Patents by Inventor Cheng-Ta Lee

Cheng-Ta Lee has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10284563
    Abstract: A method for providing a transparent asynchronous network flow exchange is provided. The method may include receiving a query request from a requester, whereby the received query request is associated with a network packet. The method may also include determining if the network packet contains a plurality of defined signatures. The method may further include in response to determining that the network packet contains a plurality of defined signatures, authenticating a plurality of information associated with the network packet. The method may additionally include determining a plurality of flow related security information associated with the network packet based on the authentication of the plurality of information. The method may include sending the determined plurality of flow related security information to the requester.
    Type: Grant
    Filed: December 20, 2017
    Date of Patent: May 7, 2019
    Assignee: International Business Machines Corporation
    Inventors: KuoChun Chen, Jia-Sian Jhang, Cheng-Ta Lee, Chun-Shuo Lin
  • Publication number: 20190116203
    Abstract: Embodiments can provide a computer implemented method in a data processing system comprising a processor and a memory comprising instructions, which are executed by the processor to cause the processor to implement a system for network protection, the method comprising determining, by the analyzing unit, if an incoming connection comprising one or more packets has a false latency larger than a trigger latency; if the incoming connection latency is larger than the trigger latency, reporting, by the analyzing unit, the incoming connection as a suspicious connection; determining, by the analyzing unit, if an attack is currently in progress; and if the attack is in progress, injecting, by the analyzing unit, at least one of the one or more packets of the incoming connection or one or more packets of an outgoing connection with a false latency.
    Type: Application
    Filed: October 18, 2017
    Publication date: April 18, 2019
    Inventors: Chih-Hung Chou, Cheng-ta Lee, Yin Lee, Chun-Shuo Lin
  • Publication number: 20190104422
    Abstract: Systems and methods for managing a wireless mesh network, in particular to provide for the simple configuration of a plurality of unconfigured devices to be added to the wireless mesh network are disclosed. New devices in the vicinity of a wireless mesh network broadcast signals, such as beacons, advertising their ability to join the wireless mesh network. These beacons may be detected by a primary device, such as a primary router, that is part of and can manage the wireless mesh network. The primary device is then able to establish temporary connections with the new devices that are eligible to join the wireless mesh network. The primary device may generate a list of potential new nodes for presentation to an electronic device, such as a smartphone, from which a user can select a plurality of new devices to add as new nodes. Alternatively, the primary device automatically adds devices as nodes to the wireless mesh network based on various criteria.
    Type: Application
    Filed: December 29, 2017
    Publication date: April 4, 2019
    Applicant: Senao Networks, Inc.
    Inventors: Chung-Yen Chiang, Cheng-Ta Lee, Shang-I Huang
  • Patent number: 10250596
    Abstract: A method for monitoring encrypted communication sessions between computing devices includes intercepting messages of a handshaking procedure between a client and a server device, the handshaking procedure establishing an encrypted communication session between the client and server. The method further includes determining, from the messages, a session context for the encrypted session and an identifier associated with the session context. The method further includes storing the session context in a database indexed by the identifier. The method further includes intercepting, subsequent to the storing, second messages of a second handshaking procedure between the client and a second server device, where the second handshaking procedure resumes the encrypted communication session after an interruption.
    Type: Grant
    Filed: June 29, 2016
    Date of Patent: April 2, 2019
    Assignee: International Business Machines Corporation
    Inventors: Sheng-Tung Hsu, Cheng-Ta Lee, Wei-Shiau Suen, Ming-Hsun Wu, Rick M. F. Wu
  • Patent number: 10237239
    Abstract: A mechanism is provided in a network security subsystem in a virtual machine monitor for policy based load distribution among a plurality of packet processing units. Responsive to receiving a packet from a virtual machine, the network security subsystem compares the packet to rules in a load distribution policy in the network security subsystem. Responsive to the packet matching a rule in the load distribution policy, the network security subsystem identifies a packet processing unit list and an action in the matching rule. The network security subsystem distributes the packet to a selected packet processing unit from the packet processing unit list based on the action.
