Abstract: A network protection method is provided. The network protection method may include receiving a Domain Name System (DNS) request, logging the DNS request, classifying the DNS request based on an analysis of a DNS name associated with the DNS request, taking a security action based on the classification, analyzing network traffic after taking the security action, and providing substantially real-time feedback associated with the network traffic to improve future DNS request classifications. The method may further include receiving a DNS response and logging the DNS response. The analysis of the DNS name may include receiving DNS data related to the DNS name from a plurality of sources, receiving reputation data related to the plurality of sources, scoring each of the plurality of sources based on the reputation data, and aggregating the DNS data related to the DNS name based on the scoring.

Abstract: A packet processing device includes a control logic processor for filtering packets according to a set of stored rules and an arithmetic logic processor for executing packet processing instructions based on the content of the packet. The control logic processor spawns a new thread for each incoming packet, relieving the arithmetic logic processor of the need to do so. The control logic processor and the arithmetic logic processor preferably are integrated via a thread queue. The control logic processor preferably assigns a policy to each incoming packet. A policy action table stores one or more policy instructions which may be easily changed to update policies to be implemented. The policy action table preferably maps a virtual packet flow identification code to the physical memory address of an action code and a state block associated to the identification code. The arithmetic logic processor processes a packet based on the stored policy assigned to that packet.

Abstract: A web threat protection system may receive candidate uniform resource locators (URLs) from several URL sources. The candidate URLs may be received in a submission database. At least a portion of the candidate URLs is selected for further investigation by sending crawlers to retrieve objects from the selected URLs. The retrieved objects may be analyzed to determine whether they are malicious or good (i.e., not malicious). The result of the analysis may be used to build a security states database that includes security information of the selected URLs. Good URLs may be included in a safe URL sphere, which may be used to navigate to good websites on the Internet.

Abstract: A network protection method is provided. The network protection method may include receiving a Domain Name System (DNS) request, logging the DNS request, classifying the DNS request based on an analysis of a DNS name associated with the DNS request, taking a security action based on the classification, analyzing network traffic after taking the security action, and providing substantially real-time feedback associated with the network traffic to improve future DNS request classifications. The method may further include receiving a DNS response and logging the DNS response. The analysis of the DNS name may include receiving DNS data related to the DNS name from a plurality of sources, receiving reputation data related to the plurality of sources, scoring each of the plurality of sources based on the reputation data, and aggregating the DNS data related to the DNS name based on the scoring.

Abstract: A plug-in module of a DHCP server enforces a security policy of a computer network. The module receives a request to provide an IP address for an end-user computer. A blacklist database is consulted to determine if the computer is not in compliance with the policy. If not compliant, the module returns to the computer a special IP address, a special default gateway and a lease time; the special IP address places the computer in a restricted network segment of the network where it cannot send network packets to other computers. If compliant, the computer receives an IP address and a lease time. The first time an IP address is requested a probe is triggered to determine if the computer is compliant using software not present on the computer. A cleanup service located in the restricted segment remove malware and updates software. Lease times increase after each successful request of an IP address.

Abstract: Malicious codes may be prevented from performing malicious actions in a computer that does not have a virtual machine by simulating presence of the virtual machine. When a computer program performs an action in the computer, the action may be intercepted to determine if the computer program is malicious code probing the computer for presence of the virtual machine. A response to the action may be in accordance with convention of the virtual machine when the action is deemed to be for purposes of detecting the virtual machine. Otherwise, the action may be allowed to proceed.

Abstract: An antivirus agent located on a user computer, local area network or standalone hardware device includes a statistical module, a control unit, a timeslot generator and a dispatcher. The statistical module calculates statistics for incoming request packets including the burstiness degree H. A number of normal distributions are predefined. A number of probability sequences are predefined. An input statistic is used to select one of the probability sequences. This probability sequence is used to select a timer value from the distributions. Packets are loaded into a variable-length buffer in the dispatcher to form the timer expires or when the buffer is full. The rate of the output traffic from the dispatcher depends upon a selected distribution value by the timeslot generator and not by any manufactured timing by an attacker. Output traffic frequency is shaped by the dispatcher; packets may go out faster or slower, thus thwarting an attacker who relies upon their own inserted packet timing.

