Patents Assigned to Trend Micro Incorporated
  • Publication number: 20170070518
    Abstract: Various apparatuses and methods are usable to identify an Advanced Persistent Threat (APT). Various network packets may be subjected to a suitable behavioral analysis to identify such APTs. Upon identifying an APT, a response is initiated which may include sending attack messages to various devices in the network.
    Type: Application
    Filed: November 18, 2016
    Publication date: March 9, 2017
    Applicant: Trend Micro Incorporated
    Inventors: Pratyusa K. MANADHATA, William G. HORNE
  • Publication number: 20170048149
    Abstract: A load distribution for data units received by a particular packet inspection device that is part of a collection of packet inspection devices is determined, where the packet inspection devices in the collection are to examine content of corresponding received data units. For corresponding data units received by the particular packet inspection device, the determined load distribution favors keeping the corresponding data units at the particular packet inspection device. Based on metric information regarding utilization of at least the particular packet inspection device, the load distribution is dynamically modified.
    Type: Application
    Filed: October 31, 2016
    Publication date: February 16, 2017
    Applicant: Trend Micro Incorporated
    Inventors: James M. ROLETTE, Damon E. FLEURY
  • Publication number: 20170034207
    Abstract: According to an example, configurable network security may include receiving data flows directed to end node modules of a server, and selecting data flows from the received data flows based on an analysis of attributes of the received data flows. The selected data flows may be less than the received data flows. A number of IPS data plane modules of the server that are available for inspection of the selected data flows may be determined. The selected data flows may be distributed between the IPS data plane modules based on the determined number of the IPS data plane modules. The distributed data flows may be inspected using the IPS data plane modules to identify malicious and benign data flows, and to determine whether to drop the malicious data flows, direct the malicious data flows to a predetermined destination, or forward the benign data flows to the end node modules.
    Type: Application
    Filed: October 13, 2016
    Publication date: February 2, 2017
    Applicant: Trend Micro Incorporated
    Inventors: Stephen G. LOW, James ROLETTE, Matthew LASWELL
  • Publication number: 20170024464
    Abstract: A method and a system for efficient search of string patterns characterized by positional relationships in a character stream are disclosed. The method is based on grouping string patterns of a dictionary into at least two string sets and performing string search processes of a text of the character stream based on individual string sets with the outcome of a search process influencing a subsequent search process. A system implementing the method comprises a dictionary processor for generating string sets with corresponding text actions and search actions, a conditional search engine for locating string patterns belonging to at least one string set in a text according to a current search state, a text operator for producing an output text according to search results, and a search operator for determining a subsequent search state.
    Type: Application
    Filed: October 3, 2016
    Publication date: January 26, 2017
    Applicant: TREND MICRO INCORPORATED
    Inventor: Kevin Gerard BOYCE
  • Patent number: 9544273
    Abstract: A system for processing network traffic includes a hardware-accelerated inspection unit to process network traffic in hardware-accelerated inspection mode, and a software inspection unit to process the network traffic in software inspection mode. The software inspection unit processes a connection in the software inspection mode at least for a consecutive predetermined number of bytes of the connection. The connection may be transitioned to the hardware-accelerated inspection mode if the connection is determined to be clean.
    Type: Grant
    Filed: July 31, 2012
    Date of Patent: January 10, 2017
    Assignee: Trend Micro Incorporated
    Inventors: Damon E. Fleury, James M. Rolette
  • Patent number: 9544328
    Abstract: Mitigation for combating malicious codes is delivered to particular endpoint computers. A first malicious code pattern is received in a first computer over a computer network. The first computer is scanned using the first malicious code pattern, with the result of the scanning forwarded to a second computer. The first computer is identified as having a file scanned using the first malicious code pattern. In response, the first computer is provided a second malicious code pattern. The first computer is scanned for malicious codes using the second malicious code pattern.
    Type: Grant
    Filed: March 24, 2016
    Date of Patent: January 10, 2017
    Assignee: Trend Micro Incorporated
    Inventors: Peter Shaohong Wei, Viswa Soubramanien, Wei Yan
  • Publication number: 20160373433
    Abstract: Example embodiments disclosed herein relate to providing network security. A network security device parses an initial handshake or communication to establish an encrypted channel between two endpoints. The network security device validates a certificate chain between the two endpoints and determines a reputation for each of one or more signers of a respective one or more certificates of the certificate chain. The network security device determines a certificate reputation for the certificate chain.
