-
Publication No.: US10701035B2
Publication date: 2020-06-30
Application No.: US15960419
Application date: 2018-04-23
Applicant: NETFLIX, INC.
Inventor: Jason Chan, Poornaprajna Udupi, Shashi Madappa
Abstract: Approaches, techniques, and mechanisms are disclosed for implementing a distributed firewall. In an embodiment, many different computer assets police incoming messages based on local policy data. This local policy data is synchronized with global policy data. The global policy data is generated by one or more separate analyzers. Each analyzer has access to message logs, or information derived therefrom, for groups of computer assets, and is thus able to generate policies based on intelligence from an entire group as opposed to an isolated asset. Among other effects, some of the approaches, techniques, and mechanisms may be effective even in computing environments with limited supervision over the attack surface, and/or computing environments in which assets may need to make independent decisions with respect to how incoming messages should be handled, on account of latency and/or unreliability in connections to other system components.
-
Publication No.: US09990499B2
Publication date: 2018-06-05
Application No.: US13959640
Application date: 2013-08-05
Applicant: Netflix, Inc.
Inventor: Jason Chan, Patrick Kelley, Benjamin Hagen, Samuel Reed
IPC: G06F21/57
CPC classification number: G06F21/577
Abstract: A method and system for discovering and testing security assets is provided. Based on source definition data describing sources to monitor on the one or more computer networks, an example system scans the sources to identify security assets. The system analyses the security assets to identify characteristics of the server-based applications. The system stores database records describing the security assets and the identified characteristics. The system queries the database records to select, based at least on the identified characteristics, one or more target assets, from the security assets, on which to conduct one or more security tests. Responsive to selecting the one or more target assets, the system conducts the one or more security tests on the one or more target assets. The system identifies one or more security vulnerabilities at the one or more target assets based on the conducted one or more security tests.
-
Publication No.: US10691814B2
Publication date: 2020-06-23
Application No.: US15960468
Application date: 2018-04-23
Applicant: NETFLIX, INC.
Inventor: Ariel Tseitlin, Roy Rapoport, Jason Chan
IPC: H04L29/06, G06F21/60, G06F16/28, G06F21/45, G06F21/57, H04L9/32, H04L12/26, G06F9/50, H04L12/24, G06F11/30, G06F21/00, H04L29/08
Abstract: A security application manages security and reliability of networked applications executing collection of interacting computing elements within a distributed computing architecture. The security application monitors various classes of resources utilized by the collection of nodes within the distributed computing architecture and determine whether utilization of a class of resources is approaching a pre-determined maximum limit. The security application performs a vulnerability scan of a networked application to determine whether the networked application is prone to a risk of intentional or inadvertent breach by an external application. The security application scans a distributed computing architecture for the existence of access control lists (ACLs), and stores ACL configurations and configuration changes in a database. The security application scans a distributed computing architecture for the existence of security certificates, places newly discovered security certificates in a database, and deletes outdated security certificates. Advantageously, security and reliability are improved in a distributed computing architecture.
-
Publication No.: US10332116B2
Publication date: 2019-06-25
Application No.: US14876613
Application date: 2015-10-06
Applicant: NETFLIX, INC.
Inventor: Rudra Peram, Jason Chan
Abstract: Provided herein are systems and methods of monitoring account activity in a streaming media environment. An exemplary system includes a monitoring system, an account creation and management system, and an account payment system. The monitoring system is coupled to the account creation and management system and the account payment system via a network. The processing device of the monitoring system retrieves account information for a first user account. Account information includes user consumption information and user payment information associated with the first user account. The processing device determines a fraudulent account score for the first user account based on at least one of the user consumption information, the user payment information, and account identification information. When the fraudulent account score exceeds an upper threshold, the processing device automatically deletes the first user account from at least one of the account creation and management system and the accounts payment system.
-
Publication No.: US09954822B2
Publication date: 2018-04-24
Application No.: US15471254
Application date: 2017-03-28
Applicant: Netflix, Inc.
Inventor: Jason Chan, Poornaprajna Udupi, Shashi Madappa
CPC classification number: H04L63/0245, G06F17/30312, H04L63/0218, H04L63/0227, H04L63/1408, H04L63/20, H04L67/10
Abstract: Approaches, techniques, and mechanisms are disclosed for implementing a distributed firewall. In an embodiment, many different computer assets police incoming messages based on local policy data. This local policy data is synchronized with global policy data. The global policy data is generated by one or more separate analyzers. Each analyzer has access to message logs, or information derived therefrom, for groups of computer assets, and is thus able to generate policies based on intelligence from an entire group as opposed to an isolated asset. Among other effects, some of the approaches, techniques, and mechanisms may be effective even in computing environments with limited supervision over the attack surface, and/or computing environments in which assets may need to make independent decisions with respect to how incoming messages should be handled, on account of latency and/or unreliability in connections to other system components.
-
Publication No.: US09953173B2
Publication date: 2018-04-24
Application No.: US14703862
Application date: 2015-05-04
Applicant: NETFLIX, INC.
