Abstract: Systems, methods and apparatus for tunneling in a cloud based security system. In an aspect, tunnel session data describing authentication and unauthenticated sessions, and location data describing tunnel identifiers for tunnels, locations, and security policies specific to the locations are accessed. Tunnel packets are received, and for each tunnel packet it is determined, from the tunnel identifier associated with the packet, whether a session entry in the session data exists for the tunnel identified by the tunnel identifier. In response to determining that a session entry does not exist in the session data, then a session entry is created for the tunnel identifier, an authentication process to determine a location to be associated with the session entry is performed, and an entry in the location data for the location is associated with the session entry.

Abstract: A method for maintaining a cache of dynamically generated objects. The method includes storing in the cache dynamically generated objects previously served from an originating server to a client. A communication between the client and server is intercepted by the cache. The cache parses the communication to identify an object determinant and to determine whether the object determinant indicates whether a change has occurred or will occur in an object at the originating server. The cache marks the object stored in the cache as invalid if the object determinant so indicates. If the object has been marked as invalid, the cache retrieves the object from the originating server.

Abstract: Methods, systems, and apparatus, including computer program products, for generating or using augmentation queries. In one aspect, statistical model of statistical data is used to support lossless predictive compression. Data instances are identified in statistical data and classified into one of a plurality of data types. Each data type is associated with a corresponding compression process that is used to compress data instances of that type.

Abstract: Systems, methods and apparatus for handling security messages in a distributed security system. Requests, replies, and/or updates have varying time constraints. Processing node managers and authority node managers determine the best transmission times and/or the ignoring of such data to maximize information value.

Abstract: Methods, systems, and apparatus, including computer program products, for generating or using augmentation queries. In one aspect, a set of phrase terms of a phrase are received in first ordinal positions, and a set of first hashes for each of the phrase terms. Concatenated hashes from the set of first hashes are generated. Hashes of content terms for received content are compared to the concatenated hashes to determine if a phrase is detected in the content.

Abstract: The present invention is directed towards a method and system for providing a technique referred to as flash caching to respond to requests for an object, such as a dynamically generated object, from multiple clients. This technique of the present invention uses a dynamically generated object stored in a buffer for transmission to a client, for example in response to a request from the client, to also respond to additional requests for the dynamically generated object from other clients while the object is stored in the buffer. Using this technique, the present invention is able to increase cache hit rates for extremely fast changing dynamically generated objects that may not otherwise be cacheable.

Abstract: The present invention is directed towards a method and system for providing granular timed invalidation of dynamically generated objects stored in a cache. The techniques of the present invention incorporates the ability to configure the expiration time of objects stored by the cache to fine granular time intervals, such as the granularity of time intervals provided by a packet processing timer of a packet processing engine. As such, the present invention can cache objects with expiry times down to very small intervals of time. This characteristic is referred to as “invalidation granularity.” By providing this fine granularity in expiry time, the cache of the present invention can cache and serve objects that frequently change, sometimes even many times within a second. One technique is to leverage the packet processing timers used by the device of the present invention that are able operate at time increments on the order of milliseconds to permit invalidation or expiry granularity down to 10 ms or less.

Abstract: The present disclosure provides systems and methods for detecting email spam and variants thereof. The systems and methods are configured to detect spam messages and variations thereof for different senders and with slight differences within the message body. In an exemplary embodiment, an incoming message body (m) is converted to a sequence of successive word lengths (Sm): m->Sm, a comparison is performed between the sequence, Sm, and a plurality of stored sequences (Sk) of known spam messages, and the incoming message is flagged as spam based on the comparison. Further, the plurality of stored sequences, Sk, may be continually updated based on user feedback and other spam detection techniques. The systems and methods of the present invention may be implemented through a computer, such as a mail server, through a cloud-based security system, through a user's computer via a software agent, and the like.

Abstract: Systems, methods and apparatus for tunneling in a cloud based security system. A multi-tenant cloud-based security system that can distinguish between client computing devices with overlapping private IP addresses is disclosed. Client devices communicate through a processing node to which a tunnel is established. The processing node is able to detect the client devices and apply security policies to the device.

Abstract: The present invention is directed towards a method and system for providing a technique referred to as flash caching to respond to requests for an object, such as a dynamically generated object, from multiple clients. This technique of the present invention uses a dynamically generated object stored in a buffer for transmission to a client, for example in response to a request from the client, to also respond to additional requests for the dynamically generated object from other clients while the object is stored in the buffer. Using this technique, the present invention is able to increase cache hit rates for extremely fast changing dynamically generated objects that may not otherwise be cacheable.

