CHECK POINT SOFTWARE TECHNOLOGIES, LTD. Patent applications |
Patent application number | Title | Published |
20150220645 | EWS Optimized Paged Item Loading - A system for optimized paged item loading in Exchange Web Services (EWS) improves response time of user queries to EWS. In contrast to conventional implementations that search an entire folder first, and then present results to user, this invention features not searching the entire folder, but searching only portions of the folder and then only searching portions until a desired number of results is obtained. Folders are sampled in an interval of N items and then using an abstract paging mechanism, thus defining a new restricted page with a limited item count of N. The sampling is performed in a first operation, for example, by using FindItem. In a second operation, FindItem is again used with a requested restriction, which is limited to the restricted page according to the samples. Searches may be limited by the amount of items to return or results (result set) desired. | 08-06-2015 |
20140351878 | LOCATION-AWARE RATE-LIMITING METHOD FOR MITIGATION OF DENIAL-OF-SERVICE ATTACKS - A network component has a set of one or more rules, each of which has a match component and an action component. If an incoming packet maps to the match component of a rule, then the packet is handled according to the rule's action component. If the rule also includes a limit component, then if the packet maps to the rule's match component, a family history of the rule is updated, and the packet is handled according to the rule's action component only if the rule's family history satisfies the rule's limit component. | 11-27-2014 |
20140237590 | SIMULTANEOUS SCREENING OF UNTRUSTED DIGITAL FILES - A plurality of untrusted digital files are run simultaneously in fewer sandboxes than there are files, while monitoring for malicious activity. Preferably, only one sandbox is used. If the monitoring detects malicious activity, either the files are run again in individual sandboxes, or the files are divided among subsets whose files are run simultaneously in one or more sandboxes, while monitoring for malicious activity. | 08-21-2014 |
20140165127 | NATURAL LANGUAGE PROCESSING INTERFACE FOR NETWORK SECURITY ADMINISTRATION - To administer computer network security, a computer system receives a bit string that encodes a natural-language request for adjusting a security policy of the network and parses the bit string to identify one or more objects and an action to be applied to the object(s). Preferably, the system displays a description of one of the objects and a menu of operations that are applicable to the object, receives a user selection of one of the options, and effects the selected operation. The scope of the invention also includes a non-transient computer-readable storage medium bearing code for implementing the method and a system for implementing the method. | 06-12-2014 |
20140143850 | PENALTY BOX FOR MITIGATION OF DENIAL-OF-SERVICE ATTACKS - A security gateway of a computer network receives incoming packets at one or more network interfaces. One or more security functions are applied to the packets. Reports of security function violations are recorded. The reports include the source addresses of the packets, the times that the packets were received, and descriptions of the violations. The descriptions include weights, and if the sum of the weights, for packets of a common source address that are received within a first time interval, exceeds a threshold, subsequent packets from that source address are dropped. Alternatively, in a “monitor only” mode, the common source address is logged but packets are not dropped. Optionally, encrypted packets and/or packets received at some network interfaces but not at other network interfaces are not dropped. | 05-22-2014 |
20140123269 | FILTERING OF APPLICATIONS FOR ACCESS TO AN ENTERPRISE NETWORK - A computer-readable storage medium has embedded thereon non-transient computer-readable code for controlling access to a protected computer network, by intercepting packets that are being exchanged between a computer system and the protected network, and then, for each intercepted packet, identifying the associated application that is running on the computer system, determining whether the application is trusted, for example according to a white list or according to a black list, and disposing of the packet accordingly. | 05-01-2014 |
20130304690 | REDUCING FALSE POSITIVES IN DATA VALIDATION USING STATISTICAL HEURISTICS - To validate data, a plurality of strings that match a predetermined regular expression is extracted from the data. A validated subset of the strings is identified. To determine whether the validated subset has been falsely validated, it is determined whether the validated subset satisfies each of one or more predetermined criteria relative to the plurality of strings. In one embodiment, the subset is determined to be falsely validated if at least one of the criteria is satisfied. In another embodiment, the subset is determined to be falsely validated if all of the criteria are satisfied. The data are released only if the subset is determined to be falsely validated. | 11-14-2013 |
20130156040 | PREDICTIVE SYNCHRONIZATION FOR CLUSTERED DEVICES - A method and system is provided for a scalable clustered system. The method and system may handle asynchronous traffic as well as session backup. In the method and system, a home cluster member having ownership of a local session predicts designation of a an other cluster member to receive a packet associated with the local session and sends appropriate state information or forwarding instruction to the other network member. | 06-20-2013 |
