Abstract: Some embodiments of reassembly-free deep packet inspection (DPD on multicore hardware have been presented. In one embodiment, a set of packets of one or more files is received at a networked device from one or more connections. Each packet is scanned using one of a set of processing cores in the networked device without buffering the one or more files in the networked device. Furthermore, the set of processing cores may scan the packets substantially concurrently.

Abstract: The present invention provides systems and methods for unified bandwidth management for network traffic. In particular, two or more network devices may be grouped into a single set, and bandwidth management is performed on the single set. The grouping of network devices into a single set facilitates dynamic adjustment of bandwidth management based on real-time variations in network traffic that may arise during standard operations of the network.

Abstract: The present disclosure relates to an apparatus, a method, and a non-transitory computer readable storage medium for managing bandwidth in a computer network. The method may identify that a first received packet belongs to a first traffic class and a second received packet belongs to a second traffic class where the first traffic class is associated with a higher priority than the second traffic class. The method may also identify that the first and the second traffic classes compete for shared bandwidth at the computer network. The method may monitor a number of bytes received that are associated with the first traffic class and second traffic class and perform a series of calculations used to adjust a window size according to the relative priorities of the first and the second traffic class.

Abstract: A character class is detected in a regular expression and substituted with a pseudo character. A table is created with a bit vector for each pseudo character inserted into the regular expression. Each bit in the bit-vector represents one character of the alphabet from which the expression is generated. The status of the bits in a bit-vector indicates which characters of the alphabet are included in the character class. The pseudo character in the modified regular expression is used to construct a non-deterministic finite automaton (NFA). The NFA with the pseudo character is then used to construct a deterministic finite automaton (DFA). When constructing the DFA, the bit-vectors are used to determine if a certain transition should be constructed in the DFA.

Abstract: Systems and methods for edge protection for internal identity providers are provided. A first claimed embodiment of the present disclosure involves a method for edge protection for internal identity providers. The method includes receiving a service authentication request at a virtual private networking (VPN) appliance on an edge of a secure network. A client device external to the secure network can send the service authentication request. The VPN appliance can then send a synthetic service authentication request to an identity provider in the secure network. This synthetic service authentication request can be based on the service authentication request. The VPN can then receive an authenticated credential from the identity provider. The authenticated credential is responsive to the synthetic service authentication request. The VPN appliance can then send the authenticated credential from the VPN appliance to the client device.

Abstract: A firewall system determines whether a protocol used by an incoming data packet is a standard protocol compliant with Request For Comment (RFC) standards. In the event the protocol is RFC compliant, the firewall transmits the packet to the recipient according to firewall policies regarding the standard protocol. If the protocol is not that of an RFC standard, the firewall determines whether the protocol matches an RFC-exception protocol in a RFC-exception protocol database. If the protocol does match an RFC-exception, the firewall may transmit the packet to the recipient according to firewall policies regarding the RFC-exception protocol. If it does not match an RFC-exception, the firewall may transmit the packet or protocol to a support system where it may be quarantined until it is approved based on a decision that the protocol is safe and/or widely adopted.

Abstract: The present disclosure identifies topologies of a computer network where one network appliance may be configured as a master network appliance and where that master network appliance may communicate over a network communication interface with one or more slave network appliances. Computer networks of the present disclosure may include a switch and a firewall where the switch may be coupled to several network appliances via different network communication interfaces.

Abstract: A fingerprint of an image identified within a received message is generated following analysis of the message. A spam detection engine identifies an image within a message and converts the image into a grey scale image. The spam detection engine analyzes the grey scale image and assigns a score. A fingerprint of the grey scale image is generated based on the score. The fingerprint may also be based on other factors such as the message sender's status (e.g. blacklisted or whitelisted) and other scores and reports generated by the spam detection engine. The fingerprint is then used to filter future incoming messages.

Abstract: The present invention relates to a system, method, and non-transitory storage medium executable by one or more processors at a multi-processor system that improves load monitoring and processor-core assignments as compared to conventional approaches. A method consistent with the present invention includes a first data packet being received at a multi-processor system. After the first packet is received it may be sent to a first processor where the first processor identifies a first processing task associated with the first data packet. The first data packet may then be forwarded to a second processor that is optimized for processing the first processing task of the first data packet. The second processor may then process the first processing task of the first data packet. Program code associated with the first processing task may be stored in a level one (L1) cache at the first processor.

Abstract: Handling a message comprises: classifying an incoming message for a recipient, storing the classified message and providing a notification to the recipient, wherein the notification includes summary information about the classified message and an interface that allows the recipient to operate on the classified message.

