Abstract: According to one embodiment, a system features a network security device and a cloud computing service. The network security device is configured to determine whether an object includes one or more characteristics associated with a malicious attack. The cloud computing service, communicatively coupled to and remotely located from the network security device, includes virtual execution logic that, upon execution by a processing unit deployed as part of the cloud computing service and after the network security device determining that the object includes the one or more characteristics associated with the malicious attack, processes the object and monitors for behaviors of at least the object suggesting the object is associated with a malicious attack.

Abstract: According to one embodiment, a system features a network security device and a cloud computing service. The network security device is configured to determine whether an object includes one or more characteristics associated with a malicious attack. The cloud computing service, communicatively coupled to and remotely located from the network security device, includes virtual execution logic that, upon execution by a processing unit deployed as part of the cloud computing service and after the network security device determining that the object includes the one or more characteristics associated with the malicious attack, processes the object and monitors for behaviors of at least the object suggesting the object is associated with a malicious attack.

Abstract: In an embodiment, a system, device and method for detecting a malicious attack is described. Herein, the system includes a security network device that conducts an analysis on received network traffic to detect a suspicious object associated with the network traffic and determine an identifier associated with a source of the suspicious object. Information associated with the suspicious object and/or ancillary data, including information that identifies a return path for analysis results to a customer, are uploaded to a detection cloud. The detection cloud includes provisioning logic and one or more virtual machines that are provisioned by the provisioning logic in accordance with at least a portion of the ancillary data. The provisioning logic to customize functionality of the detection cloud for a specific customer.

Abstract: According to one embodiment, a system features analysis circuitry and detection circuitry. The analysis circuitry features a first processing unit and a first memory that includes a filtering logic configured to produce a second plurality of objects from a received first plurality of objects. The second plurality of objects is a subset of the first plurality of objects. The detection circuitry is communicatively coupled to and remotely located from the analysis circuitry. The detection circuitry includes a second processing unit and a second memory. The second memory includes a virtual execution logic to process content within at least a first object of the second plurality of objects. The virtual execution logic is configured to monitor for behaviors, during the processing of the first object, and determine whether any or all of the monitored behaviors correspond to activities indicative that the first object is associated with a malicious attack.

Abstract: Application programming interface (API) hooks are injected into an application program executing at a client during run-time. Responsive to these hooks, data intended for encryption prior to transmission from the client is diverted, for example for content filtering, compression, etc., prior to being encrypted. In the case of encrypted data received at the client, the data is decrypted but before being passed to the application it is diverted, under control of the API hooks, for content filtering, decompression, etc.

Abstract: In an embodiment, a system, device and method for detecting a malicious attack is described. Herein, the system includes a security network device that conducts an analysis on received network traffic to detect a suspicious object associated with the network traffic and determine an identifier associated with a source of the suspicious object. Both information associated with the suspicious object and ancillary data, including information that identifies a return path for analysis results to a customer, are uploaded to a detection cloud. The detection cloud includes provisioning logic and one or more virtual machines that are provisioned by the provisioning logic in accordance with at least a portion of the ancillary data. The provisioning logic to customize functionality of the detection cloud for a specific customer.

Abstract: Herein described is a collection of traffic classifiers communicatively coupled to a classification aggregator. Traffic classifiers may use conventional techniques to classify network traffic by application name, and thereafter may construct mappings that are used to more efficiently classify future network traffic. Mappings may associate one or more characteristics of a communication flow with an application name. In a collaborative approach, these mappings are shared among the traffic classifiers by means of the classification aggregator so that one traffic classifier can leverage the intelligence (e.g., mappings) formulated by another traffic classifier.

Abstract: According to one embodiment, a network security device configured to detect malicious content within received network traffic comprises a traffic analysis controller (TAC) is provided. The traffic analysis controller comprises a network processing unit (NPU) and is configured to perform at least packet processing on the NPU with a set of pre-filters. In addition, the network security device further comprises a central processing unit (CPU) and is configured to perform at least virtual machine (VM)-based processing. The set of pre-filters is configured to distribute objects of received network traffic such that either static analysis or dynamic analysis may be performed on an object to determine whether the object contains malicious content. The static analysis may be performed on either the NPU or the CPU while the dynamic analysis is performed on the CPU.

Abstract: Application programming interface (API) hooks are injected into an application program executing at a client during run-time. Responsive to these hooks, data intended for encryption prior to transmission from the client is diverted, for example for content filtering, compression, etc., prior to being encrypted. In the case of encrypted data received at the client, the data is decrypted but before being passed to the application it is diverted, under control of the API hooks, for content filtering, decompression, etc.