20130117853 | METHODS FOR DETECTING MALICIOUS PROGRAMS USING A MULTILAYERED HEURISTICS APPROACH - Three heuristic layers are used to determine whether suspicious code received at a port of a data processing device is malware. First, static analysis is applied to the suspicious code. If the suspicious code passes the static analysis, dissembling analysis is applied to the suspicious code. Preferably, if the suspicious code passes the dissembling analysis, dynamic analysis is applied to the suspicious code. | 05-09-2013 |
20120297491 | NETWORK SECURITY SMART LOAD BALANCING - A system and method for protecting data communications in a system including a toad-balancer connected to a cluster of security network components, e.g. firewall node. The load-balancer transfers one or more of the data streams respectively to the security components. The security network components transmit control information to the load-balancer and the control information includes an instruction regarding balancing load of the data streams between said components; The load-balancer balances load based on the control information. Preferably, network address translation (NAT) is performed by the load-balancer based on the control information or NAT is performed by the security network component and the control information includes information regarding an expected connection based on NAT. Preferably, when the data communications includes an encrypted session, an encrypted connection of the encrypted session is identified based on the control information and the balancing of the load maintains stickiness of said encrypted connection. | 11-22-2012 |
20120297477 | DETECTION OF ACCOUNT HIJACKING IN A SOCIAL NETWORK - To protect a user of a social network, the user's activity is monitored during a baseline monitoring period to determine a baseline activity record. If subsequently monitored activity of the user deviates sufficiently from the baseline activity record to indicate abuse (hijacking) of the user's account, the abuse is mitigated, for example by notifying the user of the abuse. Monitored activity includes posting links, updating statuses, sending messages, and changing a profile. Monitoring also includes logging times of the user activity. Monitoring anomalous profile changes does not need a baseline. | 11-22-2012 |
20120167212 | METHODS FOR INSPECTING SECURITY CERTIFICATES BY NETWORK SECURITY DEVICES TO DETECT AND PREVENT THE USE OF INVALID CERTIFICATES - Disclosed are methods and media for inspecting security certificates. Methods include the steps of: scanning, by a network security device, messages of a security protocol between a server and a client system; detecting the messages having a security certificate; detecting suspicious security certificates from the messages; and aborting particular sessions of the security protocol associated with the suspicious certificates. Preferably, the step of scanning is performed only on messages of server certificate records. Preferably, the method further includes the step of sending an invalid-certificate notice to the server and the client system. Preferably, the step of detecting the suspicious certificates includes detecting a use of an incorrectly-generated private key for the certificates. Preferably, the step of detecting the suspicious certificates includes detecting an unavailability of revocation information for the certificates. Preferably, the step of detecting the suspicious certificates includes detecting a use of an invalid cryptographic algorithm for the certificates. | 06-28-2012 |
20120057591 | PREDICTIVE SYNCHRONIZATION FOR CLUSTERED DEVICES - A method and system is provided for a scalable clustered system. The method and system may handle asynchronous traffic as well as session backup. In the method and system, a home cluster member having ownership of a local session predicts designation of a an other cluster member to receive a packet associated with the local session and sends appropriate state information or forwarding instruction to the other network member. | 03-08-2012 |
20120023480 | SCRIPTING LANGUAGE PROCESSING ENGINE IN DATA LEAK PREVENTION APPLICATION - A data leak prevention application that categorizes documents by data type is provided, a data type being a sensitivity classification of a document based on what data the document contains. A scripting language processing engine is embedded into the data leak prevention application, the scripting language forming part of the application as hard code. A user configures interaction of the scripting language processing engine with the application. The configuring may include modifying or adding code or setting criteria for when code portions of the scripting language processing engine activates. The scripting language processing engine is activated to enhance an accuracy of an existing data type or so as to detect a new data type. Upon enhancing the accuracy of the data type, documents may be re-categorized. | 01-26-2012 |
20110176421 | METHODS FOR INTELLIGENT NIC BONDING AND LOAD-BALANCING - Methods, devices, and media for intelligent NIC bonding and load-balancing including the steps of: providing a packet at an incoming-packet port of a gateway; attaching an incoming-port identification, associated with the incoming-packet port, to the packet; routing the packet to a processing core; passing the packet through a gateway processing; sending the packet, by the core, to the operating system of a host system; and routing the packet to an outgoing-packet port of the gateway based on the incoming-port identification. Preferably, the gateway processing includes security processing of the packets. Preferably, the step of routing the packet to the outgoing-packet port is based solely on the incoming-port identification. Preferably, an outgoing-port identification, associated with the outgoing-packet port, has an identical bond-index to the incoming-port identification. Preferably, the gateway includes a plurality of incoming-packet ports, a plurality of respective incoming-port identifications, a plurality of processing cores, and a plurality of outgoing-packet ports. | 07-21-2011 |
