Abstract: The technology disclosed relates to enforcing multi-part policies on data-deficient transactions of independent data stores. In particular, it relates to combining active analysis of access requests for the independent object stores with inspection of objects in the independent object stores, each of the analysis and inspection generating and persisting object metadata in a supplemental data store, actively processing data-deficient transactions that apply to the objects by accessing the supplemental data store to retrieve object metadata not available in transaction streams of the data-deficient transactions, and actively enforcing the multi-part policies using the retrieved object metadata.

Abstract: The technology disclosed relates to failure recovery in cloud-based services. In particular, the technology disclosed relates to a service instance BA that identifies a service instance BB as having a secondary role for packets carrying a stream affinity code which is specified in a service map distributed to service instances. Service instance BA state information is synchronized with the service instance BB after processing a first packet. After failure of the service instance BA, a service instance AA receives an updated service map, and prepares to forward to the service instance BA a second packet. The second packet includes a same stream affinity code as the first packet forwarded before the failure. The updated service map is used to determine that the service instance BB is available and servicing the same stream affinity code as the service instance BA. The second packet is forwarded to the service instance BB.

Abstract: The disclosed technology teaches distributed routing and load balancing in a dynamic service chain: receiving and processing a packet, with added header including stream affinity code, at a first service instance and based on processing determining a second service, among available services, that should next handle the packet. The technology teaches accessing a flow table using the stream affinity code in the header to select a service instance performing the second service in the service chain, and routing the packet to the second service instance upon egress from the first service instance. When the flow table lacks an entry for the second service corresponding to the stream affinity code, the disclosed technology teaches accessing a consistent hash table of service instances performing the second service, selecting an available instance, and updating the flow table to specify the second service instance as providing the second service for packets sharing the header.

Abstract: The technology disclosed relates to enforcing multi-part policies on data-deficient transactions of independent data stores. In particular, it relates to combining active analysis of access requests for the independent object stores with inspection of objects in the independent object stores, each of the analysis and inspection generating and persisting object metadata in a supplemental data store, actively processing data-deficient transactions that apply to the objects by accessing the supplemental data store to retrieve object metadata not available in transaction streams of the data-deficient transactions, and actively enforcing the multi-part policies using the retrieved object metadata.

Abstract: The technology disclosed relates to reducing error in security enforcement by a network security system (abbreviated NSS). The NSS classifies incoming connection access requests as loss prevention inspectable or connection preserving by determining their conformance or non-conformance with semantic and content requirements of HTTP and HTTPs protocols. The NSS forwards the loss prevention inspectable connection access requests to a data inspection and loss prevention appliance (abbreviated DILPA) for deep inspection. The NSS directly sends the connection preserving connection access requests to the destination servers, preventing connection termination and error generation.

Abstract: The technology disclosed relates to conserving inspection bandwidth of a data inspection and loss prevention appliance (DILPA) of a network security system (NSS). The technology disclosed uses bypass lists to ensure that rich content traffic is not subjected to inspection by the DILPA. An endpoint routing client (ERC), running on a device, has a bypass list of bandwidth conservable destination identifiers for which inspection bandwidth of the DILPA is conserved by bypassing the DILPA. The identifiers specify rich content sources through domain names, URLs, web categories, and server names (e.g., server name indications (SNIs), HOST headers). ERC classifies incoming connecting access requests as loss prevention inspectable or bandwidth conservable by comparing them against entries in the bypass list. ERC tunnels loss prevention inspectable requests to the DILPA over a secure encrypted channel for inspection.

Abstract: The technology disclosed teaches protecting sensitive data in the cloud via indexable databases. The method includes identifying sensitive fields of metadata for encryption and for hashing. The method also includes hashing at least partial values in the indexable sensitive fields to non-reversible hash values, concatenating the non-reversible hash values with the metadata for the network events, and encrypting the sensitive fields of metadata. Also included is sending the metadata for the network events, with the non-reversible hash values and the encrypted sensitive fields, to a remote database server that does not have a decryption key for the encrypted sensitive fields and that indexes the non-reversible hash values for indexed retrieval against the indexable sensitive fields.

