US Pat. No. 9,584,550

EXPLOIT DETECTION BASED ON HEAP SPRAY DETECTION

Palo Alto Networks, Inc.,...

1. A system for exploit detection by detecting heap spray in memory, comprising:
a processor configured to:
execute a program in a virtual environment;
monitor the program during execution in the virtual environment; and
detect heap spray in memory while executing the program in the virtual environment based on a comparison of each of a plurality
of allocated blocks in memory, comprising to:

generate a first hash value of a first allocated block using a hash algorithm;
generate a second hash value of a second allocated block using the hash algorithm; and
determine whether the program is performing heap spraying based on a comparison of the first and second hash values; and
a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 9,596,155

ENCRYPTED PEER-TO-PEER DETECTION

Palo Alto Networks, Inc.,...

24. A method, comprising:
monitoring a network traffic sent from a first client to determine whether the first client is executing a peer-to-peer application; and

generating a network traffic, using a processor, that emulates peer-to-peer network traffic sent from the peer-to-peer application
executing on the first client to a second client after detecting an unknown network traffic sent from the first client to
the second client, wherein the generating of the network traffic that emulates the peer-to-peer network traffic comprises:

sending, to the second client, the emulated peer-to-peer network traffic identifying non-existent peers or spoofed peers,
wherein the emulated peer-to-peer network traffic identifying the non-existent peers or the spoofed peers indicates that the
emulated peer-to-peer network traffic originated from a peer that does not exist; and

in the event that one of the non-existent peers or the spoofed peers is being contacted, emulating a peer-to-peer traffic
response including dummy data.

US Pat. No. 9,591,004

GEOGRAPHICAL INTRUSION RESPONSE PRIORITIZATION MAPPING THROUGH AUTHENTICATION AND FLIGHT DATA CORRELATION

Palo Alto Networks, Inc.,...

1. A method for displaying data associated with a cyber-attack threat against an airline, comprising:
receiving threat data associated with a network point of an airline, wherein the threat data relates to at least one of a
vulnerability or an intrusion;

retrieving flight identification data from a flight information database in response to receiving the threat data, wherein
the flight identification data comprises an Internet Protocol (IP) address of the network point;

retrieving flight location data from a flight location database using the flight identification data;
correlating the threat data, the flight identification data, and the flight location data to generate a record using a processor,
wherein the threat data comprises a source IP address and a destination IP address, and wherein correlating comprises associating
the IP address of the flight identification data with at least one of the source IP address of the threat data and the destination
IP address of the threat data; and

outputting a graphical representation reflecting the record.

US Pat. No. 9,473,528

IDENTIFICATION OF MALWARE SITES USING UNKNOWN URL SITES AND NEWLY REGISTERED DNS ADDRESSES

Palo Alto Networks, Inc.,...

1. A system, comprising:
a processor configured to:
perform a heuristic analysis for information associated with a network site, wherein performing the heuristic analysis for
information associated with the network site further comprises:

determine whether the network site has recently been registered, wherein in the event that the network site has been recently
registered, the network site has been registered within the last 9 months;

determine whether the network site has a change in domain name system (DNS) information, the change in DNS information including
a change in domain name, a change in ownership of a network uniform resource locator (URL), a new IP address outside of the
same subnet, or any combination thereof;

determine source information associated with the network site, wherein the source information includes geographical information
associated with the network site and IP network related source information; and

generate a list of potentially malicious network sites based on whether the network site has recently been registered, whether
the network site has a change in DNS information, and the source information associated with the network site; and

assign a score based on the heuristic analysis, wherein the score indicates whether the network site is potentially malicious,
wherein the assigning of the score comprises to assign the score based on whether the network site has recently been registered,
whether the network site has a change in DNS information, and the source information associated with the network site; and

a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 9,104,745

DISTRIBUTED LOG COLLECTOR AND REPORT GENERATION

Palo Alto Networks, Inc.,...

1. A system, comprising:
a processor configured to:
receive a query for retrieving stored log data that satisfies the query;
query each of a plurality of log collector clusters for stored log data that satisfies the query;
receive responses to the query from each of at least a subset of the plurality of log collector clusters, wherein to receive
responses to the query from each of at least a subset of the plurality of log collector clusters comprises to receive an aggregated
cluster response from a coordinator log collector of each of the at least subset of plurality of log collector clusters; and

aggregate the received responses from the at least subset of the plurality of log collector clusters to generate a log report
in response to the received query; and

a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 9,047,441

MALWARE ANALYSIS SYSTEM

Palo Alto Networks, Inc.,...

1. A system, comprising:
a first device comprising a first processor configured to execute a firewall, and a second device comprising a second processor
configured to execute a virtual machine, wherein the executing the firewall using the first processor of the first device
comprises:

using the firewall to identify an application type associated with a network traffic flow;
using the firewall to select a decoder to decode the network traffic flow based at least in part on the identified application
type, wherein decoding the network traffic flow includes assembling one or more packets associated with the network traffic
flow into a correct order;

using the firewall to decrypt the network traffic flow to generate a potential malware sample from at least a portion of the
network traffic flow, wherein a preexisting signature does not match the potential malware sample, wherein the potential malware
sample is related to a Portable Document Format (PDF) file; and

sending the potential malware sample from the firewall to the virtual machine; and
wherein the executing the virtual machine using the second processor of the second device comprises:
analyzing the potential malware sample using the virtual machine to determine if the potential malware sample is malware,
wherein analyzing the potential malware using the virtual machine includes monitoring behavior of the potential malware sample
during emulation using the virtual machine to identify malware, wherein the monitored behaviors that indicate potential malware
include one or more of the following: visiting a domain associated with a domain name length that exceeds a threshold, and
communicating using an HTTP header associated with a shorter than threshold length;

determining a score associated with one or more network traffic behaviors associated with the potential malware sample monitored
using the virtual machine;

automatically generating a signature using the virtual machine if the potential malware sample is determined to be malware,
wherein the determination of whether the potential malware sample comprises malware is based at least in part on the score,
wherein the signature in the event that the potential malware sample is determined to be malware is generated based at least
in part on at least a cross reference table included in the PDF file; and

sending the signature from the virtual machine to the firewall, wherein the firewall is configured to enforce a security policy
for network access based at least in part on the signature.

US Pat. No. 9,413,723

CONFIGURING AND MANAGING REMOTE SECURITY DEVICES

Palo Alto Networks, Inc.,...

1. A system, comprising:
a processor of a device for configuring and managing a plurality of remote security devices configured to:
receive a registration request for a remote security device, wherein the registration request includes a serial number of
the remote security device, a media access control (MAC) address of the remote security device, or a user entered unique identifier,
or any combination thereof;

verify the registration request to determine that the remote security device is an authorized remote security device for an
external network;

send a response identifying one or more security gateways to the remote security device, wherein the sending of the response
includes sending a certificate to the remote security device to establish an associated tunnel;

identify an updated prioritized list of two or more security gateways to the remote security device, wherein the remote security
device is automatically configured to connect to a second security gateway over the remote security device's associated tunnel,
wherein the second security gateway is included in the updated prioritized list of two or more security gateways, wherein
each of the two or more security gateways performs security processing on received outbound network traffic based on a security
policy, and wherein the remote security device routes traffic based on an availability of security gateways identified in
the updated prioritized list of two or more security gateways; and

revoke the certificate issued to the remote security device, wherein the remote security device can no longer connect to a
first security gateway after revocation of its certificate; and

a memory of the device for configuring and managing a plurality of remote security devices coupled to the processor of the
device for configuring and managing a plurality of remote security devices and configured to provide the processor of the
device for configuring and managing a plurality of remote security devices with instructions.

US Pat. No. 9,104,870

DETECTING MALWARE

Palo Alto Networks, Inc.,...

1. A system, comprising:
a processor configured to:
receive a candidate malware potentially including one or more malicious elements;
analyze the candidate malware using a virtual machine, including by:
evaluating one or more actions taken by the candidate malware, when executing in the virtual machine, to determine whether
the candidate malware is attempting to take an anti-virtual machine action;

determine that at least one action taken by the candidate malware when executing in the virtual machine is an anti-virtual
machine action, comprising an attempt to check that the candidate malware is running in a virtualized environment; and

in response to the determination, generate as output an alert that the candidate malware is malicious; and
a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 9,405,903

SINKHOLING BAD NETWORK DOMAINS BY REGISTERING THE BAD NETWORK DOMAINS ON THE INTERNET

Palo Alto Networks, Inc.,...

1. A system for sinkholing bad network domains by registering the bad network domains on the Internet, comprising:
a processor configured to:
generate one or more signatures for a plurality of bad network domains;
distribute the one or more signatures to a plurality of security devices to determine a set of candidate bad network domains
for sinkholing;

select a bad network domain included in the set of candidate bad network domains for sinkholing based on a detection of a
threshold number of connections that were attempted to the bad network domain based on logged signature matches, wherein the
bad network domain is associated with an identified malware;

register the bad network domain with a domain registry to a valid IP address in order to sinkhole the bad network domain,
wherein the bad network domain is sinkholed by registering the bad network domain such that an authoritative DNS server can
translate the registered bad network domain to the valid IP address, and wherein the valid IP address is associated with a
device controlled by a cloud security service provider; and

identify a host that is infected with the identified malware based on an attempt by the host to connect to the valid IP address,
wherein the host received a DNS query response that resolved the registered bad network domain to the valid IP address; and

a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 9,294,394

L2/L3 MULTI-MODE SWITCH INCLUDING POLICY PROCESSING

Palo Alto Networks, Inc.,...

1. A method for forwarding data packets in a computer network, the method comprising:
receiving a data packet;
examining the data packet using a processor to classify the data packet including classifying the data packet as a layer 2
(L2) or layer 3 (L3) packet;

performing a zone determination on the classified data packet including determining only a destination zone, but not a source
zone, associated with the classified data packet, wherein the destination zone is associated with at least one policy rule,
and wherein a policy includes one or more policy rules that are indexed by the destination zone;

determining one or more policies based on the zone determination;
processing the classified data packet in accordance with the one or more determined policies including:
performing content based pattern matching on the classified data packet in accordance with both content and header data including
determining one or more content based policies associated with matched packets; and

forwarding the classified data packets to an intended destination if the determined policies permit based on the destination
zone and content based pattern matching.

US Pat. No. 9,047,109

POLICY ENFORCEMENT IN VIRTUALIZED ENVIRONMENT

Palo Alto Networks, Inc.,...

1. A system, comprising:
a processor configured to:
receive a rule to be applied to network traffic associated with members of a specific dynamic address group, wherein membership
of a computing resource in the specific dynamic address group is determined at least in part by performing a query using a
set of one or more filters;

receive virtual machine information associated with a first virtual machine instance executing on a host machine;
determine, based at least in part on matching a portion of the received virtual machine information with the set of one or
more filters, that the first virtual machine instance is a member of the dynamic address group; and

in response to the determination, apply the rule to network traffic associated with the first virtual machine instance; and
a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 9,491,047

MANAGING NETWORK DEVICES

Palo Alto Networks, Inc.,...

1. A method performed by a first network device for configuring the first network device using a central management system,
the method comprising:
receiving a first request originating from the central management system to update a respective value of a first configuration
object corresponding to a shared configuration object that is stored at a central configuration database associated with the
central management system with a first new value, wherein a second configuration object corresponding to the shared configuration
object is stored at a second local configuration database associated with a second network device, wherein the second network
device is configured to receive the first request originating from the central management system and update the second configuration
object corresponding to the shared configuration object that is stored at the second local configuration database associated
with the second network device with the first new value;

determining that the first configuration object corresponding to the shared configuration object is not stored in a first
local configuration data store associated with the first network device;

determining whether the shared configuration object is relevant for the first network device, in the event that the shared
configuration object is determined to be relevant, creating the first configuration object corresponding to the shared configuration
object in the first local configuration data store associated with the first network device and updating the first configuration
object with the first new value, wherein determining whether the shared configuration object is relevant for the first network
device is based at least in part on comparing the shared configuration object with a list of relevant configuration objects;

receiving a second request to update the value of the first configuration object corresponding to the shared configuration
object in the first local configuration data store associated with the first network device with a second new value;

determining whether the second request originated from the central management system; and
in the event that the second request did not originate from the central management system, rejecting the second request to
update the value of the first configuration object.

US Pat. No. 9,471,514

MITIGATION OF CYBER ATTACKS BY POINTER OBFUSCATION

PALO ALTO NETWORKS, INC.,...

1. A method for protecting a computer when loading a computer program into a memory for execution by the computer and creating
a data structure for the computer program, comprising:
executing a pointer handling module which when loading a computer program into a memory for execution by the computer, and
before execution of the computer program, performs:

identifying a first pointer in the data structure created for the computer program, the first pointer indicating a first memory
address which can be used to access operating system functions and accordingly is considered to be vulnerable;

replacing the identified first pointer in the created data structure for the loaded computer program with a second pointer
selected to initiate an exception when accessed;

configuring the computer such that when the second pointer is accessed, control is transferred to a security program module
in two steps, a first step in which the computer attempts to access a memory location indicated by the second pointer, causing
an exception, and a second step in which an exception handling function transfers control to the security program module;

initiating execution of the computer program after replacing the first pointer; and
determining, by the security program module when invoked, whether an access to the second pointer which invoked the security
program module is a possible unauthorized access to the functionality of the computer.

US Pat. No. 9,391,863

SERVER RESOURCE MANAGEMENT, ANALYSIS, AND INTRUSION NEGOTIATION

Palo Alto Networks, Inc.,...

1. A method comprising:
monitoring a plurality of resources associated with a network server, the plurality of resources including a communication
interface of the network server and a processor of the network server, wherein monitoring the plurality of resources includes
determining a number of open network connections using the communication interface of the network server;

comparing activity levels of the plurality of resources to predetermined threshold activity levels; and
reducing usage of one of the plurality of resources when the activity level associated with the one of the plurality of resources
increases above the predetermined threshold activity level associated therewith, wherein reducing usage of the one of the
plurality of resources includes:

reducing the number of open network connections to obtain a first number of open network connections by closing open network
connections based on a priority of the open network connections, shutting down an open but inactive network connection, and
refusing to open new network connections;

comparing the first number of open network connections with a number of open network connections threshold; and
in the event that the first number of open network connections is greater than or equal to the number of open network connections
threshold, randomly close an open network connection.

US Pat. No. 9,306,911

CREDENTIALS MANAGEMENT IN LARGE SCALE VIRTUAL PRIVATE NETWORK DEPLOYMENT

Palo Alto Networks, Inc.,...

1. A system for credentials management in large scale virtual private network (VPN) deployment, comprising:
a processor of a satellite device configured to:
generate a public/private key pair and a certificate signing request;
automatically communicate the certificate signing request to a portal over a public, untrusted network to authenticate the
satellite device using a serial number associated with the satellite device, wherein the satellite device automatically communicates
with the portal at a portal address to register the satellite device with the portal by executing a boot-up process or script,
and wherein the certificate signing request and the serial number are verified by the portal;

receive a certificate from the portal for using to establish VPN connections and configuration information for the satellite
device, wherein the certificate includes a credential signed by the portal as a trusted certificate authority, and wherein
the configuration information includes gateway configuration information identifying a plurality of gateways to which the
satellite device is configured to connect using VPN connections; and

automatically attempt to connect the satellite device to each of the plurality of gateways using the certificate to authenticate
the satellite, wherein the satellite attempts to establish VPN connections with each of the plurality of gateways, wherein
each of the plurality of gateways verifies the certificate based on Online Certificate Status Protocol (OCSP) status information,
and in the event that the certificate is valid and has not been revoked, allows the attempt to establish the VPN connection,
and wherein de-authorization of the satellite device includes removing the serial number associated with the satellite device
from a portal configuration, and wherein the certificate for the satellite device is automatically revoked; and

a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 9,843,593

DETECTING ENCRYPTED TUNNELING TRAFFIC

Palo Alto Networks, Inc.,...

1. A network device for monitoring network communications, comprising:
a processor; and
a memory coupled with the processor, wherein the memory is configured to provide the processor with instructions which when
executed cause the processor to:

monitor encrypted network communications between a client and a remote server;
decrypt encrypted session traffic between the client and remote server;
monitor, within the decrypted encrypted session traffic, for a request from the client to create a tunnel using a first protocol
with the remote server by applying a trusted man-in-the-middle technique using a self-signed certificate to inspect monitored
traffic between the client and the remote server to facilitate deep packet inspection of the encrypted session traffic between
the client and remote server, comprising to:

determine, within the decrypted encrypted session traffic, if the client sends the request to create the tunnel using the
first protocol with the remote server; and

in response to a determination that the client sent the request to create the tunnel using the first protocol with the remote
server:

intercept the request to establish the tunnel using the first protocol with the remote server, wherein the request is found
within the decrypted encrypted session traffic;

block, after the intercepting of the request, the request to create the tunnel; and
send a response to the client, the response informing the client that tunneling using the first protocol is not supported
by the remote server;

perform a traffic analysis of the decrypted encrypted session traffic between the client and remote server, comprising to:
identify an application generating the monitored traffic, comprising to determine what type of traffic a session involves,
the type of traffic the session involves includes Hypertext Transfer Protocol (HTTP) traffic, File Transfer Protocol (FTP)
traffic, Secure Sockets Layer (SSL) traffic, Secure Shell (SSH) traffic, a Domain Name System (DNS) request, unclassified
application traffic, or any combination thereof;

identify a user generating the monitored traffic, comprising to determine a source IP of the monitored traffic; and
identify content relating to the monitored traffic, comprising to determine peer-to-peer activities, social networking activities,
web browsing on certain prohibited web sites, streaming music, streaming video, use of unauthorized protocols, use of unauthorized
applications, or any combination thereof;

determine whether a firewall policy is violated based on the traffic analysis of the encrypted session traffic between the
client and remote server; and

send a message to a cloud security service if the deep packet inspection determined that the client is using the encrypted
tunnel to evade a firewall policy, wherein the message includes identifying information associated with the remote server.

US Pat. No. 9,661,065

DETERMINATION OF DATA OBJECT EXPOSURE IN CLOUD COMPUTING ENVIRONMENTS

Palo Alto Networks, Inc.,...

1. A method of indicating data object exposure in a cloud computing environment, comprising:
receiving information about a data object from the cloud computing environment;
analyzing the information to determine a plurality of exposure characteristics for the data object, wherein each exposure
characteristic of the plurality of exposure characteristics comprises one or more items of the information that indicate exposure
of the data object, and wherein the exposure of the data object comprises accessibility of the data object beyond what is
desired by an interested party to the data object; and

determining an indication of the exposure of the data object based on the plurality of exposure characteristics.

US Pat. No. 9,613,210

EVALUATING MALWARE IN A VIRTUAL MACHINE USING DYNAMIC PATCHING

Palo Alto Networks, Inc.,...

1. A system, comprising:
a processor configured to:
initialize, as a copy-on-write overlay associated with an original virtual machine image, a first virtual machine instance;
apply one or more modifications to the first virtual machine instance, wherein at least one modification includes the installation
of startup instructions, and wherein at least one modification is associated with the installation of a honey file;

start the modified virtual machine instance, including by executing a selected first sample within the started virtual machine
instance;

capture a first set of modifications resulting from executing the first virtual machine instance; and
determine, based at least in part on an analysis of the captured modifications, that the selected first sample is malicious; and

a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 9,503,424

DYNAMIC RESOLUTION OF FULLY QUALIFIED DOMAIN NAME (FQDN) ADDRESS OBJECTS IN POLICY DEFINITIONS

Palo Alto Networks, Inc.,...

1. A system, comprising:
a processor configured to:
receive a network policy that includes a domain name, wherein the domain name includes a Fully Qualified Domain Name (FQDN);
periodically update Internet Protocol (IP) address information associated with the domain name by performing a Domain Name
Server (DNS) query, wherein update the IP address information comprises:

determine whether the domain name has been resolved;
in the event that the domain name has not been resolved, attempt to resolve the domain name; and
in the event that the domain name has been resolved, check whether the IP address information associated with the domain name
has changed; and

in the event that the network policy is to be enforced and the IP address information associated with the domain name has
not been updated, dynamically perform a resolution of the domain name to enforce the network policy based on the domain name;
and

a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 9,503,480

DEPLOYING POLICY CONFIGURATION ACROSS MULTIPLE SECURITY DEVICES THROUGH HIERARCHICAL CONFIGURATION TEMPLATES

Palo Alto Networks, Inc.,...

1. A system for configuring a plurality of security devices, comprising:
a processor configured to:
receive a configuration input for a hierarchy of templates; and
implement central configuration management for the plurality of security devices using the hierarchy of templates that facilitates
device specific configuration based on local configuration information and template override of template based configuration
information, wherein the implementing of the central configuration management for the plurality of security devices comprises:

for each security device:
in the event that local configuration information conflicts with configuration information of a template, determine whether
a priority of the template is higher than a priority of an object associated with the each security device; and

in the event that the priority of the template is higher than the priority of the object associated with the each security
device, override the local configuration information with the configuration information of the template; and

a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 9,495,188

SYNCHRONIZING A HONEY NETWORK CONFIGURATION TO REFLECT A TARGET NETWORK ENVIRONMENT

Palo Alto Networks, Inc.,...

1. A method of synchronizing a honey network configuration to reflect a target network environment, comprising:
storing a plurality of attributes of each of a plurality of devices in the target network environment in a device profile
data store; and

instantiating a virtual clone of one or more of the plurality of devices in the target network environment using a virtual
machine (VM) image selected from a VM image library that is customized based on one or more attributes for a target device
in the device profile data store, wherein the VM image that is selected from the VM image library is customized by loading
and booting a base image of an instance of the VM image and then dynamically patching the base image of the instance of the
VM image selected from the VM image library based on one or more attributes for the target device in the device profile store
including a last reboot time for the target device,

wherein the VM image library stores one or more VM images, and
wherein the virtual clone is executed on a VM server.

US Pat. No. 9,461,878

BLOCKING DOWNLOAD OF CONTENT

Palo Alto Networks, Inc.,...

1. A method, comprising:
receiving at a processor of a firewall appliance a response from a server to a first request for content originating from
a client of a private network, wherein the firewall appliance is configured to intercept communications between the client
and the server;

determining at the processor that the response is not known to be safe;
caching the response to the first request at the firewall appliance;
terminating a session between the client and the server associated with the first request;
providing the client a notification page having a unique identifier, wherein the notification page includes an option to accept
the response and an option to decline the response and wherein the unique identifier is associated with the option to accept
the response;

receiving at the processor of the firewall appliance a second request for the content from the client, wherein the second
request includes the unique identifier; and

in the event that the unique identifier remains valid, forwarding the cached response to the client;
wherein the content is only provided to the client in response to the second request for the content from the client generated
in response to a selection of the option to accept the response in the notification page provided to the client.

US Pat. No. 9,455,958

CREDENTIALS MANAGEMENT IN LARGE SCALE VIRTUAL PRIVATE NETWORK DEPLOYMENT

Palo Alto Networks, Inc.,...

13. A system, comprising:
a processor of a security device configured to:
generate a public/private key pair and a certificate signing request (CSR);
send the CSR to a portal over a public network to authenticate the security device using a serial number associated with the
security device, and wherein the CSR and the serial number are verified by the portal;

receive, from the portal, a certificate for use in establishing virtual private network (VPN) connections, and configuration information
for the security device, wherein the certificate includes a credential signed by the portal as a trusted certificate authority,
and wherein the configuration information includes gateway configuration information identifying a plurality of gateways to
which the security device is configured to connect using VPN connections;

attempt to connect the security device to each of the plurality of gateways using the certificate to authenticate the security
device, wherein the security device attempts to establish VPN connections with each of the plurality of gateways, wherein
each of the plurality of gateways verifies that the certificate is from the trusted certificate authority, and wherein each
of the plurality of gateways verifies that the certificate is still valid and has not expired; and

receive a list of configured routes from at least one of the plurality of gateways, wherein secure tunnels can then be established
using one or more of the configured routes, and wherein for secure tunnels with duplicate routes, the security device is configured
to determine route metrics based on a priority of each of the plurality of gateways; and

a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 9,443,019

OPTIMIZED WEB DOMAINS CLASSIFICATION BASED ON PROGRESSIVE CRAWLING WITH CLUSTERING

Palo Alto Networks, Inc.,...

1. A system for providing web domains classification based on progressive crawling with clustering, comprising:
a processor configured to:
distribute a first Uniform Resource Locator (URL) content categorization data feed to a first plurality of subscribers, comprising
to:

collect the first URL content categorization data feed based on progressive crawling with clustering to determine which category
clusters to publish for each categorized web domain, comprising to:

automatically classify content for a first web domain, comprising to:
receive the first web domain from a first security device associated with one of the first plurality of subscribers, comprising
to:

crawl a plurality of pages in the first web domain; and
determine a category for the plurality of pages in the first web domain, to group more than one page having the same category
into a first cluster, comprising to:

determine whether the number of pages in the first cluster exceeds a first threshold;
in the event that the number of pages in the first cluster does not exceed the first threshold, select a
new page within the web domain to crawl; and

classify the new page; and
send a classification determined for the content for the first web domain to the first security device associated with one
of the first plurality of subscribers; and

a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 9,325,735

SELECTIVE SINKHOLING OF MALWARE DOMAINS BY A SECURITY DEVICE VIA DNS POISONING

Palo Alto Networks, Inc.,...

1. A system for selective sinkholing of malware domains by a security device via DNS poisoning, comprising:
a processor configured to:
intercept a DNS query for a network domain from a local DNS server at the security device, wherein the network domain was
determined to be a bad network domain, wherein the security device is separate from the local DNS server, and wherein the
bad network domain was determined to be associated with malware; and

generate a DNS query response to the DNS query to send to the local DNS server, wherein the DNS query response includes a
time to live (TTL) set to a predetermined period of time, the predetermined period of time being set to a value to allow subsequent
queries from local hosts to the local DNS server for the bad network domain to result in a local DNS server cache miss, wherein
the DNS query response includes a designated sinkholed IP address for the bad network domain to facilitate identification
of an infected host by the security device, wherein the DNS query response is a spoofed DNS query response, the spoofed DNS
query response including a non-existent IP address, a reserved IP address, or a loopback address, and wherein a cache of the
local DNS server is polluted with the designated sinkholed IP address for the bad network domain as a result of the spoofed
DNS query response; and

a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 9,491,142

MALWARE ANALYSIS SYSTEM

Palo Alto Networks, Inc.,...

1. A system, comprising:
a first device comprising a first processor configured to execute a firewall, and a second device comprising a second processor
configured to execute a virtual machine,

wherein the executing the firewall using the first processor of the first device comprises:
identifying an application type associated with a network traffic flow;
selecting a decoder to decode the network traffic flow based at least in part on the identified application type, wherein
decoding the network traffic flow includes assembling one or more packets associated with the network traffic flow into a
correct order;

using the firewall to generate a potential malware sample from at least a portion of the network traffic flow;
determining that the potential malware sample does not match a preexisting signature;
determining whether to perform virtual machine emulation malware analysis on the potential malware sample based at least in
part on a policy associated with the virtual machine emulation malware analysis, wherein the policy is associated with the
application type associated with the potential malware sample;

in response to the determination to perform the virtual machine emulation malware analysis on the potential malware sample,
sending the potential malware sample from the firewall to the virtual machine; and

sending log information related to the potential malware sample to the virtual machine, wherein the log information includes
session information, application identification information, URL category information or vulnerability alert information;
and

wherein the executing the virtual machine using the second processor of the second device comprises:
using the virtual machine to monitor behavior of the potential malware sample during emulation to identify malware;
automatically generating a signature using the virtual machine in the event that the potential malware sample is determined
to be malware;

sending the signature from the virtual machine to the firewall, wherein the firewall is configured to enforce a security policy
for network access based at least in part on the signature, wherein the signature is also distributed to at least one or more
of: a security device and a security service; and

performing post analysis using the log information to determine if the potential malware sample is malware.

US Pat. No. 9,461,967

PACKET CLASSIFICATION FOR NETWORK ROUTING

Palo Alto Networks, Inc.,...

1. A system for a security controller that performs packet classification for network routing, comprising:
a processor configured to:
receive packets associated with a flow from a network device, wherein the network device performs packet forwarding;
classify the flow, comprising to:
determine an application associated with the flow, comprising to:
determine a type of traffic related to the flow; and
perform application signature matching based on the type of traffic to determine the application; and
determine a user associated with the flow, comprising to:
extract a username, a password, or a combination thereof being submitted to an external site from the received packets to determine
the user;

determine an action for the flow based on a policy, comprising:
determine the action for the flow based on the application and the user;
instruct the network device to perform the action for the flow, wherein the action is to drop the flow, ignore the flow, or
shunt the flow; and

receive additional packets associated with a new flow from the network device, wherein the security controller performs further
classification of the new flow; and

a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 9,336,386

EXPLOIT DETECTION BASED ON HEAP SPRAY DETECTION

Palo Alto Networks, Inc.,...

1. A system for exploit detection by detecting heap spray in memory, comprising:
a processor configured to:
execute a program in a virtual environment; and
detect heap spray in memory while executing the program in the virtual environment, comprising to:
for each newly allocated block of memory of a plurality of allocated blocks allocated during the execution of the program,
compare a sequence of bytes of that newly allocated block of memory with a predetermined sequence of bytes;

count a number of allocated blocks of the plurality of allocated blocks having the sequence of bytes match the predetermined
sequence of bytes; and

in the event that the number of allocated blocks of the plurality of allocated blocks having the sequence of bytes match the
predetermined sequence of bytes exceeds a first threshold, determine the program is performing the heap spray in memory; and

a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 9,300,629

PASSWORD CONSTRAINT ENFORCEMENT USED IN EXTERNAL SITE AUTHENTICATION

Palo Alto Networks, Inc.,...

1. A system for password constraint enforcement used in external site authentication, comprising:
a processor configured to:
monitor encrypted network communications between a client of a plurality of clients and an external site, wherein the encrypted
network communications are encrypted using a first protocol, comprising:

decrypt the monitored encrypted network communications between the client and the external site to implement password constraint
enforcement used in the external site authentication; and

determine if the client sends a request to create user credentials for an external site authentication, comprising:
determine whether the encrypted network communications includes the request received via a network from the client to be forwarded
to the external site; and

in the event that the encrypted network communications includes the request received via the network from the client, determine
whether the request relates to creating a new user account on the external site, the request including a new password associated
with the new user account;

in the event that the client sends the request to create user credentials for the external site authentication:
perform password constraint enforcement used in the external site authentication, wherein the password constraint enforcement
includes password complexity constraints for internal users, password complexity constraints for internal users creating authentication
credentials on external sites, a policy not to use the same password on a plurality of external sites, a policy not to use
a user's enterprise password on an external site, or any combination thereof; and

a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 9,124,627

DYNAMIC RESOLUTION OF FULLY QUALIFIED DOMAIN NAME (FQDN) ADDRESS OBJECTS IN POLICY DEFINITIONS

Palo Alto Networks, Inc.,...

1. A system, comprising:
a processor executing instructions to:
receive a network policy that includes a domain name, wherein the domain name includes a Fully Qualified Domain Name (FQDN);
periodically update Internet Protocol (IP) address information associated with the domain name by performing a Domain Name
Server (DNS) query, wherein the updating of the IP address information comprises:

determine whether the domain name has been resolved;
in the event that the domain name has not been resolved, attempt to resolve the domain name; and
in the event that the domain name has been resolved, check whether the IP address information associated with the domain name
has changed; and

in the event that the IP address information is not updated, disable or block network traffic associated with the IP address
information that is not updated; and

a memory coupled to the processor and configured to provide the processor with the instructions.

US Pat. No. 9,467,421

USING DNS COMMUNICATIONS TO FILTER DOMAIN NAMES

Palo Alto Networks, Inc.,...

1. A system, comprising:
a processor configured to:
intercept a DNS (Domain Name System) request from a client on a private network, wherein the processor is part of a security
appliance configured to intercept communications associated with the private network and wherein the DNS request is directed
to a DNS server;

extract a domain name from the DNS request;
determine that the domain name is unknown;
determine that at least a prescribed number of DNS requests including the DNS request to resolve unknown domain names have
been received from the client;

flag the unknown domain names as suspicious or malicious; and
respond to the DNS request from the client with a spoofed DNS response comprising a non-existent or unavailable IP (Internet
Protocol) address;

wherein the processor blocks the DNS request from being transmitted to any DNS server; and
a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 9,461,964

DYNAMIC ADDRESS POLICY ENFORCEMENT

Palo Alto Networks, Inc.,...

1. A system, comprising:
an interface configured to:
receive a first identity notification from a network device at a first time, and receive a second identity notification from
the network device at a second time that is after the first time, wherein the first and second identity notifications are
different;

a processor configured to:
determine, in response to the receipt of the second identity notification from the network device, that an IP address associated
with the network device has changed from a first IP address to a second IP address;

update a mapping between an identifier associated with the device and the first IP address to a mapping between the identifier
and the second IP address; and

in response to a notification that a mapping between the identifier associated with the device and an IP address has been
updated, update a policy using the updated mapping; and

enforce the updated policy; and
a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 9,418,227

DETECTING MALICIOUS SOFTWARE

Palo Alto Networks, Inc.,...

1. A method for detecting a malicious software component, the method comprising:
monitoring a series of calls made by a potentially malicious software component to determine a respective series of call types
to a plurality of software components named in the series of calls while executing the potentially malicious software component
in an emulated data processing system executed on a first data processing system that emulates hardware and an operating system
environment of the first data processing system, the potentially malicious software component making a series of calls specified
by the potentially malicious software component to the emulated data processing system;

determining whether the respective series of call types is indicative of a malicious behavior based on a comparison of the
respective series of call types to named software components with a set of predetermined call patterns indicative of malicious
behavior for the potentially malicious software component, wherein the respective series of call types to named software components
include executable files, data files, configuration files, Universal Resource Locators, Universal Resource Names, Universal
Resource Identifiers, Active X controls, object linking and embedding (OLE) controls, Java™ programs, applets, or any combination
thereof; and

preventing the potentially malicious software component from being executed or stored on a second data processing system in
response to determining the respective series of call types to the plurality of software components named in the series of
calls is indicative of the malicious behavior based on a policy, wherein the policy includes a set of rules and/or a set of
patterns that determines whether the respective series of call types to named software components indicates that the potentially
malicious software component is malicious.

US Pat. No. 9,413,774

DYNAMIC MALWARE ANALYSIS OF A URL USING A BROWSER EXECUTED IN AN INSTRUMENTED VIRTUAL MACHINE ENVIRONMENT

Palo Alto Networks, Inc.,...

1. A system for performing dynamic malware analysis of Uniform Resource Locator (URL) samples using a browser executed in
an instrumented virtual machine environment, comprising:
the instrumented virtual machine environment executed on a processor that receives a URL sample for dynamic malware analysis
using the browser executed in the instrumented virtual machine environment; and

a dynamic time allocator executed on the processor that dynamically determines a period of time allocated for performing the
dynamic malware analysis of the URL sample using the browser executed in the instrumented virtual machine environment, wherein
the URL sample is rendered using the browser executed in the instrumented virtual machine environment and monitored using
the instrumented virtual machine environment for the period of time allocated for performing the dynamic malware analysis
of the URL sample, wherein the determining of the period of time allocated for performing the dynamic malware analysis of
the URL sample using the browser executed in the instrumented virtual machine environment comprises:

reducing a time-out delay of the URL sample to be shorter;
modifying a refresh delay of the URL sample to be shorter; and
triggering execution of content of the URL sample.

US Pat. No. 9,391,954

SECURITY PROCESSING IN ACTIVE SECURITY DEVICES

Palo Alto Networks, Inc.,...

1. A method for processing packets at a first security device, the method comprising:
receiving a packet at the first security device;
determining whether the packet is associated with a flow assigned to a second security device, wherein the second security
device is distinct from the first security device;

in the event that the packet is associated with the flow assigned to the second security device:
sending the packet to the second security device; and
after the second security device performs security processing using the packet, receiving from the second security device
a message regarding the packet;

in the event that the packet is not associated with the flow assigned to the second security device:
determining whether the packet is associated with a previously assigned flow;
in the event that the packet is not associated with the previously assigned flow:
storing a new flow relating to the packet in the first security device; and
notifying the second security device that the new flow is stored in the first security device; and
performing, using the first security device, security processing using the packet; and
transmitting the packet from the first security device.

US Pat. No. 9,215,235

USING EVENTS TO IDENTIFY A USER AND ENFORCE POLICIES

Palo Alto Networks, Inc.,...

1. A system, comprising:
a processor configured to:
receive log data generated in response to a first user-provided device authenticating to an electronic mail server on a first
network, wherein the generated log data includes at least a username portion of an email address of the user, wherein the
first user-provided device is not authenticating to a directory service provider accessible via the first network, and wherein
the first user-provided device has not authenticated to the directory service provider;

receive, from the first user-provided device, a request for a first resource that is external to the first network, wherein
the first user-provided device has an IP address;

determine an identity of the user of the first user-provided device based at least in part on correlating at least a portion
of the received log data, including the username portion of the email address, and identity information associated with the
user and stored in the directory service provider;

determine a mapping between the IP address of the first device and the identity of the first user-provided device; and
apply a policy with respect to the request for the first resource based at least in part on the identity of the user of the
first user-provided device; and

a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 9,215,239

MALWARE DETECTION BASED ON TRAFFIC ANALYSIS

Palo Alto Networks, Inc.,...

1. A system, comprising:
a processor configured to:
receive a representation of network traffic indicative of one or more benign applications executing, wherein each of the one
or more benign applications is categorized as having a first predetermined application type that corresponds to at least one
type of functionality provided by each of the respective one or more applications, and wherein the one or more benign applications
are not malicious applications;

cause a candidate malware application to be executed using a virtual machine, wherein the candidate malware application has
been identified as also having the first predetermined application type, and wherein the candidate malware application is
potentially a malicious application;

perform traffic analysis on network traffic associated with the execution of the candidate malware application; and
determine that the candidate malware application is a malicious application based at least in part on a comparison of one
or more results of the traffic analysis of the candidate malware application and the received representation of network traffic
indicative of the one or more benign applications executing; and

a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 9,077,702

FLOW OWNERSHIP ASSIGNMENT IN A DISTRIBUTED PROCESSOR SYSTEM

Palo Alto Networks, Inc.,...

1. A security device for processing a plurality of network flows, comprising:
one or more packet processing cards, each packet processing card having one or more packet processors formed thereon, each
packet processing card having a data port for receiving and transmitting data packets and a local flow table, the one or more
packet processors on each packet processing card being configured to receive incoming data packets associated with one or
more network flows, at least one of the packet processors being assigned as an owner of one or more network flows, and each
packet processor processing data packets associated with network flows for which it is the assigned owner and each network
flow being assigned to only one owner packet processor, each owner packet processor processing data packets associated with
a network flow to enforce a security policy;

a packet processing manager configured to assign ownership of network flows to the one or more packet processors on the one
or more packet processing cards, the packet processing manager comprising a global flow table containing entries mapping network
flows to packet processor ownership assignments; and

a switching fabric in communication with the one or more packet processing cards and the packet processing manager,
wherein, in response to the packet processing manager receiving a first data packet belonging to a first network flow for
which no entry for the first network flow is found in the global flow table, the packet processing manager assigns a first
packet processor on a first packet processing card as the owner of the first network flow and adds an entry to the global
flow table mapping the first network flow to the first packet processor as the owner of the first network flow, the entry
being in a tentative state, the packet processing manager informs the first packet processor of the ownership assignment and
forwards the first data packet to the first packet processor; and, in response to the first packet processor accepting the
ownership assignment and in response to receiving at a second packet processor a second data packet belonging to the first
network flow, the packet processing manager stores a binding entry in the global flow table mapping the first network flow
to the owner packet processor, the second packet processor learns of the ownership assignment of the first network flow from
the packet processing manager, the packet processing card associated with the second packet processor storing in the local
flow table an entry mapping the first network flow to the first packet processor ownership assignment and the second packet
processor forwards the second data packet to the first packet processor for processing.

US Pat. No. 9,590,979

PASSWORD CONSTRAINT ENFORCEMENT USED IN EXTERNAL SITE AUTHENTICATION

Palo Alto Networks, Inc.,...

1. A system, comprising:
a processor configured to:
monitor encrypted network communications between a client and an external site;
process the encrypted network communications between the client and the external site to decrypt the encrypted network communications
between the client and the external site and to detect a request from the client to create user credentials for user authentication
on the external site; and

determine whether the request from the client to create user credentials for user authentication on the external site violates
a policy for password constraint enforcement for user authentication on external sites, the user credentials including a username,
a password, or a combination thereof, wherein the determining of whether the request from the client to create the user credentials
for the user authentication on the external site violates the policy for password constraint enforcement comprises to:

determine whether the user credentials of the external site match other user credentials for user authentication on another
external site, the other user credentials including a username, a password, or a combination thereof; and

in the event that the user credentials of the external site match the other user credentials for user authentication on the
other external site, determine that the request violates the policy for password constraint enforcement; and

a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 9,165,142

MALWARE FAMILY IDENTIFICATION USING PROFILE SIGNATURES

Palo Alto Networks, Inc.,...

1. A system for malware family identification using profile signatures, comprising:
a processor configured to:
receive, from a security device, a potential malware sample, wherein the security device is configured to, in the event an
unknown file is encountered by the security device, send the unknown file to the processor as the potential malware sample;

execute the potential malware sample in a virtual machine environment, including by monitoring interaction during execution
in the virtual machine environment between: (1) the potential malware sample and (2) an application programming interface
(API) in order to obtain an API log which includes: (a) one or more files created by the potential malware sample using the
API during execution in the virtual machine environment and (b) one or more files registered in a run key by the potential
malware sample using the API during execution in the virtual machine environment; and

determine whether the potential malware sample is associated with a known malware family based on a profile signature, including
by:

comparing (1a) the files created by the potential malware in the API log against (1b) one or more files created by the known
malware family in the profile signature and (2a) the files registered in the run key in the API log against (2b) one or more
files registered in the run key by the known malware family in the profile signature; and

in the event (1a) matches (1b) and (2a) matches (2b), identifying the potential malware sample as being a member of the known
malware family; and

a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 9,419,942

DESTINATION DOMAIN EXTRACTION FOR SECURE PROTOCOLS

Palo Alto Networks, Inc.,...

1. A system for destination domain extraction for secure protocols, comprising:
a security device;
a processor configured to:
monitor network communications between a client and a remote server;
determine if the client sends a request to create a secure connection with the remote server, wherein the secure connection
utilizes a secure protocol, the secure protocol being a secure sockets layer (SSL) protocol or transport layer security (TLS)
protocol; and

extract a destination domain from the request to create the secure connection with the remote server, comprising:
before the secure connection is created, extract the destination domain from a server name indication (SNI) of a client hello
message sent from the client to the remote server, the secure connection including an encrypted message, wherein the extracting
of the destination domain from the SNI of the client hello message sent from the client to the remote server comprises to:

identify the SNI from the client hello message during a handshaking process for setting up the secure connection between the
client and the remote server;

extract a domain identified in a public certificate sent from the remote server to the client;
compare the destination domain and the domain identified in the public certificate; and
in the event that the destination domain matches the domain identified in the public certificate, apply a security policy
based on the destination domain to filter traffic at the security device, wherein the security policy includes a whitelist/blacklist
policy; and

a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 9,240,975

SECURITY DEVICE IMPLEMENTING NETWORK FLOW PREDICTION

Palo Alto Networks, Inc.,...

1. A security device for processing a plurality of network flows, comprising:
one or more packet processors configured to receive incoming data packets associated with one or more network flows, at least
one of the packet processors being assigned as an owner of one or more network flows, and each packet processor processing
data packets associated with flows for which it is the assigned owner and each network flow being assigned to only one owner
packet processor, each owner packet processor processing data packets associated with a network flow to enforce a security
policy; and

a packet processing manager configured to assign ownership of network flows to the one or more packet processors, the packet
processing manager comprising a global flow table containing global flow table entries mapping network flows to packet processor
ownership assignments and a predict flow table containing predict flow entries mapping predicted network flows to packet processor
ownership assignments,

wherein each predict flow entry comprises a predict key identifying in part a predicted network flow being a child flow corresponding
to a parent flow in a connection session, the child flow being derived from information relating to the parent flow, and a
packet processor ownership assignment associated with the parent flow corresponding to the child flow, the predict key comprising
a plurality of data fields identifying the predicted network flow where the value of one or more of the data fields is unknown;
and

wherein in response to a first packet processor receiving data packets associated with a first parent flow for a connection
session that indicates a first child flow to be determined, the packet processing manager adds a first predict flow entry
in the predict flow table, the first predict flow entry includes a predict key identifying the first child flow as the predicted
network flow with the value of one or more of the data fields in the predict key having wildcard values, the first predict
flow entry mapping the predicted network flow to the packet processor assigned as the owner of the first parent flow so that
the packet processor assigned as the owner of the first parent flow is also assigned to process data packets associated with
the first child flow associated with the first parent flow; and

wherein in response to a second data packet being forwarded to the packet processing manager and in response to the network
flow for the second data packet being found in the predict flow table, the packet processing manager adds an entry in the
global flow table to identify the first packet processor as the owner packet processor of the second data packet; and in response
to receiving a message from the owner packet processor indicating acceptance of the ownership assignment, the packet processing
manager stores a binding entry in the global flow table mapping the network flow to the owner packet processor.

US Pat. No. 9,143,522

HEURISTIC BOTNET DETECTION

Palo Alto Networks, Inc.,...

1. A system, comprising:
a processor configured to:
monitor network traffic to identify suspicious network traffic, wherein the monitoring of the network traffic includes:
identify a uniform resource locator (URL) in the network traffic;
determine whether the network traffic includes a malware URL, an unclassified URL, or a combination thereof; and
in the event that the network traffic includes the malware URL, the unclassified URL, or a combination thereof, assign the
network traffic as the suspicious network traffic;

detect a bot based on a heuristic analysis of the suspicious network traffic behavior, wherein the suspicious network traffic
behavior includes command and control traffic associated with a bot master;

monitor behavior indicated in the network traffic to identify malware, wherein the monitored behaviors that indicate potential
malware include connecting to a non-standard HTTP port for HTTP traffic, visiting a non-existent domain, downloading executable
files with non-standard executable file extensions, performing a DNS query for an email server, communicating using a post
method in HTTP traffic, connecting to a non-standard IRC port for IRC traffic, communicating using an intrusion prevention
system evasion technique, communicating unclassified traffic over an HTTP port, visiting a dynamic DNS domain, or any combination
thereof; and

monitor visited domain related behavior to identify a malicious domain based on whether a visited domain is a dynamic DNS
domain; and

a memory coupled to the processor and configured to provide the processor with instructions.
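The two stages of the claim above, run over a handful of constructed per-host records, as an added example (not the patent's or any product's implementation). The port lists, the dynamic-DNS suffix list, the record fields and the reporting threshold are this example's assumptions.

```python
"""Heuristic bot scoring over per-host network records: traffic carrying
malware or unclassified URLs is marked suspicious, then the listed behaviours
are counted per source host. Added example; records, port lists, dynamic-DNS
suffixes and threshold are constructed assumptions."""
from collections import defaultdict
from typing import Dict, List

STANDARD_HTTP_PORTS = {80, 443, 8080}                                   # assumption
STANDARD_IRC_PORTS = {6667, 6697}                                       # assumption
DYNAMIC_DNS_SUFFIXES = (".no-ip.org", ".dyndns.org", ".duckdns.org")    # constructed sample
EXECUTABLE_MAGIC = {"MZ", "\x7fELF"}
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".sys", ".elf", ".so"}


def url_is_suspicious(rec: dict) -> bool:
    """First stage of the claim: a malware or unclassified URL category."""
    return rec.get("url_category") in ("malware", "unclassified")


def behaviour_hits(rec: dict) -> List[str]:
    """Names of the claim's listed behaviours that one record exhibits."""
    hits = []
    app, port = rec.get("app"), rec.get("dport")
    if app == "http" and port not in STANDARD_HTTP_PORTS:
        hits.append("http_nonstandard_port")
    if app == "http" and rec.get("method") == "POST":
        hits.append("http_post")
    if app == "irc" and port not in STANDARD_IRC_PORTS:
        hits.append("irc_nonstandard_port")
    if app == "unknown" and port in STANDARD_HTTP_PORTS:
        hits.append("unclassified_over_http_port")
    if rec.get("dns_rcode") == "NXDOMAIN":
        hits.append("nonexistent_domain")
    if rec.get("dns_qtype") == "MX":
        hits.append("mx_query")                  # a workstation looking up mail exchangers
    if (rec.get("file_magic") in EXECUTABLE_MAGIC
            and (rec.get("file_ext") or "").lower() not in EXECUTABLE_EXTENSIONS):
        hits.append("executable_with_odd_extension")
    if rec.get("ips_evasion"):
        hits.append("ips_evasion")               # flag set by an upstream evasion detector
    host = (rec.get("dns_qname") or rec.get("url_host") or "").lower()
    if host.endswith(DYNAMIC_DNS_SUFFIXES):
        hits.append("dynamic_dns_domain")
    return hits


def score_hosts(records: List[dict], threshold: int = 3) -> Dict[str, dict]:
    """Aggregate per source host. A host is reported as a bot only when it both
    produced suspicious URLs and shows at least `threshold` distinct behaviours."""
    per_host = defaultdict(lambda: {"suspicious_urls": 0, "behaviours": set()})
    for rec in records:
        h = per_host[rec["src"]]
        if url_is_suspicious(rec):
            h["suspicious_urls"] += 1
        h["behaviours"].update(behaviour_hits(rec))
    return {
        src: {
            "score": len(h["behaviours"]),
            "behaviours": sorted(h["behaviours"]),
            "bot": h["suspicious_urls"] > 0 and len(h["behaviours"]) >= threshold,
        }
        for src, h in per_host.items()
    }


SAMPLE_RECORDS = [   # constructed flow/log records, not real traffic
    {"src": "10.0.0.5", "app": "http", "dport": 8088, "method": "POST",
     "url_host": "upd.no-ip.org", "url_category": "unclassified"},
    {"src": "10.0.0.5", "app": "dns", "dport": 53, "dns_qname": "x7k2q.example.net",
     "dns_qtype": "A", "dns_rcode": "NXDOMAIN"},
    {"src": "10.0.0.5", "app": "dns", "dport": 53, "dns_qname": "example.org",
     "dns_qtype": "MX", "dns_rcode": "NOERROR"},
    {"src": "10.0.0.5", "app": "http", "dport": 80, "method": "GET",
     "url_host": "cdn.example.net", "url_category": "malware",
     "file_magic": "MZ", "file_ext": ".jpg"},
    {"src": "10.0.0.9", "app": "http", "dport": 443, "method": "GET",
     "url_host": "www.example.com", "url_category": "business"},
    {"src": "10.0.0.9", "app": "dns", "dport": 53, "dns_qname": "www.example.com",
     "dns_qtype": "A", "dns_rcode": "NOERROR"},
]
```

Counting distinct behaviours rather than raw hits keeps one chatty host from scoring on a single repeated action; requiring a suspicious-URL observation before the heuristics count is what keeps ordinary POST-heavy web applications out of the bot list.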

US Pat. No. 9,065,769

APPLICATION NON DISRUPTIVE TASK MIGRATION IN A NETWORK EDGE SWITCH

Palo Alto Networks, Inc.,...

1. A network device, the network device comprising:
a plurality of forwarding engines and a control processor, wherein the plurality of forwarding engines include a first forwarding
engine and a second forwarding engine;

a control processor, wherein the control processor migrates packet traffic to be routed to a destination by the first forwarding
engine to the second forwarding engine; and

a first switch connected to the first and the second forwarding engines, wherein during migration of the packet traffic from
the first forwarding engine to the second forwarding engine, the packets are routed from the first forwarding engine to the
second forwarding engine through the first switch with no datagram reordering.

US Pat. No. 9,467,422

EVENT AGGREGATION IN A DISTRIBUTED PROCESSOR SYSTEM

Palo Alto Networks, Inc.,...

1. A method in a security device for processing a plurality of network flows, comprising:
receiving and transmitting data packets at one or more packet processing cards, each packet processing card having one or
more packet processors and a local counter memory formed thereon;

storing, in the local counter memory of each packet processing card, local counter values for one or more events being handled
by the one or more packet processors;

providing, at a packet processing manager, global event counters to maintain event statistics for the one or more events,
each global event counter being identified by a counter identifier and being associated with a global threshold value and
a global counter sum value;

receiving, at the packet processing manager, messages from the packet processing cards, each message containing a local counter
value for an event being handled by one of the packet processors;

storing, in a counter memory associated with the packet processing manager, the local counter values for the one or more events
received in the messages;

summing the local counter values of a first event stored in the counter memory to generate the global counter sum value for
the first event; and

storing the global counter sum value in a first global event counter associated with the first event.

US Pat. No. 9,384,350

SIGNATURE COMPILATION ON A SECURITY DEVICE

Palo Alto Networks, Inc.,...

1. A system, comprising:
a set of one or more interfaces configured to:
receive, from a first remote server, a first set of malware signatures; and
receive, from a second remote server, a second set of malware signatures;
a set of one or more processors configured to:
compile the received first set of malware signatures at a first time and load a compiled first set into a first area of RAM;
compile the received second set of malware signatures at a second time that is different from the first time and load a second
compiled set into a second area of RAM;

perform a scan using at least one of: information stored in the respective first and second areas of RAM;
determine, based at least in part on a result of the performed scan that a file is malicious; and
in response to the determination that the file is malicious, prevent the file from reaching a device; and
a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 9,378,784

SECURITY DEVICE USING HIGH LATENCY MEMORY TO IMPLEMENT HIGH UPDATE RATE STATISTICS FOR LARGE NUMBER OF EVENTS

Palo Alto Networks, Inc.,...

1. A security device, comprising:
a controller configured to receive incoming data packets and to determine a flow identifier associated with a received data
packet, the controller further determining an event counter associated with the flow and providing a counter identifier to
a memory controller; and

a counter memory comprising a plurality of memory banks, each memory bank storing a partial counter value for one or more
event counters, the counter memory being in communication with the memory controller and indexed by the counter identifier,

wherein the memory controller marks the memory bank last selected and, in response to the memory controller receiving the
counter identifier from the controller, the memory controller selects for access a single memory bank in the counter memory
that was not marked as the memory bank last selected, the memory controller accessing the plurality of memory banks in the
counter memory in any order with the same memory bank not being selected for access in consecutive counter updates, and the
memory controller retrieves the partial counter value associated with only one counter identifier in the selected memory bank
and the memory controller updates the partial counter value, the updated partial counter value being written back to the selected
memory bank; and

wherein the memory controller selects a first memory bank to update the partial counter value for a first counter identifier
and marks the first memory bank, and the memory controller next selects a second memory bank not marked to update a partial
counter value, the memory controller is configured to select a second counter identifier different from the first counter
identifier to update the partial counter value in the second memory bank during the latency window of the update of the partial
counter value of the first counter identifier.

US Pat. No. 9,202,054

DETECTING A HEAP SPRAY ATTACK

Palo Alto Networks, Inc.,...

1. A system for exploit detection by detecting heap spray in memory, comprising:
a processor configured to:
execute a program in a virtual environment;
monitor a heap of the memory while executing the program in the virtual environment; and
detect a potential heap spray attack based on detecting a burst allocation of a first plurality of blocks in the heap of the
memory, comprising:

determine whether 1) each of the first plurality of blocks is stored in the predefined address range of the memory and 2)
the first plurality of blocks in the heap of the memory exceeds a threshold size within a predetermined period of time; and


in the event that 1) each of the first plurality of blocks is stored in the predefined address range of the memory and 2)
the first plurality of blocks in the heap of the memory exceeds the threshold size within the predetermined period of time:

calculate a hash of each of a second plurality of blocks allocated in the heap of the memory, wherein each of the second plurality
of blocks is stored in the predefined address range of the memory; and

detect a heap spray in memory based on the calculated hashes;
a computer data storage coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 9,619,260

POLICY ENFORCEMENT IN A VIRTUALIZED ENVIRONMENT

Palo Alto Networks, Inc.,...

1. A system, comprising:
a processor configured to:
receive a rule to be applied to network traffic associated with members of a dynamic address group;
receive virtual machine information associated with a first virtual machine instance executing on a host machine;
determine, based at least in part on at least a portion of the received virtual machine information, that the first virtual
machine instance belongs to the dynamic address group;

in response to the determination, apply the rule to network traffic associated with the first virtual machine instance;
at a time subsequent to applying the rule to network traffic associated with the first virtual machine instance, determine
that the rule should be recompiled into a recompiled rule, at least in part based on a change to membership in the dynamic
address group, wherein the change to membership includes at least one of:

(1) an addition of an additional virtual machine instance to the dynamic address group; and
(2) a removal of the first virtual machine instance from the dynamic address group; and
in the event the change to the membership in the dynamic address group includes the addition of the additional virtual machine
instance to the dynamic address group, applying the recompiled rule to network traffic associated with the additional virtual
machine instance; and

in the event the change to the membership in the dynamic address group includes removal of the first virtual machine instance
from the dynamic address group, not applying the recompiled rule to network traffic associated with the first virtual machine
instance; and

a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 9,553,870

PASSWORD CONSTRAINT ENFORCEMENT USED IN EXTERNAL SITE AUTHENTICATION

Palo Alto Networks, Inc.,...

1. A system, comprising:
a processor configured to:
monitor encrypted network communications between a client and an external site;
process the encrypted network communications between the client and the external site to decrypt the encrypted network communications
between the client and the external site and to detect a request from the client to create user credentials for user authentication
on the external site; and

determine whether the request from the client to create user credentials for user authentication on the external site violates
a policy for password constraint enforcement for user authentication on external sites, the user credentials including a username,
a password, or a combination thereof, wherein the determining of whether the request from the client to create the user credentials
for the user authentication on the external site violates the policy for password constraint enforcement comprises to:

determine whether the user credentials of the external site match other user credentials for user authentication on another
external site, the other user credentials including a username, a password, or a combination thereof; and

in the event that the user credentials of the external site match the other user credentials for user authentication on the
other external site, determine that the request violates the policy for password constraint enforcement; and

a memory coupled to the processor and configured to provide the processor with instructions.
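One way to implement the cross-site comparison in the claim above without the security device retaining plaintext passwords, as an added example (not the patent's or any product's code): each credential seen in a decrypted sign-up request is reduced to a keyed HMAC fingerprint and compared with fingerprints recorded for the same client on other sites. The key, the client identifiers and the requests are constructed.

```python
"""Cross-site credential reuse check that stores only keyed fingerprints.
Added example, not the patent's or any product's code; key and requests are
constructed."""
import hashlib
import hmac
from collections import defaultdict
from typing import Dict, Set, Tuple


class CredentialReuseMonitor:
    def __init__(self, key: bytes):
        self._key = key                                   # device-held secret, never logged
        self._sites: Dict[Tuple[str, str], Set[str]] = defaultdict(set)

    def _fingerprint(self, username: str, password: str) -> str:
        # Username is case-folded; the NUL separator keeps "ab"+"c" distinct from "a"+"bc".
        msg = username.casefold().encode("utf-8") + b"\x00" + password.encode("utf-8")
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def observe_signup(self, client: str, site: str, username: str,
                       password: str) -> Tuple[bool, Set[str]]:
        """Record a credential-creation request and return (violates_policy,
        other sites on which this client already uses the same credentials)."""
        key = (client, self._fingerprint(username, password))
        others = {s for s in self._sites[key] if s != site}
        self._sites[key].add(site)
        return bool(others), others

    def forget(self, client: str) -> None:
        """Drop everything recorded for a client (e.g. on device offboarding)."""
        for k in [k for k in self._sites if k[0] == client]:
            del self._sites[k]
```

Fingerprinting the username and password together matches the claim's "username, a password, or a combination thereof" in its strictest form; dropping the username from the message would also catch the same password reused under different usernames, at the cost of flagging two accounts that merely chose the same common password. Keying the HMAC with a device-held secret means a leaked fingerprint store cannot be brute-forced offline the way a plain hash of the password could.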

US Pat. No. 9,542,556

MALWARE FAMILY IDENTIFICATION USING PROFILE SIGNATURES

Palo Alto Networks, Inc.,...

1. A system, comprising:
a security device configured to send a potential malware sample to a server associated with a security cloud service; and
the server associated with the security cloud service which is configured to:
execute the potential malware sample in a sandbox environment on the server, including by monitoring network activity initiated
by the potential malware sample using a packet capture process in order to obtain observed network activity;

determine whether the potential malware sample matches a signature profile associated with a known command and control malware
family, including by comparing the signature profile and the observed network activity in order to determine if there is a
pattern match between the signature profile and the observed network activity in a portion of a uniform resource identifier
(URI) that is associated with a HyperText Transfer Protocol (HTTP) request; and

in the event it is determined that the potential malware sample is associated with the known command and control malware family,
generating an alert.

US Pat. No. 9,489,516

DETECTION OF MALWARE USING AN INSTRUMENTED VIRTUAL MACHINE ENVIRONMENT

Palo Alto Networks, Inc.,...

1. A system for detection of malware using an instrumented virtual machine environment, comprising:
a processor configured to:
instantiate a first virtual machine in the instrumented virtual machine environment, wherein the first virtual machine is
configured to support installation of two or more versions of a resource;

install a first version of the resource on the first virtual machine and monitor the instrumented virtual machine environment
while executing the first version of the resource with a malware sample opened using the first version of the resource, comprising
to:

store the first version of the resource using a first dummy file name for a registry file associated with the resource and
a first executable file associated with the resource;

install a second version of the resource on the first virtual machine and monitor the instrumented virtual machine environment
while executing the second version of the resource with the malware sample opened using the second version of the resource,
comprising to:

store the second version of the resource using a second dummy file name for the registry file and a second executable file
associated with the resource; and

monitor the instrumented virtual machine environment while executing each version of the resource with the malware sample
opened using each version of the resource for at least a predetermined period of time or until malicious behavior is detected,
comprising to:

rename the first dummy file name to a first expected file name in order to execute the first version of the resource;
execute the first version of the resource based on the first expected file name and the first executable file;
rename the second dummy file name to a second expected file name in order to execute the second version of the resource; and
execute the second version of the resource based on the second expected file name and the second executable file; and
a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 9,178,851

HIGH AVAILABILITY SECURITY DEVICE

Palo Alto Networks, Inc.,...

1. A method implemented by a security device, comprising:
filtering a plurality of packets into a filtered first plurality of packets and a filtered second plurality of packets based
on header information of each of the plurality of packets, wherein filtering the plurality of packets comprises:

filtering the plurality of packets into the filtered second plurality of packets in response to the header information of
the corresponding packets being associated with Domain Name Service (DNS) traffic or a peer-to-peer networking application,
wherein the DNS traffic relates to communications with a trusted DNS server, the trusted DNS server being a closely-controlled
DNS server, and wherein the peer-to-peer networking application relates to a file download using the peer-to-peer networking
application;

processing the filtered first plurality of packets using one or more processors of the security device and maintaining one
or more flow records associated with the filtered first plurality of packets, and

processing the filtered second plurality of packets using one or more processors of the security device without maintaining
flow records associated with the filtered second plurality of packets and allowing the filtered second plurality of packets
to pass to one or more destinations, where processing the filtered second plurality of packets includes:

receiving a second packet;
determining not to maintain a flow record for a second flow associated with the second packet; and
allowing the second packet to pass to one of the one or more destinations.

US Pat. No. 9,602,539

EXTERNALLY DEFINED OBJECTS IN SECURITY POLICY

Palo Alto Networks, Inc.,...

1. A system, comprising:
a processor configured to:
obtain a plurality of external object lists from a plurality of external list servers that publish the plurality of external
object lists, wherein:

at least one external object list of the plurality of external list servers includes a virtual system;
the at least one external object list includes zones; and
the obtaining of the plurality of external object lists from the plurality of external list servers comprises to:
periodically obtain, at a first frequency, a first external object list from a first external list server; and
periodically obtain, at a second frequency, a second external object list from a second external list server, the first frequency
being different from the second frequency; and

for one of the plurality of external object lists:
define a security policy comprising one or more rules based at least in part on one or more externally defined objects comprising
the one external object list and based at least in part on one or more locally defined objects, wherein a rule of the one
or more rules includes a source zone and a destination zone;

enforce the security policy with respect to a device;
automatically check a corresponding external list server for updates of the one external object list and update or refresh
locally stored external objects obtained from the one external object list to reflect changes in the one external object list
published by the corresponding external list server, wherein any changes in locally stored external objects automatically
and dynamically update the security policy as applicable, wherein the updating of the security policy is performed without
administrative intervention, and wherein the updating or refreshing of the locally stored external objects obtained from the
one external object list comprises to:

determine whether the updates of the one external object list remove an external object from a previous external object list;
and

in the event that the updates of the one external object list remove the external object from the previous external object
list, remove the external object from the locally stored external objects to obtain updated or refreshed locally stored external
objects; and

receive an update to the at least one external object list as a push from the corresponding external list server; and
a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 9,497,083

DISCOVERING NETWORK NODES

Palo Alto Networks, Inc.,...

1. A system for discovering nodes of a network, comprising:
a communication interface configured to:
send to a multicast group of the network an Internet Protocol version 6 multicast packet that requires a receiver of the packet
to provide a response packet, wherein the response packet is required to be provided as a direct reply to the Internet Protocol
version 6 multicast packet and the Internet Protocol version 6 multicast packet specifies an invalid option that requires
a recipient to provide the response packet in direct reply to the Internet Protocol version 6 multicast packet; and

receive a plurality of Internet Control Message Protocol version 6 replies from all nodes that belong to the multicast group
in reply to the single Internet Protocol version 6 multicast packet, wherein every one of the plurality of Internet Control
Message Protocol version 6 replies identify a communication error associated with the Internet Protocol version 6 multicast
packet; and

a processor coupled with the communication interface and configured to use the received communication error replies to the
multicast packet to determine a listing of all nodes of at least the multicast group of the network, wherein determining the
listing of all nodes of at least the multicast group of the network includes discovering the nodes of the network that have
not been previously discovered to be in the multicast group by identifying that a previously undiscovered node provided a
communication error response in direct reply to the Internet Protocol version 6 multicast packet requiring the receiver of the
packet to provide the communication error response;

wherein the multicast group was determined by incrementing or decrementing a previous multicast group number in response to
a determination that a response associated with the previous multicast group number was received and the listing of all nodes
includes identifications of all nodes belonging to the previous multicast group number in addition to identifications of all
nodes belonging to the multicast group.

US Pat. No. 9,749,336

MALWARE DOMAIN DETECTION USING PASSIVE DNS

Palo Alto Networks, Inc.,...

1. A system for malware domain detection using passive Domain Name Service (DNS), comprising:
a processor; and
a memory coupled with the processor, wherein the memory is configured to provide the processor with instructions which when
executed cause the processor to:

generate a malware association graph that associates a plurality of malware samples with malware source information, wherein
the malware association graph includes a searchable directed graph that associates related Internet Protocol (IP) address
information and related domain information with a first malware sample, and wherein the malware source information includes
a first domain of the malware association graph, the first domain being associated with the first malware sample;

generate a reputation score for the first domain using the malware association graph and passive DNS information, wherein
the generating of the reputation score comprises to:

identify a first path and a second path both linking the first domain to a known malware node of the malware association graph,
the first path having a first relation type and the second path having a second relation type, each relation type being associated
with resolving to the same Internet Protocol (IP) address of the known malware node, resolving using the same name server
(NS) as the known malware node, having an IP address belonging to the same border gateway protocol (BGP) prefix as the known
malware node, having an IP address belonging to the same autonomous system (AS) as the known malware node, or any combination
thereof, the first relation type being different from the second relation type;

determine, for the first relation type, a first score based on a first damping factor associated with the first relation type
and the first relation type;

weigh the first score by a first weight to obtain a first weighted reputation;
determine, for the second relation type, a second score based on a second damping factor associated with the second relation
type and the second relation type;

weigh the second score by a second weight to obtain a second weighted reputation; and
generate the reputation score of the first domain based at least in part on the first weighted reputation and the second weighted
reputation;

determine whether the first domain is a malware domain based on the reputation score for the first domain; and
in response to a determination that the first domain is the malware domain, perform a responsive action, wherein the responsive
action includes generating a new signature for a new malware, generating an alert and/or a notification to a user, or a combination
thereof, and associating the new malware with the malware domain.
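The scoring steps of the claim above carried through on a small association graph, as an added example (not the patent's or any product's code). The graph, the damping factors and weights, the saturating per-relation formula (1 - damping**n over the n known-malware nodes linked by that relation) and the decision threshold are all this example's assumptions; the relation types are the four the claim lists.

```python
"""Domain reputation from a malware association graph plus passive-DNS
attributes, scored per relation type with a damping factor and a weight.
Added example; graph, damping/weight values, score formula and threshold are
constructed assumptions, not the patent's."""
from collections import defaultdict, deque
from typing import Dict, List, Set, Tuple

# Each relation type is a path shape through passive-DNS attributes: the edge
# labels it may traverse and the hop count of its canonical path.
RELATIONS = {
    "same_ip":     ({"resolves"}, 2),                          # dom -> ip <- dom
    "same_ns":     ({"uses_ns"}, 2),                           # dom -> ns <- dom
    "same_prefix": ({"resolves", "in_prefix"}, 4),             # dom -> ip -> pfx <- ip <- dom
    "same_asn":    ({"resolves", "in_prefix", "in_asn"}, 6),   # ... -> pfx -> asn <- pfx <- ...
}
DAMPING = {"same_ip": 0.5, "same_ns": 0.6, "same_prefix": 0.7, "same_asn": 0.9}   # assumption
WEIGHTS = {"same_ip": 0.4, "same_ns": 0.3, "same_prefix": 0.2, "same_asn": 0.1}   # assumption


class MalwareAssociationGraph:
    """Undirected labelled graph over domains, IPs, name servers, prefixes and ASNs."""

    def __init__(self) -> None:
        self.adj: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
        self.malware_nodes: Set[str] = set()

    def add_edge(self, a: str, b: str, label: str) -> None:
        self.adj[a].append((b, label))
        self.adj[b].append((a, label))

    def mark_malware(self, node: str) -> None:
        """Node tied to a sample, e.g. the domain a sandboxed sample contacted."""
        self.malware_nodes.add(node)

    def malware_at_distance(self, start: str, allowed: Set[str]) -> Dict[str, int]:
        """BFS from start over edges whose label is in `allowed`; returns the
        hop distance to every known-malware node reached."""
        dist, found, queue = {start: 0}, {}, deque([start])
        while queue:
            u = queue.popleft()
            for v, label in self.adj[u]:
                if label in allowed and v not in dist:
                    dist[v] = dist[u] + 1
                    if v in self.malware_nodes:
                        found[v] = dist[v]
                    queue.append(v)
        return found


def relation_score(graph: MalwareAssociationGraph, domain: str, relation: str) -> float:
    """n = malware nodes linked exactly by this relation (at its canonical hop
    count, so a node already linked by a closer relation is not counted twice);
    the score saturates as 1 - damping**n (assumed formula)."""
    allowed, hops = RELATIONS[relation]
    n = sum(1 for d in graph.malware_at_distance(domain, allowed).values() if d == hops)
    return 1.0 - DAMPING[relation] ** n


def reputation(graph: MalwareAssociationGraph, domain: str) -> Tuple[float, Dict[str, float]]:
    """Weighted sum of the per-relation scores; higher means more malware-like."""
    parts = {r: WEIGHTS[r] * relation_score(graph, domain, r) for r in RELATIONS}
    return sum(parts.values()), parts


def is_malware_domain(graph: MalwareAssociationGraph, domain: str, threshold: float = 0.25) -> bool:
    return reputation(graph, domain)[0] >= threshold


def sample_graph() -> MalwareAssociationGraph:
    """Constructed graph: two domains contacted by sandboxed samples, plus candidates."""
    g = MalwareAssociationGraph()
    for a, b, label in [
        ("c2.bad.example", "198.51.100.7", "resolves"),
        ("c2.bad.example", "ns1.bad-ns.example", "uses_ns"),
        ("198.51.100.7", "198.51.100.0/24", "in_prefix"),
        ("198.51.100.0/24", "AS64500", "in_asn"),
        ("drop.bad.example", "203.0.113.5", "resolves"),
        ("203.0.113.5", "203.0.113.0/24", "in_prefix"),
        ("203.0.113.0/24", "AS64500", "in_asn"),
        ("new.example", "198.51.100.7", "resolves"),        # shares IP and NS with c2
        ("new.example", "ns1.bad-ns.example", "uses_ns"),
        ("cousin.example", "198.51.100.20", "resolves"),    # shares only the /24 and the AS
        ("198.51.100.20", "198.51.100.0/24", "in_prefix"),
        ("shop.example", "192.0.2.10", "resolves"),         # unrelated
        ("192.0.2.10", "192.0.2.0/24", "in_prefix"),
        ("192.0.2.0/24", "AS64496", "in_asn"),
    ]:
        g.add_edge(a, b, label)
    g.mark_malware("c2.bad.example")
    g.mark_malware("drop.bad.example")
    return g
```

Counting a malware node only at its relation's canonical hop count is what keeps the four relation types independent: a domain that shares an IP with a known C2 domain necessarily shares its prefix and AS too, and without that rule the same node would be scored three times. The weak relations (shared prefix, shared AS) get both a high damping factor and a low weight, so a domain hosted in a large hosting AS next to malware is not condemned on that alone.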

US Pat. No. 9,542,554

DEDUPLICATING MALWARE

Palo Alto Networks, Inc.,...

1. A system, comprising:
a processor configured to:
set a first guest clock to a first value in a first virtual machine instance and execute a first malware sample in the first
virtual machine instance;

set a second guest clock value to the first value in a second virtual machine instance and execute a second malware sample
in the second virtual machine instance; and

perform a comparison of attempted external contacts generated by executing each of the respective first and second malware
samples, and determine that the first malware sample and the second malware sample are the same, based at least in part by
determining that a threshold number of duplicate attempted external contacts were generated by both the first malware sample
and the second malware sample; and

a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 9,660,992

USER-ID INFORMATION PROPAGATION AMONG APPLIANCES

Palo Alto Networks, Inc.,...

1. A system, comprising:
a processor configured to:
receive, at a first appliance, log data generated in response to a user-provided device authenticating to an electronic mail
server on a first network, wherein the user-provided device is not authenticating to a directory service provider accessible
via the first network;

determine a first mapping between an IP address of the user-provided device and an identity of a user based at least in part
on correlating at least a portion of the received log data, including a username portion of an email address, and identity
information associated with the user and stored in the directory service provider;

receive, at a third appliance, and from the first appliance, the first mapping between the IP address of the device and the
user identity, wherein the first appliance is responsible for controlling access to resources on the first network, wherein
the third appliance is responsible for controlling access to resources on a third network, and wherein access by the device
to a resource on the third network is determined by the third appliance based at least in part on a policy associated with
the user identity;

receive, at the third appliance, and from a second appliance, a conflicting second mapping between at least one of the IP
address and the user identity, wherein the second appliance is responsible for controlling access to resources on a second
network; and

determine, in response to receiving conflicting mappings from the respective first and second appliances, which of the received
first and second mappings should be used in determining whether to permit access to the resource on the third network, at
least in part by determining a respective priority associated with the first appliance as a source of information and the
second appliance as a source of information; and

a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 9,686,311

INTERDICTING UNDESIRED SERVICE

Palo Alto Networks, Inc.,...

1. A system for interdicting an undesired service, comprising:
a processor configured to identify the undesired service and identify a vulnerability of the undesired service, wherein the
identified undesired service is associated with a malicious code, the vulnerability of the identified undesired service has
been identified for the identified undesired service after the identified undesired service has been identified; and

a communication interface coupled with the processor and configured to interdict the undesired service according to the vulnerability,
wherein interdicting the undesired service includes affecting a network capability of the undesired service.

US Pat. No. 9,531,673

HIGH AVAILABILITY SECURITY DEVICE

Palo Alto Networks, Inc.,...

1. A system comprising:
a processor of a security device configured to:
filter a plurality of packets into a filtered first plurality of packets and a filtered second plurality of packets based
on header information of each of the plurality of packets, wherein filtering the plurality of packets comprises filtering
the packets into the filtered second plurality of packets in response to the header information of the filtered second plurality
of packets being associated with a peer-to-peer networking application, traffic between trusted zones, or traffic between
trusted devices;

process the filtered first plurality of packets and maintain one or more flow records associated with the filtered first
plurality of packets, wherein processing the filtered first plurality of packets includes receiving a first packet and, based
on first header information of the first packet, determining whether a first flow record exists for a first flow associated
with the first packet, wherein the first flow associated with the first packet comprises a sequence of one or more packets
received to which the first packet belongs;

process the filtered second plurality of packets without maintaining flow records associated with the filtered second plurality
of packets, wherein processing the filtered second plurality of packets comprises:

receiving a second packet;
determining not to maintain a second flow record for a second flow associated with the second packet based on second header
information of the second packet, wherein the second flow associated with the second packet comprises a sequence of one or
more packets received to which the second packet belongs; and

allowing the second packet to pass to one of one or more destinations based on the second header information and/or content
of the second packet or blocking the second packet based on the second header information and/or the content of the second
packet; and

a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 9,804,800

DETECTING HEAP-SPRAY IN MEMORY IMAGES

PALO ALTO NETWORKS, INC.,...

1. A method for protecting a computer, comprising the steps of:
executing in a computer processor application and system processes that allocate, utilize and deallocate a heap memory;
while executing the application and system processes, the processor performing the steps of:
identifying blocks having respective sizes in the heap memory;
associating the blocks in buckets according to the sizes thereof;
selecting one of the buckets;
choosing a first block and a second block from the selected bucket;
making a content comparison of the first block with the second block;
accumulating a positive result when the comparison meets a predetermined criterion of similarity; and
reporting a heap spray detection when the accumulated positive results in repeated performances of the steps of selecting,
choosing, making a comparison and accumulating exceed a predetermined threshold.

US Pat. No. 9,804,869

EVALUATING MALWARE IN A VIRTUAL MACHINE USING DYNAMIC PATCHING

Palo Alto Networks, Inc.,...

1. A system, comprising:
a hardware processor configured to:
initialize, as a copy-on-write overlay associated with an original virtual machine image, a first virtual machine instance,
wherein the first virtual machine instance is an overlay of a hierarchy of virtual machine images, and wherein the original
virtual machine image comprises the root of the hierarchy;

apply a set of one or more modifications to the first virtual machine instance;
start the modified virtual machine instance;
capture a first set of data resulting from executing a first sample in the modified virtual machine instance; and
determine, based at least in part on an analysis of the captured data, that the first sample is malicious; and
a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 9,805,193

COLLECTING ALGORITHMICALLY GENERATED DOMAINS

Palo Alto Networks, Inc.,...

1. A system, comprising:
a processor configured to:
execute, in an accelerated computing environment comprising a non-virtualized platform, a malware sample, wherein a guest
time associated with the accelerated computing environment is advanced by an operating system such that the guest time advances
faster than a host time advances and such that the malware is unable to detect that a current guest time is different from
a current host time, and wherein the operating system associated with the accelerated computing environment is configured
to accelerate the guest time using at least one of a time interrupt customization and a time polling customization;

record a set of attempts made by the executing malware sample to contact external resources, wherein at least some of the
resources the executing malware sample attempts to contact are algorithmically generated domain names, generated by the executing
malware; and

provide the set of attempted external contacts as output; and
a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 9,787,635

IDENTIFYING EXTERNAL USER NAMES AND ENFORCING POLICIES

Palo Alto Networks, Inc.,...

1. A system, comprising:
a processor configured to:
identify, using network traffic received from a client device within a first network, a request by the client device to access
an external user account associated with an external application that is outside of the first network;

determine, based at least in part on a username corresponding to the external user account, a policy to apply to the received
request; and

apply the policy; and
a memory coupled to the set of one or more processors and configured to provide the set of one or more processors with instructions.

US Pat. No. 9,710,646

MALWARE DETECTION USING CLUSTERING WITH MALWARE SOURCE INFORMATION

Palo Alto Networks, Inc.,...

1. A system for malware detection using clustering with malware source information, comprising:
a processor configured to:
generate a first cluster of source information associated with a first malware sample, wherein the first malware sample was
determined to be malware, wherein the first malware sample was determined to be downloaded from a first source, and wherein
the generating of the first cluster of source information comprises:

generate a directed graph associating a plurality of source information with the first malware sample to generate the first
cluster of source information, the directed graph including a set of nodes and a set of edges, at least one node of the set
of nodes relating to source information of a known malware, at least one edge of the set of edges representing a relationship
based on a first node of the set of nodes and a second node of the set of nodes, source information of the at least one node
includes a domain, an IP address, or a combination thereof; the generating of the first cluster of source information being
based at least in part on a clustering algorithm, the clustering algorithm including a recursive algorithm to find samples
and domains that are correlated, the directed graph including:

source information of the first malware sample including at least one of a) a source domain, a source Internet Protocol (IP)
address, or a combination thereof, and b) a visiting domain, a visiting IP address, or a combination thereof, the visiting
domain being a domain that the first malware sample attempted to send information thereto and/or receive information therefrom,
and the visiting IP address being an IP address that the first malware sample attempted to send information thereto and/or
receive information therefrom;

obtain a second malware sample for analysis;
determine whether a second source of the second malware sample is associated with malware based on the first cluster, comprising:
traverse the directed graph to determine whether the second malware sample associated with the second source is associated
with the first cluster, comprising to:

determine whether the second source is associated with at least one source of the first cluster of source information, comprising
to:

determine whether an edge of the set of edges is connected to the second source of the second malware sample, the second
source having an association with a) a source domain, a source Internet Protocol (IP) address, or a combination thereof, and
b) a visiting domain, a visiting IP address, or a combination thereof; and

in the event that the edge of the set of edges is connected to the second source, determine that the second source is associated
with at least one source of the first cluster of source information; and

in the event that the second malware sample is associated with the first cluster:
extract a signature from the second malware sample;
store the extracted signature in a database; and
send the extracted signature to a security device; and
a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 9,641,544

AUTOMATED INSIDER THREAT PREVENTION

Palo Alto Networks, Inc.,...

1. A system for automated insider threat prevention, comprising:
a processor of a network device configured to:
monitor network communications at the network device, wherein monitor network communications at the network device comprises:
monitor encrypted network communications between a client device and an external site, wherein the encrypted network communications
are encrypted using a first protocol;

decrypt the encrypted network communications between the client device and the external site; and
determine if the encrypted network communications between the client device and the external site include a file transfer
activity from the client device to the external site;

detect an anomalous activity based on the monitored network communications associated with a user based on a behavior profile
for the user, wherein the anomalous activity includes an anomalous file transfer activity associated with the user, and wherein
the anomalous activity is determined to be suspicious based on one or more file transfer application activities associated
with the user based on a threshold comparison with the behavior profile for the user;

perform an action in response to the detected anomalous activity based on a policy, wherein perform the action in response
to the detected anomalous activity based on the policy comprises: throttle the anomalous file transfer activity; and

receive a notification associated with another anomalous activity associated with another user, wherein the another anomalous
activity is detected based on monitored network communications associated with the another user based on another behavior
profile for the another user; and

a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 9,811,665

STATIC AND DYNAMIC SECURITY ANALYSIS OF APPS FOR MOBILE DEVICES

Palo Alto Networks, Inc.,...

14. A method, comprising:
performing static analysis on a mobile device application using a static analysis engine to generate a static analysis report
associated with the application;

performing dynamic analysis of the application using a dynamic analysis engine, wherein the dynamic analysis is customized
based on results of the static analysis, wherein performing dynamic analysis includes emulating a mobile device, wherein performing
dynamic analysis includes simulating an event external to the mobile device, and wherein performing dynamic analysis includes:
(1) performing a first stage of dynamic analysis, (2) initiating a reboot event, and (3) performing a second stage of dynamic
analysis after the reboot event occurs; and

determining whether the application is malicious based at least in part on the dynamic analysis.

US Pat. No. 10,032,026

STATIC AND DYNAMIC SECURITY ANALYSIS OF APPS FOR MOBILE DEVICES

Palo Alto Networks, Inc.,...

13. A method, comprising:
performing static analysis on a mobile device application using a static analysis engine to generate a static analysis report associated with the application, wherein the static analysis engine is configured to perform static analysis on the mobile device application at least in part by evaluating a set of static analysis rules;
performing dynamic analysis of the application using a dynamic analysis engine, wherein the dynamic analysis is customized based on results of the static analysis;
determining whether the application is malicious based at least on the dynamic analysis; and
revising at least one static analysis rule included in the set of static analysis rules based on a result of the dynamic analysis.

US Pat. No. 9,979,739

AUTOMATED FORENSICS OF COMPUTER SYSTEMS USING BEHAVIORAL INTELLIGENCE

Palo Alto Networks (Israe...

1. A method for computer system forensics, comprising:
collecting behavioral intelligence from sensors monitoring traffic passing through network switching elements in a computer network;
based on the collected behavioral intelligence, identifying a plurality of host computers on the network that exhibited an anomalous behavior;
assembling a plurality of respective positive images of the identified plurality of host computers using image information collected with regard to a configuration of software components running on the host computers, by respective monitoring programs running on the host computers;
assembling a plurality of negative images using image information collected with respect to a plurality of host computers not currently exhibiting the anomalous behavior or collected with respect to the at least one host computer prior to the anomalous behavior;
making a comparison between the plurality of positive images and the plurality of negative images using the following criteria:
an exact match, an approximate match, or a probabilistic match; wherein the match is between properties among the assembled positive images; and
a negative match which is between properties that exist in the assembled negative images and do not exist in the assembled positive images; and
based on the comparison, extracting from the positive and negative images a feature of the configuration of the software components that distinguishes between the positive and negative images, to serve as a forensic indicator of the anomalous behavior.

US Pat. No. 9,906,495

NETWORK DEVICE IMPLEMENTING TWO-STAGE FLOW INFORMATION AGGREGATION

Palo Alto Networks, Inc.,...

1. A network security device for processing a plurality of network flows, the network security device comprising:
a flow engine implemented in a hardware processor of the network security device and configured to receive incoming data packets
associated with one or more network flows, the flow engine being configured to process and identify network flows associated
with the received data packets and, based on the identified network flows, to forward the received data packets to respective
packet processors for processing and to separately forward network flow information for statistics processing;

a network flow statistics processing engine implemented in the hardware processor of the network security device and configured
to process the network flow information received from the flow engine and related to the network flows being handled by the
flow engine, the network flow information comprising at least a flow identifier and count information of the received data
packets for each network flow, the network flow statistics processing engine comprising:

a first processing stage configured to store and aggregate network flow information for each network flow handled by the flow
engine on a per-flow basis, the first processing stage exporting the stored network flow information associated with a given
network flow in response to a network flow information data for that network flow exceeding a flow information threshold or
a first elapsed time for that network flow exceeding a flow timeout, the first elapsed time being a time duration from a first
timestamp associated with that network flow and a current time; and

a second processing stage configured to receive the exported network flow information from the first processing stage, the
second processing stage being configured to store the received network flow information on a per-destination basis into a
per-destination storage, each destination being associated with a peer system component in the network security device and
subscribing to the network flow information of one or more network flows, the second processing stage exporting the stored
network flow information to a destination system component associated with a given destination in response to the destination
having accumulated network flow information exceeding an accumulation threshold or a second elapsed time for that destination
exceeding a destination timeout, the second elapsed time being a time duration from a second timestamp associated with that
destination and a current time;

wherein the network flow statistics processing engine provides the network flow information to the subscribing destination
system component of the network security device, the network flow information being used by the destination system component
to perform management functions or to enforce security policy on the incoming data packets at the respective packet processors.

US Pat. No. 9,860,208

BRIDGING A VIRTUAL CLONE OF A TARGET DEVICE IN A HONEY NETWORK TO A SUSPICIOUS DEVICE IN AN ENTERPRISE NETWORK

Palo Alto Networks, Inc.,...

1. A system, comprising:
a processor configured to:
store a plurality of attributes of each of a plurality of devices in a target network environment in a device profile data
store;

receive an identification of a suspicious device in the target network environment, wherein the suspicious device is suspected
of being compromised by malware;

receive an identification of a target device in the target network environment, wherein an internal network communication
is directed from the suspicious device in the target network environment to the target device in the target network environment,
and wherein the target device corresponds to one of the plurality of devices in the target network environment;

instantiate a first virtual clone in a honey network of the target device in the target network environment using a virtual
machine (VM) image selected from a VM image library that is customized based on one or more attributes for the target device
in the device profile data store, wherein the first virtual clone in the honey network emulates the target device to facilitate
interactions with the first virtual clone in the honey network, wherein the target device corresponds to a first device in
the target network environment;

dynamically instantiate a second virtual clone in the honey network corresponding to a second device in the target network
environment using another VM image selected from the VM image library that is customized based on one or more attributes for
the second device in the device profile data store corresponding to the second device in the target network environment, wherein
the first virtual clone and the second virtual clone executed in the instrumented VM environment correspond to the honey network,
and wherein the second virtual clone in the honey network is dynamically instantiated based on one or more logged interactions
between the target device and the second device in the target network environment that were logged using an agent executed
on the target device;

route the internal network communication from the suspicious device in the target network environment to the first virtual
clone in the honey network based on a honey network policy, wherein the honey network includes the first virtual clone and
the second virtual clone, and wherein the virtual clones are executed in an instrumented virtual machine (VM) environment;
and

monitor one or more activities of the virtual clones executed in the instrumented VM environment, wherein the monitored one
or more activities are logged in a honey network log; and

a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 10,044,675

INTEGRATING A HONEY NETWORK WITH A TARGET NETWORK TO COUNTER IP AND PEER-CHECKING EVASION TECHNIQUES

Palo Alto Networks, Inc.,...

1. A system, comprising:
a processor coupled to a memory, wherein the processor is configured to:
generate a device profile data store that includes a plurality of attributes of each of a plurality of devices in a target network environment;
instantiate a virtual clone in a honey network of one or more devices in the target network environment based on a honey network policy and based on one or more attributes for a target device in the device profile data store using a virtual clone manager, wherein the honey network is hosted by a cloud security service;
receive a malware sample at the cloud security service for detonation on the virtual clone for the target device in the honey network, wherein the malware sample is based at least in part on a suspicious network communication destined for the target device in the target network environment that was detected at a firewall device in the target network environment;
detonate the malware sample executed on the virtual clone for the target device in the honey network; and
route an external network communication that is initiated from the malware sample executed on the virtual clone for the target device in the honey network to an external device through the firewall device in the target network environment for proxying the external communication through the target network environment to the external device based on a honey network routing table that provides a mapping between a first IP address of the virtual clone and a second IP address of the target device, wherein the external communication from the malware sample is routed through the firewall device in the target network environment so that the external communication from the malware sample to the external device is from an external IP address assigned to an Internet-facing interface of the firewall device in the target network environment to appear to the external device to be associated with the target network environment as opposed to another IP address associated with the cloud security service facilitating the honey network, wherein the honey network routing table includes IP-based routing rules for integration of the target network environment with the honey network to indicate whether or not a communication from a compromised device to the target device should be redirected to the virtual clone in the honey network if the virtual clone that was previously instantiated is available, and wherein the external device is external to the target network environment and is external to the honey network.

US Pat. No. 9,894,099

AUTOMATICALLY CONFIGURING MOBILE DEVICES AND APPLYING POLICY BASED ON DEVICE STATE

Palo Alto Networks, Inc.,...

9. A method for automatically configuring mobile device settings based on a Host Information Profile (HIP) report, comprising:
receiving a list of known malware and application characteristics from an external service;
receiving the HIP report for a mobile device, wherein the HIP report includes applications installed on the mobile device,
device state information, and device configuration information, wherein the device state information and the device configuration
information both comprise one or more features;

performing a policy match based on the HIP report for the mobile device, comprising:
determining whether the HIP report indicates that one or more features are missing or one or more features are disabled causing
the mobile device to fail the policy match;

determining whether an application installed on the mobile device is found on the list of known malware and application characteristics;
and

in response to a determination that the application installed on the mobile device is found on the list of known malware and
application characteristics:

determining whether the application is found on an exclude list, the exclude list being locally generated by an administrator;
in response to a determination that the application is found on the exclude list, determining that the policy match has not
failed; and

in response to a determination that the application is not found on the exclude list, determining that the policy match has
failed; and

performing an action based on the policy match based on the HIP report for the mobile device, comprising:
in response to a determination that the HIP report matches a first HIP policy, granting access to a network;
in response to a determination that the HIP report matches a second HIP policy:
performing one or more of the following:
automatically installing the one or more missing features or enabling the one or more features on the mobile device in response
to a determination that the policy match has failed when the HIP report indicates that the one or more features are missing
or the one or more features are disabled; or

automatically uninstalling the application installed on the mobile device in response to a determination that the policy match
has failed when the application is found on the list of known malware and application characteristics; and

granting access to a network, the first HIP policy being different from the second HIP policy; and
in response to a determination that the HIP report does not match the first HIP policy or the second HIP policy, refusing
access to the network.

US Pat. No. 9,860,166

STATEFUL PACKET INSPECTION AND CLASSIFICATION

Palo Alto Networks, Inc.,...

13. A method, comprising:
determining, for a first packet associated with a network traffic flow and originating from an application, a first differentiated
services header value (DSHV) to associate with the first packet, wherein the first DSHV is determined based at least in part
by determining a context in which the application is used, and wherein determining the context in which the application is
used includes evaluating a user identifier associated with an originator of the first packet;

using the first DSHV to perform a lookup of a first quality of service treatment associated with the first DSHV and applying
the first quality of service treatment to the first packet;

determining that the context in which the application is used has changed, and in response, determining, for a second packet
associated with the network traffic flow originating from the application, a second DSHV to associate with the second packet,
wherein the second DSHV is different from the first DSHV; and

using the second DSHV to perform a lookup of a second quality of service treatment associated with the second DSHV and applying
the second quality of service treatment to the second packet, wherein the first quality of service treatment and the second
quality of service treatment are different.

US Pat. No. 10,075,461

DETECTION OF ANOMALOUS ADMINISTRATIVE ACTIONS

PALO ALTO NETWORKS (ISRAE...

1. A method for monitoring, comprising:
collecting, by a processor, data regarding activities of a plurality of computers in a computer system;
identifying in the plurality of computers, computers whose users identify as administrators;
identifying programs run by the computers identified as administrative;
generating a list of administrative activities of a plurality of different types, involving access to other computers, responsive to the identified programs and ports used by the identified programs;
identifying in the collected data, activities included in the generated list of administrative activities involving access to other computers;
assigning respective weights to the administrative activities in the generated list responsively to respective frequencies of performance of the administrative activities in the computer system, such that the respective weights decrease as the respective frequencies increase;
determining for each of the identified activities, a target computer of the activity;
establishing, for each of a plurality of computers in the computer system, a respective baseline including the targets accessed by the computer using one or more of the types of administrative activities in the generated list, and the specific types of administrative activities used in accessing each of the targets by the computer;
determining based on the collected data, the administrative activities performed by at least a group of the computers in the system, over a predetermined period, and the corresponding targets of the administrative activities;
determining pairs of the administrative activities and corresponding targets performed over the predetermined period by each of the computers in the group, not included in the respective established baseline of the computer;
computing, by the processor, a score for each of the computers, as a sum of the weights of the determined pairs of the administrative activities and corresponding targets performed by the computer during the predetermined period, that are not in the respective baseline, and deciding that the combination of the administrative activities performed by the computer is anomalous if the score exceeds a predefined threshold; and
upon detecting that a given computer in the system has performed an anomalous combination of administrative activities, initiating an action to inhibit malicious exploitation of the given computer,
wherein the different types of the administrative activities comprise accessing non-existent network addresses and non-existent subnets, and
wherein assigning the respective weights comprises calculating a respective weight for each type of administrative activity in inverse proportion to a number of the computers performing the administrative activity.

US Pat. No. 10,075,472

POLICY ENFORCEMENT USING HOST INFORMATION PROFILE

Palo Alto Networks, Inc.,...

1. A system, comprising:
a client device configured to:
send queries to a plurality of gateways;
receive responses from the plurality of gateways; and
select a gateway to send network traffic based on a response time for receiving a response; and
a hardware processor of the selected gateway configured to:
establish a secure connection between the selected gateway and the client device, wherein the client device, based on availability and using a prioritized attempt sequence, geography, work load, user group, device type, or any combination thereof, selects, from a plurality of gateways, the selected gateway for communication with an enterprise network, wherein the client device is located outside of the enterprise network, and wherein the selected gateway is located within the enterprise network;
receive a host information profile report from the client device, wherein the host information profile report includes device profile information associated with the client device;
determine a user name relating to the client device, wherein the user name is associated with an Internet Protocol (IP) address of the client device;
identify an application generating network traffic from the client device, wherein the network traffic involves Hypertext Transfer Protocol (HTTP) traffic, File Transfer Protocol (FTP) traffic, a Domain Name System (DNS) request, unknown traffic, or any combination thereof;
match the host information profile report from the client device with a host information profile of a plurality of host information profiles, wherein the plurality of host information profiles include a first host information profile and a second host information profile and are configured by an administrator, the first host information profile is different from the second host information profile; and
enforce a security policy for network access based on the determined user name, the identified application, the host information profile report, and whether the host information profile report matches the host information profile, wherein the host information profile report includes a) device hardware information including a type of device, a general processor, a network processor, or any combination thereof, b) device software information including an operating system identifier, an operating system patch level, a security application, security data file level, and date of last scan performed by the security application, or any combination thereof, and c) the device software information including remediation information, or any combination thereof, wherein the host information profile report includes device location information for identifying whether the client device is in a trusted zone or an untrusted zone, and wherein the enforcing of the security policy for network access comprises to:
determine that the host information profile report matches the first host information profile report, the second host information profile report, or neither;
in response to a determination that the host information profile report matches the first host information profile report or the second host information profile report, select a first security policy or a second security policy depending on whether the host information profile report is associated with the first host information profile report or the second host information profile report, respectively, the first security policy being different from the second security policy, wherein the first security policy allows access to a first set of network services, and wherein the second security policy allows access to a second set of network services; and
in response to a determination that the host information profile report does not match the first host information profile report or the second host information profile report, select a third security policy, the third security policy denying access to all network services; and
a memory coupled to the hardware processor and configured to provide the hardware processor with instructions.

US Pat. No. 9,979,742

IDENTIFYING ANOMALOUS MESSAGES

Palo Alto Networks (Israe...

1. A method for computer system forensics, comprising:
monitoring traffic passing through network switching elements in a computer network comprising multiple host computers;
identifying an anomalous message in the monitored traffic passing through network switching elements;
defining a filter responsive to the identified anomalous message;
transmitting the filter to respective monitoring programs running on the multiple host computers;
monitoring messages transmitted by the multiple host computers, by the respective monitoring programs, so as to detect messages matching the defined filter;
detecting, by the respective monitoring programs on the multiple host computers, for each message matching the defined filter, a respective process that initiated the message;
sampling by a forensic analyzer of the computer network from the multiple host computers, lists of messages matching the defined filter and corresponding processes that initiated the message;
responsively to the sampled lists from the multiple host computers, extracting a forensic indicator characteristic of the respective processes that initiated the matching messages; and
applying preventive actions to processes matching the extracted forensic indicator, on the multiple host computers.

US Pat. No. 9,807,182

DETERMINATION OF USER REPUTATION REGARDING DATA OBJECT EXPOSURE IN CLOUD COMPUTING ENVIRONMENTS

Palo Alto Networks, Inc.,...

1. A method of determining user reputation regarding data object exposure in a cloud computing environment, comprising:
in a reputation analysis system, using at least one Application Programming Interface (API) call to execute code in the cloud
computing environment that instructs the cloud computing environment on behalf of the reputation analysis system to transfer
information regarding behavior of a user in the cloud computing environment to the reputation analysis system either periodically
or upon at least one trigger;

in the reputation analysis system, receiving the information from the cloud computing environment;
analyzing the information to determine a plurality of exposure characteristics for the user, wherein each exposure characteristic
of the plurality of exposure characteristics comprises one or more items of the information that indicate exposure of a plurality
of data objects associated with the user and include one or more of a number of container objects created by the user, a number
of objects created by the user in the cloud computing environment, and a ratio of the number of container objects created
by the user to a number of non-container objects created by the user, and wherein the exposure of the plurality of data objects
comprises accessibility of the plurality of data objects beyond what is desired by an interested party to the plurality of
data objects; and

determining a reputation of the user for exposing the plurality of data objects in the cloud computing environment based on
the plurality of exposure characteristics.

US Pat. No. 9,762,543

USING DNS COMMUNICATIONS TO FILTER DOMAIN NAMES

Palo Alto Networks, Inc.,...

14. A system, comprising:
a processor configured to:
receive a DNS (Domain Name System) request;
extract a domain name from the received DNS request;
determine based on a policy that access to the domain name is not permitted; and
block the DNS request from being transmitted to any DNS server;
wherein the policy is applied at the DNS communications stage and before the DNS request is transmitted to any DNS server
and wherein to determine based on the policy that access to the domain name is not permitted comprises to determine that the
domain name is unknown; and

a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 9,634,992

PROBABILISTIC DUPLICATE DETECTION

Palo Alto Networks, Inc.,...

1. A system, comprising:
an interface configured to receive a first unclassified uniform resource locator (URL);
a processor configured to:
initialize an originally primary bloom filter;
initialize a secondary bloom filter;
in response to receiving a “no match” result from querying the primary bloom filter for the received first unclassified URL,
perform insert operations on both the originally primary bloom filter and the secondary bloom filter; and

at a time subsequent to inserting the first unclassified URL into both the originally primary and secondary bloom filters,
designate the secondary bloom filter as a replacement primary, wherein the designation is made in response to a determination
that a current false positive rate associated with the originally primary bloom filter exceeds a threshold
and wherein the current false positive rate associated with the originally primary bloom filter is larger than an original
false positive rate associated with the originally primary bloom filter; and

a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 9,537,891

POLICY ENFORCEMENT BASED ON DYNAMICALLY ATTRIBUTE-BASED MATCHED NETWORK OBJECTS

Palo Alto Networks, Inc.,...

1. A system, comprising:
a processor configured to:
receive a policy that includes an address group object, wherein the address group object abstracts a set of computing assets;
compile the policy into a set of one or more rules, at least in part by substituting, for the address group object, a set
of one or more IP addresses of computing assets determined to be members of an address group corresponding to the address
group object, wherein determining the members of the address group includes querying a set of one or more repositories of
computing asset information using a set of match criteria, wherein at least one criterion in the set of match criteria pertains
to a characteristic of a computing asset;

determine, based at least in part on a detected change to the address group, that at least one rule included in the set of
rules should be recompiled;

in response to the determination, perform a recompilation, including by substituting a first IP address in an out-of-date
rule for a second IP address to create an updated rule; and

enforce the updated rule at least one rule; and
a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 9,916,443

DETECTING AN ATTEMPT TO EXPLOIT A MEMORY ALLOCATION VULNERABILITY

Palo Alto Networks, Inc.,...

1. A system for detecting an attempt to exploit a memory allocation vulnerability, comprising:
a processor configured to:
receive a malware sample;
monitor an array operation performed by the malware sample using a memory monitoring component; and
determine whether the array operation performed by the malware sample is suspicious, comprising to:
perform three or more of the following:
A) determine whether a vector size associated with the array operation exceeds a predefined threshold; and
in response to a determination that the vector size exceeds the predefined threshold, determine that the malware sample is
suspicious;

B) compare a vector size associated with the array operation with a corresponding vector size in a size record; and
in response to a determination that the vector size associated with the array operation does not match the corresponding vector
size in the size record, determine that the malware sample is suspicious;

C) compare a structure hash on the array operation with a previously calculated structure hash; and
in response to a determination that the structure hash on the array operation does not match the previously calculated structure
hash, determine that the malware sample is suspicious; or

D) append a cookie at an end of an allocated buffer;
compare a pre-stored value associated with the cookie with a current value of the cookie during the array operation; and
in response to a determination that the pre-stored value associated with the cookie does not match the current value of the cookie
during the array operation, determine that the malware sample is suspicious; and

a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 9,838,356

ENCRYPTED PEER-TO-PEER DETECTION

Palo Alto Networks, Inc.,...

23. A method, comprising:
monitoring a network traffic sent from a first client to determine whether the first client is executing a peer-to-peer application;
and

generating a network traffic, using a processor, emulating peer-to-peer network traffic sent from the peer-to-peer application
executing on the first client to a second client after detecting an unknown network traffic sent from the first client to
the second client, wherein generating the network traffic emulating the peer-to-peer network traffic comprises:

sending, to the second client, the emulated peer-to-peer network traffic identifying non-existent peers or spoofed peers,
wherein the emulated peer-to-peer network traffic identifying the non-existent peers or the spoofed peers indicates that the
emulated peer-to-peer network traffic originated from a non-existent peer.

US Pat. No. 9,742,796

AUTOMATIC REPAIR OF CORRUPT FILES FOR A DETONATION ENGINE

Palo Alto Networks, Inc.,...

1. A system for automatic repairing of malware sample files for a detonation engine, comprising:
a processor; and
a memory coupled with the processor, wherein the memory is configured to provide the processor with instructions which when
executed cause the processor to:

receive a malware sample from a network device;
determine whether the malware sample includes a corrupt file, wherein the corrupt file fails to execute in a target execution
environment; and

in an event that the malware sample is determined to include the corrupt file, repair the corrupt file for the detonation
engine, comprising to:

perform the following:
A) determine whether the corrupt file includes a portable executable file, comprising to:
determine that header information of the portable executable file indicates that a file length of the portable executable
file is different from an actual file length of the portable executable file to determine that the corrupt file includes the
portable executable file; and

in the event that the corrupt file includes the portable executable file,
add data to the portable executable file in order for the file length of the header information of the portable executable
file to match the actual file length of the portable executable file;

B) determine whether the corrupt file includes a Microsoft Office formatted file; and
in the event that the corrupt file includes the Microsoft Office formatted file, fix a page count in a header;
C) determine whether the corrupt file includes a portable document format file; and
in the event that the corrupt file includes the portable document format file, replace a missing terminator or a missing end
of file;

D) determine whether the corrupt file includes a zip formatted file; and
in the event that the corrupt file includes the zip formatted file, recreate a central directory that is located at an end
of the zip formatted file; and

E) determine whether the corrupt file includes a Hypertext Markup Language (HTML) formatted file; and
in the event that the corrupt file includes the HTML formatted file, add a missing terminator;
allow the malware sample to be executed in an instrumented virtual environment using the detonation engine; and
determine that the malware sample includes the corrupt file during a dynamic analysis of the malware sample based on a failed
attempt to detonate the malware sample using the detonation engine.

US Pat. No. 9,716,727

GENERATING A HONEY NETWORK CONFIGURATION TO EMULATE A TARGET NETWORK ENVIRONMENT

Palo Alto Networks, Inc.,...

1. A system, comprising:
a processor configured to:
receive a network scan survey of a target network;
generate a honey network configuration to emulate the target network using the network scan survey of the target network,
wherein generating the honey network configuration includes generating a trigger table; and

execute a honey network using the honey network configuration, wherein executing the honey network using the honey network
configuration includes determining a set of responses for each of a plurality of devices on the target network and each service
in response to probes received from a scanning tool using the trigger table, wherein the trigger table includes a set of data
that indicates responses used by the scanning tool to identify a device type, an operating system (OS) type and OS version,
and/or a service provided by a device; and

a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 9,560,072

DISCOVERING AND SELECTING CANDIDATES FOR SINKHOLING OF NETWORK DOMAINS

Palo Alto Networks, Inc.,...

1. A system for discovering and selecting candidates for sinkholing of network domains, comprising:
a hardware processor configured to:
collect passive DNS data from a plurality of security devices to discover candidates for sinkholing of domain names;
select one or more domain names that are most commonly queried by distinct client devices based on the passive DNS data, wherein
each of the one or more domain names is not yet registered, wherein the selecting of the one or more domain names that are
most commonly queried comprises to:

rank commonly queried domain names based on number of queries by the distinct client devices; and
select N most commonly queried domain names to obtain the one or more domain names, N being an integer greater than zero;
apply a Domain Generation Algorithm (DGA) filter to remove any DGA generated domain names from the candidates for sinkholing
of domain names, wherein the DGA filter includes a plurality of DGA generated domain names based on an emulated analysis of
malware, wherein the applying of the DGA filter comprises to:

determine whether a domain name of the one or more domain names has not been queried by at least a threshold number of distinct
hosts, the distinct hosts corresponding to unique IP addresses; and

in the event that the domain name of the one or more domain names has not been queried by at least the threshold number of
distinct hosts, remove the domain name from the one or more domain names; and

automatically register each of the one or more domain names with a domain registry to a sinkholed IP address in order to sinkhole
each of the one or more domain names; and

a memory coupled to the hardware processor and configured to provide the hardware processor with instructions.

US Pat. No. 10,027,709

GENERATING A HONEY NETWORK CONFIGURATION TO EMULATE A TARGET NETWORK ENVIRONMENT

Palo Alto Networks, Inc.,...

1. A system, comprising:
a hardware processor configured to:
receive a network scan survey of a target network;
generate a honey network configuration to emulate the target network using the network scan survey of the target network, wherein generating the honey network configuration includes generating a trigger table based on the honey network configuration for emulating at least a subset of the target network;
execute the honey network using the honey network configuration, wherein executing the honey network using the honey network configuration includes determining a set of responses for each of a plurality of devices on the target network and each service in response to probes received from a scanning tool using the trigger table, wherein the trigger table includes a set of data that indicates responses used by the scanning tool to identify a device type, an operating system (OS) type and OS version, and a service provided by a device;
receive a probe from the scanning tool sent to an IP address that is in the honey network;
generate a response to the probe using the trigger table based on the honey network configuration; and
send the response to the scanning tool, wherein the scanning tool is unable to detect that the response is associated with an emulated device and/or an emulated service in the honey network; and
a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 9,992,214

GENERATING MALWARE SIGNATURES BASED ON DEVELOPER FINGERPRINTS IN DEBUG INFORMATION

Palo Alto Networks, Inc.,...

1. A system, comprising:
a processor configured to:
receive a sample, wherein the sample includes a binary executable file;
match one or more paths in content of the binary executable file based on a plurality of patterns, comprising to:
extract a first string from the binary executable file, wherein the first string relates to debug information of the binary executable file;
determine whether a path associated with the first string matches a pattern of the plurality of patterns, the pattern including a regular expression; and
in response to a determination that the path matches the pattern, determine that the path is a matched path;
extract meta information from the one or more matched paths, comprising to:
parse a second string associated with the one or more matched paths to obtain the meta information, wherein the meta information is obtained from the second string itself, a subset of the second string, or both; and
automatically generate a signature based on the extracted meta information; and
a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 9,904,792

INHIBITION OF HEAP-SPRAY ATTACKS

PALO ALTO NETWORKS, INC, ...

1. A method for protecting a computer having a memory, the method comprising:
identifying potential NOP-sled target addresses in a heap within the memory; and
using a security program module running on the computer, before a predetermined user-level process can be loaded, preallocating
blocks of the heap for use by the predetermined user-level process, the blocks containing the identified target addresses
so as to prevent exploitation of the identified target addresses by a heap-spray attack.

US Pat. No. 9,800,491

APPLICATION BASED PACKET FORWARDING

Palo Alto Networks, Inc.,...

1. A system for processing packets at a network device, comprising:
a processor configured to:
receive a plurality of packets associated with a flow, wherein one or more of the plurality of packets has associated header
data and content;

identify an application associated with the flow based on a content of two or more first packets in the plurality of packets,
wherein none of the first packets is addressed to the network device, and wherein identifying the application includes performing
an analysis on the content of the two or more of the first packets; and

determine a forwarding destination is a first destination for one or more second packets associated with the flow based on
the application associated with the flow using an application based policy, wherein the application based policy indicates
that the one or more second packets are forwarded to the first destination and a non-application based policy indicates that
the one or more second packets are forwarded to a second destination, and wherein the network device is configured with a
rule that the application based policy has preference over the non-application based policy; and

forward the one or more second packets to the first destination; and
a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 9,531,672

NETWORK DEVICE IMPLEMENTING TWO-STAGE FLOW INFORMATION AGGREGATION

Palo Alto Networks, Inc.,...

1. A network security device for processing a plurality of network flows, the network security device comprising:
a flow engine implemented in a hardware processor of the network security device and configured to receive incoming data packets
associated with one or more network flows, the flow engine being configured to process and identify network flows associated
with the received data packets;

a network flow statistics processing engine implemented in the hardware processor of the network security device and configured
to process network flow information received from the flow engine and related to the network flows being handled by the flow
engine, the network flow information including a flow identifier, a packet count, and a byte count of the received data packets
for each network flow, the network flow statistics processing engine comprising:

a first processing stage configured to store and aggregate network flow information for each network flow handled by the flow
engine on a per-flow basis, the first processing stage exporting the stored network flow information associated with a given
network flow in response to a network flow information data for that network flow exceeding a flow information threshold or
a first elapsed time for that network flow exceeding a flow timeout, the first elapsed time being a time duration from a first
timestamp associated with that network flow and a current time; and

a second processing stage configured to receive the exported network flow information from the first processing stage, the
second processing stage being configured to store the received network flow information on a per-destination basis into a
per-destination storage including a plurality of memory queues, wherein each memory queue in the plurality of memory queues
is assigned to a destination, the destination being a peer system component in the network security device subscribing to
the network flow information associated with the one or more network flows, the second processing stage exporting the stored
network flow information to a destination system component associated with a given destination in response to the destination
having accumulated network flow information exceeding an accumulation threshold or a second elapsed time for that destination
exceeding a destination timeout, the second elapsed time being a time duration from a second timestamp associated with that
destination and a current time;

wherein the network flow statistics processing engine provides the network flow information to the destination system component
of the network security device, the network flow information being used by the destination system component to perform management
functions or to enforce security policy on the incoming data packets.

US Pat. No. 10,135,864

LATENCY-BASED POLICY ACTIVATION

Palo Alto Networks, Inc.,...

1. A system for latency-based policy activation, comprising:
a processor of a network device configured to:
collect a plurality of latency measures associated with monitored network communications;
correlate the plurality of latency measures associated with the monitored network communications to detect anomalous network activity based on a profile, comprising to:
determine whether a latency of a specific application function exceeds a predetermined threshold; and
in response to a determination that the latency of the specific application function exceeds the predetermined threshold, determine that the latency of the specific application function is abnormal; and
perform a mitigation response to the anomalous network activity based on a policy; and
a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 10,051,001

EFFICIENT AND SECURE USER CREDENTIAL STORE FOR CREDENTIALS ENFORCEMENT USING A FIREWALL

Palo Alto Networks, Inc.,...

1. A system for a credentials store for credentials enforcement using a firewall, comprising:
a processor of a network device configured to:
receive a plurality of user credentials from an authentication server;
transform the plurality of user credentials for storage at the network device, comprising to:
transform the plurality of user credentials into a bloom filter; and
store the plurality of user credentials in a cache on the network device, wherein network traffic is monitored at the network device to perform credentials enforcement based on one or more of the plurality of user credentials, wherein the bloom filter is stored in the cache;
monitor network communications between a client and an external site;
determine if the client sends a request that includes user credentials for authentication at the external site using the bloom filter; and
perform an action in response to a determination that the client sent the request that includes user credentials for authentication at the external site that match one or more of the plurality of user credentials stored at the network device, wherein the action includes activating an additional authentication request based on a two-factor authentication when an attempt to access a protected resource is detected; and
a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 10,013,556

DEDUPLICATING MALWARE

Palo Alto Networks, Inc.,...

1. A system, comprising:
a processor; and
a memory coupled with the processor and configured to provide the processor with instructions which when executed cause the processor to:
set a first virtual guest clock to a first time value in a first virtual machine instance, and execute a first malware sample in the first virtual machine instance;
set a second virtual guest clock to the first time value in a second virtual machine instance, and execute a second malware sample in the second virtual machine instance;
perform a comparison of attempted domain contacts generated by executing each of the respective first and second malware samples; and
determine that the first malware sample and second malware sample are related, based at least in part on a result of the comparison.

US Pat. No. 10,003,574

PROBABILISTIC DUPLICATE DETECTION

Palo Alto Networks, Inc.,...

8. A system, comprising:
a processor configured to:
initialize a first bloom filter for tracking probabilistic receipt of data strings at a security appliance, including by designating the first bloom filter as authoritative;
initialize a second bloom filter, wherein the second bloom filter is initially not designated as authoritative;
receive a first data string and perform a first insertion operation on the first bloom filter, using the first data string;
at a time subsequent to receiving the first data string, receive a second data string, and perform a second insertion operation, wherein the second insertion operation is performed, respectively, on both the first bloom filter and the second bloom filter, using the second data string, and wherein the first bloom filter is designated as authoritative and the second bloom filter is not designated as authoritative at a time when the second insertion operation is performed;
in response to a first triggering event occurring, designate the second bloom filter as authoritative; and
receive a third data string and perform a third insertion operation, wherein the third insertion operation is performed on the second bloom filter; and
a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 10,003,608

AUTOMATED INSIDER THREAT PREVENTION

Palo Alto Networks, Inc.,...

1. A system for automated insider threat prevention, comprising:
a processor of a network device configured to:
monitor network communications at the network device, wherein monitor network communications at the network device comprises:
monitor encrypted network communications between a client device and an external site, wherein the encrypted network communications are encrypted using a first protocol;
decrypt the encrypted network communications between the client device and the external site; and
determine if the encrypted network communications between the client device and the external site include a file transfer activity from the client device to the external site;
detect a plurality of anomalous file transfer activities based on the monitored network communications associated with a user based on a behavior profile for the user, wherein the monitored network communications associated with the user include the file transfer activity from the client device to the external site, and wherein the file transfer activity from the client device to the external site is determined to be an anomalous activity based on the behavior profile for the user; and
perform an action in response to the plurality of anomalous file transfer activities based on a policy; and
a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 10,003,616

DESTINATION DOMAIN EXTRACTION FOR SECURE PROTOCOLS

Palo Alto Networks, Inc.,...

1. A system for destination domain extraction for secure protocols, comprising:
a processor configured to:
monitor network communications between a client and a remote server;
determine if a resumed session of a secure connection has occurred, wherein the resumed session omits including a public certificate sent from the remote server;
extract a destination domain from the resumed session to resume the secure connection with the remote server, comprising to:
extract the destination domain from a server name indication (SNI) of a client hello message sent from the client to the remote server, comprising to:
identify the SNI from the client hello message by parsing handshaking traffic for setting the resumed session between the client and the remote server; and
resume the secure connection based on the extracted destination domain without requiring decryption of the secure connection; and
a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 9,996,695

DYNAMIC MALWARE ANALYSIS OF A URL USING A BROWSER EXECUTED IN AN INSTRUMENTED VIRTUAL MACHINE ENVIRONMENT

Palo Alto Networks, Inc.,...

1. A system, comprising:
a processor configured to:
receive a Uniform Resource Locator (URL) sample for dynamic malware analysis using a browser executed in an instrumented virtual machine environment executed on the processor; and
dynamically determine a period of time allocated for performing the dynamic malware analysis of the URL sample using the browser executed in the instrumented virtual machine environment, wherein the URL sample is rendered using the browser executed in the instrumented virtual machine environment and monitored using the instrumented virtual machine environment for the period of time allocated for performing the dynamic malware analysis of the URL sample, wherein the determining of the period of time allocated for performing the dynamic malware analysis of the URL sample comprises to:
determine, using the browser executed in the instrumented virtual machine environment, whether the URL sample is waiting for a user interface (UI) event to trigger one or more functions that are triggered in response to the UI event; and
in response to a determination that the URL sample is waiting for the UI event, generate, using the browser executed in the instrumented virtual machine environment, the UI event without delay to trigger the one or more functions that are triggered in response to the generated UI event, the UI event including OnClick, OnMouseMove, OnKeyDown, OnKeyUp, or any combination thereof, the one or more functions being associated with the URL sample; and
a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 9,917,852

DGA BEHAVIOR DETECTION

Palo Alto Networks, Inc.,...

1. A system for Domain Generation Algorithm (DGA) behavior detection, comprising:
a processor of a security device configured to:
receive passive Domain Name System (DNS) data that comprises a plurality of DNS responses; and
apply a signature to the passive DNS data to detect DGA behavior, wherein applying the signature to the passive DNS data to detect
DGA behavior further comprises to:

parse each of the plurality of DNS responses to determine whether one or more of the plurality of DNS responses correspond
to a non-existent domain (NXDOMAIN) response, comprising to:

determine whether a length of a top-level domain (TLD) of a domain name associated with a DNS response is equal to zero or
is greater than three, the DNS response corresponding to the NXDOMAIN response; and

in response to a determination that the length of the TLD is equal to zero or is greater than three, disregard the DNS response
with respect to the DGA behavior; and

a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 9,882,929

DYNAMIC SELECTION AND GENERATION OF A VIRTUAL CLONE FOR DETONATION OF SUSPICIOUS CONTENT WITHIN A HONEY NETWORK

Palo Alto Networks, Inc.,...

1. A system for dynamic selection and generation of detonation location of suspicious content with a honey network, comprising:
a computer comprising a processor and further comprising:
a VM instance launcher executed on the processor that launches a first virtual clone in the honey network of a target device
of a plurality of devices in an enterprise network, wherein a malware sample received from the enterprise network was destined
for the target device, and wherein the first virtual clone has one or more attributes that are synchronized with one or more
attributes of the target device in the enterprise network so that the malware sample would detect that the virtual clone has
previously observed and/or expected attributes associated with the target device, and wherein the VM instance launcher executed
on the processor dynamically launches a second virtual clone in the honey network of a second device of the plurality of devices
in the enterprise network based on one or more logged interactions between the target device and the second device in the
enterprise network that were logged using an agent executed on the target device wherein the second virtual clone in the honey
network is instantiated to emulate the second device in the enterprise network to facilitate interactions in the honey network
between the first virtual clone that corresponds to the target device and the second virtual clone that corresponds to the
second device;

a virtual machine (VM) instance manager executed on the processor that manages a plurality of virtual clones including the
first virtual clone and the second virtual clone executed in an instrumented VM environment, wherein the plurality of virtual
clones executed in the instrumented VM environment correspond to the honey network that emulates the plurality of devices
including the target device in the enterprise network, and wherein each of the plurality of virtual clones in the honey network
have one or more attributes that are synchronized with one or more attributes of a corresponding device of the plurality of
devices in the enterprise network; and

an intelligent malware detonator executed on the processor that receives at the honey network the malware sample from the
enterprise network, wherein the malware sample includes suspicious content, and wherein the malware sample was destined for
the targeted device of the plurality of devices in the enterprise network, and the intelligent malware detonator detonates
the malware sample in the first virtual clone of the plurality of virtual clones executed in the instrumented VM environment,
and wherein one or more activities of the detonated malware sample are monitored in the instrumented VM environment and logged
in a honey network log.

US Pat. No. 9,800,697

L2/L3 MULTI-MODE SWITCH INCLUDING POLICY PROCESSING

Palo Alto Networks, Inc.,...

1. A method for forwarding data packets in a computer network, the method comprising:
receiving a data packet;
examining the data packet using a processor to classify the data packet including classifying the data packet as a layer 2
(L2) or layer 3 (L3) packet;

determining a destination zone, but not a source zone, associated with the classified data packet, wherein the destination
zone is associated with at least one policy rule, and wherein a policy includes one or more policy rules that are indexed
by the destination zone;

performing a policy look-up based on the destination zone to determine one or more policies;
processing the classified data packet in accordance with the one or more determined policies including:
performing content based pattern matching on the classified data packet;
setting up a session if the classified data packet is associated with a new flow; and
forwarding or performing other processing on the classified data packet to an intended destination if the determined policies
permit based on the destination zone and content based pattern matching, wherein the other processing on the classified data
packet includes logging information about the classified data packet, holding the classified data packet, setting an alarm,
dropping the classified data packet, modifying the classified data packet, dropping or banning an entire flow associated with
the classified data packet, or any combination thereof.

US Pat. No. 9,762,538

FLOW OWNERSHIP ASSIGNMENT IN A DISTRIBUTED PROCESSOR SYSTEM

Palo Alto Networks, Inc.,...

1. A security device that includes a hardware processor coupled to memory for processing a plurality of network flows, comprising:
a first packet processor and a second packet processor each configured to receive incoming data packets associated with one
or more network flows, at least one of the first and second packet processors being assigned as an owner of one or more network
flows, and each packet processor processing data packets associated with network flows for which it is the assigned owner
and each network flow being assigned to only one owner packet processor, each owner packet processor processing data packets
associated with a network flow to enforce a security policy;

a packet processing manager configured to assign ownership of network flows to the first or second packet processor, the packet
processing manager comprising a global flow table containing entries mapping network flows to packet processor ownership assignments;
and

a switching fabric in communication with the first and second packet processors and the packet processing manager,
wherein in response to the packet processing manager receiving a first data packet belonging to a first network flow for which
no entry for the first network flow is found in the global flow table, the packet processing manager assigns the first packet
processor as an owner of the first network flow, and informs the first packet processor of the ownership assignment, and the
second packet processor learns of ownership assignments of network flows from the packet processing manager as data packets
are being received and the second packet processor forwards received data packets belonging to the first network flow to the
first packet processor for processing; and

wherein in response to assigning the first network flow to the first packet processor, the packet processing manager adds
an entry to the global flow table mapping the first network flow to the first packet processor as the owner of the first network
flow, the entry being in a tentative state.

US Pat. No. 9,762,608

DETECTING MALWARE

Palo Alto Networks, Inc.,...

1. A system, comprising:
an interface configured to:
receive a candidate malware potentially including at least one malicious element;
a processor configured to:
execute the candidate malware using a virtualized environment;
determine that the candidate malware, while executing using the virtualized environment, has performed at least one anti-virtual
machine action, wherein the at least one anti-virtual machine action comprises: (1) an attempt to detect whether the virtualized
environment has been hotpatched; and (2) an attempt to revert a hotpatch applied in the virtualized environment; and

in response to the determination that the candidate malware, while executing using the virtualized environment, has taken
at least one anti-virtual machine action, generate as output an alert that the candidate malware is malicious; and

a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 9,705,919

SECURITY POLICY ENFORCEMENT FOR MOBILE DEVICES BASED ON DEVICE STATE

Palo Alto Networks, Inc.,...

8. A method for a security device that provides network-based security for mobile devices based on device state, comprising:
receiving a Host Information Profile (HIP) report for a mobile device from a mobile device management (MDM) service at the
security device, wherein the HIP report includes device state information for the mobile device, and wherein the HIP report
for the mobile device includes configuration information of the mobile device, the configuration information of the mobile
device including a list of installed malware apps;

applying a policy based on the HIP report for the mobile device, comprising:
comparing a first app included in the list of installed malware apps with a second app in an exclude list; and
in the event that the first app included in the list of installed malware apps matches with the second app in the exclude
list, omitting applying the policy; and

performing access control at the security device based on the policy based on the HIP report for the mobile device.

US Pat. No. 9,667,544

SECURITY DEVICE IMPLEMENTING FLOW LOOKUP SCHEME FOR IMPROVED PERFORMANCE

Palo Alto Networks, Inc.,...

1. A security device performing flow classification and storing flow information in a flow table, the security device comprising:
a flow engine configured to receive incoming data packets and to generate a flow key identifying a flow to which the received
data packet belongs, the flow engine further configured to apply a hash function to the flow key to generate a flow hash value
and an entry hash value, the hash function comprising first and second orthogonal hash functions, wherein the flow engine
is configured to apply the first and second orthogonal hash functions to the flow key to generate the flow hash value from
the first orthogonal hash function and to generate the entry hash value from the second orthogonal hash function, the flow
hash value and the entry hash value being independent and orthogonal to each other;

a hash map table including N buckets where each bucket includes W entries, each entry storing a stored entry hash value, the
hash map table being indexed by the flow hash value and an entry index value is derived from the entry hash value; and

a flow data table including N buckets where each bucket includes W entries, each entry storing a flow record associated with
a flow of the incoming data packets, each flow record including a flow key with an associated flow attribute, the flow data
table being indexed by the flow hash value and the entry index value to return at least a retrieved flow key from the flow
record in the indexed entry,

wherein the flow hash value is used to index a specific bucket in the hash map table and the flow data table, the entry hash
value is used to derive an entry index value in the indexed bucket in the hash map table, and the entry index value is used
to index a specific entry in the indexed bucket of the flow data table in which a flow record associated with the received
data packet is stored.

US Pat. No. 9,565,097

APPLICATION BASED PACKET FORWARDING

Palo Alto Networks, Inc.,...

1. A network device for processing packets, the network device comprising a processor, and the network device further comprising:
an interface for receiving a plurality of packets associated with a flow, one or more of the plurality of packets having associated
header data and content;

a multi-mode classification engine in communication with the interface, the multi-mode classification engine comprising a
header classification engine for identifying an application associated with the flow based on a content of two or more first
packets in the plurality of packets, wherein none of the first packets is addressed to the network device, and wherein identifying
the application includes performing an analysis on the content of the two or more of the first packets; and

a routing engine in communication with the multi-mode classification engine, the routing engine comprising an application
based routing engine for determining a forwarding destination for one or more second packets associated with the flow based
on the application associated with the flow using an application based policy and a non-application based policy, wherein
if the application based policy indicates that the one or more second packets are forwarded to a first destination and the
non-application based policy indicates that the one or more second packets are forwarded to a second destination, and wherein
the network device is configured with a rule indicating whether to give a preference to the application based policy or to
the non-application based policy, then the network device applies the rule to determine whether to forward the one or more
second packets to the first destination or to the second destination as the forwarding destination, and forwarding the one
or more second packets according to the determined forwarding destination using the interface.

US Pat. No. 10,110,563

REDUCTION AND ACCELERATION OF A DETERMINISTIC FINITE AUTOMATON

Palo Alto Networks, Inc.,...

1. A system, comprising:
a processor configured to:
receive an input value for a deterministic finite automaton, wherein the deterministic finite automaton is reduced by translating the deterministic finite automaton into a bitmap table, a rule table, and a default state table;
perform a reduced deterministic finite automaton lookup using a lookup key, wherein the lookup key comprises a current state and the input value, comprising to:
perform a lookup in the bitmap table using the lookup key to determine whether to obtain a next state from the default state table or from the rule table, comprising to:
determine whether the bitmap table returns a default state or a valid state using the lookup key, the default state corresponding to a most commonly occurring next-state pointer, the default state being different from the valid state; and
in response to a determination that the bitmap table returns the valid state, determine that the next state is to be obtained from the rule table; and
determine the next state based on the lookup key, comprising to:
in response to a determination that the next state is to be obtained from the rule table, obtain the next state from the rule table based on the lookup key; and
a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 10,104,128

AUTOMATICALLY CONFIGURING MOBILE DEVICES AND APPLYING POLICY BASED ON DEVICE STATE

Palo Alto Networks, Inc.,...

1. A system for automatically configuring mobile devices and applying policies based on a Host Information Profile (HIP) report, comprising:
a processor configured to:
receive a list of known malware and application characteristics from an external service;
receive the Host Information Profile (HIP) report for a mobile device, wherein the HIP report includes applications installed on the mobile device, device state information, and device configuration information, wherein the device state information and the device configuration information both comprise one or more features;
perform a policy match based on the HIP report for the mobile device, comprising to:
determine whether the HIP report indicates that one or more features are missing or one or more features are disabled causing the mobile device to fail the policy match;
determine whether an application installed on the mobile device is found on the list of known malware and application characteristics;
determine whether the HIP report from the mobile device matches with a first host information profile or a second host information profile;
determine a security policy based on a host information profile that matches the HIP report, the security policy being associated with a first security policy or a second security policy, the first host information profile being different from the second host information profile, the first security policy including granting access to a first enterprise resource, the second security policy including granting access to a second enterprise resource; and
in response to a determination that the security policy does not match the first host information profile or the second host information profile, determine that the security policy includes denying access to enterprise resources; and
perform an action based on the policy match based on the HIP report for the mobile device, comprising to:
in response to a determination that the HIP report matches a first security policy, grant access to a first enterprise resource; and
in response to a determination that the HIP report matches a second security policy:
perform one or more of the following:
 automatically install the one or more missing features or enable the one or more features on the mobile device in response to a determination that the policy match has failed when the HIP report indicates that the one or more features are missing or the one or more features are disabled; or
 automatically uninstall the application installed on the mobile device in response to a determination that the policy match has failed when the application is found on the list of known malware and application characteristics; and
grant access to a second enterprise resource, the first security policy being different from the second security policy; and
a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 10,097,418

DISCOVERING NETWORK NODES

Palo Alto Networks, Inc.,...

1. A method for discovering nodes of a network, comprising:
sending to a multicast group of the network an Internet Protocol multicast packet that requires a receiver of the packet to provide a response packet, wherein the response packet is required to be provided as a direct reply to the Internet Protocol multicast packet and the Internet Protocol multicast packet specifies an invalid option that requires a recipient to provide the response packet in direct reply to the Internet Protocol multicast packet;
receiving a plurality of Internet Control Message Protocol replies from all nodes that belong to the multicast group in reply to the single Internet Protocol multicast packet, wherein every one of the plurality of Internet Control Message Protocol replies identify a communication error associated with the Internet Protocol multicast packet; and
using a processor to determine, using the received communication error replies to the Internet Protocol multicast packet, a new listing of all nodes of at least the multicast group of the network that provided the communication error replies to the Internet Protocol multicast packet, wherein a previously undiscovered node provided at least one communication error reply of the communication error replies in direct reply to the Internet Protocol multicast packet that requires the receiver of the packet to provide the at least one communication error reply; and
comparing at least the new listing of all nodes that provided the communication error replies to the Internet Protocol multicast packet with a previous listing of nodes that provided a previous set of communication error replies to a previous Internet Protocol multicast packet to discover a change in a membership of nodes belonging to the network.

US Pat. No. 10,050,936

SECURITY DEVICE IMPLEMENTING NETWORK FLOW PREDICTION

Palo Alto Networks, Inc.,...

1. A security device for processing a plurality of network flows, comprising:
one or more packet processors configured to receive incoming data packets associated with one or more network flows, at least one of the packet processors being assigned as an owner of one or more network flows, and each packet processor processing data packets associated with flows for which it is the assigned owner and each network flow being assigned to only one owner packet processor, each owner packet processor processing data packets associated with a network flow to enforce a security policy; and
a packet processing manager configured to assign ownership of network flows to the one or more packet processors, the packet processing manager comprising a global flow table containing global flow table entries mapping network flows to owner packet processors and a predict flow table containing predict flow entries mapping predicted network flows to the owner packet processors assigned to parent flows for connection sessions that indicate child flows to be determined,
wherein in response to a first data packet being received by one of the one or more packet processors and being associated with a first parent flow for a connection session that indicates a first child flow to be determined, the packet processing manager adds a first predict flow entry in the predict flow table, the first predict flow entry mapping a predicted network flow to the packet processor assigned as the owner of the first parent flow, and in response to a second data packet being received by one of the one or more packet processors and the network flow for the second data packet being found in the predict flow table as matching the first predict flow entry, the packet processing manager adds an entry in the global flow table to map the network flow of the second data packet to the owner packet processor of the first parent flow; and in response to receiving a message from the owner packet processor indicating acceptance of the ownership assignment, the packet processing manager stores a binding entry in the global flow table mapping the network flow of the second data packet to the owner packet processor of the first parent flow.

US Pat. No. 10,015,179

INTERROGATING MALWARE

Palo Alto Networks, Inc.,...

1. A method for identifying a behavior of a malware service, comprising:
scanning a network communication port of a receiver, wherein a communication protocol operating on the network communication port is determined using a result of the scan;
sending to the network communication port of the receiver an interrogation packet that corresponds to a malware service, wherein the interrogation packet has been selected based at least in part on the communication protocol operating on the network, the interrogation packet is one of a plurality of interrogation packets sent to the network communication port and the predetermined interrogation packet invites an expected action that, when detected, at least in part confirms that a behavior of the malware service is operating;
using a processor to detect the expected action; and
based at least in part on detecting the expected action, determining that the malware service is potentially operating on the network communication port as indicated by a confidence level indicator that indicates a level of confidence that the malware service is potentially operating on the network communication port;
wherein the method further comprises one or more of the following:
(1) confirming that the behavior of the malware service is operating including by confirming that a proxy service is operating on the network communication port;
(2) confirming that the behavior of the malware service is operating including by confirming that a dynamic reverse shell is operating on the network communication port; and
(3) sending to a second communication port of the receiver, a second interrogation packet that corresponds to the same malware service, wherein the initial interrogation packet causes a listening service to become active on the second communication port.

US Pat. No. 10,015,198

SYNCHRONIZING A HONEY NETWORK CONFIGURATION TO REFLECT A TARGET NETWORK ENVIRONMENT

Palo Alto Networks, Inc.,...

1. A method comprising:
synchronizing a honey network configuration to reflect at least a subset of a target network environment that includes a plurality of devices, wherein synchronizing the honey network configuration to reflect at least a subset of the target network environment comprises:
instantiating high-interaction virtual clones for two or more of the plurality of devices in the target network environment using a virtual machine (VM) image selected from a VM image library that is customized based on one or more attributes for a corresponding target device in a device profile data store;
customizing the VM image that is selected from the VM image library by loading and booting a base image of an instance of the VM image and then dynamically patching the base image of the instance of the VM image selected from the VM image library based on one or more attributes for the corresponding target device in the device profile store including one or more of the following: a last reboot time for the corresponding target device, a logged in user name for the corresponding target device, a configured domain controller for the corresponding target device, a configured Domain Name System (DNS) for the corresponding target device, a configured IP address for the corresponding target device, browser proxy settings for the corresponding target device, a configured local time zone for the corresponding target device, an installed Operating System (OS)/application language pack for the corresponding target device, and a network session log for the corresponding target device; and
downgrading at least one of the high-interaction virtual clones to a low-interaction virtual clone performed on demand for the high-interaction virtual clones based on resource availability for executing the honey network, wherein the low-interaction virtual clone responds to a probe during a network scan.

US Pat. No. 9,967,236

CREDENTIALS ENFORCEMENT USING A FIREWALL

Palo Alto Networks, Inc.,...

1. A system for credentials enforcement using a firewall, comprising:
a processor of a network device configured to:
store a plurality of user credentials at the network device;
monitor network traffic at the network device to determine if there is a match between the plurality of user credentials and one or more of the plurality of user credentials for external site authentication, comprising to:
monitor network communications between a client and an external site; and
determine if the client sends a request that includes user credentials for authentication at the external site, comprising to:
determine whether a bloom filter accepts the user credentials included in the request, wherein the bloom filter is generated based at least in part on the stored plurality of user credentials, the bloom filter being located in the network device, the bloom filter being configured to have a false positive rate set to a predetermined threshold, the predetermined threshold being non-zero, wherein the determining of whether the bloom filter accepts the user credentials comprises to:
 determine whether a first hash of a first portion and a second portion of a first user credential of the user credentials included in the request corresponds to a second hash of a third portion and a fourth portion of a second user credential of the stored plurality of user credentials, the first portion and the second portion being non-overlapping and non-adjacent portions of the first user credential, the third portion and the fourth portion being non-overlapping and non-adjacent portions of the second user credential; and
 in response to a determination that the first hash corresponds to the second hash, determine that the bloom filter accepts the user credentials included in the request; and
in response to a determination that the bloom filter accepts the user credentials included in the request:
 send the user credentials included in the request to an enterprise data store to query the enterprise data store whether the user credentials included in the request are enterprise user credentials, the external site being separate from the enterprise data store, the enterprise data store being separate from the network device; and
 receive, from the enterprise data store, query results indicating whether or not the user credentials match the enterprise user credentials; and
perform an action if the match between the plurality of user credentials and the one or more of the plurality of user credentials for external site authentication is determined, wherein the action corresponds to blocking the network traffic, generating an alert, sending a block page that notifies the user that using enterprise credentials on this external site is not recommended or is prohibited, logging network activity, or any combination thereof; and
a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 9,942,251

MALWARE DETECTION BASED ON TRAFFIC ANALYSIS

Palo Alto Networks, Inc.,...

1. A system, comprising:
a processor configured to:
analyze captured network traffic attributable to execution of a candidate malware application in a virtual machine;
compare a representation of previously captured network traffic attributable to one or more benign applications executing to one or more results of analysis of the captured network traffic attributable to the execution of the candidate malware application;
determine that the candidate malware application is malicious based at least in part on the comparison; and
provide the determination as output; and
a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 9,762,596

HEURISTIC BOTNET DETECTION

Palo Alto Networks, Inc.,...

1. A system, comprising:
a processor configured to:
monitor network traffic to identify suspicious network traffic, wherein the monitoring of the network traffic includes:
monitor visited domain related behavior to identify a previously unclassified URL as a new malware URL, wherein the monitored
visited domain related behavior indicates a potentially malicious domain based on one or more of the following: a domain name
length of a visited domain, whether a visited domain is a dynamic DNS domain, whether a visited domain is a fast-flux domain,
and whether a visited domain is a recently created domain;

identify a uniform resource locator (URL) in the network traffic using a URL filter;
determine whether the network traffic includes a malware URL, an unclassified URL, or a combination thereof;
in response to a determination that the network traffic includes the malware URL, the unclassified URL, or a combination thereof,
assign the network traffic as the suspicious network traffic;

identify the network traffic as the suspicious network traffic using an application identifier, wherein the suspicious network
traffic includes one or more of the following: HTTP traffic, IRC traffic, and unclassified application traffic;

in response to a determination that the network traffic is identified as the unclassified application traffic or includes
the unclassified URL, forward the network traffic to a security cloud service for further analysis, wherein the further analysis
performed by the security cloud service includes behavior correlation, and wherein the security cloud service aggregates botnet
reports received from a plurality of network sites to facilitate botnet detection based on behavior correlation; and

detect a bot based on a heuristic analysis of the suspicious network traffic behavior, wherein the suspicious network traffic
behavior includes command and control traffic associated with a bot master; and

a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 9,762,610

LATENCY-BASED POLICY ACTIVATION

Palo Alto Networks, Inc.,...

1. A system for latency-based policy activation, comprising:
a processor of a network device configured to:
collect a plurality of latency measures associated with monitored network communications;
correlate the plurality of latency measures associated with the monitored network communications to detect anomalous network
activity based on a profile, comprising to:

perform one or more of the following:
A) determine whether a latency of an Internet Control Message Protocol (ICMP) ping between the network device and a monitored
service's IP address exceeds a first predetermined threshold; and

in response to a determination that the latency of the ICMP ping between the network device and the monitored service's IP
address exceeds the first predetermined threshold, determine that the latency of the ICMP ping is abnormal;

B) determine whether a latency between a new TCP session's SYN and a server's SYN/ACK response exceeds a second predetermined
threshold; and

in response to a determination that the latency between the new TCP session's SYN and the server's SYN/ACK response exceeds
the second predetermined threshold, determine that the latency between the new TCP session's SYN and the server's SYN/ACK
response is abnormal;

C) determine whether a latency between a new UDP session's initial packets exceeds a third predetermined threshold; and
in response to a determination that the latency between the new UDP session's initial packets exceeds the third predetermined
threshold, determine that the latency between the new UDP session's initial packets is abnormal; or

D) determine whether a latency of an HTTP GET operation or an HTTP POST operation exceeds a fourth predetermined threshold;
and

in response to a determination that the latency of the HTTP GET operation or the HTTP POST operation exceeds the fourth predetermined
threshold, determine that the latency of the HTTP GET operation or the HTTP POST operation is abnormal;

perform a mitigation response to the anomalous network activity based on a policy; and
a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 10,310,992

MITIGATION OF CYBER ATTACKS BY POINTER OBFUSCATION

PALO ALTO NETWORKS INC., ...

1. A method for protecting a computer when loading a computer program into a memory for execution by the computer, comprising:
before execution of the computer program by the computer, identifying a pointer, which points to a first memory address for accessing an operating system function in a data structure created for the computer program, and rewriting the identified pointer in the data structure for the computer program so that the identified pointer points to a second memory address, different from the first memory address, wherein the second memory address is defined with a permission setting which does not allow access, such that any attempt to access the second memory address will raise an exception; and
configuring the computer to transfer control to program code that determines whether an access to the second memory address during execution of the computer program is a possible unauthorized access to the functionality of the computer, when the second memory address is accessed during execution of the computer program,
wherein determining whether the access to the second memory address is a possible unauthorized access comprises analyzing a source of an attempt to access the second memory address, and upon finding the source to be an authorized operation of the computer, correcting the pointer in the data structure created for the computer program to point to the first memory address, and permitting the authorized operation to resume using the first memory address.

US Pat. No. 10,296,836

DATA BLAMING

Palo Alto Networks, Inc.,...

1. A system, comprising:
a processor configured to:
receive an identification of an item that was misclassified by a classification model constructed in accordance with a machine learning technique;
identify a subset of a training data set that is associated with the misclassified item, wherein the training data was previously used to construct the classification model, wherein identifying the subset of the training data set includes querying a blame forest, and wherein the blame forest comprises links to examples in the training set; and
cause at least one member to be removed from the training set; and
a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 10,230,749

AUTOMATICALLY GROUPING MALWARE BASED ON ARTIFACTS

Palo Alto Networks, Inc.,...

1. A computer-implemented method, comprising:
receiving a plurality of samples for performing automated malware analysis to generate log files based on the automated malware analysis;
processing the log files to extract features associated with malware, wherein each of the extracted features corresponds to a line or a sub-line in one or more of the log files determined to be an artifact associated with malware;
clustering the plurality of samples based on the extracted features, wherein clustering the plurality of samples based on the extracted features further comprises:
selecting one or more of the extracted features and assigning values to each indicator, wherein selecting one or more of the extracted features includes performing a pre-filtering operation to select the extracted features for clustering based on a threshold association between the line or the sub-line in the one or more of the log files and known malware;
collecting the assigned values in an array for each of the plurality of samples;
comparing the assigned values of the array between two of the plurality of samples; and
calculating a distance between the two samples, wherein the samples within a defined threshold of distance are clustered; and
performing an action based on an output of clustering the plurality of samples based on the extracted features, wherein the action based on the output of clustering the plurality of samples based on the extracted features further comprises validate the output of clustering the plurality of samples based on the extracted features based on tags to identify previously identified malware groups.

US Pat. No. 10,216,931

DETECTING AN ATTEMPT TO EXPLOIT A MEMORY ALLOCATION VULNERABILITY

Palo Alto Networks, Inc.,...

1. A system for detecting an attempt to exploit a memory allocation vulnerability, comprising:
a processor configured to:
receive a malware sample;
monitor an array operation performed by the malware sample using a memory monitoring component; and
determine whether the array operation performed by the malware sample is suspicious based on one or more of the following: a vector size of a vector associated with the array operation, a change in a vector size of a vector associated with the array operation, or a cookie appended at an end of an allocated buffer during the array operation, wherein the determining of whether the array operation performed by the malware sample is suspicious comprises to:
perform one or more of the following:
A) determine whether the vector size of the vector associated with the array operation exceeds a predefined threshold, wherein the determining operation is performed during a read operation on the vector, a write operation on the vector, or a get-size operation on the vector; and
in response to a determination that the vector size exceeds the predefined threshold, determine that the malware sample is suspicious;
B) compare the vector size of the vector associated with the array operation with a corresponding vector size in a size record, wherein the comparing operation is performed during a read operation on the vector, a write operation on the vector, or a get-size operation on the vector; and
in response to a determination that the vector size associated with the array operation does not match the corresponding vector size in the size record, determine that the malware sample is suspicious; or
C) append the cookie at the end of the allocated buffer;
compare a pre-stored value associated with the cookie with a current value of the cookie during the array operation, wherein the comparing operation is performed during a pre-read operation on the allocated buffer, a post-write operation on the allocated buffer, or a get-size operation on the allocated buffer; and
in response to a determination that the pre-stored value associated with the cookie does not match the current value of the cookie during the array operation, determine that the malware sample is suspicious; and
a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 10,152,597

DEDUPLICATING MALWARE

Palo Alto Networks, Inc.,...

1. A system, comprising:
a processor; and
a memory coupled with the processor and configured to provide the processor with instructions which when executed cause the processor to:
set a first virtual guest clock to a first time value in a first virtual machine instance, and execute a first malware sample in the first virtual machine instance;
set a second virtual guest clock to the first time value in a second virtual machine instance, and execute a second malware sample in the second virtual machine instance;
perform a comparison of attempted domain contacts generated by executing each of the respective first and second malware samples; and
determine that the first malware sample and second malware sample are related, based at least in part on a result of the comparison.

US Pat. No. 10,019,575

EVALUATING MALWARE IN A VIRTUAL MACHINE USING COPY-ON-WRITE

Palo Alto Networks, Inc.,...

1. A system, comprising:
a processor configured to:
copy an original virtual machine image to a RAM disk, wherein the original virtual machine image corresponds to a base installation of a first operating system;
create a plurality of copy-on-write overlays, wherein a first overlay and a second overlay included in the plurality of copy-on-write overlays are associated with installation of a respective first application and second application on top of the original virtual machine instance, wherein the first application and second application are different;
initialize a first virtual machine instance as a copy-on-write overlay of the first copy-on-write overlay, wherein any changes to the first virtual machine will be captured in a first copy-on-write overlay file;
start the first virtual machine instance, and execute a sample inside the first virtual machine instance;
initialize a second virtual machine instance as a copy-on-write overlay of the second copy-on-write overlay, wherein any changes to the second virtual machine will be captured in a second copy-on-write overlay file;
start the second virtual machine instance, and execute the sample inside the second virtual machine instance;
determine, based at least in part on an analysis of the first copy-on-write overlay file and the second copy-on-write overlay file, that the sample acts maliciously when executed in the first virtual machine instance, and that the sample does not act maliciously when executed in the second virtual machine instance; and
a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 10,313,370

GENERATING MALWARE SIGNATURES BASED ON DEVELOPER FINGERPRINTS IN DEBUG INFORMATION

Palo Alto Networks, Inc.,...

1. A system, comprising:
a processor configured to:
receive a sample, wherein the sample includes a binary executable file;
match one or more specific file paths in content of the binary executable file based on a plurality of pre-defined patterns, wherein each of the one or more specific file paths is associated with a development environment, a development project's profile, and/or other meta information associated with a malware author, comprising to:
extract a first string from the binary executable file, wherein the first string relates to debug information of the binary executable file;
determine whether a specific file path associated with the first string matches a pattern of the plurality of pre-defined patterns, the pattern including a regular expression; and
in response to a determination that the specific file path matches the pattern, determine that the specific file path is a matched specific file path;
extract meta information from the one or more matched specific file paths, wherein the extracted meta information includes extracted strings or fields that are not executable code;
automatically generate a signature based on the one or more matched specific file paths and the extracted meta information; and
send the signature to a firewall device or a host agent, wherein the firewall device or the host agent can perform an action based on the signature; and
a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 10,257,221

SELECTIVE SINKHOLING OF MALWARE DOMAINS BY A SECURITY DEVICE VIA DNS POISONING

Palo Alto Networks, Inc.,...

1. A system, comprising:
a processor of a cloud security service configured to:
receive a sample at the cloud security service;
automatically analyze the sample using the cloud security service to determine whether the sample is associated with malware and to identify one or more bad network domains associated with the malware, comprising to:
identify a bad network domain that the sample attempts to access;
determine whether the bad network domain has been registered; and
in response to a determination that the bad network domain has not been registered, register the bad network domain that has not been registered to an IP address associated with a device of the cloud security service or controlled by the cloud security service;
generate one or more domain name system (DNS) signatures for the one or more bad network domains;
publish the one or more DNS signatures to automatically distribute the one or more DNS signatures from the cloud security service to a plurality of security devices of customers of the cloud security service to facilitate selective sinkholing of malware domains by the plurality of security devices via DNS poisoning;
intercept a DNS query for a network domain from a local DNS server at a security device, wherein the network domain was determined to be one of the one or more bad network domains; and
generate a DNS query response to the DNS query to send to the local DNS server, wherein the DNS query response includes a time to live (TTL) set to a predetermined period of time, the predetermined period of time being set to a value to allow subsequent queries from local hosts to the local DNS server for the one bad network domain to result in a local DNS server cache miss and corresponding to 1, wherein the DNS query response includes a designated sinkholed IP address for the one bad network domain to facilitate identification of an infected host by the security device, and wherein the DNS query response is a spoofed DNS query response, the spoofed DNS query response including a non-existent IP address, a reserved IP address, or a loopback address; and
a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 10,268,656

USING CACHE AND BLOOM FILTERS FOR URL LOOKUPS

Palo Alto Networks, Inc.,...

1. A system, comprising:
a processor configured to:
generate a bloom filter associated with a database of uniform resource locator (URL) information, wherein the database of URL information includes, for a given URL included in the database, at least one categorization of the given URL;
receive, from a client device, a request to access a first URL;
determine that a representation of the first URL is not present in a first cache and in response insert a temporary entry into the first cache, wherein the temporary entry indicates that a categorization of the first URL is being resolved, and wherein any additional requests received for access to the first URL will be queued pending a resolution;
match the representation associated with the first URL against the bloom filter;
determine that a false positive response, incorrectly indicating that the database includes a categorization for the first URL, is returned by the bloom filter, at least in part by:
in response to receiving an “accept” as a result of the match against the bloom filter, performing a first query of a first data source that is different from the bloom filter, and receiving a “no match” result for the first query from the first data source;
in response to determining that the bloom filter returned a false positive response, determine a modification to make to the first query and use the modification to perform a second query, wherein the modification comprises at least one of: altering a query string, and altering a query source; and
based at least in part on a category received as a result of the second query:
update the temporary cache entry, at least in part by: associating the received category with the first URL in the first cache, and cease to indicate that the categorization of the first URL is being resolved; and
enforce a policy with respect to the request to access the first URL; and
a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 10,237,283

MALWARE DOMAIN DETECTION USING PASSIVE DNS

Palo Alto Networks, Inc.,...

1. A system for malware domain detection using passive Domain Name Service (DNS), comprising:
a processor configured to:
generate a malware association graph including a plurality of source information associated with a plurality of known malware samples, the plurality of known malware samples being determined to be malicious, the plurality of source information representing known malicious Internet Protocol (IP) Addresses, known malicious domains, or any combination thereof, the malware association graph including a set of nodes and a set of edges, a node of the set of nodes representing a source domain name, a source IP address, or a combination thereof, an edge of the set of edges representing a relationship between two nodes of the set of nodes;
generate a cluster representing the set of nodes based at least in part on a clustering algorithm, the set of nodes representing the plurality of known malware samples and the plurality of source information, the clustering algorithm including a recursive algorithm to identify malware samples and source information that are correlated;
receive a first malware sample for analysis, wherein the first malware sample is downloaded from a first domain;
insert a first node and a second node into the malware association graph, the first node representing the first malware sample, the second node representing the first domain;
generate a reputation score for the first domain using the malware association graph and passive DNS information, wherein the generating of the reputation score comprises to:
identify a first edge and a second edge both linking the first domain to at least one node of the set of nodes of the malware association graph, the first edge having a first relation type and the second edge having a second relation type, each relation type being associated with resolving to a same IP address of the node of the set of nodes, resolving using a same name server (NS) as the node of the set of nodes, having an IP address belonging to the same border gateway protocol (BGP) prefix as the node of the set of nodes, having an IP address belonging to the same autonomous system (AS) as the node of the set of nodes, or any combination thereof, the first relation type being different from the second relation type;
determine, for the first relation type, a first score based on a first damping factor associated with the first relation type and the first relation type;
weigh the first score by a first weight to obtain a first weighted reputation;
determine, for the second relation type, a second score based on a second damping factor associated with the second relation type and the second relation type;
weigh the second score by a second weight to obtain a second weighted reputation; and
generate the reputation score of the first domain based at least in part on the first weighted reputation and the second weighted reputation;
determine that the first domain is a malware domain based on the reputation score exceeding a threshold score; and
in response to a determination that the first domain is the malware domain:
determine that the first malware sample is malicious;
extract a first signature from the first malware sample; and
store the extracted first signature in a database located on a security device, the security device being configured to detect malware using the database; and
a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 10,235,521

MALWARE DETECTION USING CLUSTERING WITH MALWARE SOURCE INFORMATION

Palo Alto Networks, Inc.,...

1. A system, comprising:
a processor configured to:
generate a graph including a plurality of source information associated with a plurality of known malware samples, the plurality of known malware samples being determined to be malicious, the plurality of source information including a download hostname, a download Uniform Resource Identifier (URI), a download Uniform Resource locator (URL), a download application, a download Internet Protocol (IP) address and port, a victim's IP address and port, a firewall IP address, geo-location information, or any combination thereof, the graph including a set of nodes and a set of edges, each node of the set of nodes representing a source domain name, a source IP address, or a combination thereof, each edge of the set of edges representing a relationship between two nodes of the set of nodes;
generate clusters representing the set of nodes based at least in part on a clustering algorithm, the set of nodes representing the plurality of known malware samples and the plurality of source information, the clustering algorithm including a recursive algorithm to identify malware samples and source information that are correlated;
receive a first malware sample for analysis, wherein the first malware sample was downloaded from a first source;
insert a first node and a second node into the graph, the first node representing the first malware sample, the second node representing the first source;
determine, based on a traversal of the graph, that the first source is associated with malware, wherein an edge related to the first source is connected to at least one cluster;
determine that the first malware sample is malicious in response to a determination that the first source is associated with the at least one cluster;
extract a first signature from the first malware sample;
store the extracted first signature in a database located on a security device; and
detecting the malware based on the first signature; and
a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 10,230,689

BRIDGING A VIRTUAL CLONE OF A TARGET DEVICE IN A HONEY NETWORK TO A SUSPICIOUS DEVICE IN AN ENTERPRISE NETWORK

Palo Alto Networks, Inc.,...

1. A system, comprising:
a processor configured to:
instantiate a first virtual clone in a honey network of a target device in a target network environment using a virtual machine (VM) image selected from a VM image library that is customized based on one or more attributes for the target device, wherein the first virtual clone in the honey network emulates the target device to facilitate interactions with the first virtual clone in the honey network, wherein the target device corresponds to a first device in the target network environment, wherein an internal network communication is directed from a suspicious device in the target network environment to the target device in the target network environment, wherein the suspicious device is suspected of being compromised by malware, and wherein the target device corresponds to one of a plurality of devices in the target network environment;
dynamically instantiate a second virtual clone in the honey network corresponding to a second device in the target network environment using another VM image selected from the VM image library that is customized based on one or more attributes for the second device corresponding to the second device in the target network environment, wherein the first virtual clone and the second virtual clone executed in an instrumented VM environment correspond to the honey network, and wherein the second virtual clone in the honey network is dynamically instantiated based on one or more logged interactions between the target device and the second device in the target network environment that were logged using an agent executed on the target device; and
route the internal network communication from the suspicious device in the target network environment to the first virtual clone in the honey network based on a honey network policy, wherein each of the virtual clones is executed in an instrumented virtual machine (VM) environment, and wherein one or more activities of the virtual clones executed in the instrumented VM environment are monitored; and
a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 10,204,221

DETECTION OF MALWARE USING AN INSTRUMENTED VIRTUAL MACHINE ENVIRONMENT

Palo Alto Networks, Inc.,...

1. A system for detection of malware using an instrumented virtual machine environment, comprising:
a processor configured to:
instantiate a first virtual machine in the instrumented virtual machine environment, wherein the first virtual machine is configured to support installation of two or more versions of a resource;
preload one or more system files that are used by a first version of the resource, a second version of the resource into a new resource system file location directory, or both, comprising to:
preload a dynamically loaded library (DLL) used by a version of the resource into a local directory, the new resource system file location directory corresponding to the local directory;
override an installer for the resource to redirect the installer to the new resource system file location directory, comprising to:
modify the installer to load the DLL from the new resource system file location directory;
install, via the installer, the first version of the resource on the first virtual machine and monitor the instrumented virtual machine environment while executing the first version of the resource with a malware sample opened using the first version of the resource;
install, via the installer, the second version of the resource on the first virtual machine and monitor the instrumented virtual machine environment while executing the second version of the resource with the malware sample opened using the second version of the resource; and
monitor the instrumented virtual machine environment while executing each version of the resource with the malware sample opened using each version of the resource; and
a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 10,165,008

USING EVENTS TO IDENTIFY A USER AND ENFORCE POLICIES

Palo Alto Networks, Inc.,...

1. A system, comprising:
a processor configured to:
receive, from a first server comprising an instant messaging server and internal to a first network, event data generated in response to a device exchanging communications with the first server, wherein the event data includes a username associated with a user of the device, wherein an authentication of the device is performed by the first server, wherein the authentication is performed at least in part by the first server contacting a directory server using the first network, and wherein the first server is different from the directory server;
use, at a security appliance, the received event data to associate the username and an IP address of the device into a mapping;
receive, at the security appliance, from the device, a request to access a second server that is external to the first network;
determine a policy to apply to communications exchanged between the device and the second server based at least in part on the mapping; and
apply the policy to at least one of the device and the second server, wherein applying the policy includes permitting communications between the device and the second server only in the event it is determined that the user is associated with an approved group object, and wherein the approved group object comprises a plurality of devices as members; and
a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 10,135,786

DISCOVERING AND SELECTING CANDIDATES FOR SINKHOLING OF NETWORK DOMAINS

Palo Alto Networks, Inc.,...

1. A system, comprising:
a hardware processor configured to:
collect passive DNS data from a plurality of security devices to discover candidates for sinkholing of domain names, wherein the passive DNS data from the plurality of security devices includes DNS responses to DNS queries for non-existent domains (NXDOMAINs), and wherein each of the DNS responses includes a destination IP address that corresponds to a client device requesting a domain name resulting in an NXDOMAIN DNS response;
select one or more domain names that are most commonly queried by distinct client devices based on the passive DNS data, wherein each of the one or more domain names is not yet registered, wherein the selecting of the one or more domain names that are most commonly queried comprises to:
rank commonly queried domain names based on number of queries by the distinct client devices; and
select N most commonly queried domain names to obtain the selected one or more domain names, N being an integer greater than zero;
filter a domain name that is not associated with command and control malware from the selected one or more domain names to obtain the one or more filtered domain names;
select one or more candidate domain names for sinkholing based on the one or more filtered domain names satisfying a threshold ranking in a popular NX domains listing satisfying or exceeding a preset time period; and
automatically register each of the one or more candidate domain names with a domain registry to a sinkholed IP address in order to sinkhole each of the one or more domain names; and
a memory coupled to the hardware processor and configured to provide the hardware processor with instructions.

US Pat. No. 10,348,765

POLICY ENFORCEMENT BASED ON DYNAMICALLY ATTRIBUTE-BASED MATCHED NETWORK OBJECTS

Palo Alto Networks, Inc.,...

1. A system, comprising:
a processor configured to:
receive a policy that includes an address group as an element of the policy, wherein the address group abstracts a set of computing assets;
compile the policy into a set of one or more rules, at least in part by substituting, for the address group, a set of one or more IP addresses of computing assets determined to be members of the address group included in the policy;
determine, based at least in part on a detected change to the address group, that one or more rules included in the set of rules should be recompiled and in response, recompile the one or more rules; and
enforce an updated rule;
a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 10,333,948

ALERTING AND TAGGING USING A MALWARE ANALYSIS PLATFORM FOR THREAT INTELLIGENCE MADE ACTIONABLE

Palo Alto Networks, Inc.,...

1. A computer-implemented method, comprising:
receiving a plurality of samples for performing automated malware analysis to generate log files based on the automated malware analysis;
processing the log files to extract artifacts associated with the log files;
receiving a configuration to enable an alert action based on a tag type for matching any of the plurality of samples, wherein the tag type is configured for the alert action for a tag based on a plurality of conditions associated with one or more artifacts, wherein the alert action is configured to match private samples and public samples, and wherein the alert action is configured as a prioritized alert based on the tag;
determining whether the tag matches any of the plurality of samples based on the plurality of conditions associated with one or more artifacts; and
performing an action based on whether the tag matches any of the plurality of samples including to trigger the alert action based on the determination that the tag matches a sample detected on a monitored enterprise network, wherein the sample is a public sample and the monitored enterprise network is associated with another subscriber's enterprise network.

US Pat. No. 10,305,927

SINKHOLING BAD NETWORK DOMAINS BY REGISTERING THE BAD NETWORK DOMAINS ON THE INTERNET

Palo Alto Networks, Inc.,...

1. A system, comprising:
a processor configured to:
register a bad network domain with a domain registry to a valid IP address in order to sinkhole the bad network domain, wherein the bad network domain is sinkholed by registering the bad network domain such that an authoritative DNS server can translate the registered bad network domain to the valid IP address, and wherein the valid IP address is associated with a device controlled by a cloud security service provider; and
identify a host that is infected with an identified malware based on an attempt by the host to connect to the valid IP address, wherein the host received a DNS query response that resolved the registered bad network domain to the valid IP address; and
a memory coupled to the processor and configured to provide the processor with instructions.
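The second element of the claim above, identifying an infected host from its attempt to connect to the sinkhole address, is in practice a correlation between DNS answers and connection records. The following Python is an added example, not Palo Alto Networks code; the sinkhole address, the table of sinkholed domains and both logs are constructed.

```python
"""Attribute infected hosts from sinkhole connection attempts.

Added example, not Palo Alto Networks code. The sinkhole address, the
sinkholed-domain table and both logs are constructed.
"""
from collections import defaultdict

SINKHOLE_IP = "192.0.2.10"                  # constructed (TEST-NET-1 address)
SINKHOLED = {                               # registered bad domain -> malware it belongs to
    "bad-c2.example": "FamilyA",
    "evil-update.example": "FamilyB",
}
DNS_LOG = [  # (client host, queried name, answer) - constructed
    ("10.0.0.5",  "bad-c2.example",      "192.0.2.10"),
    ("10.0.0.5",  "www.example.com",     "93.184.216.34"),
    ("10.0.0.9",  "evil-update.example", "192.0.2.10"),
    ("10.0.0.12", "bad-c2.example",      "192.0.2.10"),
    ("10.0.0.12", "evil-update.example", "192.0.2.10"),
]
CONN_LOG = [  # (client host, destination ip, destination port) - constructed
    ("10.0.0.5",  "192.0.2.10",    443),
    ("10.0.0.12", "192.0.2.10",    80),
    ("10.0.0.7",  "192.0.2.10",    443),   # no matching DNS answer was logged
    ("10.0.0.9",  "93.184.216.34", 443),
]


def identify_infected(dns_log, conn_log, sinkhole_ip=SINKHOLE_IP, sinkholed=SINKHOLED):
    # Step 1: which hosts received an answer resolving a sinkholed domain to the sinkhole.
    resolved = defaultdict(set)
    for host, qname, answer in dns_log:
        if answer == sinkhole_ip and qname in sinkholed:
            resolved[host].add(qname)
    # Step 2: the identification keys on the connection attempt, so a resolution
    # alone is not a hit; a connection without a logged resolution is kept separately.
    infected, unattributed = {}, set()
    for host, dst_ip, _port in conn_log:
        if dst_ip != sinkhole_ip:
            continue
        if host in resolved:
            infected[host] = sorted({sinkholed[q] for q in resolved[host]})
        else:
            unattributed.add(host)
    resolved_only = sorted(set(resolved) - set(infected))
    return {"infected": infected, "unattributed": sorted(unattributed),
            "resolved_only": resolved_only}
```

Keeping the `unattributed` bucket matters operationally: a host that reaches the sinkhole IP with no resolution in the DNS log may be using a hard-coded address, a resolver the sensor cannot see, or simply be a scanner, so it needs a different triage path than a host whose infection family is known from the name it resolved.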

US Pat. No. 10,298,610

EFFICIENT AND SECURE USER CREDENTIAL STORE FOR CREDENTIALS ENFORCEMENT USING A FIREWALL

Palo Alto Networks, Inc.,...

1. A system for a credentials store for credentials enforcement using a firewall, comprising:
a processor of a network device configured to:
receive a bloom filter from an agent executed on an authentication server, wherein the bloom filter is generated by the agent based on a transformation of a plurality of user credentials extracted from the authentication server and/or intercepted at the authentication server, wherein one or more of the plurality of user credentials includes a username and a password;
store the bloom filter in a cache on the network device;
monitor network traffic at the network device to perform credentials enforcement using the bloom filter, wherein to monitor the network traffic comprises to monitor network communications between a client and an external site;
determine if the client sends a request that includes user credentials for authentication at the external site using the bloom filter; and
perform an action based on a security policy if a match is determined with one or more of the plurality of user credentials, wherein to perform the action comprises to perform the action in response to a determination that the client sent the request that includes the user credentials for authentication at the external site that match the one or more of the plurality of user credentials stored at the network device, wherein the action includes blocking the user from accessing the external site until a different user credential is created; and
a memory coupled to the processor and configured to provide the processor with instructions.
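The claim above keeps the firewall free of plaintext credentials by shipping it a Bloom filter built from transformed username/password pairs. The following Python is an added example, not Palo Alto Networks code, showing both sides: the agent-side build and the firewall-side check. The PBKDF2 transformation, the shared salt and the sample credentials are constructed assumptions; the claim only says the credentials are transformed.

```python
"""Bloom-filter credential store and firewall-side check.

Added example, not Palo Alto Networks code. The salt, the PBKDF2
transformation and the sample credentials are constructed assumptions.
"""
import hashlib
import math


class BloomFilter:
    """Minimal Bloom filter over a bytearray using double hashing."""

    def __init__(self, n_bits: int, n_hashes: int):
        self.n_bits = n_bits
        self.n_hashes = n_hashes
        self.bits = bytearray((n_bits + 7) // 8)

    @classmethod
    def sized_for(cls, expected_items: int, fp_rate: float) -> "BloomFilter":
        # Standard sizing: m = -n ln p / (ln 2)^2 bits, k = (m / n) ln 2 hash functions.
        n_bits = math.ceil(-expected_items * math.log(fp_rate) / (math.log(2) ** 2))
        n_hashes = max(1, round(n_bits / expected_items * math.log(2)))
        return cls(n_bits, n_hashes)

    def _positions(self, item: bytes):
        # Kirsch-Mitzenmacher: k positions from two independent base digests.
        h1 = int.from_bytes(hashlib.sha256(item).digest()[:8], "big")
        h2 = int.from_bytes(hashlib.blake2b(item, digest_size=8).digest(), "big") | 1
        return [(h1 + i * h2) % self.n_bits for i in range(self.n_hashes)]

    def add(self, item: bytes) -> None:
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, item: bytes) -> bool:
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))


def transform(username: str, password: str, salt: bytes) -> bytes:
    """Agent-side transformation (assumption): slow, salted hash of user:password.

    The salt is a per-deployment secret shared with the firewall; with a slow
    KDF, a leaked filter is not a cheap offline oracle for the password set."""
    material = f"{username.lower()}:{password}".encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, 10_000)


def build_filter(credentials, salt: bytes, fp_rate: float = 1e-4) -> BloomFilter:
    # Size for at least 1024 entries so tiny test sets still get a sparse filter.
    bf = BloomFilter.sized_for(max(len(credentials), 1024), fp_rate)
    for user, pw in credentials:
        bf.add(transform(user, pw, salt))
    return bf


def check_request(bf: BloomFilter, salt: bytes, username: str, password: str) -> str:
    """Firewall-side decision for one outbound login attempt to an external site."""
    if transform(username, password, salt) in bf:
        return "block"      # corporate credential reused on an external site
    return "allow"


SALT = b"deployment-secret-salt"                         # constructed
CORP_CREDS = [("alice", "Winter2024!"), ("bob", "hunter2")]   # constructed sample
FILTER = build_filter(CORP_CREDS, SALT)
```

Two properties of the filter drive the policy design: it has no false negatives, so a reused corporate password is always caught, but it does have false positives at roughly `fp_rate`, so the blocking action should surface which filter version matched and allow an override path, and the filter must be rebuilt and re-pushed whenever the agent sees a password change.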

US Pat. No. 10,200,389

MALWARE ANALYSIS PLATFORM FOR THREAT INTELLIGENCE MADE ACTIONABLE

Palo Alto Networks, Inc.,...

1. A computer-implemented method, comprising:
receiving a plurality of samples for performing automated malware analysis to generate log files based on the automated malware analysis;
processing the log files to determine artifacts associated with malware, wherein a raw log file generated for each of the plurality of samples comprises one or more lines based on results of the automated malware analysis for each of the plurality of samples, and wherein processing the log files to determine artifacts associated with malware further comprises:
processing the raw log files for each of the plurality of samples to generate processed log files, wherein each of the processed log files provides a human readable format of the automated malware analysis; and
identifying distinct lines in each of the processed log files for performing line counts to provide a statistical view of the results of the automated malware analysis; and
determining line counts for each of the log files to provide a statistical view of malware analysis results data that includes how many times each distinct line is associated with malware samples and with benign samples.

US Pat. No. 10,200,390

AUTOMATICALLY DETERMINING WHETHER MALWARE SAMPLES ARE SIMILAR

Palo Alto Networks, Inc.,...

8. A system, comprising:
a processor configured to:
receive a plurality of samples for performing automated malware analysis to generate log files based on the automated malware analysis;
process the log files to determine artifacts associated with malware, wherein a raw log file generated for each of the plurality of samples comprises one or more lines based on results of the automated malware analysis for each of the plurality of samples, and wherein process the log files to determine artifacts associated with malware further comprises:
process the raw log files for each of the plurality of samples to generate processed log files, wherein each of the processed log files provides a human readable format of the automated malware analysis; and
identify distinct lines in each of the processed log files; and
compare the processed log files based on the automated malware analysis;
determine whether any of the plurality of samples are similar based on comparing the processed log files based on the automated malware analysis based on a threshold comparison of a textual representation of one or more artifacts; and
perform an action based on determining that at least two samples are similar; and
a memory coupled to the processor and configured to provide the processor with instructions.
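The two claims above (US 10,200,389 and US 10,200,390) share one pipeline: raw sandbox logs are normalised into human-readable lines, distinct lines are counted across malware and benign samples, and samples are compared on the textual representation of those lines against a threshold. The following Python is an added example serving both, not Palo Alto Networks code; the raw log format, the normalisation rules, the 0.7 Jaccard threshold and the four sample logs are constructed assumptions.

```python
"""Line counts and similarity over processed sandbox logs.

Added example, not Palo Alto Networks code. The raw log format, the
normalisation rules and the 0.7 similarity threshold are assumptions; the
four sample logs are constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict

USER_DIR = re.compile(r"c:\\users\\[^\\]+")


def normalize(line: str) -> str:
    """Turn one raw log line into a stable, human-readable form."""
    line = " ".join(line.split()).lower()                        # collapse whitespace, case-fold
    return USER_DIR.sub(lambda _m: r"c:\users\<user>", line)    # mask the per-victim path


def process_log(raw: str) -> list[str]:
    return [normalize(l) for l in raw.splitlines() if l.strip()]


def distinct_lines(raw: str) -> set[str]:
    return set(process_log(raw))


def line_counts(samples: dict[str, tuple[str, str]]) -> dict[str, dict[str, int]]:
    """For each distinct line: in how many malware / benign samples it appears."""
    counts = defaultdict(lambda: {"malware": 0, "benign": 0})
    for verdict, raw in samples.values():
        for line in distinct_lines(raw):          # once per sample, however often it repeats
            counts[line][verdict] += 1
    return dict(counts)


def malware_only_lines(samples) -> list[str]:
    """Lines never seen in a benign sample: candidate indicators."""
    return sorted(l for l, c in line_counts(samples).items() if c["malware"] and not c["benign"])


def jaccard(a: set[str], b: set[str]) -> float:
    return len(a & b) / len(a | b) if (a or b) else 1.0


def similar_pairs(samples, threshold: float = 0.7) -> list[tuple[str, str]]:
    names = sorted(samples)
    sets = {n: distinct_lines(samples[n][1]) for n in names}
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if jaccard(sets[a], sets[b]) >= threshold]


RAW_LOGS = {  # sample -> (verdict, raw log); constructed
    "sample-1": ("malware", r"""
CreateFile   C:\Users\bob\AppData\Local\Temp\x.exe
RegSetValue  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\x
Connect      203.0.113.7:443
Connect      203.0.113.7:443
"""),
    "sample-2": ("malware", r"""
CreateFile   C:\Users\alice\AppData\Local\Temp\x.exe
RegSetValue  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\x
Connect      203.0.113.7:443
CreateMutex  Global\svc_x
"""),
    "sample-3": ("benign", r"""
CreateFile   C:\Users\carol\Documents\report.docx
Connect      198.51.100.2:443
"""),
    "sample-4": ("benign", r"""
Connect      198.51.100.2:443
LoadLibrary  kernel32.dll
"""),
}
```

Normalisation is where the statistics are won or lost: without masking the user directory, `sample-1` and `sample-2` would share only two lines instead of three and drop below the threshold, and the dropped-file line would never accumulate a malware count. Counting each distinct line once per sample (not once per occurrence) is what makes the malware/benign counts comparable across samples of different verbosity.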

US Pat. No. 10,200,412

SECURITY POLICY ENFORCEMENT FOR MOBILE DEVICES BASED ON DEVICE STATE

Palo Alto Networks, Inc.,...

6. A method, comprising:
receiving a Host Information Profile (HIP) report for a mobile device from a mobile device management (MDM) service at a security device, wherein the HIP report includes device state information for the mobile device;
applying a policy based on the HIP report for the mobile device, comprising:
determining whether the HIP report matches one of a plurality of policy reports, the one policy report including disk encryption not being enabled on the mobile device; and
in response to a determination that the HIP report matches the one policy report, removing a required certificate for accessing an enterprise resource; and
performing access control at the security device based on the policy based on the HIP report for the mobile device, comprising:
determining whether the required certificate for accessing the enterprise resource has been removed; and
in response to a determination that the required certificate for accessing the enterprise resource has been removed, denying the mobile device access to the enterprise resource.

US Pat. No. 10,169,579

MALICIOUS PDF DETECTION

Palo Alto Networks, Inc.,...

1. A system, comprising:
a processor configured to:
receive a first Portable Document Format (PDF) document;
classify the received first PDF document using a classifier trained at least in part using a set of features extracted from a plurality of training PDF documents, wherein a first classification that can be determined for the first PDF document is a classification of “likely benign” and wherein a second classification that can be determined for the first PDF document is a classification of “likely malicious”, and wherein the plurality of training PDF documents comprise a set of PDF documents that were, at a time previous to the training of the classifier, known to be benign, and are labeled as belonging to a benign set, and wherein the plurality of training PDF documents further comprise a set of PDF documents that were, at a time previous to the training of the classifier, known to be malicious, and are labeled as belonging to a malicious set; and
wherein at least one feature extracted from the malicious set includes a feature associated with at least two stream filters cascaded to form a decoding pipeline; and
wherein, in the event the received first PDF document is classified as likely malicious, additional analysis of potential maliciousness of the first PDF document is caused to be performed, and wherein, in the event the received first PDF document is classified as likely benign, additional analysis of potential maliciousness of the first PDF document is not caused to be performed; and
a memory coupled to the processor and configured to provide the processor with instructions.
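The feature the claim above singles out, two or more stream filters cascaded into a decoding pipeline, is visible statically in a PDF's `/Filter` entries. The following Python is an added example, not Palo Alto Networks code: it extracts that feature and a few companions from raw PDF bytes and gates further analysis on the result. The two PDF byte strings are constructed (their stream bodies are placeholders), and `triage()` uses hand-written weights as a stand-in for the trained classifier the claim describes.

```python
"""Static features for PDF triage, including cascaded stream filters.

Added example, not Palo Alto Networks code. The two PDF byte strings are
constructed and the weights in triage() stand in for a trained classifier.
"""
import re

FILTER_RE = re.compile(rb"/Filter\s*(?:\[([^\]]*)\]|/([A-Za-z0-9]+))")
NAME_RE = re.compile(rb"/([A-Za-z0-9]+)")
STREAM_RE = re.compile(rb"\bstream\b")            # matches 'stream', not 'endstream'
JS_RE = re.compile(rb"/JavaScript|/JS\b")
OPEN_ACTION_RE = re.compile(rb"/OpenAction")


def filter_chains(pdf: bytes) -> list:
    """Return the filter names of every /Filter entry, in decode order."""
    chains = []
    for m in FILTER_RE.finditer(pdf):
        if m.group(1) is not None:                # array form: [/A /B] decodes A, then B
            chains.append([n.decode() for n in NAME_RE.findall(m.group(1))])
        else:                                     # single-name form
            chains.append([m.group(2).decode()])
    return chains


def extract_features(pdf: bytes) -> dict:
    chains = filter_chains(pdf)
    return {
        "streams": len(STREAM_RE.findall(pdf)),
        "cascaded_filter_streams": sum(1 for c in chains if len(c) >= 2),
        "max_filter_depth": max((len(c) for c in chains), default=0),
        "javascript": len(JS_RE.findall(pdf)),
        "open_action": len(OPEN_ACTION_RE.findall(pdf)),
    }


def triage(features: dict) -> str:
    # Constructed weights standing in for the trained model. "likely malicious"
    # routes the file to heavier analysis; "likely benign" ends processing.
    s = (2 * features["cascaded_filter_streams"] + 2 * features["javascript"]
         + features["open_action"])
    return "likely malicious" if s >= 2 else "likely benign"


# Constructed inputs: minimal object syntax, placeholder stream bodies.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"4 0 obj << /Length 9 /Filter /FlateDecode >>\nstream\nxxxxxxxxx\nendstream\nendobj\n"
    b"%%EOF\n"
)
SUSPICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R "
    b"/OpenAction << /S /JavaScript /JS 5 0 R >> >> endobj\n"
    b"5 0 obj << /Length 9 /Filter [ /ASCIIHexDecode /FlateDecode ] >>\n"
    b"stream\nxxxxxxxxx\nendstream\nendobj\n"
    b"%%EOF\n"
)
```

A regex scan is deliberately shallow: it does not decode streams, so filters declared inside an object stream or an encrypted document are missed. That is acceptable for a first-stage gate whose job is to decide whether the expensive path runs, which is exactly the role the claim assigns to the classifier.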

US Pat. No. 10,320,810

MITIGATING COMMUNICATION AND CONTROL ATTEMPTS

Palo Alto Networks, Inc.,...

1. A system, comprising:
a processor configured to:
transmit an initial communication and control profile to a first network monitoring system, wherein the initial communication and control profile includes at least one domain, extracted from a first application sample comprising at least one file during at least one of: a static analysis and a dynamic analysis of the first application sample, and corresponding to a communication and control channel;
at least in part in response to information received from a second network monitoring system that is different from the first network monitoring system, revise the initial communication and control profile and change a verdict associated with a second application sample that is different from the first application sample; and
transmit an updated communication and control profile to the first network monitoring system; and
a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 9,471,514

MITIGATION OF CYBER ATTACKS BY POINTER OBFUSCATION

PALO ALTO NETWORKS, INC.,...

1. A method for protecting a computer when loading a computer program into a memory for execution by the computer and creating a data structure for the computer program, comprising:
executing a pointer handling module which when loading a computer program into a memory for execution by the computer, and before execution of the computer program, performs:
identifying a first pointer in the data structure created for the computer program, the first pointer indicating a first memory address which can be used to access operating system functions and accordingly is considered to be vulnerable;
replacing the identified first pointer in the created data structure for the loaded computer program with a second pointer selected to initiate an exception when accessed;
configuring the computer such that when the second pointer is accessed, control is transferred to a security program module in two steps, a first step in which the computer attempts to access a memory location indicated by the second pointer, causing an exception, and a second step in which an exception handling function transfers control to the security program module;
initiating execution of the computer program after replacing the first pointer; and
determining, by the security program module when invoked, whether an access to the second pointer which invoked the security program module is a possible unauthorized access to the functionality of the computer.

US Pat. No. 9,473,528

IDENTIFICATION OF MALWARE SITES USING UNKNOWN URL SITES AND NEWLY REGISTERED DNS ADDRESSES

Palo Alto Networks, Inc.,...

1. A system, comprising:
a processor configured to:
perform a heuristic analysis for information associated with a network site, wherein performing the heuristic analysis for information associated with the network site further comprises:
determine whether the network site has recently been registered, wherein in the event that the network site has been recently registered, the network site has been registered within the last 9 months;
determine whether the network site has a change in domain name system (DNS) information, the change in DNS information including a change in domain name, a change in ownership of a network uniform resource locator (URL), a new IP address outside of the same subnet, or any combination thereof;
determine source information associated with the network site, wherein the source information includes geographical information associated with the network site and IP network related source information; and
generate a list of potentially malicious network sites based on whether the network site has recently been registered, whether the network site has a change in DNS information, and the source information associated with the network site; and
assign a score based on the heuristic analysis, wherein the score indicates whether the network site is potentially malicious, wherein the assigning of the score comprises to assign the score based on whether the network site has recently been registered, whether the network site has a change in DNS information, and the source information associated with the network site; and
a memory coupled to the processor and configured to provide the processor with instructions.
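The claim above scores a site on three heuristics: recent registration (within 9 months), a change in DNS information (domain name, URL ownership, or an IP outside the previous subnet), and source information (geography and IP network). The following Python is an added example, not Palo Alto Networks code. The 270-day approximation of nine months, reading "same subnet" as a /24, the watch lists, the weights and the flagging threshold are all assumptions, and the site records are constructed.

```python
"""Heuristic scoring of network sites: registration age, DNS change, source.

Added example, not Palo Alto Networks code. The 270-day window, the /24
reading of "same subnet", the watch lists, weights and threshold are
assumptions; the site records are constructed.
"""
import ipaddress
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

RECENT_WINDOW = timedelta(days=270)      # assumption: "9 months" ~ 270 days
HIGH_RISK_COUNTRIES = {"XX"}             # constructed watch list (placeholder code)
HIGH_RISK_ASNS = {64500}                 # constructed; 64500 is a private-use ASN
WEIGHTS = {"recent": 40, "dns_change": 30, "source": 30}
FLAG_THRESHOLD = 50


@dataclass
class SiteRecord:
    domain: str
    registered_on: date
    current_ip: str
    owner: str
    country: str
    asn: int
    previous_domain: Optional[str] = None
    previous_ip: Optional[str] = None
    previous_owner: Optional[str] = None


def recently_registered(site: SiteRecord, today: date) -> bool:
    return today - site.registered_on <= RECENT_WINDOW


def same_subnet(ip_a: str, ip_b: str, prefix: int = 24) -> bool:
    net = ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)
    return ipaddress.ip_address(ip_b) in net


def dns_changed(site: SiteRecord) -> bool:
    """Any of: domain renamed, ownership changed, IP moved outside the old subnet."""
    name_changed = site.previous_domain is not None and site.previous_domain != site.domain
    owner_changed = site.previous_owner is not None and site.previous_owner != site.owner
    ip_moved = site.previous_ip is not None and not same_subnet(site.previous_ip, site.current_ip)
    return name_changed or owner_changed or ip_moved


def risky_source(site: SiteRecord) -> bool:
    return site.country in HIGH_RISK_COUNTRIES or site.asn in HIGH_RISK_ASNS


def score(site: SiteRecord, today: date) -> int:
    total = 0
    if recently_registered(site, today):
        total += WEIGHTS["recent"]
    if dns_changed(site):
        total += WEIGHTS["dns_change"]
    if risky_source(site):
        total += WEIGHTS["source"]
    return total


def potentially_malicious(sites, today: date):
    """The generated list: (domain, score) for sites at or above the threshold."""
    scored = [(s.domain, score(s, today)) for s in sites]
    return sorted(((d, sc) for d, sc in scored if sc >= FLAG_THRESHOLD), key=lambda t: -t[1])


TODAY = date(2024, 6, 1)   # constructed reference date
SITES = [
    SiteRecord("fresh-lure.example", date(2024, 4, 1), "203.0.113.5", "privacy-proxy", "XX", 64500,
               previous_ip="198.51.100.10", previous_owner="original-owner"),
    SiteRecord("oldshop.example", date(2015, 3, 9), "198.51.100.20", "shop-llc", "US", 64496),
    SiteRecord("moved-in-subnet.example", date(2021, 1, 1), "198.51.100.30", "corp", "US", 64496,
               previous_ip="198.51.100.10"),
    SiteRecord("new-but-clean.example", date(2024, 2, 20), "192.0.2.8", "startup", "US", 64496),
]
```

The threshold is what keeps a merely new domain (`new-but-clean.example`, score 40) off the list while a new domain that also changed hands and sits in a watched network is flagged; an IP move inside the old /24 is deliberately not counted as a DNS change, matching the claim's "outside of the same subnet" wording.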