Abstract: A protection module operates to analyze threats, at the protocol level (e.g., at the HTML level), by intercepting all requests that a browser engine resident in a computing device sends and receives, and the protection agent completes the requests without the help of the browser engine. And then the protection module analyzes and/or modifies the completed data before the browser engine has access to it, to, for example, display it. After performing all of its processing, removing, and/or adding any code as needed, the protection module provides the HTML content to the browser engine, and the browser engine receives responses from the protection agent as if it was speaking to an actual web server, when in fact, browser engine is speaking to an analysis engine of the protection module.

Abstract: A protection module operates to analyze threats, at the protocol level (e.g., at the HTML level), by intercepting all requests that a browser engine resident in a computing device sends and receives, and the protection agent completes the requests without the help of the browser engine. And then the protection module analyzes and/or modifies the completed data before the browser engine has access to it, to, for example, display it. After performing all of its processing, removing, and/or adding any code as needed, the protection module provides the HTML content to the browser engine, and the browser engine receives responses from the protection agent as if it was speaking to an actual web server, when in fact, browser engine is speaking to an analysis engine of the protection module.

Abstract: A protection module operates to analyze threats, at the protocol level (e.g., at the HTML level), by intercepting all requests that a browser engine resident in a computing device sends and receives, and the protection agent completes the requests without the help of the browser engine. And then the protection module analyzes and/or modifies the completed data before the browser engine has access to it, to, for example, display it. After performing all of its processing, removing, and/or adding any code as needed, the protection module provides the HTML content to the browser engine, and the browser engine receives responses from the protection agent as if it was speaking to an actual web server, when in fact, browser engine is speaking to an analysis engine of the protection module.

Abstract: A protection module operates to analyze threats, at the protocol level (e.g., at the HTML level), by intercepting all requests that a browser engine resident in a computing device sends and receives, and the protection agent completes the requests without the help of the browser engine. And then the protection module analyzes and/or modifies the completed data before the browser engine has access to it, to, for example, display it. After performing all of its processing, removing, and/or adding any code as needed, the protection module provides the HTML content to the browser engine, and the browser engine receives responses from the protection agent as if it was speaking to an actual web server, when in fact, browser engine is speaking to an analysis engine of the protection module.

Abstract: A protection module operates to analyze threats, at the protocol level (e.g., at the HTML level), by intercepting all requests that a browser engine resident in a computing device sends and receives, and the protection agent completes the requests without the help of the browser engine. And then the protection module analyzes and/or modifies the completed data before the browser engine has access to it, to, for example, display it. After performing all of its processing, removing, and/or adding any code as needed, the protection module provides the HTML content to the browser engine, and the browser engine receives responses from the protection agent as if it was speaking to an actual web server, when in fact, browser engine is speaking to an analysis engine of the protection module.

Abstract: A packet forwarding network may include switches that forward network traffic between end hosts and network tap devices that forward copied network traffic to an analysis network formed from client switches that are controlled by a controller. Network analysis devices and network service devices may be coupled to the client switches at interfaces of the analysis network. The controller may receive one or more network policies from a network administrator. A network policy may identify ingress interfaces, egress interfaces, matching rules, packet manipulation services to be performed. The controller may control the client switches to generate network paths that forward network packets that match the matching rules from the ingress interfaces to the egress interfaces through service devices that perform the services of the list. The controller may generate network paths for network policies based on network topology information and/or current network conditions maintained at the controller.

Abstract: A controller may fulfill hardware address requests that are sent by source end hosts in a network to discover hardware addresses of destination end hosts. The controller may use network topology information to determine how to process the hardware address requests. The controller may retrieve a requested hardware address from a database of end hosts. If the controller is able to retrieve the hardware address of a destination end host from the database of end hosts, the controller may provide the source end host with a reply packet that contains the requested hardware address. If the controller is unable to retrieve the requested hardware address, the controller may form request packets to discover the address of the second end host and/or to discover a packet forwarding path between the source end host and the destination end host.

