-
Publication No.: US10855725B2
Publication Date: 2020-12-01
Application No.: US15171917
Filing Date: 2016-06-02
Applicant: Microsoft Technology Licensing, LLC
Inventor: Navin Narayan Pai, Charles G. Jeffries, Giridhar Viswanathan, Benjamin M. Schultz, Frederick J. Smith, Lars Reuther, Michael B. Ebersol, Gerardo Diaz Cuellar, Ivan Dimitrov Pashov, Poornananda R. Gaddehosur, Hari R. Pulapaka, Vikram Mangalore Rao
Abstract: A host operating system running on a computing device monitors network communications for the computing device to identify network resources that are requested by the computing device. The host operating system compares requested network resources against security policies to determine if the requested network resources are trusted. When an untrusted network resource is identified, the host operating system accesses the untrusted network resource within a container that is isolated from the host operating system kernel using techniques discussed herein. By restricting access to untrusted network resources to isolated containers, the host operating system is protected from even kernel-level attacks or infections that may result from an untrusted network resource.
-
Publication No.: US20230336530A1
Publication Date: 2023-10-19
Application No.: US17659728
Filing Date: 2022-04-19
Applicant: Microsoft Technology Licensing, LLC
Inventor: Arupendra N. Roy, Arun Yadav, Chin Pong Kwong, Gerardo Diaz Cuellar, Alexandru Naparu, Jing Li
IPC: H04L9/40
CPC classification number: H04L63/0281, H04L63/0823, H04L63/166
Abstract: Examples of the present disclosure describe systems and methods for configuring and executing per-service TLS settings in a forward proxy. In examples, a proxy device receives a connection request from a client device to access a service. The proxy device identifies service connection information included in the connection request and selects a connection scheme for connecting to the service. The service connection information is compared to a static mapping of connection data in the connection scheme. If the service connection information matches the static mapping of connection data, a TLS type is determined for the connection request. If the service connection information does not match the static mapping of connection information, the service connection information is compared to a dynamic mapping of session information. Based on the comparison of the service connection information to the dynamic mapping of session information, a TLS type is determined for the connection request.
-
Publication No.: US11558189B2
Publication Date: 2023-01-17
Application No.: US17107842
Filing Date: 2020-11-30
Applicant: Microsoft Technology Licensing, LLC
Inventor: Fernando Garcia Valenzuela, Venkatasubrahmanyam Raman, Gerardo Diaz Cuellar, Arupendra Narayan Roy, Bisconde Ramon Aquino, Alexandru Naparu
Abstract: The disclosure herein describes securing access to a service resource within a security boundary. A security gateway instance receives a request from an edge deployment outside the security boundary. The request includes identity data identifying the edge deployment. The identity data is validated based on allowed identity data of the security gateway instance and based on a validation handler associated with the service resource. Based on validating the identity data and validating the request, the identity data is transformed using security data specific to the security gateway instance. The transformed identity data indicates the request has been validated by the security gateway instance. Based on transforming the identity data of the request, the transformed identity data and the request are forwarded to the service resource via a network link within the security boundary, wherein the service resource is configured to process the request based on identifying the transformed identity data.
-
Publication No.: US20180103010A1
Publication Date: 2018-04-12
Application No.: US15402237
Filing Date: 2017-01-10
Applicant: Microsoft Technology Licensing, LLC
Inventor: Gerardo Diaz Cuellar, Praveen Balasubramanian, Hossam Fattah
IPC: H04L29/06, H04L12/851
CPC classification number: H04L63/0263, H04L47/2441, H04L63/0227, H04L63/1408, H04L63/164, H04L63/166
Abstract: A computer system enforces network security policy by pre-classifying network traffic. Unidimensional pre-classifier filters analyze network traffic to populate a pre-classifier bit array. Rather than having filter explosion with the creation of multidimensional filters, the pre-classifier bit array is used by other layers and/or filters to enforce network security policy. Further, reclassification of network traffic due to network security changes is streamlined due to the inclusion of pre-classifier layers and the pre-classifier bit array.
-
Publication No.: US12184616B2
Publication Date: 2024-12-31
Application No.: US17659728
Filing Date: 2022-04-19
Applicant: Microsoft Technology Licensing, LLC
Inventor: Arupendra N. Roy, Arun Yadav, Chin Pong Kwong, Gerardo Diaz Cuellar, Alexandru Naparu, Jing Li
IPC: H04L9/40
Abstract: Examples of the present disclosure describe systems and methods for configuring and executing per-service TLS settings in a forward proxy. In examples, a proxy device receives a connection request from a client device to access a service. The proxy device identifies service connection information included in the connection request and selects a connection scheme for connecting to the service. The service connection information is compared to a static mapping of connection data in the connection scheme. If the service connection information matches the static mapping of connection data, a TLS type is determined for the connection request. If the service connection information does not match the static mapping of connection information, the service connection information is compared to a dynamic mapping of session information. Based on the comparison of the service connection information to the dynamic mapping of session information, a TLS type is determined for the connection request.
