Patents Assigned to SonicWALL, Inc.
  • Patent number: 10721250
    Abstract: The present disclosure relates to systems, methods, and non-transitory computer readable storage medium for detecting a tunnel routing loop attack on a computer network. A method of the presently claimed invention receives a packet of data over an automatic tunnel. When the received packet includes an Internet protocol version 6 (IPv6) packet, headers in the received packet may be extracted from the received packet. When an extracted header is a tunnel routing loop attack (TRLA) header, address information included in the TRLA header may be matched to a destination address that the IPv6 packet is about to be tunneled through. When the address information included in the TRLA header matches the destination address that the IPv6 packet is about to be tunneled through, the IPv6 packet is dropped because the match indicates that a loop is about to be formed.
    Type: Grant
    Filed: April 23, 2018
    Date of Patent: July 21, 2020
    Assignee: SONICWALL INC.
    Inventors: Hui Ling, Zhong Chen
  • Patent number: 10699246
    Abstract: A system and method are disclosed for maintaining a whitelist, including: obtaining message data based on an email message sent by a user; extracting recipient information from message data; updating the whitelist using the recipient information.
    Type: Grant
    Filed: January 22, 2018
    Date of Patent: June 30, 2020
    Assignee: SONICWALL INC.
    Inventors: Paul R. Wieneke, Scott D. Eikenberry, Tim Nufire, David A. Koblas, Brian K. Wilson
  • Patent number: 10686808
    Abstract: Techniques for notification of reassembly-free file scanning are described herein. According to one embodiment, a first request for accessing a document provided by a remote node is received from a client. In response to the first request, it is determined whether a second request previously for accessing the document of the remote node indicates that the requested document from the remote node contains offensive data. If the requested document contains offensive data, a message is returned to the client, without accessing the requested document of the remote node, indicating that the requested document is not delivered to the client.
    Type: Grant
    Filed: July 10, 2018
    Date of Patent: June 16, 2020
    Assignee: SONICWALL INC.
    Inventors: Aleksandr Dubrovsky, Igor Korsunsky, Roman Yanovsky, Boris Yanovsky
  • Patent number: 10685110
    Abstract: The present disclosure is directed to monitoring internal process memory of a computer at a time when program code executes. Methods and apparatus consistent with the present disclosure monitor the operation of program code with the intent of detecting whether received program inputs may exploit vulnerabilities that may exist in the program code at runtime. By detecting suspicious activity or malicious code that may affect internal process memory at run-time, methods and apparatus described herein identify suspected malware based on suspicious actions performed as program code executes. Runtime exploit detection may detect certain anomalous activities or chain of events in a potentially vulnerable application during execution. These events may be detected using instrumentation code when a regular code execution path of an application is deviated from.
    Type: Grant
    Filed: December 29, 2017
    Date of Patent: June 16, 2020
    Assignee: SONICWALL INC.
    Inventors: Soumyadipta Das, Sai Sravan Kumar Ganachari, Yao He, Aleksandr Dubrovsky
  • Patent number: 10681188
    Abstract: A solution for reducing transmission pathway lengths within a distributed network, as embodied in various systems, methods, and non-transitory computer-readable storage media, may include migrating a TCP socket from a request server to a data server. The solution may further include reprogramming one or more routers to recognize a new packet route based on the migrated socket. The solution may include the one or more routers subsequently communicating directly with the data server while bypassing the request server.
    Type: Grant
    Filed: August 30, 2017
    Date of Patent: June 9, 2020
    Assignee: SONICWALL INC.
    Inventor: Samuel Liddicott
  • Patent number: 10630697
    Abstract: The present disclosure relates to a system, a method, and a non-transitory computer readable storage medium for deep packet inspection scanning at an application layer of a computer. A method of the presently claimed invention may scan pieces of data received out of order without reassembly at an application layer from a first input state generating one or more output states for each piece of data. The method may then identify that the first input state includes one or more characters that are associated with malicious content. The method may then identify that the data set may include malicious content when the first input state combined with one or more output states matches a known piece of malicious content.
    Type: Grant
    Filed: January 2, 2018
    Date of Patent: April 21, 2020
    Assignee: SONICWALL INC.
    Inventors: Hui Ling, Cuiping Yu, Zhong Chen
  • Patent number: 10609043
    Abstract: Some embodiments of reassembly-free deep packet inspection (DPI) on multicore hardware have been presented. In one embodiment, a set of packets of one or more files is received at a networked device from one or more connections. Each packet is scanned using one of a set of processing cores in the networked device without buffering the one or more files in the networked device. Furthermore, the set of processing cores may scan the packets substantially concurrently.
    Type: Grant
    Filed: April 30, 2019
    Date of Patent: March 31, 2020
    Assignee: SONICWALL INC.
