METHODS FOR DOCUMENT-TO-TEMPLATE MATCHING FOR DATA-LEAK PREVENTION
    61.
    Invention application; legal status: in force

    Publication (Announcement) No.: US20100254615A1

    Publication (Announcement) Date: 2010-10-07

    Application No.: US12417030

    Filing Date: 2009-04-02

    IPC Classification: G06K9/68

    CPC Classification: G06K9/6201

    Abstract: The present invention discloses methods for document-to-template matching for data-leak prevention (DLP), the methods including the steps of: providing a document as a stream of characters; splitting the stream into a plurality of serialized data lines; calculating a hash value for each serialized data line; checking for each hash value in a hash map of a template set; determining a similarity match to a particular template based on a predefined threshold of template hash values, of the template set, being found in the stream; and based on the similarity match, executing a DLP security policy for the document. Preferably, the template set is extracted from documents manually prepared by a security administrator. Preferably, each template in the template set is deduced automatically from a plurality of documents.

METHODS AND DEVICES FOR PACKET TAGGING USING IP INDEXING VIA DYNAMIC-LENGTH PREFIX CODE
    62.
    Invention application; legal status: in force

    Publication (Announcement) No.: US20100183014A1

    Publication (Announcement) Date: 2010-07-22

    Application No.: US12357434

    Filing Date: 2009-01-22

    Applicant: Avi SHUA

    Inventor: Avi SHUA

    IPC Classification: H04L12/56 H04L9/32

    Abstract: Methods including the steps of: upon sending an IP packet, obtaining, by a sender, a sender identity for a sender of the packet; securely tagging, by the sender, the packet with the sender identity, the packet having a plurality of fixed-length fields concatenated into a single fixed-length virtual field shared between a cryptographic hash and an identity index for supporting multiple distinct identities residing on an IP endpoint; determining, by a receiver, the sender identity by extracting it from the packet; checking, by the receiver, the packet to ensure the packet has been appropriately tagged; and enforcing a security policy, by the receiver, according to the sender identity. Preferably, the step of obtaining includes: accessing, by the sender, a server for obtaining the sender identity; and associating, by the server, the sender identity with the endpoint. Most preferably, the associating is performed using a prefix code for encoding the identities.

METHODS FOR AUTOMATIC CATEGORIZATION OF INTERNAL AND EXTERNAL COMMUNICATION FOR PREVENTING DATA LOSS
    63.
    Invention application; legal status: in force

    Publication (Announcement) No.: US20100161830A1

    Publication (Announcement) Date: 2010-06-24

    Application No.: US12340830

    Filing Date: 2008-12-22

    IPC Classification: G06F15/173

    Abstract: Disclosed are methods for automatic categorization of internal and external communication, the method including the steps of: defining groups of entities that transmit data; monitoring data flow of the groups; extracting the data, from the data flow, for learning traffic-flow characteristics of the groups; classifying the data into group flows; upon the data being transmitted, checking the data to determine whether the data is designated as group-internal; and blocking data traffic for data that is group-internal. Preferably, the step of monitoring includes assigning data weights to the data using Bayesian methods. Most preferably, the step of classifying includes classifying the data using Bayesian methods for evaluating the data weights. Preferably, the step of blocking includes blocking data traffic between members of two or more groups. Preferably, the method further includes the step of: enabling an authorized entity to unblock the data traffic.

METHODS AND SYSTEMS FOR USING A VAULT SERVER IN CONJUNCTION WITH A CLIENT-SIDE RESTRICTED-EXECUTION VAULT-MAIL ENVIRONMENT
    64.
    Invention application; legal status: in force

    Publication (Announcement) No.: US20100125637A1

    Publication (Announcement) Date: 2010-05-20

    Application No.: US12273567

    Filing Date: 2008-11-19

    IPC Classification: G06F15/16

    Abstract: Disclosed are methods, media, and vault servers for providing a secure messaging system using vault servers in conjunction with client-side restricted-execution vault-mail environments. Methods include the steps of: upon activating a vault-mail message containing sensitive content, removing the content from the vault-mail message; placing the content on a vault server; creating a link in the vault-mail message to the content on the vault server; sending the vault-mail message to a designated recipient; and upon activating the link, allowing the content to be only viewed in a restricted-execution session of a client application, wherein the restricted-execution session does not allow the content to be altered, copied, stored, printed, forwarded, or otherwise executed. Preferably, the activation of the vault-mail message is performed by a network-security gateway, and can be performed on a per-message basis. Preferably, the activation of the link requires user authentication, which may be designated during activation of the vault-mail message on a per-message basis based on said content. Preferably, the restricted-execution session enforces a security policy.