-
Publication No.: US10193863B2
Publication Date: 2019-01-29
Application No.: US15402237
Filing Date: 2017-01-10
Applicant: Microsoft Technology Licensing, LLC
Inventor: Gerardo Diaz Cuellar, Praveen Balasubramanian, Hossam Fattah
IPC: H04L29/06, H04L12/851
Abstract: A computer system enforces network security policy by pre-classifying network traffic. Unidimensional pre-classifier filters analyze network traffic to populate a pre-classifier bit array. Rather than having filter explosion with the creation of multidimensional filters, the pre-classifier bit array is used by other layers and/or filters to enforce network security policy. Further, reclassification of network traffic due to network security changes is streamlined due to the inclusion of pre-classifier layers and the pre-classifier bit array.
-
Publication No.: US20170353496A1
Publication Date: 2017-12-07
Application No.: US15171917
Filing Date: 2016-06-02
Applicant: Microsoft Technology Licensing, LLC
Inventor: Navin Narayan Pai, Charles G. Jeffries, Giridhar Viswanathan, Benjamin M. Schultz, Frederick J. Smith, Lars Reuther, Michael B. Ebersol, Gerardo Diaz Cuellar, Ivan Dimitrov Pashov, Poornananda R. Gaddehosur, Hari R. Pulapaka, Vikram Mangalore Rao
CPC classification number: H04L63/20, G06F21/53, H04L12/4641, H04L63/08, H04L63/10, H04L63/1416, H04L63/1433, H04L63/1441, H04L67/02
Abstract: A host operating system running on a computing device monitors network communications for the computing device to identify network resources that are requested by the computing device. The host operating system compares requested network resources against security policies to determine if the requested network resources are trusted. When an untrusted network resource is identified, the host operating system accesses the untrusted network resource within a container that is isolated from the host operating system kernel using techniques discussed herein. By restricting access to untrusted network resources to isolated containers, the host operating system is protected from even kernel-level attacks or infections that may result from an untrusted network resource.
-
Publication No.: US10438019B2
Publication Date: 2019-10-08
Application No.: US15640164
Filing Date: 2017-06-30
Applicant: Microsoft Technology Licensing, LLC
Inventor: Giridhar Viswanathan, Gerardo Diaz Cuellar, Hari R. Pulapaka, Ivan Dimitrov Pashov, Navin Narayan Pai, Benjamin M. Schultz
Abstract: A second operating system accessing resources from an external service. A method includes sending an anonymized request, for an anonymized user corresponding to an authorized user, for resources, through a broker. A request for proof indicating that the anonymized user is authorized to obtain the resources is received from the broker. As a result, a request is sent to a first operating system for the proof that the anonymized user is authorized to obtain the resources. Proof is received from the first operating system, based on the anonymized user being associated with the authorized user, that the anonymized user is authorized to obtain the resources. The proof is provided to the broker. As a result, the resources are obtained by the second operating system from the service.
-
Publication No.: US20250158966A1
Publication Date: 2025-05-15
Application No.: US18954756
Filing Date: 2024-11-21
Applicant: Microsoft Technology Licensing, LLC
Inventor: Arupendra N. Roy, Arun Yadav, Chin Pong Kwong, Gerardo Diaz Cuellar, Alexandru Naparu, Jing Li
IPC: H04L9/40
Abstract: Examples of the present disclosure describe systems and methods for configuring and executing per-service TLS settings in a forward proxy. In examples, a proxy device receives a connection request from a client device to access a service. The proxy device identifies service connection information included in the connection request and selects a connection scheme for connecting to the service. The service connection information is compared to a static mapping of connection data in the connection scheme. If the service connection information matches the static mapping of connection data, a TLS type is determined for the connection request. If the service connection information does not match the static mapping of connection information, the service connection information is compared to a dynamic mapping of session information. Based on the comparison of the service connection information to the dynamic mapping of session information, a TLS type is determined for the connection request.
-
Publication No.: US10666655B2
Publication Date: 2020-05-26
Application No.: US15818481
Filing Date: 2017-11-20
Applicant: Microsoft Technology Licensing, LLC
Inventor: Gerardo Diaz Cuellar, Navin Narayan Pai, Ivan Dimitrov Pashov, Giridhar Viswanathan, Benjamin M. Schultz, Hari R. Pulapaka
Abstract: Providing access control by a first operating system. A method includes receiving at the first operating system, from a second operating system, a request for a bounding reference to a set having at least one resource. A bounding reference for the set is obtained. The bounding reference comprises a reference created from a first operating system resolvable reference to the set. The method further includes providing the obtained bounding reference to the second operating system. A request, including the obtained bounding reference and an identifier identifying the second operating system for the set, is received from the second operating system. The obtained bounding reference and the identifier identifying the second operating system are evaluated. As a result of evaluating the obtained bounding reference and the identifier identifying the second operating system, a resource control action is performed.
-