公开(公告)号：US20130298190A1

公开(公告)日：2013-11-07

申请号：US13935320

申请日：2013-07-03

Applicant: Citrix Systems, Inc.

Inventor： Namit Sikka ,  Anoop Reddy ,  Rajiv Mirani ,  Abhishek Chauhan

IPC: H04L29/06

CPC classification number: H04L63/20 ,  H04L63/102

Abstract: Systems and methods for configuring and evaluating policies that direct processing of one or more data streams are described. A configuration interface is described for allowing users to specify object oriented policies. These object oriented policies may allow any data structures to be applied with respect to a payload of a received packet stream, including any portions of HTTP traffic. A configuration interface may also allow the user to control the order in which policies and policy groups are executed, in addition to specifying actions to be taken if one or more policies are undefined. Systems and methods for processing the policies may allow efficient processing of object-oriented policies by applying potentially complex data structures to unstructured data streams. A device may also interpret and process a number of flow control commands and policy group invocation statements to determine an order of execution among a number of policies and policy groups. These policy configurations and processing may allow configuration and processing of complex network behaviors relating to load balancing, VPNs, SSL offloading, content switching, application security, acceleration, and caching.

Abstract translation: 描述用于配置和评估直接处理一个或多个数据流的策略的系统和方法。 描述了用于允许用户指定面向对象策略的配置界面。 这些面向对象的策略可以允许针对所接收的分组流的有效载荷（包括HTTP流量的任何部分）应用任何数据结构。 配置界面还可以允许用户控制执行策略和策略组的顺序，以及如果未定义一个或多个策略，则指定要采取的操作。 用于处理策略的系统和方法可以允许通过将潜在的复杂数据结构应用于非结构化数据流来有效地处理面向对象的策略。 设备还可以解释和处理多个流控制命令和策略组调用语句以确定多个策略和策略组中的执行顺序。 这些策略配置和处理可能允许配置和处理与负载均衡，VPN，SSL卸载，内容切换，应用安全，加速和缓存相关的复杂网络行为。

公开(公告)号：US10721270B2

公开(公告)日：2020-07-21

申请号：US16401860

申请日：2019-05-02

Applicant: Citrix Systems, Inc.

Inventor： Anoop Reddy ,  Kenneth Bell ,  Georgios Oikonomou ,  Kurt Roemer

IPC: H04L29/06

Abstract: The present disclosure is directed towards systems and methods for evaluating or mitigating a network attack. A device determines one or more client internet protocol addresses associated with the attack on the service. The device assigns a severity score to the attack based on a type of the attack. The device identifies a probability of a user account accessing the service during an attack window based on the type of attack. The device generates an impact score for the user account based on the severity score and the probability of the user account accessing the service during the attack window. The device selects a mitigation policy for the user account based on the impact score.

公开(公告)号：US20200067948A1

公开(公告)日：2020-02-27

申请号：US16666092

申请日：2019-10-28

Applicant: Citrix Systems, Inc.

Inventor： Nastaran Baradaran ,  Anoop Reddy ,  Ratnesh Singh Thakur

IPC: H04L29/06

Abstract: The present disclosure is directed towards systems and methods for detecting anomalous network traffic. Network traffic corresponding to an application executed by a server can be received. Application characteristics of the application can be identified to select an anomaly detection profile. The anomaly detection profile can be selected based on the identified application characteristics. The anomaly detection profile can include a set of detection features for the anomaly and one or more predetermined threshold values of the detection features. One or more feature values of the set of one or more detection features can be determined. An anomaly in the network traffic can be detected responsive to comparing the feature values and the predetermined threshold values of the detection features.

公开(公告)号：US20190182288A1

公开(公告)日：2019-06-13

申请号：US16266931

申请日：2019-02-04

Applicant: Citrix Systems, Inc.

