US 12,074,906 B1
System and method for ransomware early detection using a security appliance as default gateway with point-to-point links between endpoints
Satish M. Mohan, San Jose, CA (US); Vinay Adavi, Sunnyvale, CA (US); and Ritesh R. Agrawal, San Jose, CA (US)
Assigned to AIRGAP Networks Inc., Santa Clara, CA (US); and Zscaler, Inc., San Jose, CA (US)
Filed by AIRGAP NETWORKS INC., Santa Clara, CA (US)
Filed on Dec. 5, 2023, as Appl. No. 18/529,621.
Application 18/529,621 is a continuation in part of application No. 18/346,078, filed on Jun. 30, 2023.
Application 18/346,078 is a continuation in part of application No. 18/064,177, filed on Dec. 9, 2022, granted, now 11,916,957.
Application 18/064,177 is a continuation in part of application No. 17/521,092, filed on Nov. 8, 2021.
Application 17/521,092 is a continuation of application No. 17/387,615, filed on Jul. 28, 2021, granted, now 11,323,474, issued on May 3, 2022.
Application 17/521,092 is a continuation of application No. 17/357,757, filed on Jun. 24, 2021, granted, now 11,171,985, issued on Nov. 9, 2021.
Int. Cl. H04L 9/40 (2022.01); H04L 12/46 (2006.01)
CPC H04L 63/1466 (2013.01) [H04L 12/4641 (2013.01); H04L 63/1416 (2013.01)]
16 Claims
 
1. A method for ransomware protection in a Virtual Local Area Network (VLAN), comprising:
deploying at least one gateway with each gateway having point-to-point links with a plurality of client endpoint devices, with each gateway having a security appliance acting as a DHCP relay assigning itself as the default gateway to a plurality of client endpoint devices in a VLAN after receiving a DHCP response wherein the security appliance overwrites a subnet mask to 255.255.255.255 to set the security appliance as a default gateway for the plurality of endpoint devices of the VLAN; and
sending a copy of message traffic of the gateway to an early ransomware detection system to analyze network traffic from each of the at least one gateway for behavioral anomalies and statistical anomalies.
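
The DHCP rewrite recited in claim 1, sketched as an added Python example (not code from the patent or its assignees): a relay-side function rewrites the options of a server reply so the client receives a 255.255.255.255 mask and the appliance as its router, and a helper shows that a peer on the same VLAN is then no longer on-link. The appliance address 10.0.0.254, the sample reply bytes and all function names are constructed for illustration.

```python
import ipaddress

MAGIC_COOKIE = bytes([99, 130, 83, 99])          # RFC 2131 options marker
OPT_PAD, OPT_MASK, OPT_ROUTER, OPT_MSG_TYPE, OPT_END = 0, 1, 3, 53, 255
DHCPOFFER, DHCPACK = 2, 5
# Constructed sample: DHCPACK with mask /24, router 10.0.0.1, lease 86400 s.
SAMPLE_ACK = MAGIC_COOKIE + bytes([53, 1, 5, 1, 4, 255, 255, 255, 0,
                                   3, 4, 10, 0, 0, 1, 51, 4, 0, 1, 81, 128, 255])

def parse_options(blob):
    """Decode a DHCP options field (cookie included) into [(code, value)]."""
    if blob[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = [], 4
    while i < len(blob) and blob[i] != OPT_END:
        if blob[i] == OPT_PAD:                   # pad has no length byte
            i += 1
            continue
        if i + 1 >= len(blob) or i + 2 + blob[i + 1] > len(blob):
            raise ValueError("truncated option")
        length = blob[i + 1]
        opts.append((blob[i], blob[i + 2:i + 2 + length]))
        i += 2 + length
    return opts

def build_options(opts):
    out = bytearray(MAGIC_COOKIE)
    for code, value in opts:
        out += bytes([code, len(value)]) + value
    return bytes(out) + bytes([OPT_END])

def rewrite_reply(blob, appliance_ip):
    """Relay-side rewrite: force mask /32 and router = appliance in OFFER/ACK."""
    opts = parse_options(blob)
    msg_type = next((v[0] for c, v in opts if c == OPT_MSG_TYPE and v), None)
    if msg_type not in (DHCPOFFER, DHCPACK):
        return blob                              # e.g. DHCPNAK passes unchanged
    kept = [(c, v) for c, v in opts if c not in (OPT_MASK, OPT_ROUTER)]
    kept.append((OPT_MASK, bytes([255] * 4)))    # mask goes before router
    kept.append((OPT_ROUTER, ipaddress.IPv4Address(appliance_ip).packed))
    return build_options(kept)

def is_on_link(client_ip, mask, peer_ip):
    """True if the client would reach the peer directly instead of via its router."""
    net = ipaddress.IPv4Network(f"{client_ip}/{mask}", strict=False)
    return ipaddress.IPv4Address(peer_ip) in net

if __name__ == "__main__":
    new = dict(parse_options(rewrite_reply(SAMPLE_ACK, "10.0.0.254")))
    mask = str(ipaddress.IPv4Address(new[OPT_MASK]))
    print(mask, is_on_link("10.0.0.23", mask, "10.0.0.42"))
```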