20100333203 | METHODS FOR DETECTING MALICIOUS PROGRAMS USING A MULTILAYERED HEURISTICS APPROACH - Three heuristic layers are used to determine whether suspicious code received at a port of a data processing device is malware. First, static analysis is applied to the suspicious code. If the suspicious code passes the static analysis, dissembling analysis is applied to the suspicious code. Preferably, if the suspicious code passes the dissembling analysis, dynamic analysis is applied to the suspicious code. | 12-30-2010 |
20100269171 | METHODS FOR EFFECTIVE NETWORK-SECURITY INSPECTION IN VIRTUALIZED ENVIRONMENTS - The present invention discloses methods for effective network-security inspection in virtualized environments, the methods including the steps of: providing a data packet, embodied in machine-readable signals, being sent from a sending virtual machine to a receiving virtual machine via a virtual switch; intercepting the data packet by a sending security agent associated with the sending virtual machine; injecting the data packet into an inspecting security agent associated with a security virtual machine via a direct transmission channel which bypasses the virtual switch; forwarding the data packet to the security virtual machine by employing a packet-forwarding mechanism; determining, by the security virtual machine, whether the data packet is allowed for transmission; upon determining the data packet is allowed, injecting the data packet back into the sending security agent via the direct transmission channel; and forwarding the data packet to the receiving virtual machine via the virtual switch. | 10-21-2010 |
20100254615 | METHODS FOR DOCUMENT-TO-TEMPLATE MATCHING FOR DATA-LEAK PREVENTION - The present invention discloses methods for document-to-template matching for data-leak prevention (DLP), the methods including the steps of: providing a document as a stream of characters; splitting the stream into a plurality of serialized data lines; calculating a hash value for each serialized data line; checking for each hash value in a hash map of a template set; determining a similarity match to a particular template based on a predefined threshold of template hash values, of the template set, being found in the stream; and based on the similarity match, executing a DLP security policy for the document. Preferably, the template set is extracted from documents manually prepared by a security administrator. Preferably, each template in the template set is deduced automatically from a plurality of documents. | 10-07-2010 |
20100186086 | METHODS FOR INSPECTING SECURITY CERTIFICATES BY NETWORK SECURITY DEVICES TO DETECT AND PREVENT THE USE OF INVALID CERTIFICATES - Disclosed are methods and media for inspecting security certificates. Methods include the steps of: scanning, by a network security device, messages of a security protocol between a server and a client system; detecting the messages having a security certificate; detecting suspicious security certificates from the messages; and aborting particular sessions of the security protocol associated with the suspicious certificates. Preferably, the step of scanning is performed only on messages of server certificate records. Preferably, the method further includes the step of: sending an invalid-certificate notice to the server and the client system. Preferably, the step of detecting the suspicious certificates includes detecting a use of an incorrectly-generated private key for the certificates. Preferably, the step of detecting the suspicious certificates includes detecting an unavailability of revocation information for the certificates. Preferably, the step of detecting the suspicious certificates includes detecting a use of an invalid cryptographic algorithm for the certificates. | 07-22-2010 |
20100183014 | METHODS AND DEVICES FOR PACKET TAGGING USING IP INDEXING VIA DYNAMIC-LENGTH PREFIX CODE - Methods including the steps of: upon sending an IP packet, obtaining, by a sender, a sender identity for a sender of the packet; securely tagging, by a sender, the packet with the sender identity, the packet having a plurality of fixed-length fields concatenated into a single fixed-length virtual field shared between a cryptographic hash and an identity index for supporting multiple distinct identities residing on an IP endpoint; determining, by a receiver, the sender identity by extracting it from the packet; checking, by the receiver, the packet to ensure the packet has been appropriately tagged; and enforcing a security policy, by the receiver, according to the sender identity. Preferably, the step of obtaining includes: accessing, by the sender, a server for obtaining the sender identity; and associating, by the server, the sender identity with the endpoint. Most preferably, the associating is performed using a prefix code for encoding the identities. | 07-22-2010 |
20100169971 | METHODS FOR USER PROFILING FOR DETECTING INSIDER THREATS BASED ON INTERNET SEARCH PATTERNS AND FORENSICS OF SEARCH KEYWORDS - Disclosed are methods for user profiling for detecting insider threats including the steps of: upon a client application sending a request for a link, extracting at least one search keyword from a search session associated with the request; classifying the link into at least one classification; determining whether at least one classification is a monitored classification; capturing search elements of search sessions associated with the monitored classification; acquiring usage data from the search elements to create a user profile associated with a user's search behavior; and performing a statistical analysis, on a search frequency for the monitored classification, on user profiles associated with many users. Preferably, the method includes: designating a profile as suspicious based on the statistical analysis exceeding a pre-determined threshold value, wherein the pre-determined threshold value is based on an expected search frequency for the profile and each respective grade for at least one risk-assessment dimension. | 07-01-2010 |
