Abstract: Systems, methods and apparatus for malware detection to detect and stop the distribution of malware and other undesirable content before such content reaches computing systems. A Malware Detection Service (MDS) including a processor and memory storing computer program instructions that when executed cause the processor to receive one of content or a signature of a file, responsive to receiving a signature of a file, determine a status of the file as trusted, untrusted, or unknown for malware based on the signature, responsive to receiving content of a file, generate a signature of the file and scan the content to identify the status of the content as trusted or untrusted.

Abstract: Systems, methods and apparatus for malware detection to detect and stop the distribution of malware and other undesirable content before such content reaches computing systems. A Malware Detection Service (MDS) including a processor and memory storing computer program instructions that when executed cause the processor to receive one of content or a signature of a file, responsive to receiving a signature of a file, determine a status of the file as trusted, untrusted, or unknown for malware based on the signature, responsive to receiving content of a file, generate a signature of the file and scan the content to identify the status of the content as trusted or untrusted.

Abstract: Systems, methods and apparatus for malware detection detect and stop the distribution of malware and other undesirable content before such content reaches computing systems. A cloud-based malware detection method includes receiving a signature from a computer, wherein the signature which identifies a file and the signature is smaller in size than the file; determining whether the file is trusted, untrusted, or unknown for malware based on the signature; and transmitting whether the file is trusted, untrusted, or unknown for malware to the computer based on the determining, wherein the computer is precluded from distribution of the file responsive to the file being untrusted.

Abstract: Systems, methods and apparatus for malware detection detect and stop the distribution of malware and other undesirable content before such content reaches computing systems. A malware detection service external to network edges of a system receives a request from a computer within the system, the request identifying a signature associated with content. The service determines a status indicator of the content using the signature, and transmits the status indicator to the computer.

Abstract: Systems, methods and apparatus for malware detection detect and stop the distribution of malware and other undesirable content before such content reaches computing systems. A cloud-based malware detection method includes receiving a signature from a computer, wherein the signature which identifies a file and the signature is smaller in size than the file; determining whether the file is trusted, untrusted, or unknown for malware based on the signature; and transmitting whether the file is trusted, untrusted, or unknown for malware to the computer based on the determining, wherein the computer is precluded from distribution of the file responsive to the file being untrusted.

Abstract: Systems, methods and apparatus for a distributed security that provides authentication and authorization management. The system can include a source processor that is used to identify the source associated with a request for authentication or authorization. The source processor can maintain the initial source associated with the request through the use of an association token. The associate token can be transmitted with each subsequent request that includes authentication or authorization data. The source processor can use the associate token to verify that the source associated with the initial request is the same as the source associated with subsequent authentication and authorization requests.

Abstract: Methods, systems, and apparatus, including computer program products, for generating or using augmentation queries. In one aspect, subject phrases for detection in content are identified. Each phrase has a corresponding cardinality of terms. First hash sets for each of the subject phrases are generated, each first hash set including first hashes of bigram term subsets for each of the phrases. Sub-phrase scores for each of the hashes based on the cardinality of each phrase are assigned. The sub-phrase scores a used to detect the subject phrases in hashes of portions of received content. Other implementations of this aspect include corresponding systems, apparatus, and computer program products.

Abstract: Systems, methods and apparatus for a distributed security that provides authentication and authorization management. The system can include an epoch manager that is used to generate authentication and authorization data that remain valid only for an epoch. The epoch manager can generate an epoch key pair that can be used to encrypt and decrypt the authentication and authorization data during the epoch that the key is valid. The epoch manager can also associate the contents of the data with the epoch in which it was created, so that at decrypting the epoch that the data was generated in can be identified.

Abstract: A cloud based system that facilitates inspection of secure content and inexpensively detects the presence of a Man-in-the-Middle attack in a client-server communication is disclosed. Through inspection of the server certificate, no Man-in-the-Middle attack between server and the system is ensured; through inspection and designation of the client certificate, absence of a Man-in-the-Middle attack between the cloud based system and the client is ensured. In this way, the cloud based system can perform its usual policy enforcement functions with respect to secure content while avoiding Man-in-the-Middle attacks.

Abstract: Systems, methods and apparatus for a distributed security that provides authentication and authorization management. The system can include an epoch processor that is used to validate authentication and authorization data that is valid only for an epoch. The epoch processor can maintain a public key that can be used to decrypt the authentication and authorization data during the epoch that the key is valid. The epoch processor can receive a new public key during each epoch. The epoch processor can also determine if the authentication or authorization data was fraudulently generated based on the contents of the data, and verifying whether the data is valid for the epoch in which it was decrypted.

