RADWARE, LTD. Patent applications |
Patent application number | Title | Published |
20160119304 | TECHNIQUES FOR OPTIMIZING AUTHENTICATION CHALLENGES FOR DETECTION OF MALICIOUS ATTACKS - A method and system for optimizing segregation between human-operated clients and machine-operated clients accessing computing resources are provided. The method comprises receiving, from a client, an authentication request, wherein the authentication request is received in response to a redirect request sent from a remote server to the client; dynamically selecting at least one authentication challenge from a plurality of different authentication challenges; sending the at least one generated authentication challenge to the client; determining whether a notification call is received from the client during a predefined time interval; and upon receiving the notification call during the predefined time interval, confirming that the client passes the authentication challenge, wherein a client that passes the authentication challenge is a human-operated client. | 04-28-2016 |
20150372929 | MULTI-LAYER TRAFFIC STEERING FOR SERVICE CHAINING OVER SOFTWARE DEFINED NETWORKS - A method and system for multi-layer traffic steering for enabling service chaining over a software defined network (SDN) are provided. The method is performed by a central controller of the SDN and includes receiving at least one service chaining rule defining at least one value-added service (VAS) to assign to an incoming traffic flow addressed to a destination server; analyzing each of the at least one received service chaining rule to determine if an application-layer steering is required; generating at least one application-layer steering rule, upon determining that an application-layer steering is required; generating at least one network-layer steering rule, upon determining that an application-layer steering is not required; and programming a multi-layer steering fabric with the generated at least one of network-layer steering rule and application-layer steering rule. | 12-24-2015 |
20150372904 | PREDICTIVE TRAFFIC STEERING OVER SOFTWARE DEFINED NETWORKS - A method for predicative traffic steering over a software defined network (SDN). The method includes programming network elements in the SDN to forward an incoming traffic flow to an application-layer analysis device; receiving application-layer analysis results from the application-layer analysis device, wherein the application-layer analysis results provide association between at least one network-layer parameter, at least one application-layer parameter, and at least one application-layer service associated with the at least one application-layer parameter; and steering subsequent incoming traffic flows to at least one server configured to provide the at least one application-layer service based on the application-layer analysis results. | 12-24-2015 |
20150156086 | BEHAVIORAL NETWORK INTELLIGENCE SYSTEM AND METHOD THEREOF - A method and system for determining the behavioral impact of applications and their respective users on a network carrier are provided. The method includes receiving data collected by at least one deep packet inspection (DPI) engine; classifying the received data at least per an application path respective of each of the applications; generating an application path profile data structure using the collected data; and generating, responsive to at least one behavioral rule, at least one degree of fulfillment (DoF) for the application path based on contents of the application path profile data structure, wherein the at least DoF defines an association of the application path with at least one behavior group, wherein the behavior group determines the behavioral impact of an application represented by the application path. | 06-04-2015 |
20150154494 | METHOD AND SYSTEM FOR CONFIGURING BEHAVIORAL NETWORK INTELLIGENCE SYSTEM USING NETWORK MONITORING PROGRAMMING LANGUAGE - A method and system for configuring a behavioral network intelligence system using a network monitoring programming language are provided. The method includes defining at least one target of a traffic segment to be monitored using at least one application path attribute of an application, wherein the application is accessed via at least one user device connected to a network, wherein the at least one application path attribute is defined respective of an application path keyword and an application path assessment keyword; and defining at least one condition representing the behavior of the at least one application path attribute of the application, the at least one target and the at least one condition can be interpreted by a monitoring system to allow for determining a behavioral impact of the application on the network. | 06-04-2015 |
20150143372 | METHOD FOR LIVE MIGRATION OF VIRTUAL MACHINES - A method and system for an assisted live migration of virtual machines are provided. The method monitoring, by an advisory server, at least a workload of physical machines in a datacenter; determining if at least one physical machine is overloaded based on the monitored workload; for each of the at least one physical machine determined to be overloaded, selecting at least one virtual machine resides in the respective physical machine, wherein the selection is based at least on a current load of the virtual machine; and initiating a live migration of the selected virtual machine when the current load is lower than a comfort load level. | 05-21-2015 |