METHODS FOR INTELLIGENT NIC BONDING AND LOAD-BALANCING
    65.
    Invention application; legal status: in force

    Publication (Announcement) No.: US20100046537A1

    Publication (Announcement) Date: 2010-02-25

    Application No.: US12193821

    Filing Date: 2008-08-19

    IPC Classification: H04L12/56

    Abstract: Methods, devices, and media for intelligent NIC bonding and load-balancing including the steps of: providing a packet at an incoming-packet port of a gateway; attaching an incoming-port identification, associated with the incoming-packet port, to the packet; routing the packet to a processing core; passing the packet through a gateway processing; sending the packet, by the core, to the operating system of a host system; and routing the packet to an outgoing-packet port of the gateway based on the incoming-port identification. Preferably, the gateway processing includes security processing of the packets. Preferably, the step of routing the packet to the outgoing-packet port is based solely on the incoming-port identification. Preferably, an outgoing-port identification, associated with the outgoing-packet port, has an identical bond-index to the incoming-port identification. Preferably, the gateway includes a plurality of incoming-packet ports, a plurality of respective incoming-port identifications, a plurality of processing cores, and a plurality of outgoing-packet ports.

DEVICES AND METHODS FOR PROVIDING NETWORK ACCESS CONTROL UTILIZING TRAFFIC-REGULATION HARDWARE
    66.
    Invention application; legal status: in force

    Publication (Announcement) No.: US20090276538A1

    Publication (Announcement) Date: 2009-11-05

    Application No.: US12114778

    Filing Date: 2008-05-04

    IPC Classification: G06F15/16

    CPC Classification: H04L63/0227 H04L63/0218

    Abstract: Disclosed are devices and methods for providing network access control utilizing traffic-regulation hardware, the device including: at least one client-side port for operationally connecting to a client system; at least one network-side port for operationally connecting to a network; a logic module for regulating network traffic, based on device-related data, between the ports, the logic module including: a memory unit for storing and loading the device-related data; and a CPU for processing the device-related data; and at least one relay, between at least one respective client-side port and at least one respective network-side port, configured to open upon receiving a respective network-access-denial command from the logic module. Preferably, the logic module is configured to maintain an open-relay line-rate when at least one relay is open, and to maintain a closed-relay line-rate when at least one relay is closed.

SYSLOG PARSER
    67.
    Invention application

    Publication (Announcement) No.: US20090119307A1

    Publication (Announcement) Date: 2009-05-07

    Application No.: US11875955

    Filing Date: 2007-10-22

    IPC Classification: G06F17/30

    Abstract: A computerized method performed in a computer operatively connected to storage. Parsing rules are determined for parsing logs output as text and/or symbols from multiple devices in a computer network. The logs are stored in the storage. Multiple log samples are sampled from the logs. The log samples are input into an application running on the computer. The log samples are each sectioned into multiple sections which include variable information separated by static structural text. Each of the log samples is processed by comparing the sections to a list of regular expressions. The list is maintained in the storage, and upon matching a matched section of the sections to a matched regular expression from the list of the regular expressions, the matched section is tagged with a tag associated with the matched regular expression. The tag associated with the matched regular expression is stored and combined with any unmatched sections and with the static structural text to create a log pattern. The log pattern is stored in a table only if the log pattern is distinct from all log patterns previously stored in the table.

Cluster bandwidth management algorithms
    68.
    Invention application; legal status: under examination, published

    Publication (Announcement) No.: US20030236887A1

    Publication (Announcement) Date: 2003-12-25

    Application No.: US10176177

    Filing Date: 2002-06-21

    IPC Classification: G06F015/173

    Abstract: A method to manage the bandwidth of a link that is available to a cluster of servers. The method includes establishing a localized bandwidth management policy for at least one of the servers from a centralized management policy of the cluster. The localized policy and the centralized policy are based on a hierarchical policy having a plurality of rules associated with classes of connections that are routed through the link. Each of the rules has an associated rate. The plurality of rules includes a plurality of terminal rules. Establishing the localized policy is performed by prorating the rate of at least one of the terminal rules under the centralized policy according to a first measurement of a usage of the link by the at least one server for the at least one terminal rule. The method also includes operating the at least one server according to the localized policy.

System for securing the flow of and selectively modifying packets in a computer network
    69.
    Granted invention patent; legal status: lapsed

    Publication (Announcement) No.: US5835726A

    Publication (Announcement) Date: 1998-11-10

    Application No.: US664839

    Filing Date: 1996-06-17

    Abstract: The present invention discloses a novel system for controlling the inbound and outbound data packet flow in a computer network. By controlling the packet flow in a computer network, private networks can be secured from outside attacks in addition to controlling the flow of packets from within the private network to the outside world. A user generates a rule base which is then converted into a set of filter language instructions. Each rule in the rule base includes a source, destination, service, whether to accept or reject the packet and whether to log the event. The set of filter language instructions is installed and executed on inspection engines which are placed on computers acting as firewalls. The firewalls are positioned in the computer network such that all traffic to and from the network to be protected is forced to pass through the firewall. Thus, packets are filtered as they flow into and out of the network in accordance with the rules comprising the rule base. The inspection engine acts as a virtual packet filtering machine which determines on a packet-by-packet basis whether to reject or accept a packet. If a packet is rejected, it is dropped. If it is accepted, the packet may then be modified. Modification may include encryption, decryption, signature generation, signature verification or address translation. All modifications are performed in accordance with the contents of the rule base. The present invention provides additional security to a computer network by encrypting communications between two firewalls or between a client and a firewall. This permits the use of insecure public networks in constructing a WAN that includes both private and public network segments, thus forming a virtual private network.
