Abstract: In an embodiment, a distributed firewall that learns from traffic patterns to prevent attacks is configured to receive traffic comprising one or more uniform resource identifiers (URIs), where a URI of the one or more URIs includes one or more parameters and one or more corresponding values. The firewall is configured to classify the corresponding value(s) using a pre-configured classifier and obtain a statistical rule that specifies an allowable type and an allowable length for traffic containing the one or more parameters, where the statistical rule is generated based on the classification. The firewall is configured to apply the statistical rule to incoming traffic to allow or drop requests comprising the parameter(s).

Abstract: In an embodiment, a statistical approach for augmenting signature detection in a Web application firewall includes receiving a new request including a parameter in a uniform resource identifier (URI), tokenizing the new request, and determining a compound probability that tokens in a value that is associated with the parameter of the URI and that is included in the new request are associated with an attack. The compound probability is determined based at least in part on component probabilities of tokens of historical values associated with the parameter of the URI.

Abstract: A technique for content proxying is described. The technique includes receiving from a first device a stream of data. The stream of data is formatted in a format that does not indicate content length in a header. A received payload of the stream of data is encoded into a data chunk including a chunk length header and the received payload. The data chunk is forwarded to a second device that does not support the format.

Abstract: A method and system are disclosed. A first service engine among a plurality of service engines detects a traffic violation of a web application policy for an instantiation of a virtual service on the first service engine. The service engines maintain corresponding instances of a shared state of policy violations for the web application policy. In response to detecting the traffic violation, a first instance of the shared state on the first service engine is updated. The first service engine broadcasts the updated first instance of the shared state. Remaining service engines, which have instantiations of the virtual service, update their instances of the shared state in response to receiving the updated first instance. The instances of the shared state are aggregated to obtain an aggregated shared state. It is detected whether the aggregated shared state triggers an application policy rule for the web application policy.

Abstract: In an embodiment, a distributed firewall that learns from traffic patterns to prevent attacks is configured to receive traffic comprising one or more uniform resource identifiers (URIs), where a URI of the one or more URIs includes one or more parameters and one or more corresponding values. The firewall is configured to classify the corresponding value(s) using a pre-configured classifier and obtain a statistical rule that specifies an allowable type and an allowable length for traffic containing the one or more parameters, where the statistical rule is generated based on the classification. The firewall is configured to apply the statistical rule to incoming traffic to allow or drop requests comprising the parameter(s).

Abstract: A technique for content proxying is described. The technique includes receiving from a first device a stream of data. The stream of data is formatted in a format that does not indicate content length in a header. A received payload of the stream of data is encoded into a data chunk including a chunk length header and the received payload. The data chunk is forwarded to a second device that does not support the format.

Abstract: In an embodiment, a method of payload matching via a single pass transformation of an HTTP payload includes receiving a payload packet destined for a recipient and parsing the payload packet in a single scan of the packet using a combined regular expression. The combined regular expression includes a plurality of regular expressions that correspond to a set of replacement rules. The method includes determining a scatter-gather list conforming to the rule, constructing a new payload packet based on the scatter-gather list, and sending the new payload packet to the recipient.

Abstract: In an embodiment, a method of payload matching via a single pass transformation of an HTTP payload includes receiving a payload packet destined for a recipient and parsing the payload packet in a single scan of the packet using a combined regular expression. The combined regular expression includes a plurality of regular expressions that correspond to a set of replacement rules.

Abstract: In an embodiment, a statistical approach for augmenting signature detection in a Web application firewall includes receiving a new request including a parameter in a uniform resource identifier (URI), tokenizing the new request, and determining a compound probability that tokens in a value that is associated with the parameter of the URI and that is included in the new request are associated with an attack. The compound probability is determined based at least in part on component probabilities of tokens of historical values associated with the parameter of the URI.

Abstract: Efficient mechanisms are provided for transferring key objects associated with disk logical unit numbers and tape cartridges from one data center to another data center. A request is received to transfer a source data center key object from a source data center to a destination data center. The source data center key object corresponds to a data block, such as a disk logical unit number (LUN) or a tape cartridge, maintained in a storage area network (SAN) and includes a unique identifier, an encrypted key, and a wrapper unique identifier. The encrypted key is decrypted using a source data center key hierarchy. Key information is transmitted from the source data center to the destination data center. A destination data center key object is generated using a destination data center key hierarchy.

Abstract: Methods and apparatus for performing Storage Media Encryption (SME) are disclosed. In one embodiment, an apparatus includes a memory and a plurality of processors. The apparatus receives a write command from a network device. The apparatus sends a transfer ready to the network device in response to the write command. The apparatus receives data from the network device. The apparatus composes a status and sends the status the network device. The status is sent to the network device after the data has been received from the network device and prior to both compressing and encrypting the data. The apparatus compresses the data to generate compressed data. One of the plurality of processors encrypts the compressed data to generate modified data. The apparatus then sends the modified data to a target indicated by the write command.

Abstract: Methods and apparatus for encrypting data are disclosed. In accordance with one embodiment, data path information identifying a data path is provided to one or more of a plurality of nodes in a cluster of nodes in a network, each of the nodes in the cluster being configured for encryption of data. One of the nodes is selected to be responsible for encryption of data in the data path. The selected one of the nodes is notified of its responsibility for encryption of data associated with the data path, wherein traffic associated with the data path is redirected to the selected one of the nodes.

Abstract: Efficient mechanisms are provided for transferring key objects associated with disk logical unit numbers and tape cartridges from one data center to another data center. A request is received to transfer a source data center key object from a source data center to a destination data center. The source data center key object corresponds to a data block, such as a disk logical unit number (LUN) or a tape cartridge, maintained in a storage area network (SAN) and includes a unique identifier, an encrypted key, and a wrapper unique identifier. The encrypted key is decrypted using a source data center key hierarchy. Key information is transmitted from the source data center to the destination data center. A destination data center key object is generated using a destination data center key hierarchy.