Inventor： Anoop Reddy ,  Kenneth Bell ,  Georgios Oikonomou ,  Kurt Roemer

IPC: H04L29/06 ,  H04L9/00 ,  G06F9/455 ,  H04L29/12 ,  H04L9/32

Abstract: The disclosure is directed to a system for improving security of SSL communications. The system can include an device intermediary between one or more servers, one or more clients, a plurality of agents, and a web service. The servers can be configured to receive SSL connections and issue SSL certificates. The device can include a virtual server associated with a respective one of the servers, such that the SSL certificate of the respective server is transmitted through the device. The device can generate service fingerprints for the one or more servers. Each service fingerprint can include information corresponding to an SSL certificate of the virtual server, one or more DNS aliases for a virtual IP address of the respective virtual server, one or more port numbers serving the SSL certificate, and an IP address serviced by the device. The device also can transmit the service fingerprints to a web service.

公开(公告)号：US10270740B2

公开(公告)日：2019-04-23

申请号：US14175616

申请日：2014-02-07

Applicant: Citrix Systems, Inc.

Inventor： Puneet Agarwal ,  Srinivasan Thirunarayanan ,  Vamsi Korrapatti ,  Prakash Khemani ,  Rajiv Mirani ,  Anoop Reddy

IPC: H04L29/06 ,  H04L29/08

Abstract: The present disclosure provides solutions for an enterprise providing services to a variety of clients to enable the client to use the resources provided by the enterprise by modifying URLs received and the URLs from the responses from the servers to the client's requests before forwarding the requests and the responses to the intended destinations. An intermediary may identify an access profile for a clients' request to access a server via a clientless SSL VPN session. The intermediary may detect one or more URLs in content served by the server in response to the request using one or more regular expressions of the access profile. The intermediary may rewrite or modify, responsive to detecting, the one or more detected URLs in accordance with a URL transformation specified by one or more rewrite policies of the access profile. The response with modified URLs may be forwarded to the client.

公开(公告)号：US10218734B2

公开(公告)日：2019-02-26

申请号：US15148374

申请日：2016-05-06

Applicant: Citrix Systems, Inc.

Inventor： Anoop Reddy ,  Kenneth Bell ,  Georgios Oikonomou ,  Kurt Roemer

IPC: H04L29/06 ,  H04L29/12 ,  G06F9/455 ,  H04L9/32 ,  H04L9/00

Abstract: The disclosure is directed to a system for improving security of SSL communications. The system can include an device intermediary between one or more servers, one or more clients, a plurality of agents, and a web service. The servers can be configured to receive SSL connections and issue SSL certificates. The device can include a virtual server associated with a respective one of the servers, such that the SSL certificate of the respective server is transmitted through the device. The device can generate service fingerprints for the one or more servers. Each service fingerprint can include information corresponding to an SSL certificate of the virtual server, one or more DNS aliases for a virtual IP address of the respective virtual server, one or more port numbers serving the SSL certificate, and an IP address serviced by the device. The device also can transmit the service fingerprints to a web service.

公开(公告)号：US10116674B2

公开(公告)日：2018-10-30

申请号：US14928217

申请日：2015-10-30

Applicant: Citrix Systems, Inc.

Inventor： Nastaran Baradaran ,  Anoop Reddy ,  Ratnesh Singh Thakur

IPC: H04L29/06

Abstract: The present disclosure is directed towards systems and methods for characterizing anomalous network traffic. The system includes a device intermediary to clients and servers. The device includes a network traffic engine to receive network traffic including an anomaly. The device includes a univariate policy manager to determine whether the network traffic satisfies at least one of the rules of a univariate policy based on a respective single independent network traffic feature. The device includes a multivariate policy manager to determine, responsive to determining that the network traffic does not satisfy the rules of the univariate policy, that the network satisfies a multivariate policy including a plurality of anomaly explanation tests. The device includes an anomaly explanation selector to select, responsive to determining that the network traffic satisfies the multivariate policy, an anomaly explanation. The device includes a message generator to generate an anomaly explanation output including the selected anomaly explanation.

公开(公告)号：US20150341383A1

公开(公告)日：2015-11-26

申请号：US14286610

申请日：2014-05-23

Applicant: Citrix Systems, Inc.

