Abstract: A first example network security platform disclosed herein is to store a cryptographic session key from a server, the cryptographic session key associated with an encrypted network traffic flow between the server and a client different from the first network security platform. This disclosed first example network security platform is also to access a query from a second network security platform requesting the cryptographic session key, and generate a response including the cryptographic session key to send to the second network security platform.

Abstract: A network security platform (NSP) device and interaction method are disclosed. The interaction method provides network packet analysis for secure transmission protocols using ephemeral keys or keys that are negotiated dynamically. The NSP may be part of an Intrusion Protection System, or firewall. The disclosed approach does not use man-in-the-middle proxy. Instead, it includes monitoring connections ends: client and/or server, to intercept the required data or negotiated (or changed) encryption keys. Decrypted data may be sent to an NSP sensor in a secure manner for analysis. Alternatively, intercepted keys used for the encrypt/decrypt operations may be sent to an NSP sensor in a secure manner every time they are changed. The NSP sensor may then use the obtained keys to decrypt traffic prior to providing it to the inspection engines. Embodiments focused on inbound traffic to a web server may coordinate between a web server and an NSP.

Abstract: There is disclosed in one example a method of a work node synchronously load balancing to a multi-node service having an expected maximum of n work nodes, including: provisioning a flow table having m bucket groups, m?1, the bucket groups including n slots each; enumerating a static integer self-identification id0; initializing the flow table with id0 in each slot; performing a discovery iteration, including: discovering a peer device; enumerating a static integer identification idx for the peer device; assigning idx to each slot corresponding to a home position for the peer device; and load balancing slots not assigned to a home position according to a deterministic algorithm; and discovering additional nodes and performing discovery iteration for the additional nodes.

Abstract: There is disclosed in one example a method of a work node synchronously load balancing to a multi-node service having an expected maximum of n work nodes, including: provisioning a flow table having m bucket groups, m?1, the bucket groups including n slots each; enumerating a static integer self-identification id0; initializing the flow table with id0 in each slot; performing a discovery iteration, including: discovering a peer device; enumerating a static integer identification idx for the peer device; assigning idx to each slot corresponding to a home position for the peer device; and load balancing slots not assigned to a home position according to a deterministic algorithm; and discovering additional nodes and performing discovery iteration for the additional nodes.

Abstract: A first example network security platform disclosed herein is to store a cryptographic session key from a server, the cryptographic session key associated with an encrypted network traffic flow between the server and a client different from the first network security platform. This disclosed first example network security platform is also to access a query from a second network security platform requesting the cryptographic session key, and generate a response including the cryptographic session key to send to the second network security platform.

Abstract: A first example network security platform disclosed herein includes a platform selector to determine a platform selection value based on a first parameter value in a first message from a client and a second parameter value in a second message from a server, the first and second messages associated with establishment of an encrypted network traffic flow between the client and the server. The example first network security platform also includes a key retriever to obtain a cryptographic session key associated with the encrypted network traffic flow from a selected one of a cluster of network security platforms based on the platform selection value, the first network security platform included in the cluster of network security platforms. The example first network security platform further includes a traffic analyzer to analyze network traffic associated with the encrypted network traffic flow based on the cryptographic session key.

Abstract: A network security platform (NSP) device and interaction method are disclosed. The interaction method provides network packet analysis for secure transmission protocols using ephemeral keys or keys that are negotiated dynamically. The NSP may be part of an Intrusion Protection System, or firewall. The disclosed approach does not use man-in-the-middle proxy. Instead, it includes monitoring connections ends: client and/or server, to intercept the required data or negotiated (or changed) encryption keys. Decrypted data may be sent to an NSP sensor in a secure manner for analysis. Alternatively, intercepted keys used for the encrypt/decrypt operations may be sent to an NSP sensor in a secure manner every time they are changed. The NSP sensor may then use the obtained keys to decrypt traffic prior to providing it to the inspection engines. Embodiments focused on inbound traffic to a web server may coordinate between a web server and an NSP.

Abstract: A network security platform (NSP) device and interaction method are disclosed. The interaction method provides network packet analysis for secure transmission protocols using ephemeral keys or keys that are negotiated dynamically. The NSP may be part of an Intrusion Protection System, or firewall. The disclosed approach does not use man-in-the-middle proxy. Instead, it includes monitoring connections ends: client and/or server, to intercept the required data or negotiated (or changed) encryption keys. Decrypted data may be sent to an NSP sensor in a secure manner for analysis. Alternatively, intercepted keys used for the encrypt/decrypt operations may be sent to an NSP sensor in a secure manner every time they are changed. The NSP sensor may then use the obtained keys to decrypt traffic prior to providing it to the inspection engines. Embodiments focused on inbound traffic to a web server may coordinate between a web server and an NSP.

