公开(公告)号：US10476893B2

公开(公告)日：2019-11-12

申请号：US14927580

申请日：2015-10-30

Applicant: Citrix Systems, Inc.

Inventor： Nastaran Baradaran ,  Anoop Reddy ,  Ratnesh Singh Thakur

IPC: H04L29/06

Abstract: The present disclosure is directed towards systems and methods for detecting anomalous network traffic. Network traffic corresponding to an application executed by a server can be received. Application characteristics of the application can be identified to select an anomaly detection profile. The anomaly detection profile can be selected based on the identified application characteristics. The anomaly detection profile can include a set of detection features for the anomaly and one or more predetermined threshold values of the detection features. One or more feature values of the set of one or more detection features can be determined. An anomaly in the network traffic can be detected responsive to comparing the feature values and the predetermined threshold values of the detection features.

公开(公告)号：US20190260801A1

公开(公告)日：2019-08-22

申请号：US16401860

申请日：2019-05-02

Applicant: Citrix Systems, Inc.

Inventor： Anoop Reddy ,  Kenneth Bell ,  Georgios Oikonomou ,  Kurt Roemer

IPC: H04L29/06

Abstract: The present disclosure is directed towards systems and methods for evaluating or mitigating a network attack. A device determines one or more client internet protocol addresses associated with the attack on the service. The device assigns a severity score to the attack based on a type of the attack. The device identifies a probability of a user account accessing the service during an attack window based on the type of attack. The device generates an impact score for the user account based on the severity score and the probability of the user account accessing the service during the attack window. The device selects a mitigation policy for the user account based on the impact score.

公开(公告)号：US10318886B2

公开(公告)日：2019-06-11

申请号：US14927553

申请日：2015-10-30

Applicant: Citrix Systems, Inc.

Inventor： Nastaran Baradaran ,  Anoop Reddy ,  Ratnesh Singh Thakur

IPC: G06N5/04 ,  G06N20/00 ,  H04L12/24 ,  H04L29/06

Abstract: The present disclosure is directed towards systems and methods for improving anomaly detection using injected outliers. A normalcy calculator of a device may include a set of outliers into a training dataset of data points. The normalcy calculator, using a K-means clustering algorithm applied on the training dataset, identify at least a first cluster of data points. The normalcy calculator of the device may determine a region with a center and an outer radius that covers at least a spatial extent of the first cluster of data points. The normalcy calculator may determine a first normalcy radius for the first cluster by reducing the region around the center until a point at which all artificial outliers are excluded from a region defined by the first normalcy radius. An outlier detector of the device may use the region defined by the first normalcy radius to determine whether a new data point is normal or abnormal.

公开(公告)号：US09819647B2

公开(公告)日：2017-11-14

申请号：US14486676

申请日：2014-09-15

Applicant: Citrix Systems, Inc.

Inventor： Anoop Reddy ,  Craig Anderson

IPC: G06F21/51 ,  H04L29/06 ,  H04L29/08

CPC classification number: H04L63/0428 ,  G06F21/51 ,  G06F2221/2107 ,  H04L67/02 ,  H04L67/28

Abstract: The present disclosure is directed towards systems and methods for performing multi-level tagging of encrypted items for additional security and efficient encrypted item determination. A device intercepts a message from a server to a client, parses the message and identifies a cookie. The device processes and encrypts the cookie. The device adds a flag to the cookie indicating the device encrypted the cookie. The device re-inserts the modified cookie into the message and transmits the message. The device intercepts a message from a client and determines whether the cookie in the message was encrypted by the device. If the message was not encrypted by the device, the device transmits the message to its destination. If the message was encrypted by the device, the device removes the flag, decrypts the cookie, removes the tag from the cookie, re-inserts the cookie into the message and transmits the message to its final destination.

公开(公告)号：US10819734B2

公开(公告)日：2020-10-27

申请号：US16266931

申请日：2019-02-04

Applicant: Citrix Systems, Inc.

Inventor： Anoop Reddy ,  Kenneth Bell ,  Georgios Oikonomou ,  Kurt Roemer

IPC: H04L29/06 ,  H04L29/12 ,  G06F9/455 ,  H04L9/32 ,  H04L9/00

Abstract: The disclosure is directed to a system for improving security of SSL communications. The system can include an device intermediary between one or more servers, one or more clients, a plurality of agents, and a web service. The servers can be configured to receive SSL connections and issue SSL certificates. The device can include a virtual server associated with a respective one of the servers, such that the SSL certificate of the respective server is transmitted through the device. The device can generate service fingerprints for the one or more servers. Each service fingerprint can include information corresponding to an SSL certificate of the virtual server, one or more DNS aliases for a virtual IP address of the respective virtual server, one or more port numbers serving the SSL certificate, and an IP address serviced by the device. The device also can transmit the service fingerprints to a web service.

公开(公告)号：US10129239B2

公开(公告)日：2018-11-13

申请号：US15148425

申请日：2016-05-06

Applicant: Citrix Systems, Inc.

Inventor： Kenneth Bell ,  Anoop Reddy

IPC: H04L29/06 ,  H04L29/12 ,  H04L12/26

Abstract: The present disclosure is directed towards systems and methods for scanning of a target range of IP addresses to verify security certificates associated with the target range of IP addresses. Network traffic may be monitored between a plurality of clients and a plurality of servers over an IP address space. Traffic monitors positioned intermediary to the plurality of client and the plurality of servers can identify a target range of IP addresses in the address space for targeted scanning. The target range of IP address may be grouped into a priority queue and a scan can be performed of the target range of IP addresses to verify a security certificate associated with each IP address in the target range of IP addresses. In some embodiments, a rogue security certificate is detected that is associated with at least one IP address in the target range of IP addresses.

