Abstract: Countering phishing attacks by generating multiple synthetic victims, where each of the synthetic victims includes synthetic victim information that represents a computer user identity and includes associated sensitive information, where the computer user identity and its associated sensitive information are fictitious in that they are not known to be associated with a legitimate computer user, providing any of the synthetic victim information of the synthetic victims to a computer-hosted phishing site, storing the synthetic victim information in a computer-accessible database, receiving from a computer-hosted target site information provided to the computer-hosted target site by a requestor, identifying in the computer-accessible database database synthetic victim information matching the requestor information, and notifying the computer-hosted target site that the requestor information is of a synthetic victim.

Abstract: A network-based appliance includes a mechanism to provide TLS inspection with session resumption, but without requiring that a session cache be maintained. To this end, the inspector is configured to cause the TLS client to participate in maintaining the session context, in effect on behalf of the TLS inspector. In operation, when the inspector first receives a session ID from the TLS server, the inspector generates and issues to the client a session ticket that includes the original session ID and other session context information. In this manner, the inspector converts the Session ID-based connection to a Session Ticket-based connection. The session ticket is encrypted by the inspector to secure the session information. When the TLS client presents the session ticket to resume the TLS connection, the inspector decrypts the ticket and retrieves the session ID from it directly. The inspector then uses the original session ID to resume the TLS session.

Abstract: A tiered machine learning-based infrastructure comprises a first machine learning (ML) tier configured to execute within an enterprise network environment and that learns statistics for a set of use cases locally, and to alert deviations from the learned distributions. Use cases typically are independent from one another. A second machine learning tier executes external to the enterprise network environment and provides further learning support, e.g., by determining a correlation among multiple independent use cases that are running locally in the first tier. Preferably, the second tier executes in a cloud compute environment for scalability and performance.

Abstract: A network-based appliance includes a mechanism to provide TLS inspection with session resumption, but without requiring that a session cache be maintained. To this end, the inspector is configured to cause the TLS client to participate in maintaining the session context, in effect on behalf of the TLS inspector. In operation, when the inspector first receives the session ticket from the TLS server, and in lieu of caching it, the inspector generates and issues to the client a composited ticket that includes the original ticket and session context information that contains the session key. The composited ticket is encrypted by the inspector to secure the session information. When the TLS client presents the composited session ticket to resume the TLS connection, the inspector decrypts the ticket and retrieves the session context from it directly. The inspector then uses the original session ticket to resume the TLS session.

Abstract: A network-based appliance includes a mechanism to set-up and selectively use an “out-of-band” encryption channel. The mechanism comprises a packet parser, and a packet dispatcher, and it is integrated with an existing network layer stack that typically is not visible to host applications. In lieu of simply encrypting all data it receives, the mechanism instead analyzes one or more attributes, e.g., protocol type, application type, current encryption strength, content payload, etc., associated with a packet transmission to determine whether further encryption is required. The evaluation may include a deep packet inspection (DPI) when the information at the network layer (e.g., IP address, port number, etc.) is not sufficient to determine if the payload in the packet needs to be further encrypted. Based on the result of the analysis, packets are dispatched to the encryption channel as and when necessary.

Abstract: Disclosed is a method of customizing an appliance. The method includes steps of pre-storing a public key in the appliance; connecting the appliance to an external storage device; and booting up the appliance to automatically proceed with the following customization process: obtaining a customization file from the external storage device; authenticating the customization file with the public key; and executing customization with the customization file if the authentication succeeds.

Abstract: “Multi-tenant awareness” is added to a set of one or more packet processing devices in a Software Defined Network (SDN) having a controller. For each of one or more tenants, information in a table associates network protocol address attributes with an Internet Protocol (IP) address unique to the tenant. The table is associated with a multiple-layer translation layer being managed by the SDN controller. As a data packet traverses the translation layer, network protocol address attributes are translated according to values in the table to enable logical routing of the packet (to a given PPD. This translation occurs dynamically (or “on-the-fly”) as packets are “on route” to their destination. By implementing a multi-layer network address translation (NAT), one layer may be used to translate network protocol address source attributes, while a second layer may be used to translate network protocol address destination attributes.

Abstract: Disclosed is a method of customizing an appliance. The method includes steps of pre-storing a public key in the appliance; connecting the appliance to an external storage device; and booting up the appliance to automatically proceed with the following customization process: obtaining a customization file from the external storage device; authenticating the customization file with the public key; and executing customization with the customization file if the authentication succeeds.

Abstract: Embodiments provide a system and method for network tracking. Through various methods of packet encapsulation or IP option filling, one or more packets of information can be tagged with a unique security tag to prevent unauthorized access. A user agent can be validated by an authentication server through acceptance of one or more user credentials. The authentication server can generate a security token that can be transmitted to the user agent. The user agent can generate a keystream from the security token, and portions of that keystream can be attached to the packets as the security tag. The tagged packets can be forwarded to an authenticator, who can recreate the keystream from a copy of the security token provided by the authentication server. If the tags generated from the authenticator match the tags on the tagged packet, the authenticator can strip the tag from the tagged packet and forward the packet on to its next network address.

Abstract: A network-based appliance includes a mechanism to set-up and selectively use an “out-of-band” encryption channel. The mechanism comprises a packet parser, and a packet dispatcher, and it is integrated with an existing network layer stack that typically is not visible to host applications. In lieu of simply encrypting all data it receives, the mechanism instead analyzes one or more attributes, e.g., protocol type, application type, current encryption strength, content payload, etc., associated with a packet transmission to determine whether further encryption is required. The evaluation may include a deep packet inspection (DPI) when the information at the network layer (e.g., IP address, port number, etc.) is not sufficient to determine if the payload in the packet needs to be further encrypted. Based on the result of the analysis, packets are dispatched to the encryption channel as and when necessary.