Abstract: In an embodiment, a dynamic analysis engine is configured to receive an identifier associated with a source for network traffic including at least one object having at least a prescribed probability of being associated with an exploit. Deployed within a detection cloud, the dynamic analysis engine comprises one or more virtual machines and monitoring logic. The virtual machines are adapted to virtually process the identifier by establishing a communication session with a server hosting a website accessible by the identifier. In communication with the virtual machines, the monitoring logic is adapted to detect anomalous behaviors by the virtual machines during the communication session with the server.

Abstract: Application programming interface (API) hooks are injected into an application program executing at a client during run-time. Responsive to these hooks, data intended for encryption prior to transmission from the client is diverted, for example for content filtering, compression, etc., prior to being encrypted. In the case of encrypted data received at the client, the data is decrypted but before being passed to the application it is diverted, under control of the API hooks, for content filtering, decompression, etc.

Abstract: Herein described is a collection of traffic classifiers communicatively coupled to a classification aggregator. Traffic classifiers may use conventional techniques to classify network traffic by application name, and thereafter may construct mappings that are used to more efficiently classify future network traffic. Mappings may associate one or more characteristics of a communication flow with an application name. In a collaborative approach, these mappings are shared among the traffic classifiers by means of the classification aggregator so that one traffic classifier can leverage the intelligence (e.g., mappings) formulated by another traffic classifier.

Abstract: A digital certificate associating a unique identifier for a computer-based appliance with an authentication key pair for that appliance is obtained from a certificate authority using a different, manufacturing key pair for the appliance. The manufacturing key pair may be generated by the appliance at or about its time of manufacture. The public key portion of the manufacturing key pair along with the unique identifier for the appliance may be provided via secure means to the certificate authority prior to the request for the digital certificate concerning the authentication key pair. Eventually, the digital certificate associated with the authentication key pair may be used by the appliance when joining a network, as part of a one-way or two-way authentication process.

Abstract: A method and apparatus for dynamically encoding transactional information into a document over a network. The transactional information may include information about client data, object properties, or network conditions. The document may contain embedded links with embedded objects that can be requested by a client. The embedded links may contain URLs with associated domain names. The transactional information may be inserted into the domain name so that when the object request is subsequently translated by a DNS server, the DNS server can utilize the transactional information to intelligently translate the domain name into an IP address of a network device that can most advantageously serve the request.

Abstract: A secure communication protocol (e.g., SSL) transaction request from a client to a server is intercepted at a client-side proxy communicatively coupled to the client and logically deployed between the client and the server. The client-side proxy initiates a secure connection with the server and passes an attribute (e.g., a cryptographic key) associated with that secure connection to a server-side proxy communicatively coupled to the server and logically deployed between the client and the server. This enables the server-side proxy to engage in secure communications with the server in a transparent fashion.

Abstract: Application programming interface (API) hooks are injected into an application program executing at a client during run-time. Responsive to these hooks, data intended for encryption prior to transmission from the client is diverted, for example for content filtering, compression, etc., prior to being encrypted. In the case of encrypted data received at the client, the data is decrypted but before being passed to the application it is diverted, under control of the API hooks, for content filtering, decompression, etc.

Abstract: In response to an indication of a desire to initiate a secure communication session (e.g., a session utilizing a the SSL communication protocol) with a computer resource, a digital certificate indicative of whether or not a user consents to monitoring of the secure communication session is requested. The response to this request will permit or deny such monitoring, allowing the session to proceed or be cancelled, accordingly.

Abstract: A secure communication protocol (e.g., SSL) transaction request from a client to a server is intercepted at a client-side proxy communicatively coupled to the client and logically deployed between the client and the server. The client-side proxy initiates a secure connection with the server and passes an attribute (e.g., a cryptographic key) associated with that secure connection to a server-side proxy communicatively coupled to the server and logically deployed between the client and the server. This enables the server-side proxy to engage in secure communications with the server in a transparent fashion.

Abstract: A digital certificate associating a unique identifier for a computer-based appliance with an authentication key pair for that appliance is obtained from a certificate authority using a different, manufacturing key pair for the appliance. The manufacturing key pair may be generated by the appliance at or about its time of manufacture. The public key portion of the manufacturing key pair along with the unique identifier for the appliance may be provided via secure means to the certificate authority prior to the request for the digital certificate concerning the authentication key pair. Eventually, the digital certificate associated with the authentication key pair may be used by the appliance when joining a network, as part of a one-way or two-way authentication process.

Abstract: A method and apparatus for dynamically encoding transactional information into a document over a network. The transactional information may include information about client data, object properties, or network conditions. The document may contain embedded links with embedded objects that can be requested by a client. The embedded links may contain a URLs with associated domain names. The transactional information may be inserted into the domain name so that when the object request is subsequently translated by a DNS server, the DNS server can utilize the transactional information to intelligently translate the domain name into an IP address of a network device that can most advantageously serve the request.