Abstract: A cloud based service use may be logged into the service through multiple client devices simultaneously. Methods, systems, and computer program products base upon cryptographic challenge response are provide to efficiently and securely simultaneously effect a logout from the cloud based service at one or many logged-in client devices associated with the user. When a valid logout request is received by the cloud based service, a current key associated with the user is invalidated, and in some instances, replaced with a new key. Upon subsequent attempt to use the cloud based service by the user, one or more tokens residing on any previously logged-in client device associated the user will not allow cloud based service usage until the user validly logs into the cloud-based service and receives one or more new tokens based upon the new key at each client device.

Abstract: Systems, methods and apparatus for a distributed security system that detects proxied resource requests. The system can search data communications, such as HTTP requests and responses, for proxy strings that are indicative of a string pattern associated with corresponding proxy software. Security operations can be initiated for each data communication that includes a proxy string. The security operations can block the data communication, modify the data communication, and/or generate security notifications for system administrators.

Abstract: Systems, methods and apparatus for a distributed security that provides authentication and authorization management. The system can include a state manager that is used to identify and maintain the source associated with a client browser that submits requests to the state manager. The state manager can allow requests that are authorized and request authorization for requests that are not. The state manager can maintain the states associated with each domain to reduce the number of transaction needed to authenticate and/or authorize subsequent requests to the same domain or to different domains.

Abstract: A computer implemented method, a cloud system, and a log system provide interactive analytics providing various intuitive mechanisms for interaction with data visualizations of Internet traffic, email, etc. The methods and systems utilize a cloud based monitoring system where all traffic from an organization may be monitored in a location and platform independent manner. The methods and systems include context-aware drilldown with progressively applied filtering and grouping while maintaining workflow history such that a user can go back to any point in the flow and proceed down a new path of investigation.

Abstract: Systems, methods and apparatus for a content item inspection. A plurality of portions of a content item are received in a buffer, the buffer divided into a plurality of segments. A partial signature of the content item is computed using the received portions of the content item in a most recently received segment and a partial signature computed for a preceding segment. The computed partial signature is compared against a plurality of partial signatures associated with trustworthy content items. If a matching partial signature associated with a trustworthy content item is found for the computed partial signature, the most recently received segment is allowed to be transmitted to a device that requested the content item.

Abstract: A system includes an enterprise network including an internal management system communicatively coupled thereon, the enterprise network includes security and the internal management system is disposed behind the security; a cloud system external to the enterprise network and communicatively coupled to the enterprise network, at least one user associated with the enterprise network is configured to communicate through the cloud system for cloud-based services, and the cloud system is configured to log data associated with the at least one user for the cloud-based services; and an external service bridge located in the enterprise network behind the security, the external service bridge is configured to securely communicate with the cloud system to receive the log data and to communicate with the internal management system to provide the log data thereto.

Abstract: Guard tables including absence information are used in a security system to limit the processing of negative queries. A key corresponding to a request to access a network resource is hashed and the output of the hash is a bit position in a guard table. The bit value at the bit position in the guard table is checked to determine if the information to which the key corresponds is absent from a datastore. Further processing of the request can be based on the indicated presence or absence information.

Abstract: The present disclosure provides systems and methods for detecting email spam and variants thereof. The systems and methods are configured to detect spam messages and variations thereof for different senders and with slight differences within the message body. In an exemplary embodiment, an incoming message body (m) is converted to a sequence of successive word lengths (Sm): m->Sm, a comparison is performed between the sequence, Sm, and a plurality of stored sequences (Sk) of known spam messages, and the incoming message is flagged as spam based on the comparison. Further, the plurality of stored sequences, Sk, may be continually updated based on user feedback and other spam detection techniques. The systems and methods of the present invention may be implemented through a computer, such as a mail server, through a cloud-based security system, through a user's computer via a software agent, and the like.

Abstract: Systems, methods and apparatus for a distributed security system that provides security processing for security customers external to network edges of external systems. Each security customer is associated with one or more external systems. The security system can monitor data communications originating from or destined to the external systems and generate security-related information based on the monitored communications. For each security customer, the system can aggregate the system information from each external system associated with that customer, regardless of the geographical location of the system.

