Abstract: A method operable in a security device cluster having a plurality of security devices each configured to receive respective data flows. The method includes receiving a first segment of a flow at a first security device of the plurality of security devices, sending the first segment of the flow toward a destination node without the first security device of the plurality of security devices asserting ownership over the flow, receiving, from the destination node, a second segment of the flow at a second security device of the plurality of security devices, the second segment of the flow being responsive to the first segment, asserting, by the second security device of the plurality of security devices, ownership over the flow, and forwarding, from the first security device, packets of the flow subsequently received by the first security device to the second security device.

Abstract: A method operable in a security device cluster having a plurality of security devices each configured to receive respective data flows. The method includes receiving a first segment of a flow at a first security device of the plurality of security devices, sending the first segment of the flow toward a destination node without the first security device of the plurality of security devices asserting ownership over the flow, receiving, from the destination node, a second segment of the flow at a second security device of the plurality of security devices, the second segment of the flow being responsive to the first segment, asserting, by the second security device of the plurality of security devices, ownership over the flow, and forwarding, from the first security device, packets of the flow subsequently received by the first security device to the second security device.

Abstract: Presented herein are techniques for determining an initiator of network traffic, collecting at each of multiple instants of time, usage data for network traffic associated with the initiator, and storing historical usage data based on updates from usage data for the network traffic over time. Current usage data are compared to historical usage data of the initiator to determine whether current usage data are within an expected distribution with respect to the historical usage data. Based upon the comparison between the current usage data and the historical usage data, an inspection threshold is selected for traffic flows from the initiator, and a proportion of traffic flows associated with the initiator is determined to be inspected based on the inspection threshold.