Abstract: A network component has a set of one or more rules, each of which has a match component and an action component. If an incoming packet maps to the match component of a rule, then the packet is handled according to the rule's action component. If the rule also includes a limit component, then if the packet maps to the rule's match component, a family history of the rule is updated, and the packet is handled according to the rule's action component only if the rule's family history satisfies the rule's limit component.

Abstract: Data access optimization features the innovative use of a writer-present flag when acquiring read-locks and write-locks. Setting a writer-present flag indicates that a writer desires to modify a particular data. This serves as an indicator to readers and writers waiting to acquire read-locks or write-locks not to acquire a lock, but rather to continue waiting (i.e., spinning) until the write-present flag is cleared. As opposed to conventional techniques in which readers and writers are not locked out until the writer acquires the write-lock, the writer-present flag locks out other readers and writers once a writer begins waiting for a write-lock (that is, sets a writer-present flag). This feature allows a write-lock method to acquire a write-lock without having to contend with waiting readers and writers trying to obtain read-locks and write-locks, such as when using conventional spinlock implementations.

Abstract: To defend a computer against malware, first executable code, of the computer, that includes a signature that identifies an address, in the computer's memory, of a respective data structure that is potentially vulnerable to tampering, is identified. The first executable code is copied to provide second executable code that emulates the first executable code using its own respective data structure. The first executable code is modified to jump to the second executable code before accessing the data structure, and also so that the signature identifies the address of a guard page.

Abstract: A network device which communicates with peers using Border Gateway Protocol (BGP) advertises to one or more peers a first Multi-Exit Discriminator (MED) when all sessions are in ‘established’ state, and a second MED when one or more sessions are in a non-‘established’ state. The second MED is higher than the first MED and higher than the MED advertised by the backup network device, causing peers to prefer the backup device. If the device is also configured for Virtual Router Redundancy Protocol (VRRP), when the device advertises the first MED, virtual routers are transitioned to ‘master’ state, and when the device advertises the second MED, virtual routers are transitioned to ‘backup’ state.

Abstract: A computerized method performed in a computer operatively connected to storage. Parsing rules are determined for parsing logs output as text and/or symbols from multiple devices in a computer network. The logs are stored in the storage. Multiple log samples are sampled from the logs. The log samples are input into an application running on the computer. The log samples are each sectioned into multiple sections which include variable information separated by static structural text. Each of the log samples is processed by: comparing the sections to a list of regular expressions. The list is maintained in the storage, and upon matching a matched section of the sections to a matched regular expression from the list of the regular expressions, the matched section is tagged with a tag associated with the matched regular expression. The tag associated to the matched regular expression is stored and combined with any unmatched sections and with the static structural text to create a log pattern.

Abstract: Three heuristic layers are used to determine whether suspicious code received at a port of a data processing device is malware. First, static analysis is applied to the suspicious code. If the suspicious code passes the static analysis, dissembling analysis is applied to the suspicious code. Preferably, if the suspicious code passes the dissembling analysis, dynamic analysis is applied to the suspicious code.

Abstract: A computer-readable storage medium has embedded thereon non-transient computer-readable code for controlling access to a protected computer network, by intercepting packets that are being exchanged between a computer system and the protected network, and then, for each intercepted packet, identifying the associated application that is running on the computer system, determining whether the application is trusted, for example according to a white list or according to a black list, and disposing of the packet accordingly.

Abstract: A plurality of untrusted digital files are run simultaneously in fewer sandboxes than there are files, while monitoring for malicious activity. Preferably, only one sandbox is used. If the monitoring detects malicious activity, either the files are run again in individual sandboxes, or the files are divided among subsets whose files are run simultaneously in one or more sandboxes, while monitoring for malicious activity.

Abstract: A system and method for protecting data communications in a system including a load-balancer connected to a cluster of security network components, e.g. firewall node. The load-balancer transfers one or more of the data streams respectively to the security components. The security network components transmit control information to the load-balancer and the control information includes an instruction regarding balancing load of the data streams between said security network components; The load-balancer balances load based on the control information. Preferably, network address translation is performed by the load-balancer based on the control information or network address translation is performed by the security network component and the control information includes information regarding an expected connection based on the network address translation.

Abstract: Disclosed are methods, media, and vault servers for providing a secure messaging system using vault servers in conjunction with client-side restricted-execution vault-mail environments. Methods include the steps of upon activating a vault-mail message containing sensitive content, removing the content from the vault-mail message; placing the content on a vault server; creating a link in the vault-mail message to the content on the vault server; sending the vault-mail message to a designated recipient; and upon activating the link, allowing the content to be only viewed in a restricted-execution session of a client application, wherein the restricted-execution session does not allow the content to be altered, copied, stored, printed, forwarded, or otherwise executed. Preferably, the activation of the vault-mail message is performed by a network-security gateway, and can be performed on a per-message basis.