Abstract: A device that implements a method for performing integrated caching in a data communication network. The device is configured to receive a packet from a client over the data communication network, wherein the packet includes a request for an object. At the operating system/kernel level of the device, one or more of decryption processing of the packet, authentication and/or authorization of the client, and decompression of the request occurs prior to and integrated with caching operations. The caching operations include determining if the object resides within a cache, serving the request from the cache in response to a determination that the object is stored within the cache, and sending the request to a server in response to a determination that the object is not stored within the cache.

Abstract: A method for automated evaluation of a SPAM filter rates a sender-receiver pair based on traffic information related to the sender-receiver pair. A SPAM filter intercepts electronic messages transmitted between the sender-receiver pair and classifies them as either SPAM or HAM. On comparing the rating for the sender-receiver pair and the classification for an electronic message between the sender-receiver pair, the method generates a metric indicating the reliability of the spam filter. Repeating these steps for more than one electronic messages and related sender-receiver pairs, the method produces a set of metrics. One or more of the metrics from the set of metrics are used to calculate an evaluation factor for evaluating the SPAM filter.

Abstract: The present disclosure is directed to systems and methods for generating, managing, and displaying alarms associated with monitoring a wireless network. Advantageously, the present disclosure provides one alarm per security event, and the ability to see an event in context over time and aggregate information. This results in a significant reduction in alarm volume for wireless monitoring which increases manageability and reduces storage requirements. Further, this provides better security by avoiding the “needle in the haystack” problem where you see few actionable alarms rather than being flooded by multiple copies of the same event over time. Finally, the present disclosure provides improved system scalability with large deployments by managing alarms through lesser alarm volume, and through visual representation.

Abstract: Systems, methods and apparatus for a distributed security that provides security processing external to a network edge. The system can include many distributed processing nodes and one or more authority nodes that provide security policy data, threat data, and other security data to the processing nodes. The processing nodes detect and stop the distribution of malware, spyware and other undesirable content before such content reaches the destination network and computing systems.

Abstract: A device that implements a method for performing integrated caching in a data communication network. The device is configured to receive a packet from a client over the data communication network, wherein the packet includes a request for an object. At the operating system/kernel level of the device, one or more of decryption processing of the packet, authentication and/or authorization of the client, and decompression of the request occurs prior to and integrated with caching operations. The caching operations include determining if the object resides within a cache, serving the request from the cache in response to a determination that the object is stored within the cache, and sending the request to a server in response to a determination that the object is not stored within the cache.

Abstract: Login credit is monitored over a credit time period. Continuous invalid login attempts decrease the login credit for the duration of the credit time period. Login credit accumulates with time. If the login credit is less than a credit threshold, login processing is precluded. A common invalid login notification for presentation to a user is generated if login processing is precluded or if login processing indicates that the login credentials are invalid.

Abstract: In one general aspect, entity instances are monitored during a first interval, each entity instance being one of several types of entity instances. A first ranked list of entity instances is determined from the entity instances monitored during the first interval. The types of entity instances are ranked in the first list according to the number of times each type of entity instance occurred during the first interval and the first ranked list has a first cardinality of types of entity instances. Entity instances are monitored during a second interval. A second ranked list of entity instances is determined. The second ranked list has the first cardinality of types of entity instances. The first ranked list and the second ranked list are merged into a third ranked list of entities instances. The third ranked list has a second cardinality that is less than or equal to the first cardinality.

Abstract: Methods, systems, and apparatus, including computer program products, for selective presence notification are provided. In one general aspect, a plurality of presence notification messages are monitored. Each presence notification message may include address information identifying at least one of a recipient or a sender of the presence notification message. Based on the address information a determination is made as to whether a presence notification message is allowable. If it is determined that the presence notification message is allowable, the transmission of the presence notification message is allowed.

Abstract: The present invention is directed towards a “flash crowd” technique for handling situations where the cache receives additional requests, e.g., nearly simultaneous requests, for the same object during the time the server is processing and returning the response object for a first requestor. Once all such nearly simultaneous requests are responded to by the cache, the object is flushed from the cache, with no additional expiry time or invalidation action needed. This technique of the present invention enables data to be cached and served for very small amounts of time for objects that would otherwise be considered non-cacheable. As such, this technique yields a significant improvement in applications that serve fast changing data to a large volume of concurrent users, such, for example, as real time stock quotes, or a fast evolving news story.

Abstract: Systems, methods and apparatus for a distributed security that provides security processing external to a network edge. The system can include many distributed processing nodes and one or more authority nodes that provide security policy data, threat data, and other security data to the processing nodes. The processing nodes detect and stop the distribution of malware, spyware and other undesirable content before such content reaches the destination network and computing systems.