Patents by Inventor Lawrence B. Huston

Lawrence B. Huston has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11622024
    Abstract: A system for processing data, comprising a first processor configured to operate one or more algorithms to provide an explicit proxy that directs network communications over a public network to a proxy server. The first processor configured to operate one or more algorithms to provide a firewall agent that verifies the presence of a firewall key prior to allowing data communications over the public network using the explicit proxy. Wherein the explicit proxy is installed using a proxy auto configuration file that is associated with the firewall agent.
    Type: Grant
    Filed: September 25, 2020
    Date of Patent: April 4, 2023
    Assignee: FORCEPOINT LLC
    Inventor: Lawrence B. Huston, III
  • Patent number: 11343143
    Abstract: A method for configuring a network monitoring device is provided. A plurality of flow records is received. The plurality of flow records is analyzed according to user-specified criteria to identify one or more network traffic patterns. A plurality of network entities associated with the one or more identified network traffic patterns is identified. A managed object including the identified plurality of network entities is generated.
    Type: Grant
    Filed: December 22, 2016
    Date of Patent: May 24, 2022
    Assignee: Arbor Networks, Inc.
    Inventors: Ronald G. Hay, James E. Winquist, Andrew D. Mortensen, William M. Northway, Jr., Lawrence B. Huston, III
  • Publication number: 20220103647
    Abstract: A system for processing data, comprising a first processor configured to operate one or more algorithms to provide an explicit proxy that directs network communications over a public network to a proxy server. The first processor configured to operate one or more algorithms to provide a firewall agent that verifies the presence of a firewall key prior to allowing data communications over the public network using the explicit proxy. Wherein the explicit proxy is installed using a proxy auto configuration file that is associated with the firewall agent.
    Type: Application
    Filed: September 25, 2020
    Publication date: March 31, 2022
    Applicant: Forcepoint LLC
    Inventor: Lawrence B. Huston, III
  • Patent number: 11283648
    Abstract: A system for controlling data services, comprising a plurality of host computers configured to communicate over the network and to request a data tunnel. A plurality of server computers configured to provide data tunnel services to the plurality of host computers. An address allocator operating on one or more processors and configured to implement one or more algorithms that cause a range of addresses to be assigned to each of the server computers, wherein each of the host computers receives one of the addresses for use as part of a data tunnel service request from the host computer to the server computer.
    Type: Grant
    Filed: August 15, 2019
    Date of Patent: March 22, 2022
    Assignee: FORCEPOINT LLC
    Inventor: Lawrence B. Huston, III
  • Publication number: 20210051043
    Abstract: A system for controlling data services, comprising a plurality of host computers configured to communicate over the network and to request a data tunnel. A plurality of server computers configured to provide data tunnel services to the plurality of host computers. An address allocator operating on one or more processors and configured to implement one or more algorithms that cause a range of addresses to be assigned to each of the server computers, wherein each of the host computers receives one of the addresses for use as part of a data tunnel service request from the host computer to the server computer.
    Type: Application
    Filed: August 15, 2019
    Publication date: February 18, 2021
    Applicant: Forcepoint LLC
    Inventor: Lawrence B. Huston, III
  • Publication number: 20210051132
    Abstract: A system for controlling a network, comprising a plurality of host computers configured to communicate over the network. A plurality of server computers configured to provide services to the plurality of host computers. An address allocator operating on one or more processors and configured to implement one or more algorithms that cause a range of addresses to be assigned to each of the server computers, wherein each of the host computers receives one of the addresses for use as part of a service request from the host computer to the server computer.
    Type: Application
    Filed: August 16, 2019
    Publication date: February 18, 2021
    Applicant: Forcepoint LLC
    Inventors: Lawrence B. Huston, III, David James Usher, Olli-Pekka Niemi
  • Patent number: 10904203
    Abstract: A method for encoding domain name information into flow records includes receiving a flow record. The flow record includes initial network flow information in a standard flow record format including at least a source address and a destination address. Domain name information associated with each of the source address and destination address is retrieved from a database. The domain name information is encoded into the received flow record while maintaining the initial network flow information to yield an enhanced flow record.
    Type: Grant
    Filed: September 9, 2016
    Date of Patent: January 26, 2021
    Assignee: Arbor Networks, Inc.
    Inventors: Lawrence B. Huston, III, James E. Winquist, Alex Levine, Ronald G. Hay, Brett Higgins, Andrew D. Mortensen, William M. Northway, Jr., Eric Jackson
  • Patent number: 10637885
    Abstract: A method for configuring a network monitoring device is provided. One or more performance metrics associated with one or more thresholds to be configured are received from a user. Historical network traffic flow information associated with a previously detected malicious activity is analyzed to identify characteristic values for the one or more performance metrics. Threshold values are automatically configured based on the identified characteristic values.