Abstract: A system for optimized paged item loading in Exchange Web Services (EWS) improves response time of user queries to EWS. In contrast to conventional implementations that search an entire folder first, and then present results to user, this invention features not searching the entire folder, but searching only portions of the folder and then only searching portions until a desired number of results is obtained. Folders are sampled in an interval of N items and then using an abstract paging mechanism, thus defining a new restricted page with a limited item count of N. The sampling is performed in a first operation, for example, by using FindItem. In a second operation, FindItem is again used with a requested restriction, which is limited to the restricted page according to the samples. Searches may be limited by the amount of items to return or results (result set) desired.

Abstract: A server and/or a gateway of a computer network receive a filter for filtering data items to be sent to a mobile device of a cellular network. The mobile device is notified of receipt of data items by the server only if such notification is allowed by the filter. In one embodiment, the server maintains a first queue of data items for which notification is allowed and a second queue of data items for which notification is not allowed, and the gateway periodically inspects the first queue and notifies the mobile device of receipt of new data items.

Abstract: To validate data, a plurality of strings that match a predetermined regular expression is extracted from the data. A validated subset of the strings is identified. To determine whether the validated subset has been falsely validated, it is determined whether the validated subset satisfies each of one or more predetermined criteria relative to the plurality of strings. In one embodiment, the subset is determined to be falsely validated if at least one of the criteria is satisfied. In another embodiment, the subset is determined to be falsely validated if all of the criteria are satisfied. The data are released only if the subset is determined to be falsely validated.

Abstract: Methods, devices, and media for intelligent NIC bonding and load-balancing including the steps of: providing a packet at an incoming-packet port of a gateway; attaching an incoming-port identification, associated with the incoming-packet port, to the packet; routing the packet to a processing core; passing the packet through a gateway processing; sending the packet, by the core, to the operating system of a host system; and routing the packet to an outgoing-packet port of the gateway based on the incoming-port identification. Preferably, the gateway processing includes security processing of the packets. Preferably, the step of routing the packet to the outgoing-packet port is based solely on the incoming-port identification. Preferably, an outgoing-port identification, associated with the outgoing-packet port, has an identical bond-index to the incoming-port identification.

Abstract: A method and system is provided for a scalable clustered system. The method and system may handle asynchronous traffic as well as session backup. In the method and system, a home cluster member having ownership of a local session predicts designation of a an other cluster member to receive a packet associated with the local session and sends appropriate state information or forwarding instruction to the other network member.

Abstract: A network component has a set of one or more rules, each of which has a match component and an action component. If an incoming packet maps to the match component of a rule, then the packet is handled according to the rule's action component. If the rule also includes a limit component, then if the packet maps to the rule's match component, a family history of the rule is updated, and the packet is handled according to the rule's action component only if the rule's family history satisfies the rule's limit component.

Abstract: Disclosed are methods and media for inspecting security certificates. Methods include the steps of: scanning, by a network security device, messages of a security protocol between a server and a client system; detecting the messages having a security certificate; detecting suspicious security certificates from the messages; and aborting particular sessions of the security protocol associated with the suspicious certificates. Preferably, the step of scanning is performed only on messages of server certificate records. Preferably, the method further includes the step of sending an invalid-certificate notice to the server and the client system. Preferably, the step of detecting the suspicious certificates includes detecting a use of an incorrectly-generated private key for the certificates. Preferably, the step of detecting the suspicious certificates includes detecting an unavailability of revocation information for the certificates.

Abstract: To administer computer network security, a computer system receives a bit string that encodes a natural-language request for adjusting a security policy of the network and parses the bit string to identify one or more objects and an action to be applied to the object(s). Preferably, the system displays a description of one of the objects and a menu of operations that are applicable to the object, receives a user selection of one of the options, and effects the selected operation. The scope of the invention also includes a non-transient computer-readable storage medium bearing code for implementing the method and a system for implementing the method.

Abstract: A security gateway of a computer network receives incoming packets at one or more network interfaces. One or more security functions are applied to the packets. Reports of security function violations are recorded. The reports include the source addresses of the packets, the times that the packets were received, and descriptions of the violations. The descriptions include weights, and if the sum of the weights, for packets of a common source address that are received within a first time interval, exceeds a threshold, subsequent packets from that source address are dropped. Alternatively, in a “monitor only” mode, the common source address is logged but packets are not dropped. Optionally, encrypted packets and/or packets received at some network interfaces but not at other network interfaces are not dropped.

Abstract: A plurality of untrusted digital files are run simultaneously in fewer sandboxes than there are files, while monitoring for malicious activity. Preferably, only one sandbox is used. If the monitoring detects malicious activity, either the files are run again in individual sandboxes, or the files are divided among subsets whose files are run simultaneously in one or more sandboxes, while monitoring for malicious activity.