MALWARE DETECTION FOR PROXY SERVER NETWORKS
    1.
    Invention application
    Status: under examination (published)

    Publication (announcement) number: WO2018045338A1

    Publication (announcement) date: 2018-03-08

    Application number: PCT/US2017/049949

    Application date: 2017-09-01

    Applicant: IBOSS, INC.

    Abstract: This specification generally relates to methods and systems for applying network policies to devices based on their current access network. One example method includes identifying a proxy connection request sent from a particular client device to a proxy server over a network, the proxy connection request including a hostname and configured to direct the proxy server to establish communication with the computer identified by the hostname on behalf of the client device; determining an identity of the client device based on the proxy connection request; identifying a domain name system (DNS) response to a DNS request including the hostname from the proxy connection request; and updating DNS usage information for the particular client based on the identified DNS response including the hostname from the proxy connection request.

    MANAGE ENCRYPTED NETWORK TRAFFIC USING SPOOFED ADDRESSES
    2.
    Invention application
    Status: under examination (published)

    Publication (announcement) number: WO2015077492A1

    Publication (announcement) date: 2015-05-28

    Application number: PCT/US2014/066688

    Application date: 2014-11-20

    Applicant: IBOSS, INC.

    Abstract: Methods and systems for managing encrypted network traffic using spoofed addresses. One example method includes receiving a request to resolve a domain name; determining that the domain name is included in a predetermined set of domain names; associating a spoofed address with the domain name; sending a response to the request to resolve the domain name, the response including the spoofed address; receiving a secure request for a resource, the secure request directed to the spoofed address; determining that the secure request is directed to the domain name based on the association between the spoofed address and the domain name; and selectively decrypting the secure request based at least in part on determining that the secure request is directed to the domain name.

    CONTROLLING NETWORK ACCESS BASED ON APPLICATION DETECTION
    3.
    Invention application
    Status: under examination (published)

    Publication (announcement) number: WO2014194122A1

    Publication (announcement) date: 2014-12-04

    Application number: PCT/US2014/040070

    Application date: 2014-05-29

    Applicant: IBOSS, INC.

    Abstract: This specification generally relates to controlling access of a device to a network based on detection of a network application running on the device. One example method includes maintaining one or more application profiles, each application profile associated with one or more network activities in a network; detecting one or more network activities associated with a device connected to the network; determining that the one or more detected network activities associated with the device substantially match network activities associated with a first application profile; and associating the device with a restricted network profile upon determining that the one or more detected network activities substantially match network activities associated with the first application profile, the restricted network profile configured to deny access by the device to one or more first resources on the network, and configured to allow access by the device to one or more second resources on the network.

    WEB REDIRECTION FOR CONTENT FILTERING
    4.
    Invention application
    Status: under examination (published)

    Publication (announcement) number: WO2016019175A1

    Publication (announcement) date: 2016-02-04

    Application number: PCT/US2015/042974

    Application date: 2015-07-30

    Applicant: IBOSS, INC.

    Abstract: This specification generally relates to using redirect messages to implement content filtering. One example method includes determining that access to a network resource should be redirected based at least in part on access behavior associated with the network resource; receiving from a client a first request for the network resource, the first request including an original location of the network resource; sending a redirect response to the client including a modified location for the network resource different than the original location; receiving a second request for the network resource from the client including the modified location; retrieving the network resource from the original location; performing at least one action on the retrieved network resource; and selectively sending the retrieved network resource to the client based at least in part on a result associated with the at least one action.

    MANAGE ENCRYPTED NETWORK TRAFFIC USING SPOOFED ADDRESSES
    5.
    Invention application
    Status: under examination (published)

    Publication (announcement) number: WO2015134933A1

    Publication (announcement) date: 2015-09-11

    Application number: PCT/US2015/019290

    Application date: 2015-03-06

    Applicant: IBOSS, INC.

    CPC classification number: H04L63/0428 H04L61/1511 H04L63/0236 H04L63/10

    Abstract: Methods and systems for managing encrypted network traffic using spoofed addresses. One example method includes receiving a request to resolve a domain name; determining that the domain name is included in a predetermined set of domain names; associating a spoofed address with the domain name; sending a response to the request to resolve the domain name including the spoofed address; receiving a secure request for a resource, the secure request directed to the spoofed address; identifying a user identity associated with the secure request; determining that the secure request is directed to the domain name based on the association between the spoofed address and the domain name; and selectively decrypting and/or blocking the secure request based at least in part on determining that the secure request is directed to the domain name and based at least in part on the user identity associated with the secure request.

    CONTROLLING NETWORK ACCESS BASED ON APPLICATION DETECTION
    6.
    Invention application
    Status: under examination (published)

    Publication (announcement) number: WO2014194125A1

    Publication (announcement) date: 2014-12-04

    Application number: PCT/US2014/040074

    Application date: 2014-05-29

    Applicant: IBOSS, INC.

    CPC classification number: H04L63/102 H04L63/0245 H04L63/101 H04L63/1416

    Abstract: This specification generally relates to controlling access of a device to a network based on the detection of a network application running on the device. One example method includes maintaining one or more application profiles, each application profile associated with one or more network activities in a network; detecting one or more network activities in the network associated with a device, the one or more activities directed outside the network; determining that the one or more detected network activities associated with the device directed outside the network substantially match network activities associated with a predetermined application profile; and denying access by the device to one or more resources within the network based upon the determination.

    SERVING APPROVED RESOURCES
    7.
    Invention application
    Status: under examination (published)

    Publication (announcement) number: WO2015148713A1

    Publication (announcement) date: 2015-10-01

    Application number: PCT/US2015/022554

    Application date: 2015-03-25

    Applicant: IBOSS, INC.

    Abstract: First data that identifies forbidden resources hosted outside a network that client devices on the network are not permitted to access, and second data that associates, for each forbidden resource, a permitted resource that the client devices on the network are permitted to access are maintained. Each permitted resource offers comparable services to its associated forbidden resource. A request from a client device for a forbidden resource is intercepted. The request is redirected to a permitted resource associated with the requested forbidden resource.

    NETWORK NOTIFICATIONS
    8.
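    Invention application
    Status: under examination (published)

    Publication (announcement) number: WO2015148709A1

    Publication (announcement) date: 2015-10-01

    Application number: PCT/US2015/022549

    Application date: 2015-03-25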

    Applicant: IBOSS, INC.

    Abstract: A request is received from a device within a network for a resource on a server outside of the network. The resource is subject to a policy of the network. An informational webpage is served to the device; the webpage includes an interface element. An indication of a selection of the interface element is received; the resource is served to the device from a proxy server configured to apply the policy to the resource.

    IMPLICITLY LINKING ACCESS POLICIES USING GROUP NAMES
    9.
    Invention application
    Status: under examination (published)

    Publication (announcement) number: WO2014186177A1

    Publication (announcement) date: 2014-11-20

    Application number: PCT/US2014/037011

    Application date: 2014-05-06

    Applicant: IBOSS, INC.

    CPC classification number: G06Q10/063118 H04L61/1523 H04L63/104 H04L63/20

    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for implicitly linking access policies using group names. One of the methods includes receiving first information corresponding to a directory service of network users, the directory service configured to organize the network users into a plurality of user roles, receiving second information corresponding to a resource available to the network users, the resource having a plurality of policy groups, identifying at least one first user role name that matches at least one first policy group name, and linking the user role corresponding to the matched first user role name with the policy group corresponding to the matched first policy group name such that the one or more network users in the linked user role are subject to the usage policies associated with the linked policy group.

    HYBRID CLOUD COMPUTING NETWORK MANAGEMENT
    10.
    Invention application

    Publication (announcement) number: WO2019204642A1

    Publication (announcement) date: 2019-10-24

    Application number: PCT/US2019/028173

    Application date: 2019-04-18

    Applicant: IBOSS, INC.

    Abstract: Techniques for delivering a distributed network security service providing isolation of customer data are described. One example method includes configuring a first node to participate in a node cluster, wherein the first node is hosted by a first cloud service provider, and wherein participating in the node cluster includes performing one or more processing actions specific to the node cluster on data received by the node; configuring a second node to participate in the node cluster, the second node hosted by a second cloud service provider; receiving a status indication from the first node over a network; determining a synchronization mechanism for the first node based on a network configuration of the first node, wherein the determined synchronization mechanism is configured to allow the first node to acquire synchronization data from other nodes in the node cluster; and transmitting the synchronization mechanism to the first node over the network.
