Abstract: Flexible network policies might be enforced by (a) obtaining a flow of network packets, (b) determining a content characteristic by characterizing content of the flow using bit-stream level statistics, (c) determining content-independent flow characteristics, port-independent flow characteristics, and/or application header-independent flow characteristics, and (d) enforcing a policy on the flow using both (1) the determined content characteristic and the (2) determined content-independent flow characteristics, port-independent flow characteristics, and/or application header-independent flow characteristics.

Abstract: Host malware (or change) may be detected by (1) receiving baseline set of response time information for each of one or more transactions involving (A) the host and (B) at least one peer of the host, (2) determining or receiving a later set of response time information for each of the one or more transactions involving the host and the at least one peer of the host, and (3) determining whether or not host slowdown has occurred using the baseline set of response time information and the later set of response time information. The execution of a host malware (or change) protection policy may be controlled using at least the determination of whether or not host slowdown has occurred.

Abstract: Files can be reassembled from fragments by (a) accepting (or determining) adjacency scores for each pair of fragments from a set of fragments, (b) identifying header fragments from among the fragments of the set of fragments, and (c) for each of the header fragments identified, reconstructing a corresponding one of two or more files from the fragments of the set of fragments such that the sum of the adjacency scores are optimized. Any of the fragments, other than the identified header fragments, are permitted to belong, at least provisionally, to more than one of the at least two files when reconstructing the file(s).

Abstract: A hierarchical data structure of digested payload information (e.g., information within a payload, or information spanning two or more payloads) allows a payload excerpt to be attributed to earlier network flow information. These compact data structures permit data storage reduction, while permitting efficient query processing with a low level of false positives. One example of such a compact data structure is a hierarchical Bloom filter. Different layers of the hierarchy may correspond to different block sizes.

Abstract: Files can be reassembled from fragments by (a) accepting adjacency scores for each pair of fragments from the set of fragments, (b) identifying header fragments from among the fragments of the set of fragments, and (c) for each of the header fragments identified, reconstructing a corresponding one of the two or more files from the fragments of the set of fragments such that the sum of the adjacency scores are optimized, wherein each of the fragments is permitted to belong to only one of the at least two files, and wherein at least two files are reconstructed such that the results are independent of the order in which the files are reconstructed.

Abstract: Host reboots may be detected passively by tracking and analyzing host initialization events and/or by tracking and analyzing temporal skews in periodic events. Detected host reboots may then be used to determine or help determine whether or not the host has a possible malware infection.

Abstract: Flexible network policies might be enforced by (a) obtaining a flow of network packets, (b) determining a content characteristic by characterizing content of the flow using bit-stream level statistics, (c) determining content-independent flow characteristics, port-independent flow characteristics, and/or application header-independent flow characteristics, and (d) enforcing a policy on the flow using both (1) the determined content characteristic and the (2) determined content-independent flow characteristics, port-independent flow characteristics, and/or application header-independent flow characteristics.

Abstract: Detecting and mitigating threats to a computer network is important to the health of the network. Currently firewalls, intrusion detection systems, and intrusion prevention systems are used to detect and mitigate attacks. As the attackers get smarter and attack sophistication increases, it becomes difficult to detect attacks in real-time at the perimeter. Failure of perimeter defenses leaves networks with infected hosts. At least two of symptoms, roles, and reputations of hosts in (and even outside) a network are used to identify infected hosts. Virus or malware signatures are not required.

Abstract: Files can be reassembled from fragments by (a) accepting adjacency scores for each pair of fragments from a set of fragments, (b) identifying header fragments from the set of fragments, and (c) for each of the header fragments, (i) setting a current fragment to the identified header fragment, (ii) selecting, from any of the fragments not identified as a header fragment, a fragment with a best adjacency score with the current fragment, (iii) determining if the selected fragment has a better adjacency score with any of the other fragments not identified as a header than with the current fragment, (iv) if so, then (A) selecting another fragment, from any of the fragments not identified as a header fragment, a fragment with a next best adjacency score with the current fragment, and continuing, and otherwise (A) adding the selected fragment to a reassembly path started with the identified header fragment, and (B) setting the current fragment to the selected fragment, and continuing until the file is reconstructed.

Abstract: Flexible network policies might be enforced by (a) obtaining a flow of network packets, (b) determining a content characteristic by characterizing content of the flow using bit-stream level statistics, (c) determining content-independent flow characteristics, port-independent flow characteristics, and/or application header-independent flow characteristics, and (d) enforcing a policy on the flow using both (1) the determined content characteristic and the (2) determined content-independent flow characteristics, port-independent flow characteristics, and/or application header-independent flow characteristics.

Abstract: Files can be reassembled from fragments by (a) accepting adjacency scores for each pair of fragments from the set of fragments, (b) identifying header fragments from among the fragments of the set of fragments, and (c) for each of the header fragments identified, reconstructing a corresponding one of the two or more files from the fragments of the set of fragments such that the sum of the adjacency scores are optimized, wherein each of the fragments is permitted to belong to only one of the at least two files, and wherein at least two files are reconstructed such that the results are independent of the order in which the files are reconstructed.

Abstract: Host malware (or change) may be detected by (1) receiving baseline set of response time information for each of one or more transactions involving (A) the host and (B) at least one peer of the host, (2) determining or receiving a later set of response time information for each of the one or more transactions involving the host and the at least one peer of the host, and (3) determining whether or not host slowdown has occurred using the baseline set of response time information and the later set of response time information. The execution of a host malware (or change) protection policy may be controlled using at least the determination of whether or not host slowdown has occurred.

Abstract: Files can be reassembled from fragments by (a) accepting adjacency scores for each pair of fragments from the set of fragments, (b) identifying header fragments from among the fragments of the set of fragments, and (c) for each of the header fragments identified, (i) setting a current fragment to the identified header fragment, (ii) selecting, from among any one of the fragments of the set not identified as a header fragment, a fragment with a best adjacency score with the current fragment, (iii) checking to determine if the selected fragment has a better adjacency score with any of the other fragments not identified as a header than with the current fragment, (iv) if it is determined that the selected fragment has a better adjacency score with any of the other fragments not identified as a header than with the current fragment, then (A) selecting another fragment, from among any one of the fragments of the set not identified as a header fragment, a fragment with a next best adjacency score with the current f

Abstract: Files can be reassembled from fragments by (a) accepting (or determining) adjacency scores for each pair of fragments from the set of fragments, (b) identifying header fragments from among the fragments of the set of fragments, and (c) for each of the header fragments identified, reconstructing a corresponding one of the two or more files from the fragments of the set of fragments such that the sum of the adjacency scores are optimized, wherein any of the fragments, other than the identified header fragments, are permitted to belong, at least provisionally, to more than one of the at least two files during the act of reconstructing.

Abstract: Flexible network policies might be enforced by (a) obtaining a flow of network packets, (b) determining a content characteristic by characterizing content of the flow using bit-stream level statistics, (c) determining content-independent flow characteristics, port-independent flow characteristics, and/or application header-independent flow characteristics, and (d) enforcing a policy on the flow using both (1) the determined content characteristic and the (2) determined content-independent flow characteristics, port-independent flow characteristics, and/or application header-independent flow characteristics.

Abstract: A hierarchical data structure of digested payload information (e.g., information within a payload, or information spanning two or more payloads) allows a payload excerpt to be attributed to earlier network flow information. These compact data structures permit data storage reduction, while permitting efficient query processing with a low level of false positives. One example of such a compact data structure is a hierarchical Bloom filter. Different layers of the hierarchy may correspond to different block sizes.