Abstract: A packet processing device includes a control logic processor for filtering packets according to a set of stored rules and an arithmetic logic processor for executing packet processing instructions based on the content of the packet. The control logic processor spawns a new thread for each incoming packet, relieving the arithmetic logic processor of the need to do so. The control logic processor and the arithmetic logic processor preferably are integrated via a thread queue. The control logic processor preferably assigns a policy to each incoming packet. A policy action table stores one or more policy instructions which may be easily changed to update policies to be implemented. The policy action table preferably maps a virtual packet flow identification code to the physical memory address of an action code and a state block associated to the identification code. The arithmetic logic processor processes a packet based on the stored policy assigned to that packet.

Abstract: A packet processing device includes a control logic processor for filtering packets according to a set of stored rules and an arithmetic logic processor for executing packet processing instructions based on the content of the packet. The control logic processor spawns a new thread for each incoming packet, relieving the arithmetic logic processor of the need to do so. The control logic processor and the arithmetic logic processor preferably are integrated via a thread queue. The control logic processor preferably assigns a policy to each incoming packet. A policy action table stores one or more policy instructions which may be easily changed to update policies to be implemented. The policy action table preferably maps a virtual packet flow identification code to the physical memory address of an action code and a state block associated to the identification code. The arithmetic logic processor processes a packet based on the stored policy assigned to that packet.

Abstract: An intrusion detection and analysis system and method are disclosed. The system includes a data monitoring device comprising a capture engine operable to capture data passing through the network and configured to monitor network traffic, decode protocols, and analyze received data. The system further includes an intrusion detection device comprising a detection engine operable to perform intrusion detection on data provided by the data monitoring device. Application program interfaces are provided and configured to allow the intrusion detection device access to applications of the data monitoring device to perform intrusion detection. The system also includes memory for storing reference network information used by the intrusion detection device to determine if an intrusion has occurred.

Abstract: A signature based intrusion detection method and system are disclosed. A method for detecting intrusions on a network generally comprises storing signature profiles identifying patterns associated with network intrusions in a signature database and generating classification rules based on the signature profiles. Data packets transmitted on the network and having corresponding classification rules are classified according to generated classification rules. Classified packets are forwarded to a signature engine for comparison with signature profiles.

Abstract: A system, method and computer program product are provided for adjusting results during network analysis. Initially, network communications are received. Such network communications are then processed utilizing first hardware to generate first results. Subsequently, the network communications are processed utilizing second hardware to generate second results. Either the first results and/or the second results are then adjusted for conforming with the other.

Abstract: A method for protecting a host located within a computer network. The method includes mapping a public host address for a public host to a secret host address for a secret host containing data accessible over the computer network. The public host address is available from a domain name system server. The method further includes receiving a request for communication with the secret host at the public host and forwarding the request from the public host to the secret host. The request is processed at the secret host which communicates over the network and the communication appears to be sent from the public host.

Abstract: A method for controlling access to information from a DNS server having an access control list specifying clients approved to receive an IP address corresponding to a domain name of a target host is disclosed. The method includes receiving a request from a client for an IP address of a domain name at the DNS server and looking up the domain name in an access control list. The client is sent a reply containing the IP address of the domain name if the client is authorized in the access control list to receive the IP address. If the client is not authorized to receive the IP address, the request is denied.

Abstract: A method for providing advertising to a handheld computer operable to connect to a network. The handheld computer includes a screen for displaying visual content received from the network and configured for playing an audio message associated with the visual content. The method includes receiving a request for content from the handheld computer and associating an advertisement with the request for content. The requested content is sent to the handheld computer for display on the screen of the computer and the associated advertisement is sent to the computer for playing over an audio output device of the handheld computer.

Abstract: A system, method and computer program product are provided for ascertaining the location of an access point in a wireless network. Initially, a strength of a radio frequency signal of an access point of a wireless network is monitored at a position utilizing a wireless network analyzer. Next, the wireless network analyzer is moved about the position. The foregoing operations may be repeated to allow the location of the access point to be ascertained based on the monitored strength of the radio frequency signal.

Abstract: A method for providing advertising to a handheld computer operable to connect to a network. The handheld computer includes a screen for displaying visual content received from the network and configured for playing an audio message associated with the visual content. The method includes receiving a request for content from the handheld computer and associating an advertisement with the request for content. The requested content is sent to the handheld computer for display on the screen of the computer and the associated advertisement is sent to the computer for playing over an audio output device of the handheld computer.