Patents Assigned to Arbor Networks
-
Publication number: 20150312272
Abstract: A method and system for managing data traffic and protecting computing assets. The method and system includes intercepting queries and messages, such as EDNS0 queries, and sending probe queries and reply queries to the originating computing device to determine whether the originating computing device may be sufficiently validated so as to justify forwarding resource-intensive queries and messages to the targeted computing device.
Type: Application
Filed: April 23, 2014
Publication date: October 29, 2015
Applicant: Arbor Networks, Inc.
Inventors: Ellis Roland Dobbins, Alexandru G. Bardas, Marc R. Eisenbarth
-
Patent number: 9077639
Abstract: A method and system for managing data traffic on a cellular network. The method and system includes detecting that an internet service is experiencing excessive amounts of data traffic from a cellular network. Sending, to a cellular device on the cellular network, a modified IP address for the internet service, wherein the modified IP address points away from the internet service. The modified IP address is sent in response to detecting that the internet service is experiencing excessive amounts of traffic from a cellular network and detecting a DNS query from the cellular device for the internet service.
Type: Grant
Filed: November 18, 2013
Date of Patent: July 7, 2015
Assignee: Arbor Networks, Inc.
Inventor: Bradley J. Higgins
-
Patent number: 9060020
Abstract: A system, method and computer readable storage medium that receives traffic/packets from external devices attempting to access protected devices in a protected network. A determination is made to whether a received packet belongs to one of a plurality of packet classifications. Each packet classification indicative of different classes of IP traffic. Countermeasures are applied to a received packet to prevent attack upon the protected devices. Applying a countermeasure to a received packet determined to belong to one of the plurality of packet classifications includes countermeasure modification/selection contingent upon the determined packet classification for the received packet.
Type: Grant
Filed: April 24, 2013
Date of Patent: June 16, 2015
Assignee: Arbor Networks, Inc.
Inventors: Scott Iekel-Johnson, Aaron Campbell, Lawrence Bruce Huston, III, Brian Moran, Jeff Edwards, Marc Eisenbarth, Jose Oscar Nazario
-
Patent number: 9055113
Abstract: A method and system for correlating web content with content providers to determine the origin of the content such that it is not necessary to look inside the information exchange. The method and system maintains sequences of reference points, which are ordered lists of content providers accessed by subscribers over time, and correlates the internet content applications, such as video, found in network traffic to the sequence of reference points accessed by subscribers to determine the origins of the content even when the content being delivered by third-party content delivery networks.
Type: Grant
Filed: August 20, 2010
Date of Patent: June 9, 2015
Assignee: Arbor Networks, Inc.
Inventor: Dinesh Makhija
-
Patent number: 9049170
Abstract: A system and method performed by a computing device connected to a network and having one or more processors and memory storing one or more programs for execution by the one or more processors. At least one packet is received over a network. The packet is analyzed to detect predetermined content. The predetermined content is selected if it is determined that the packet contains the predetermined content. Future transmission of any packet containing the predetermined content is prevented in response to selection of the predetermined content.
Type: Grant
Filed: May 31, 2013
Date of Patent: June 2, 2015
Assignee: Arbor Networks, Inc.
Inventors: Bryan Andrew Witherspoon, Joshua Matthew Fields
-
Publication number: 20150138985
Abstract: A method and system for managing data traffic on a cellular network. The method and system includes detecting that an internet service is experiencing excessive amounts of data traffic from a cellular network. Sending, to a cellular device on the cellular network, a modified IP address for the internet service, wherein the modified IP address points away from the internet service. The modified IP address is sent in response to detecting that the internet service is experiencing excessive amounts of traffic from a cellular network and detecting a DNS query from the cellular device for the internet service.
Type: Application
Filed: November 18, 2013
Publication date: May 21, 2015
Applicant: Arbor Networks, Inc.
Inventor: Bradley J. Higgins
-
Patent number: 8990938
Abstract: A system and method are provided to receive mirrored versions of transmissions sent by a node in response to initiating transmissions received by the node over a network. At least one mirrored response transmission sent from the node in response to at least one corresponding initiating transmission is analyzed to determine whether or not the corresponding at least one initiating transmission is malicious.
Type: Grant
Filed: May 16, 2013
Date of Patent: March 24, 2015
Assignee: Arbor Networks, Inc.