20150089566 | ESCALATION SECURITY METHOD FOR USE IN SOFTWARE DEFINED NETWORKS - A method for performing an escalation security policy in a software defined network (SDN) includes receiving at least one attack indication performed against at least one destination server; upon determination that an attack is being performed against the at least one destination server, for each client sending traffic to the at least one destination server: determining a risk state for a user of the each client; obtaining an escalation security policy respective of the determined risk state of the user, wherein the escalation security policy defines a sequence of at least one challenge action for challenging the each client, an order and at least one condition for execution of the sequence of at least one challenge action; and causing network elements of the SDN to divert incoming traffic from the each client to security servers connected to the SDN and configured to perform the at least one challenge action. | 03-26-2015 |
20140373143 | METHOD AND SYSTEM FOR DETECTING AND MITIGATING ATTACKS PERFORMED USING CRYPTOGRAPHIC PROTOCOLS - A method and system for detecting and mitigating attacks performed using a cryptographic protocol are provided. The method comprises establishing an encrypted connection with the client using the cryptographic protocol, upon receiving an indication about a potential attack; receiving an inbound traffic from a client, wherein the inbound traffic is originally directed to a protected entity; analyzing application layer attributes of only the inbound traffic received on the encrypted connection to detect at least one encrypted attack; and causing to establish a new encrypted connection between the client and the protected entity, if the at least one encrypted attack at the application layer has not been detected. | 12-18-2014 |
20140330983 | LOAD BALANCING - A method and network device for managing a multi-homed network are provided. The method comprises receiving a request from a client within a client computer network directed to a remote server computer within a remote computer network, wherein the client and the remote server computer are connected through a plurality of data routes, each of the plurality of data routes is connected to a router; selecting a data route from the plurality of data routes to route the received request, wherein the selection of the data route is based on a decision function; translating a source IP address of the client to an IP address corresponding to the selected data route; and routing the received request from the client to the remote server computer over the selected data route. | 11-06-2014 |
20140283051 | SYSTEM AND METHOD THEREOF FOR MITIGATING DENIAL OF SERVICE ATTACKS IN VIRTUAL NETWORKS - A method for efficient mitigation of denial of service (DoS) attacks in a virtual network. The method maintains a security service level agreement (SLA) guaranteed to protected objects. The method comprises ascertaining that a denial of service (DoS) attack is performed in the virtual network; checking if the DoS attack affects at least one physical machine hosting at least one protected object, wherein the protected object is provisioned with at least a guaranteed security service level agreement (SLA); determining, by a central controller of the virtual network, an optimal mitigation action to ensure the at least one security SLA guaranteed to the least one protected object; and executing the determined optimal mitigation action to mitigate the DoS attack, wherein the optimal mitigation action is facilitated by means of resources of the virtual network. | 09-18-2014 |
20140189151 | METHOD AND SYSTEM FOR SPOOLING DIAMETER TRANSACTIONS - A method for spooling diameter transactions is provided. The method comprises receiving from a Diameter client a Diameter request message; determining based in part on a type of the received request message if the received request message should be spooled; determining if a current transaction rate exceeds a predefined spooling threshold, if the received request message should be spooled; and queuing the received request message if the current transaction rate exceeds the spooling threshold. | 07-03-2014 |
20140068073 | METHOD AND SYSTEM FOR EFFICIENT DEPLOYMENT OF WEB APPLICATIONS IN A MULTI-DATACENTER SYSTEM - A system for computing an optimal deployment of at least one web application in a multi-datacenter system comprising a collector for collecting performance measurements with regard to a web application executed in the multi-datacenter system and grouping the performance measurements according to locations of a plurality of clients accessing the web application; a data repository for maintaining at least a performance table including at least the performance measurements grouped according to the plurality of client locations and a service level agreement (SLA) guaranteed to clients in the plurality of client locations; and an analyzer for processing at least information stored in the performance table for generating a recommendation on an optimal deployment of the web application in at least one combination of datacenters in the multi-datacenter system by computing an expected SLA that can be guaranteed to the clients in each combination of datacenters. | 03-06-2014 |
