Abstract:
A method of providing infrastructure protection for a server of a network organization. The method includes announcing an internet protocol (IP) address range associated with the network organization, using the border gateway protocol (BGP), from an edge server of a distributed network of edge servers. The method further includes receiving an incoming network packet intended for the server of the network organization, the server being identified by a public IP address within the IP address range, the public IP address serving as a first anycast address for the distributed network of edge servers. The method further includes determining, by the distributed network, whether the incoming network packet is legitimate and, responsive to determining that the incoming network packet is legitimate, routing, by a processor using generic routing encapsulation (GRE), the incoming network packet to the server at a private IP address.
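The edge-side data path described above, as an added example that is not the patent's own code: an edge server accepts an IPv4 packet addressed to the announced anycast prefix, applies a legitimacy test, and forwards survivors to the origin's private address inside GRE. The prefix `198.51.100.0/24`, the edge address `192.0.2.1`, the origin mapping and the legitimacy test (destination inside the announced range plus a per-source packets-per-second cap) are assumptions for illustration; the abstract does not say how legitimacy is scored. The GRE header is the plain four-byte form (no checksum, key or sequence fields).

```python
import ipaddress
import struct
from collections import defaultdict

GRE_PROTOCOL = 47         # IP protocol number of GRE
ETHERTYPE_IPV4 = 0x0800   # GRE "protocol type" value for an IPv4 payload


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header; a correct header checksums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header, no options, with a correct checksum."""
    header = struct.pack(
        "!BBHHHBBH4s4s", (4 << 4) | 5, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]


def gre_encapsulate(inner_packet: bytes, edge_ip: str, origin_private_ip: str) -> bytes:
    """Wrap a scrubbed IPv4 packet in a plain GRE header and an outer IPv4 header
    from the edge server to the origin's private address."""
    gre_header = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)   # no C/K/S flags, version 0
    payload = gre_header + inner_packet
    return build_ipv4_header(edge_ip, origin_private_ip, len(payload), GRE_PROTOCOL) + payload


def gre_decapsulate(packet: bytes):
    """Inverse of gre_encapsulate, as the origin would do it: (outer_src, outer_dst, inner)."""
    if len(packet) < 24 or packet[0] >> 4 != 4 or packet[9] != GRE_PROTOCOL:
        raise ValueError("not a GRE-in-IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 checksum")
    flags, proto_type = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0xB000 or proto_type != ETHERTYPE_IPV4:   # C, K or S set: optional fields not handled here
        raise ValueError("unsupported GRE header")
    outer_src = str(ipaddress.IPv4Address(packet[12:16]))
    outer_dst = str(ipaddress.IPv4Address(packet[16:20]))
    return outer_src, outer_dst, packet[ihl + 4:]


class EdgeScrubber:
    """Per-edge decision logic. The legitimacy test (destination inside the announced prefix,
    per-source packets-per-second cap) is an assumed stand-in for the real edge's scoring."""

    def __init__(self, announced_prefix: str, edge_ip: str, origin_map: dict, max_pps: int = 100):
        self.prefix = ipaddress.ip_network(announced_prefix)
        self.edge_ip = edge_ip
        self.origin_map = origin_map      # public anycast IP -> origin private IP (assumed config)
        self.max_pps = max_pps
        self.counts = defaultdict(int)    # (src_ip, whole second) -> packets seen

    def decide(self, inner: bytes, now: float):
        """Return ("forward", gre_packet) or ("drop", reason)."""
        if len(inner) < 20 or inner[0] >> 4 != 4:
            return "drop", "not-ipv4"
        src = str(ipaddress.IPv4Address(inner[12:16]))
        dst = str(ipaddress.IPv4Address(inner[16:20]))
        if ipaddress.IPv4Address(dst) not in self.prefix:
            return "drop", "not-announced"      # we never advertised this address via BGP
        origin = self.origin_map.get(dst)
        if origin is None:
            return "drop", "no-origin"
        key = (src, int(now))
        self.counts[key] += 1
        if self.counts[key] > self.max_pps:
            return "drop", "rate-limit"
        return "forward", gre_encapsulate(inner, self.edge_ip, origin)


if __name__ == "__main__":
    edge = EdgeScrubber("198.51.100.0/24", "192.0.2.1", {"198.51.100.10": "10.0.0.5"})
    # Constructed probe: UDP-ish packet from a client to the anycast address.
    probe = build_ipv4_header("203.0.113.7", "198.51.100.10", 4, 17) + b"ping"
    verdict, out = edge.decide(probe, now=1000.0)
    print(verdict, gre_decapsulate(out)[:2])
```

The origin only has to accept GRE from the edge addresses and must not expose the private address otherwise, or attackers can bypass the scrubbing edges by sending straight to it.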
Abstract:
A technique for accelerating dynamic content delivery in a content delivery network (CDN). In some embodiments of the invention, responsive to a request for dynamic content sent by a client, a client-proxy hosted in a datacenter of the CDN sends the request to a "forwarder-proxy" hosted in another datacenter of the same CDN. The forwarder-proxy, responsive to the request for dynamic content, forwards the request to an origin server and does not cache the dynamic content. The datacenter selected for the forwarder-proxy is one that is "close" to the origin server in terms of round-trip time (RTT), to improve network performance for requests for dynamic content.
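The client-proxy's decision, as an added example that is not the patent's code: classify the request, pick the datacenter with the lowest measured RTT to the origin as the forwarder, and fall back to a direct origin fetch when the extra hop would not buy enough. The RTT table, the datacenter names, the `DYNAMIC_PATH` classification and the `min_gain_ms` margin are all assumptions; the abstract does not specify how a request is recognised as dynamic or how "close" is thresholded.

```python
import re

# Constructed measurements: median RTT in milliseconds from each CDN datacenter to each origin.
RTT_MS = {
    "dc-fra": {"origin.example.net": 8.0, "api.example.org": 95.0},
    "dc-lon": {"origin.example.net": 15.0},
    "dc-nyc": {"origin.example.net": 92.0, "api.example.org": 12.0},
    "dc-sin": {"origin.example.net": 180.0, "api.example.org": 210.0},
}

# Assumed classification of "dynamic" requests (the abstract leaves this to the CDN).
DYNAMIC_PATH = re.compile(r"^/(api|cart|checkout|account)(/|$)")


def is_dynamic(method: str, path: str) -> bool:
    return method.upper() not in ("GET", "HEAD") or "?" in path or bool(DYNAMIC_PATH.match(path))


def closest_datacenter(origin: str, rtt_table=RTT_MS):
    """Datacenter with the lowest measured RTT to the origin, or None if nothing measured it."""
    candidates = [(rtt[origin], dc) for dc, rtt in rtt_table.items() if origin in rtt]
    return min(candidates)[1] if candidates else None


def choose_forwarder(client_dc: str, origin: str, rtt_table=RTT_MS, min_gain_ms: float = 20.0):
    """Datacenter to host the forwarder-proxy, or None to contact the origin directly.
    A second hop is only worth it when it cuts origin RTT by at least min_gain_ms."""
    best = closest_datacenter(origin, rtt_table)
    if best is None or best == client_dc:
        return None
    own = rtt_table.get(client_dc, {}).get(origin)
    if own is not None and own - rtt_table[best][origin] < min_gain_ms:
        return None
    return best


def route(client_dc: str, method: str, path: str, origin: str, rtt_table=RTT_MS) -> dict:
    """Decision the client-proxy makes for one request."""
    if not is_dynamic(method, path):
        return {"action": "serve-from-cache-or-origin", "via": None, "cache": True}
    fwd = choose_forwarder(client_dc, origin, rtt_table)
    # Dynamic content is never cached, whichever path it takes.
    return {"action": "forward", "via": fwd, "cache": False}


if __name__ == "__main__":
    print(route("dc-sin", "POST", "/checkout", "origin.example.net"))
    print(route("dc-sin", "GET", "/static/logo.png", "origin.example.net"))
```

The win comes from the forwarder keeping warm, reused TCP/TLS connections to a nearby origin, so the long leg is carried over the CDN's own backbone instead of a cold handshake across the public internet.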
Abstract:
Techniques for detecting suspicious data object access requests indicative of potential insider threats are described. A suspicious access detection module (SADM) determines, based on access data describing access requests issued on behalf of multiple users, groups of the users having similar patterns of access to resource groups, the set of resource groups accessed by each of the user groups, and which user groups are to be considered nearby other user groups based on having a threshold amount of resource group access similarity. The SADM causes an alert to be generated responsive to a determination that a subsequent access request is suspicious because it accesses a data object of a resource group that is not within the set of accessed resource groups of the issuing user's user group, and because the resource group is not within the sets of accessed resource groups of any nearby user groups.
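The SADM logic end to end, as an added example that is not the patent's code: build per-user access sets, cluster users into groups, link groups that overlap enough to be "nearby", and flag a request that falls outside both the issuer's group and its neighbours. The access log, the greedy Jaccard clustering and the two thresholds are assumptions; the abstract fixes neither the grouping method nor the similarity measure.

```python
from collections import defaultdict
from itertools import combinations

# Constructed access data: (user, resource_group) pairs distilled from access requests.
ACCESS_LOG = [
    ("alice", "hr-payroll"), ("alice", "hr-benefits"),
    ("bob", "hr-payroll"), ("bob", "hr-benefits"),
    ("carol", "eng-src"), ("carol", "eng-ci"),
    ("dave", "eng-src"), ("dave", "eng-ci"), ("dave", "eng-secrets"),
    ("erin", "fin-ledger"), ("erin", "hr-payroll"),
    ("frank", "fin-ledger"), ("frank", "hr-payroll"),
]


def jaccard(a: set, b: set) -> float:
    return 1.0 if not a and not b else len(a & b) / len(a | b)


class SuspiciousAccessDetector:
    """Groups users by similar access patterns, links groups that are 'nearby', and flags a
    request outside both the issuer's group and its neighbours. The grouping is a greedy
    Jaccard clustering chosen for this example."""

    def __init__(self, access_log, group_threshold=0.5, nearby_threshold=0.2):
        self.user_resources = defaultdict(set)
        for user, rg in access_log:
            self.user_resources[user].add(rg)
        self.group_of = {}            # user -> group index
        self.group_resources = []     # group index -> resource groups that group accesses
        for user in sorted(self.user_resources):
            res = self.user_resources[user]
            best, best_sim = None, 0.0
            for idx, grp in enumerate(self.group_resources):
                sim = jaccard(res, grp)
                if sim >= group_threshold and sim > best_sim:
                    best, best_sim = idx, sim
            if best is None:
                self.group_resources.append(set(res))
                best = len(self.group_resources) - 1
            else:
                self.group_resources[best] |= res
            self.group_of[user] = best
        # Two user groups are nearby when their accessed resource groups overlap enough.
        self.nearby = {i: set() for i in range(len(self.group_resources))}
        for i, j in combinations(self.nearby, 2):
            if jaccard(self.group_resources[i], self.group_resources[j]) >= nearby_threshold:
                self.nearby[i].add(j)
                self.nearby[j].add(i)

    def is_suspicious(self, user: str, resource_group: str) -> bool:
        g = self.group_of.get(user)
        if g is None:
            return True   # no baseline for this user at all
        if resource_group in self.group_resources[g]:
            return False
        return not any(resource_group in self.group_resources[n] for n in self.nearby[g])

    def alerts(self, requests):
        """requests: (user, data_object, resource_group). Returns the ones to alert on."""
        return [r for r in requests if self.is_suspicious(r[0], r[2])]


if __name__ == "__main__":
    det = SuspiciousAccessDetector(ACCESS_LOG)
    print(det.alerts([("erin", "payroll.xlsx", "hr-benefits"), ("frank", "build.key", "eng-secrets")]))
```

The "nearby" step is what keeps false positives down: erin's finance group never touched `hr-benefits`, but a group that overlaps hers does, so that request passes, while `eng-secrets` is alien to her group and every neighbour and is alerted.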
Abstract:
A method by a security system for detecting malicious attempts to access a decoy database object in a database. The database includes database objects accessible by clients of the database (database clients). The method includes detecting that access to a decoy database object of the database is being attempted by a database client over a connection to the database, where the decoy database object is a database object created for the purpose of deceiving an attacker rather than a legitimate database object; determining that the connection is of an application connection type, where the application connection type is a type of connection over which queries generated by a database client application are submitted; and, responsive to the determination that the connection is of the application connection type, causing an alert to be generated.
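The detection step run over sample query events, as an added example that is not the patent's code. The decoy names, the client programs used to type a connection as "application" or "admin", and the regex used to pull object names out of SQL are assumptions; a real product would take the parsed statement and connection metadata from the database protocol rather than a regex.

```python
import re

DECOY_OBJECTS = {"customers_backup_2019", "vw_admin_credentials"}   # constructed decoy names

# Assumed typing of connections: service identities whose queries are generated by code
# are "application" connections; interactive tools are "admin" connections.
APPLICATION_CLIENTS = {"orders-service", "billing-worker"}
ADMIN_CLIENTS = {"psql", "dbeaver", "sqlplus", "mysql"}

TABLE_REF = re.compile(r"\b(?:from|join|into|update|table)\s+[`\"\[]?([A-Za-z_][\w.]*)", re.I)

# Constructed events: (connection_id, client_program, db_user, sql)
SAMPLE_EVENTS = [
    ("c1", "orders-service", "svc_orders", "SELECT id, total FROM orders WHERE id = $1"),
    ("c1", "orders-service", "svc_orders", "SELECT * FROM customers_backup_2019 LIMIT 100"),
    ("c2", "psql", "dba_jane", "SELECT count(*) FROM customers_backup_2019"),
    ("c1", "orders-service", "svc_orders",
     "select u.id from users u join vw_admin_credentials v on v.uid = u.id"),
]


def referenced_objects(sql: str) -> set:
    """Unqualified, lower-cased names of objects the statement touches."""
    return {m.split(".")[-1].lower() for m in TABLE_REF.findall(sql)}


def connection_type(client_program: str) -> str:
    if client_program in APPLICATION_CLIENTS:
        return "application"
    if client_program in ADMIN_CLIENTS:
        return "admin"
    return "unknown"


def evaluate(events):
    """Return alerts for decoy access attempted over application-type connections."""
    alerts = []
    for conn_id, program, user, sql in events:
        touched = referenced_objects(sql) & DECOY_OBJECTS
        if not touched:
            continue
        if connection_type(program) == "application":
            # Application code has no legitimate reason to reference a decoy: either the
            # statement was injected or the application host is compromised.
            alerts.append({"connection": conn_id, "user": user,
                           "decoys": sorted(touched), "sql": sql})
        # admin/unknown connections: a DBA browsing the schema may touch a decoy; log only
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Whether "unknown" connections should alert is a tuning choice; the safer default for a protected production schema is to alert on anything that is not a known admin tool.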
Abstract:
A Token Transmission Server transmits active tokens within an enterprise network. The active tokens include either active data tokens or active request tokens, and are fraudulent from the perspective of the enterprise. A Token Monitoring Server monitors network traffic within the enterprise network to detect the presence of network traffic being originated by an enterprise device based upon the active tokens, and generates an alert indicating that the enterprise device is likely compromised.
Abstract:
Noisy tokens can be placed in locations of client end stations such that local operations performed upon the noisy tokens generate network traffic. A traffic monitoring module (TMM) can determine normal activity patterns of network traffic resulting from one or more of the placed noisy tokens being activated by one or more non-malicious operations, and identify that other network traffic resulting from one or more of the noisy tokens being activated does not meet the one or more normal activity patterns. In response, the TMM can cause an alert to be generated.
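The TMM's baseline-and-deviation step, as an added example that is not the patent's code. Noisy tokens such as a shortcut to a share or a saved RDP profile get touched by indexers and antivirus scans on a schedule, which is the "normal activity pattern"; the same token activated by an unexpected process or at an unexpected hour is the signal. The activity records, the process names, the support threshold and the one-hour tolerance are assumptions.

```python
from collections import defaultdict

# Constructed activity records attributed to noisy tokens: (token_id, host, process, hour_of_day)
TRAINING = (
    [("lnk-finance-share", "ws-17", "SearchIndexer.exe", 2)] * 5
    + [("lnk-finance-share", "ws-17", "MsMpEng.exe", 3)] * 5
    + [("rdp-saved-creds", "ws-17", "SearchIndexer.exe", 2)] * 5
    + [("lnk-finance-share", "ws-17", "explorer.exe", 9)]    # single sighting, below support
)


class TrafficMonitor:
    def __init__(self, min_support: int = 3, hour_tolerance: int = 1):
        self.min_support = min_support        # sightings needed before a pattern counts as normal
        self.hour_tolerance = hour_tolerance  # scheduled jobs drift a little
        self.counts = defaultdict(int)        # (token, process, hour) -> sightings
        self.patterns = defaultdict(set)      # token -> {(process, hour)} considered normal

    def learn(self, records):
        for token, _host, process, hour in records:
            self.counts[(token, process, hour)] += 1
        for (token, process, hour), n in self.counts.items():
            if n >= self.min_support:
                self.patterns[token].add((process, hour))

    def _is_normal(self, token, process, hour) -> bool:
        for p, h in self.patterns.get(token, set()):
            circular_gap = min((h - hour) % 24, (hour - h) % 24)
            if p == process and circular_gap <= self.hour_tolerance:
                return True
        return False

    def check(self, record):
        """None when the activation matches a learned pattern, otherwise an alert dict."""
        token, host, process, hour = record
        if self._is_normal(token, process, hour):
            return None
        known_procs = {p for p, _ in self.patterns.get(token, set())}
        reason = ("known process at unusual hour" if process in known_procs
                  else "token activated by unexpected process")
        return {"token": token, "host": host, "process": process, "hour": hour, "reason": reason}


if __name__ == "__main__":
    tmm = TrafficMonitor()
    tmm.learn(TRAINING)
    print(tmm.check(("lnk-finance-share", "ws-17", "powershell.exe", 14)))
```

The support threshold matters: without it, the one-off `explorer.exe` sighting would become "normal" and an attacker browsing that folder interactively would look like the baseline.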
Abstract:
According to one embodiment, a method for setting a trap to detect that an intruder has compromised a client end station (CES) in an attempt to gain unauthorized access to enterprise data provided by a server is described. The method includes causing a honey token to be placed on the CES, secluded within a configuration repository, wherein the honey token is metadata and/or instructions indicating how applications can seemingly access the enterprise data but that are actually invalid, and the honey token is placed on the CES and not on the server. The method also includes causing attribute values to be installed on a security gateway for a security rule that causes the security gateway to monitor network traffic for attempted use of the honey token, and to generate an alert when a set of one or more packets that include the honey token is received.
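Both token abstracts above (the active tokens sent out and monitored by the Token Transmission and Token Monitoring Servers, and the honey token secluded in a configuration repository with attribute values installed on a gateway) come down to the same loop, shown here as an added example that is not either patent's code: mint a credential that is valid-looking but provisioned nowhere, plant it in a client-side config file, derive the gateway's match attributes from it, and alert when those bytes appear on the wire. The host and user names, the INI layout, the packet samples and the strong/weak scoring are assumptions.

```python
import configparser
import os
import secrets
import tempfile


def make_honey_token(db_host="reports-db.corp.example", user="svc_reporting_ro") -> dict:
    """A credential that looks valid but is never provisioned; the random part makes the
    value unique, so any sighting on the wire is attributable to this placement."""
    password = "Rp!" + secrets.token_urlsafe(12)
    return {
        "user": user, "password": password, "host": db_host,
        "connection_string": f"Server={db_host};Database=reports;User Id={user};Password={password};",
    }


def plant_token(config_path: str, token: dict) -> None:
    """Seclude the token in a configuration repository on the CES (an INI file here)."""
    cfg = configparser.ConfigParser()
    if os.path.exists(config_path):
        cfg.read(config_path)
    if not cfg.has_section("legacy_reporting"):
        cfg.add_section("legacy_reporting")
    cfg.set("legacy_reporting", "connection_string", token["connection_string"])
    with open(config_path, "w") as fh:
        cfg.write(fh)


def gateway_rule(token: dict) -> dict:
    """Attribute values for the security gateway's rule. The password alone is the strong
    signal; user plus host together is weaker (a guessed password with the real user)."""
    return {
        "token_id": token["user"],
        "strong": [token["password"].encode()],
        "weak": [token["user"].encode(), token["host"].encode()],
    }


def inspect_traffic(packets, rule: dict):
    """packets: iterable of (src_ip, dst_ip, payload bytes). Returns alerts, one per hit."""
    alerts = []
    for src, dst, payload in packets:
        if any(p in payload for p in rule["strong"]):
            alerts.append({"src": src, "dst": dst, "token": rule["token_id"], "confidence": "high"})
        elif all(p in payload for p in rule["weak"]):
            alerts.append({"src": src, "dst": dst, "token": rule["token_id"], "confidence": "medium"})
    return alerts


def demo():
    """Plant a token in a temp config, read it back, then run the gateway rule over
    constructed packets. Returns (token, value read back from the config, alerts)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "reporting.ini")
        token = make_honey_token()
        plant_token(path, token)
        readback = configparser.ConfigParser()
        readback.read(path)
        stored = readback["legacy_reporting"]["connection_string"]
    rule = gateway_rule(token)
    pw = token["password"].encode()
    packets = [   # constructed: benign HTTP, a DB login using the token, a guessed login
        ("10.20.30.40", "10.0.5.9", b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
        ("10.20.30.40", "10.0.7.2", b"\x10\x00\x00\x01svc_reporting_ro\x00" + pw + b"\x00reports"),
        ("10.20.30.41", "10.0.7.2", b"login svc_reporting_ro@reports-db.corp.example pass hunter2"),
    ]
    return token, stored, inspect_traffic(packets, rule)


if __name__ == "__main__":
    _, _, hits = demo()
    for hit in hits:
        print(hit)
```

The alert's source address is the compromised CES, which is the point of placing the token on the client and not on the server: the server never holds the credential, so any use of it must have come from reading the client's files.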
Abstract:
According to one embodiment, a method in a computing device for responding to a determination that a verification with a user is desired, responsive to detection of activity indicative of a possible insider threat, is described. The method includes selecting a target role and a target user for the verification based on an activity context and an enterprise context repository: the target role is selected from a plurality of target roles based on the activity context and optionally the enterprise context repository, and a target user in the selected target role is selected based on the enterprise context repository. The method further includes causing a verification request to be sent to the selected target user, and generating an alert when the verification result indicates that the activity is indicative of the possible insider threat.
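The role-then-user selection with an escalation path, as an added example that is not the patent's code. The directory, the resource owners, the role-selection rules and the escalation order (data owner, then manager, then security officer) are assumptions; the one rule worth keeping whatever the policy is that the actor is never asked to verify their own activity.

```python
# Constructed enterprise context repository.
DIRECTORY = {
    "alice":  {"manager": "maria",  "department": "finance",  "role": "analyst"},
    "maria":  {"manager": "victor", "department": "finance",  "role": "manager"},
    "victor": {"manager": "victor", "department": "exec",     "role": "cfo"},   # top of chain
    "sam":    {"manager": "victor", "department": "security", "role": "security_officer"},
    "omar":   {"manager": "victor", "department": "finance",  "role": "data_owner"},
}
RESOURCE_OWNERS = {"fin-ledger": "omar", "hr-payroll": "maria"}


def users_in_role(role: str):
    return sorted(u for u, rec in DIRECTORY.items() if rec["role"] == role)


def select_target_role(ctx: dict) -> str:
    """Role selection driven by the activity context (assumed rules)."""
    if ctx["activity"] in ("bulk_download", "export") and ctx.get("resource") in RESOURCE_OWNERS:
        return "data_owner"
    if ctx["activity"] in ("after_hours_access", "new_device_login"):
        return "manager"
    return "security_officer"


def select_target(ctx: dict):
    """Return (role, user). Escalates when the natural target is missing or is the actor."""
    actor = ctx["user"]
    for role in (select_target_role(ctx), "manager", "security_officer"):
        if role == "data_owner":
            candidate = RESOURCE_OWNERS.get(ctx.get("resource"))
        elif role == "manager":
            candidate = DIRECTORY.get(actor, {}).get("manager")
        else:
            officers = users_in_role("security_officer")
            candidate = officers[0] if officers else None
        if candidate and candidate != actor:      # never let someone verify themselves
            return role, candidate
    return None, None


def verification_request(ctx: dict) -> dict:
    role, target = select_target(ctx)
    question = (f"Did {ctx['user']} legitimately perform {ctx['activity']} "
                f"on {ctx.get('resource', '-')}?")
    return {"to": target, "role": role, "question": question, "activity": ctx}


def handle_result(request: dict, answer: str):
    """'yes' clears the activity; anything else keeps the insider-threat hypothesis and alerts."""
    if answer == "yes":
        return None
    return {"alert": "possible insider threat", "user": request["activity"]["user"],
            "verified_by": request["to"], "answer": answer}


if __name__ == "__main__":
    req = verification_request({"user": "alice", "activity": "bulk_download", "resource": "fin-ledger"})
    print(req["to"], req["role"], handle_result(req, "no"))
```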
Abstract:
According to one embodiment, a transparent security gateway is coupled between a client end station (CES) and a web application server (WAS). The security gateway monitors an encryption protocol handshake between the CES and the WAS to capture, using a provided private key of the WAS, the generated symmetric key to be used for an encryption layer connection. Using the captured symmetric key, the security gateway receives an encrypted connection record of the encryption layer connection, decrypts the encrypted connection record to yield a plaintext connection record, modifies the plaintext connection record, encrypts the modified plaintext connection record using the symmetric key, and transmits one or more packets carrying the encrypted modified connection record instead of the received encrypted connection record, such that neither the CES nor the WAS is aware of the modification of the encrypted data.
Abstract:
According to one embodiment, a computing device is coupled to a set of web application layer attack detectors (ADs), which are coupled between HTTP clients and web application servers. The computing device automatically learns a new condition shared by a plurality of alert packages reported by the set of ADs due to a triggering of one or more rules that is indicative of a web application layer attack. The computing device automatically generates a new set of attribute values by analyzing the plurality of alert packages to identify the condition shared by the plurality of alert packages, and transmits the new set of attribute values for delivery to the set of ADs for a different rule to be used to protect against the web application layer attack from the HTTP clients or any other HTTP client.
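The learning step over a batch of alert packages, as an added example that is not the patent's code: find the attribute values the packages share, drop anything that identifies the reporting client (the new rule must catch the same attack from any other HTTP client), refuse to emit a rule that is too generic, and apply the result to fresh requests. The alert packages, the attribute names, the support threshold and the minimum-attribute guard are assumptions.

```python
from collections import Counter

# Attributes that identify the reporting client; a learned condition must not depend on them.
CLIENT_IDENTITY_ATTRS = {"src_ip", "src_port", "session_id"}
REPORT_METADATA = {"ad", "rule"}

# Constructed alert packages from several ADs, all triggered by the same rule.
ALERT_PACKAGES = [
    {"ad": "ad-1", "rule": "sqli-union", "src_ip": "203.0.113.5", "method": "GET", "uri": "/search",
     "user_agent": "Mozilla/4.0 (compatible; MSIE 6.0)", "param": "q", "accept_language": "en-US"},
    {"ad": "ad-2", "rule": "sqli-union", "src_ip": "198.51.100.9", "method": "GET", "uri": "/search",
     "user_agent": "Mozilla/4.0 (compatible; MSIE 6.0)", "param": "q", "accept_language": "de-DE"},
    {"ad": "ad-1", "rule": "sqli-union", "src_ip": "203.0.113.77", "method": "GET", "uri": "/search",
     "user_agent": "Mozilla/4.0 (compatible; MSIE 6.0)", "param": "q", "accept_language": "en-US"},
    {"ad": "ad-3", "rule": "sqli-union", "src_ip": "192.0.2.44", "method": "GET", "uri": "/search",
     "user_agent": "Mozilla/4.0 (compatible; MSIE 6.0)", "param": "q", "accept_language": "fr-FR"},
]


def learn_shared_condition(packages, min_support: float = 0.9, exclude=CLIENT_IDENTITY_ATTRS) -> dict:
    """Attribute values shared by at least min_support of the packages, ignoring client
    identity and reporting metadata. Returns {attribute: value}."""
    if not packages:
        return {}
    n = len(packages)
    attrs = set().union(*(p.keys() for p in packages)) - exclude - REPORT_METADATA
    shared = {}
    for attr in sorted(attrs):
        value, count = Counter(p.get(attr) for p in packages).most_common(1)[0]
        if value is not None and count / n >= min_support:
            shared[attr] = value
    return shared


def make_rule(condition: dict, learned_from: str, min_attrs: int = 2):
    """New attribute values for the ADs. A condition on too few attributes (e.g. just
    method == GET) would match normal traffic, so it is rejected rather than shipped."""
    if len(condition) < min_attrs:
        return None
    return {"name": f"learned-from-{learned_from}", "match": dict(condition), "action": "block"}


def matches(rule: dict, request: dict) -> bool:
    return bool(rule["match"]) and all(request.get(a) == v for a, v in rule["match"].items())


if __name__ == "__main__":
    rule = make_rule(learn_shared_condition(ALERT_PACKAGES), "sqli-union")
    print(rule)
```

Because the source addresses were excluded, the learned rule blocks the attack tool's fingerprint (user agent, URI, method, parameter) from a client the ADs have never seen, which is the generalisation the abstract is after.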