Abstract: A host identification engine receives network traffic from a network and uses one or more artifact extractors to extract artifact data items that can identify a host. The artifact data items can be stored in a host signature database. Network addresses to which the hosts correspond can be stored in a network address database. A mapping table can be implemented to match the data in the signature database and network database to generate durable host identification data that can accurately track hosts as they use different identification data and/or move between hosts.

Abstract: Approaches for detecting network intrusions, such as malware infection, Trojans, worms, or bot net mining activities includes: identifying one or more threat detections in session datasets, the session datasets corresponding to network traffic from a plurality of hosts; determining a layered detection score, the layered detection score corresponding to a certainty score and threat score; determining a layered host score, the layered host score corresponding to a certainty score and threat score; and generating alarm data comprising the layered detection score and the layered host score. In some embodiments, the network traffic may be received passively through a network switch; for example, by “tapping” the switch. Other additional objects, features, and advantages of the invention are described in the detailed description, figures and claims.

Abstract: A device may include an interface to send authentication information to a plug-in, where the authentication information is related to a client device. The interface may send a policy identifier to the plug-in, where the policy identifier identifies a policy, and may receive a policy result from the plug-in, where the policy result is produced using the authentication information and a policy requirement identified by the policy identifier, and where the policy result identifies whether the client device complies with the policy.

Abstract: A host identification engine receives network traffic from a network and uses one or more artifact extractors to extract artifact data items that can identify a host. The artifact data items can be stored in a host signature database. Network addresses to which the hosts correspond can be stored in a network address database. A mapping table can be implemented to match the data in the signature database and network database to generate durable host identification data that can accurately track hosts as they use different identification data and/or move between hosts.

Abstract: A real-time perspective engine that can detect network intrusions by accepting network packets as input, organizing the packets, and processing them through a series of detection schemes to identify potentially malicious network behavior. The detection system can implement stateless detection that detects network threats in real-time. The detection system can implement state-full detection that detects network threats which in small amounts may appear innocuous but over time evidence a network attack or malicious activity.

Abstract: Approaches for detecting network intrusions, such as malware infection, Trojans, worms, or bot net mining activities includes: identifying one or more threat detections in session datasets, the session datasets corresponding to network traffic from a plurality of hosts; determining a layered detection score, the layered detection score corresponding to a certainty score and threat score; determining a layered host score, the layered host score corresponding to a certainty score and threat score; and generating alarm data comprising the layered detection score and the layered host score. In some embodiments, the network traffic may be received passively through a network switch; for example, by “tapping” the switch. Other additional objects, features, and advantages of the invention are described in the detailed description, figures and claims.

Abstract: A device may include an interface to send authentication information to a plug-in, where the authentication information is related to a client device. The interface may send a policy identifier to the plug-in, where the policy identifier identifies a policy, and may receive a policy result from the plug-in, where the policy result is produced using the authentication information and a policy requirement identified by the policy identifier, and where the policy result identifies whether the client device complies with the policy.

Abstract: A device may include an interface to send authentication information to a plug-in, where the authentication information is related to a client device. The interface may send a policy identifier to the plug-in, where the policy identifier identifies a policy, and may receive a policy result from the plug-in, where the policy result is produced using the authentication information and a policy requirement identified by the policy identifier, and where the policy result identifies whether the client device complies with the policy.