Privacy protection for proxy auto-configuration files

    Publication No.: US11005926B2

    Publication date: 2021-05-11

    Application No.: US16522244

    Filing date: 2019-07-25

    Abstract: A method may include generating a proxy auto-configuration file including a function and a hash value associated with a resource. The hash value may be determined based on an identifier of the resource. The proxy auto-configuration file may include the hash value instead of a plaintext value of the identifier to obscure the plaintext value of the identifier. The proxy auto-configuration file including the function and the hash value may be sent to at least enable the function to be invoked by a web browser at one or more clients. The function may be configured to respond to being invoked by the web browser by determining, based on the hash value, whether to bypass a proxy server when accessing the resource. Related systems and computer program products are also provided.

    Combining internet routing information with access logs to assess risk of user exposure

    Publication No.: US10721270B2

    Publication date: 2020-07-21

    Application No.: US16401860

    Filing date: 2019-05-02

    Abstract: The present disclosure is directed towards systems and methods for evaluating or mitigating a network attack. A device determines one or more client internet protocol addresses associated with the attack on the service. The device assigns a severity score to the attack based on a type of the attack. The device identifies a probability of a user account accessing the service during an attack window based on the type of attack. The device generates an impact score for the user account based on the severity score and the probability of the user account accessing the service during the attack window. The device selects a mitigation policy for the user account based on the impact score.

    SYSTEMS AND METHODS FOR IMPROVING SECURITY OF SECURE SOCKET LAYER (SSL) COMMUNICATIONS

    Publication No.: US20190182288A1

    Publication date: 2019-06-13

    Application No.: US16266931

    Filing date: 2019-02-04

    Abstract: The disclosure is directed to a system for improving security of SSL communications. The system can include a device intermediary between one or more servers, one or more clients, a plurality of agents, and a web service. The servers can be configured to receive SSL connections and issue SSL certificates. The device can include a virtual server associated with a respective one of the servers, such that the SSL certificate of the respective server is transmitted through the device. The device can generate service fingerprints for the one or more servers. Each service fingerprint can include information corresponding to an SSL certificate of the virtual server, one or more DNS aliases for a virtual IP address of the respective virtual server, one or more port numbers serving the SSL certificate, and an IP address serviced by the device. The device also can transmit the service fingerprints to a web service.

    Systems and methods for improving security of secure socket layer (SSL) communications

    Publication No.: US10218734B2

    Publication date: 2019-02-26

    Application No.: US15148374

    Filing date: 2016-05-06

    Abstract: The disclosure is directed to a system for improving security of SSL communications. The system can include a device intermediary between one or more servers, one or more clients, a plurality of agents, and a web service. The servers can be configured to receive SSL connections and issue SSL certificates. The device can include a virtual server associated with a respective one of the servers, such that the SSL certificate of the respective server is transmitted through the device. The device can generate service fingerprints for the one or more servers. Each service fingerprint can include information corresponding to an SSL certificate of the virtual server, one or more DNS aliases for a virtual IP address of the respective virtual server, one or more port numbers serving the SSL certificate, and an IP address serviced by the device. The device also can transmit the service fingerprints to a web service.

    CONSTRAINING RESOURCE ALLOCATION RATE FOR STATEFUL MULTI-TENANT HTTP PROXIES AND DENIAL-OF-SERVICE ATTACK PREVENTION

    Publication No.: US20210377294A1

    Publication date: 2021-12-02

    Application No.: US17063230

    Filing date: 2020-10-05

    Abstract: Implementations of the systems and methods discussed herein provide for distributed HTTP proxy services with synchronization of per-server or per-tenant resource allocation counters amongst the proxy devices, allowing devices to quickly identify denial of service attacks or other malicious or erroneous behavior. In some implementations, a database server may receive resource consumption notifications from each of a plurality of proxy devices and may aggregate the notifications or increment a counter on a per-server or per-tenant basis, and provide updated counter values to proxy devices via callbacks. Each proxy device may check the counter value before utilizing resources, and may disable or block proxy processing responsive to the counter exceeding a threshold.

    Systems and methods for improving security of secure socket layer (SSL) communications

    Publication No.: US10819734B2

    Publication date: 2020-10-27

    Application No.: US16266931

    Filing date: 2019-02-04

    Abstract: The disclosure is directed to a system for improving security of SSL communications. The system can include a device intermediary between one or more servers, one or more clients, a plurality of agents, and a web service. The servers can be configured to receive SSL connections and issue SSL certificates. The device can include a virtual server associated with a respective one of the servers, such that the SSL certificate of the respective server is transmitted through the device. The device can generate service fingerprints for the one or more servers. Each service fingerprint can include information corresponding to an SSL certificate of the virtual server, one or more DNS aliases for a virtual IP address of the respective virtual server, one or more port numbers serving the SSL certificate, and an IP address serviced by the device. The device also can transmit the service fingerprints to a web service.

    Systems and methods for performing targeted scanning of a target range of IP addresses to verify security certificates

    Publication No.: US10129239B2

    Publication date: 2018-11-13

    Application No.: US15148425

    Filing date: 2016-05-06

    Abstract: The present disclosure is directed towards systems and methods for scanning of a target range of IP addresses to verify security certificates associated with the target range of IP addresses. Network traffic may be monitored between a plurality of clients and a plurality of servers over an IP address space. Traffic monitors positioned intermediary to the plurality of clients and the plurality of servers can identify a target range of IP addresses in the address space for targeted scanning. The target range of IP addresses may be grouped into a priority queue and a scan can be performed of the target range of IP addresses to verify a security certificate associated with each IP address in the target range of IP addresses. In some embodiments, a rogue security certificate is detected that is associated with at least one IP address in the target range of IP addresses.

    COMBINING INTERNET ROUTING INFORMATION WITH ACCESS LOGS TO ASSESS RISK OF USER EXPOSURE

    Invention application (under examination, published)

    Publication No.: US20160330236A1

    Publication date: 2016-11-10

    Application No.: US15148400

    Filing date: 2016-05-06

    CPC classification number: H04L63/1466 H04L63/1416 H04L63/1425 H04L2463/146

    Abstract: The present disclosure is directed towards systems and methods for evaluating or mitigating a network attack. A device determines one or more client internet protocol addresses associated with the attack on the service. The device assigns a severity score to the attack based on a type of the attack. The device identifies a probability of a user account accessing the service during an attack window based on the type of attack. The device generates an impact score for the user account based on the severity score and the probability of the user account accessing the service during the attack window. The device selects a mitigation policy for the user account based on the impact score.