    Inventors: Aleksandr Dubrovsky, John E. Gmuender, Huy Minh Nguyen, Ilya Minkin, Justin M. Brady, Boris Yanovsky
  • Patent number: 10491566
    Abstract: A user of a client device that is protected by a firewall may navigate to a website using a particular browser process (e.g., a window/tab of a browser) of the client device, sending a content request toward a web content server in the process. The firewall may intercept the content request, and may also receive information from the client device identifying which browser process initiated the content request. Before passing the content request to the appropriate web content server, the firewall may request and download a security policy from a security policy server. The security policy may notify the firewall which hosts are authorized/unauthorized for use with a particular domain, and which file types from each of these hosts are authorized/unauthorized for use with the particular domain. The firewall may then filter content related to the identified browser process based on the security policy.
    Type: Grant
    Filed: June 28, 2017
    Date of Patent: November 26, 2019
    Assignee: SONICWALL INC.
    Inventor: Hugo Vazquez Carames
  • Patent number: 10460041
    Abstract: Some embodiments of an efficient string search have been presented. In one embodiment, a string of bytes representing content written in a non-delimited language is received, wherein the content has been classified into a predetermined category. In a single pass through the string of bytes, a set of N-grams is searched for simultaneously. Statistical information on occurrences of the N-grams, if any, in the string of bytes is collected. In some embodiments, a model is generated based on the statistical information, where the model is usable by a content filter to classify content.
    Type: Grant
    Filed: January 10, 2017
    Date of Patent: October 29, 2019
    Assignee: SONICWALL INC.
    Inventors: Thomas E. Raffill, Shunhui Zhu, Roman Yanovsky, Boris Yanovsky, John Gmuender
  • Patent number: 10459777
    Abstract: A method for packet processing on a multi-core processor. According to one embodiment of the invention, a first set of one or more processing cores are configured to include the capability to process packets belonging to a first set of one or more packet types, and a second set of one or more processing cores are configured to include the capability to process packets belonging to a second set of one or more packet types, where the second set of packet types is a subset of the first set of packet types. Packets belonging to the first set of packet types are processed at a processing core of either the first or second set of processing cores. Packets belonging to the second set of packet types are processed at a processing core of the first set of processing cores.
    Type: Grant
    Filed: February 20, 2018
    Date of Patent: October 29, 2019
    Assignee: SONICWALL INC.
    Inventors: John E. Gmuender, Iosif Harutyunov, Manish Mathur, Ilya Minkin, Huy Minh Nguyen
  • Patent number: 10419461
    Abstract: A method and an apparatus to perform multi-connection traffic analysis and management are described. In one embodiment, the method includes analyzing data packets in the first data flow of a client application for a pattern of interest, where the client application communicates data using first and second data flows. In response to the method detecting a pattern of interest in the first data flow, the method identifies the second data flow and identifies a traffic policy for the second data flow. The method applies the identified traffic policy to the second data flow. Other embodiments have been claimed and described.
    Type: Grant
    Filed: December 4, 2017
    Date of Patent: September 17, 2019
    Assignee: SONICWALL INC.
    Inventors: Aleksandr Dubrovsky, Boris Yanovsky, Shunhui Zhu
  • Patent number: 10419378
    Abstract: A local gateway device receives email across the internet from a sender of the email and forwards it across the internet to an email filtering system. The email filtering system analyzes the email to determine whether it is spam, phishing or contains a virus and sends it back to the local gateway device along with the filtered determination. The local gateway device forwards the received email and the filtered determination to a local junk store which handles the email appropriately. For example, if the email has been determined to be spam, phishing or containing a virus, the junk store can quarantine the email and if the email has been determined to be non-spam and/or not phishing and/or not containing a virus, the junk store can forward the email to a local mail server for delivery.
    Type: Grant
    Filed: June 20, 2017
    Date of Patent: September 17, 2019
    Assignee: SONICWALL INC.
    Inventors: Scott K. Eikenberry, John Gmuender, Akbal Singh Karlcut, MichaelCarl Y. Uy, Boris Yanovsky
  • Patent number: 10419398
    Abstract: A method and apparatus for resource locator identifier rewrite have been presented. A security device receives from a resource host over a non-secure hypertext transfer protocol (HTTP) session a response to a request received from a client over a secure HTTP session. The response includes a uniform resource locator (URL) that is supposed to be for a resource host, but the URL does not designate a secure resource access protocol and the resource host requires the secure resource access protocol. The URL is located in the response and modified to designate the secure resource access protocol. After modification, the response is transmitted via the secure resource access protocol session to the client.
    Type: Grant
    Filed: July 28, 2015
    Date of Patent: September 17, 2019
    Assignee: SONICWALL INC.
    Inventors: John E. Gmuender, Huy Minh Nguyen, Joseph H. Levy, Michael B. Massing, Zhong Chen, David M. Telehowski
  • Patent number: 10412083
    Abstract: A plurality of beacons that do not include any service set identifiers may be broadcast from an access point. A request concerning association with the access point may be sent wirelessly from a user device and received at the access point. A unique service set identifier (SSID) for the requesting user device may be generated, and information regarding the unique SSID may be transmitted to the requesting user device. A subsequent association request from the requesting user device may include the unique SSID.