20130283374 | TECHNIQUES FOR SEPARATING THE PROCESSING OF CLIENTS' TRAFFIC TO DIFFERENT ZONES IN SOFTWARE DEFINED NETWORKS - A method and system for separation of traffic processing in a software defined network (SDN). The method comprises allocating a first group of computing resources of a computing farm to a trusted zone and a second group of computing resources to an un-trusted zone; assigning the computing resources in the first group to a first ADC and the computing resources in the second group with a second ADC; triggering a zoning mode in the computing frame to mitigate a potential cyber-attack; and causing at least one network element in the SDN to divert traffic from a trusted client to the first group of computing resources and traffic from an un-trusted client to the second group of computing resources based on a plurality of zoning rules implemented by the at least one network element. | 10-24-2013 |
20130283373 | TECHNIQUES FOR SEPARATING THE PROCESSING OF CLIENTS' TRAFFIC TO DIFFERENT ZONES - A system and method for separation of traffic processing in a computing farm. The method comprises allocating a first group of computing resources of the computing farm to a trusted zone and a second group of computing resources to an un-trusted zone, wherein the computing resources in the first group are allocated to ensure at least service-level agreements (SLA) guaranteed to a group of trusted clients; determining, based on a plurality of security risk indication parameters, if a client associated with an incoming traffic is a trusted client or an un-trusted client; forwarding the incoming traffic to the second group of computing resources when the client is determined to be an un-trusted client; and diverting the incoming traffic to the first group of computing resources when the client is determined to be a trusted client, thereby ensuring at least the SLA guaranteed to the trusted client. | 10-24-2013 |
20130268646 | TECHNIQUES FOR PROVIDING SCALABLE APPLICATION DELIVERY CONTROLLER SERVICES - A method for managing an application delivery controller (ADC) cluster operable in a software defined networking (SDN)-based network and including a plurality of ADC virtual appliances (VAs). The method comprises creating, by a central controller, a hash table including a plurality of buckets allocated to active VAs out of the plurality of VAs, each bucket is assigned to a range of a source internet protocol (IP) addresses of a client; and programming by the central controller at least one ingress network element connected to the ADC cluster and receive incoming traffic from clients to perform a balanced incoming traffic distribution among the plurality of VAs, wherein the traffic distribution is based in part on the allocation of the buckets to the plurality of VAs and the SIP addresses of the clients originating the incoming traffic. The plurality of VAs are virtual ADC instances operable i the plurality of physical devices. | 10-10-2013 |
20130254879 | METHOD AND SYSTEM FOR DETECTING AND MITIGATING ATTACKS PERFORMED USING CRYPTOGRAPHIC PROTOCOLS - A method and security system for detecting and mitigating encrypted denial-of-service (DoS) attacks. The system includes a DoS defense (DoSD) module configured to detect an encrypted DoS attack in an inbound traffic by analyzing attributes only in the inbound traffic that relate to at least one of a network layer and an application layer, wherein the DoSD module is further configured to mitigate a detected encrypted attack, the inbound traffic originates at a client and is addressed to a protected server; and a cryptographic protocol engine (CPE) configured to establish a new encrypted session between the client and the security system, decrypt requests included in the inbound traffic, and send encrypted responses to the client over the new encrypted session between the client and the security system. | 09-26-2013 |
20130139214 | MULTI DIMENSIONAL ATTACK DECISION SYSTEM AND METHOD THEREOF - A method and system for protecting a protected entity using a multi-dimensional protection surface. The method comprises detecting at least one potential attack against the protected entity in incoming data traffic directed to the protected entity; detecting a type of each attack tool committing the at least one potential attack; generating a multi-dimensional protection surface by correlating a plurality of inputs related to the at least one detected attack, wherein the plurality of inputs include at least a first input identifying the at least one detected attack and a second input identifying each attack tool that performs the at least one detected attack, wherein the protection multi-dimensional surface includes at least one protection point that defines at least one attack mitigation action to mitigate the at least one detected attack; and executing the at least one attack mitigation action defined in the multi-dimensional protection surface. | 05-30-2013 |