    Type: Grant
    Filed: December 3, 2015
    Date of Patent: March 19, 2019
    Assignee: International Business Machines Corporation
    Inventors: Jeffrey L. Douglass, Cheng-Ta Lee, James B. Peterson, Deepti Sachdev
  • Patent number: 10212078
    Abstract: Methods, systems, and computer program products for enabling network services in a multi-tenant IaaS environment are provided. A service portal is deployed in the IaaS environment. In one embodiment, a tenant packet associated with a first tenant of the IaaS environment is received by the service portal. The tenant packet is analyzed to identify one or more services to which to transmit the tenant packet. The tenant packet is distributed to the identified services for processing. A processed tenant packet is received from one or more of the identified services. The processed tenant packet is transmitted to a destination.
    Type: Grant
    Filed: July 9, 2015
    Date of Patent: February 19, 2019
    Assignee: International Business Machines Corporation
    Inventors: Chih-Wen Chao, Cheng-Ta Lee, Wei-Shiau Suen, Ming-Hsun Wu
  • Publication number: 20190012214
    Abstract: Embodiments pertain to facilitation of live migration of a virtual machine in a network system. During live migration, a first appliance is cloned and state information directed to a first network flow is obtained. The state information is utilized by the cloned appliance to re-direct operations associated with the first network flow. At such time as the first network flow is terminated, the cloned appliance is removed.
    Type: Application
    Filed: September 14, 2018
    Publication date: January 10, 2019
    Applicant: International Business Machines Corporation
    Inventors: Chih-Wen Chao, Cheng-Ta Lee, Wei-Shiau Suen, Travis Wu, Lun Pin Yuan
  • Patent number: 10178033
    Abstract: Embodiments provide a virtual queue management system within the cluster of gateways. When a network message arrives at the gateway cluster, it is processed by one of the gateways within the cluster. The gateway that is processing the network message obtains identifying parameters. The identifying parameters can include, but are not limited to, an Internet Protocol (IP) address, a port number, and/or an HTTP command. The gateway creates a virtual queue identifier based on the obtained identifying parameters. The first gateway to receive a network message with a given virtual queue identifier assumes the role of virtual queue manager for that virtual queue. The virtual queue manager gateway informs other gateways within the cluster of the proper sequence for sending network messages to the server such that messages are transmitted to the server in the proper temporal order.
    Type: Grant
    Filed: April 11, 2017
    Date of Patent: January 8, 2019
    Assignee: International Business Machines Corporation
    Inventors: John C. Bellessa, Cheng-Ta Lee, Chih-Hsiung Liu, Joey H. Y. Tseng
  • Patent number: 10178068
    Abstract: A method of translating network attributes of packets in a multi-tenant environment, and an appliance and a program product implementing the method. The method comprises the following steps: receiving a packet from a multi-tenant environment; referring to the information of tenants, translating a selected network attribute of the packet into a unique identity representing the packet in the multi-tenant environment; and forwarding the translated packet including the unique identity.
    Type: Grant
    Filed: October 6, 2017
    Date of Patent: January 8, 2019
    Assignee: International Business Machines Corporation
    Inventors: Sheng-Tung Hsu, Cheng-Ta Lee, Wei-Shiau Suen, Ming-Hsun Wu
  • Patent number: 10171441
    Abstract: Embodiments can provide a computer implemented method in a data processing system comprising a processor and a memory comprising instructions, which are executed by the processor to cause the processor to implement a system for transforming a Channel ID communication, the method comprising: generating, by a SSL/TLS inspector, a secret; receiving, from a client, a Channel ID communication comprising a public key value; deriving, by the SSL/TLS inspector, a random seed value for a private key using the secret and the public key value of the Channel ID communication; generating, by the SSL/TLS inspector, a new private key based upon the random seed value; deriving, by the SSL/TLS inspector, a new public key based upon the new private key; generating, by the SSL/TLS inspector, a transformed Channel ID communication based upon the new private key and the new public key; and forwarding, by the SSL/TLS inspector, the transformed Channel ID communication to a server.