Inventor： Anoop Reddy ,  Rama Rao Katta ,  Bhanu Prakash Valluri ,  Craig Anderson ,  Ratnesh Singh Thakur

IPC: H04L29/06 ,  H04L29/08

CPC classification number: H04L63/0245 ,  H04L63/0876 ,  H04L63/1466 ,  H04L67/146 ,  H04L67/28 ,  H04L67/2809 ,  H04L67/303

Abstract: Systems and methods for protection against session stealing is described. In embodiments of the present solution, a device intermediary to the client and the server may identify first properties of the client and associate the first properties with the session key. When the device receives subsequent request comprising the session key, the device matches the associated first properties with second properties of the second device that is sending the subsequent request. If there is a match, the subsequent request transmitted to the server. Otherwise, the subsequent request is rejected.

Abstract translation: 描述了防止会话窃取的系统和方法。 在本解决方案的实施例中，客户端和服务器的设备中介可识别客户端的第一属性并将第一属性与会话密钥相关联。 当设备接收到包括会话密钥的后续请求时，设备将相关联的第一属性与正在发送后续请求的第二设备的第二属性相匹配。 如果有匹配，则将后续请求发送到服务器。 否则，后续请求被拒绝。

公开(公告)号：US09160768B2

公开(公告)日：2015-10-13

申请号：US13935320

申请日：2013-07-03

Applicant: Citrix Systems, Inc.

Inventor： Namit Sikka ,  Anoop Reddy ,  Rajiv Mirani ,  Abhishek Chauhan

IPC: H04L29/06

CPC classification number: H04L63/20 ,  H04L63/102

Abstract: Systems and methods for configuring and evaluating policies that direct processing of one or more data streams are described. A configuration interface is described for allowing users to specify object oriented policies. These object oriented policies may allow any data structures to be applied with respect to a payload of a received packet stream, including any portions of HTTP traffic. A configuration interface may also allow the user to control the order in which policies and policy groups are executed, in addition to specifying actions to be taken if one or more policies are undefined. Systems and methods for processing the policies may allow efficient processing of object-oriented policies by applying potentially complex data structures to unstructured data streams. A device may also interpret and process a number of flow control commands and policy group invocation statements to determine an order of execution among a number of policies and policy groups. These policy configurations and processing may allow configuration and processing of complex network behaviors relating to load balancing, VPNs, SSL offloading, content switching, application security, acceleration, and caching.

Abstract translation: 描述用于配置和评估直接处理一个或多个数据流的策略的系统和方法。 描述了用于允许用户指定面向对象策略的配置界面。 这些面向对象的策略可以允许针对所接收的分组流的有效载荷（包括HTTP流量的任何部分）应用任何数据结构。 配置界面还可以允许用户控制执行策略和策略组的顺序，以及如果未定义一个或多个策略，则指定要采取的操作。 用于处理策略的系统和方法可以允许通过将潜在的复杂数据结构应用于非结构化数据流来有效地处理面向对象的策略。 设备还可以解释和处理多个流控制命令和策略组调用语句以确定多个策略和策略组中的执行顺序。 这些策略配置和处理可能允许配置和处理与负载均衡，VPN，SSL卸载，内容切换，应用安全，加速和缓存相关的复杂网络行为。

公开(公告)号：US10412050B2

公开(公告)日：2019-09-10

申请号：US14286610

申请日：2014-05-23

Applicant: Citrix Systems, Inc.

Inventor： Anoop Reddy ,  Rama Rao Katta ,  Bhanu Prakash Valluri ,  Craig Anderson ,  Ratnesh Singh Thakur

IPC: H04L29/06 ,  H04L29/08

Abstract: Systems and methods for protection against session stealing is described. In embodiments of the present solution, a device intermediary to the client and the server may identify first properties of the client and associate the first properties with the session key. When the device receives subsequent request comprising the session key, the device matches the associated first properties with second properties of the second device that is sending the subsequent request. If there is a match, the subsequent request transmitted to the server. Otherwise, the subsequent request is rejected.