Abstract: A network security platform (NSP) device and interaction method are disclosed. The interaction method provides network packet analysis for secure transmission protocols using ephemeral keys or keys that are negotiated dynamically. The NSP may be part of an Intrusion Protection System, or firewall. The disclosed approach does not use man-in-the-middle proxy. Instead, it includes monitoring connections ends: client and/or server, to intercept the required data or negotiated (or changed) encryption keys. Decrypted data may be sent to an NSP sensor in a secure manner for analysis. Alternatively, intercepted keys used for the encrypt/decrypt operations may be sent to an NSP sensor in a secure manner every time they are changed. The NSP sensor may then use the obtained keys to decrypt traffic prior to providing it to the inspection engines. Embodiments focused on inbound traffic to a web server may coordinate between a web server and an NSP.

Abstract: A system configured to detect malware is described. The system configured to detect malware including a data collector configured to detect at least a first hypertext transfer object in a chain of a plurality of hypertext transfer objects. The data collector further configured to analyze at least the first hypertext transfer object for one or more events. And, the data collector configured to generate a list of events based on the analysis of at least the first hypertext transfer object.

Abstract: A system configured to detect malware is described. The system configured to detect malware including a data collector configured to detect at least a first hypertext transfer object in a chain of a plurality of hypertext transfer objects. The data collector further configured to analyze at least the first hypertext transfer object for one or more events. And, the data collector configured to generate a list of events based on the analysis of at least the first hypertext transfer object.

Abstract: A network security platform (NSP) device and interaction method are disclosed. The interaction method provides network packet analysis for secure transmission protocols using ephemeral keys or keys that are negotiated dynamically. The NSP may be part of an Intrusion Protection System, or firewall. The disclosed approach does not use man-in-the-middle proxy. Instead, it includes monitoring connections ends: client and/or server, to intercept the required data or negotiated (or changed) encryption keys. Decrypted data may be sent to an NSP sensor in a secure manner for analysis. Alternatively, intercepted keys used for the encrypt/decrypt operations may be sent to an NSP sensor in a secure manner every time they are changed. The NSP sensor may then use the obtained keys to decrypt traffic prior to providing it to the inspection engines. Embodiments focused on inbound traffic to a web server may coordinate between a web server and an NSP.

Abstract: A network security platform (NSP) device and interaction method are disclosed. The interaction method provides network packet analysis for secure transmission protocols using ephemeral keys or keys that are negotiated dynamically. The NSP may be part of an Intrusion Protection System, or firewall. The disclosed approach does not use man-in-the-middle proxy. Instead, it includes monitoring connections ends: client and/or server, to intercept the required data or negotiated (or changed) encryption keys. Decrypted data may be sent to an NSP sensor in a secure manner for analysis. Alternatively, intercepted keys used for the encrypt/decrypt operations may be sent to an NSP sensor in a secure manner every time they are changed. The NSP sensor may then use the obtained keys to decrypt traffic prior to providing it to the inspection engines. Embodiments focused on inbound traffic to a web server may coordinate between a web server and an NSP.

Abstract: A system configured to detect malware is described. The system configured to detect malware including a data collector configured to detect at least a first hypertext transfer object in a chain of a plurality of hypertext transfer objects. The data collector further configured to analyze at least the first hypertext transfer object for one or more events. And, the data collector configured to generate a list of events based on the analysis of at least the first hypertext transfer object.

Abstract: A system configured to detect malware is described. The system configured to detect malware including a data collector configured to detect at least a first hypertext transfer object in a chain of a plurality of hypertext transfer objects. The data collector further configured to analyze at least the first hypertext transfer object for one or more events. And, the data collector configured to generate a list of events based on the analysis of at least the first hypertext transfer object.

Abstract: Systems and methods for monitoring malware events in a computer networking environment are described. The systems and methods including the steps of identifying suspect objects; transmitting the suspect objects to an inspection service, wherein the inspection service inspects the suspect objects using a plurality of inspection methods to create digital information about the nature of the potential threat posed by the suspect objects; transmitting said digital information to an analytical service operating, wherein the analytical service performs a plurality of analytical algorithms to categorize the suspect objects with one or more scores for each suspect object based on their security threat; transmitting said one or more scores to a correlation facility which aggregates a plurality of scores; and generating an infection verification pack comprising routines which, when run on an end-point machine within the computer networking environment, will mitigate a suspected security threat.

Abstract: A system configured to detect malware is described. The system configured to detect malware including a data collector configured to detect at least a first hypertext transfer object in a chain of a plurality of hypertext transfer objects. The data collector further configured to analyze at least the first hypertext transfer object for one or more events. And, the data collector configured to generate a list of events based on the analysis of at least the first hypertext transfer object.

Abstract: Systems and methods for monitoring malware events in a computer networking environment are described.