences
  • H04B 17/318 - Received signal strength
  • H04L 67/52 - Network services specially adapted for the location of the user terminal

13.

CONTEXT-BASED SECURITY OVER INTERFACES IN NG-RAN ENVIRONMENTS AND O-RAN ENVIRONMENTS IN MOBILE NETWORKS

      
Application Number US2023012014
Publication Number 2023/163843
Status In Force
Filing Date 2023-01-31
Publication Date 2023-08-31
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Verma, Sachin
  • Burakovsky, Leonid

Abstract

Techniques for applying context-based security over interfaces in O-RAN environments in mobile networks are disclosed. In some embodiments, a system/process/computer program product for applying context-based security over interfaces in O-RAN environments in mobile networks includes monitoring network traffic on a mobile network at a security platform to identify a GTP-U tunnel session setup message associated with a new session; extracting a plurality of parameters from the GTP-U tunnel session setup message and from F1AP traffic to extract contextual information at the security platform; and enforcing a security policy at the security platform on the new session based on one or more of the plurality of parameters to apply context-based security to the network traffic transported between O-RAN Distributed Unit (O-DU) and O-RAN Centralized Unit Control Plane (O-CU-CP) nodes in an O-RAN environment in the mobile network. Techniques for applying context-based security over interfaces in NG-RAN environments in mobile networks are also disclosed. In some embodiments, a system/process/computer program product for applying context-based security over interfaces in NG-RAN environments in mobile networks includes monitoring network traffic on a mobile network at a security platform to identify a GTP-U tunnel session setup message associated with a new session; extracting a plurality of parameters from the GTP-U tunnel session setup message and from XnAP traffic to extract contextual information at the security platform; and enforcing a security policy at the security platform on the new session based on one or more of the plurality of parameters to apply context-based security to the network traffic transported between NG-RAN nodes in an NG-RAN environment in the mobile network.

IPC Classes

14.

SYSTEM AND METHOD FOR DETECTING EXPLOIT INCLUDING SHELLCODE

      
Application Number US2023011449
Publication Number 2023/146856
Status In Force
Filing Date 2023-01-24
Publication Date 2023-08-03
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Yan, Tao
  • Chen, Jin
  • Qu, Bo
  • Liu, Jiangxia
  • Bochin, Edouard
  • Lu, Royce

Abstract

Detection of an exploit including shellcode is disclosed. Memory blocks are monitored during dynamic analysis of a sample to identify a memory block including suspicious shellcode. The memory block is dumped in memory to identify a candidate shellcode entry point associated with the suspicious shellcode. The suspicious shellcode is executed based on the candidate shellcode entry point to determine whether the suspicious shellcode is malicious. A verdict is generated regarding the sample based on results of executing the suspicious shellcode.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine

15.

DEEP LEARNING PIPELINE TO DETECT MALICIOUS COMMAND AND CONTROL TRAFFIC

      
Application Number US2023010947
Publication Number 2023/141103
Status In Force
Filing Date 2023-01-17
Publication Date 2023-07-27
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Neupane, Ajaya
  • Dai, Yuwen
  • Achleitner, Stefan
  • Fu, Yu
  • Xu, Shengming

Abstract

Detection of command and control malware is disclosed. A network traffic session is monitored. Automatic feature identification for real-time malicious command and control traffic detection based on a request header of the monitored network traffic session using a deep learning model is performed.

IPC Classes

16.

IDENTIFICATION OF .NET MALWARE WITH "UNMANAGED IMPHASH"

      
Application Number US2022051866
Publication Number 2023/121862
Status In Force
Filing Date 2022-12-05
Publication Date 2023-06-29
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Samuel, Yaron
  • Reichel, Dominik
  • Jung, Robert
  • Che, Lauren

Abstract

The present application discloses a method, system, and computer system for detecting malicious files. The method includes receiving a sample that comprises a .NET file, obtaining imported API function names based at least in part on a .NET header of the .NET file, determining a hash of a list of unmanaged imported API function names, and determining whether the sample is malware based at least in part on the hash of the list of unmanaged imported API function names.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • H04L 9/00 - Arrangements for secret or secure communications; Network security protocols

17.

NETWORKING AND SECURITY SPLIT ARCHITECTURE

      
Application Number US2022052048
Publication Number 2023/121868
Status In Force
Filing Date 2022-12-06
Publication Date 2023-06-29
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Warburton, Thomas, Arthur
  • Long, Hao
  • Lin, Shu
  • Peng, Mingfei

Abstract

Techniques for providing a networking and security split architecture are disclosed. In some embodiments, a system, process, and/or computer program product for providing a networking and security split architecture includes receiving a flow at a security service; processing the flow at a network layer of the security service to perform one or more networking functions; and offloading the flow to a security layer of the security service to perform security enforcement based on a policy.

IPC Classes

  • H04L 9/40 - Network security protocols
  • H04L 47/2441 - Traffic characterised by specific attributes, e.g. priority or QoS relying on flow classification, e.g. using integrated services [IntServ]

18.

INLINE IDENTIFY AND BLOCK DANGLING DNS RECORDS

      
Application Number US2022047186
Publication Number 2023/076091
Status In Force
Filing Date 2022-10-19
Publication Date 2023-05-04
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Liu, Daiping
  • Duan, Ruian
  • Wang, Jun

Abstract

The present application discloses a method, system, and computer system for identifying dangling records. The method includes obtaining a set of domains, determining whether a record associated with a domain comprised in the set of domains is dangling, and in response to determining that the record associated with the domain is dangling, providing, to a registrant, a notification that the record is dangling.

IPC Classes

  • H04L 9/40 - Network security protocols
  • H04L 61/4511 - Network directories; Name-to-address mapping using standardised directory access protocols using domain name system [DNS]

19.

PREDICTIVE DNS CACHE TO IMPROVE SECURITY AND PERFORMANCE

      
Application Number US2022047183
Publication Number 2023/076090
Status In Force
Filing Date 2022-10-19
Publication Date 2023-05-04
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Liu, Daiping
  • Wang, Jun
  • Xu, Wei

Abstract

The present application discloses a method, system, and computer system for predicting responses to DNS queries. The method includes receiving a DNS query comprising a subdomain portion and a root domain portion from a client device, determining whether to obtain target address information corresponding to the DNS from a predictive cache, in response to determining to obtain the target address information from the predictive cache, obtaining the target address information from the predictive cache, and providing the target address information to the client device.

IPC Classes

  • H04L 61/4511 - Network directories; Name-to-address mapping using standardised directory access protocols using domain name system [DNS]
  • H04L 61/58 - Caching of addresses or names
  • G06F 12/02 - Addressing or allocation; Relocation
  • G06F 12/10 - Address translation
  • H04L 67/14 - Session management
  • H04L 67/50 - Network services

20.

IOT DEVICE IDENTIFICATION WITH PACKET FLOW BEHAVIOR MACHINE LEARNING MODEL

      
Application Number US2022047493
Publication Number 2023/076127
Status In Force
Filing Date 2022-10-21
Publication Date 2023-05-04
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Zhang, Jialiang
  • Tian, Ke
  • Zhang, Fan

Abstract

Identifying Internet of Things (IoT) devices with packet flow behavior including by using machine learning models is disclosed. Information associated with a network communication of an IoT device is received. A determination of whether the IoT device has previously been classified is made. In response to determining that the IoT device has not previously been classified, a determination is made that a probability match for the IoT device against a behavior signature exceeds a threshold. Based at least in part on the probability match, a classification of the IoT device is provided to a security appliance configured to apply a policy to the IoT device.

IPC Classes

21.

IOT SECURITY POLICY ON A FIREWALL

      
Application Number US2022045113
Publication Number 2023/055851
Status In Force
Filing Date 2022-09-28
Publication Date 2023-04-06
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Siddam, Kalyan
  • Du, Jun

Abstract

Techniques for enforcing policies on Internet of Things (IoT) device communications are disclosed. Information associated with a network communication of an IoT device is received. The received information is used to determine a device profile, including a device type, to associate with the IoT device. A recommended security policy to be applied to the IoT device by a security appliance is generated.

IPC Classes

  • H04W 8/02 - Processing of mobility data, e.g. registration information at HLR [Home Location Register] or VLR [Visitor Location Register]; Transfer of mobility data, e.g. between HLR, VLR or external networks
  • H04W 12/12 - Detection or prevention of fraud
  • H04W 12/50 - Secure pairing of devices
  • G06F 21/35 - User authentication involving the use of external additional devices, e.g. dongles or smart cards communicating wirelessly
  • H04L 9/08 - Key distribution

22.

SECURING CONTAINERIZED APPLICATIONS

      
Application Number US2022030734
Publication Number 2022/251220
Status In Force
Filing Date 2022-05-24
Publication Date 2022-12-01
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Mcdowall, John, Edward
  • Saha, Sharad
  • Bansal, Nilesh

Abstract

Techniques for securing containerized applications are disclosed. In some embodiments, a system, process, and/or computer program product for securing containerized applications includes detecting a new application container (e.g., an application pod); deploying a security entity (e.g., a firewall) to the application container; and monitoring all traffic to and from the application container (e.g., all layer-7 ingress, egress, and east-west traffic associated with the application container) using the security entity to enforce a policy.

IPC Classes

23.

INCREASED COVERAGE OF APPLICATION-BASED TRAFFIC CLASSIFICATION WITH LOCAL AND CLOUD CLASSIFICATION SERVICES

      
Application Number US2022071543
Publication Number 2022/217218
Status In Force
Filing Date 2022-04-05
Publication Date 2022-10-13
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Jiang, Mengying
  • Xu, Shengming
  • Fang, Menglan
  • Lam, Ho Yu

Abstract

A cloud-based traffic classification engine maintains a catalog of application-based traffic classes which have been developed based on known applications, and a local traffic classification engine maintains a subset of these classes. Network traffic intercepted by the firewall which cannot be classified by the local engine is forwarded to the cloud-based engine for classification. Upon determination of a class of the traffic, the cloud-based engine forwards the determined class and corresponding signature to the local engine. The firewall maintains a cache which is updated with the signatures corresponding to the class communicated by the cloud-based engine. Subsequent network traffic sent from the application can be determined to correspond to the application and classified accordingly, locally at the firewall, based on the cached signatures. Localization of the cache to the firewall reduces latency of traffic classification operations as the catalog of classification information stored in the cloud scales.

IPC Classes

  • H04L 9/40 - Network security protocols
  • H04L 47/2441 - Traffic characterised by specific attributes, e.g. priority or QoS relying on flow classification, e.g. using integrated services [IntServ]

24.

IOT DEVICE APPLICATION WORKLOAD CAPTURE

      
Application Number US2022021583
Publication Number 2022/212150
Status In Force
Filing Date 2022-03-23
Publication Date 2022-10-06
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor Du, Jun

Abstract

Internet of Things (IoT) device application workload capture is disclosed. A target IoT device is selected. A flow associated with the target device is determined and tagged. Packets from the tagged flow are admitted into a ring buffer. An indication is received that an extraction should be performed on a portion of the packets included in the ring buffer.

IPC Classes

25.

GENERATION OF A CAUSALITY TREE REPRESENTATION OF THREAT ANALYSIS REPORT DATA

      
Application Number US2022071396
Publication Number 2022/213060
Status In Force
Filing Date 2022-03-29
Publication Date 2022-10-06
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Bhosale, Swati Vaibhav
  • Firstenberg, Eyal
  • Spencer, Edward Thomas
  • Jacobs, Christopher

Abstract

A report generated from analysis of a software sample is obtained and parsed. A root node of a causality tree is determined based on source-target relationships and a primary malware instance indicated in the report. Actions, behaviors, and additional malware instances are identified based on the report. Additional relationships among the data which are not explicitly represented are extracted from further parsing and processing of the report by tracing the relationships in the report data starting from the data of the entity represented by the root node, with child nodes added for processes and files discovered from the tracing. For each entity for which a node is added to the causality tree, counts of the related behaviors and actions are determined and associated with the node along with the corresponding details. A GUI depiction of the resulting causality tree is generated and displayed for visualizing and navigating the causality tree.

IPC Classes

  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

26.

AUTOMATED EXTRACTION AND CLASSIFICATION OF MALICIOUS INDICATORS

      
Application Number US2022016823
Publication Number 2022/182568
Status In Force
Filing Date 2022-02-17
Publication Date 2022-09-01
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Szurdi, Janos
  • Liu, Daiping
  • Wang, Jun

Abstract

Techniques for generating actionable indicators of compromise (IOCs) are disclosed. A set of potential sources for IOCs are received. One or more candidate IOCs are extracted from at least one source included in the set of potential sources. An actionable IOC is automatically identified from the one or more candidate IOCs. The actionable IOC is provided to a security enforcement service.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 16/28 - Databases characterised by their database models, e.g. relational or object models
  • G06F 16/35 - Clustering; Classification
  • G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures

27.

JOINING JAVASCRIPT OBJECT NOTATION (JSON) QUERIES ACROSS CLOUD RESOURCES

      
Application Number US2022070273
Publication Number 2022/159964
Status In Force
Filing Date 2022-01-20
Publication Date 2022-07-28
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Mouleeswaran, Chandra Biksheswaran
  • Repaka, Rama Teja
  • Wang, Xiaoyan
  • Shukla, Parul

Abstract

A cloud resource join query for join operations across cloud resources is parsed to extract join rules and queries to each cloud resource in the cloud resource join query. Results from the individual cloud queries are dynamically indexed based on pairs of cloud resources indicated in the join rules. A search engine applies first order predicates in the join rules using the dynamic indexes to generate pairwise join results corresponding to the query. A result for the cloud resource join query comprises the pairwise join results after merging.

IPC Classes

28.

DYNAMICALLY SCALABLE APPLICATION FIREWALL DEPLOYMENT FOR CLOUD NATIVE APPLICATIONS

Application Number US2021073133
Publication Number 2022/147436
Status In Force
Filing Date 2021-12-28
Publication Date 2022-07-07
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Levin, Liron
  • Schnitzer, Isaac
  • Shuster, Elad
  • Segal, Ory

Abstract

A configuration of a cloud application exposed via a public IP address is duplicated with modifications to include a private IP address to expose the application internally. The original configuration is updated so that external network traffic sent to the application is redirected to and distributed across agents running on nodes of a cloud cluster by which web application firewalls (WAFs) are implemented. A set of agents for which the respective WAFs should inspect the redirected network traffic are selected based on cluster metrics, such as network and resource utilization metrics. The redirected network traffic targets a port allocated to the agents that is unique to the application, where ports are allocated on a per-application basis so each of the agents can support WAF protection for multiple applications. Network traffic which a WAF allows to pass is directed from the agent to the application via its private IP address.

IPC Classes

  • H04L 9/40 - Network security protocols
  • H04W 12/088 - Access security using filters or firewalls
  • H04L 41/0893 - Assignment of logical groups to network elements
  • H04L 41/0896 - Bandwidth or capacity management, i.e. automatically increasing or decreasing capacities
  • H04L 61/5007 - Internet protocol [IP] addresses
  • H04L 67/1001 - Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers

29.

ENHANCED SD-WAN PATH QUALITY MEASUREMENT AND SELECTION

Application Number US2021047185
Publication Number 2022/072083
Status In Force
Filing Date 2021-08-23
Publication Date 2022-04-07
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Cai, Chunqing
  • Kwan, Philip
  • Wang, Lin
  • Chang, Lei
  • Kumar, Sameer
  • Ramanath, Pulikeshi
  • Narayankhedkar, Santosh

Abstract

Techniques for enhanced Software-Defined Wide Area Network (SD-WAN) path quality measurement and selection are disclosed. In some embodiments, a system/method/computer program product for enhanced SD-WAN path quality measurement and selection includes periodically performing a network path measurement for each of a plurality of network paths at an SD-WAN interface; updating a version if the network path measurement exceeds a threshold for one or more of the plurality of network paths; and selecting one of the plurality of network paths for a session based on the version according to an application policy.
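The version-based selection is easy to misread as "re-evaluate every session on every probe", so here is an added example (not code from the patent or from Palo Alto Networks) of the three steps in the abstract: periodic measurements per path, a version counter that only advances when a path crosses a threshold, and a session that stays pinned to its path until the version changes. Path names, metric names and thresholds are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class PathMetrics:
    latency_ms: float = 0.0
    loss_pct: float = 0.0
    jitter_ms: float = 0.0


class PathSelector:
    """Tracks periodic path measurements, bumps a version only when a path crosses
    a quality threshold, and pins sessions to a path until the version changes."""

    def __init__(self, paths, thresholds):
        self.metrics = {p: PathMetrics() for p in paths}
        self.thresholds = thresholds            # metric name -> maximum acceptable value
        self.degraded = set()
        self.version = 0

    def measure(self, path, **sample):
        """Record one periodic measurement; returns the (possibly updated) version."""
        m = self.metrics[path]
        for name, value in sample.items():
            setattr(m, name, value)
        now_bad = any(getattr(m, name) > limit for name, limit in self.thresholds.items())
        if now_bad != (path in self.degraded):
            self.degraded.symmetric_difference_update({path})   # toggle membership
            self.version += 1                                   # state change -> new version
        return self.version

    def select(self, session, preferred):
        """`preferred` is the application policy: an ordered list of acceptable paths."""
        if session.get("version") == self.version and session.get("path"):
            return session["path"]               # nothing changed since the last choice
        healthy = [p for p in preferred if p not in self.degraded]
        if healthy:
            choice = healthy[0]
        else:                                    # every policy path degraded: least latency wins
            choice = min(preferred, key=lambda p: self.metrics[p].latency_ms)
        session.update(path=choice, version=self.version)
        return choice
```

Because the version only moves on a threshold crossing, jitter inside the acceptable band never causes a session to flap between paths; a session is re-evaluated exactly when the set of healthy paths has changed.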

IPC Classes

  • H04L 12/725 - Selecting a path with suitable quality of service [QoS]

30.

MALICIOUS TRAFFIC DETECTION WITH ANOMALY DETECTION MODELING

Application Number US2021071244
Publication Number 2022/040698
Status In Force
Filing Date 2021-08-20
Publication Date 2022-02-24
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Achleitner, Stefan
  • Xu, Chengcheng

Abstract

An anomaly detection model is trained to detect malicious traffic sessions with a low rate of false positives. A sample feature extractor extracts tokens corresponding to human-readable substrings of incoming unstructured payloads in a traffic session. The tokens are correlated with a list of malicious traffic features and frequent malicious traffic features across the traffic session are aggregated into a feature vector of malicious traffic feature frequencies. An anomaly detection model trained on feature vectors for unstructured malicious traffic samples predicts the traffic session as malicious or unclassified. The anomaly detection model is trained and updated based on its ongoing false positive rate, and malicious traffic features in the list of malicious traffic features that result in a high false positive rate are removed.
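An added example of the feature pipeline in the abstract (not code from the patent or from Palo Alto Networks): printable runs are pulled out of opaque payloads, counted against a malicious-feature list into a per-session frequency vector, and a stand-in model (nearest training vector by cosine similarity, an assumption; the patent does not specify its model) returns "malicious" or "unclassified". The feedback path is the security-relevant part: a feature such as "base64", which also appears in ordinary mail, gets pruned once its false-positive rate is too high, and the model is refit. The feature list and both traffic sessions are constructed.

```python
import math
import re
from collections import Counter

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")   # human-readable substrings of an opaque payload


def extract_tokens(payload):
    return [run.decode("ascii").lower() for run in PRINTABLE_RUN.findall(payload)]


def feature_vector(session_payloads, features):
    """Counts, per malicious feature, how many readable tokens in the session contain it."""
    counts = Counter()
    for payload in session_payloads:
        for token in extract_tokens(payload):
            for feat in features:
                if feat in token:
                    counts[feat] += 1
    return [counts[f] for f in features]


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = math.sqrt(sum(x * x for x in a)), math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


class TokenAnomalyDetector:
    """Stand-in for the patent's model: a session is 'malicious' when its feature vector
    is close to any training vector, otherwise 'unclassified'. Features whose verdicts
    turn out to be mostly false positives are dropped and the model is refit."""

    def __init__(self, features, similarity=0.4):
        self.features = list(features)
        self.similarity = similarity
        self.train_sessions, self.vectors = [], []
        self.seen, self.false_pos = Counter(), Counter()

    def fit(self, malicious_sessions):
        self.train_sessions = list(malicious_sessions)
        self.vectors = [feature_vector(s, self.features) for s in self.train_sessions]

    def predict(self, session):
        v = feature_vector(session, self.features)
        if not any(v) or not self.vectors:
            return "unclassified"
        score = max(cosine(v, t) for t in self.vectors)
        return "malicious" if score >= self.similarity else "unclassified"

    def feedback(self, session, false_positive):
        """Analyst verdict on a session the model called malicious."""
        for feat, count in zip(self.features, feature_vector(session, self.features)):
            if count:
                self.seen[feat] += 1
                if false_positive:
                    self.false_pos[feat] += 1

    def prune(self, max_fp_rate=0.5, min_seen=2):
        """Remove features whose false-positive rate is too high, then refit."""
        keep = [f for f in self.features
                if self.seen[f] < min_seen or self.false_pos[f] / self.seen[f] <= max_fp_rate]
        removed = [f for f in self.features if f not in keep]
        self.features = keep
        self.fit(self.train_sessions)
        return removed


FEATURES = ["cmd.exe", "powershell", "base64", "/bin/sh", "wget"]

# Constructed traffic: a webshell-style session and a benign mail session.
MALICIOUS_SESSION = [
    b"POST /upload.php HTTP/1.1\r\nHost: victim\r\n\r\n",
    b"cmd=powershell -enc aGVsbG8=\x00\x01",
    b"\x90\x90cmd.exe /c whoami\x00",
    b"echo payload | base64 -d | /bin/sh",
]
BENIGN_MAIL_SESSION = [
    b"MIME-Version: 1.0\r\n",
    b"Content-Transfer-Encoding: base64\r\n",
    b"Content-Type: image/png\r\n\r\n",
]
```

Run against the constructed sessions, the mail session is initially flagged because "base64" alone is enough to sit within the similarity threshold; two false-positive reports against one true positive push that feature's rate over 0.5, `prune()` drops it, and the mail session falls back to "unclassified" while the webshell session is still caught.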

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

31.

PATTERN-BASED MALICIOUS URL DETECTION

Application Number US2021042654
Publication Number 2022/026272
Status In Force
Filing Date 2021-07-21
Publication Date 2022-02-03
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Liu, Fang
  • Zhou, Yuchen
  • Wang, Jun

Abstract

To perform pattern-based detection of malicious URLs, patterns are first generated from known URLs to build a pattern repository. A URL is normalized and parsed, and keywords are extracted and stored in an additional repository of keywords. Tokens are then determined from the parsed URL and tags are associated with the parsed substrings. Substring text may also be replaced with general identifying information. Patterns generated from known malicious and benign URLs satisfying certain criteria are published to a pattern repository, which can be accessed during subsequent detection operations. During detection, upon identifying a request which indicates an unknown URL, the URL is parsed and tokenized to generate a pattern. The repository of malicious URL patterns is queried to determine if a matching malicious URL pattern can be identified. If a matching malicious URL pattern is identified, the URL is detected as malicious.
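An added example of the normalize / parse / tokenize / tag / match sequence (not code from the patent or from Palo Alto Networks). The keyword list, the tag names (`<NUM>`, `<HEX>`, `<WORD>`, `<MIXED>`, `<TLD>`) and the publication criterion (a pattern needs at least two malicious URLs behind it and no benign one) are assumptions made for the example; the URLs are constructed. The point it shows is that two phishing URLs on different hosts collapse to one pattern, and a third, unseen host with the same shape is caught without any list of hostnames.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Keywords kept literal in patterns; everything else is abstracted to a tag.
KEYWORDS = {"login", "signin", "verify", "secure", "account", "update", "password", "admin"}
EXTENSIONS = {"php", "html", "htm", "asp", "aspx", "js", "exe", "zip"}


def normalize(url):
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), unquote(parts.path) or "/", parts.query


def tag(token):
    token = token.lower()
    if token in KEYWORDS or token in EXTENSIONS:
        return token
    if re.fullmatch(r"\d+", token):
        return "<NUM>"
    if re.fullmatch(r"[0-9a-f]{8,}", token):
        return "<HEX>"
    if re.fullmatch(r"[a-z]+", token):
        return "<WORD>"
    return "<MIXED>"


def tag_segment(segment):
    """Tag the pieces of a host label or path segment, keeping the separators."""
    pieces = re.split(r"([.\-_])", segment)
    return "".join(p if p in ".-_" else tag(p) for p in pieces if p)


def url_pattern(url):
    host, path, query = normalize(url)
    labels = [l for l in host.split(".") if l]
    host_pat = ".".join([tag_segment(l) for l in labels[:-1]] + ["<TLD>"]) if labels else ""
    path_pat = "/" + "/".join(tag_segment(s) for s in path.split("/") if s)
    params = sorted(parse_qsl(query, keep_blank_values=True))      # keys literal, values tagged
    query_pat = "&".join(f"{k.lower()}={tag(v)}" for k, v in params)
    return host_pat + path_pat + (f"?{query_pat}" if query_pat else "")


def build_repository(malicious_urls, benign_urls, min_support=2):
    """Publish a pattern only if enough malicious URLs share it and no benign URL does."""
    benign = {url_pattern(u) for u in benign_urls}
    support = Counter(url_pattern(u) for u in malicious_urls)
    return {p for p, n in support.items() if n >= min_support and p not in benign}


def detect(url, repository):
    return "malicious" if url_pattern(url) in repository else "unknown"


# Constructed training data.
MALICIOUS_URLS = [
    "http://login-verify.example-host1.com/8a7b6c5d4e3f/verify.php?id=1234&token=ab12cd34ef56",
    "http://login-verify.another-host2.net/0123456789ab/verify.php?id=99&token=ffeeddccbbaa",
]
BENIGN_URLS = ["https://www.example.com/login?next=/home"]
```

The benign check in `build_repository` is what keeps generic shapes such as `<WORD>.<WORD>.<TLD>/login` out of the repository: a pattern that benign traffic also produces would be a false-positive generator, however many malicious URLs share it.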

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

32.

CONJOINING MALWARE DETECTION MODELS FOR DETECTION PERFORMANCE AGGREGATION

Application Number US2021070981
Publication Number 2022/027009
Status In Force
Filing Date 2021-07-27
Publication Date 2022-02-03
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Rao, Akshata Krishnamoorthy
  • Tsechansky, Danny
  • Hu, Wenjun

Abstract

To leverage the higher detection rate of a supplemental model and manage the higher false positive rate of that model, an activation range is tuned for the candidate model to operate in conjunction with an incumbent model. The activation range is a range of output values for the incumbent model that activates the supplemental model. Inputs having benign output values from the incumbent model that are within the activation range are fed into the supplemental model. Thus, the lower threshold of the activation range corresponds to the malware detection threshold of the incumbent model and the upper threshold determines how many benign classified outputs from the incumbent model activate the supplemental model. This conjoining of models with a tuned activation range manages overall false positive rate of the conjoined detection models while the malware detection rate increases over the incumbent detection model alone.
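The activation range is the whole idea here, so the following added example (not code from the patent or from Palo Alto Networks) makes it concrete. It assumes the incumbent emits P(benign) and the supplemental emits P(malware), both on a 0..1 scale; the scores in the validation set are constructed. The tuning step relies on one property worth stating: widening the range can only turn benign verdicts into malicious ones, so both the detection rate and the false-positive rate are monotone in the upper bound, and the widest range inside the FP budget is the right one.

```python
# Constructed validation set: (name, incumbent P(benign), supplemental P(malware), is_malware).
SAMPLES = [
    ("m1", 0.10, 0.90, True),
    ("m2", 0.45, 0.80, True),
    ("m3", 0.60, 0.70, True),
    ("m4", 0.85, 0.90, True),
    ("b1", 0.95, 0.20, False),
    ("b2", 0.70, 0.60, False),
    ("b3", 0.50, 0.30, False),
    ("b4", 0.90, 0.80, False),
    ("b5", 0.99, 0.10, False),
    ("b6", 0.40, 0.55, False),
]


def conjoined_verdict(inc_benign, sup_malware, malware_threshold, activation_upper, sup_threshold=0.5):
    """The incumbent decides alone below its malware threshold; inside the activation range
    [malware_threshold, activation_upper) the supplemental model gets the final say."""
    if inc_benign < malware_threshold:
        return "malicious"
    if inc_benign < activation_upper:
        return "malicious" if sup_malware >= sup_threshold else "benign"
    return "benign"


def evaluate(samples, malware_threshold, activation_upper):
    """Returns (detection rate over malware, false-positive rate over benign)."""
    tp = fp = n_mal = n_ben = 0
    for _, inc, sup, is_mal in samples:
        verdict = conjoined_verdict(inc, sup, malware_threshold, activation_upper)
        if is_mal:
            n_mal += 1
            tp += verdict == "malicious"
        else:
            n_ben += 1
            fp += verdict == "malicious"
    return tp / n_mal, fp / n_ben


def tune_activation_upper(samples, malware_threshold, fp_budget, step=0.05):
    """Widening the range only adds 'malicious' verdicts, so the FP rate is monotone in the
    upper bound: keep the widest range that stays inside the FP budget."""
    best = malware_threshold          # upper == lower: the supplemental never activates
    upper = malware_threshold
    while upper <= 1.0 + 1e-9:
        _, fpr = evaluate(samples, malware_threshold, upper)
        if fpr <= fp_budget:
            best = upper
        upper = round(upper + step, 10)
    return best


if __name__ == "__main__":
    upper = tune_activation_upper(SAMPLES, malware_threshold=0.3, fp_budget=0.2)
    print("activation range: [0.3, %.2f)" % upper, evaluate(SAMPLES, 0.3, upper))
```

With the constructed scores the incumbent alone catches one of four malware samples at zero false positives; opening the range up to 0.7 catches three of four at one false positive in six, and the next step would admit a second false positive and blow the budget.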

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06N 20/00 - Machine learning

33.

MALWARE ANALYSIS THROUGH VIRTUAL MACHINE FORKING

Application Number US2021071081
Publication Number 2022/027072
Status In Force
Filing Date 2021-07-30
Publication Date 2022-02-03
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Lu, Chien-Hua
  • Salsamendi, Ryan Carroll

Abstract

A set of virtual machines (VMs) with different guest operating systems installed is initially booted and prepared to facilitate rapid creation, or "forking," of a child VM(s) for malware analysis of a software sample. Because malicious code may be packaged for a specific operating system version, subsets of the VMs may have different versions of the same guest operating system installed. Upon detection of a sample indicated for malware analysis, a child VM(s) running the appropriate guest operating system is created based on a corresponding one(s) of the set of VMs. A process in which the corresponding VM(s) has been booted is forked to create a child process. A child VM which is a copy of the VM booted in the parent process is then created in the child process. The sample is then sandboxed in the child VM for analysis to determine if the sample comprises malware.

IPC Classes

  • G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

34.

SECURING CONTROL AND USER PLANE SEPARATION IN MOBILE NETWORKS

Application Number US2021037590
Publication Number 2022/005748
Status In Force
Filing Date 2021-06-16
Publication Date 2022-01-06
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Burakovsky, Leonid
  • Verma, Sachin
  • Hu, Fengliang
  • Chen, I-Chun
  • Lim, How Tung

Abstract

Techniques for securing control and user plane separation in mobile networks (e.g., service provider networks for mobile subscribers, such as for 4G/5G networks) are disclosed. In some embodiments, a system/process/computer program product for securing control and user plane separation in mobile networks in accordance with some embodiments includes monitoring network traffic on a mobile network at a security platform to identify a Packet Forwarding Control Protocol (PFCP) message associated with a new session, in which the mobile network includes a 4G network or a 5G network; extracting a plurality of parameters from the PFCP message at the security platform; and enforcing a security policy at the security platform on the new session based on one or more of the plurality of parameters to secure control and user plane separation in the mobile network.
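An added example (not code from the patent or from Palo Alto Networks) of the two mechanical steps in the abstract: parsing a PFCP message down to the parameters a policy needs, then deciding on the new session. The header and IE layouts follow 3GPP TS 29.244 (version in the top three bits of the first octet, S flag in bit 1, optional 8-byte SEID, 3-byte sequence number, TLV IEs with 2-byte type and length; Node ID is IE 60, F-SEID is IE 57 with a V4 flag in bit 2). The message itself is constructed by `build_session_establishment_request`, and the policy in `enforce` (only allowlisted control-plane nodes may open sessions, and the F-SEID address must agree with the Node ID) is hypothetical.

```python
import ipaddress
import struct

# Message types and IE types from 3GPP TS 29.244 (subset used here).
MSG_TYPES = {
    1: "Heartbeat Request", 2: "Heartbeat Response",
    50: "Session Establishment Request", 51: "Session Establishment Response",
    52: "Session Modification Request", 54: "Session Deletion Request",
}
IE_F_SEID, IE_NODE_ID = 57, 60


def _ie(ie_type, value):
    return struct.pack("!HH", ie_type, len(value)) + value


def build_session_establishment_request(cp_ipv4, cp_seid, seq):
    """Constructed SEReq: version 1, S flag set, header SEID 0 (new session), Node ID + F-SEID IEs."""
    addr = ipaddress.IPv4Address(cp_ipv4).packed
    node_id = bytes([0]) + addr                                   # Node ID type 0 = IPv4
    f_seid = bytes([0x02]) + struct.pack("!Q", cp_seid) + addr    # V4 flag, SEID, IPv4
    body = _ie(IE_NODE_ID, node_id) + _ie(IE_F_SEID, f_seid)
    rest = struct.pack("!Q", 0) + seq.to_bytes(3, "big") + b"\x00"   # SEID, seq, spare
    return struct.pack("!BBH", (1 << 5) | 0x01, 50, len(rest) + len(body)) + rest + body


def parse_pfcp(data):
    flags, msg_type, length = struct.unpack("!BBH", data[:4])
    end = 4 + length                                   # length excludes the 4 mandatory octets
    if len(data) < end:
        raise ValueError("truncated PFCP message")
    off, seid = 4, None
    if flags & 0x01:                                   # S flag: SEID present
        seid = struct.unpack("!Q", data[off:off + 8])[0]
        off += 8
    seq = int.from_bytes(data[off:off + 3], "big")
    off += 4                                           # 3-byte sequence + 1 spare/priority octet
    ies = {}
    while off + 4 <= end:
        ie_type, ie_len = struct.unpack("!HH", data[off:off + 4])
        off += 4
        if off + ie_len > end:
            raise ValueError("IE overruns message")
        ies[ie_type] = data[off:off + ie_len]
        off += ie_len
    msg = {"version": flags >> 5, "type": msg_type, "name": MSG_TYPES.get(msg_type, "unknown"),
           "seid": seid, "seq": seq}
    if IE_NODE_ID in ies:
        v = ies[IE_NODE_ID]
        kind = v[0] & 0x0F
        if kind == 0:
            msg["node_id"] = str(ipaddress.IPv4Address(v[1:5]))
        elif kind == 1:
            msg["node_id"] = str(ipaddress.IPv6Address(v[1:17]))
        else:
            msg["node_id"] = v[1:].decode("ascii", "replace")   # FQDN, left in raw label form
    if IE_F_SEID in ies:
        v = ies[IE_F_SEID]
        msg["cp_seid"] = struct.unpack("!Q", v[1:9])[0]
        if v[0] & 0x02:
            msg["cp_ipv4"] = str(ipaddress.IPv4Address(v[9:13]))
    return msg


def enforce(msg, allowed_cp_nodes):
    """Hypothetical policy: a new session may only be set up by a known control-plane node,
    and the F-SEID address must agree with the claimed Node ID; unknown types are dropped."""
    if msg["type"] not in MSG_TYPES:
        return "deny"
    if msg["type"] == 50:
        if msg.get("node_id") not in allowed_cp_nodes:
            return "deny"
        if "cp_ipv4" in msg and msg["cp_ipv4"] != msg["node_id"]:
            return "deny"
    return "allow"
```

The two length checks matter on a security platform: PFCP runs over UDP (port 8805), and a parser that trusts the header length or an IE length without bounding it against the datagram is the kind of thing a malformed N4/Sxb message is aimed at.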

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

35.

AUTOMATING IOT DEVICE IDENTIFICATION USING STATISTICAL PAYLOAD FINGERPRINTS

Application Number US2021035279
Publication Number 2021/247598
Status In Force
Filing Date 2021-06-01
Publication Date 2021-12-09
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor Wang, Feng

Abstract

Internet of Things (IoT) device classification is disclosed. A byte frequency pattern associated with network traffic of an IoT device is received. The received pattern is used to determine a classification for the IoT device. The classification is provided to a security appliance. The security appliance is configured to apply a policy to the IoT device based at least in part on the classification.
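An added example (not code from the patent or from Palo Alto Networks) of what a "byte frequency pattern" is and how it drives classification: a 256-bin histogram of payload bytes per device, compared by cosine similarity against learned per-class fingerprints, with a per-class policy looked up from the result. The device classes, the training traffic (two RTSP requests for a camera, two Modbus/TCP-style frames for a PLC), the similarity threshold and the policy table are all constructed for the example.

```python
import math
from collections import Counter


def byte_frequency(payloads):
    """256-bin relative byte frequency over all payloads of one device's traffic."""
    counts, total = Counter(), 0
    for p in payloads:
        counts.update(p)          # iterating bytes yields ints 0..255
        total += len(p)
    return [counts[b] / total if total else 0.0 for b in range(256)]


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = math.sqrt(sum(x * x for x in a)), math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


class FingerprintClassifier:
    def __init__(self, min_similarity=0.6):
        self.fingerprints = {}
        self.min_similarity = min_similarity

    def learn(self, label, payloads):
        self.fingerprints[label] = byte_frequency(payloads)

    def classify(self, payloads):
        """Best-matching class, or 'unknown' when nothing is similar enough."""
        pattern = byte_frequency(payloads)
        label, sim = max(((l, cosine(pattern, fp)) for l, fp in self.fingerprints.items()),
                         key=lambda x: x[1])
        return (label, sim) if sim >= self.min_similarity else ("unknown", sim)


# Hypothetical per-class policy the security appliance side would apply.
POLICY = {"ip-camera": {"allow_dst_ports": {554, 443}}, "plc": {"allow_dst_ports": {502}}}


def policy_for(label):
    return POLICY.get(label, {"allow_dst_ports": set()})   # unknown devices: default deny


# Constructed training traffic.
CAMERA_TRAFFIC = [
    b"OPTIONS rtsp://192.168.1.20/stream RTSP/1.0\r\nCSeq: 1\r\nUser-Agent: cam\r\n\r\n",
    b"DESCRIBE rtsp://192.168.1.20/stream RTSP/1.0\r\nCSeq: 2\r\nAccept: application/sdp\r\n\r\n",
]
PLC_TRAFFIC = [   # Modbus/TCP-style request frames: mostly small binary values
    b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a",
    b"\x00\x02\x00\x00\x00\x06\x01\x03\x00\x0a\x00\x05",
]

clf = FingerprintClassifier()
clf.learn("ip-camera", CAMERA_TRAFFIC)
clf.learn("plc", PLC_TRAFFIC)
```

The histogram ignores packet order and field semantics entirely, which is why it works on encrypted or proprietary protocols; the trade-off is that two text protocols look alike, so in practice the fingerprint is one signal among several rather than the whole verdict.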

IPC Classes

  • G06F 11/00 - Error detection; Error correction; Monitoring

36.

INNOCENT UNTIL PROVEN GUILTY (IUPG): ADVERSARY RESISTANT AND FALSE POSITIVE RESISTANT DEEP LEARNING MODELS

Application Number US2021035699
Publication Number 2021/247860
Status In Force
Filing Date 2021-06-03
Publication Date 2021-12-09
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Kutt, Brody James
  • Starov, Oleksii
  • Zhou, Yuchen
  • Hewlett, William Redington, II

Abstract

Techniques for providing innocent until proven guilty (IUPG) solutions for building and using adversary resistant and false positive resistant deep learning models are disclosed. In some embodiments, a system, process, and/or computer program product includes storing a set comprising one or more innocent until proven guilty (IUPG) models for static analysis of a sample; performing a static analysis of content associated with the sample, wherein performing the static analysis includes using at least one stored IUPG model; and determining that the sample is malicious based at least in part on the static analysis of the content associated with the sample, and in response to determining that the sample is malicious, performing an action based on a security policy.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

37.

IOT DEVICE DISCOVERY AND IDENTIFICATION

Application Number US2021035278
Publication Number 2021/247597
Status In Force
Filing Date 2021-06-01
Publication Date 2021-12-09
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Du, Jun
  • Zhao, Yilin

Abstract

Techniques for performing Internet of Things (IoT) device identification are disclosed. Information associated with a network communication of an IoT device is received. A determination is made of whether the IoT device has been classified. In response to determining that the IoT device has not been classified, a two-part classification process is performed, where a first portion includes an inline classification, and a second portion includes a subsequent verification of the inline classification. A result of the classification process is provided to a security appliance configured to apply a policy to the IoT device.

IPC Classes

  • H04W 8/00 - Network data management
  • H04W 8/18 - Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data

38.

REDUCING MEMORY FOOTPRINT AFTER TLS CONNECTION ESTABLISHMENT

Application Number US2021070604
Publication Number 2021/243356
Status In Force
Filing Date 2021-05-25
Publication Date 2021-12-02
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Sahni, Mohit
  • Tripathi, Saurabh

Abstract

For connection establishment, a system allocates memory that will be occupied by the data and handshake sub-protocol infrastructure that facilitates establishing a TLS connection. After connection establishment, the system allocates memory space for the data and record sub-protocol infrastructure that facilitates the asynchronous communication of application traffic. The memory space for the TLS session (i.e., the communication information separate from the handshake) has a substantially smaller footprint than the memory space for the TLS handshake. The TLS handshake memory space can be released and recycled for other connections while application communications use the smaller memory space allocated and populated with the TLS session data and infrastructure.

IPC Classes

  • G06F 21/64 - Protecting data integrity, e.g. using checksums, certificates or signatures
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 12/02 - Addressing or allocation; Relocation
  • H04L 29/08 - Transmission control procedure, e.g. data link level control procedure

39.

AUTOMATED CONTENT TAGGING WITH LATENT DIRICHLET ALLOCATION OF CONTEXTUAL WORD EMBEDDINGS

Application Number US2021019452
Publication Number 2021/173700
Status In Force
Filing Date 2021-02-24
Publication Date 2021-09-02
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Thor, Nandan Gautam
  • Arvaniti, Vasiliki
  • Helenius, Jere Armas Michael
  • Bower, Erik Michael

Abstract

Dynamic content tags are generated as content is received by a dynamic content tagging system. A natural language processor (NLP) tokenizes the content and extracts contextual N-grams based on local or global context for the tokens in each document in the content. The contextual N-grams are used as input to a generative model that computes a weighted vector of likelihood values that each contextual N-gram corresponds to one of a set of unlabeled topics. A tag is generated for each unlabeled topic comprising the contextual N-gram having a highest likelihood to correspond to that unlabeled topic. Topic-based deep learning models having tag predictions below a threshold confidence level are retrained using the generated tags, and the retrained topic-based deep learning models dynamically tag the content.

IPC Classes

  • G06N 3/04 - Architecture, e.g. interconnection topology
  • G06N 7/00 - Computing arrangements based on specific mathematical models
  • G06F 40/00 - Handling natural language data

40.

INTELLIGENT SIGNATURE-BASED ANTI-CLOAKING WEB RECRAWLING

Application Number US2020056730
Publication Number 2021/081139
Status In Force
Filing Date 2020-10-21
Publication Date 2021-04-29
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Starov, Oleksii
  • Chen, Zhanhao
  • Zhou, Yuchen
  • Liu, Fang

Abstract

Web sites are crawled using multiple browser profiles to avoid malicious cloaking. Based on web page content returned from HTTP requests using the multiple browser profiles, web sites returning substantively different content to HTTP requests for different browser profiles are identified. Web sites are further filtered by common cloaking behavior, and redirect scripts are extracted from web page content that performed cloaking. Signatures comprising tokenized versions of the redirect scripts are generated and compared to a database of known cloaking signatures. URLs corresponding to signatures having approximate matches with signatures in the database are flagged for recrawling. Recrawled URLs are verified for malicious cloaking again using HTTP requests from multiple browser profiles.
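An added example (not code from the patent or from Palo Alto Networks) of the offline half of that pipeline, given page bodies already fetched under two browser profiles: decide whether the profiles received substantively different content, pull out the scripts that look like redirects, tokenize them into a signature with string and numeric literals abstracted, and approximately match the signature against known cloaking signatures to decide whether the URL goes back into the recrawl queue. The responses, the known signature, the token classes and the two ratio thresholds are constructed for the example; `difflib.SequenceMatcher` stands in for whatever approximate-match measure a real system would use.

```python
import re
from difflib import SequenceMatcher

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
REDIRECT_HINT = re.compile(r"location|navigator|userAgent|setTimeout", re.I)
TOKEN_RE = re.compile(r"[A-Za-z_$][\w$]*|\d+|\"[^\"]*\"|'[^']*'|\S")
KEEP = {"if", "else", "var", "let", "function", "return", "window", "document", "location",
        "href", "replace", "assign", "navigator", "userAgent", "indexOf", "match", "setTimeout"}


def visible_text(html):
    """Drop scripts and tags, collapse whitespace: what the profile would actually see."""
    no_scripts = SCRIPT_RE.sub(" ", html)
    return re.sub(r"\s+", " ", re.sub(r"<[^>]+>", " ", no_scripts)).strip().lower()


def substantively_different(html_a, html_b, max_ratio=0.7):
    return SequenceMatcher(None, visible_text(html_a), visible_text(html_b)).ratio() < max_ratio


def redirect_scripts(html):
    return [s for s in SCRIPT_RE.findall(html) if REDIRECT_HINT.search(s)]


def signature(script):
    """Tokenize and abstract literals/identifiers so the same kit matches across campaigns."""
    out = []
    for tok in TOKEN_RE.findall(script):
        if tok[0] in "\"'":
            out.append("STR")
        elif tok.isdigit():
            out.append("NUM")
        elif tok in KEEP:
            out.append(tok)
        elif re.match(r"[A-Za-z_$]", tok):
            out.append("ID")
        else:
            out.append(tok)
    return out


def approx_match(sig, known_sigs, min_ratio=0.8):
    return any(SequenceMatcher(None, sig, k).ratio() >= min_ratio for k in known_sigs)


def triage(responses, known_sigs):
    """responses: {browser_profile: html}. Returns whether the URL cloaks and should be recrawled."""
    pages = list(responses.values())
    cloaked = any(substantively_different(pages[0], p) for p in pages[1:])
    if not cloaked:
        return {"cloaking": False, "recrawl": False, "signatures": []}
    sigs = [signature(s) for page in pages for s in redirect_scripts(page)]
    return {"cloaking": True, "signatures": sigs,
            "recrawl": any(approx_match(s, known_sigs) for s in sigs)}


# Constructed: a signature from an earlier campaign of the same kit, and one crawled site.
KNOWN_SIGNATURES = [signature(
    'if(navigator.userAgent.indexOf("Android")!=-1){window.location.href="http://other.example/";}')]
RESPONSES = {
    "desktop-chrome": "<html><body><h1>Welcome to our shop</h1>"
                      "<p>Browse our catalogue of garden tools.</p></body></html>",
    "mobile-safari": '<html><body><script>if(navigator.userAgent.indexOf("iPhone")>-1)'
                     '{window.location.href="http://bad.example/landing?x=1";}</script>'
                     "<p>Loading...</p></body></html>",
}
```

The new script differs from the known one in the target URL, the user-agent string and the comparison operator, yet its token signature is within a few tokens of the stored one, which is exactly the near-miss an exact signature would lose and a recrawl is meant to confirm.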

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 16/951 - Indexing; Web crawling techniques
  • H04L 29/08 - Transmission control procedure, e.g. data link level control procedure

41.

IN-LINE DETECTION OF ALGORITHMICALLY GENERATED DOMAINS

Application Number US2020053530
Publication Number 2021/067425
Status In Force
Filing Date 2020-09-30
Publication Date 2021-04-08
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Liu, Daiping
  • Walter, Martin
  • Hua, Ben
  • Li, Suquan
  • Fei, Fan
  • Chung, Seokkyung
  • Wang, Jun
  • Xu, Wei

Abstract

Detection of algorithmically generated domains is disclosed. A DNS query is received. Markov Chain analysis is performed on a domain included in the received query. A determination of whether the received query implicates an algorithmically generated domain is made based at least in part on a result of the Markov Chain analysis.
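An added example (not code from the patent or from Palo Alto Networks) of Markov-chain scoring of a queried domain: a first-order chain over characters is fitted on benign domain labels with additive smoothing, a query's label is scored by its average per-transition log-likelihood, and anything scoring well below the worst benign training domain is treated as an algorithmically generated domain. The benign list is a small constructed one (a deployment would train on a large allowlist), the TLD stripping is naive (no public-suffix list), and the calibration margin and the sinkhole action are assumptions.

```python
import math
from collections import defaultdict

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"
START, END = "^", "$"

# Constructed benign training set; a real deployment would use a large allowlist.
BENIGN_DOMAINS = [
    "google.com", "facebook.com", "amazon.com", "wikipedia.org", "microsoft.com", "apple.com",
    "netflix.com", "youtube.com", "twitter.com", "linkedin.com", "github.com",
    "stackoverflow.com", "reddit.com", "instagram.com", "cloudflare.com", "dropbox.com",
    "salesforce.com", "adobe.com", "oracle.com", "mozilla.org", "example.com",
    "paloaltonetworks.com",
]


def registrable_label(domain):
    """Naive: the label left of the TLD (no public-suffix list; an assumption of this example)."""
    labels = [l for l in domain.lower().rstrip(".").split(".") if l]
    if not labels:
        return ""
    label = labels[-2] if len(labels) >= 2 else labels[0]
    return "".join(c for c in label if c in ALPHABET)


class MarkovDomainModel:
    """First-order Markov chain over characters of benign domain labels, with additive smoothing."""

    def __init__(self, alpha=0.1):
        self.alpha = alpha
        self.counts = defaultdict(lambda: defaultdict(float))
        self.threshold = None

    def fit(self, domains, margin=0.3):
        for d in domains:
            s = START + registrable_label(d) + END
            for a, b in zip(s, s[1:]):
                self.counts[a][b] += 1
        # Calibrate: anything scoring well below the worst benign training domain is suspect.
        self.threshold = min(self.score(d) for d in domains) - margin
        return self

    def transition_logp(self, a, b):
        row = self.counts[a]
        total = sum(row.values())
        vocab = len(ALPHABET) + 1                   # the next symbol may also be END
        return math.log((row.get(b, 0.0) + self.alpha) / (total + self.alpha * vocab))

    def score(self, domain):
        """Average per-transition log-likelihood; higher means more like benign names."""
        s = START + registrable_label(domain) + END
        return sum(self.transition_logp(a, b) for a, b in zip(s, s[1:])) / (len(s) - 1)

    def is_agd(self, domain):
        return self.score(domain) < self.threshold


def handle_query(model, qname, sinkhole="10.255.255.254"):
    """In-line decision for one DNS query (hypothetical action names)."""
    if model.is_agd(qname):
        return {"qname": qname, "action": "sinkhole", "answer": sinkhole}
    return {"qname": qname, "action": "allow"}
```

Averaging per transition keeps long and short labels comparable; the `^` start state also lets the model penalise unusual first letters, which random generators hit far more often than registrants do. Short pronounceable labels (and dictionary-word DGAs) will score close to benign, so this is one feature of an in-line verdict, not the verdict by itself.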

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • H04L 29/08 - Transmission control procedure, e.g. data link level control procedure
  • H04L 29/12 - Arrangements, apparatus, circuits or systems, not covered by a single one of groups characterised by the data terminal

42.

CONTEXT INFORMED ABNORMAL ENDPOINT BEHAVIOR DETECTION

Application Number US2020048531
Publication Number 2021/041901
Status In Force
Filing Date 2020-08-28
Publication Date 2021-03-04
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Meir, Shai
  • Cohen, Dany
  • Miasnikov, Arkady
  • Ohayon, Ohad

Abstract

Adaptive normal profiles are generated at a hierarchical scope corresponding to a set of endpoints and a process. Abnormal endpoint activity is detected by verifying whether event data tracking activity on the set of endpoints conforms to the adaptive normal profiles. False positives are reduced by verifying alarms correspond to normal endpoint activity. Abnormal event data is forwarded to a causality chain identifier that identifies abnormal chains of processes for the abnormal endpoint activity. A trained threat detection model receives abnormal causality chains from the causality chain identifier and indicates a likelihood of corresponding to a malicious attack that indicates abnormal endpoint behavior.

IPC Classes

  • G06F 21/55 - Detecting local intrusion or implementing counter-measures

43.

MULTI-PERSPECTIVE SECURITY CONTEXT PER ACTOR

Application Number US2020042745
Publication Number 2021/016171
Status In Force
Filing Date 2020-07-20
Publication Date 2021-01-28
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Fitz-Gerald Jr., Jeffrey James
  • Murthy, Ashwath Sreenivasa

Abstract

A flexible security system has been created that allows for fluid security operations that adapt to the dynamic nature of user behavior while also allowing the security related operations themselves to be dynamic. This flexible system includes ongoing collection and/or updating of multi-perspective "security contexts" per actor and facilitating consumption of these multi-perspective security contexts for security related operations on the users. These security related operations can include policy-based security enforcement and inspection. A security platform component or security entity uses a multi-perspective security context for a user or actor. Aggregating and maintaining behavioral information into a data structure for an actor over time from different sources allows a security platform component or entity to have historical context for an actor from one or more security perspectives. Descriptors that form a security context can originate from various sources having visibility of user behavior and/or user attributes.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

44.

INLINE MALWARE DETECTION

Application Number US2020040928
Publication Number 2021/015941
Status In Force
Filing Date 2020-07-06
Publication Date 2021-01-28
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Hewlett, William Redington
  • Deng, Suiqiang
  • Yang, Sheng
  • Lam, Ho Yu

Abstract

Detection of malicious files is disclosed. A set comprising one or more sample classification models is stored on a networked device. N-gram analysis is performed on a sequence of received packets associated with a received file. Performing the n-gram analysis includes using at least one stored sample classification model. A determination is made that the received file is malicious based at least in part on the n-gram analysis of the sequence of received packets. In response to determining that the file is malicious, propagation of the received file is prevented.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

45.

SECURITY POLICY ENFORCEMENT AND VISIBILITY FOR NETWORK ARCHITECTURES THAT MASK EXTERNAL SOURCE ADDRESSES

Application Number US2020030313
Publication Number 2020/223262
Status In Force
Filing Date 2020-04-28
Publication Date 2020-11-05
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Warburton, Thomas Arthur
  • Sreenivasa Murthy, Ashwath
  • Fitz-Gerald Jr., Jeffrey James

Abstract

Some network architectures include perimeter or edge devices which perform network address translation or otherwise modify data in a network traffic packet header, such as the source address. The modification of the source address prevents downstream devices from knowing the true or original source address from which the traffic originated. To address this issue, perimeter devices can insert the original source address in an X-Forwarded-For (XFF) field of the packet header. Firewalls and related security services can be programmed to record the original source address in the XFF field in addition to the other packet information and to consider the original source address during security analysis. Using the original source address in the XFF field, services can determine additional characteristics about the traffic, such as geographic origin or associated user accounts, and use these characteristics to identify applicable rules or policies.
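The caveat a practitioner needs here is that X-Forwarded-For is written by whoever sits upstream, including the client, so a firewall must only believe the part of the header that its own perimeter devices appended. The following added example (not code from the patent or from Palo Alto Networks) recovers the original source address by walking the header right to left past trusted proxies, ignores the header entirely when the peer is not a trusted proxy, and then applies a policy on the recovered address. The proxy ranges, the geolocation table and the admin-path rule are hypothetical.

```python
import ipaddress

# Hypothetical addresses of our own NAT/edge devices; only they may vouch for XFF.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("203.0.113.0/24")]
# Constructed geolocation table standing in for a real GeoIP feed.
GEO = {ipaddress.ip_network("198.51.100.0/24"): "XX", ipaddress.ip_network("192.0.2.0/24"): "US"}
# Hypothetical rule: admin paths only from these regions.
ADMIN_ALLOWED_REGIONS = {"US"}


def is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def original_source(peer_ip, xff_header):
    """Recover the client address: walk X-Forwarded-For right to left, skipping our own proxies.
    Anything a client could have written itself (everything left of the first untrusted hop,
    or the whole header when the peer is not a trusted proxy) is ignored."""
    peer = ipaddress.ip_address(peer_ip)
    if not is_trusted(peer):
        return peer                        # header is attacker-controlled: use the socket address
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer                    # malformed hop: do not guess, use the socket address
        if not is_trusted(addr):
            return addr
    return peer


def region_of(addr):
    return next((r for net, r in GEO.items() if addr in net), "unknown")


def decide(peer_ip, xff_header, path):
    client = original_source(peer_ip, xff_header)
    region = region_of(client)
    action = "allow"
    if path.startswith("/admin") and region not in ADMIN_ALLOWED_REGIONS:
        action = "deny"
    # Record both addresses so analysts can see the NAT hop and the true origin.
    return {"action": action, "peer": str(ipaddress.ip_address(peer_ip)),
            "client": str(client), "region": region}
```

Logging the peer address alongside the recovered one is deliberate: if a trusted proxy is ever compromised or misconfigured, the peer field is what lets an analyst tell which device vouched for a bogus origin.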

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

46.

MULTI-ACCESS DISTRIBUTED EDGE SECURITY IN MOBILE NETWORKS

Application Number US2020024281
Publication Number 2020/198157
Status In Force
Filing Date 2020-03-23
Publication Date 2020-10-01
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Verma, Sachin
  • Burakovsky, Leonid

Abstract

Techniques for providing multi-access distributed edge security in mobile networks (e.g., service provider networks for mobile subscribers, such as for 5G networks) are disclosed. In some embodiments, a system/process/computer program product for multi-access distributed edge security in mobile networks in accordance with some embodiments includes monitoring network traffic on a service provider network at a security platform to identify a new session, wherein the service provider network includes a 5G network or a converged 5G network; extracting subscription and/or equipment identifier information for user traffic associated with the new session at the security platform; and determining a security policy to apply at the security platform to the new session based on the subscription and/or equipment identifier information.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04W 76/11 - Allocation or use of connection identifiers
  • H04W 24/08 - Testing using real traffic
  • H04W 12/06 - Authentication
  • H04W 76/12 - Setup of transport tunnels
  • H04W 80/12 - Application layer protocols, e.g. WAP [Wireless Application Protocol]

47.

EXPLORABLE VISUAL ANALYTICS SYSTEM HAVING REDUCED LATENCY

Application Number US2019053866
Publication Number 2020/072379
Status In Force
Filing Date 2019-09-30
Publication Date 2020-04-09
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Yahyavi Firouz Abadi, Seyed Amir
  • Amirpour Amraii, Saman
  • Roosta Pour, Laleh

Abstract

A method and system for processing datasets having a number of data points are described. A portion of the dataset is received and processed in parallel. A view on a display is updated to include a first section of the portion of the dataset after the first section completes processing but before a remainder of the portion of the dataset completes processing. In some aspects, the portion of the dataset can include up to one million or more data points. In some aspects, if a change from the view to a second view is received before processing has completed, an unusable part of the dataset is discarded and/or a reusable part of the dataset that has completed processing is reused for the second view. In some aspects, columns of different dataset may be correlated and/or processed data is provided such that the processed data may be rapidly rendered.

IPC Classes

  • G06T 15/00 - 3D [Three Dimensional] image rendering

48.

NETWORK SLICE-BASED SECURITY IN MOBILE NETWORKS

Application Number US2019051792
Publication Number 2020/068521
Status In Force
Filing Date 2019-09-18
Publication Date 2020-04-02
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Verma, Sachin
  • Burakovsky, Leonid

Abstract

Techniques for providing network slice-based security in mobile networks (e.g., service provider networks for mobile subscribers) are disclosed. In some embodiments, a system/process/computer program product for network slice-based security in mobile networks in accordance with some embodiments includes monitoring network traffic on a service provider network at a security platform to identify a new session, wherein the service provider network includes a 5G network or a converged 5G network; extracting network slice information for user traffic associated with the new session at the security platform; and determining a security policy to apply at the security platform to the new session based on the network slice information.

IPC Classes

49.

TRANSPORT LAYER SIGNALING SECURITY WITH NEXT GENERATION FIREWALL

Application Number US2019017361
Publication Number 2019/160776
Status In Force
Filing Date 2019-02-08
Publication Date 2019-08-22
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Verma, Sachin
  • Burakovsky, Leonid
  • Huo, Mingxu
  • Hu, Fengliang

Abstract

Techniques for transport layer signaling security with next generation firewall are disclosed. In some embodiments, a system/process/computer program product for transport layer signaling security with next generation firewall includes monitoring transport layer signaling traffic on a service provider network at a security platform; and filtering the transport layer signaling traffic at the security platform based on a security policy. Techniques for application layer signaling security with next generation firewall are also disclosed. In some embodiments, a system/process/computer program product for application layer signaling security with next generation firewall includes monitoring application layer signaling traffic on a service provider network at a security platform; and filtering the application layer signaling traffic at the security platform based on a security policy. Techniques for network layer signaling security with next generation firewall are also disclosed. In some embodiments, a system/process/computer program product for network layer signaling security with next generation firewall includes monitoring network layer signaling protocol traffic on a service provider network at a security platform; and filtering the network layer signaling protocol traffic at the security platform based on a security policy. Techniques for Diameter security with next generation firewall are also disclosed. In some embodiments, a system/process/computer program product for Diameter security with next generation firewall includes monitoring Diameter protocol traffic on a service provider network at a security platform; and filtering the Diameter protocol traffic at the security platform based on a security policy.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 12/26 - Monitoring arrangements; Testing arrangements
  • H04L 12/56 - Packet switching systems
  • H04W 12/08 - Access security

50.

CONTEXT PROFILING FOR MALWARE DETECTION

Application Number US2019015684
Publication Number 2019/152421
Status In Force
Filing Date 2019-01-29
Publication Date 2019-08-08
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Wang, Jun
  • Xu, Wei

Abstract

Analysis of samples for maliciousness is disclosed. A sample is executed and one or more network activities associated with executing the sample are recorded. The recorded network activities are compared to a malware profile. The malware profile comprises a set of network activities associated with executing a copy of a known malicious application. A verdict of "malicious" is assigned to the sample based at least in part on a determination that the recorded network activities match the malware profile. Also disclosed is use of a malware profile to determine whether a host has been compromised. For example, a set of log entries can be analyzed to locate entries that correspond to the malware profile. Based at least in part on identifying the set of entries matching the malware profile, a determination is made that a host was compromised.
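An added example (not code from the patent or from Palo Alto Networks) covering both uses of a malware profile in the abstract: matching the network activities recorded during sandbox execution of a sample against a profile, and replaying the same profile over log entries to find hosts that were compromised. The profile, the three log formats and the log lines are constructed; the partial-match threshold is an assumption, included because a real infection rarely reproduces every activity of the reference run (a C2 may be down, a stage may not download).

```python
import re
from collections import defaultdict

# Constructed profile: network activities recorded while executing a known malicious sample.
MALWARE_PROFILE = {
    "name": "constructed-loader",
    "activities": {("dns", "update.example-c2.net"), ("tcp", "203.0.113.5:4444"),
                   ("http", "POST /gate.php")},
    "min_match": 0.66,          # fraction of profile activities that must be observed
}

# Hypothetical log formats for the three sources being correlated.
LOG_PATTERNS = [
    ("dns", re.compile(r"^\S+ dns src=(?P<host>\S+) qname=(?P<value>\S+)$")),
    ("tcp", re.compile(r"^\S+ fw src=(?P<host>\S+) dst=(?P<value>\S+:\d+) proto=tcp$")),
    ("http", re.compile(r"^\S+ http src=(?P<host>\S+) method=(?P<m>\S+) uri=(?P<u>\S+)$")),
]


def parse_log_line(line):
    """Returns (host, (kind, value)) in the same shape as a sandbox-recorded activity, or None."""
    for kind, pat in LOG_PATTERNS:
        m = pat.match(line.strip())
        if m:
            groups = m.groupdict()
            value = groups["value"] if "value" in groups else f"{groups['m']} {groups['u']}"
            return groups["host"], (kind, value)
    return None


def match_profile(activities, profile):
    """Fraction of the profile's activities seen; a partial match still counts above min_match."""
    hits = profile["activities"] & set(activities)
    return len(hits) / len(profile["activities"]) >= profile["min_match"], sorted(hits)


def sandbox_verdict(recorded_activities, profile):
    matched, hits = match_profile(recorded_activities, profile)
    return ("malicious" if matched else "benign"), hits


def compromised_hosts(log_lines, profile):
    """Group parsed activities per source host and keep the hosts that match the profile."""
    per_host = defaultdict(set)
    for line in log_lines:
        parsed = parse_log_line(line)
        if parsed:
            host, activity = parsed
            per_host[host].add(activity)
    result = {}
    for host, acts in per_host.items():
        matched, hits = match_profile(acts, profile)
        if matched:
            result[host] = hits
    return result


# Constructed log lines from DNS, firewall and HTTP proxy sources.
LOGS = [
    "2024-05-01T10:00:01Z dns src=10.0.0.7 qname=update.example-c2.net",
    "2024-05-01T10:00:02Z fw src=10.0.0.7 dst=203.0.113.5:4444 proto=tcp",
    "2024-05-01T10:00:03Z dns src=10.0.0.8 qname=update.example-c2.net",
    "2024-05-01T10:00:04Z dns src=10.0.0.8 qname=time.example.net",
    "2024-05-01T10:00:05Z http src=10.0.0.9 method=GET uri=/index.html",
]
```

Normalising log entries into the same `(kind, value)` tuples the sandbox produces is what makes the profile reusable: the detection logic does not care whether an activity was observed in a sandbox or on the wire, only that the same set of observables lines up.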

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

51.

FINE-GRAINED FIREWALL POLICY ENFORCEMENT USING SESSION APP ID AND ENDPOINT PROCESS ID CORRELATION

Application Number US2018051152
Publication Number 2019/055830
Status In Force
Filing Date 2018-09-14
Publication Date 2019-03-21
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Ashley, Robert Earle
  • Lam, Ho Yu
  • Tesh, Robert
  • Jin, Xuanyu
  • Mathison, Paul Theodore
  • Li, Qiuming
  • Ettema, Taylor

Abstract

Techniques for fine-grained firewall policy enforcement using session APP ID and endpoint process ID correlation are disclosed. In some embodiments, a system/process/computer program product for fine-grained firewall policy enforcement using session APP ID and endpoint process ID correlation includes receiving, at a network device on an enterprise network, process identification (ID) information from an endpoint (EP) agent executed on an EP device, in which the process identification information identifies a process that is initiating a network session from the EP device on the enterprise network; monitoring network communications associated with the network session at the network device to identify an application identification (APP ID) for the network session; and performing an action based on a security policy using the process ID information and the APP ID.

IPC Classes

  • G06F 9/00 - Arrangements for program control, e.g. control units
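
The correlation step in this abstract, joining the endpoint agent's process report for a session with the App-ID the network device derives from the traffic, and then evaluating a policy over both, as an added Python example. It is not the patent's or Palo Alto Networks' code: the rule format, the agent report keyed by source IP and port, the executable paths and signers, and the tiny first-bytes classifier standing in for App-ID are all constructed here.

```python
import fnmatch
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcessInfo:
    """What the endpoint agent reports for the process that opened a session."""
    exe_path: str
    sha256: str
    signer: Optional[str]   # None when the binary is unsigned


@dataclass(frozen=True)
class Rule:
    app_id: str          # App-ID the rule applies to, or "*" for any
    exe_glob: str        # fnmatch pattern on the executable path, or "*"
    require_signed: bool
    action: str          # "allow" or "deny"


def identify_app(payload):
    """Minimal stand-in for App-ID: classify on the first client bytes of the session."""
    if payload[:2] == b"\x16\x03":
        return "ssl"
    if payload.startswith((b"GET ", b"POST ", b"HEAD ")):
        return "web-browsing"
    if payload.startswith((b"EHLO ", b"HELO ")):
        return "smtp"
    return "unknown"


def lookup_policy(rules, app_id, proc):
    """First matching rule wins; sessions with no matching rule are denied."""
    if proc is None:
        return "deny"   # no agent report for this socket: the process is unknown
    for r in rules:
        if r.app_id != "*" and r.app_id != app_id:
            continue
        if not fnmatch.fnmatch(proc.exe_path.lower(), r.exe_glob.lower()):
            continue
        if r.require_signed and proc.signer is None:
            continue
        return r.action
    return "deny"


def enforce(agent_reports, rules, src_ip, src_port, first_payload):
    """Correlate the session's source socket with the agent's report, then decide."""
    app_id = identify_app(first_payload)
    proc = agent_reports.get((src_ip, src_port))
    return app_id, lookup_policy(rules, app_id, proc)


# Constructed, ordered rule set: anything launched from a user-writable profile
# directory is denied first, then known clients are allowed for the App-IDs they should use.
RULES = [
    Rule("*", r"c:\users\*\appdata\*", False, "deny"),
    Rule("web-browsing", r"c:\program files\*\chrome.exe", True, "allow"),
    Rule("ssl", r"c:\program files\*", True, "allow"),
    Rule("smtp", r"c:\program files\*\outlook.exe", True, "allow"),
]

# Constructed agent reports keyed by the (source IP, source port) of each session.
AGENT_REPORTS = {
    ("10.1.1.5", 51000): ProcessInfo(r"C:\Program Files\Google\Chrome\Application\chrome.exe", "a1" * 32, "Google LLC"),
    ("10.1.1.5", 51001): ProcessInfo(r"C:\Users\bob\AppData\Local\Temp\update.exe", "b2" * 32, None),
    ("10.1.1.5", 51003): ProcessInfo(r"C:\Program Files\Microsoft Office\root\Office16\outlook.exe", "c3" * 32, "Microsoft Corporation"),
}

if __name__ == "__main__":
    print(enforce(AGENT_REPORTS, RULES, "10.1.1.5", 51000, b"GET / HTTP/1.1\r\n"))
    print(enforce(AGENT_REPORTS, RULES, "10.1.1.5", 51001, b"\x16\x03\x01\x02\x00"))
```

Two details matter in practice. A session with no agent report (port 51002 below) is treated as coming from an unknown process and denied, because a missing report is exactly what an agent that has been killed or bypassed looks like. And the join key is the source socket the firewall actually sees, so NAT between the endpoint and the firewall breaks the correlation unless the agent reports the post-NAT tuple.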

52.

LOCATION BASED SECURITY IN SERVICE PROVIDER NETWORKS

Application Number US2018037142
Publication Number 2018/231855
Status In Force
Filing Date 2018-06-12
Publication Date 2018-12-20
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Verma, Sachin
  • Burakovsky, Leonid
  • Shu, Jesse
  • Li, Chang
  • Chang, Lei
  • Chen, I-Chun

Abstract

Techniques for location based security in service provider networks (e.g., service provider networks for mobile subscribers) are disclosed. In some embodiments, a system/process/computer program product for location based security in service provider networks includes monitoring network traffic on a service provider network at a security platform to identify a location for a new session; associating the location with the new session at the security platform; and determining a security policy to apply at the security platform to the new session based on the location.

IPC Classes

  • G06F 17/30 - Information retrieval; Database structures therefor
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

53.

MULTIFACTOR AUTHENTICATION AS A NETWORK SERVICE

Application Number US2017047815
Publication Number 2018/063583
Status In Force
Filing Date 2017-08-21
Publication Date 2018-04-05
Owner PALO ALTO NETWORKS, INC (USA)
Inventor
  • Murthy, Ashwath, Sreenivasa
  • Ganesan, Karthik
  • Mangam, Prabhakar, M V B R
  • Jandhyala, Shriram, S.
  • Walter, Martin

Abstract

Techniques for multifactor authentication as a network service are disclosed. In some embodiments, a system, process, and/or computer program product for multifactor authentication as a network service includes monitoring a session at a firewall, applying an authentication profile based on the session, and performing an action based on the authentication profile.

IPC Classes

  • G06F 1/00 - ELECTRIC DIGITAL DATA PROCESSING - Details not covered by groups and
  • G06F 15/16 - Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
  • G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 29/08 - Transmission control procedure, e.g. data link level control procedure
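
The firewall-side state that the abstract's "authentication profile" implies, as an added Python example (not the patent's or Palo Alto Networks' code). The abstract only says an action is performed; the specific actions modelled here, redirecting web sessions to an authentication portal and denying non-web sessions until the user has authenticated, the profile layout, the factor names and the networks are assumptions made for the example.

```python
import time
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AuthProfile:
    name: str
    protected: tuple      # destination networks that require this profile
    factors: tuple        # factors the user must complete, e.g. ("password", "otp")
    timeout: int          # seconds a completed authentication stays valid


class MfaEnforcer:
    """Tracks which users have satisfied which profile, and until when."""
    WEB_APPS = ("web-browsing", "ssl")   # only these can be redirected to a portal

    def __init__(self, profiles, clock=time.time):
        self.profiles = profiles
        self.clock = clock            # injectable for testing expiry
        self.auth_state = {}          # (user, profile name) -> expiry timestamp

    def profile_for(self, dst_ip):
        addr = ip_address(dst_ip)
        for p in self.profiles:
            if any(addr in net for net in p.protected):
                return p
        return None

    def record_auth(self, user, profile_name, factors_completed):
        """Called by the authentication portal once the user finishes a set of factors."""
        profile = next(p for p in self.profiles if p.name == profile_name)
        if set(profile.factors) <= set(factors_completed):
            self.auth_state[(user, profile_name)] = self.clock() + profile.timeout
            return True
        return False   # partial completion does not count

    def evaluate(self, user, dst_ip, app_id):
        """Decision for a new session: allow, redirect to the portal, or deny."""
        profile = self.profile_for(dst_ip)
        if profile is None:
            return "allow"
        expiry = self.auth_state.get((user, profile.name))
        if user is not None and expiry is not None and expiry > self.clock():
            return "allow"
        if app_id in self.WEB_APPS:
            return f"redirect:{profile.name}"
        return "deny"   # non-web protocols cannot be redirected; deny until the portal records success


# Constructed profiles: finance hosts need password + OTP for an hour,
# admin hosts need password + hardware token for fifteen minutes.
PROFILES = (
    AuthProfile("finance-mfa", (ip_network("10.50.0.0/24"),), ("password", "otp"), 3600),
    AuthProfile("admin-mfa", (ip_network("10.70.0.0/24"),), ("password", "hardware-token"), 900),
)

if __name__ == "__main__":
    e = MfaEnforcer(PROFILES)
    print(e.evaluate("alice", "10.50.0.10", "web-browsing"))
    e.record_auth("alice", "finance-mfa", ["password", "otp"])
    print(e.evaluate("alice", "10.50.0.10", "ssh"))
```

The state is keyed by user and profile, not by source IP, so a completed web authentication also unlocks SSH or RDP to the same protected network for the same user, while an unidentified user (`None`) is never granted access from cached state. The injected clock exists so that expiry can be tested deterministically.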

54.

AUTOMATICALLY GROUPING MALWARE BASED ON ARTIFACTS

Application Number US2017019731
Publication Number 2017/151515
Status In Force
Filing Date 2017-02-27
Publication Date 2017-09-08
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Rostami-Hesarsorkh, Shadi
  • Vasudevan, Sudarshan
  • Hewlett, Redington, William
  • Rostamabadi, Farshad
  • Malik, Bilal

Abstract

Techniques for automatically grouping malware based on artifacts are disclosed. In some embodiments, a system, process, and/or computer program product for automatically grouping malware based on artifacts includes receiving a plurality of samples for performing automated malware analysis to generate log files based on the automated malware analysis; processing the log files to extract features associated with malware; clustering the plurality of samples based on the extracted features; and performing an action based on the clustering output.

IPC Classes

  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
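
The pipeline in this abstract (sandbox log files, feature extraction, clustering, an action on the clusters) as an added Python example; it is not the patent's or Palo Alto Networks' code. The log line format, the artifact kinds (mutex, DNS query, registry value, dropped file), the Jaccard single-linkage clustering and the three sample logs are all constructed for the example; the action shown is propagating a family label from one known member to the rest of its cluster.

```python
import re
from collections import defaultdict

# Constructed sandbox log format: one "<API> <argument>" line per call.
LINE_RE = re.compile(r"^(?P<api>\w+)\s+(?P<arg>.+)$")
# Collapse random-looking names (hex runs, numbers) so near-identical artifacts align.
NOISE_RE = re.compile(r"[0-9a-f]{8,}|\d+")


def extract_features(log_text):
    feats = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        api, arg = m["api"], m["arg"].strip()
        if api in ("CreateMutexA", "CreateMutexW"):
            feats.add("mutex:" + arg)
        elif api == "DnsQuery":
            feats.add("dns:" + arg.lower())
        elif api in ("RegSetValueExA", "RegSetValueExW"):
            feats.add("reg:" + arg.lower())
        elif api in ("CreateFileA", "CreateFileW"):
            feats.add("file:" + NOISE_RE.sub("#", arg.lower()))
    return feats


def jaccard(a, b):
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def cluster(samples, threshold=0.5):
    """Single-linkage clustering via union-find on pairwise Jaccard similarity.
    samples: {name: feature set}. Returns a sorted list of sorted member lists."""
    parent = {n: n for n in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    names = list(samples)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if jaccard(samples[a], samples[b]) >= threshold:
                parent[find(a)] = find(b)
    groups = defaultdict(list)
    for n in names:
        groups[find(n)].append(n)
    return sorted(sorted(g) for g in groups.values())


def propagate_labels(groups, known):
    """Action on the clustering output: a family label known for one member is
    applied to the rest of its cluster; unlabeled clusters get a placeholder."""
    labels = {}
    for i, g in enumerate(groups):
        family = next((known[n] for n in g if n in known), f"unknown-cluster-{i}")
        for n in g:
            labels[n] = family
    return labels


SANDBOX_LOGS = {   # constructed, abbreviated logs for three samples
    "sample_a": r"""
        CreateMutexW Global\ExampleRAT-Instance
        DnsQuery cdn-update.example-bad.test
        RegSetValueExW HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchst
        CreateFileW C:\Users\user\AppData\Local\Temp\7f3a9c2e1b.exe
    """,
    "sample_b": r"""
        CreateMutexW Global\ExampleRAT-Instance
        DnsQuery CDN-UPDATE.example-bad.test
        RegSetValueExW HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchst
        CreateFileW C:\Users\user\AppData\Local\Temp\0d1e2f3a4b.exe
    """,
    "sample_c": r"""
        CreateMutexW Local\InstallerRunning
        DnsQuery telemetry.vendor-example.test
        CreateFileW C:\Program Files\Vendor\app.log
    """,
}
SAMPLES = {name: extract_features(log) for name, log in SANDBOX_LOGS.items()}

if __name__ == "__main__":
    groups = cluster(SAMPLES)
    print(groups)
    print(propagate_labels(groups, {"sample_a": "ExampleFamily"}))
```

The normalization step is what makes two builds of the same family land together: the dropped-file name differs per run, but after hex runs are collapsed the `file:` feature is identical. Single linkage with a 0.5 threshold is deliberately simple; on real corpora it chains clusters through shared generic artifacts (common installer mutexes, CDN domains), so those features are usually down-weighted or dropped before clustering.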

55.

PACKET CLASSIFICATION FOR NETWORK ROUTING

Application Number US2014043367
Publication Number 2015/009404
Status In Force
Filing Date 2014-06-20
Publication Date 2015-01-22
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Zuk, Nir
  • Benoit, Marc, Joseph

Abstract

Techniques for packet classification for network routing are disclosed. In some embodiments, packet classification for network routing includes receiving packets associated with a new flow at a security controller from a network device, in which the network device performs packet forwarding; classifying the flow; and determining an action for the flow based on a policy (e.g., a security policy). In some embodiments, the network device is a Software Defined Network (SDN) network device (e.g., a packet forwarding device that supports the OpenFlow protocol or another protocol).

IPC Classes

  • H04L 1/00 - Arrangements for detecting or preventing errors in the information received
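
The control-plane exchange in this abstract, a forwarding device that sends the first packets of an unknown flow to a security controller and then installs whatever the controller decides, as an added Python simulation. It is not the patent's or Palo Alto Networks' code and does not speak OpenFlow; the flow key, the rule shape with an idle timeout, the policy table and the first-bytes classifier are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowKey:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class FlowRule:
    match: FlowKey
    action: str          # "forward" or "drop"
    idle_timeout: int    # seconds; the device ages the rule out and asks again


def classify_flow(key, first_payload):
    """Stand-in for application classification on the flow's first payload bytes."""
    if first_payload[:2] == b"\x16\x03":
        return "ssl"
    if first_payload.startswith((b"GET ", b"POST ")):
        return "http"
    if first_payload.startswith(b"SSH-"):
        return "ssh"
    return "unknown"


class SecurityController:
    def __init__(self, policy, idle_timeout=30):
        self.policy = policy            # {app: action}; anything else is dropped
        self.idle_timeout = idle_timeout
        self.packet_ins = 0             # how often devices had to ask
        self.installed = {}             # (device id, FlowKey) -> FlowRule

    def packet_in(self, device_id, key, payload):
        """Handle the first packet of a flow the device could not match."""
        self.packet_ins += 1
        app = classify_flow(key, payload)
        rule = FlowRule(key, self.policy.get(app, "drop"), self.idle_timeout)
        self.installed[(device_id, key)] = rule
        return rule


class ForwardingDevice:
    """Simulates the switch: matches its local table, asks the controller on a miss."""
    def __init__(self, device_id, controller):
        self.device_id = device_id
        self.controller = controller
        self.table = {}

    def handle_packet(self, key, payload):
        rule = self.table.get(key)
        if rule is None:
            rule = self.controller.packet_in(self.device_id, key, payload)
            self.table[key] = rule     # later packets of the flow never reach the controller
        return rule.action


POLICY = {"ssl": "forward", "http": "forward"}   # constructed: ssh and unknown are dropped

if __name__ == "__main__":
    ctrl = SecurityController(POLICY)
    sw = ForwardingDevice("s1", ctrl)
    k = FlowKey("tcp", "10.0.0.2", 50000, "203.0.113.5", 443)
    print(sw.handle_packet(k, b"\x16\x03\x01"), sw.handle_packet(k, b"\x17\x03\x03"), ctrl.packet_ins)
```

The point of the split is that the data path stays in the forwarding device while the expensive decision happens once per flow. The classifier here looks at a single packet; a real controller typically holds a few packets of a new flow until classification settles, which is why the abstract speaks of "packets" rather than a packet, and the idle timeout bounds how long a stale decision survives.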

56.

SECURITY DEVICE IMPLEMENTING NETWORK FLOW PREDICTION, AND FLOW OWNERSHIP ASSIGNMENT AND EVENT AGGREGATION IN A DISTRIBUTED PROCESSOR SYSTEM

Application Number US2014013689
Publication Number 2014/120838
Status In Force
Filing Date 2014-01-29
Publication Date 2014-08-07
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Roberson, William, A.
  • Xu, Wilson

Abstract

A security device for processing network flows includes a predict flow table containing predict flow entries that map predicted network flows to packet processor ownership assignments. Each entry is indexed by a predict key made up of multiple data fields identifying a predicted network flow, where one or more of the data fields hold a wildcard value. In another embodiment, a security device for processing network flows includes a packet processing manager configured to assign ownership of network flows to one or more packet processors, where the packet processing manager includes a global flow table containing entries mapping network flows to packet processor ownership assignments. In another embodiment, a security device for processing network flows includes packet processing cards with packet processors formed thereon, where each packet processing card stores local counter values for one or more events, and a packet processing manager including global event counters to maintain event statistics for events in the security device.

IPC Classes

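The three embodiments in this abstract (a wildcard predict flow table, a global flow table that records ownership, and per-card counters rolled up into global counters) as an added Python model. It is not the patent's or Palo Alto Networks' code. FTP passive mode is used as the concrete case because the control channel announces the data channel's address and port while the client's source port is still unknown, which is exactly where a wildcard field is needed; the 5-tuple layout, the hash fallback and the one-shot consumption of a prediction are assumptions of this example.

```python
import hashlib
import re

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" from the FTP server on the control channel
PASV_RE = re.compile(r"227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


class FlowOwnership:
    """Assigns each flow (proto, src ip, src port, dst ip, dst port) to a packet processor."""
    def __init__(self, n_processors):
        self.n = n_processors
        self.global_table = {}     # exact key -> owner
        self.predict_table = []    # (key with None wildcards, owner)

    def _hash_owner(self, key):
        digest = hashlib.sha256(repr(key).encode()).digest()
        return int.from_bytes(digest[:4], "big") % self.n

    def add_prediction(self, predict_key, owner):
        self.predict_table.append((predict_key, owner))

    def assign(self, key):
        if key in self.global_table:
            return self.global_table[key]
        best = None   # (specificity, predict_key, owner): most specific prediction wins
        for pkey, owner in self.predict_table:
            if all(p is None or p == k for p, k in zip(pkey, key)):
                specificity = sum(p is not None for p in pkey)
                if best is None or specificity > best[0]:
                    best = (specificity, pkey, owner)
        if best is not None:
            owner = best[2]
            self.predict_table.remove((best[1], owner))   # one-shot: consumed by the flow it predicted
        else:
            owner = self._hash_owner(key)                  # no prediction: spread by hash
        self.global_table[key] = owner
        return owner


def predict_ftp_data_flow(table, ctrl_key, server_reply):
    """On a passive-mode reply, predict the data channel so it lands on the processor
    that already holds the control channel's state. Returns the predict key or None."""
    m = PASV_RE.search(server_reply)
    if not m:
        return None
    a, b, c, d, p_hi, p_lo = map(int, m.groups())
    predict_key = ("tcp", ctrl_key[1], None, f"{a}.{b}.{c}.{d}", p_hi * 256 + p_lo)
    table.add_prediction(predict_key, table.global_table[ctrl_key])
    return predict_key


def aggregate_event_counters(cards):
    """Third embodiment: per-card local counters rolled up into global event counters.
    cards: {card id: {event name: local count}}."""
    totals = {}
    for counters in cards.values():
        for event, n in counters.items():
            totals[event] = totals.get(event, 0) + n
    return totals


if __name__ == "__main__":
    t = FlowOwnership(4)
    ctrl = ("tcp", "10.0.0.5", 40000, "203.0.113.9", 21)
    owner = t.assign(ctrl)
    print(predict_ftp_data_flow(t, ctrl, "227 Entering Passive Mode (203,0,113,9,195,80)\r\n"))
    print(t.assign(("tcp", "10.0.0.5", 40001, "203.0.113.9", 50000)) == owner)
    print(aggregate_event_counters({"card0": {"tcp_syn": 3}, "card1": {"tcp_syn": 4, "drop": 1}}))
```

Without the prediction, the data connection would be hashed to an arbitrary processor that has no idea it belongs to an FTP session, so any per-session inspection state would have to be shared or the connection classified from scratch. The wildcard on the source port is the only unknown at prediction time; all other fields are taken from the 227 reply, which keeps the match tight enough that an unrelated connection to the same server port is unlikely to consume the prediction.
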
57.

USING DNS COMMUNICATIONS TO FILTER DOMAIN NAMES

Application Number US2012038420
Publication Number 2012/162099
Status In Force
Filing Date 2012-05-17
Publication Date 2012-11-29
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor Xie, Huagang

Abstract

Using DNS communications to filter domain names is disclosed. A domain name is extracted from a received DNS request. The received DNS request is blocked in response to determining based on a policy that access to the domain name of the DNS request is not permitted. In some cases, such a DNS request is responded to with a spoofed DNS response.

IPC Classes

  • G06F 7/04 - Identity comparison, i.e. for like or unlike values
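
The mechanics behind this abstract, extracting the queried name from a raw DNS request, applying a policy to it, and either dropping the request or answering it with a spoofed (sinkhole) response, as an added Python example. It is not the patent's or Palo Alto Networks' code; the policy table, the sinkhole address (from the documentation range) and the helper that builds test queries are constructed here. The parser handles the ordinary single-question UDP query and rejects compression pointers in the question section.

```python
import struct

SINKHOLE_IPV4 = "198.51.100.1"   # constructed sinkhole address
# Constructed policy: suffix -> action. "drop" silently discards the query;
# "sinkhole" answers it so the client connects to the sinkhole instead of the real host.
DOMAIN_POLICY = {"evil-example.test": "sinkhole", "c2.example.org": "drop"}


def parse_query(pkt):
    """Parse a single-question DNS query. Returns (txid, qname, qtype, qclass, question_end)."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    labels, off = [], 12
    while True:
        length = pkt[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question")
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return txid, ".".join(labels).lower(), qtype, qclass, off + 4


def build_query(name, qtype=1, txid=0x1234):
    """Build a standard recursive query; used here to construct input offline."""
    q = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    for label in name.split("."):
        q += bytes([len(label)]) + label.encode("ascii")
    return q + b"\x00" + struct.pack("!HH", qtype, 1)


def policy_action(qname):
    for suffix, action in DOMAIN_POLICY.items():
        if qname == suffix or qname.endswith("." + suffix):
            return action
    return "forward"


def sinkhole_response(query):
    """Spoofed response: same ID and question; one A record pointing at the sinkhole."""
    txid, _, qtype, qclass, qend = parse_query(query)
    question = query[12:qend]
    if qtype == 1 and qclass == 1:
        header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR|RD|RA, NOERROR, 1 answer
        rdata = bytes(int(o) for o in SINKHOLE_IPV4.split("."))
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, len(rdata)) + rdata   # name ptr to offset 12
        return header + question + answer
    # Other types (AAAA, TXT, ...): NOERROR with no answer (NODATA), so the name still "exists".
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + question


def handle_dns_request(pkt):
    """Returns ("forward", None), ("drop", None) or ("sinkhole", response_bytes)."""
    _, qname, _, _, _ = parse_query(pkt)
    action = policy_action(qname)
    if action == "sinkhole":
        return action, sinkhole_response(pkt)
    return action, None


if __name__ == "__main__":
    q = build_query("cdn.evil-example.test")
    print(handle_dns_request(q))
    print(handle_dns_request(build_query("www.example.com")))
```

Sinkholing is usually preferable to dropping because the client then makes a TCP connection to an address you control, which identifies the infected host instead of leaving it to retry the lookup. Two caveats: the response must echo the transaction ID and the question exactly or the resolver discards it, and this only covers cleartext DNS the device can see; DNS over HTTPS or TLS to a third-party resolver bypasses the filter entirely.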

58.

MALWARE ANALYSIS SYSTEM

Application Number US2012038439
Publication Number 2012/162102
Status In Force
Filing Date 2012-05-17
Publication Date 2012-11-29
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Xie, Huagang
  • Wang, Xinran
  • Liu, Jiangxia

Abstract

In some embodiments, a malware analysis system includes receiving a potential malware sample from a firewall; analyzing the potential malware sample using a virtual machine to determine if the potential malware sample is malware; and automatically generating a signature if the potential malware sample is determined to be malware. In some embodiments, the potential malware sample does not match a preexisting signature, and the malware is a zero-day attack.

IPC Classes

  • G06F 11/00 - Error detection; Error correction; Monitoring
  • G06F 12/14 - Protection against unauthorised use of memory
  • G06F 12/16 - Protection against loss of memory contents

59.

L2/L3 MULTI-MODE SWITCH INCLUDING POLICY PROCESSING

Application Number US2008060089
Publication Number 2008/128085
Status In Force
Filing Date 2008-04-11
Publication Date 2008-10-23
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Zuk, Nir
  • Mao, Yuming
  • Xu, Haoying
  • Green, Arnit

Abstract

Methods and apparatus for processing data packets in a computer network are described. One general method includes receiving a data packet; examining the data packet to classify the data packet including classifying the data packet as a L2 or L3 packet and including determining at least one zone associated with the packet; processing the packet in accordance with one or more policies associated with the zone; determining forwarding information associated with the data packet; and if one or more policies permit, forwarding the data packet toward an intended destination using the forwarding information.

IPC Classes

  • H04L 12/28 - Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
  • H04L 12/26 - Monitoring arrangements; Testing arrangements
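
The method in this abstract, deciding whether a packet is switched (L2) or routed (L3), deriving the zone pair from the ingress and egress interfaces, and forwarding only if the zone policy permits, as an added Python example. It is not the patent's or Palo Alto Networks' code; the topology (interface-to-zone map, learned MAC table, routing table), the rule layout and the test packets are constructed for the example, and the L2/L3 decision uses the common convention that frames addressed to the device's own MAC are routed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    in_port: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int


# Constructed topology.
SWITCH_MAC = "02:00:00:00:00:01"      # frames sent to this MAC are routed
PORT_ZONE = {"eth1": "trust", "eth2": "trust", "eth3": "dmz", "eth4": "untrust"}
MAC_TABLE = {"02:aa:aa:aa:aa:01": "eth1", "02:aa:aa:aa:aa:02": "eth2", "02:bb:bb:bb:bb:03": "eth3"}
ROUTES = sorted(
    [(ip_network("10.0.0.0/24"), "eth1"), (ip_network("10.10.0.0/24"), "eth3"), (ip_network("0.0.0.0/0"), "eth4")],
    key=lambda r: r[0].prefixlen, reverse=True)   # longest prefix first
# Zone-pair policy: (from_zone, to_zone, proto or "*", dst_port or None, action); first match wins, default deny.
POLICY = [
    ("trust", "trust", "*", None, "allow"),
    ("trust", "dmz", "tcp", 443, "allow"),
    ("trust", "untrust", "*", None, "allow"),
    ("untrust", "dmz", "tcp", 443, "allow"),
]


def classify(pkt):
    """Returns (mode, out_port): L2 via the learned MAC table, or L3 via the routing table."""
    if pkt.dst_mac.lower() != SWITCH_MAC:
        return "L2", MAC_TABLE.get(pkt.dst_mac.lower())   # None: unknown MAC (would be flooded)
    dst = ip_address(pkt.dst_ip)
    for net, port in ROUTES:
        if dst in net:
            return "L3", port
    return "L3", None


def policy_lookup(from_zone, to_zone, proto, dst_port):
    for fz, tz, p, port, action in POLICY:
        if fz == from_zone and tz == to_zone and p in ("*", proto) and port in (None, dst_port):
            return action
    return "deny"


def process(pkt):
    """Classify, derive the zone pair, apply policy, and forward only if permitted.
    Returns (mode, from_zone, to_zone, action, out_port or None)."""
    mode, out_port = classify(pkt)
    if out_port is None:
        return mode, None, None, "drop", None
    from_zone, to_zone = PORT_ZONE[pkt.in_port], PORT_ZONE[out_port]
    action = policy_lookup(from_zone, to_zone, pkt.proto, pkt.dst_port)
    return mode, from_zone, to_zone, action, out_port if action == "allow" else None


if __name__ == "__main__":
    print(process(Packet("eth1", SWITCH_MAC, "10.0.0.5", "10.10.0.8", "tcp", 443)))
    print(process(Packet("eth1", "02:aa:aa:aa:aa:02", "10.0.0.5", "10.0.0.6", "udp", 5353)))
```

The order matters: the forwarding lookup has to run before the policy lookup because the destination zone is a property of the egress interface, not of the packet. Note also that a switched frame between two ports in the same zone still passes through the policy (the first rule here allows it explicitly), so intra-zone traffic can be restricted without changing the L2 topology.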

60.

PACKET CLASSIFICATION IN A NETWORK SECURITY DEVICE

Application Number US2007072148
Publication Number 2008/002930
Status In Force
Filing Date 2007-06-26
Publication Date 2008-01-03
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor
  • Zuk, Nir
  • Wang, Song
  • Leung, Siu-Wang
  • Gong, Fengmin

Abstract

Methods and apparatuses are described for inspecting data packets in a computer network. Each data packet traversing the network has associated header data and content. One method includes receiving a data packet; examining the data packet to classify it using information included in both the header and the content; determining flow instructions for processing the packet based on both the header information and the content; and processing the packet using the flow instructions.

IPC Classes