Inventors: Lawrence Bruce Huston, III, Aaron Campbell
-
Patent number: 8879415
Abstract: A scalable flow monitoring solution takes in standard flow records exported from network devices such as routers, switches, firewalls, hubs, etc., and annotates the flow with additional information. This information is derived from a number of sources, including Border Gateway Protocol (BGP), Simple Network Management Protocol (SNMP), user configuration, and other, intelligent flow analysis. These annotations add information to the flow data, and can be used to perform value-added flow analysis. The annotated flow is then resent to a configurable set of destinations using standard flow formatting, e.g., Cisco System Inc.'s NetFlow, in one implementation. This allows the annotated flow to be processed and the enhanced information to be used by other flow analysis tools and existing flow analysis infrastructure.
Type: Grant
Filed: March 1, 2013
Date of Patent: November 4, 2014
Assignee: Arbor Networks, Inc.
Inventors: Craig H. Labovitz, Joseph Eggleston, Scott Iekel-Johnson
-
Publication number: 20140325596
Abstract: A method and system for authenticating IP source addresses by accessing one or more HTTP requests whose source client identifies itself as a legitimate web crawler. One or more IP addresses are detected from the one or more HTTP requests and each detected IP address is authenticated via a probability estimation regarding its association with a legitimate web crawler. A lookup table is preferably compiled for the authenticated IP addresses for reference, publication and authentication purposes.
Type: Application
Filed: April 29, 2013
Publication date: October 30, 2014
Applicant: Arbor Networks, Inc.
Inventors: Jeffrey Edwards, Jose Oscar Nazario
-
Patent number: 8856913
Abstract: A system and methods for mitigation slow HTTP, SSL/HTTPS, SMTP, and/or SIP attacks. A protection system monitors each TCP connection between a client and a server. The protection system monitors the header request time and minimum transfer rate for each client and TCP connection. If the client has not completed the data transfer in the minimum time or the data are not transferred at the minimum transfer rate, the protection system determines the connections are potentially a slow attack and resets the connections for the protected devices.
Type: Grant
Filed: January 23, 2012
Date of Patent: October 7, 2014
Assignee: Arbor Networks, Inc.
Inventors: Kevin Russell Cline, Chester Kustarz, Christopher R. Hand, Lawrence Bruce Huston, III
-
Patent number: 8667047
Abstract: A system and method are provided for monitoring traffic in an enterprise network. Similar hosts may be grouped using flow information. Network policy may then be created at the group level based on the signatures of the hosts and groups of hosts in the enterprise. Hosts may be arranged in hierarchical clusters. Some of these clusters may be selected as groups based on a desired degree of similarity between hosts in a group. The similarity between hosts may be determined based on similarity of network behavior of the hosts.
Type: Grant
Filed: March 21, 2008
Date of Patent: March 4, 2014
Assignee: Arbor Networks
Inventors: Eric S. Jackson, Douglas J. Song, Lawrence Benjamin Fleis, Aidan Christopher Dysart, Gerald R. Malan
-
Patent number: 8661522
Abstract: A system and method to track external devices attempting to connect to a protected network using probabilistic filters. When a connection from a new external device attempts to access the protected network, the memory of a protection system, which is organized as a probabilistic filter, is searched to determine if the IP address already exists in the memory of protection system. If the search locates the IP address, the protection system terminates the connection to the external device. If the search is negative, then protection device begins the authentication process for the external device.
Type: Grant
Filed: July 28, 2011
Date of Patent: February 25, 2014
Assignee: Arbor Networks, Inc.
Inventors: Lawrence Bruce Huston, III, Matthew Richardson, Aaron Campbell
-
Patent number: 8549139
Abstract: A system and method is provided for detecting, tracking and/or blocking control signal attacks, which can occur between local computer systems and/or between remote computer systems, network links, and/or routing systems over a computer network. The system includes a router monitor adapted to receive a plurality of control signals and related information from the computer network and to process the plurality of control signals and related information to detect one or more control signal anomalies. The router monitor is further adapted to generate a plurality of alert signals representing the one or more control signal anomalies. The system further includes a controller that is coupled to the router monitor and is adapted to receive the plurality of alert signals from the router monitor.
Type: Grant
Filed: November 29, 2010
Date of Patent: October 1, 2013
Assignee: Arbor Networks
Inventors: Craig H. Labovitz, Scott Iekel-Johnson
-
Patent number: 8271678
Abstract: A server, using a deterministic function, a secret value and persistent information of a packet, destined for a client device, generates and includes a conversation identifier for inclusion with the packet. The client device in turn includes the conversation identifier in a subsequent packet sent by the client device destined for the server. An intermediate routing device having knowledge of the deterministic function and the secret value, upon receiving the packet en-route from the client device to the server, would independently determine whether the packet is a part of a conversation between the client and the server, by independently verifying the included conversation identifier, and forward or not forward the packet accordingly. As result, undesirable packets may be independently detected and filtered for the server.