    Type: Grant
    Filed: September 28, 2016
    Date of Patent: January 1, 2019
    Assignee: International Business Machines Corporation
    Inventors: Wei-Hsiang Hsiung, Cheng-Ta Lee, Wei-Shiau Suen, Ming-Hsun Wu
  • Publication number: 20180351998
    Abstract: A network-based appliance includes a mechanism to provide TLS inspection with session resumption, but without requiring that a session cache be maintained. To this end, the inspector is configured to cause the TLS client to participate in maintaining the session context, in effect on behalf of the TLS inspector. In operation, when the inspector first receives the session ticket from the TLS server, and in lieu of caching it, the inspector generates and issues to the client a composited ticket that includes the original ticket and session context information that contains the session key. The composited ticket is encrypted by the inspector to secure the session information. When the TLS client presents the composited session ticket to resume the TLS connection, the inspector decrypts the ticket and retrieves the session context from it directly. The inspector then uses the original session ticket to resume the TLS session.
    Type: Application
    Filed: June 1, 2017
    Publication date: December 6, 2018
    Inventors: Cheng-Ta Lee, Wei-Hsiang Hsiung, Wei-Shiau Suen, Ming-Hsun Wu
  • Publication number: 20180351997
    Abstract: A network-based appliance includes a mechanism to provide TLS inspection with session resumption, but without requiring that a session cache be maintained. To this end, the inspector is configured to cause the TLS client to participate in maintaining the session context, in effect on behalf of the TLS inspector. In operation, when the inspector first receives a session ID from the TLS server, the inspector generates and issues to the client a session ticket that includes the original session ID and other session context information. In this manner, the inspector converts the Session ID-based connection to a Session Ticket-based connection. The session ticket is encrypted by the inspector to secure the session information. When the TLS client presents the session ticket to resume the TLS connection, the inspector decrypts the ticket and retrieves the session ID from it directly. The inspector then uses the original session ID to resume the TLS session.
    Type: Application
    Filed: June 1, 2017
    Publication date: December 6, 2018
    Inventors: Cheng-Ta Lee, Wei-Hsiang Hsiung, Wei-Shiau Suen, Ming-Hsun Wu
  • Patent number: 10146594
    Abstract: Embodiments pertain to facilitation of live migration of a virtual machine in a network system. The network system includes a first host, a second host, a first appliance for providing service to the first host, a second appliance for providing service to the second host, and a third appliance. At least one virtual machine is disposed on the first host and has an ongoing first network flow. The first appliance has generated state information about the first network flow. During the migration of the at least one virtual machine to the second host, the third appliance obtains a copy of the state information about the first network flow; and the third appliance takes over from the first appliance to serve the first network flow during the migration of the at least one virtual machine, until the first network flow is terminated.
    Type: Grant
    Filed: December 21, 2015
    Date of Patent: December 4, 2018
    Assignee: International Business Machines Corporation
    Inventors: Chih-Wen Chao, Cheng-Ta Lee, Wei-Shiau Suen, Ming Hsun Wu, Lun Pin Yuan
  • Publication number: 20180302445
    Abstract: A method and system are provided that, in turn, provide a secure policy audit in a shared enforcement environment. The method includes providing an auditing component in a software defined network. The method further includes receiving, by the auditing component, a first auditing event from a first component in the software defined network and a related auditing event from a second component in the software defined network. The method also includes analyzing, by the auditing component, the first auditing event and the related auditing event against an enforcement of an access policy criteria for the software defined network. The access policy criteria requires auditing events from at least two enforcement points in the software defined network. The first and second component form the at least two enforcement points. The method additionally includes determining, by the auditing component, one of a compliance and a non-compliance with the access policy criteria.
    Type: Application
    Filed: June 19, 2018
    Publication date: October 18, 2018
    Inventors: Cheng-Ta Lee, Ronald B. Williams
  • Publication number: 20180295062
    Abstract: Embodiments provide a virtual queue management system within the cluster of gateways. When a network message arrives at the gateway cluster, it is processed by one of the gateways within the cluster. The gateway that is processing the network message obtains identifying parameters. The identifying parameters can include, but are not limited to, an Internet Protocol (IP) address, a port number, and/or an HTTP command. The gateway creates a virtual queue identifier based on the obtained identifying parameters. The first gateway to receive a network message with a given virtual queue identifier assumes the role of virtual queue manager for that virtual queue. The virtual queue manager gateway informs other gateways within the cluster of the proper sequence for sending network messages to the server such that messages are transmitted to the server in the proper temporal order.
