Abstract: Some embodiments of proxy-less Secure Sockets Layer (SSL) data inspection have been presented. In one embodiment, a secured connection according to a secured network protocol between a client and a responder is setup via a gateway device, which is coupled between the client and the responder. The gateway device transparently intercepts data transmitted according to the secured network protocol between the client and the responder. Furthermore, the gateway device provides flow-control and retransmission of one or more data packets of the data without self-scheduling the packet retransmissions using timeouts and based on the packet retransmission logic of either the client-side or the responder side of the connection. The gateway device is further operable to perform security screening on the data.

Abstract: The present disclosure is directed to monitoring internal process memory of a computer at a time with program code executes. Methods and apparatus consistent with the present disclosure monitor the operation of program code with the intent of detecting whether received program inputs may exploit vulnerabilities that may exist in the program code at runtime. By detecting suspicious activity or malicious code that may affect internal process memory at run-time, methods and apparatus described herein identify suspected malware based on suspicious actions performed as program code executes. Runtime exploit detection may detect certain anomalous activities or chain of events in a potentially vulnerable application during execution. These events may be detected using instrumentation code when a regular code execution path of an application is deviated from.

Abstract: Methods and apparatus consistent with the present disclosure may prevent a computer process from failing when a firewall located between a client device and a server identifies that a process at the firewall should be bypassed using fingerprint information associated with a connection attempt. When fingerprint information stored at a firewall matches previously received fingerprint information, the firewall may allow processes typically performed at the firewall to be bypassed, thereby, allowing communications to pass between the client device and the server without inspection. When that fingerprint information does not match previously received fingerprint information, the firewall may perform a process that causes the client device to fail the first connection attempt. Because of this, methods consistent with the present disclosure may allow communications from an application program to be passed through a firewall without relying on an ever growing list of trusted application programs.

Abstract: Some embodiments of proxy-less Secure Sockets Layer (SSL) data inspection have been presented. In one embodiment, a secured connection according to a secured network protocol between a client and a responder is setup via a gateway device, which is coupled between the client and the responder. The gateway device transparently intercepts data transmitted according to the secured network protocol between the client and the responder. Furthermore, the gateway device provides flow-control and retransmission of one or more data packets of the data without self-scheduling the packet retransmissions using timeouts and based on the packet retransmission logic of either the client-side or the responder side of the connection. The gateway device is further operable to perform security screening on the data.

Abstract: A method and apparatus for identifying data patterns of a file are described herein. In one embodiment, an exemplary process includes, but is not limited to, receiving a data packet of a data stream containing a file segment of a file originated from an external host and destined to a protected host of a local area network (LAN), the file being transmitted via multiple file segments contained in multiple data packets of the data stream, and performing a data pattern analysis on the received data packet to determine whether the received data packet contains a predetermined data pattern, without waiting for a remainder of the data stream to arrive. Other methods and apparatuses are also described.

Abstract: Some embodiments of reassembly-free deep packet inspection (DPD on multicore hardware have been presented. In one embodiment, a set of packets of one or more files is received at a networked device from one or more connections. Each packet is scanned using one of a set of processing cores in the networked device without buffering the one or more files in the networked device. Furthermore, the set of processing cores may scan the packets substantially concurrently.

Abstract: Techniques for notification of reassembly-free file scanning are described herein. According to one embodiment, a first request for accessing a document provided by a remote node is received from a client. In response to the first request, it is determined whether a second request previously for accessing the document of the remote node indicates that the requested document from the remote node contains offensive data. If the requested document contains offensive data, a message is returned to the client, without accessing the requested document of the remote node, indicating that the requested document is not delivered to the client.

Abstract: The present disclosure is directed to monitoring internal process memory of a computer at a time with program code executes. Methods and apparatus consistent with the present disclosure monitor the operation of program code with the intent of detecting whether received program inputs may exploit vulnerabilities that may exist in the program code at runtime. By detecting suspicious activity or malicious code that may affect internal process memory at run-time, methods and apparatus described herein identify suspected malware based on suspicious actions performed as program code executes. Runtime exploit detection may detect certain anomalous activities or chain of events in a potentially vulnerable application during execution. These events may be detected using instrumentation code when a regular code execution path of an application is deviated from.

Abstract: Some embodiments of reassembly-free deep packet inspection (DPD on multicore hardware have been presented. In one embodiment, a set of packets of one or more files is received at a networked device from one or more connections. Each packet is scanned using one of a set of processing cores in the networked device without buffering the one or more files in the networked device. Furthermore, the set of processing cores may scan the packets substantially concurrently.

Abstract: A method and an apparatus to perform multi-connection traffic analysis and management are described. In one embodiment, the method includes analyzing data packets in the first data flow of a client application for a pattern of interest, where the client application communicates data using first and second data flows. In response to the method detecting a pattern of interest in the first data flow, the method identifies the second data flow and identifies a traffic policy for the second data flow. The method applies the identified traffic policy to the second data flow. Other embodiments have been claimed and described.