    Type: Application
    Filed: September 2, 2016
    Publication date: December 22, 2016
    Applicant: Trend Micro Incorporated
    Inventors: Scott RIVERS, Matthew LASWELL
  • Patent number: 9515934
    Abstract: A load distribution for data units received by a particular packet inspection device that is part of a collection of packet inspection devices is determined, where the packet inspection devices in the collection are to examine content of corresponding received data units. For corresponding data units received by the particular packet inspection device, the determined load distribution favors keeping the corresponding data units at the particular packet inspection device. Based on metric information regarding utilization of at least the particular packet inspection device, the load distribution is dynamically modified.
    Type: Grant
    Filed: September 14, 2012
    Date of Patent: December 6, 2016
    Assignee: Trend Micro Incorporated
    Inventors: James M. Rolette, Damon E. Fleury
  • Patent number: 9516055
    Abstract: A computer system receives a file and instruments an original code of the file in memory. The resulting instrumented code allows for collection of runtime information of the original code. An unpacking routine that includes one or more instructions that execute several times, modify memory locations, and execute instructions in the modified memory locations is identified. The unpacking routine is deemed a malware signature and incorporated into a malware pattern. An unpacking behavior diagram can also be generated from the runtime information.
    Type: Grant
    Filed: May 29, 2015
    Date of Patent: December 6, 2016
    Assignee: Trend Micro Incorporated
    Inventor: Chung Chang Liu
  • Patent number: 9507617
    Abstract: Communication between software components in different virtual machines may be made through a hypervisor between pseudo-devices that have no corresponding physical device. A software component in a virtual machine transfers data to a pseudo-device in the virtual machine. The pseudo-device is connected to another pseudo-device in another virtual machine, and the connection is through the hypervisor. The data from the software component is transferred from the pseudo-device to the other pseudo-device over the connection through the hypervisor. The other pseudo-device in the other virtual machine receives the data and provides the data to another software component in the other virtual machine.
    Type: Grant
    Filed: December 2, 2013
    Date of Patent: November 29, 2016
    Assignee: Trend Micro Incorporated
    Inventors: Hsiao-Peng Wang, Wen-Chien Weng, Ching-Yi Li
  • Patent number: 9479524
    Abstract: Examples relate to determining string similarity using syntactic edit distance. In one example, a computing device may: receive domain name system (DNS) packets that were sent by a client device, each DNS packet specifying a domain name; generate, for each domain name, a syntax string by replacing each character of the domain name with one of a plurality of metacharacters, each metacharacter representing a category of characters that is different from each other category of characters represented by each other metacharacter; determine, for each domain name, a syntactic edit distance between the domain name and each other domain name, the syntactic edit distance between domain names being determined based on syntax strings of the corresponding domain names; cluster each domain name into one of a plurality of clusters based on the syntactic edit distances; and identify the client device as a potential source of malicious software based on the clusters.
    Type: Grant
    Filed: April 6, 2015
    Date of Patent: October 25, 2016
    Assignee: Trend Micro Incorporated
    Inventor: Josiah Hagen
  • Patent number: 9477822
    Abstract: A password for accessing an online service is secured by receiving keystroke information of the password at a kernel level. The password is encrypted prior to inputting the encrypted password to an application program at an application level. The encrypted password is transmitted from the kernel level to the application level over an out-of-band-channel. The encrypted password is forwarded to a server computer associated with the online service. The server computer decrypts the encrypted password back to the password to determine if the client computer is authorized to access the online service.
    Type: Grant
    Filed: November 3, 2010
    Date of Patent: October 25, 2016
    Assignee: Trend Micro Incorporated
    Inventors: En-Yi Liao, Juichang Hsu
  • Publication number: 20160306653
    Abstract: According to an example, configurable workload optimization may include selecting a performance optimized application workload from available performance optimized application workloads. A predetermined combination of removable workload optimized modules may be selected to implement the selected performance optimized application workload. Different combinations of the removable workload optimized modules may be usable to implement different ones of the available performance optimized application workloads. The predetermined combination of the removable workload optimized modules may be managed to implement the selected performance optimized application workload. Data flows directed to the predetermined combination of the removable workload optimized modules may be received.