    Type: Application
    Filed: April 11, 2017
    Publication date: October 11, 2018
    Inventors: John C. Bellessa, Cheng-Ta Lee, Chih-Hsiung Liu, Joey H. Y. Tseng
  • Patent number: 10044758
    Abstract: A method and system are provided that, in turn, provide a secure policy audit in a shared enforcement environment. The method includes providing an auditing component in a software defined network. The method further includes receiving, by the auditing component, a first auditing event from a first component in the software defined network and a related auditing event from a second component in the software defined network. The method also includes analyzing, by the auditing component, the first auditing event and the related auditing event against an enforcement of an access policy criteria for the software defined network. The access policy criteria requires auditing events from at least two enforcement points in the software defined network. The first and second component form the at least two enforcement points. The method additionally includes determining, by the auditing component, one of a compliance and a non-compliance with the access policy criteria.
    Type: Grant
    Filed: October 15, 2015
    Date of Patent: August 7, 2018
    Assignee: International Business Machines Corporation
    Inventors: Cheng-Ta Lee, Ronald B. Williams
  • Publication number: 20180183972
    Abstract: A graphical indicator comprising a plurality of first header blocks, a plurality of second header blocks and a plurality of data blocks for forming an indicator matrix is provided. Each of the first and second header blocks has a header graphical micro-unit, and each of the data blocks has a data graphical micro-unit. An array area is formed by the second header blocks and the data blocks. A first virtual line and a second virtual line are respectively formed by virtual centers of the first and second header blocks, and an included angle between the first and second virtual lines is less than 90 degrees.
    Type: Application
    Filed: February 23, 2018
    Publication date: June 28, 2018
    Applicant: SONIX Technology Co., Ltd.
    Inventors: Cheng-Ta Lee, Jang-Jer Tsai, Tzu-Fong Huang
  • Patent number: 9998329
    Abstract: An intelligent network management device including an analytic unit, conducting an analysis according to received packets in order to determine whether a given event has occurred; and a processing unit, generating and sending a control instruction to an SDN controller to change configurations of an SDN switch when the analytic unit determines that the given event has occurred.
    Type: Grant
    Filed: July 23, 2015
    Date of Patent: June 12, 2018
    Assignee: International Business Machines Corporation
    Inventors: Chih-Wen Chao, Cheng-Ta Lee, Wei-Shiau Suen, Ming-Hsun Wu
  • Publication number: 20180115553
    Abstract: A method for providing a transparent asynchronous network flow exchange is provided. The method may include receiving a query request from a requester, whereby the received query request is associated with a network packet. The method may also include determining if the network packet contains a plurality of defined signatures. The method may further include in response to determining that the network packet contains a plurality of defined signatures, authenticating a plurality of information associated with the network packet. The method may additionally include determining a plurality of flow related security information associated with the network packet based on the authentication of the plurality of information. The method may include sending the determined plurality of flow related security information to the requester.
    Type: Application
    Filed: December 20, 2017
    Publication date: April 26, 2018
    Inventors: KuoChun Chen, Jia-Sian Jhang, Cheng-Ta Lee, Chun-Shuo Lin
  • Patent number: 9942273
    Abstract: A method, apparatus and computer program product for automatically reconfiguring a policy of a multi-tenant service is disclosed. A first tenant specific policy for a first tenant of a plurality of tenants serviced by the multi-tenant service is provided. The multi-tenant service uses a second tenant specific policy different from the first tenant specific policy for a second tenant of the plurality of tenants. An event relevant to the first tenant specific policy is detected. The first tenant specific policy is reconfigured according to the detected event.
    Type: Grant
    Filed: December 9, 2015
    Date of Patent: April 10, 2018
    Assignee: International Business Machines Corporation
    Inventors: Cheng-Ta Lee, Ronald Becker Williams