Inventor: Ariel Tseitlin, Roy Rapoport, Jason Chan
CPC classification number: G06F21/604, G06F9/50, G06F11/302, G06F11/3051, G06F17/30598, G06F21/00, G06F21/45, G06F21/577, G06F2209/504, G06F2221/034, G06F2221/2141, H04L9/3268, H04L41/12, H04L43/16, H04L63/101, H04L63/1408, H04L63/1433, H04L67/10, Y02D10/22
Abstract: A security application manages security and reliability of networked applications executing collection of interacting computing elements within a distributed computing architecture. The security application monitors various classes of resources utilized by the collection of nodes within the distributed computing architecture and determine whether utilization of a class of resources is approaching a pre-determined maximum limit. The security application performs a vulnerability scan of a networked application to determine whether the networked application is prone to a risk of intentional or inadvertent breach by an external application. The security application scans a distributed computing architecture for the existence of access control lists (ACLs), and stores ACL configurations and configuration changes in a database. The security application scans a distributed computing architecture for the existence of security certificates, places newly discovered security certificates in a database, and deletes outdated security certificates. Advantageously, security and reliability are improved in a distributed computing architecture.
-
Publication No.: US20170201489A1
Publication date: 2017-07-13
Application No.: US15471254
Application date: 2017-03-28
Applicant: Netflix, Inc.
Inventor: Jason Chan, Poornaprajna Udupi, Shashi Madappa
IPC: H04L29/06
CPC classification number: H04L63/0245, G06F17/30312, H04L63/0218, H04L63/0227, H04L63/1408, H04L63/20, H04L67/10
Abstract: Approaches, techniques, and mechanisms are disclosed for implementing a distributed firewall. In an embodiment, many different computer assets police incoming messages based on local policy data. This local policy data is synchronized with global policy data. The global policy data is generated by one or more separate analyzers. Each analyzer has access to message logs, or information derived therefrom, for groups of computer assets, and is thus able to generate policies based on intelligence from an entire group as opposed to an isolated asset. Among other effects, some of the approaches, techniques, and mechanisms may be effective even in computing environments with limited supervision over the attack surface, and/or computing environments in which assets may need to make independent decisions with respect to how incoming messages should be handled, on account of latency and/or unreliability in connections to other system components.
-
Publication No.: US20170099292A1
Publication date: 2017-04-06
Application No.: US14876629
Application date: 2015-10-06
Applicant: NETFLIX, INC.
Inventor: Patrick Kelley, Ben Hagen, Jason Chan, Kevin Glisson
CPC classification number: H04L63/10, H04L63/20, H04L67/10, H04L67/306
Abstract: Provided herein are systems and methods of managing permissions for applications deployed in a distributed computing infrastructure. An exemplary system includes an access management server having a processing device, a distributed computing infrastructure in communication with the management server having a plurality of resource instances and a request log, an administration system having a security application executing thereon. The security application has access policies associated with each of a plurality of applications. The processing device of the management server: receives application request information from the request log describing requests made by a first application being monitored by the access management server. The management server receives an access policy describing a set of accessible APIs associated with the first application from the security application and determines that access to a first API of the set should be removed, and modifies the access policy to remove access to the first API.
-
Publication No.: US20170098219A1
Publication date: 2017-04-06
Application No.: US14876613
Application date: 2015-10-06
Applicant: NETFLIX, INC.
Inventor: Rudra Peram, Jason Chan
CPC classification number: G06Q20/4016, G06Q20/3224, G06Q30/0225, H04L67/306
Abstract: Provided herein are systems and methods of monitoring account activity in a streaming media environment. An exemplary system includes a monitoring system, an account creation and management system, and an account payment system. The monitoring system is coupled to the account creation and management system and the account payment system via a network. The processing device of the monitoring system retrieves account information for a first user account. Account information includes user consumption information and user payment information associated with the first user account. The processing device determines a fraudulent account score for the first user account based on at least one of the user consumption information, the user payment information, and account identification information. When the fraudulent account score exceeds an upper threshold, the processing device automatically deletes the first user account from at least one of the account creation and management system and the accounts payment system.
-
Publication No.: US20150040229A1
Publication date: 2015-02-05
Application No.: US13959640
Application date: 2013-08-05
Applicant: Netflix, Inc.
Inventor: Jason Chan, Patrick Kelley, Benjamin Hagen, Samuel Reed
IPC: G06F21/57
CPC classification number: G06F21/577
Abstract: A method and system for discovering and testing security assets is provided. Based on source definition data describing sources to monitor on the one or more computer networks, an example system scans the sources to identify security assets. The system analyses the security assets to identify characteristics of the server-based applications. The system stores database records describing the security assets and the identified characteristics. The system queries the database records to select, based at least on the identified characteristics, one or more target assets, from the security assets, on which to conduct one or more security tests. Responsive to selecting the one or more target assets, the system conducts the one or more security tests on the one or more target assets. The system identifies one or more security vulnerabilities at the one or more target assets based on the conducted one or more security tests.