20100161830 | METHODS FOR AUTOMATIC CATEGORIZATION OF INTERNAL AND EXTERNAL COMMUNICATION FOR PREVENTING DATA LOSS - Disclosed are methods for automatic categorization of internal and external communication, the method including the steps of: defining groups of entities that transmit data; monitoring data flow of the groups; extracting the data, from the data flow, for learning traffic-flow characteristics of the groups; classifying the data into group flows; upon the data being transmitted, checking the data to determine whether the data is designated as group-internal; and blocking data traffic for data that is group-internal. Preferably, the step of monitoring includes assigning data weights to the data using Bayesian methods. Most preferably, the step of classifying includes classifying the data using Bayesian methods for evaluating the data weights. Preferably, the step of blocking includes blocking data traffic between members of two or more groups. Preferably, the method further includes the step of: enabling an authorized entity to unblock the data traffic. | 06-24-2010 |
20100138910 | METHODS FOR ENCRYPTED-TRAFFIC URL FILTERING USING ADDRESS-MAPPING INTERCEPTION - The present invention discloses methods, media, and perimeter gateways for encrypted-traffic URL filtering using address-mapping interception, methods including the steps of: providing a client system having a client application for accessing websites from web servers; upon the client application attempting to access an encrypted website, performing a name-to-address query to resolve a name of the encrypted website; intercepting address-mapping responses; creating a mapping between the name and at least one network address of the encrypted website; intercepting incoming encrypted traffic; extracting a server's network address from the incoming encrypted traffic; establishing a resolved name being accessed using the mapping; and filtering the resolved name. Preferably, the step of filtering includes redirecting the encrypted traffic. Preferably, the method further includes the step of: blocking all encrypted traffic for unresolved names. | 06-03-2010 |
20100125637 | METHODS AND SYSTEMS FOR USING A VAULT SERVER IN CONJUNCTION WITH A CLIENT-SIDE RESTRICTED-EXECUTION VAULT-MAIL ENVIRONMENT - Disclosed are methods, media, and vault servers for providing a secure messaging system using vault servers in conjunction with client-side restricted-execution vault-mail environments. Methods include the steps of upon activating a vault-mail message containing sensitive content, removing the content from the vault-mail message; placing the content on a vault server; creating a link in the vault-mail message to the content on the vault server; sending the vault-mail message to a designated recipient; and upon activating the link, allowing the content to be only viewed in a restricted-execution session of a client application, wherein the restricted-execution session does not allow the content to be altered, copied, stored, printed, forwarded, or otherwise executed. Preferably, the activation of the vault-mail message is performed by a network-security gateway, and can be performed on a per-message basis. Preferably, the activation of the link requires user authentication which may be designated during activation of the vault-mail message on a per-message basis based on said content. Preferably, the restricted-execution session enforces a security policy. | 05-20-2010 |
20100107234 | METHODS FOR PROTECTING AGAINST COOKIE-POISONING ATTACKS IN NETWORKED-COMMUNICATION APPLICATIONS - The present invention discloses methods, media, and gateways for protecting against cookie-poisoning attacks in networked-communication applications. Methods include the steps of: creating a protected gateway cookie, generated by a gateway, for a server cookie, generated by a server, wherein the server cookie is received by the gateway in an HTTP response message; and validating, by the gateway, that a client cookie from a client request has a corresponding gateway cookie with expected field values. Preferably, the field values include at least one field value selected from the group consisting of: a name, a hash value computed over the server cookie, a hash-function index, a timestamp, a nonce, a hash value computed over newly-generated values, a path, a domain, an expiration, and an HTTP-only value. Preferably, the gateway cookie is signed with a secret key. Most preferably, the secret key is generated by a secret seed. | 04-29-2010 |
20100046537 | METHODS FOR INTELLIGENT NIC BONDING AND LOAD-BALANCING - Methods, devices, and media for intelligent NIC bonding and load-balancing including the steps of: providing a packet at an incoming-packet port of a gateway; attaching an incoming-port identification, associated with the incoming-packet port, to the packet; routing the packet to a processing core; passing the packet through a gateway processing; sending the packet, by the core, to the operating system of a host system; and routing the packet to an outgoing-packet port of the gateway based on the incoming-port identification. Preferably, the gateway processing includes security processing of the packets. Preferably, the step of routing the packet to the outgoing-packet port is based solely on the incoming-port identification. Preferably, an outgoing-port identification, associated with the outgoing-packet port, has an identical bond-index to the incoming-port identification. Preferably, the gateway includes a plurality of incoming-packet ports, a plurality of respective incoming-port identifications, a plurality of processing cores, and a plurality of outgoing-packet ports. | 02-25-2010 |