20130055260 | TECHNIQUES FOR WORKLOAD BALANCING AMONG A PLURALITY OF PHYSICAL MACHINES - A method for workload balancing among a plurality of physical machines hosting a plurality of virtual machines (VMs) is disclosed. The method comprises periodically measuring a utilization of each hardware resource in each of the plurality of physical machines; computing a resource utilization score for each hardware resource based on its respective measured utilization; computing a total physical machine utilization score for each physical machine based on the computed resource utilization scores of its respective resources; and upon reception of a client request corresponding to a software application, selecting one physical machine of the plurality of physical machines to serve the client request, wherein the selection is based on the computed total physical machine utilization. | 02-28-2013 |
20130054813 | METHOD FOR LIVE MIGRATION OF VIRTUAL MACHINES - A method for an assisted live migration of virtual machines is disclosed. The method comprises receiving an assist request for assisting in a migration of a virtual machine, wherein the assist request includes at least a comfort load level; determining a current load of the virtual machine to be migrated; comparing the current load to the comfort load level; reducing a load on the virtual machine to be migrated until the current load is lower than the comfort load level; and initiating a live migration of the virtual machine to be migrated when the current load is lower than the comfort load level. | 02-28-2013 |
20120303784 | LOAD BALANCING - A network management system, device and method for managing a computer network. The device is connected to the Internet through a plurality of routes, wherein the plurality of routes are assigned with respective IP addresses. The device includes a controller receiving a DNS resolution query from a remote computer for a domain name within the computer network, selecting one of the plurality of routes connecting the device to the Internet, and responding to the DNS resolution query with an IP address associated with the selected route. The IP address is used for resolution of the domain name. | 11-29-2012 |
20120227039 | METHOD FOR EXECUTING VIRTUAL APPLICATION DELIVERY CONTROLLERS HAVING DIFFERENT APPLICATION VERSIONS OVER A COMPUTING DEVICE - A method for executing virtual application delivery controllers (vADCs) having different application versions over a computing device. The method comprises installing a virtualization infrastructure in the computing device; creating by the virtualization infrastructure a plurality of vADCs having different application versions, wherein each vADC is created from a software image maintained in a hardware infrastructure of the computing device; gathering version information associated with each of the plurality of vADCs; independently executing the plurality of vADCs over an operating system of the computing device; and controlling the execution of the plurality of the vADCs over an operating system of the computing device using the virtualization infrastructure using in part the version information. In one embodiment, each of the plurality of vADCs does not execute its own guest operating system. | 09-06-2012 |
20120226810 | TECHNIQUES FOR VIRTUALIZATION OF APPLICATION DELIVERY CONTROLLERS - A virtualized application delivery controller (ADC) device operable in a communication network comprises a hardware infrastructure including at least a memory, a plurality of core processors, and a network interface; a plurality of instances of virtual ADCs (vADCs), the plurality of vADCs are executed over the hardware infrastructure, each of the plurality of vADCs utilizes a portion of hardware resources of the hardware infrastructure, the portion of hardware resources are determined by at least one ADC capacity unit allocated for each of the plurality of the vADCs; a management module for at least creating the plurality of instances of the vADCs; and a traffic distributor for distributing incoming traffic to one of the plurality of vADCs and scheduling execution of the plurality of vADCs on the plurality of core processors, wherein each of the plurality of vADCs is independently executed on at least one of the plurality of core processors. | 09-06-2012 |
20120136697 | METHOD AND SYSTEM FOR EFFICIENT DEPLOYMENT OF WEB APPLICATIONS IN A MULTI-DATACENTER SYSTEM - A system for computing an optimal deployment of at least one web application in a multi-datacenter system comprising a collector for collecting performance measurements with regard to a web application executed in the multi-datacenter system and grouping the performance measurements according to locations of a plurality of clients accessing the web application; a data repository for maintaining at least a performance table including at least the performance measurements grouped according to the plurality of client locations and a service level agreement (SLA) guaranteed to clients in the plurality of client locations; and an analyzer for processing at least information stored in the performance table for generating a recommendation on an optimal deployment of the web application in at least one combination of datacenters in the multi-datacenter system by computing an expected SLA that can be guaranteed to the clients in each combination of datacenters. | 05-31-2012 |