公开(公告)号：US20170126709A1

公开(公告)日：2017-05-04

申请号：US14927580

申请日：2015-10-30

Applicant: Citrix Systems, Inc.

Inventor： Nastaran Baradaran ,  Anoop Reddy ,  Ratnesh Singh Thakur

IPC: H04L29/06

CPC classification number: H04L63/1416 ,  H04L63/1425 ,  H04L63/1441 ,  H04L63/1458

Abstract: The present disclosure is directed towards systems and methods for detecting anomalous network traffic. Network traffic corresponding to an application executed by a server can be received. Application characteristics of the application can be identified to select an anomaly detection profile. The anomaly detection profile can be selected based on the identified application characteristics. The anomaly detection profile can include a set of detection features for the anomaly and one or more predetermined threshold values of the detection features. One or more feature values of the set of one or more detection features can be determined. An anomaly in the network traffic can be detected responsive to comparing the feature values and the predetermined threshold values of the detection features.

公开(公告)号：US20170124478A1

公开(公告)日：2017-05-04

申请号：US14927553

申请日：2015-10-30

Applicant: Citrix Systems, Inc.

Inventor： Nastaran Baradaran ,  Anoop Reddy ,  Ratnesh Singh Thakur

IPC: G06N99/00 ,  H04L12/26

CPC classification number: G06N99/005 ,  G06N5/045 ,  H04L41/142 ,  H04L41/16 ,  H04L63/1425

Abstract: The present disclosure is directed towards systems and methods for improving anomaly detection using injected outliers. A normalcy calculator of a device may include a set of outliers into a training dataset of data points. The normalcy calculator, using a K-means clustering algorithm applied on the training dataset, identify at least a first cluster of data points. The normalcy calculator of the device may determine a region with a center and an outer radius that covers at least a spatial extent of the first cluster of data points. The normalcy calculator may determine a first normalcy radius for the first cluster by reducing the region around the center until a point at which all artificial outliers are excluded from a region defined by the first normalcy radius. An outlier detector of the device may use the region defined by the first normalcy radius to determine whether a new data point is normal or abnormal.

公开(公告)号：US20160330236A1

公开(公告)日：2016-11-10

申请号：US15148400

申请日：2016-05-06

Applicant: Citrix Systems, Inc.

Inventor： Anoop Reddy ,  Kenneth Bell ,  Georgios Oikonomou ,  Kurt Roemer

IPC: H04L29/06

CPC classification number: H04L63/1466 ,  H04L63/1416 ,  H04L63/1425 ,  H04L2463/146

Abstract: The present disclosure is directed towards systems and methods for evaluating or mitigating a network attack. A device determines one or more client internet protocol addresses associated with the attack on the service. The device assigns a severity score to the attack based on a type of the attack. The device identifies a probability of a user account accessing the service during an attack window based on the type of attack. The device generates an impact score for the user account based on the severity score and the probability of the user account accessing the service during the attack window. The device selects a mitigation policy for the user account based on the impact score.

Abstract translation: 本公开涉及用于评估或减轻网络攻击的系统和方法。 设备确定与该服务的攻击相关联的一个或多个客户端因特网协议地址。 设备根据攻击的类型为攻击分配严重性分数。 该设备基于攻击类型识别在攻击窗口期间用户帐户访问服务的概率。 该设备基于攻击窗口中的严重性得分和用户帐户访问服务的概率，为用户帐户生成影响分数。 该设备根据影响分数选择用户帐户的缓解策略。

公开(公告)号：US20140157361A1

公开(公告)日：2014-06-05

申请号：US14175616

申请日：2014-02-07

Applicant: CITRIX SYSTEMS, INC.

Inventor： Puneet Agarwal ,  Srinivasan Thirunarayanan ,  Vamsi Korrapatti ,  Prakash Khemani ,  Rajiv Mirani ,  Anoop Reddy

IPC: H04L29/06

CPC classification number: H04L63/0272 ,  H04L29/08846 ,  H04L63/0281 ,  H04L63/105 ,  H04L63/166 ,  H04L63/20 ,  H04L67/02 ,  H04L67/14 ,  H04L67/2814

Abstract: The present disclosure provides solutions for an enterprise providing services to a variety of clients to enable the client to use the resources provided by the enterprise by modifying URLs received and the URLs from the responses from the servers to the client's requests before forwarding the requests and the responses to the intended destinations. An intermediary may identify an access profile for a clients' request to access a server via a clientless SSL VPN session. The intermediary may detect one or more URLs in content served by the server in response to the request using one or more regular expressions of the access profile. The intermediary may rewrite or modify, responsive to detecting, the one or more detected URLs in accordance with a URL transformation specified by one or more rewrite policies of the access profile. The response with modified URLs may be forwarded to the client.

Abstract translation: 本公开提供了向各种客户端提供服务的企业的解决方案，以使得客户端能够在转发请求之前通过修改所接收的URL和从服务器的响应到客户端的请求来使用企业提供的资源，并且 对预期目的地的回应。 中介可以识别客户端通过无客户端SSL VPN会话访问服务器的请求的访问配置文件。 响应于使用访问简档的一个或多个正则表达式的请求，中介可以检测服务器所服务的内容中的一个或多个URL。 根据由访问简档的一个或多个重写策略指定的URL变换，中介可以响应于检测到一个或多个检测到的URL来重写或修改。 具有修改的URL的响应可以转发给客户端。