Abstract: Provided are methods and systems for configuring a network device with user-defined instruction scripts. The method may commence with receiving a request for a network session between a client device and a server. The method may further include receiving a user-defined class and a user-defined object configuration. The user-defined class and the user-defined object configuration may include the user-defined instruction scripts provided by a user of the client device. The method may further include instructing an object virtual machine to generate at least one user-defined object based on the user-defined class and the user-defined object configuration. The method may continue with instructing an object virtual machine to generate at least one user-defined object based on the user-defined class and the user-defined object configuration.

Abstract: Provided are methods and systems for eliminating a redirection of data traffic in a cluster. An example method may include receiving, by one or more nodes of the cluster, a data packet associated with a service session. The method may include determining, by the node, that the data packet is directed to a further node in the cluster. The method may further include, in response to the determination, acquiring, by the node, a session context associated with the service session. Acquiring the session context may include sending, by the node, a request for the session context to the further node and receiving the session context from the further node. The method may further include processing, by the one or more nodes, the data packet based on the session context.

Abstract: A method for web service load balancing may commence with receiving, from a local DNS server, a request for a web service. The local DNS server may be coupled to a web client requesting the web service. The request may include local DNS server information. The method may continue with determining a geographic location of the local DNS server based on the local DNS server information. The method may further include selecting a web server from a plurality of web servers based on the web service. The method may continue with determining a geographic location of the web server and determining that the geographic location of the local DNS server matches the geographic location of the web server. The method may further include selecting the web server based on the match. The method may continue with sending a response to the local DNS server.

Abstract: Provided are computer-implemented methods and systems for transitioning between traffic classification modules. An example method for transitioning between traffic classification modules may include processing a plurality of packets associated with a plurality of sessions by a first collection of traffic-classification modules. The method may further include loading a second collection of traffic-classification modules. The method may continue with receiving one or more further packets flowing from a source network device to a destination network device. The one or more further packets may be associated with one or more new sessions. The method may further include processing the one or more further packets associated with the one or more new sessions by the second collection of traffic-classification modules.

Abstract: Exemplary embodiments for a distributed system for determining a server's health are disclosed. The systems and methods provide for a network controller to direct one or more servicing nodes to check the health of one or more servers, and report a health score to the network controller. The network controller may then calculate, update and maintain a health score for each server in the network from the various health scores reported to it from the servicing nodes. This allows a distributed system to be used to facilitate network operations, as a single device is not relied on for periodically determining each server's health.

Abstract: Provided are methods and systems for processing data packets in a data network using a policy-based network path. The method may commence with receiving the data packet associated with a service session from a client. The method may continue with determining data packet information associated with the data packet. The method may further include determining the policy-based network path for the data packet based on the data packet information and one or more packet processing criteria. The method may continue with routing, based on the determination of the policy-based network path, the data packet along the policy-based network path.

Abstract: Provided are methods and systems for providing a fault resilient virtual broadband gateway. A fault resilient virtual broadband gateway system may include a primary network node, at least one secondary node, and a controller. The primary network node may establish a first data traffic channel with customer premises equipment. The primary network node may collect customer policy data of the customer premises equipment and continuously provide the collected customer policy data to the controller. The at least one secondary network node may determine that the primary network node is no longer available to serve the customer premises equipment and may establish a second data traffic channel with the customer premises equipment. The at least one secondary network node may receive, on demand, the customer policy data from the controller. The at least one secondary network node may serve the customer premises equipment based on the received customer policy data.

Abstract: Provided is a method for identifying suspicious traffic. The method may commence with compiling statistical data for a plurality of hosts. The method may further include generating data lists for with the plurality of hosts based on the statistical data. The method may continue with receiving a data packet from a host of the plurality of hosts. The data packet may be associated with a plurality of parameters. The method may further include analyzing one or more of the plurality of parameters associated with the data packet using the data lists. The method may continue with determining, based on the analysis, that the one or more of the plurality of parameters are outside a predetermined tolerance zone. Based on the determination that the one or more of the plurality of parameters are outside the predetermined tolerance zone, a mitigation action associated with the host may be selectively initiated.

Abstract: Facilitation of secure network traffic over an application session by an application delivery controller is provided herein. A method for secure network traffic transmission over an application session may include receiving, from a client device, a SYN data packet intended for an application server. The method may continue with determining, based on the SYN data packet, that the client device is a trusted source. The method may further include transmitting, based on the determination that the client device is the trusted source, a SYN/ACK packet to the client device. The SYN/ACK packet may include information for the client device to authenticate the client device to the application server directly as the trusted source.

Abstract: Decreasing a volume of data transfer over a network may commence with collecting a plurality of datasets having subscriber data. The method may continue with classifying data fields of each dataset of the plurality of datasets into low frequency change data and high frequency change data based on predetermined criteria. The method may further include combining a plurality of consecutive datasets of the plurality of datasets into a combination dataset. The combination dataset may include the low frequency change data and aggregated high frequency change data from the plurality of consecutive datasets. The method may continue with providing the combination dataset to a data processing node.

Abstract: Provided are a method and a system for intercepting secure shell (SSH) sessions. The method may commence with intercepting, by a client-facing SSH gateway, a session request to establish an SSH session between a client and a server. The method may continue with establishing a first SSH session between the client and the client-facing SSH gateway and receiving encrypted data packets of the SSH session from the client via the first SSH session. The client-facing SSH gateway may decrypt the encrypted data packets, establish a communication session with a server-facing SSH gateway, and forward decrypted data packets to the server-facing SSH gateway via the communication session. The server-facing SSH gateway may receive the decrypted data packets, establish a second SSH session between the server-facing SSH gateway and the server, encrypt the decrypted data packets, and forward the encrypted data packets to the server via the second SSH session.