Abstract: Guest accounts arise in a variety of ways. Hotels, Coffee Shops, internet cafes, internet kiosks, etc provide internet access to its guests, aka customers. Cloud based security services can serve as a platform for supporting efficient and safe guest account management. Guest accounts are managed by the cloud service and are associated and disassociated with individuals as needed by the guest account provider. The cloud service can also provide a guest account provider with greater control over guest account usage and accountability.

Abstract: Systems, methods and apparatus for a distributed security that provides authentication and authorization management. The system can include a state manager that is used to identify and maintain the source associated with a client browser that submits requests to the state manager. The state manager can allow requests that are authorized and request authorization for requests that are not. The state manager can maintain the states associated with each domain to reduce the number of transaction needed to authenticate and/or authorize subsequent requests to the same domain or to different domains.

Abstract: Systems, methods and apparatus for a content item inspection. A plurality of portions of a content item are received in a buffer, the buffer divided into a plurality of segments. A partial signature of the content item is computed using the received portions of the content item in a most recently received segment and a partial signature computed for a preceding segment. The computed partial signature is compared against a plurality of partial signatures associated with trustworthy content items. If a matching partial signature associated with a trustworthy content item is found for the computed partial signature, the most recently received segment is allowed to be transmitted to a device that requested the content item.

Abstract: Guard tables including absence information are used in a security system to limit the processing of negative queries. A key corresponding to a request to access a network resource is hashed and the output of the hash is a bit position in a guard table. The bit value at the bit position in the guard table is checked to determine if the information to which the key corresponds is absent from a datastore. Further processing of the request can be based on the indicated presence or absence information.

Abstract: The present disclosure provides systems and methods for detecting email spam and variants thereof. The systems and methods are configured to detect spam messages and variations thereof for different senders and with slight differences within the message body. In an exemplary embodiment, an incoming message body (m) is converted to a sequence of successive word lengths (Sm): m->Sm, a comparison is performed between the sequence, Sm, and a plurality of stored sequences (Sk) of known spam messages, and the incoming message is flagged as spam based on the comparison. Further, the plurality of stored sequences, Sk, may be continually updated based on user feedback and other spam detection techniques. The systems and methods of the present invention may be implemented through a computer, such as a mail server, through a cloud-based security system, through a user's computer via a software agent, and the like.

Abstract: Systems, methods and apparatus for tunneling in a cloud based security system. In an aspect, tunnel session data describing authentication and unauthenticated sessions, and location data describing tunnel identifiers for tunnels, locations, and security policies specific to the locations are accessed. Tunnel packets are received, and for each tunnel packet it is determined, from the tunnel identifier associated with the packet, whether a session entry in the session data exists for the tunnel identified by the tunnel identifier. In response to determining that a session entry does not exist in the session data, then a session entry is created for the tunnel identifier, an authentication process to determine a location to be associated with the session entry is performed, and an entry in the location data for the location is associated with the session entry.

Abstract: Systems, methods and apparatus for handling security messages in a distributed security system. Requests, replies, and/or updates have varying time constraints. Processing node managers and authority node managers determine the best transmission times and/or the ignoring of such data to maximize information value.

Abstract: Methods, systems, and apparatus, including computer program products, for generating or using augmentation queries. In one aspect, a set of phrase terms of a phrase are received in first ordinal positions, and a set of first hashes for each of the phrase terms. Concatenated hashes from the set of first hashes are generated. Hashes of content terms for received content are compared to the concatenated hashes to determine if a phrase is detected in the content.

Abstract: The present disclosure provides systems and methods for detecting email spam and variants thereof. The systems and methods are configured to detect spam messages and variations thereof for different senders and with slight differences within the message body. In an exemplary embodiment, an incoming message body (m) is converted to a sequence of successive word lengths (Sm): m->Sm, a comparison is performed between the sequence, Sm, and a plurality of stored sequences (Sk) of known spam messages, and the incoming message is flagged as spam based on the comparison. Further, the plurality of stored sequences, Sk, may be continually updated based on user feedback and other spam detection techniques. The systems and methods of the present invention may be implemented through a computer, such as a mail server, through a cloud-based security system, through a user's computer via a software agent, and the like.

Abstract: Systems, methods and apparatus for tunneling in a cloud based security system. A multi-tenant cloud-based security system that can distinguish between client computing devices with overlapping private IP addresses is disclosed. Client devices communicate through a processing node to which a tunnel is established. The processing node is able to detect the client devices and apply security policies to the device.