Abstract: Methods and apparatus consistent with the present disclosure may be performed by a Cloud computing device may use instrumentation code that remains transparent to an application program that the instrumentation code has been injected into, may perform deep packet inspection (DPI) on computer data, or identify a content rating associated with computer data. In certain instances, data sets that include executable code may be received via packetized communications or be received via other means, such as, receiving a file from a data store. The present technique allows one or more processors executing instrumentation code to monitor actions performed by the program code included in a received data set. Malware can be detected using exception handling to track memory allocations of the program code included in the received data set. Furthermore, access to content associated with malware, potential malware, or with inappropriate content ratings may be blocked.

Abstract: A method and an apparatus to perform multi-connection traffic analysis and management are described. In one embodiment, the method includes analyzing data packets in the first data flow of a client application for a pattern of interest, where the client application communicates data using first and second data flows. In response to the method detecting a pattern of interest in the first data flow, the method identifies the second data flow and identifies a traffic policy for the second data flow. The method applies the identified traffic policy to the second data flow. Other embodiments have been claimed and described.

Abstract: Some embodiments of cloud-based gateway security scanning have been presented. In one embodiment, some data packets are received sequentially at a gateway device. The data packets constitute at least a part of a file being addressed to a client machine coupled to the gateway device. The gateway device forwards an identification of the file to a remote datacenter in parallel with forwarding the data packets to the client machine. The datacenter performs signature matching on the identification and returns a result of the signature matching to the gateway device. The gateway device determining whether to block the file from the client machine based on the result of the signature matching from the datacenter.

Abstract: Some embodiments of reassembly-free deep packet inspection (DPD on multicore hardware have been presented. In one embodiment, a set of packets of one or more files is received at a networked device from one or more connections. Each packet is scanned using one of a set of processing cores in the networked device without buffering the one or more files in the networked device. Furthermore, the set of processing cores may scan the packets substantially concurrently.

Abstract: The present disclosure is directed to monitoring internal process memory of a computer at a time with program code executes. Methods and apparatus consistent with the present disclosure monitor the operation of program code with the intent of detecting whether received program inputs may exploit vulnerabilities that may exist in the program code at runtime. By detecting suspicious activity or malicious code that may affect internal process memory at run-time, methods and apparatus described herein identify suspected malware based on suspicious actions performed as program code executes. Runtime exploit detection may detect certain anomalous activities or chain of events in a potentially vulnerable application during execution. These events may be detected using instrumentation code when a regular code execution path of an application is deviated from.

Abstract: The present disclosure is directed to preventing computer data from being usurped and exploited by individuals or organizations with nefarious intent. Methods and systems consistent with the present disclosure may store keys and keying data for each of a plurality of connections in separate memory locations. These memory locations may store data that maps a virtual address to a physical memory address associated with storing information relating to a secure connection. These separate memory locations may have a unique instance for each individual communication connection session, for example each transport layer security (TLS) connection may be assigned memory via logical addresses that are mapped to one or more physical memory addresses on a per-core basis. Such architectures decouple actual physical addresses that are used in conventional architectures that assign a single large continuous physical memory partition that may be accessed via commands that access physical memory addresses directly.

Abstract: Some embodiments of cloud-based gateway security scanning have been presented. In one embodiment, some data packets are received sequentially at a gateway device. The data packets constitute at least a part of a file being addressed to a client machine coupled to the gateway device. The gateway device forwards an identification of the file to a remote datacenter in parallel with forwarding the data packets to the client machine. The datacenter performs signature matching on the identification and returns a result of the signature matching to the gateway device. The gateway device determining whether to block the file from the client machine based on the result of the signature matching from the datacenter.

Abstract: Methods and apparatus consistent with the present disclosure may prevent a computer process from failing when a firewall located between a client device and a server identifies that a process at the firewall should be bypassed using fingerprint information associated with a connection attempt. When fingerprint information stored at a firewall matches previously received fingerprint information, the firewall may allow processes typically performed at the firewall to be bypassed, thereby, allowing communications to pass between the client device and the server without inspection. When that fingerprint information does not match previously received fingerprint information, the firewall may perform a process that causes the client device to fail the first connection attempt. Because of this, methods consistent with the present disclosure may allow communications from an application program to be passed through a firewall without relying on an ever growing list of trusted application programs.

Abstract: Some embodiments of reassembly-free deep packet inspection (DPD on multicore hardware have been presented. In one embodiment, a set of packets of one or more files is received at a networked device from one or more connections. Each packet is scanned using one of a set of processing cores in the networked device without buffering the one or more files in the networked device. Furthermore, the set of processing cores may scan the packets substantially concurrently.

Abstract: A character class is detected in a regular expression and substituted with a pseudo character. A table is created with a bit vector for each pseudo character inserted into the regular expression. Each bit in the bit-vector represents one character of the alphabet from which the expression is generated. The status of the bits in a bit-vector indicates which characters of the alphabet are included in the character class. The pseudo character in the modified regular expression is used to construct a non-deterministic finite automaton (NFA). The NFA with the pseudo character is then used to construct a deterministic finite automaton (DFA). When constructing the DFA, the bit-vectors are used to determine if a certain transition should be constructed in the DFA.