Abstract: A protection module operates to analyze threats, at the protocol level (e.g., at the HTML level), by intercepting all requests that a browser engine resident in a computing device sends and receives, and the protection agent completes the requests without the help of the browser engine. And then the protection module analyzes and/or modifies the completed data before the browser engine has access to it, to, for example, display it. After performing all of its processing, removing, and/or adding any code as needed, the protection module provides the HTML content to the browser engine, and the browser engine receives responses from the protection agent as if it was speaking to an actual web server, when in fact, browser engine is speaking to an analysis engine of the protection module.

Abstract: A packet forwarding network may include switches that forward network traffic between end hosts and network tap devices that forward copied network traffic to an analysis network formed from client switches that are controlled by a controller. Network analysis devices and network service devices may be coupled to the client switches at interfaces of the analysis network. The controller may receive one or more network policies from a network administrator. A network policy may identify ingress interfaces, egress interfaces, matching rules, packet manipulation services to be performed. The controller may control the client switches to generate network paths that forward network packets that match the matching rules from the ingress interfaces to the egress interfaces through service devices that perform the services of the list. The controller may generate network paths for network policies based on network topology information and/or current network conditions maintained at the controller.

Abstract: A controller may be used to control client switches in a network that includes non-client, switches. The controller may form client domains from groups of client switches that are separated by intervening non-client domains formed from non-client switches. The controller may determine a network domain topology from the client domains and non-client domains. The controller may determine a spanning tree that interconnects the nodes of the network domain topology. The controller may control client switches of the client domains to allow only network traffic between the client domains and the non-client domains along the spanning tree. The controller may use the network domain topology to generate inter-domain forwarding maps. The inter-domain forwarding maps may be used to determine network forwarding paths between end hosts in the network.

Abstract: A controller may be used to control client switches in a network that includes non-client switches. The controller may form client domains from groups of client switches that are separated by intervening non-client domains formed from non-client switches. The controller may determine a network domain topology from the client domains and non-client domains. The controller may determine a spanning tree that interconnects the nodes of the network domain topology. The controller may control client switches of the client domains to allow only network traffic between the client domains and the non-client domains along the spanning tree. The controller may use the network domain topology to generate inter-domain forwarding maps. The inter-domain forwarding maps may be used to determine network forwarding paths between end hosts in the network.

Abstract: A network of switches that forwards network packets between end hosts may be controlled by a controller. The controller may maintain information that identifies subsets of the end hosts that are associated with respective broadcast domains. The controller may configure the switches in the network to identify broadcast network packets and to forward the broadcast network packets to the controller. The controller may identify which broadcast domain is associated with a received broadcast network packet based on information such as source information retrieved from the broadcast network packet. The controller may identify switches that are coupled to the end hosts of a broadcast domain associated with the received broadcast network packet. The controller may forward the broadcast network packet to the identified switches through network control paths and may direct the identified switches to forward the broadcast network packet to end hosts of the associated broadcast domain.

Abstract: A network may include network switches with network switch ports that may be coupled to end hosts. The network switches may be controlled by a controller such as a controller server. Virtual switches may be formed using the controller from groups of the network switch ports and the end hosts. Each virtual switch may include virtual interfaces associated with end hosts or network switches. Virtual links may be formed that define network connections between the virtual interfaces and end hosts or between two virtual interfaces. Virtual network policies such as selective packet forwarding, packet dropping, packet redirection, packet modification, or packet logging may be implemented at selected virtual interfaces to control traffic through the communications network. The controller may translate the virtual network policies into network switch forwarding paths that satisfy the virtual network policies.