Abstract: The technology discloses a method of improved recovery from failure of a service instance in a service chain. Instances AA, BA and BB perform services A and B respectively. Instance BA receives from instance AA a first packet that includes an added header with a stream affinity code consistent for packets in the stream. Instance BA with a primary role specified in a distributed service map processes the packet. BA identifies BB as having a secondary role for packets carrying the code and synchronizes BA state information with BB after processing the packet. After failure of instance BA, instance AA receives an updated service map prepares to forward a second packet, with the same code as the first packet, to BA. After determining from the updated map that BA is no longer available and instance BB has the secondary role, AA forwards the second packet to BB, instead of BA.

Abstract: The technology disclosed relates to enforcing multi-part policies on data-deficient transactions of independent data stores. In particular, it relates to combining active analysis of access requests for the independent object stores with inspection of objects in the independent object stores, each of the analysis and inspection generating and persisting object metadata in a supplemental data store, actively processing data-deficient transactions that apply to the objects by accessing the supplemental data store to retrieve object metadata not available in transaction streams of the data-deficient transactions, and actively enforcing the multi-part policies using the retrieved object metadata.

Abstract: The technology disclosed relates to reducing error in security enforcement by a network security system (abbreviated NSS). The NSS classifies incoming connection access requests as loss prevention inspectable or connection preserving by determining their conformance or non-conformance with semantic and content requirements of HTTP and HTTPs protocols. The NSS forwards the loss prevention inspectable connection access requests to a data inspection and loss prevention appliance (abbreviated DILPA) for deep inspection. The NSS directly sends the connection preserving connection access requests to the destination servers, preventing connection termination and error generation.

Abstract: The technology disclosed relates to enforcing multi-part policies on data-deficient transactions of independent data stores. In particular, it relates to combining active analysis of access requests for the independent object stores with inspection of objects in the independent object stores, each of the analysis and inspection generating and persisting object metadata in a supplemental data store, actively processing data-deficient transactions that apply to the objects by accessing the supplemental data store to retrieve object metadata not available in transaction streams of the data-deficient transactions, and actively enforcing the multi-part policies using the retrieved object metadata.

Abstract: The technology disclosed relates to conserving inspection bandwidth of a data inspection and loss prevention appliance (DILPA) of a network security system (NSS). The technology disclosed uses bypass lists to ensure that rich content traffic is not subjected to inspection by the DILPA. An endpoint routing client (ERC), running on a device, has a bypass list of bandwidth conservable destination identifiers for which inspection bandwidth of the DILPA is conserved by bypassing the DILPA. The identifiers specify rich content sources through domain names, URLs, web categories, and server names (e.g., server name indications (SNIs), HOST headers). ERC classifies incoming connecting access requests as loss prevention inspectable or bandwidth conservable by comparing them against entries in the bypass list. ERC tunnels loss prevention inspectable requests to the DILPA over a secure encrypted channel for inspection.

Abstract: The technology disclosed teaches protecting sensitive data in the cloud via indexable databases. The method includes identifying sensitive fields of metadata for encryption and for hashing. The method also includes hashing at least partial values in the indexable sensitive fields to non-reversible hash values, concatenating the non-reversible hash values with the metadata for the network events, and encrypting the sensitive fields of metadata. Also included is sending the metadata for the network events, with the non-reversible hash values and the encrypted sensitive fields, to a remote database server that does not have a decryption key for the encrypted sensitive fields and that indexes the non-reversible hash values for indexed retrieval against the indexable sensitive fields.

Abstract: The technology discloses a method of improved recovery from failure of a service instance in a service chain. Instances AA, BA and BB perform services A and B respectively. Instance BA receives from instance AA a first packet that includes an added header with a stream affinity code consistent for packets in the stream. Instance BA with a primary role specified in a distributed service map processes the packet. BA identifies BB as having a secondary role for packets carrying the code and synchronizes BA state information with BB after processing the packet. After failure of instance BA, instance AA receives an updated service map prepares to forward a second packet, with the same code as the first packet, to BA. After determining from the updated map that BA is no longer available and instance BB has the secondary role, AA forwards the second packet to BB, instead of BA.

