US 11,036,856 B2
(10) Patent No.: US 11,036,856 B2
(45) Date of Patent: Jun. 15, 2021
Graun et al.

(54) NATIVELY MOUNTING STORAGE FOR INSPECTION AND SANDBOXING IN THE CLOUD

(71) Applicant: Fortinet, Inc., Sunnyvale, CA (US)

(72) Inventors: Jason Graun, Mesa, AZ (US); Jesse Alverson, Arvada, CO (US)

(73) Assignee: Fortinet, Inc., Sunnyvale, CA (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 216 days.

(21) Appl. No.: 16/132,433

(22) Filed: Sep. 16, 2018

(65) Prior Publication Data: US 2020/0089881 A1, Mar. 19, 2020

(51) Int. Cl.: H04L 29/06 (2006.01); G06F 21/56 (2013.01); G06F 21/53 (2013.01); H04L 29/08 (2006.01)

(52) U.S. Cl.: CPC G06F 21/565 (2013.01); G06F 21/53 (2013.01); G06F 21/566 (2013.01); H04L 63/1416 (2013.01); H04L 63/1425 (2013.01); H04L 63/1433 (2013.01); H04L 63/20 (2013.01); G06F 2221/2149 (2013.01); H04L 67/06 (2013.01); H04L 67/1097 (2013.01)

(58) Field of Classification Search: CPC G06F 21/565; G06F 21/53; G06F 21/566; G06F 2221/2149; H04L 63/1416; H04L 63/1425; H04L 63/1433; H04L 63/20; H04L 67/06; H04L 67/1097; H04L 63/1408; H04L 67/26. See application file for complete search history.
`100
`
`N
`
`Inpur PLE
`402,
`UPLOADED 79 PUBLIC
`CLOUD FILE STORE
`
`Pusuic CLouc FiLe Stone
`104
`
`Chean FILE STORE
`CLEAN Files READY
`To Re USED
`
`
`Derry Fite STORE
`SANDGCK 6 PERIODICALLY,
`LOOKING FOR Neve Fates
`208
`
`
`
`
`
`16
`To CLEAN FE STORE
`
`FILES INGESTED AND
`SCANNED FOR THREATS
`
`CUBAN FILES ARE MOVED
`
`Network SECURITY DEVICE
`108
`IF FILE CONTAINS THREATS IF IS
`Moven To DIFFERENT STORE
`
`U.S. Appl. No. 15/985,892, filed May 22, 2018. (34 pgs).
`Non-Final Office Action for U.S. Appl. No. 15/985,892, dated Mar.
`9, 2020, 36 pages.
`
`Primary Examiner — Sarah Su
`(74) Attorney, Agent, or Firm — Law Office of Dorian
`Cartwright; Dorian Cartwright
`
`(57)
`
`ABSTRACT
`
`Systems and methods for continuously scanning and/or
`sandboxing files to protect users from accessing infected
`files by natively mounting public cloud file stores are
`provided. According to one embodiment, a determination is
`made by a network security device that is protecting the
`enterprise network regarding whether an untrusted file
`stored within a first repository of a public cloudfile store,
`which is natively mounted on the network security device,
`is a clean file that is free of malicious content by applying
`one or more security checks to the untrusted file. When a
`result of the determination is affirmative, the network secu-
`rity device makes the clean file accessible to the users by
`copying the clean file from the first repository to a second
`repository that is accessible to the users.
`
`28 Claims, 7 Drawing Sheets
`
Page 1 of 18
Netskope Exhibit 1001
`
`
`
`
`
Sheet 1 of 7

FIG. 1A (network architecture 100): an input file 102 is uploaded to the public cloud file store 104, which holds a dirty file store and a clean file store. A sandbox 106 is periodically looking for new files; each file is ingested and scanned for threats by the network security device 108. Clean files are moved to the clean file store 110 (clean files ready to be used); if a file contains threats it is moved to a different store, the quarantine store 112 (store contains files with malware/threats).
`
`
`
Sheet 2 of 7

FIG. 1B: a variant of the architecture of FIG. 1A with the same labeled elements: input file 102 uploaded to the public cloud file store 104 (containing the dirty file store and the clean file store), sandbox 106 periodically looking for new files, network security device 108 ingesting and scanning the file for threats, clean file store 110 (clean files ready to be used) and quarantine store 112 (store contains files with malware/threats).
`
`
`
Sheet 3 of 7

FIG. 2: secure data transfer system 200, comprising an untrusted file processing module 202 and a clean file transfer module 204.
`
`
`
Sheet 4 of 7

FIG. 3 (300): console view of the public cloud file store listing buckets and their objects and folders: a dirty file store/bucket, a clean file store/bucket and a quarantine store/bucket.
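The three-bucket layout of FIG. 3 only protects users if they genuinely cannot read the dirty (and quarantine) buckets; the specification states that requirement (users do not have read access to the first repository) but does not show how it is enforced. The bucket policy below is an added example, not part of the patent, written in the JSON policy grammar that Amazon S3 accepts. The account id 111122223333, the bucket name example-dirty-bucket, the role names and the session name are placeholders. It denies object reads on the dirty bucket to every principal except the scanner role (listed as the role ARN, an assumed-role session ARN and the account root, the combination the IAM NotPrincipal documentation shows for this pattern; confirm the session naming against the current documentation) and grants the uploader role write-only access, so a compromised uploader cannot retrieve other users' unscanned files either.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyReadsExceptScanner",
      "Effect": "Deny",
      "NotPrincipal": {
        "AWS": [
          "arn:aws:iam::111122223333:role/example-scanner-role",
          "arn:aws:sts::111122223333:assumed-role/example-scanner-role/scanner-session",
          "arn:aws:iam::111122223333:root"
        ]
      },
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": "arn:aws:s3:::example-dirty-bucket/*"
    },
    {
      "Sid": "UploadersWriteOnly",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-uploader-role"},
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-dirty-bucket/*"
    }
  ]
}
```

An explicit Deny wins over any Allow in a user's identity policy, so an over-broad "s3:*" grant elsewhere cannot reopen the dirty store. NotPrincipal only carves the scanner out of the Deny; the scanner role still needs its own Allow for s3:GetObject and s3:DeleteObject on this bucket and for s3:PutObject on the clean and quarantine buckets. The quarantine bucket should carry the same Deny, and the clean bucket's policy should reserve s3:PutObject for the scanner role, otherwise users could bypass scanning by writing into the clean bucket directly.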
`
`
`
Sheet 5 of 7

FIG. 4A (flow 400): uploading a file into a dirty S3 bucket; monitoring by a Simple Notification Service; scanning by a sandbox appliance; moving clean files into a clean S3 bucket; and moving malicious files to a malicious S3 bucket (the last two steps carry the labels 408 and 410).
`
`
`
Sheet 6 of 7

FIG. 4B (flow 450):

452: storing an untrusted file within a first repository of a public cloud file store, said public cloud file store being natively mounted on a network security device that is protecting an enterprise network, wherein users of the enterprise network do not have read access to the first repository of the public cloud file store.

454: receiving, by the network security device, a notification, via an application programming interface (API) call from a notification service of the public cloud file store, regarding existence of the untrusted file within the first repository.

456: determining, by the network security device, whether the untrusted file is a clean file that is free of malicious content by applying one or more security checks to the untrusted file.

458: making the clean file accessible to the users by, when a result of said determining is affirmative, copying the clean file from the first repository to a second repository that is accessible to the users.
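The procedure of FIG. 4B, together with the embodiment described later in the specification that first moves the untrusted file to a third repository before scanning it, as an added example in Python (not the patent's or Fortinet's code). It assumes the three repositories are visible to the scanner as local directories, which is what a FUSE mount such as s3fs-fuse provides, and stands them in with temporary directories; the bucket name, the event format (the shape S3 event notifications use, with URL-encoded keys), the detection data and every file name are constructed for the example. Two points the flow diagram does not show are handled explicitly: object keys come from the uploader, so they are mapped onto the mount without being allowed to escape it, and the bytes that were scanned are the bytes that get published, so an object cannot be swapped between the check and the copy.

```python
# Added example (not the patent's code): the FIG. 4B procedure over three
# natively mounted stores, using local directories as stand-ins for the
# mounts and constructed sample data. Bucket and file names are hypothetical.
import hashlib
import json
import os
import shutil
import tempfile
import urllib.parse
from pathlib import Path

DIRTY_BUCKET = "example-dirty-bucket"  # hypothetical; only events for it are acted on

# Constructed detection data standing in for AV/sandbox verdicts.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed known-bad sample").hexdigest()}
BAD_SIGNATURES = [b"EXAMPLE-MALICIOUS-MARKER"]
# Allowed extensions and the magic bytes each must start with (None = no check).
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG", ".txt": None}


def keys_from_notification(payload: str) -> list:
    """Object keys from an S3-style event ({"Records":[{"s3":{"bucket":{"name"},
    "object":{"key"}}}]}). Events naming any other bucket are ignored so a
    misrouted or forged notification cannot make us publish foreign objects."""
    keys = []
    for rec in json.loads(payload).get("Records", []):
        s3 = rec.get("s3", {})
        if s3.get("bucket", {}).get("name") != DIRTY_BUCKET:
            continue
        keys.append(urllib.parse.unquote_plus(s3["object"]["key"]))
    return keys


def safe_join(root: Path, key: str) -> Path:
    """Map an uploader-chosen object key onto a mount without escaping it."""
    root = root.resolve()
    candidate = (root / key).resolve()
    if candidate == root or root not in candidate.parents:
        raise ValueError(f"key escapes repository: {key!r}")
    return candidate


def security_checks(data: bytes, name: str) -> list:
    """Reasons the file is malicious (empty list == clean): hash blocklist,
    extension/magic consistency and content signature, i.e. static factors of
    the kind the specification lists. A sandbox verdict would be appended here."""
    reasons = []
    if hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256:
        reasons.append("hash-blocklist")
    ext = Path(name).suffix.lower()
    if ext not in MAGIC:
        reasons.append(f"extension-not-allowed:{ext or 'none'}")
    elif MAGIC[ext] is not None and not data.startswith(MAGIC[ext]):
        reasons.append("magic-mismatch")
    reasons += ["signature-match" for sig in BAD_SIGNATURES if sig in data]
    return reasons


def process_key(dirty: Path, staging: Path, clean: Path, quarantine: Path, key: str) -> dict:
    """Steps 452-458 for one object: move dirty -> staging (the third-repository
    embodiment), scan the staged bytes, then write exactly those bytes to clean
    or quarantine. Scanning and publishing the same buffer closes the window in
    which the object could be replaced after the scan."""
    staged = safe_join(staging, key)
    staged.parent.mkdir(parents=True, exist_ok=True)
    shutil.move(str(safe_join(dirty, key)), str(staged))
    data = staged.read_bytes()
    reasons = security_checks(data, key)
    store = "clean" if not reasons else "quarantine"
    dest = safe_join(clean if not reasons else quarantine, key)
    dest.parent.mkdir(parents=True, exist_ok=True)
    tmp = dest.with_name(dest.name + ".part")
    tmp.write_bytes(data)
    os.replace(tmp, dest)  # readers never see a half-written object
    staged.unlink()
    return {"key": key, "store": store, "reasons": reasons,
            "sha256": hashlib.sha256(data).hexdigest()}


def demo() -> dict:
    """Constructed end-to-end run: three uploads, one traversal attempt and one
    event for a bucket that is not ours."""
    root = Path(tempfile.mkdtemp())
    dirty, staging, clean, quarantine = (root / n for n in ("dirty", "staging", "clean", "quarantine"))
    for d in (dirty, staging, clean, quarantine):
        d.mkdir()
    (dirty / "report.pdf").write_bytes(b"%PDF-1.4 constructed clean document")
    (dirty / "invoice.pdf").write_bytes(b"MZ\x90\x00 EXAMPLE-MALICIOUS-MARKER")
    (dirty / "notes.txt").write_bytes(b"constructed known-bad sample")
    event = json.dumps({"Records": [
        {"s3": {"bucket": {"name": DIRTY_BUCKET}, "object": {"key": k}}}
        for k in ("report.pdf", "invoice.pdf", "notes.txt", "../escape.txt")
    ] + [{"s3": {"bucket": {"name": "other-bucket"}, "object": {"key": "x.pdf"}}}]})
    results, rejected = [], []
    for key in keys_from_notification(event):
        try:
            results.append(process_key(dirty, staging, clean, quarantine, key))
        except ValueError:
            rejected.append(key)  # nothing was moved or written for this key
    return {"results": results, "rejected": rejected,
            "clean_listing": sorted(p.name for p in clean.iterdir())}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Moving (rather than copying) into the staging directory means the dirty store never accumulates scanned-but-unpublished objects, and writing the destination through a ".part" file plus os.replace keeps the clean store free of partially written objects even if the scanner is interrupted. On a real s3fs-fuse mount a rename across buckets is a copy and delete, so the same code works but the "atomic publish" guarantee holds only within one bucket.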
`
`
`
Sheet 7 of 7

FIG. 5: exemplary computer system 500 with an external storage device 510, main memory 530, mass storage 550, communication port(s) and a processor; one further element is labeled 570 but its name is not legible in the scan.
`
`
`
`NATIVELY MOUNTING STORAGE FOR
`INSPECTION AND SANDBOXING IN THE
`CLOUD
`
`COPYRIGHT NOTICE
`
`Contained herein is material that is subject to copyright
`protection. The copyright owner has no objection to the
`facsimile reproduction of the patent disclosure by any per-
`son as it appears in the Patent and Trademark Office patent
`files or records, but otherwise reserves all rights to the
`copyright whatsoever. Copyright © 2018, Fortinet, Inc.
`
`BACKGROUND
`
`Field
`
Embodiments of the present invention generally relate to network security. In particular, embodiments of the present invention relate to continuously scanning and/or sandboxing files residing on cloud storage to protect users from accessing infected files by natively mounting public cloud file stores.
`
`Description of the Related Art
`
Network security consists of policies and practices that are adopted to prevent and monitor unauthorized access, misuse, modification, or denial of a computer network or network-accessible resources. Network security also involves authorization of access to data in a network that is controlled by a network administrator. Computing devices that form part of a computer network, such as an enterprise network, are continually threatened by a risk of attack from various types of malicious content, including, but not limited to, viruses, malware, worms, and Trojans, while accessing data that has been transferred to internal locations from an external source and/or data that has been transferred between different departments, having different levels of trust, by various ways such as through servers, physical storage devices, among other communication channels. One exemplary source of malware infection includes data that is externally uploaded or is provided from untrusted or semi-trusted servers or from public cloud file stores that various users then have access to. Another source is the user himself/herself transmitting malware infected data to other users.
`
Although there are many virus scanning and content filtering systems that purport to protect users from malicious content, including anti-virus (AV) scanners on file systems or applications using the Internet Content Adaptation Protocol (ICAP) for file checking, such systems are reactive in nature. So, while these systems are capable of verifying data and may have the ability to take action to remove bad files once they are discovered, damage may already have been done. When an infected file is discovered by existing AV scanners and file checking systems, the threat is either reported afterwards (i.e., after access to such infected file has already been made available to one or more users) or the threat is reported during execution of such infected file, thereby risking exposure of the network and/or the computing devices in the network between the time the file is introduced until the file is finally inspected.

Meanwhile, as more organizations move towards public/hybrid cloud solutions for file storage, among other things, the need to ensure files do not contain malware becomes critically important. Currently, scanning of a file residing on cloud storage requires passing the file through a security inspection virtual machine (VM)/image. This method is inefficient. Today, there are no security solutions that can scan native cloud object storage. In order to accomplish the task of scanning cloud storage, at present, one must perform one of the following: (A) duplicate the transfer through a device which can proxy the connection over the network to collect a file sample; (B) attach cloud storage to a cloud VM then leverage a sandbox connector to send files to the sandbox; or (C) attach the cloud storage to a cloud VM and run a local static AV scan. All three options are overly complex and resource intensive, which impacts monthly recurring costs. Options A and B are also limited by size restrictions and require additional cloud infrastructure to support either method. Option C provides no protection from zero-day or unknown variants due to non-execution static scanning.

Furthermore, the design, implementation, and deployment of virtual machines have also opened up novel threats and security issues, which take on new forms in relation to it. For example, reverse engineering becomes easier due to introspection capabilities, as encryption keys, security algorithms, low-level protection, intrusion detection, or anti-debugging measures can become more easily compromised. Configuration problems, such as creating secure default configurations for virtual machines, are also magnified, and if a machine build starts out with poor default configurations, those vulnerabilities may extend to each instance of the virtual machine that is replicated from that build. Finally, technologies associated with virtual machines such as virtual routing and networking can create challenging issues for security, intrusion control, and associated processes.

Therefore, there exists a need for a new paradigm according to which newly introduced files, for instance, through public cloud file stores, are physically segregated until they are properly scanned, thereby ensuring only known good files are made available for access to users.
`
`SUMMARY
`
Systems and methods are described for continuously scanning and/or sandboxing files to protect users from accessing infected files by natively mounting public cloud file stores. Users of an enterprise network are prevented from accessing malware infected files that are stored within public cloud file stores. According to one embodiment, a determination is made by a network security device that is protecting the enterprise network regarding whether an untrusted file stored within a first repository of a public cloud file store, which is natively mounted on the network security device, is a clean file that is free of malicious content by applying one or more security checks to the untrusted file. When a result of the determination is affirmative, the network security device makes the clean file accessible to the users by copying the clean file from the first repository to a second repository that is accessible to the users.
`
`Other features of embodiments of the present disclosure
`will be apparent from accompanying drawings and from
`detailed description that follows.
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`
In the Figures, similar components and/or features may have the same reference label. Further, various components of the same type may be distinguished by following the reference label with a second label that distinguishes among the similar components. If only the first reference label is used in the specification, the description is applicable to any one of the similar components having the same first reference label irrespective of the second reference label.

FIGS. 1A-B illustrate exemplary network architectures in which or with which embodiments of the present invention can be implemented.

FIG. 2 illustrates an exemplary module diagram for a secure file transfer system in accordance with an embodiment of the present invention.

FIG. 3 conceptually illustrates configuration of multiple buckets in a public cloud file store for transfer of clean files from a dirty file store/bucket to a clean file store/bucket in accordance with an embodiment of the present invention.

FIGS. 4A-B are flow diagrams illustrating exemplary methods of secure data transfer in accordance with embodiments of the present invention.

FIG. 5 illustrates an exemplary computer system in which or with which embodiments of the present invention may be utilized.
`
`20
`
`4
`PROMs, random access memories (RAMs), programmable
`read-only memories
`(PROMs),
`erasable
`PROMs
`(EPROMs), electrically erasable PROMs (EEPROMs),flash
`memory, magnetic or optical cards, or other type of media/
`machine-readable medium suitable for storing electronic
`instructions (e.g., computer programming code, such as
`software or firmware).
`Various methods described herein may be practiced by
`combining one or more machine-readable storage media
`containing the code according to the present invention with
`appropriate standard computer hardware to execute the code
`contained therein. An apparatus for practicing various
`embodiments of the present invention may involve one or
`more computers (or one or more processors within a single
`computer) and storage systems containing or having net-
`work access to computer program(s) coded in accordance
`with various methods described herein, and the methodsteps
`of the invention could be accomplished by modules, rou-
`tines, subroutines, or subparts of a computer program prod-
`uct.
`
`DETAILED DESCRIPTION
`
`If the specification states a componentor feature “may”,
`“can”, “could”, or “might” be included or have a character-
`istic, that particular componentor feature is not required to
`be included or have the characteristic.
`
`25
`
`30
`
`Systems and methods are described for continuously
`scanning and/or sandboxing files to protect users from
`accessing infected files by natively mounting public cloud
`The phrase “network appliance” generally refers to a
`file stores. According to one embodiment,
`files that are
`specialized or dedicated device for use on a network in
`newly introduced to a public cloud file store that is natively
`virtual or physical
`form. Some network appliances are
`mounted on a network security device protecting an enter-
`implemented as general-purpose computers with appropriate
`prise network, are first subjected to desired security checks
`software configured for the particular functions to be pro-
`(e.g., AV scanning, file checking, sandboxing, etc.) while
`vided by the network appliance; others include custom
`residing in a segregated data storage area before they are
`hardware (e.g., one or more custom Application Specific
`made available for access to users by copying only those
`Integrated Circuits (ASICs)). Examples of functionality that
`files passing the security checks to a sanitized storage area,
`35
`maybe provided by a network appliance include, but are not
`which may or may notbeapart of the public cloudfile store,
`limited to, simple packet forwarding,
`layer 2/3 routing,
`but is accessible to the users. In this manner, the typical
`content inspection, contentfiltering, firewall, traffic shaping,
`model, involving the removal of bad files upon their iden-
`application control, Voice over Internet Protocol
`(VoIP)
`tification, is turned on its head by initially storing untrusted
`support, Virtual Private Networking (VPN),
`IP security
`files in a separate data location of a public cloud file store
`that is inaccessible to end users and then after the untrusted
`(IPSec), Secure Sockets Layer (SSL), antivirus, intrusion
`detection, intrusion prevention, Web content filtering, spy-
`ware prevention and anti-spam. Examples of network appli-
`ances include, but are not limited to, network gateways and
`network security appliances (e.g., FORTIGATE family of
`network security appliances and FORTICARRIERfamily of
`consolidated security appliances), messaging security appli-
`ances (e.g., FORTIMAIL family of messaging security
`appliances), database security and/or compliance appliances
`(e.g., FORTIDB database security and compliance appli-
`ance), web application firewall appliances (e.g., FORTI-
`WEBfamily of web application firewall appliances), appli-
`cation acceleration appliances,
`server
`load balancing
`appliances (e.g., FORTIBALANCERfamily of application
`delivery controllers), vulnerability management appliances
`(e.g., FORTISCAN family of vulnerability management
`appliances), configuration, provisioning, update and/or man-
`agement appliances (e.g., FORTIMANAGER family of
`management appliances), logging, analyzing and/or report-
`ing appliances (e.g., FORTIANALYZERfamily of network
`security reporting appliances), bypass appliances
`(e.g.,
`FORTIBRIDGE family of bypass appliances), Domain
`NameServer (DNS)appliances (e.g., FORTIDNSfamily of
`DNSappliances), wireless security appliances (e.g., FORTI-
`WIFIfamily of wireless security gateways), virtual or physi-
`cal sandboxing appliances (e.g., FORTISANDBOX family
`of security appliances) FORIDDOS, wireless access point
`appliances (e.g., FORTIAP wireless access points), switches
`
`files have been verified as being free of malware (clean) by
`a secure data transfer system, the verified clean files are
`transferred to a data location that is accessible to end users.
`
`In the following description, numerousspecific details are
`set forth in order to provide a thorough understanding of
`embodiments of the present invention. It will be apparent to
`one skilled in the art
`that embodiments of the present
`invention may bepracticed without some ofthese specific
`details.
`
`Embodiments of the present invention include various
`steps, which will be described below. The steps may be
`performed by hardware components or may be embodiedin
`machine-executable instructions, which may be used to
`cause a general-purpose or special-purpose processor pro-
`grammed with the instructions to perform the steps. Alter-
`natively, steps may be performed by a combination of
`hardware, software, and firmware and/or by human opera-
`tors.
`
`Embodiments of the present invention maybe provided as
`a computer program product, which may include a machine-
`readable storage medium tangibly embodying thereon
`instructions, which may be used to program a computer (or
`other electronic devices) to perform a process. The machine-
`readable medium mayinclude, but is not limited to, fixed
`(hard) drives, magnetic tape, floppy diskettes, optical disks,
`compact disc read-only memories (CD-ROMs), and mag-
`neto-optical disks, semiconductor memories, such as ROMs,
`
`65
`
`Page
`
`11 of 18
`
`Netskope Exhibit 1001
`
`Page 11 of 18
`
`Netskope Exhibit 1001
`
`
`
`US 11,036,856 B2
`
`6
`the network security device can
`In an embodiment,
`include a virtual machine (VM) that
`is controlled by a
`sandbox engine to determine whether the untrustedfile is a
`clean file that is free of malicious content.
`In an embodiment, the network security device can copy
`the file to the second repository by sharing it by means of
`any or a combination of network file system (NFS)file
`transfer protocol
`(FTP), common Internet
`file system
`(CIFS), Internet Small Computer Systems Interface @ SC
`SD, Storage Area Network (SAN), and local storage.
`In an embodiment, the untrusted file processing module
`can further remove any malware from the untrustedfile that
`is detected by the one or more security checks when the
`result of said determining is negative.
`In an embodiment, the untrusted file processing module
`can quarantine or delete the untrusted file whenthe result of
`the determination is negative.
`In an embodiment, the second repository can be part of
`the network security device or part of an external storage
`device that forms part of the enterprise network.
`In an embodiment, the second repository can form part of
`the public cloud file store.
`In an embodiment,
`the public cloud file store can be
`provided by a third-party cloud storage service provider, for
`example, the public cloud file store can be any or a combi-
`nation of Amazon Simple Storage Service (Amazon $3)™,
`Microsoft Azure™, Google Cloud Platform™, and IBM
`Cloud™.
`
`20
`
`25
`
`30
`
`In an embodiment, the network security device can deter-
`mine whether the untrustedfile is a clean file that is free of
`
`5
`(e.g., FORTISWITCH family of switches) and IP-PBX
`phone system appliances (e.g., FORTIVOICE family of
`IP-PBX phone systems).
`The phrases “security device” or “network security
`device” generally refers to a hardware device or network
`appliance that provides security services to a private net-
`work, for example, providing one or more of data privacy,
`protection, encryption and security. A network security
`device can be a device providing one or more of the
`following features: network firewalling, VPN, antivirus,
`intrusion prevention (IPS), content filtering, data leak pre-
`vention, antispam, antispyware,
`logging, reputation-based
`protections, event correlation, network access control, vul-
`nerability management, load balancing andtraffic shaping—
`that can be deployed individually as a point solution or in
`various combinations as a unified threat management
`(UTM)solution. Non-limiting examples of network security
`devices include proxyservers, firewalls, sandboxing appli-
`ances, Intrusion Prevention Systems OP S s), Intrusion
`Detection Systems (IDSs), VPN appliances, gateways, UTM
`appliances andthe like.
`Systems and methods are described for preventing users
`of an enterprise network from accessing malware infected
`files that are stored within public cloud file stores by
`continuously scanning and/or sandboxing files by natively
`mounting a public cloud file store as a file system, for
`example, within a network security device. Open source
`software is available for mounting an Amazon Web Services
`(AWS) Simple Storage Service (S83) bucket at http://
`malicious content based any or a combination of sandboxing
`s3tools.org/downloadandhttps://github.com/s3fs-fuse/s3fs-
`fuse.
`analysis (e.g., behavioral-based malware detection),
`file
`signature, file hash, file path, file attributes, file source, file
`In an exemplary aspect, the present disclosure provides a
`pre-scan parameters, file extension, file content, and file
`secure data transfer system that includes: a non-transitory
`name, and anypart thereof.
`storage device having embodied therein one or more rou-
`In an embodiment, the network security device can make
`tines operable to prevent users
`(also interchangeably
`the determination regarding whether the untrusted file is a
`referred to as “end users”) of an enterprise network from
`clean file that is free of malicious content by first moving the
`accessing malwareinfected files that are stored within public
`untrusted file from the first repository to a third repository,
`cloudfile stores; and one or more processors coupled to the
`and then applying one or more security checks to the
`non-transitory storage device and operable to execute the
`one or more routines, wherein the one or more routines
`untrusted file in the third repository, and moving back the
`checkedfile as a clean file into the first repository for onward
`include: an untrusted file processing module, which when
`copying to the second repository or moving the checkedfile
`executed by the one or more processors: accesses an
`as a clean file directly from the third repository to the second
`untrusted file stored within a first repository of a public
`repository.
`cloudfile store, said public cloud file store being natively
`Another aspect of the present disclosure relates to a
`mounted on a network security device that is protecting the
`method that can include: receiving, by a network security
`enterprise network, wherein the users do not have read
`device that is protecting an enterprise network, a notifica-
`access to the first repository of the public cloudfile store;
`tion, via an Application Programming Interface (API) call
`and causes the network security device to make a determi-
`from a notification service of a public cloud file store,
`nation regarding whetherthe untrusted file is a cleanfile that
`
`is free of malicious content by applying one or more security regarding existence of an untrusted file stored withinafirst
`checks to the untrusted file; and a clean file transfer module,
`repository of the public cloudfile store, said public cloudfile
`which when executed by the one or more processors, makes
`store being natively mounted on the network security
`the clean file accessible to the users by, when a result of the
`device, wherein users of the enterprise network do not have
`determination is affirmative, copying the clean file from the
`read access thefirst repository of the public cloudfile store;
`first repository to a second repository that is accessible to the
`determining, by the network security device, whether the
`users.
`untrusted file is a clean file that is free of malicious content
`
`35
`
`40
`
`45
`
`50
`
`55
`
`the network security device can
`In an embodiment,
`include any or a combination of a sandbox device, a network
`controller, a firewall, a network gateway device, an Intrusion
`Prevention System (IPS), and an Intrusion Detection System
`(IDS).
`the network security device can
`In an embodiment,
`include a sandbox appliance, and wherein the one or more
`security checks comprise behavioral-based malware detec-
`tion by deploying a file inside a