Abstract: A system and method for determining the risk posed by a web user. The web user can be an individual, a department, a location, or an organization. The method includes the steps of capturing user generated web actions, and classifying the web actions under zero or more risk criteria. The risk criteria include one or more risk calculating and weighting factors. The method further includes the steps of calculating risk scores for the classified risk criteria, combining the calculated risk scores to obtain a total risk score, assigning a qualitative value to the total risk score, and reporting the total risk score. The reported total risk score can be used to enforce security policies based on the value of the risk scores.

Abstract: The present disclosure provides distributed, multi-tenant Virtual Private Network (VPN) cloud systems and methods for mobile security and user based policy enforcement. In an exemplary embodiment, plural mobile devices are configured to connect to one or more enforcement or processing nodes over VPN connections. The enforcement or processing nodes are configured to perform content filtering, policy enforcement, and the like on some or all of the traffic from the mobile devices. The present invention is described as multi-tenant as it can connect to plural clients across different companies with different policies in a single distributed system. Advantageously, the present invention allows smartphone and tablet users to protect themselves from mobile malware, without requiring a security applications on the device. It allows administrators to seamless enforce policy for a user regardless of the device or network they are connecting to, as well as get granular visibility into the user's network behavior.

Abstract: Systems, methods and apparatus for tunneling in a cloud based security system. In an aspect, tunnel session data describing authentication and unauthenticated sessions, and location data describing tunnel identifiers for tunnels, locations, and security policies specific to the locations are accessed. Tunnel packets are received, and for each tunnel packet it is determined, from the tunnel identifier associated with the packet, whether a session entry in the session data exists for the tunnel identified by the tunnel identifier. In response to determining that a session entry does not exist in the session data, then a session entry is created for the tunnel identifier, an authentication process to determine a location to be associated with the session entry is performed, and an entry in the location data for the location is associated with the session entry.

Abstract: Methods, systems, and apparatus, including computer program products, for generating or using augmentation queries. In one aspect, statistical model of statistical data is used to support lossless predictive compression. Data instances are identified in statistical data and classified into one of a plurality of data types. Each data type is associated with a corresponding compression process that is used to compress data instances of that type.

Abstract: System and methods for injecting content into a response for improving client-side security. The system includes a content injection service external to network edges of at least one system. The content injection service receives a request from a client within the at least one system and identifies or anticipates a potential threat associated with the response. The content injection service is configured to determine an appropriate counter for the identified or anticipated potential threat and in response injects content into the response according to the potential or anticipated threat identified.

Abstract: Systems, methods and apparatus for a distributed security that monitors communications to identify access attempts to/from darknet addresses. Such attempts can be inferred to be associated with malicious activity and a notification or other corrective action can be provided identifying such potentially malicious activity.

Abstract: Systems, methods and apparatus for handling security messages in a distributed security system. Requests, replies, and/or updates have varying time constraints. Processing node managers and authority node managers determine the best transmission times and/or the ignoring of such data to maximize information value.

Abstract: Methods, systems, and apparatus, including computer program products, for generating or using augmentation queries. In one aspect, a set of phrase terms of a phrase are received in first ordinal positions, and a set of first hashes for each of the phrase terms. Concatenated hashes from the set of first hashes are generated. Hashes of content terms for received content are compared to the concatenated hashes to determine if a phrase is detected in the content.

Abstract: Systems, methods and apparatus for a distributed security that monitors communications to manage client browser network access based upon the browser configuration of the client browser by use of a configuration script executed in the browser environment. Such management can reduce the exposure of potentially vulnerable client browsers to domains associated with malicious activity.

Abstract: Systems, methods and apparatus for identifying web risks use a web risk service external to network edges of at least one system. The web risk service receives a web request from a computer within the at least one system, the web request identifying at least one network address. The web risk service determines a web risk index score for the at least one network address, and compares the determined web risk index score to at least one threshold value. Based on the comparison, the service determines how to handle the web request, e.g., by forwarding, blocking, and/or logging the web request.

Abstract: Systems, methods and apparatus for tunneling in a cloud based security system. A multi-tenant cloud-based security system that can distinguish between client computing devices with overlapping private IP addresses is disclosed. Client devices communicate through a processing node to which a tunnel is established. The processing node is able to detect the client devices and apply security policies to the device.