    Type: Grant
    Filed: December 12, 2017
    Date of Patent: September 10, 2019
    Assignee: SONICWALL INC.
    Inventors: Guo Hui Zou, Zhong Chen, Zhuangzhi Duo, Xiaodong Lin
  • Patent number: 10397193
    Abstract: Systems and methods for blind data leak prevention are provided. A first computer can determine if encrypted data matches a rule even without the encryption key used to encrypt the data. The first computer may encrypt the rule with a second encryption key and send the encrypted rule to a second computer, which may then encrypt the rule with the first encryption key—that is inaccessible to the first computer—and send the doubly encrypted rule back to the first computer. The first computer can then partially decrypt the rule using the second encryption key. The second computer can then encrypt data with the first encryption key and send to the first computer. The first computer can then determine if the partially encrypted rule matches the encrypted data.
    Type: Grant
    Filed: July 11, 2016
    Date of Patent: August 27, 2019
    Assignee: SONICWALL INC.
    Inventors: Hui Ling, Zhong Chen
  • Patent number: 10387455
    Abstract: Some embodiments of on-the-fly pattern recognition with configurable bounds have been presented. In one embodiment, a pattern matching engine is configured based on user input, which may include values of one or more user configurable bounds on searching. Then the configured pattern matching engine is used to search for a set of features in an incoming string. A set of scores is updated based on the presence of any of the features in the string while searching for the features. Each score may indicate a likelihood of the content of the string being in a category. The search is terminated if the end of the string is reached or if the user configurable bounds are met. After terminating the search, the scores are output.
    Type: Grant
    Filed: May 12, 2017
    Date of Patent: August 20, 2019
    Assignee: SONICWALL INC.
    Inventors: Thomas E. Raffill, Shunhui Zhu, Roman Yanovsky, Boris Yanovsky, John Gmuender
  • Patent number: 10382398
    Abstract: An appliance works in conjunction with an agent on a remote device to control application access to a corporate network. In conjunction with an SSL tunnel and policy operating at the appliance, granular application control may be implemented. In particular, a device user may determine what applications from a set of applications may access the corporate network and which applications do not access the network. The applications may be analyzed to determine whether the application is good or bad, as well as what security configurations, approvals and denials are associated with the application.
    Type: Grant
    Filed: June 30, 2014
    Date of Patent: August 13, 2019
    Assignee: SONICWALL INC.
    Inventors: Chemira Medappa, Christopher D. Peterson, David Telehowski
  • Patent number: 10382058
    Abstract: A device includes a processor and a checksum module, wherein the checksum module calculates, for first data, an updated checksum that complies with Internet Engineering Task Force Request For Comments Number 1624 using twos-complement arithmetic. The processor replaces the original checksum with the updated checksum to update a data packet.
    Type: Grant
    Filed: July 3, 2017
    Date of Patent: August 13, 2019
    Assignee: SONICWALL INC.
    Inventor: George Weigt
  • Patent number: 10361999
    Abstract: A network-connected device (such as an “internet of things” device) that periodically transmits data to recipient devices (e.g., smartphones, tablets, laptops) may be protected by a firewall that includes software firewall elements, hardware firewall elements, or some combination thereof. The firewall may intercept datasets sent by the network-connected device, inspect the datasets, and categorize data within each dataset as belonging to one of a number of previously-identified data categories, such as personal data, location data, behavior data, or energy data, or as not belonging to any recognized data category. Rules within firewall policies may indicate whether data of each data category is to be allowed to be sent to the recipient devices or to be blocked from being sent to the recipient devices, for example allowing a firewall to block transmission of location data. Data not belonging to a recognized data category is sent to a support system for classification.
    Type: Grant
    Filed: December 1, 2015
    Date of Patent: July 23, 2019
    Assignee: SONICWALL INC.
    Inventor: Hugo Vazquez Carames
  • Patent number: 10326781
    Abstract: Some embodiments of cloud-based gateway security scanning have been presented. In one embodiment, some data packets are received sequentially at a gateway device. The data packets constitute at least a part of a file being addressed to a client machine coupled to the gateway device. The gateway device forwards an identification of the file to a remote datacenter in parallel with forwarding the data packets to the client machine. The datacenter performs signature matching on the identification and returns a result of the signature matching to the gateway device. The gateway device determines whether to block the file from the client machine based on the result of the signature matching from the datacenter.
    Type: Grant
    Filed: January 26, 2017
    Date of Patent: June 18, 2019
    Assignee: SONICWALL INC.
    Inventors: Aleksandr Dubrovsky, Senthilkumar G. Cheetancheri, Boris Yanovsky