Abstract: Expertise, for performing classification of a type of network traffic, can be encapsulated in a module. A set of modules, as currently available to a traffic controller, can be referred to as a collection. Programming language constructs are introduced that facilitate the writing of modules customized to identify network traffic that is peculiar to a particular user, or to a relatively small group of users. An example programming language, based on Tcl, is introduced. A key aspect is event-driven programming, and the “when” command construct is introduced. Three important event types, that can trigger a “when” command, are CLIENT_DATA, SERVER_DATA, and RULE_INIT. Another key aspect is an ability to keep state information between events. Constructs for intra-session, intra-module, and global state are introduced. A module can be blocked from executing more than once for a session. Successful execution of a module can be specified by a “match” statement.

Abstract: Provided are methods and systems for network access control. A method for network access control may commence with determining whether a client device is a trusted source or an untrusted source. The determination may be performed using a SYN packet received from the client device. The SYN packet may include identifying information for the client device. When it is determined that the client device is neither the trusted source nor the untrusted source, the method may continue with transmitting a SYN/ACK packet to the client device. The SYN/ACK packet may include a SYN cookie and identifying information for a network device. The method may further include receiving an ACK packet from the client device that may include the identifying information for the client device, identifying information for the network device, and the SYN cookie. The method may continue with establishing a connection with a network for the client device.

Abstract: Provided are methods and systems for a Transmission Control Protocol (TCP) state handoff of a data traffic flow. A method for a TCP state handoff of a data traffic flow comprises determining a TCP state at predetermined times by a state machine unit. The TCP state includes data concerning a session between a client and a server. The TCP state for the predetermined times is stored to a database. A request to apply a predetermined policy to the session is received by a transaction processing unit and, based on the request, a session request associated with the session between the client and the server is sent to an access control unit. The session request is processed by the access control unit based on the TCP state and according to the predetermined policy.

Abstract: Decreasing data transfer over a network may commence with collecting subscriber data. The method may continue with classifying the subscriber data into low frequency change data and high frequency change data based on predetermined criteria. The method may include storing the low frequency change data to a data storage. The method may continue with generating reporting data. The reporting data may include the high frequency change data and at least one data index pointer to the low frequency change data in the data storage. The method may further include providing the reporting data to a data processing node. The low frequency change data may include subscriber identifying data. The data reporting node may be further configured to obfuscate the subscriber identifying data. The at least one data index pointer may include a secure data identifier associated with the obfuscated subscriber identifying data.

Abstract: Provided are methods and systems for recognizing network devices as trusted. A system for recognizing network devices as trusted may include a network module, a storage device, and a processor. The network module may be configured to receive a request from a network device to establish a data connection between the network device and a server based on a determination that the network device is trusted. The storage device may be configured to store a whitelist associated with a plurality of trusted network devices. The processor may be configured to determine that the network device is trusted. Based on the determination, the processor may associate the network device with the whitelist for a predetermined period of time.

Abstract: A method and system for selecting a server load balancer (SLB) for processing requests associated with a client are provided. The method may commence with receiving a Domain Name System (DNS) request from a client DNS server associated with the client. The method may include determining a geolocation of the client. The method may continue with receiving a time delay record including a round trip time (RTT) between the client and each of pluralities of SLBs and a geolocation of each SLB. The method may include matching the geolocation of the client and the geolocation of each of the pluralities of SLBs. The method may include selecting SLBs having the geolocation that matches the geolocation of the client. The method may further include selecting, from the SLBs, an SLB having a lowest RTT and sending a DNS response comprising network data of the selected SLB to the client DNS server.

Abstract: A method for electing a master blade in a virtual application distribution chassis (VADC), includes: sending by each blade a VADC message to each of the other blades; determining by each blade that the VADC message was not received from the master blade within a predetermined period of time; in response, sending a master claim message including a blade priority by each blade to the other blades; determining by each blade whether any of the blade priorities obtained from the received master claim messages is higher than the blade priority of the receiving blade; in response to determining that none of the blade priorities obtained is higher, setting a status of a given receiving blade to a new master blade; and sending by the given receiving blade a second VADC message to the other blades indicating the status of the new master blade of the given receiving blade.

Abstract: Provided are methods and systems for managing health statuses of servers. The method for managing health statuses of servers in a distributed GSLB system may include receiving, at a GSLB site controller, health statuses of local servers associated with the GSLB site controller. The method may further include exchanging, by the GSLB site controller, the health statuses of the local servers with health statuses of remote servers associated with at least one remote GSLB site controller. The method may further include distributing, by the GSLB site controller, at least a part of the health statuses of the local servers and the remote servers to SLBs associated with the GSLB site controller.

Abstract: Provided are methods and systems for caching network generated security certificates. An example system may include a security gateway node and a storage module. The security gateway node may be operable to receive, from a client, a session request to establish a secure connection with a server. Based on the session request, the security gateway node may establish a first secure session between the client and the security gateway node and a second secure session between the security gateway node and the server. The security gateway node may receive a server certificate from the server. The security gateway node may match the server certificate against a gateway certificate table. Based on the matching, the security gateway node may receive a gateway certificate associated with the gateway certificate entry that matches the server certificate. The gateway certificate may be used for performing the first secure session.