Abstract: An approach to establish connections between clusters having overlapping IP address ranges. A method includes receiving, at a service discovery server, from a first node in a first cluster, a service discovery request including a unique name, determining, at the service discovery server, that the unique name resolves to a destination IP address of a second node in a second cluster, determining that the destination IP address overlaps with an IP address range associated with the first cluster, in response to determining that the destination IP address overlaps with the IP address range belonging to the first cluster, configuring a gateway to expect a network connection request from the first node that includes an IP address of the gateway, and sending a service discovery response to the first node, the service discovery response including the IP address of the gateway, but not the destination IP address.

Abstract: An approach to establish connections between clusters having overlapping IP address ranges. A method includes receiving, at a service discovery server, from a first node in a first cluster, a service discovery request including a unique name, determining, at the service discovery server, that the unique name resolves to a destination IP address of a second node in a second cluster, determining that the destination IP address overlaps with an IP address range associated with the first cluster, in response to determining that the destination IP address overlaps with the IP address range belonging to the first cluster, configuring a gateway to expect a network connection request from the first node that includes an IP address of the gateway, and sending a service discovery response to the first node, the service discovery response including the IP address of the gateway, but not the destination IP address.

Abstract: The invention concerns a method for identifying a protocol of a data stream exchanged between two entities of a telecommunication network, the processing method comprising the following steps: on receiving data of the data stream, grammatical parsing of said data stream in order to identify a protocol of the data stream; in the event of failure to identify the protocol of the data stream by grammatical parsing, consulting a signature engine mapping protocols with corresponding signatures, and sequentially applying signatures to the data flow in order to identify a data stream protocol.

Abstract: The invention concerns a method for identifying a protocol of a data stream exchanged between two entities of a telecommunication network, the processing method comprising the following steps: —on receiving data of the data stream, grammatical parsing of said data stream in order to identify a protocol of the data stream; —in the event of failure to identify the protocol of the data stream by grammatical parsing, consulting a signature engine mapping protocols with corresponding signatures, and sequentially applying signatures to the data flow in order to identify a data stream protocol.

Abstract: The invention relates to a method for processing a data stream exchanged between a client and an entity via a telecommunications network, the data stream including a set of data packets, the processing method including the following steps: upon intercepting (201) a data packet belonging to a data stream—the data stream including a source and a recipient, the client being the source or the recipient of the data stream—copying (204) the data packet and transferring (205) the data packet to the recipient; transmitting said copy to a stream analyser capable of analyzing the data stream; receiving (206) a data stream analysis result from the stream analyser; and processing (207; 208) the data stream in accordance with the receiver analysis result.

Abstract: A computing device running a local enforcement agent is configured to instantiate at least one application container at the computing device, where the at least one application container is part of a containerized application. The computing device is also configured to associate the local enforcement agent with the least one application container so that the local enforcement agent operates as an intra-application communication proxy for the least one application container. The local enforcement agent receives an intra-application Application Programming Interface (API) call that is sent to the at least one application container from a second application container that is part of the containerized application. The local enforcement agent is configured to analyze the intra-application API call for compliance with one or more security policies associated with the at least one container.

Abstract: Presented herein are techniques for detecting anomalies in micro-service communications that are indicative of security issues/problems for the application. More specifically, a computing device receives a plurality of micro-service communication records each associated with traffic sent between pairs of executables (nodes) that are related to a micro-services application. Each of the micro-service communication records includes a time series entry and an associated trace sequence identifier and each of the micro-service communication records are generated during a time period. The computing device analyzes the plurality of micro-service communications to detect possible anomalous communication patterns associated with the micro-services application during the time period.

Abstract: The invention relates to a method for processing a data stream exchanged between a client and an entity via a telecommunications network, the data stream including a set of data packets, the processing method including the following steps: upon intercepting (201) a data packet belonging to a data stream—the data stream including a source and a recipient, the client being the source or the recipient of the data stream—copying (204) the data packet and transferring (205) the data packet to the recipient, transmitting said copy to a stream analyser capable of analyzing the data stream, receiving (206) a data stream analysis result from the stream analyser, and processing (207; 208) the data stream in accordance with the receiver analysis result.

Abstract: Presented herein are techniques for detecting anomalies in micro-service communications that are indicative of security issues/problems for the application. More specifically, a computing device receives a plurality of micro-service communication records each associated with traffic sent between pairs of executables (nodes) that are related to a micro-services application. Each of the micro-service communication records includes a time series entry and an associated trace sequence identifier and each of the micro-service communication records are generated during a time period. The computing device analyzes the plurality of micro-service communications to detect possible anomalous communication patterns associated with the micro-services application during the time period.

Abstract: A computing device running a local enforcement agent is configured to instantiate at least one application container at the computing device, where the at least one application container is part of a containerized application. The computing device is also configured to associate the local enforcement agent with the least one application container so that the local enforcement agent operates as an intra-application communication proxy for the least one application container. The local enforcement agent receives an intra-application Application Programming Interface (API) call that is sent to the at least one application container from a second application container that is part of the containerized application. The local enforcement agent is configured to analyze the intra-application API call for compliance with one or more security policies associated with the at least one container.

Abstract: The invention relates to a data collection device for monitoring streams in a data network using a packet transmission mode, including an extractor for extracting data contained in packets belonging to a stream defined by a transmitter, a receiver, and a protocol. The collection device also includes a syntax analyzer which receives data in real time from the extractor and breaks the data down into elements according to the syntactic rules of the protocol, said syntactic rules enabling the elements to be represented as a tree structure. The syntax analyzer combines respective tree state indicators with at least some of the elements, wherein the tree state indicator combined with an element locates said element within the tree structure. An interface transmits the tree state indicators, together with the elements with which the latter have been combined, to a stream analyzer external to the collection device.

Abstract: The invention concerns a digital processing system fed by at least one filter having three possible states resulting from one or more conditions on one or more protocol attributes, specified for a semantic stream. Each protocol attribute is specified by an ordered sequence of protocol names used in the semantic stream and a parameter name carried by a protocol whereof the name is indicated in the ordered sequence of protocol names. The digital processing device comprises a filtering engine which applies the filter on the communication data until the data provide protocol attribute values wherefrom results a valid or invalid state of the filter and an action motor which triggers the action when the state of the filter is valid.