    Type: Application
    Filed: June 29, 2016
    Publication date: October 20, 2016
    Applicant: Trend Micro Incorporated
    Inventors: Stephen G. LOW, James ROLETTE, Edward A. WARTHA, Matthew LASWELL
  • Publication number: 20160308832
    Abstract: According to an example, security and access control may include receiving traffic that is related to an application tier of a plurality of application tiers, and that is to be routed to another application tier or within the application tier. The attributes of the traffic related to the application tier may be analyzed, and based on the analysis, an application related to the traffic and a type of the traffic may be determined. The type of the traffic may be compared to a policy related to the application to determine whether the traffic is valid traffic or invalid traffic. Based on a determination that the traffic is valid traffic, the valid traffic may be forwarded to an intended destination. Further, based on a determination that the traffic is invalid traffic, the invalid traffic may be forwarded to a predetermined destination or blocked.
    Type: Application
    Filed: June 28, 2016
    Publication date: October 20, 2016
    Applicant: Trend Micro Incorporated
    Inventors: Matthew LASWELL, Wei LU
  • Patent number: 9459976
    Abstract: A computer system includes a system healing module for facilitating repair of a malfunctioning computer. The system healing module may be a set-top box for cable television or a publicly accessible kiosk, for example. The system healing module collects diagnostic data from a malfunctioning computer and provides the diagnostic data to a system healing harvester. The system healing harvester provides the diagnostic data to a system healing master that analyzes the diagnostic data to determine a support server that is responsible for fixing a problem indicated in the diagnostic data. Based on the diagnostic data, the support server generates remediation data, which is received in the system healing module by way of the system healing master and the system healing harvester. The system healing module uses the remediation data to fix the malfunctioning computer.
    Type: Grant
    Filed: December 16, 2010
    Date of Patent: October 4, 2016
    Assignee: Trend Micro Incorporated
    Inventor: Chih-Yao Sun
  • Patent number: 9460196
    Abstract: A method and a system for efficient search of string patterns characterized by positional relationships in a character stream are disclosed. The method is based on grouping string patterns of a dictionary into at least two string sets and performing string search processes of a text of the character stream based on individual string sets with the outcome of a search process influencing a subsequent search process. A system implementing the method comprises a dictionary processor for generating string sets with corresponding text actions and search actions, a conditional search engine for locating string patterns belonging to at least one string set in a text according to a current search state, a text operator for producing an output text according to search results, and a search operator for determining a subsequent search state.
    Type: Grant
    Filed: September 1, 2014
    Date of Patent: October 4, 2016
    Assignee: Trend Micro Incorporated
    Inventor: Kevin Gerard Boyce
  • Patent number: 9460289
    Abstract: Securing a virtual environment includes: in a host device, intercepting a packet addressed to a virtual machine implemented by the host device; redirecting the packet to a security device external to the host device through an egress tunnel; and delivering the packet to the virtual machine if the host device receives an indication from the security device that the packet is approved.
    Type: Grant
    Filed: February 18, 2011
    Date of Patent: October 4, 2016
    Assignee: Trend Micro Incorporated
    Inventors: James Rolette, Edward Ross, Damon Fleury
  • Publication number: 20160269430
    Abstract: Example embodiments disclosed herein relate to performing a security action (e.g., filtering) based on reputation and a signature match. A reputation is determined of a device associated with a network packet or network packet stream. It is determined whether a signature matches the network packet or an associated flow of the network packet. The security action is determined based on the reputation and the match.
    Type: Application
    Filed: May 25, 2016
    Publication date: September 15, 2016
    Applicant: Trend Micro Incorporated
    Inventors: Matthew LASWELL, James ROLETTE
  • Publication number: 20160269362
    Abstract: Example embodiments disclosed herein relate to a network security system. The network security system intercepts inline DNS requests. It is determined whether a domain name associated with one of the inline DNS requests corresponds with one or more domain names. A security action is performed based on the determination.
    Type: Application
    Filed: May 25, 2016
    Publication date: September 15, 2016
    Applicant: Trend Micro Incorporated
    Inventors: James ROLETTE, Wei LU, Jonathan E. ANDERSSON
  • Patent number: 9444912
    Abstract: A virtual mobile infrastructure for mobile devices includes mobile client devices and a server computer running remote mobile operating systems. The remote mobile operating systems share the same kernel, and are each implemented on a container. A mobile client device running a mobile operating system, which may be the same as or different from the remote mobile operating systems, may access one of the many remote mobile operating systems on the server computer.
    Type: Grant
    Filed: May 21, 2013
    Date of Patent: September 13, 2016
    Assignee: Trend Micro Incorporated
    Inventors: Gen Chen, Yaozhou Xu, Kan Dong, Zhengyu Li