    Type: Grant
    Filed: November 28, 2016
    Date of Patent: April 28, 2020
    Assignee: Arbor Networks, Inc.
    Inventors: James E. Winquist, William M. Northway, Jr., Ronald G. Hay, Nicholas Scott, Lawrence B. Huston, III
  • Patent number: 10182071
    Abstract: A system for mitigating network attacks includes a protected network and one or more attack mitigation devices communicatively coupled to the protected network. The attack mitigation devices are configured to receive a request from a host having an IP address and determine whether the IP address is included in a first probabilistic data structure representing addresses of hosts having failed to authenticate using a first authentication procedure. The attack mitigation devices are also configured to perform the first authentication procedure, responsive to a determination that the IP address of the host is not included in the first data structure. The attack mitigation devices are yet further configured to allow the host to access the protected network, responsive to successful completion of the first authentication procedure and to update the first data structure to include the IP address of the host, responsive to unsuccessful completion of the first authentication procedure.
    Type: Grant
    Filed: July 29, 2016
    Date of Patent: January 15, 2019
    Assignee: Arbor Networks, Inc.
    Inventors: Lawrence B. Huston, III, Mathew R. Richardson
  • Patent number: 10116692
    Abstract: A system for mitigating network attacks within encrypted network traffic is provided. The system includes a protected network including a plurality of devices. The system further includes attack mitigation devices communicatively coupled to the protected network and to a cloud platform. The attack mitigation devices are configured and operable to decrypt the encrypted traffic received from the cloud platform and destined to the protected network to form a plurality of decrypted network packets and analyze the plurality of decrypted network to detect attacks. The attack mitigation devices are further configured to generate, in response to detecting the attacks, attack signatures corresponding to the detected attacks and configured to send the generated attack signatures to attack mitigation services provided in the cloud platform. The attack mitigation services are configured and operable to drop encrypted network traffic matching the attack signatures received from the attack mitigation devices.
    Type: Grant
    Filed: September 4, 2015
    Date of Patent: October 30, 2018
    Assignee: Arbor Networks, Inc.
    Inventors: Lawrence B. Huston, III, Scott Iekel-Johnson
  • Patent number: 10044751
    Abstract: A system for mitigating network attacks is provided. The system includes a protected network including a plurality of devices. The system further includes one or more attack mitigation devices communicatively coupled to the protected network. The attack mitigation devices are configured and operable to employ a recurrent neural network (RNN) to obtain probability information related to a request stream. The request stream may include a plurality of at least one of: HTTP, RTSP and/or DNS messages. The attack mitigation devices are further configured to analyze the obtained probability information to detect one or more atypical requests in the request stream. The attack mitigation services are also configured and operable to perform, in response to detecting one or more atypical requests, mitigation actions on the one or more atypical requests in order to block an attack.
    Type: Grant
    Filed: December 28, 2015
    Date of Patent: August 7, 2018
    Assignee: Arbor Networks, Inc.
    Inventor: Lawrence B. Huston, III
  • Publication number: 20180183714
    Abstract: A method for configuring a network monitoring device is provided. A plurality of flow records is received. The plurality of flow records is analyzed according to user-specified criteria to identify one or more network traffic patterns. A plurality of network entities associated with the one or more identified network traffic patterns is identified. A managed object including the identified plurality of network entities is generated.
    Type: Application
    Filed: December 22, 2016
    Publication date: June 28, 2018
    Inventors: Ronald G. Hay, James E. Winquist, Andrew D. Mortensen, William M. Northway, Jr., Lawrence B. Huston, III
  • Publication number: 20180152474
    Abstract: A method for configuring a network monitoring device is provided. One or more performance metrics associated with one or more thresholds to be configured are received from a user. Historical network traffic flow information associated with a previously detected malicious activity is analyzed to identify characteristic values for the one or more performance metrics. Threshold values are automatically configured based on the identified characteristic values.
    Type: Application
    Filed: November 28, 2016
    Publication date: May 31, 2018
    Inventors: James E. Winquist, William M. Northway, Jr., Ronald G. Hay, Nicholas Scott, Lawrence B. Huston, III
  • Publication number: 20180077110
    Abstract: A method for encoding domain name information into flow records includes receiving a flow record. The flow record includes initial network flow information in a standard flow record format including at least a source address and a destination address. Domain name information associated with each of the source address and destination address is retrieved from a database. The domain name information is encoded into the received flow record while maintaining the initial network flow information to yield an enhanced flow record.