20120102541 | Method and System for Generating an Enforceable Security Policy Based on Application Sitemap - A system for generating a security policy for protecting an application-layer entity. The system comprises a security sitemap generator for generating a security sitemap of a protected application-layer entity, the security sitemap is stored in a first repository connected to the security sitemap generator; and a policy builder for generating a security policy for the application-layer entity based on the security sitemap, the security policy is stored in a second repository connected to the policy builder, wherein the security policy includes a plurality of enforcement rules for at least one of a resource, a group of resources, and a client-side input parameter of at least a portion of the protected application-layer entity. | 04-26-2012 |
20120071131 | METHOD AND SYSTEM FOR PROFILING DATA COMMUNICATION ACTIVITY OF USERS OF MOBILE DEVICES - A method for profiling data communication activity of users of mobile devices, comprises sniffing traffic flows between a mobile device and the Internet through a cellular network; extracting a plurality of traffic attributes included in the traffic flows and associated with the mobile device; logging the extracted plurality of traffic attributes; analyzing the plurality of traffic attributes for generating a user profile for a user of the mobile device based on the plurality of traffic attributes, wherein the user profile includes at least one of an advertising targeted user profile and a security targeted user profile; and sharing information and alerts related to the generated user profile with at least one external system. | 03-22-2012 |
20090265467 | Method and System for Load Balancing over a Cluster of Authentication, Authorization and Accounting (AAA) Servers - A method and system for load balancing over a cluster of authentication, authorization and accounting (AAA) servers. The method performs a distribution of AAA requests among AAA servers having an active AAA connection with an AAA client. The method includes establishing TCP connections with a plurality of AAA servers, using a TCP connection request received from at least one AAA client; opening AAA connections with a plurality of AAA servers, using an AAA connection request received from at least one AAA client, and distributing AAA requests to AAA servers with an active AAA connection according to a predefined load balancing algorithm. The invention is further capable of multiplexing outbound messages and requests received from a plurality of AAA servers. The AAA protocol supported by the invention includes, but is not limited to, a Diameter protocol, a lightweight directory access protocol (LDAP), and the likes. | 10-22-2009 |
20090132714 | Method and System for Providing Connection Resiliency - A system, method and device for providing connection resiliency. The method including maintaining, by a first proxy, a TCP connection with a TCP client and a TCP connection with a TCP server through one or more TCP networks; maintaining information of both TCP connections by a forwarding component between the TCP networks and the first proxy; establishing, by the forwarding component, a new TCP connection with a second proxy for each of the TCP connections maintained by the first proxy; and forwarding data, to and from both the client and the server, to and from the second proxy without disconnection of the TCP connections of the TCP client and TCP server. | 05-21-2009 |
20090043724 | Method, System and Computer Program Product for Preventing SIP Attacks - A method for preventing session initiation protocol (SIP) attacks is provided. The method includes receiving a plurality of SIP response messages comprising at least one pre-defined SIP response code, and extracting at least one user identifier from the plurality of SIP response messages. The method further includes computing at least one of a frequency of the plurality of SIP response messages and a count of the plurality of SIP response messages corresponding to each user identifier of the at least one user identifier. The method further includes calculating a degree of attack corresponding to each user identifier using at least one of the frequency and the count. The method further includes determining a monitoring interval for each user identifier based upon the degree of attack for monitoring the plurality of SIP response messages. An apparatus and a computer program product for preventing SIP attacks are also provided. | 02-12-2009 |
20080282254 | Geographic Resiliency and Load Balancing for SIP Application Services - A mechanism for achieving resiliency and load balancing for SIP application services and, in particular, in geographic distributed sites. A method performs a distribution of SIP requests among SIP servers, where at least two sites with a load balancer in each site is configured. The method includes receiving a SIP request by a first load balancer in a first site; determining whether the SIP request should be redirected to a second site; and redirecting the SIP request to an address of a second load balancer in the second site. The invention also includes a SIP proxy including a receiving unit receiving SIP requests; a load balancing unit distributing SIP requests between SIP entities; and a health monitoring unit verifying availability of the SIP entities. The SIP proxy may further be configured with a proximity measuring unit determining a proximity to a SIP entity. | 11-13-2008 |