Type: Grant
Filed: April 3, 2001
Date of Patent: September 18, 2012
Assignee: Arbor Networks, Inc.
Inventors: David J. Wetherall, Stefan R. Savage, Thomas E. Anderson
-
Publication number: 20120124087
Abstract: A system is provided that polls one or more caching nameservers and compares their results to a trusted or standard set of data. The set of data may be, for example, stored in a computer system or distributed among several computer systems. In one aspect, the system comprises a discrepancy detector that detects discrepancies between one or more copies of mapping information. Mapping information may be, for example, mapping stored on a Domain Name System (DNS).
Type: Application
Filed: August 11, 2011
Publication date: May 17, 2012
Applicant: Arbor Networks
Inventors: Gerald R. Malan, Robert Stone
-
Patent number: 8146160
Abstract: A method and system allows for the deployment of security policies into the higher layers of the OSI model. Specifically, it allows for the establishment of security policies at layer 4 and higher, by monitoring authentication flows and using these flows as the basis for establishing security policies which then can be used as a basis for assessing the operation of the network.
Type: Grant
Filed: July 8, 2004
Date of Patent: March 27, 2012
Assignee: Arbor Networks, Inc.
Inventors: Douglas B. Orr, Thomas Henry Ptacek, Douglas Joon Song
-
Patent number: 8103755
Abstract: An administration system is defined that provides an interface between a subscriber and resources on a provider network. The subscriber, via the administration system, has access to and control over certain of the resources on the provider network. The subscriber may have access to and control over only those resources on the provider network related to the services provided to his network. Also, the subscriber may not be capable of altering resources on the provider network in a way that affects the services provided to another subscriber. Because the administration system allows a user to control resources on the provider network that relate to services provided to his network, the amount of support required by the provider to administer those resources is reduced.
Type: Grant
Filed: July 2, 2002
Date of Patent: January 24, 2012
Assignee: Arbor Networks, Inc.
Inventors: Gerald R. Malan, Robert Stone, David Langhorst
-
Publication number: 20110296005
Abstract: A system and method is provided for detecting, tracking and/or blocking control signal attacks, which can occur between local computer systems and/or between remote computer systems, network links, and/or routing systems over a computer network. The system includes a router monitor adapted to receive a plurality of control signals and related information from the computer network and to process the plurality of control signals and related information to detect one or more control signal anomalies. The router monitor is further adapted to generate a plurality of alert signals representing the one or more control signal anomalies. The system further includes a controller that is coupled to the router monitor and is adapted to receive the plurality of alert signals from the router monitor.
Type: Application
Filed: November 29, 2010
Publication date: December 1, 2011
Applicant: Arbor Networks
Inventors: Craig H. Labovitz, Scott Iekel-Johnson
-
Patent number: 8001271
Abstract: A system is provided that polls one or more caching nameservers and compares their results to a trusted or standard set of data. The set of data may be, for example, stored in a computer system or distributed among several computer systems. In one aspect, the system comprises a discrepancy detector that detects discrepancies between one or more copies of mapping information. Mapping information may be, for example, mapping stored on a Domain Name System (DNS).
Type: Grant
Filed: October 20, 2003
Date of Patent: August 16, 2011
Assignee: Arbor Networks, Inc.
Inventors: Gerald R. Malan, Robert Stone
-
Patent number: 7970886
Abstract: The present invention provides for a novel approach to protecting a system owner's system(s) from being exploited and providing involuntary assistance to a DOS attack. The present invention provides the protection by detecting and preventing undesirable or inappropriate network traffic from being sourced from a network domain. More specifically, a monitor/regulator is provided to monitor network traffic leaving a network domain. The monitor/regulator determines if undesirable/inappropriate network traffics are leaving the network domain based on the observed characteristics of the outbound and inbound network traffics. If it is determined that undesirable/inappropriate network traffics are leaving the network domain, the monitors/regulator, in one embodiment, at least warns system owners of the detection.
Type: Grant
Filed: November 2, 2000
Date of Patent: June 28, 2011
Assignee: Arbor Networks, Inc.
Inventors: David J. Wetherall, Stefan R. Savage, Thomas E. Anderson