    Type: Application
    Filed: September 9, 2016
    Publication date: March 15, 2018
    Inventors: Lawrence B. Huston, III, James E. Winquist, Alex Levine, Ronald G. Hay, Brett Higgins, Andrew D. Mortensen, William M. Northway, Jr., Eric Jackson
  • Publication number: 20180034849
    Abstract: A system for mitigating network attacks includes a protected network and one or more attack mitigation devices communicatively coupled to the protected network. The attack mitigation devices are configured to receive a request from a host having an IP address and determine whether the IP address is included in a first probabilistic data structure representing addresses of hosts having failed to authenticate using a first authentication procedure. The attack mitigation devices are also configured to perform the first authentication procedure, responsive to a determination that the IP address of the host is not included in the first data structure. The attack mitigation devices are yet further configured to allow the host to access the protected network, responsive to successful completion of the first authentication procedure and to update the first data structure to include the IP address of the host, responsive to unsuccessful completion of the first authentication procedure.
    Type: Application
    Filed: July 29, 2016
    Publication date: February 1, 2018
    Inventors: Lawrence B. Huston, III, Mathew R. Richardson
  • Patent number: 9749340
    Abstract: A computer system and method for monitoring traffic for determining denial of service attacks in a network. Data packets are monitored which are attempting to access one or more server devices in a protected network. A Transport Control Protocol (TCP) window advertisement value is determined for the data packets. If a detected TCP window advertisement value for monitored packets is determined less than a TCP window advertisement threshold value then a determination is made as to whether the data rate for the packets is less than a data rate threshold value. The monitored packets are determined malicious if the detected window advertisement value is less than the TCP window advertisement threshold value and the determined data rate is less than the data rate threshold value.
    Type: Grant
    Filed: April 28, 2015
    Date of Patent: August 29, 2017
    Assignee: Arbor Networks, Inc.
    Inventor: Lawrence B. Huston, III
  • Publication number: 20170187747
    Abstract: A system for mitigating network attacks is provided. The system includes a protected network including a plurality of devices. The system further includes one or more attack mitigation devices communicatively coupled to the protected network. The attack mitigation devices are configured and operable to employ a recurrent neural network (RNN) to obtain probability information related to a request stream. The request stream may include a plurality of at least one of: HTTP, RTSP and/or DNS messages. The attack mitigation devices are further configured to analyze the obtained probability information to detect one or more atypical requests in the request stream. The attack mitigation services are also configured and operable to perform, in response to detecting one or more atypical requests, mitigation actions on the one or more atypical requests in order to block an attack.
    Type: Application
    Filed: December 28, 2015
    Publication date: June 29, 2017
    Inventor: Lawrence B. Huston, III
  • Publication number: 20170070531
    Abstract: A system for mitigating network attacks within encrypted network traffic is provided. The system includes a protected network including a plurality of devices. The system further includes attack mitigation devices communicatively coupled to the protected network and to a cloud platform. The attack mitigation devices are configured and operable to decrypt the encrypted traffic received from the cloud platform and destined to the protected network to form a plurality of decrypted network packets and analyze the plurality of decrypted network to detect attacks. The attack mitigation devices are further configured to generate, in response to detecting the attacks, attack signatures corresponding to the detected attacks and configured to send the generated attack signatures to attack mitigation services provided in the cloud platform. The attack mitigation services are configured and operable to drop encrypted network traffic matching the attack signatures received from the attack mitigation devices.
    Type: Application
    Filed: September 4, 2015
    Publication date: March 9, 2017
    Inventors: Lawrence B. Huston, III, Scott Iekel-Johnson
  • Patent number: 9584533
    Abstract: A method for network traffic characterization is provided. Flow data records are acquired associated with a security alert signature. Unidimensional traffic clusters are generated based on the acquired data. A Bloom filter is populated with the acquired flow data records. Clusters of interest are identified from the generated unidimensional traffic clusters. The identified clusters of interest are compressed into a compressed set. A determination is made whether a multidimensional processing of the acquired flow data needs to be performed based on a priority associated with the alert signature. A multidimensional lattice corresponding to the unidimensional traffic clusters is generated. The multidimensional lattice is traversed and for each multidimensional node under consideration a determination is made if the Bloom filter contains flow records matching the multidimensional node under consideration.
    Type: Grant
    Filed: November 7, 2014
    Date of Patent: February 28, 2017
    Assignee: Arbor Networks, Inc.
    Inventors: David Watson, Lawrence B. Huston, III, James E. Winquist, Jeremiah Martell, Nicholas Scott
  • Publication number: 20160323299
    Abstract: A computer system and method for monitoring traffic for determining denial of service attacks in a network. Data packets are monitored which are attempting to access one or more server devices in a protected network. A Transport Control Protocol (TCP) window advertisement value is determined for the data packets. If a detected TCP window advertisement value for monitored packets is determined less than a TCP window advertisement threshold value then a determination is made as to whether the data rate for the packets is less than a data rate threshold value. The monitored packets are determined malicious if the detected window advertisement value is less than the TCP window advertisement threshold value and the determined data rate is less than the data rate threshold value.
    Type: Application
    Filed: April 28, 2015
    Publication date: November 3, 2016
    Applicant: Arbor Networks, Inc.
    Inventor: Lawrence B. Huston, III