Abstract: A network of switches that forwards network packets between end hosts may be controlled by a controller. The controller may maintain information that identifies subsets of the end hosts that are associated with respective broadcast domains. The controller may use network topology information to determine which of the switches are coupled in a forwarding tree formed from network paths between the end hosts of a broadcast domain. The controller may be used to configure the switches with an identifier that identifies which broadcast domain is associated with each subset of end hosts. The controller may configure switches of a given forwarding tree that are coupled to end hosts of an associated broadcast domain to modify broadcast network packets received from the end hosts with the identifier and to forward the modified broadcast network packets along the forwarding tree exclusively to end hosts of the associated broadcast domain.

Abstract: A controller may help reduce network traffic that is associated with broadcasting of Dynamic Host Configuration Protocol (DHCP) packets by converting broadcast DHCP packets into unicast DHCP packets and forwarding the unicast DHCP packets to appropriate DHCP servers. The servers may be identified from a database of servers that is updated with DHCP server address information based on DHCP reply packets that are received by the controller from servers in the network. To convert DHCP request packets into unicast packets, the controller may modify address header fields of the packets such as Ethernet addresses and Internet Protocol (IP) addresses. The controller may forward the modified DHCP request packets to the server by providing packet forwarding rules such as flow table entries to the switches or by forwarding the modified DHCP request packets through the controller.

Abstract: Network packets may be transmitted from packet sources to packet destinations through a network of switches. The switches may have corresponding flow tables that control how the packets are forwarded through the switches. A controller server may generate network switch forwarding paths for the network packets by modifying the flow tables with entries based on attributes of the network packets and network topology information. The controller server may forward selected packets directly to packet destinations instead of generating the network switch forwarding paths. To determine which packets to directly forward, the controller server may calculate cost metrics associated with the network switch forwarding paths and associated with forwarding network packets directly to packet destinations.

Abstract: Network policies that control the flow of traffic through a network may be implemented using a controller server that controls a network of switches. Based on network packet attributes, the controller server may identify network policies that are associated with the network traffic. The controller server may identify dependencies between the network policies based on priorities that are associated with the network policies and overlap between the network policies. The controller server may provide the switches with packet forwarding rules based on the identified dependencies between the network policies, network switch attributes, and network switch capabilities. The packet forwarding rules may implement network policies for current network traffic and future network traffic.

Abstract: A controller may help reduce network traffic that is associated with broadcasting of Dynamic Host Configuration Protocol (DHCP) packets by converting broadcast DHCP packets into unicast DHCP packets and forwarding the unicast DHCP packets to appropriate DHCP servers. The servers may be identified from a database of servers that is updated with DHCP server address information based on DHCP reply packets that are received by the controller from servers in the network. To convert DHCP request packets into unicast packets, the controller may modify address header fields of the packets such as Ethernet addresses and Internet Protocol (IP) addresses. The controller may forward the modified DHCP request packets to the server by providing packet forwarding rules such as flow table entries to the switches or by forwarding the modified DHCP request packets through the controller.

Abstract: A network may include network switches with network switch ports that may be coupled to end hosts. The network switches may be controlled by a controller such as a controller server. Virtual switches may be formed using the controller from groups of the network switch ports and the end hosts. Each virtual switch may include virtual interfaces associated with end hosts or network switches. Virtual links may be formed that define network connections between the virtual interfaces and end hosts or between two virtual interfaces. Virtual network policies such as selective packet forwarding, packet dropping, packet redirection, packet modification, or packet logging may be implemented at selected virtual interfaces to control traffic through the communications network. The controller may translate the virtual network policies into network switch forwarding paths that satisfy the virtual network policies.

Abstract: A method and apparatus for detecting malware in network traffic is described. One embodiment executes, in an emulation environment, an executable file as it is being received serially over a network, execution beginning once a block of data including an entry point of the executable file has been received, execution halting whenever an instruction in the executable file references data not yet received and resuming once the data not yet received has been received, execution ceasing upon satisfaction of a termination condition; examining the emulation environment for indications that the executable file includes malware; and taking corrective action responsive to the results of examining the emulation environment for indications that the executable file includes malware.