Patents by Inventor Vinod Yegneswaran

Vinod Yegneswaran has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20230289460
    Abstract: Systems and methods for providing sensitive dataflow tracking for containerized applications are provided herein. In some embodiments, a taint tracking system for providing sensitive dataflow tracking may include an audit reporter configured to create a provenance graph; a taint tracking kernel configured to (1) create a screened provenance graph that includes data deemed sensitive, and (2) create one or more final taint sets of sensitive data to be tracked at a container level, each including the vertices and edges that descend from a particular sensitive source, using one or more dependency checkers; and a taint storage configured to store the taint sets of sensitive data to be tracked at the container level.
    Type: Application
    Filed: April 30, 2021
    Publication date: September 14, 2023
    Inventors: Ashish Gehani, Phillip A. Porras, Vinod Yegneswaran, Hassaan Irshad
  • Patent number: 11314614
    Abstract: A method, apparatus and system for providing security for a container network having a plurality of containers includes: establishing a network stack for each of the plurality of containers of the container network; determining network and policy information from active containers; based on a set of pre-determined inter-container dependencies for the plurality of containers learned from the determined network and policy information, configuring container access in the container network to be limited to only those containers that are relevant to a respective communication; and configuring inter-container traffic in the container network to be directed only from a source container into a destination container in a point-to-point manner, such that exposure of the inter-container traffic to peer containers is prevented.
    Type: Grant
    Filed: December 17, 2020
    Date of Patent: April 26, 2022
    Assignee: SRI International
    Inventors: Phillip A. Porras, Vinod Yegneswaran, Jaehyun Nam, Seungwon Shin
  • Publication number: 20220121461
    Abstract: Embodiments consistent with the present disclosure provide systems and methods for providing namespace-aware provenance tracking in a containerized environment.
    Type: Application
    Filed: October 19, 2021
    Publication date: April 21, 2022
    Inventors: Vinod Yegneswaran, Ashish Gehani, Hassaan Irshad, Xutong Chen, Yan Chen
  • Publication number: 20210211408
    Abstract: A method, apparatus and system for providing security for a container network having a plurality of containers includes: establishing a network stack for each of the plurality of containers of the container network; determining network and policy information from active containers; based on a set of pre-determined inter-container dependencies for the plurality of containers learned from the determined network and policy information, configuring container access in the container network to be limited to only those containers that are relevant to a respective communication; and configuring inter-container traffic in the container network to be directed only from a source container into a destination container in a point-to-point manner, such that exposure of the inter-container traffic to peer containers is prevented.
    Type: Application
    Filed: December 17, 2020
    Publication date: July 8, 2021
    Inventors: Phillip A. Porras, Vinod Yegneswaran, Jaehyun Nam, Seungwon Shin
  • Publication number: 20190281088
    Abstract: A network security policy may be implemented at network switches as a set of active packet disposition directives. In a dynamically programmable network, the network switches can be dynamically reprogrammed with new packet disposition directives. A security mediation service permits such dynamic reprogramming as long as the new directives are consistent with the then-current network security policy. The security mediation service evaluates candidate packet disposition directives for conflicts with the currently active security policy, before instantiating the candidate packet disposition directives at the network switches.
    Type: Application
    Filed: May 20, 2019
    Publication date: September 12, 2019
    Inventors: Phillip A. Porras, Martin W. Fong, Vinod Yegneswaran
  • Patent number: 10333988
    Abstract: A network security policy may be implemented at network switches as a set of active packet disposition directives. In a dynamically programmable network, the network switches can be dynamically reprogrammed with new packet disposition directives. A security mediation service permits such dynamic reprogramming as long as the new directives are consistent with the then-current network security policy. The security mediation service evaluates candidate packet disposition directives for conflicts with the currently active security policy, before instantiating the candidate packet disposition directives at the network switches.
    Type: Grant
    Filed: June 13, 2017
    Date of Patent: June 25, 2019
    Assignee: SRI International
    Inventors: Phillip A. Porras, Martin W. Fong, Vinod Yegneswaran
  • Publication number: 20170346857
    Abstract: A network security policy may be implemented at network switches as a set of active packet disposition directives. In a dynamically programmable network, the network switches can be dynamically reprogrammed with new packet disposition directives. A security mediation service permits such dynamic reprogramming as long as the new directives are consistent with the then-current network security policy. The security mediation service evaluates candidate packet disposition directives for conflicts with the currently active security policy, before instantiating the candidate packet disposition directives at the network switches.
    Type: Application
    Filed: June 13, 2017
    Publication date: November 30, 2017
    Applicant: SRI International
    Inventors: Phillip A. Porras, Martin W. Fong, Vinod Yegneswaran
  • Patent number: 9705918
    Abstract: A network security policy may be implemented at network switches as a set of active packet disposition directives. In a dynamically programmable network, the network switches can be dynamically reprogrammed with new packet disposition directives. A security mediation service permits such dynamic reprogramming as long as the new directives are consistent with the then-current network security policy. The security mediation service evaluates candidate packet disposition directives for conflicts with the currently active security policy, before instantiating the candidate packet disposition directives at the network switches.
    Type: Grant
    Filed: March 13, 2013
    Date of Patent: July 11, 2017
    Assignee: SRI International
    Inventors: Phillip A. Porras, Martin W. Fong, Vinod Yegneswaran
  • Patent number: 9444842
    Abstract: A network security policy may be implemented at network switches as a set of active packet disposition directives. In a dynamically programmable network, the network switches can be dynamically reprogrammed with new packet disposition directives. A security mediation service permits such dynamic reprogramming as long as the new directives are consistent with the then-current network security policy. The security mediation service evaluates candidate packet disposition directives for conflicts with the currently active security policy, before instantiating the candidate packet disposition directives at the network switches.
    Type: Grant
    Filed: March 13, 2013
    Date of Patent: September 13, 2016
    Assignee: SRI International
    Inventors: Phillip A. Porras, Martin W. Fong, Vinod Yegneswaran
  • Publication number: 20120030760
    Abstract: The present invention relates to a method and apparatus for combating web-based surreptitious binary installations. One embodiment of a method combating web-based surreptitious binary installations on a computing device includes intercepting a download of a file to a local file system of the computing device, storing the file in the local file system when the file is correlated with a user consent, and storing the file in a secure zone of the computing device when the file is not correlated with a user consent, wherein files stored in the secure zone cannot be executed or propagated.
    Type: Application
    Filed: August 2, 2010
    Publication date: February 2, 2012
    Inventors: Long Lu, Phillip Porras, Vinod Yegneswaran
  • Publication number: 20070067841
    Abstract: A monitor of malicious network traffic attaches to unused addresses and monitors communications with an active responder that has constrained-state awareness to be highly scalable. In a preferred embodiment, the active responder provides a response based only on the previous statement from the malicious source, which in most cases is sufficient to promote additional communication with the malicious source, presenting a complete record of the transaction for analysis and possible signature extraction.
    Type: Application
    Filed: August 29, 2005
    Publication date: March 22, 2007
    Inventors: Vinod Yegneswaran, Paul Barford, David Plonka
  • Publication number: 20060212942
    Abstract: An automatic technique for generating signatures for malicious network traffic performs a cluster analysis of known malicious traffic to create a signature in the form of a state machine. The cluster analysis may operate on semantically tagged data collected by connection or session and normalized to eliminate protocol specific features. The signature extractor may generalize the finite-state machine signatures to match network traffic not previously observed.
    Type: Application
    Filed: March 21, 2005
    Publication date: September 21, 2006
    Inventors: Paul Barford, Jonathon Giffin, Somesh Jha, Vinod Yegneswaran