Method and apparatus for detecting and handling evil twin access points

    Publication number: US11863984B2

    Publication date: 2024-01-02

    Application number: US17861073

    Application date: 2022-07-08

    CPC classification number: H04W12/08 H04L9/0643 H04W12/12

    Abstract: Methods and apparatus for detecting and handling evil twin access points (APs). The method and apparatus employ trusted beacons including security tokens that are broadcast by trusted APs. An evil twin AP masquerades as a trusted AP by broadcasting beacons having the same SSID as the trusted AP, as well as other header fields and information elements (IEs) in the beacon frame body containing identical information. A sniffer on the trusted AP, or in another AP that is part of a Trusted Wireless Environment (TWE), receives the beacons broadcast by other APs in the TWE, including potential evil twin APs. The content in the header and one or more IEs in received beacons is examined to determine whether a beacon is being broadcast by an evil twin. Detection of an evil twin is made by one or more of: differences in MAC addresses of trusted and untrusted beacons, time jitter measurements and replay detection using timestamps in the beacons, detection of missing security tokens in untrusted beacons, and detection that a security token mimicked by an evil twin is invalid. In one aspect, the security token is stored in a vendor-specific IE in trusted beacons and is generated by employing a secret key in a cryptographic operation over the data in the beacon preceding the vendor-specific IE.

    3. Systems and methods for scalable network monitoring
    Status: granted patent, in force

    Publication number: US08977746B2

    Publication date: 2015-03-10

    Application number: US13871896

    Application date: 2013-04-26

    Abstract: A network security device may gather a large amount of metadata pertaining to the connections being managed thereby. A refinement module may filter and/or aggregate the connection metadata. The metadata may be refined on the network security device. The refined metadata may be provided for display on a terminal. The refined metadata may include a subset of the larger connection metadata, which may reduce the overhead required to display and/or transmit monitoring information to the terminal device. The refined metadata may comprise connection groups, which may be formed based on aggregation criteria, such as connection source, destination, application, security policy, protocol, port, and/or the like. The connection groups may be ranked in accordance with ranking criteria.

    4. Email server system and method
    Status: granted patent, in force

    Publication number: US08504675B2

    Publication date: 2013-08-06

    Application number: US13466826

    Application date: 2012-05-08

    Abstract: An email system comprises a plurality of email servers connected by a data communications network. The email system avoids single points of failure by employing multiple email servers which self-configure, without requiring dedicated servers, through self-addressing and discovery and announcement protocols. An email server can act as a primary email server by executing an administration tool allowing an administrator to modify the configuration data set which the email servers utilize, and the primary email server will then announce the resulting change in the version level of the configuration data set to the other email servers. Each email server will then determine and request any needed updates to its respective configuration data set from the primary email server or another email server.

    5. CLUSTER ARCHITECTURE AND CONFIGURATION FOR NETWORK SECURITY DEVICES
    Status: invention application, pending (published)

    Publication number: US20130173766A1

    Publication date: 2013-07-04

    Application number: US13682259

    Application date: 2012-11-20

    Abstract: A computing device may be joined to a cluster by discovering the device, determining whether the device is eligible to join the cluster, configuring the device, and assigning the device a cluster role. A device may be assigned to act as a cluster master, backup master, active device, standby device, or another role. The cluster master may be configured to assign tasks, such as network flow processing, to the cluster devices. The cluster master and backup master may maintain global, run-time synchronization data pertaining to each of the network flows, shared resources, cluster configuration, and the like. The devices within the cluster may monitor one another. Monitoring may include transmitting status messages comprising indicators of device health to the other devices in the cluster. In the event a device satisfies failover conditions, a failover operation to replace the device with another standby device may be performed.

    6. Method and apparatus for controlling unsolicited messaging
    Status: granted patent, in force

    Publication number: US08223751B2

    Publication date: 2012-07-17

    Application number: US12610978

    Application date: 2009-11-02

    Abstract: Sensor nodes (or addresses therefor), acting as real-time message decoys, are distributed across a real-time communications network to attract unsolicited real-time messages. Filtering rules are derived from the message characteristics (such as the source address) and messaging content of the traffic encountered at the sensor nodes. The filtering rules are distributed to filtering agents positioned in the communications network in such a way that they can filter traffic for legitimate users. The filtering agents may identify and control the disposition of real-time messaging traffic that is part of a mass communication campaign on behalf of legitimate users of the real-time messaging communication system. Disposition may include suppressing, diverting, or labeling.

    8. Cluster architecture for network security processing
    Status: granted patent, in force

    Publication number: US09203865B2

    Publication date: 2015-12-01

    Application number: US13784476

    Application date: 2013-03-04

    Abstract: A computing device may be joined to a cluster by discovering the device, determining whether the device is eligible to join the cluster, configuring the device, and assigning the device a cluster role. A device may be assigned to act as a cluster master, backup master, active device, standby device, or another role. The cluster master may be configured to assign tasks, such as network flow processing, to the cluster devices. The cluster master and backup master may maintain global, run-time synchronization data pertaining to each of the network flows, shared resources, cluster configuration, and the like. The devices within the cluster may monitor one another. Monitoring may include transmitting status messages comprising indicators of device health to the other devices in the cluster. In the event a device satisfies failover conditions, a failover operation to replace the device with another standby device may be performed.

    9. Reputation-based method and system for determining a likelihood that a message is undesired
    Status: granted patent, in force

    Publication number: US08527592B2

    Publication date: 2013-09-03

    Application number: US11554746

    Application date: 2006-10-31

    CPC classification number: H04L63/1408 G06Q10/107 H04L51/12

    Abstract: A system and method for providing a reputation service for use in messaging environments employs a reputation of compiled statistics, representing whether SPAM messages have previously been received from each of a selected set of identifiers for the origin of the message, in a decision-making process for newly received messages. In a preferred embodiment, the set of identifiers includes the IP address, a tuple of the domain and IP address, and a tuple of the user and IP address; this set of identifiers allows a relatively fine-grained set of reputation metrics to be compiled and used when determining the likelihood that a received message is undesired in accordance with the invention.