Abstract: A firewall may identify a uniform resource locator (URL) being transmitted to a user device, the URL link pointing to a host system. The firewall can then modify the URL link to point instead to a sandbox system. Once a user at the user device selects the URL link (e.g., by clicking or touching it in a browser), the firewall receives the user device's HTTP request and directs it to the sandbox system, which generates a new HTTP request that is then sent through the firewall to the host system. The host system then sends host content to the sandbox system instead of to the user device. The user device may then be presented with a representation of the host content as rendered at the sandbox system (e.g., through a remote desktop interface).

Abstract: Innovative technologies for reducing network request response times over a server-signed connection are disclosed. The technologies may involve dynamically computing synchronized compression dictionaries using server responses to speculative or “read-ahead” client requests. The technologies operate even when the client is unable to accept the server responses due to server-signing constraints. A server proxy may receive a read-ahead request originating from a client proxy. After receiving a response to the read-ahead request from a server, the server proxy may populate a compression dictionary and forward the read-ahead request to the client proxy. The client proxy may populate its own synchronized compression dictionary using the forwarded read-ahead response. The server proxy and client proxy may use the compression dictionaries to respectively compress and decompress a response to an actual client request that matches or is highly similar to the earlier response to the read-ahead request.

Abstract: A client computer hosts a virtual private network tool to establish a virtual private network connection with a remote network. Upon startup, the virtual private network tool collects critical network information for the client computer, and sends this critical network information to an address assignment server in the remote network. The address assignment server compares the critical network information with a pool of available addresses in the remote network, and assigns addresses for use by the client computer that do not conflict with the addresses for local resources. The address assignment server also provides routing information for resources in the remote network to the virtual private network tool. The virtual private network tool will postpone loading this routing information into the routing tables of the client computer until the client computer requests access to a specific resource in the remote network.

Abstract: According to embodiments of the invention, a first wireless access point discovers a second wireless access point, the first wireless access point tunes its radio and privacy settings, without user input, based upon parameters automatically exchanged in response to the discovery of the second wireless access point, and a secure direct wireless connection is established between the first and second wireless access points using the radio and privacy settings. Adding the first wireless to an existing mesh network includes a determination of the best available direct wireless connection.

Abstract: The present invention relates to a method and system for performing deep packet inspection of messages transmitted through a network switch in a Software Defined Network (SDN). Embodiments of the invention include a network switch, a controller, and a firewall in a software defined networking environment. In the present invention, the network switch is a simple network switch that is physically separate from the controller and the firewall. The invention may include a plurality of physically distinct network switches communicating with one or more controllers and firewalls. In certain instances, communications between the network switch, the controller, and the firewall are performed using the Open Flow standard communication protocol.

Abstract: Methods are directed towards initializing a path maximum transmission unit value for two gateways in communication via a network tunnel (e.g., VPN environment). The initialized path maximum transmission unit value is used in establishing the network tunnel of the two gateways. Methods are also directed towards synchronizing path maximum transmission unit values for the two gateways after the network tunnel has been established. These methods minimize the occurrence of dropped data packets arising from mismatched path maximum transmission unit value between the gateways.

Abstract: A secure connection between a user mobile device and a “Internet-of-Things” network-connected device (e.g., a home appliance or a vehicle) may be provided using an internet gateway residing in the public internet and a local gateway residing in a private network behind a firewall. The user device may receive an input through a software application and may generate an electronic instruction based on the input. The user device may then encrypt the electronic instruction and send the encrypted electronic instruction to the internet gateway over a secure connection (e.g., SSH, TLS). The internet gateway then sends the encrypted electronic instruction to the local gateway, which decrypts the encrypted electronic instruction, interprets it, and generates and transmits a device instruction to communicate with the network-connected device, either directly or through an intermediary device such as a third-party bridge or hub. Only the user device and local gateway have encryption/decryption keys.

Abstract: A secure VPN connection is provided based on user identify and a hardware identifier. A client application may initiate the VPN connection. A client device user may provide identification information to the application, which then sends a VPN connection request to a remote VPN gateway. The VPN gateway may require an equipment identifier to establish the secure VPN gateway. If the hardware ID is registered, the secure VPN connection is established. If the hardware ID is not registered with the VPN gateway, the connection may be denied. In some instances, a connection may be established with an unregistered equipment ID based on settings at the VPN gateway.

Abstract: A global response network collects, analyzes, and distributes “cross-vector” threat-related information between security systems to allow for an intelligent, collaborative, and comprehensive real-time response.

Abstract: Detecting infectious messages comprises performing an individual characteristic analysis of a message to determine whether the message is suspicious, determining whether a similar message has been noted previously in the event that the message is determined to be suspicious, classifying the message according to its individual characteristics and its similarity to the noted message in the event that a similar message has been noted previously.