20100005528 | METHODS FOR HOOKING APPLICATIONS TO MONITOR AND PREVENT EXECUTION OF SECURITY-SENSITIVE OPERATIONS - The present invention discloses methods and media for hooking applications to monitor and prevent execution of security-sensitive operations, the method including the steps of: reading at least one configuration parameter list from a configuration module; hooking, by a hooking engine, a hooking point in an application, wherein the hooking point is defined in the configuration module; calling, by the application, the hooking point during operation of the application; matching at least one hooking parameter in the hooking point to at least one configuration parameter in at least one configuration parameter list; and upon detecting a match between the hooking parameter and at least one configuration parameter, performing at least one configuration-defined action. Preferably, the method further includes the step of: updating a state of the hooking engine. Preferably, the hooking engine is operative to prevent malicious operations by obfuscated code. | 01-07-2010 |
20090292719 | METHODS FOR AUTOMATICALLY GENERATING NATURAL-LANGUAGE NEWS ITEMS FROM LOG FILES AND STATUS TRACES - Methods, for automatically generating natural-language news items from log files, including the steps of: gathering at least one data record; filtering at least one data record according to at least one rule to produce at least one filtered data set; aggregating at least one filtered data set; analyzing at least one filtered data set for at least one statistical trend; and automatically generating a news item based on at least one statistical trend. Preferably, the method further includes the step of: customizing the news item based on a relative importance of at least one statistical trend. Preferably, the method further includes the step of: performing a drill-down analysis on at least one statistical trend. Most preferably, the method further includes the step of: enriching the news item based on the drill-down analysis. Preferably, the method further includes the step of: embedding at least one graphical element into the news item. | 11-26-2009 |
20090276538 | DEVICES AND METHODS FOR PROVIDING NETWORK ACCESS CONTROL UTILIZING TRAFFIC-REGULATION HARDWARE - Disclosed are devices and methods for providing network access control utilizing traffic-regulation hardware, the device including: at least one client-side port for operationally connecting to a client system; at least one network-side port for operationally connecting to a network; a logic module for regulating network traffic, based on device-related data, between the ports, the logic module including: a memory unit for storing and loading the device-related data; and a CPU for processing the device-related data; and at least one relay, between at least one respective client-side port and at least one respective network-side port, configured to open upon receiving a respective network-access-denial command from the logic module. Preferably, the logic module is configured to maintain an open-relay line-rate when at least one relay is open, and to maintain a closed-relay line-rate when at least one relay is closed. | 11-05-2009 |
20090249466 | METHODS AND DEVICES FOR ENFORCING NETWORK ACCESS CONTROL UTILIZING SECURE PACKET TAGGING - Disclosed are methods, devices, and media for enforcing network access control, the method including the steps of: extracting a packet signature from a packet (or packet fragment) received from a network; storing the packet signature and the packet in a buffer; computing a buffer signature using a per-endpoint secret key; determining whether the packet signature and the buffer signature are identical; and upon determining the packet signature and the buffer signature are identical, transmitting the packet to a protocol stack. Preferably, the step of extracting includes extracting the packet signature from a field (e.g. identification field) of a header of the packet. Preferably, the method further includes the step of: upon determining the packet signature and the buffer signature are not identical, discarding the packet. Methods for receiving a packet from a protocol stack, and transmitting the packet to a network are disclosed as well. | 10-01-2009 |
20090119307 | SYSLOG PARSER - A computerized method performed in a computer operatively connected to storage. Parsing rules are determined for parsing logs output as text and/or symbols from multiple devices in a computer network. The logs are stored in the storage. Multiple log samples are sampled from the logs. The log samples are input into an application running on the computer. The log samples are each sectioned into multiple sections which include variable information separated by static structural text. Each of the log samples is processed by: comparing the sections to a list of regular expressions. The list is maintained in the storage, and upon matching a matched section of the sections to a matched regular expression from the list of the regular expressions, the matched section is tagged with a tag associated with the matched regular expression. The tag associated to the matched regular expression is stored and combined with any unmatched sections and with the static structural text to create a log pattern. The log pattern is stored in a table only if the log pattern is distinct from all log patterns previously stored in the table. | 05-07-2009 |