-
1.
Publication No.: US20190108372A1
Publication date: 2019-04-11
Application No.: US16105886
Application date: 2018-08-20
Applicant: Fortinet, Inc.
Inventor: Saurabh BHARGAVA, Anil KAUSHIK, Ajay MALIK
Abstract: RF tags using source addresses to locate stations on a Wi-Fi network are secured. An RF location server receives a pseudo source address of an RF (radio frequency) tag from a station. The station obtains the pseudo source address while being within radio range of the RF tag and the station receiving a beacon frame from the RF tag. A source address for the RF tag is looked up utilizing the pseudo source address, and a specific location for the RF tag is looked up utilizing the source address. Some embodiments store the locations in association with the pseudo address. Either way, the specific location of the station is identified based on the source address of the RF tag. An action is determined in response to at least the specific location of the station. Information related to the action is sent to the station for output to a user of the station. For example, a location-based offer or service can be provided in real-time with a consumer's presence to relevant products or services.
-
2.
Publication No.: US20180069895A1
Publication date: 2018-03-08
Application No.: US15698654
Application date: 2017-09-08
Applicant: Fortinet, Inc.
Inventor: Anil KAUSHIK
IPC: H04L29/06
CPC classification number: H04L63/1466, H04L63/1416, H04W12/12, H04W84/12
Abstract: Spoof attacks on location based beacons are detected. A stream of beacons (e.g., IBEACONS) comprising at least a unique source identifier is generated. The stream of beacons is broadcast over a wireless communication channel to mobile devices within range. A list of broadcasted beacons is stored in a table along with a time and location of broadcast. Subsequent to broadcasting, a stream of beacons is detected. The detected beacon stream comprises a unique source identifier along with a time and a location of broadcast. The unique source identifier, the time and the location of at least one beacon of the detected beacon stream can be compared to the unique source identifier, the time and the location of at least one beacon of the broadcast beacon stream. Responsive to a match between the unique source identifiers and a mismatch of at least one of the time and locations, it is determined that the broadcast beacon stream has been spoofed by the detected beacon stream. Once a spoof has been detected, various remediation actions can be taken, such as sending alerts to admin, cautioning end users, and other security mode procedures.
-
3.
Publication No.: US20190020547A1
Publication date: 2019-01-17
Application No.: US16043157
Application date: 2018-07-24
Applicant: Fortinet, Inc.
Inventor: PC Sridhar, Pradeep Mohan, Anil KAUSHIK
CPC classification number: H04L41/0893, H04L61/2015, H04L61/6059, H04W84/12, H04W84/18, H04W88/08
Abstract: IoT stations are profiled in an IPv6 protocol environment. Responsive to sending the modified router advertisement instead of the router advertisement to the station, a DHCPv6 solicitation packet is snooped. The DHCPv6 solicitation packet is sent from the station to a DHCPv6 server to gather network configuration information stored in the router advertisement withheld by the access point. In turn, the access point examines the DHCPv6 solicitation packet to determine an identity of at least one of a device and an operating system. The identity determination is stored for applying network policies (e.g., network security policies) during transactions with the station.
-
4.
Publication No.: US20180255498A1
Publication date: 2018-09-06
Application No.: US15908728
Application date: 2018-02-28
Applicant: Fortinet, Inc.
Inventor: Anil KAUSHIK
IPC: H04W36/38, H04W36/30, H04B17/373, H04W52/40, H04B17/318, H04W36/08, H04L12/24, H04W84/12, H04W88/12
CPC classification number: H04W36/38, H04B17/318, H04B17/373, H04L41/00, H04L67/10, H04W36/08, H04W36/30, H04W52/40, H04W84/12, H04W88/12
Abstract: Directing station roaming in a cloud-managed Wi-Fi network. Management messages are received from a controller that is located remotely from the Wi-Fi communication network by an access point. When an RSSI (received signal strength indication) value between the station and the access point falls below a threshold, the access point (i.e., controller access point) determines which neighboring access point would be a best fit for a hand-off, with limited real-time input from the cloud-based Wi-Fi controller. One of the two or more of the plurality of access points is selected for handing off the station based on the RSSI values received from the interrogation. Responsive to the selection, a message is sent to the selected access point instructing the one of the at least one of the plurality of access points to respond to messages from the station.
-
5.
Publication No.: US20180191756A1
Publication date: 2018-07-05
Application No.: US15396632
Application date: 2016-12-31
Applicant: Fortinet, Inc.