Abstract: The disclosed technology teaches distributed routing and load balancing in a dynamic service chain: receiving and processing a packet, with added header including stream affinity code, at a first service instance and based on processing determining a second service, among available services, that should next handle the packet. The technology teaches accessing a flow table using the stream affinity code in the header to select a service instance performing the second service in the service chain, and routing the packet to the second service instance upon egress from the first service instance. When the flow table lacks an entry for the second service corresponding to the stream affinity code, the disclosed technology teaches accessing a consistent hash table of service instances performing the second service, selecting an available instance, and updating the flow table to specify the second service instance as providing the second service for packets sharing the header.

Abstract: The technology disclosed relates to enforcing multi-part policies on data-deficient transactions of independent data stores. In particular, it relates to combining active analysis of access requests for the independent object stores with inspection of objects in the independent object stores, each of the analysis and inspection generating and persisting object metadata in a supplemental data store, actively processing data-deficient transactions that apply to the objects by accessing the supplemental data store to retrieve object metadata not available in transaction streams of the data-deficient transactions, and actively enforcing the multi-part policies using the retrieved object metadata.

Abstract: The technology disclosed relates to conserving inspection bandwidth of a data inspection and loss prevention appliance (DILPA) of a network security system (NSS). The technology disclosed uses bypass lists to ensure that rich content traffic is not subjected to inspection by the DILPA. An endpoint routing client (ERC), running on a device, has a bypass list of bandwidth conservable destination identifiers for which inspection bandwidth of the DILPA is conserved by bypassing the DILPA. The identifiers specify rich content sources through domain names, URLs, web categories, and server names (e.g., server name indications (SNIs), HOST headers). ERC classifies incoming connecting access requests as loss prevention inspectable or bandwidth conservable by comparing them against entries in the bypass list. ERC tunnels loss prevention inspectable requests to the DILPA over a secure encrypted channel for inspection.

Abstract: The technology disclosed relates to detecting a data attack on a file system stored on an independent data store. The detecting includes scanning a list to identify files of the independent data store that have been updated within a timeframe, assembling current metadata for files identified by the scanning, obtaining historical metadata of the files, determining that a malicious activity is in process by analyzing the current metadata of the files and the historical metadata to identify a pattern of changes that exceeds a predetermined change velocity. Further, the detecting includes determining that the malicious activity is in process by analyzing the current metadata of the files and known patterns of malicious metadata to identify a match between the current metadata and the known patterns of malicious metadata, determining a machine/user that initiated the malicious activity, and implementing a response mechanism that restricts file modifications by the determined machine/user.

Abstract: The technology disclosed relates to detecting a data attack on a local file system. The detecting includes scanning a list to identify files of the local file system that have been updated within a timeframe, reading payloads of files identified by the scanning, calculating current content properties from the payload of the files, obtaining historical content properties of the files, determining that a malicious activity is in process by analyzing the current content properties and the historical content properties to identify a pattern of changes that exceeds a predetermined change velocity. Further, the detecting includes determining that the malicious activity is in process by analyzing the current content properties and known patterns of malicious metadata to identify a match between the current metadata and the known patterns of malicious metadata, determining a machine/user that initiated the malicious activity, and implementing a response mechanism that restricts file modifications by the machine/user.

Abstract: The technology disclosed teaches protecting sensitive data in the cloud via indexable databases. The method includes identifying sensitive fields of metadata for encryption and for hashing. The method also includes hashing at least partial values in the indexable sensitive fields to non-reversible hash values, concatenating the non-reversible hash values with the metadata for the network events, and encrypting the sensitive fields of metadata. Also included is sending the metadata for the network events, with the non-reversible hash values and the encrypted sensitive fields, to a remote database server that does not have a decryption key for the encrypted sensitive fields and that indexes the non-reversible hash values for indexed retrieval against the indexable sensitive fields.