Abstract: A Man in the Middle (MitM) computer receives a first session identifier from a client for a first communication session between the client and a server, and monitors Transport Layer Security (TLS) communication sessions between the client and the server, where the first session identifier is one of an unknown session identifier and an invalid session identifier. In response to receiving the first session identifier from the client, the MitM computer performs one of: requesting a second session identifier from the server for a second communication session if the first session identifier is an unknown session identifier; and transmitting, to the client, an instruction to flush a session cache in the client, where flushing the session cache in the client forces the client and the server to establish a full TLS handshake in order to obtain a session key if the first session identifier is an invalid session identifier.

Abstract: According to one exemplary embodiment, a method for orchestrating a flow of a packet through a software-defined network (SDN) switch is provided. The method may include determining at least one available service associated with the SDN switch. The method may also include receiving the packet at an input port associated with the SDN switch, wherein the packet has a destination value and a packet type. The method may then include generating a flow entry based on the at least one available service and the packet type, wherein the flow entry has a plurality of entry characteristics and an action. The method may further include selecting the flow entry based on matching the plurality of entry characteristics to the destination value and the packet type. The method may also include performing the action associated with the selected flow entry.

Abstract: Embodiments provide a system and method for network tracking. Through various methods of packet encapsulation or IP option filling, one or more packets of information can be tagged with a unique security tag to prevent unauthorized access. A user agent can be validated by an authentication server through acceptance of one or more user credentials. The authentication server can generate a security token that can be transmitted to the user agent. The user agent can generate a keystream from the security token, and portions of that keystream can be attached to the packets as the security tag. The tagged packets can be forwarded to an authenticator, who can recreate the keystream from a copy of the security token provided by the authentication server. If the tags generated from the authenticator match the tags on the tagged packet, the authenticator can strip the tag from the tagged packet and forward the packet on to its next network address.

Abstract: A technique for network attack tainting and tracking includes monitoring data packets received from a network for a malicious request. Responsive to detecting a malicious request, a payload is created that is digitally signed. The digitally signed payload is encrypted and injected into a response message, and the response message is then transmitted to a source of the request as a response to the request.

Abstract: Embodiments provide a system and method for stateless session synchronization between inspectors for high availability deployments. Man in the Middle inspectors of a communication session between a client and server exchange a shared key that is used as a common seed value in a mapping function algorithm. Each inspector generates identical key-pairs using the common mapping function algorithm, and the inspectors generate the session keys from the key-pairs. Inspectors use the session keys to decrypt and either actively or passively inspect data transferred in a session between a client and server.

Abstract: A computer program product for transmitting data flow in a network between two resources using a processing circuit to perform a method which includes obtaining a data record from a first resource, storing the data record and an associated data record identifier in a first memory, transmitting the data record from a first network to a second network, storing the data record and an associated data record identifier in a second memory, determining by an inline service provider whether the data record is suitable for transmission from a first resource to a second resource; based on determining that the data record is suitable for transmission by the inline service provider transmitting only the data record identifier stored in the second memory to the first switch and retrieving the data record stored in the first memory associated with the data record identifier for transmission to the second resource.

Abstract: “Multi-tenant awareness” is added to a set of one or more packet processing devices in a Software Defined Network (SDN) having a controller. For each of one or more tenants, information in a table associates network protocol address attributes with an Internet Protocol (IP) address unique to the tenant. The table is associated with a multiple-layer translation layer being managed by the SDN controller. As a data packet traverses the translation layer, network protocol address attributes are translated according to values in the table to enable logical routing of the packet (to a given PPD. This translation occurs dynamically (or “on-the-fly”) as packets are “on route” to their destination. By implementing a multi-layer network address translation (NAT), one layer may be used to translate network protocol address source attributes, while a second layer may be used to translate network protocol address destination attributes.

Abstract: In response to receiving an unknown first session identifier from a client for a first communication session between the client and a server, a Man in the Middle (MitM) computer requests a second session identifier from the server for a second communication session between the server and the MitM computer. The MitM computer generates a third session identifier for a third communication session between the MitM computer and the client. The MitM computer generates a fourth communication session between the server and the client using a combination of the second communication session and the third communication session. In response to receiving an invalid session identifier from the client for a fifth communication session between the client and the server, the MitM computer transmits an instruction, to the client, to flush a session cache in the client to force a full TLS handshake between the client and the server.

Abstract: A first client encryption initiation is intercepted from a client. The first client encryption initiation is intended for a server. Based on the first client encryption initiation, a second client encryption initiation is initiated with the server. Receiving a server response from the server responsive to the initiated second client encryption initiation. A first secure connection is negotiated with the client. The first secure connection is based on the intercepted first client encryption initiation and based on the server response. A session key to perform secure communication with the client is obtained from the first secure connection. A second secure connection is established with the server. The second secure connection is based on the server response and the session key.

Abstract: A method for providing a transparent asynchronous network flow exchange is provided. The method may include receiving a query request from a requester, whereby the received query request is associated with a network packet. The method may also include determining if the network packet contains a plurality of defined signatures. The method may further include in response to determining that the network packet contains a plurality of defined signatures, authenticating a plurality of information associated with the network packet. The method may additionally include determining a plurality of flow related security information associated with the network packet based on the authentication of the plurality of information. The method may include sending the determined plurality of flow related security information to the requester.