Inventor: Anil KAUSHIK
IPC: H04L29/06
CPC classification number: H04L63/1425, G06F21/56, H04L63/145
Abstract: Attacks from IoT (Internet of Things) devices (or other stations) on a Wi-Fi network are identified using heuristics. Frames are detected from an IoT device (or conventional station) over a window of time. The frame is processed to expose IoT application data from the frame over the time window. Deviations are identified in the IoT application data to detect malicious activity from the IoT device by comparing the IoT application data from at least a first time and a second time within the time window. Responsive to the IoT data comparison detecting a malicious activity from the IoT device, a network security action is performed in reference to the IoT device, the network security action to prevent the malicious activity.
-
6.
Publication No.: US20170344767A1
Publication date: 2017-11-30
Application No.: US15620779
Application date: 2017-06-12
Applicant: Fortinet, Inc.
Inventor: Saurabh BHARGAVA, Anil KAUSHIK, Ajay MALIK
CPC classification number: G06K7/10257, G01S5/00, G01S5/0215, G01S13/767, G06K7/10366, H04K3/90, H04W4/02, H04W64/00
Abstract: RF tags using source addresses to locate stations on a Wi-Fi network are secured. An RF location server receives a pseudo source address of an RF (radio frequency) tag from a station. The station obtains the pseudo source address while being within radio range of the RF tag and the station receiving a beacon frame from the RF tag. A source address for the RF tag is looked up utilizing the pseudo source address, and a specific location for the RF tag is looked up utilizing the source address. Some embodiments store the locations in association with the pseudo address. Either way, the specific location of the station is identified based on the source address of the RF tag. An action is determined in response to at least the specific location of the station. Information related to the action is sent to the station for output to a user of the station. For example, a location-based offer or service can be provided in real-time with a consumer's presence to relevant products or services.
-
7.
Publication No.: US20170188384A1
Publication date: 2017-06-29
Application No.: US15435104
Application date: 2017-02-16
Applicant: Fortinet, Inc.
CPC classification number: H04W74/004, H04W24/08, H04W36/0055, H04W36/08, H04W48/12, H04W48/14, H04W74/008, H04W76/11, H04W84/12
Abstract: A technique for emulating virtual port control of airtime fairness for wireless stations using per station Enhanced Distributed Channel Access (EDCA) parameters. Specific parameters are received for each of a plurality of stations connected to the access point. An EDCA field of a beacon that stores a general EDCA parameter is set to an empty state. The beacon is broadcast to a plurality of stations on the wireless communication network and within range of an access point. The beacon comprises a BSSID (Basic Service Set Identifier) for use by the plurality of stations to connect with the access point for access to the wireless communication network. The beacon also comprises an empty EDCA field. In response to broadcasting the empty EDCA parameter, a direct inquiry is received from each of the plurality of stations for the general EDCA parameter. Each of the plurality of stations is responded to with a direct communication of a specific parameter corresponding to each station. A transmission is received from at least one of the stations complying with the specific parameter.
-
8.
Publication No.: US20190045364A1
Publication date: 2019-02-07
Application No.: US16105850
Application date: 2018-08-20
Applicant: Fortinet, Inc.
Inventor: Anil KAUSHIK, Naga Kishore Reddy Tarimala
IPC: H04W12/12, H04L29/06, G01S5/00, H04L12/24, H04B17/318, H04W36/18, H04W36/08, H04W4/70, H04W84/12, H04W88/06
Abstract: An analytics containment system stores RSSI values of connected stations and corresponding time stamps. If two or more stations have RSSI values within a certain proximity within a certain time period, a first condition for identifying analytics poisoning has been satisfied. Additionally, if RSSI values for the two or more stations change at a similar rate, the stations have satisfied a second optional condition.
-
9.
Publication No.: US20180287999A1
Publication date: 2018-10-04
Application No.: US15476966
Application date: 2017-03-31
Applicant: Fortinet, Inc.
Inventor: Anil KAUSHIK
Abstract: Per-application micro-firewall container images execute in containers on a data communication network. A micro-firewall controller detects that a specific application has been activated. In response, a micro-firewall image corresponding to the specific application is configured and executed in a container.
-
10.
Publication No.: US20180191573A1
Publication date: 2018-07-05
Application No.: US15396606
Application date: 2016-12-31
Applicant: Fortinet, Inc.
Inventor: PC Sridhar, Pradeep Mohan, Anil KAUSHIK
CPC classification number: H04L41/0893, H04W84/12, H04W84/18, H04W88/08
Abstract: IoT stations are profiled in an IPv6 protocol environment. Responsive to sending the modified router advertisement instead of the router advertisement to the station, a DHCPv6 solicitation packet is snooped. The DHCPv6 solicitation packet is sent from the station to a DHCPv6 server to gather network configuration information stored in the router advertisement withheld by the access point. In turn, the access point examines the DHCPv6 solicitation packet to determine an identity of at least one of a device and an operating system. The identity determination is stored for applying network policies (e.g., network security policies) during transactions with the station.