Firewall Patents (Class 726/11)
  • Patent number: 10257222
    Abstract: A cloud checking and killing method for combating an anti-antivirus test includes receiving, by a cloud server, a cloud checking and killing request for performing virus checking and killing on a sample. The method further includes analyzing the cloud checking and killing request, and determining whether the cloud checking and killing request is a cloud checking and killing request of an anti-antivirus test. If the cloud checking and killing request is a cloud checking and killing request of an anti-antivirus test, returning, by the cloud server, to the client a cloud checking and killing result that the sample does not carry a virus. If the cloud checking and killing request is not a cloud checking and killing request of an anti-antivirus test, comparing the sample with a virus library of the cloud server to determine whether the sample carries a virus and performing corresponding virus checking and killing.
    Type: Grant
    Filed: December 29, 2017
    Date of Patent: April 9, 2019
    Assignee: Beijing Qihoo Technology Company Limited
    Inventor: Xu Zhang
  • Patent number: 10243971
    Abstract: A method is provided to monitor network traffic, including reserving a portion of a system memory for short-term storage of copied network traffic, wherein the system memory is volatile, receiving copied packets of intercepted network traffic traversing a network, wherein the packets are associated with a plurality of respective traffic streams included in the network traffic, storing the copied packets in the portion of the system memory, maintaining an ordered list per traffic stream of copied packets that are stored, removing copied packets selected, based on their positions in their respective ordered lists, from the portion of the system memory based on a storage constraint, receiving an attack alert identifying a packet that is involved in a network attack, identifying the traffic stream that includes the packet identified, and transferring stored copied packets that are included in the identified traffic stream from the portion of the system memory to a long-term storage device.
    Type: Grant
    Filed: March 25, 2016
    Date of Patent: March 26, 2019
    Assignee: Arbor Networks, Inc.
    Inventors: Aaron Campbell, Christopher R. Hand, Frank Murphy
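The retention scheme in the abstract above (short-term volatile buffer, one ordered list per stream, eviction under a storage constraint, and archival of a whole stream when an alert names one of its packets) as an added example. This is not the patent's or Arbor Networks' code; the eviction policy (drop the oldest packet of the stream holding the most packets), the 5-tuple stream key, the byte budget and all packet data are assumptions constructed for illustration, and a dict stands in for the long-term storage device.

```python
"""Short-term per-stream packet retention with alert-triggered archival (added example)."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Tuple

StreamKey = Tuple[str, int, str, int, str]  # src, sport, dst, dport, proto (assumed key)


@dataclass
class Packet:
    pkt_id: int
    stream: StreamKey
    payload: bytes


@dataclass
class CaptureBuffer:
    budget_bytes: int                       # the "storage constraint" on the volatile region
    used_bytes: int = 0
    streams: Dict[StreamKey, Deque[Packet]] = field(default_factory=dict)
    archive: Dict[StreamKey, List[Packet]] = field(default_factory=dict)  # stand-in for disk

    def store(self, pkt: Packet) -> None:
        """Append a copied packet to its stream's ordered list, evicting until within budget."""
        self.streams.setdefault(pkt.stream, deque()).append(pkt)
        self.used_bytes += len(pkt.payload)
        while self.used_bytes > self.budget_bytes:
            self._evict_one()

    def _evict_one(self) -> None:
        # Eviction policy (an assumption, not taken from the abstract): drop the head,
        # i.e. the oldest packet, of the stream currently holding the most packets.
        key = max(self.streams, key=lambda k: len(self.streams[k]))
        victim = self.streams[key].popleft()
        self.used_bytes -= len(victim.payload)
        if not self.streams[key]:
            del self.streams[key]

    def find_stream(self, pkt_id: int) -> Optional[StreamKey]:
        """Locate the stream that still holds the packet named in an alert."""
        for key, queue in self.streams.items():
            if any(p.pkt_id == pkt_id for p in queue):
                return key
        return None

    def on_alert(self, pkt_id: int) -> int:
        """Move every retained packet of the alerted stream to long-term storage."""
        key = self.find_stream(pkt_id)
        if key is None:
            return 0  # packet already evicted: nothing left to preserve
        queue = self.streams.pop(key)
        self.used_bytes -= sum(len(p.payload) for p in queue)
        self.archive.setdefault(key, []).extend(queue)
        return len(queue)


def demo() -> Tuple[int, int, int]:
    """Constructed traffic: a chatty benign stream crowds the buffer, then a small suspect stream arrives."""
    buf = CaptureBuffer(budget_bytes=500)
    benign: StreamKey = ("10.0.0.5", 40000, "10.0.0.9", 443, "tcp")
    suspect: StreamKey = ("198.51.100.7", 5555, "10.0.0.9", 22, "tcp")
    pid = 0
    for _ in range(20):           # 20 x 40 bytes, more than the budget holds
        pid += 1
        buf.store(Packet(pid, benign, b"A" * 40))
    for _ in range(5):            # 5 x 30 bytes of suspect traffic
        pid += 1
        buf.store(Packet(pid, suspect, b"B" * 30))
    archived = buf.on_alert(pid)  # the alert names the last suspect packet
    return archived, len(buf.archive.get(suspect, [])), buf.used_bytes


if __name__ == "__main__":
    print(demo())
```

The point a practitioner should take from the demo is that the suspect stream survives intact even though the benign stream was being evicted continuously; whether that holds depends entirely on the eviction policy, which the abstract leaves open, so the policy is the first thing to review in a real implementation.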
  • Patent number: 10230694
    Abstract: A media distribution network device connects to an online collaborative session between a first participant network device, a second participant network device, and a security participant network device. The security participant network device is configured to decrypt packets of the online collaborative session to apply security policies to the packets. An encrypted packet is received at the media distribution network device. The encrypted packet is received from the first participant network device containing data to be distributed as part of the online collaborative session. The encrypted packet is distributed to the security participant network device prior to distributing the encrypted packet to the second participant network device.
    Type: Grant
    Filed: July 15, 2016
    Date of Patent: March 12, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: K. Tirumaleswar Reddy, Prashanth Patil, Daniel G. Wing, Ram Mohan Ravindranath
  • Patent number: 10230741
    Abstract: A method is provided for securing a Signalling System No. 7 interface, SS7 interface, of a system, via which access to a local mobile radiocommunications network is carried out, in relation to an external system. The method protects the SS7 network access points of telecommunication providers from SS7/MAP attacks by detecting and filtering these attacks.
    Type: Grant
    Filed: December 1, 2015
    Date of Patent: March 12, 2019
    Assignee: GSMK GESELLSCHAFT FUER SICHERE MOBILE KOMMUNIKATION MBH
    Inventors: Tobias Engel, Holger Freyther
  • Patent number: 10225236
    Abstract: A system for dynamically implementing exceptions in an onboard network firewall has a client application interface receptive to a data link request from a client device. An onboard connectivity manager includes a firewall interface connected to the onboard network firewall to request the exceptions in response to a connection authorization, and a client presence manager receptive to the data link request relayed by the client application interface from the client device. A presence state for the client devices is activated and maintained following the data link request. A remote connectivity manager is connected to a remote application service and is in communication with the onboard connectivity manager. The remote connectivity manager generates a connection authorization based upon an evaluation of the presence state for the client device against the conditions set by the remote application service.
    Type: Grant
    Filed: November 4, 2015
    Date of Patent: March 5, 2019
    Assignee: PANASONIC AVIONICS CORPORATION
    Inventors: James A. Haak, Kwok Liang Poo
  • Patent number: 10225172
    Abstract: In one implementation, a method for tap technology can include identification of a plurality of network element primitives of a tap request, a determination of a set of selection criteria based on the plurality of network element primitives, a selection of a tap technology based on a comparison of the set of selection criteria to a tap technology profile, and a configuration of the tap domain to copy packets based on the set of selection criteria.
    Type: Grant
    Filed: April 3, 2015
    Date of Patent: March 5, 2019
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Mohammed Javed Padinhakara, Santosh Kumar Singh, Pramod Shanbhag
  • Patent number: 10225288
    Abstract: This disclosure provides a network security architecture that permits installation of different software security products as virtual machines (VMs). By relying on a common data format and standardized communication structure (e.g., using pre-established, cross-platform messaging), a general architecture can be created and used to dynamically build and reconfigure interaction between both similar and dissimilar security products. Examples are provided where an intrusion monitoring system (IMS) can be used to detect network threats based on distributed threat analytics, passing detected threats to other security products (e.g., products with different capabilities from different vendors) to trigger automatic, dynamically configured communication and reaction. A network security provider using this infrastructure can provide hosted or managed boundary security to a diverse set of clients, each on a customized basis.
    Type: Grant
    Filed: January 21, 2016
    Date of Patent: March 5, 2019
    Assignee: ServiceNow, Inc.
    Inventor: Andreas Seip Haugsnes
  • Patent number: 10218650
    Abstract: An information processing system includes information terminals; an information processing apparatus; and an information storage apparatus connected to a network different from a network to which the information processing apparatus is connected. Further, the information processing apparatus includes a receiving unit receiving information from one of the information terminals, and a transmission unit transmitting the information to other information terminals and the information storage apparatus. Each of the information terminals includes a transmission unit transmitting the information to the information processing apparatus, and a receiving unit receiving information from the information processing apparatus. The information storage apparatus includes a storage unit storing the information from the information processing apparatus.
    Type: Grant
    Filed: March 30, 2015
    Date of Patent: February 26, 2019
    Assignee: Ricoh Company, Ltd.
    Inventor: Kyohsuke Kaminushi
  • Patent number: 10212123
    Abstract: A request is received at a local domain name system server (LDNS) from a client application to resolve a domain name. Responsive to the request a WHOIS information corresponding to the domain name is obtained, using which an age of registration of the domain name and a first weighted value based on the age are computed at the LDNS. A host associated with the domain name is accessed to determine whether a type of a service is configured at the host. A second weighted value is computed based on the configuration of the type of the service. A weighted score is computed using the first weighted value and the second weighted value. An action is selected according to the weighted score. The action is applied to a network component in a network where the client application is executing, to control a manner in which the client application communicates with the host.
    Type: Grant
    Filed: November 24, 2015
    Date of Patent: February 19, 2019
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Aaron K. Baughman, Mauro Marzorati, Gregory A. Porpora
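The scoring step in the abstract above, as an added example rather than IBM's or the patent's code. It computes the two weighted values (registration age from a WHOIS record, presence of an expected service at the host), combines them, and maps the score to an action. The weights, the one-year age window, the action thresholds, the choice of "https" as the expected service, and the WHOIS record and host probe result are all assumptions constructed so the example runs offline; a real LDNS would have to perform the WHOIS lookup and host probe itself.

```python
"""Weighted domain reputation score from registration age and host service configuration (added example)."""
from datetime import date
from typing import Dict

# Assumed weights: a very recently registered domain is treated as the stronger signal.
AGE_WEIGHT = 0.7
SERVICE_WEIGHT = 0.3


def age_score(creation: date, today: date) -> float:
    """0.0 for domains older than a year, rising linearly to 1.0 for a domain registered today."""
    age_days = (today - creation).days
    if age_days < 0:
        return 1.0  # creation date in the future: malformed record, treat as maximally suspicious
    return max(0.0, 1.0 - age_days / 365.0)


def service_score(host_services: Dict[str, bool], expected: str) -> float:
    """1.0 when the expected service is not configured at the host, 0.0 when it is."""
    return 0.0 if host_services.get(expected, False) else 1.0


def weighted_score(creation: date, today: date, host_services: Dict[str, bool], expected: str) -> float:
    return AGE_WEIGHT * age_score(creation, today) + SERVICE_WEIGHT * service_score(host_services, expected)


def select_action(score: float) -> str:
    """Map the score onto an action for the network component (thresholds are assumptions)."""
    if score >= 0.7:
        return "block"
    if score >= 0.4:
        return "rate-limit"
    return "allow"


def evaluate(domain: str, whois: Dict[str, date], probe: Dict[str, bool], today: date) -> Dict[str, object]:
    """Resolve-time decision for one domain given its WHOIS record and a host service probe."""
    score = weighted_score(whois["creation_date"], today, probe, "https")
    return {"domain": domain, "score": round(score, 3), "action": select_action(score)}


# Constructed inputs: a ten-day-old domain whose host serves no HTTPS, and an old domain that does.
TODAY = date(2019, 3, 1)
FRESH = {"creation_date": date(2019, 2, 19)}
OLD = {"creation_date": date(2010, 6, 15)}

if __name__ == "__main__":
    print(evaluate("login-secure-update.test", FRESH, {"https": False}, TODAY))
    print(evaluate("example.test", OLD, {"https": True}, TODAY))
```

Two caveats when taking this beyond the toy: WHOIS data is often redacted or rate-limited, so the age signal can be missing and the code should treat "unknown" differently from "old"; and a probe of the host at resolution time adds latency and itself leaks the resolver's interest to the host.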
  • Patent number: 10185638
    Abstract: A security container of a container environment monitors a resource load in a container environment, the container environment including a container service providing operating system-level virtualization for one or more application containers connected to a virtual switch within the container environment, the one or more application containers having their traffic intercepted by the security container for inspection. The security container activates, in response to determining that the monitored resource load meets a condition in a network load policy, a new security container. The security container determines a subset of the one or more application containers to be associated with the new security container, and transfers the network connections and network sessions of the subset of the one or more application containers to the new security container.
    Type: Grant
    Filed: May 10, 2016
    Date of Patent: January 22, 2019
    Assignee: NEUVECTOR, INC.
    Inventor: Gang Duan
  • Patent number: 10187414
    Abstract: A method is disclosed in which a system compares a first set of reports characterizing network traffic flows originating from an endpoint device with a second set of reports characterizing network traffic flows originating from the endpoint device and stored at an external network device to determine whether the first set and second set of reports characterizing network traffic flows originating from an endpoint device are different. In response to determining that the first and second reports characterizing network traffic flows are different, the system identifies the network traffic flows originating from the endpoint device and reported by an external network device, but not reported by the endpoint device, as possibly indicative of malware and forwards the network traffic flows originating from the endpoint device to an analyzer for further processing.
    Type: Grant
    Filed: July 20, 2016
    Date of Patent: January 22, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: Vincent E. Parla, Andrey Zawadowskiy, Donovan O'Hara
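The comparison in the abstract above as an added example, not Cisco's or the patent's code. Both reports are reduced to sets of 5-tuples and the flows present only in the network device's view are returned for analysis. The NetFlow-like CSV layout, the field names and both reports are constructed sample data.

```python
"""Find flows the network saw from an endpoint that the endpoint itself did not report (added example)."""
import csv
from io import StringIO
from typing import List, Set, Tuple

Flow = Tuple[str, int, str, int, str]  # src, sport, dst, dport, proto

# Constructed endpoint-agent report.
ENDPOINT_REPORT = """src,sport,dst,dport,proto
10.1.1.20,51000,93.184.216.34,443,tcp
10.1.1.20,51002,10.1.1.53,53,udp
"""

# Constructed report from the external network device for the same window;
# the third flow is visible on the wire but missing from the host's own telemetry.
NETWORK_REPORT = """src,sport,dst,dport,proto
10.1.1.20,51000,93.184.216.34,443,tcp
10.1.1.20,51002,10.1.1.53,53,udp
10.1.1.20,51010,203.0.113.77,4444,tcp
"""


def parse_flows(report: str) -> Set[Flow]:
    """Normalise a CSV flow report into a set of 5-tuples (protocol lower-cased, ports as ints)."""
    flows: Set[Flow] = set()
    for row in csv.DictReader(StringIO(report)):
        flows.add((row["src"], int(row["sport"]), row["dst"], int(row["dport"]), row["proto"].lower()))
    return flows


def hidden_flows(endpoint_report: str, network_report: str, endpoint_ip: str) -> List[Flow]:
    """Flows originating from endpoint_ip that the network device reported but the endpoint did not."""
    net = {f for f in parse_flows(network_report) if f[0] == endpoint_ip}
    host = {f for f in parse_flows(endpoint_report) if f[0] == endpoint_ip}
    return sorted(net - host)


def forward_for_analysis(flows: List[Flow]) -> List[str]:
    """Stand-in for handing the flows to an analyzer: one descriptive line per flow."""
    return [f"{s}:{sp} -> {d}:{dp}/{p}" for s, sp, d, dp, p in flows]


if __name__ == "__main__":
    for line in forward_for_analysis(hidden_flows(ENDPOINT_REPORT, NETWORK_REPORT, "10.1.1.20")):
        print(line)
```

In practice the two views are never perfectly aligned: clock skew between the agent and the network device, flows that start at the edge of the reporting window, and address translation between the host and the observation point all produce differences that are not malware. Bucketing both reports into the same time window and comparing only fields both observers see reliably keeps the set difference meaningful.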
  • Patent number: 10177988
    Abstract: A topology remediation method includes with a remediation engine, deriving a number of remediation actions based on a number of incidents within an instantiated topology, and with a lifecycle management engine, modifying the instantiated topology based on a number of lifecycle management actions (LCMAs) determined to remediate the incidents.
    Type: Grant
    Filed: October 30, 2013
    Date of Patent: January 8, 2019
    Assignee: Hewlett Packard Enterprise Development LP
    Inventor: Stephane Herman Maes
  • Patent number: 10169443
    Abstract: A process for automatic tuning a set of collectors and/or sensors includes: collecting first machine data by a first sensor in a collection framework, processing the first machine data by a first collector in the collection framework to yield first collected machine data, performing analytics on the first collected machine data to generate analytics output, and tuning, based, at least in part, on the analytics output, at least one of the following: the first sensor and the first collector.
    Type: Grant
    Filed: July 18, 2016
    Date of Patent: January 1, 2019
    Assignee: International Business Machines Corporation
    Inventors: Michael Beisiegel, Dinakaran Joseph, Devaprasad K. Nadgir
  • Patent number: 10164993
    Abstract: Content inspection and analysis are described. A server stores a definition of sets of browser policies. A definition of one or more sets of users is stored. The server stores an association with a respective set of browser policies for the one or more sets of users. A request is received from a client browser associated with a user, wherein the client browser is configured to communicate with the server. The server determines which set of users the user is associated with. The server identifies a first set of browser policies that is associated with the determined set of users and applies the identified first set of browser policies to the request.
    Type: Grant
    Filed: February 21, 2017
    Date of Patent: December 25, 2018
    Assignee: Amazon Technologies, Inc.
    Inventors: Leon Robert Warman, Kurt Kufeld, Peter Sven Vosshall, Jesper Mikael Johansson, Kyle Bradley Peterson, Peter Frank Hill
  • Patent number: 10164971
    Abstract: Techniques are disclosed for enabling a user to validate the authenticity of a computing system (e.g., an access management system) such as one which controls access to one or more resources. A user can determine the authenticity of an access management system before the user provides credential information to the access management system. A user can be presented at a client system with an interface to request authentication of an access management system. The access management system may provide the user at the client system with temporary access information to submit back to the access management system. The access management system may provide recent personal information to the user at the client system to verify the access management system. Upon verification of the personal information, the access management system may prompt the user for credential information to establish a session.
    Type: Grant
    Filed: October 22, 2015
    Date of Patent: December 25, 2018
    Assignee: Oracle International Corporation
    Inventors: Stephen Mathew, Ramya Subramanya, Vipin Anaparakkal Koottayi
  • Patent number: 10164908
    Abstract: Ternary content-addressable memory (TCAM) of an ingress appliance in a visibility fabric may include rules for filtering traffic received by the ingress appliance. But the TCAM has limited space for rules and can become easily exhausted. By migrating rules to other visibility nodes in the visibility fabric, the techniques introduced here allow the TCAM to be virtually extended across multiple visibility nodes. More specifically, upon receiving a data packet at an ingress port, the ingress visibility node can tag the data packet with an identifier based on which ingress port received the data packet. The ingress visibility node can then determine, based on the identifier, whether the data packet should be filtered using a rule stored in the TCAM of the ingress visibility node or a rule stored in the TCAM of some visibility node in the visibility fabric.
    Type: Grant
    Filed: October 26, 2017
    Date of Patent: December 25, 2018
    Assignee: Gigamon Inc.
    Inventors: Avoy Nanda, Hoang Nguyen
  • Patent number: 10154062
    Abstract: This disclosure describes an approach to handle packets that arrive at a network security device, such as a router. At a data plane of the security device, packet identifiers included in an incoming packet not currently belonging to an IP session of the device are compared to packet identifiers stored in a table stored in a memory of the security device. The incoming packet identifiers include a source IP, a destination IP, a protocol, a destination port, and a source port, while the identifiers stored in the table do not include the source port. A new session is established for the incoming packet in response to the set of packet identifiers matching one of the entries in the table.
    Type: Grant
    Filed: September 25, 2015
    Date of Patent: December 11, 2018
    Assignee: NXP USA, Inc.
    Inventors: Subhashini A. Venkataramanan, Srinivasa R. Addepalli
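The table lookup in the abstract above as an added example, not NXP's or the patent's code. Sessions are keyed on the full 5-tuple, the fast-path table is keyed on the 4-tuple without the source port, and only packets matching neither are punted to the slow path. The table contents, packets and the "punt" counter are constructed for illustration.

```python
"""Data-plane session creation from a 4-tuple table that omits the source port (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

FourTuple = Tuple[str, str, str, int]        # src_ip, dst_ip, proto, dst_port (table key)
FiveTuple = Tuple[str, str, str, int, int]   # ... plus src_port (session key)


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int
    src_port: int

    def five_tuple(self) -> FiveTuple:
        return (self.src_ip, self.dst_ip, self.proto, self.dst_port, self.src_port)

    def four_tuple(self) -> FourTuple:
        # The client's ephemeral source port is deliberately left out so one table
        # entry covers every connection from that client to that service.
        return (self.src_ip, self.dst_ip, self.proto, self.dst_port)


class DataPlane:
    def __init__(self, allow_table: Set[FourTuple]) -> None:
        self.allow_table = allow_table
        self.sessions: Dict[FiveTuple, str] = {}
        self.to_control_plane = 0

    def handle(self, pkt: Packet) -> str:
        key = pkt.five_tuple()
        if key in self.sessions:
            return "session"                       # belongs to an existing IP session
        if pkt.four_tuple() in self.allow_table:
            self.sessions[key] = "established"     # new session without a control-plane round trip
            return "new-session"
        self.to_control_plane += 1
        return "punt"                              # no match: hand to the slow path


def demo() -> List[str]:
    """Constructed table and packets: two connections to one allowed service, one to a port not in the table."""
    dp = DataPlane({("10.0.0.1", "10.0.0.2", "tcp", 443)})
    packets = [
        Packet(src_ip="10.0.0.1", dst_ip="10.0.0.2", proto="tcp", dst_port=443, src_port=50000),
        Packet(src_ip="10.0.0.1", dst_ip="10.0.0.2", proto="tcp", dst_port=443, src_port=50000),
        Packet(src_ip="10.0.0.1", dst_ip="10.0.0.2", proto="tcp", dst_port=443, src_port=50001),
        Packet(src_ip="10.0.0.1", dst_ip="10.0.0.2", proto="tcp", dst_port=22, src_port=50000),
    ]
    return [dp.handle(p) for p in packets]


if __name__ == "__main__":
    print(demo())
```

The security trade-off is the one the abstract implies but does not state: dropping the source port from the table makes each entry match every ephemeral port the client might use, so an entry is effectively a host-to-service rule and needs to be populated by something that has already authorised that pair.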
  • Patent number: 10142212
    Abstract: Systems and methods are disclosed to provide on demand packet traffic monitoring for packet communications within virtual packet processing environments. Virtual TAPs (test access ports) within virtualization layers for VM (virtual machine) host hardware systems are controlled by external controllers to configure watch filters for VM platforms operating within the virtualization layer based upon trigger events determined within packet flow data and/or based upon other external trigger events. The virtual TAP controller then periodically receives watch filter packet data updates from the virtual TAP and further controls the virtual TAP to configure more detailed focus filters for the VM platforms based upon watch filter trigger events. The virtual TAP controller can further communicate one or more VM action commands (e.g., stop VM, stop application, etc.) to the virtual TAP for application to the VM platforms based upon trigger events associated with this more detailed focus filter data.
    Type: Grant
    Filed: October 26, 2015
    Date of Patent: November 27, 2018
    Assignee: Keysight Technologies Singapore (Holdings) Pte Ltd
    Inventors: Anirban Majumder, Marcel Desdier, Deepesh Arora
  • Patent number: 10135787
    Abstract: The present invention prevents all of the filter rules from leaking and the filter functions of an entire network from stopping, even if problems arise in a filter device, etc. performing filtering.
    Type: Grant
    Filed: March 8, 2016
    Date of Patent: November 20, 2018
    Assignee: NEC PLATFORMS, LTD.
    Inventor: Yoshiaki Suzuki
  • Patent number: 10129241
    Abstract: Systems, methods, and computer readable medium for virtualized computing environments. A method for providing a connection between a guest virtual machine and a service virtual machine uses driver code functions to establish a listening port on the service virtual machine without providing a listening port on the guest virtual machine. The guest virtual machine initiates a remote procedure call socket between itself and the service virtual machine over a secure, hardened port. The service virtual machine presents an authority certificate by encoding into the authority certificate identifying information received from the guest virtual machine. The service virtual machine makes available (e.g., as an ISO image) the authority certificate, which is used to establish new secure connections.
    Type: Grant
    Filed: March 26, 2018
    Date of Patent: November 13, 2018
    Assignee: Nutanix, Inc.
    Inventors: Parthasarathy Ramachandran, Karthik Chandrasekaran, Bharat Kumar Beedu, Akshay Anant Deodhar, Simon Martin Mijolovic
  • Patent number: 10129125
    Abstract: In an example, there is disclosed a computing apparatus, having: a network interface to communicatively couple to a software-defined network (SDN); first one or more logic elements providing an SDN controller engine to provide a control function for the SDN; and second one or more logic elements providing a route tracing engine to: receive a tunneling notification from a network device agent, the tunneling notification associated with a network flow; and perform a backtracking traceroute operation to deterministically identify a source device for the flow. There is also disclosed a method of providing the foregoing, and one or more tangible, non-transitory computer-readable storage mediums for providing the foregoing.
    Type: Grant
    Filed: December 18, 2015
    Date of Patent: November 13, 2018
    Assignee: McAfee, LLC
    Inventors: Gopal Agrawal, Shivakrishna Anandam Mulka
  • Patent number: 10129284
    Abstract: In a system for configuring a web application firewall, one or more parameters of the firewall are adjusted such that a test configured for exposing a vulnerability of an application protected by the application firewall is blocked by the firewall and another test configured to invoke functionality of the application but that does not expose or exploit any security vulnerability is not blocked by the firewall. A notification is provided to a user if such a firewall configuration is not found after a specified number of attempts.
    Type: Grant
    Filed: September 25, 2014
    Date of Patent: November 13, 2018
    Assignee: Veracode, Inc.
    Inventor: Erik J. Peterson
  • Patent number: 10122747
    Abstract: Data is collected from a set of devices according to a data collection policy. The data is associated with device configuration, device state, or device behavior. A norm is established using the collected data. A different data collection policy is established based on the norm. Data is collected from a particular device according to the different data collection policy. The norm is compared to the data collected from the particular device. If there is a deviation outside of a threshold deviation between the norm and the data collected from the particular device, a response is initiated.
    Type: Grant
    Filed: July 26, 2017
    Date of Patent: November 6, 2018
    Assignee: LOOKOUT, INC.
    Inventors: Kevin Patrick Mahaffey, Timothy Micheal Wyatt, Brian James Buck, John Gunther Hering, Amit Gupta, Alex Cameron Abey
  • Patent number: 10116671
    Abstract: A system and computer program product for detecting distributed denial-of-service (DDoS) attacks is provided. Current aggregated flow information for a defined period of time is analyzed. It is determined whether network flow increased above a defined flow threshold value to a second data processing system connected to a network within the defined period of time based on analyzing the current aggregated flow information. In response to determining that the network flow has increased above the defined flow threshold value to the second data processing system connected to the network within the defined period of time, it is determined that the second data processing system is under a DDoS attack.
    Type: Grant
    Filed: September 28, 2017
    Date of Patent: October 30, 2018
    Assignee: International Business Machines Corporation
    Inventors: Kuo-Chun Chen, Chih-Hung Chou, Wei-Hsiang Hsiung, Sheng-Tung Hsu
  • Patent number: 10116672
    Abstract: A method for detecting distributed denial-of-service (DDoS) attacks is provided. Current aggregated flow information for a defined period of time is analyzed. It is determined whether network flow increased above a defined flow threshold value to a second data processing system connected to a network within the defined period of time based on analyzing the current aggregated flow information. In response to determining that the network flow has increased above the defined flow threshold value to the second data processing system connected to the network within the defined period of time, it is determined that the second data processing system is under a DDoS attack.
    Type: Grant
    Filed: November 14, 2017
    Date of Patent: October 30, 2018
    Assignee: International Business Machines Corporation
    Inventors: Kuo-Chun Chen, Chih-Hung Chou, Wei-Hsiang Hsiung, Sheng-Tung Hsu
  • Patent number: 10110632
    Abstract: Methods, machines, and systems manage security policies of heterogeneous infrastructure and computing devices of a network. Security policy repository houses security policies that are pushed over the network by a policy decision point PDP to appropriate security-enabled devices (policy enforcement points (PEPs)) for enforcement. Using a closed feedback loop, a policy feedback point (PFP) collects and processes data from intrusions, alerts, violations, and other abnormal behaviors from a variety of PEPs or logs produced from PEPs. This data is sent as feedback to the policy repository. The PDP detects the data and analyzes it to determine if policy updates (which can be dynamic and automatic) need to be adaptively made and dynamically pushed to PEPs. The PDP can also send console messages or alerts to consoles or administrators.
    Type: Grant
    Filed: March 31, 2003
    Date of Patent: October 23, 2018
    Assignee: Intel Corporation
    Inventors: Hong C. Li, Ravi Sahita, Satyendra Yadav
  • Patent number: 10110559
    Abstract: Systems and methods for web application firewall tunneling are disclosed. In one embodiment, the method may include (1) receiving a plurality of characters entered by a user into a field of an HTML page that is executed in a client runtime environment of a client device; (2) executing a client tunneling application to encode at least some of the characters; (3) passing the plurality of characters through the web application firewall; (4) executing a server tunneling application to decode the encoded characters; and (5) providing the plurality of characters, including the decoded characters, to a host application. Parts of the method may be performed by at least one computer processor.
    Type: Grant
    Filed: April 27, 2015
    Date of Patent: October 23, 2018
    Assignee: JPMorgan Chase Bank, N.A.
    Inventors: Glenn Stuart Benson, Christiaan Paul Akre, Russell M. Logar
  • Patent number: 10110606
    Abstract: A system and method for providing a secured connection between servers on a local area network (LAN) and clients on a wide area network (WAN) via a de-militarized zone (DMZ). The system includes a Service, a LAN Server, a LAN Controller, a DMZ Server and a DMZ Stack Pool Service. The method includes establishing an outbound TCP-based connection to the DMZ Stack Pool Service based on a request; passing Client Connection Information to the LAN Server; generating a first connection to the Service and a second connection to the DMZ Server, wherein the LAN server creates a Connection Binder between the Service and the outbound connections; creating a Connection Binder that binds the incoming Request and the outbound connection to complete the route of the Request; streaming the Request through the DMZ Server and the LAN Server; and streaming the request data from the Service to the Client.
    Type: Grant
    Filed: February 14, 2018
    Date of Patent: October 23, 2018
    Assignee: SAFE-T DATA A.R LTD.
    Inventor: Amir Mizhar
  • Patent number: 10110556
    Abstract: Methods, systems, and computer readable media for initiating and executing a performance test of a private network and/or components thereof are disclosed. Methods and systems include a receiver endpoint in a private network, and a sender endpoint in a public network. The receiver endpoint initiates a transport layer connection with the sender endpoint. The sender endpoint allocates a port, binds to the port, and sends an Internet Protocol (IP) address and a port number over the transport layer connection. The receiver endpoint then sends a hole punch datagram from the private network to the public network to create a hole in a firewall that is separating the public and private networks. The sender endpoint receives the hole punch datagram and uses IP address and port information in the hole punch datagram to send test traffic through the hole in the firewall.
    Type: Grant
    Filed: December 17, 2014
    Date of Patent: October 23, 2018
    Assignee: KEYSIGHT TECHNOLOGIES SINGAPORE (HOLDINGS) PTE. LTD.
    Inventor: Marius Pavel Nistor
  • Patent number: 10104215
    Abstract: Embodiments of the present invention provide a blacklist management method and a device, relate to the field of communications, and are used for rapidly and conveniently adding a number to a blacklist, thereby improving operation efficiency of a terminal. The method includes: detecting, by a first terminal, an acceleration of the first terminal; when it is determined that the acceleration is greater than or equal to a first preset value, acquiring identification information of a second terminal; and adding the identification information to a blacklist. Embodiments of the method are used for blacklist management.
    Type: Grant
    Filed: April 16, 2014
    Date of Patent: October 16, 2018
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Wenhu Zhang, Faliang Yang
  • Patent number: 10104116
    Abstract: A system for determining whether a website is an illegitimate website, the system comprising: a requester module configured to request one or more rules from a host server for a website and to receive a response from the host server in response to a request; an analysis module configured to determine whether a response or lack of a response received by the requester module indicates that the website is an illegitimate website; and a record module configured to store an indication that the website is an illegitimate website, wherein the one or more rules provide one or more instructions to a robot computer program regarding access of the website by the robot computer program.
    Type: Grant
    Filed: February 9, 2016
    Date of Patent: October 16, 2018
    Assignee: MAJESTIC-12 LTD
    Inventors: Alexey Chudnovskiy, Steve Pitchford
  • Patent number: 10091028
    Abstract: Some embodiments provide a novel network control system for managing a set of switching elements in a network. The network control system includes a first set of network controllers for managing a first set of switching elements that enable communication between a first set of machines. The network control system includes a second set of network controllers for managing a second set of switching elements that enable communication between a second set of machines. The second set of switching elements is separate from the first set of switching elements and the second set of machines is separate from the first set of machines. The network control system includes a third set of network controllers for managing the first and second sets of network controllers in order to enable communication between machines in the first set of machines and machines in the second set of machines.
    Type: Grant
    Filed: August 17, 2012
    Date of Patent: October 2, 2018
    Assignee: NICIRA, INC.
    Inventors: Teemu Koponen, Martin Casado, Pankaj Thakkar, Ronghua Zhang, Daniel J. Wendlandt
  • Patent number: 10091238
    Abstract: Methods and systems for deception using distributed threat detection are provided. Exemplary methods by an enforcement point, the enforcement point communicatively coupled to a first data network and a second data network, the enforcement point not providing services in the second data network, include: receiving, from a first workload in the second data network, a data packet addressed to a second workload in the second data network, the data packet requesting a service from the second workload; determining the data packet is for unauthorized access of the second workload, the determining using at least some of a 5-tuple of the data packet; identifying a deception point using the service, the deception point being in the first data network and including a decoy for the service; and redirecting the data packet to the deception point in the first data network.
    Type: Grant
    Filed: March 2, 2017
    Date of Patent: October 2, 2018
    Assignee: vArmour Networks, Inc.
    Inventors: Choung-Yaw Shieh, Marc Woolward, Zhiping Liu, Cheng-Lin Hou, Matthew M. Williamson, Yi Hung Cheng, Chien Yang Hsu, Hsin Tien Tseng
  • Patent number: 10089462
    Abstract: A small piece of hardware connects to a mobile device and filters out attacks and malicious code. Using the piece of hardware, a mobile device can be protected by greater security and possibly by the same level of security offered by its associated corporation/enterprise. In one embodiment, a mobile security system includes a connection mechanism for connecting to a data port of a mobile device and for communicating with the mobile device; a network connection module for acting as a gateway to a network; a security policy for determining whether to forward content intended for the mobile device to the mobile device; and a security engine for executing the security policy.
    Type: Grant
    Filed: August 29, 2017
    Date of Patent: October 2, 2018
    Assignee: CUPP Computing AS
    Inventor: Shlomo Touboul
  • Patent number: 10084703
    Abstract: A method is provided in one example embodiment and includes receiving at a network element a packet including a Network Services Header (“NSH”), in which the NSH includes an Infrastructure (“I”) flag and a service path header comprising a Service Index (“SI”), and a Service Path ID (“SPI”) and determining whether the I flag is set to a first value. The method further includes, if the I flag is set to the first value, setting the I flag to a second value and forwarding the packet to the service function that corresponds to the SI for processing. The method still further includes, if the I flag is not set to the first value, decrementing the SI and making a forwarding decision based on a new value of the SI and the SPI.
    Type: Grant
    Filed: April 29, 2016
    Date of Patent: September 25, 2018
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Surendra M. Kumar, Hendrikus G. P. Bosch, Kent K. Leung, Abhijit Patra
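The two-branch forwarding rule in the abstract above, as an added Python example (not Cisco's code). It parses the 8-byte NSH base and service path headers from RFC 8300 and applies the described logic: I flag set means clear it and hand the packet to the service function for the current SI; I flag clear means decrement the SI and forward on (SPI, new SI). RFC 8300 defines no I flag, so the example assumes it lives in the unassigned bit directly after the O bit; the SPI/SI lookup tables and the "first value" being 1 are also assumptions.

```python
import struct

# NSH base header (RFC 8300): Ver(2) O(1) U(1) TTL(6) Length(6) U(4) MD Type(4) Next Protocol(8)
# Assumption for this example: the patent's "I" flag occupies the unassigned bit after O.
I_FLAG = 1 << 28

# Assumed lookup tables for service path 10 on this forwarder:
SF_TABLE = {(10, 3): "sf-firewall", (10, 2): "sf-ids"}     # (SPI, SI) -> local service function
SFF_TABLE = {(10, 2): "sff-2", (10, 1): "sff-3"}           # (SPI, SI) -> next-hop forwarder


def build_nsh(spi: int, si: int, i_flag: bool, payload: bytes = b"") -> bytes:
    """Build an MD type 2 NSH with no metadata (length 2 words), TTL 63, next proto IPv4."""
    base = (63 << 22) | (2 << 16) | (0x2 << 8) | 0x01
    if i_flag:
        base |= I_FLAG
    sph = ((spi & 0xFFFFFF) << 8) | (si & 0xFF)
    return struct.pack("!II", base, sph) + payload


def parse_nsh(pkt: bytes) -> dict:
    base, sph = struct.unpack("!II", pkt[:8])
    return {"i_flag": bool(base & I_FLAG), "spi": sph >> 8, "si": sph & 0xFF,
            "ttl": (base >> 22) & 0x3F, "length": (base >> 16) & 0x3F}


def forward(pkt: bytes, sf_table=SF_TABLE, sff_table=SFF_TABLE):
    """Return (action, target, packet) per the two branches in the abstract."""
    if len(pkt) < 8:
        return ("drop", None, pkt)
    base, sph = struct.unpack("!II", pkt[:8])
    spi, si = sph >> 8, sph & 0xFF

    if base & I_FLAG:
        # Branch 1: flag at its first value -> set it to the second value and
        # deliver to the service function registered for this SI.
        sf = sf_table.get((spi, si))
        if sf is None:
            return ("drop", None, pkt)
        base &= ~I_FLAG
        return ("to_sf", sf, struct.pack("!II", base, sph) + pkt[8:])

    # Branch 2: flag not at its first value -> decrement SI and forward on (SPI, new SI).
    if si <= 1:
        # RFC 8300: an SI that reaches 0 is invalid, so the path is exhausted here.
        return ("drop", None, pkt)
    si -= 1
    nxt = sff_table.get((spi, si))
    if nxt is None:
        return ("drop", None, pkt)
    sph = (spi << 8) | si
    return ("to_sff", nxt, struct.pack("!II", base, sph) + pkt[8:])


if __name__ == "__main__":
    # Constructed walk-through: classifier sets the flag, SF returns the packet unchanged.
    p = build_nsh(10, 3, True, b"payload")
    step1 = forward(p)                 # ('to_sf', 'sf-firewall', ...)
    step2 = forward(step1[2])          # ('to_sff', 'sff-2', ...) with SI 2
    print(step1[:2], parse_nsh(step1[2]))
    print(step2[:2], parse_nsh(step2[2]))
```

Note that a real SFF also decrements the NSH TTL and checks the Length field before trusting the header; the example leaves those out to keep the flag logic in view.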
  • Patent number: 10084809
    Abstract: A system for managing security within an enterprise includes a computing device that receives a vulnerability, generates a user score for each user within the enterprise and generates a threat score for the vulnerability. A user device score may also be generated for each device associated with a user. Based on the user score and the threat score, a composite score is generated. After acquiring a security measure, the security measure is implemented based on the composite score and, at times, the user score.
    Type: Grant
    Filed: May 6, 2016
    Date of Patent: September 25, 2018
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Douglas C. Rambo, Steven M. Trudeau, Titanya Hughes, Michael Colehouse, Timothy J. Calabro, Vincent N. Nguyen, Ben D. Brenden
  • Patent number: 10075343
    Abstract: Some embodiments provide a method for managing policies for a set of computing resources. The method imports several sets of resource management policy rules from several heterogeneous sources. The method stores each set of imported policy rules as a primitive policy. The primitive policies are (i) applicable to resources in the set of computing resources and (ii) combinable into composite policies that are applicable to resources in the set of computing resources. Composite policies are combinable into additional composite policies with primitive policies and other composite policies.
    Type: Grant
    Filed: August 17, 2015
    Date of Patent: September 11, 2018
    Assignee: VMware, Inc.
    Inventors: Gregory T. Burk, Lachlan T. Coote
  • Patent number: 10057157
    Abstract: Some embodiments provide a method for configuring a logical router in a logical network. The method receives a configuration of a rule for network address translation (NAT) used by a first logical router to translate a set of network addresses to a particular network address. The method automatically configures advertisement of a route for the particular network address to a second logical router. The method automatically adds the advertised route for the particular network address to a routing table for at least one component of the second logical router.
    Type: Grant
    Filed: October 28, 2015
    Date of Patent: August 21, 2018
    Assignee: NICIRA, INC.
    Inventors: Abhishek Goliya, Uday Masurekar
  • Patent number: 10057131
    Abstract: Embodiments of the presently disclosed invention provide a method and system for dynamically configuring computer networks based on the topology of the network and the devices contained therein. In embodiments of the present invention, the topology-aware configuration generation method and system dynamically configures each of the devices found in the network topology based on each device type and the devices that are connected therewith.
    Type: Grant
    Filed: May 6, 2015
    Date of Patent: August 21, 2018
    Assignee: JPMorgan Chase Bank, N.A.
    Inventor: Zachary S. Brown
  • Patent number: 10050940
    Abstract: A connection control system includes a management server outside a firewall, supporting connection of communications between a control target device inside the firewall and a cloud server outside the firewall, and a relay device communicating with the control target device inside the firewall. A processor included in the management server registers association information associating the cloud server and the relay device with the control target device, establishes an always-on session with the relay device, and upon reception of a connection request, transmits to the relay device via the always-on session a connection instruction to relay communications with the cloud server associated with the control target device by the association information.
    Type: Grant
    Filed: July 2, 2015
    Date of Patent: August 14, 2018
    Assignee: KONICA MINOLTA, INC.
    Inventor: Hiroaki Maekawa
  • Patent number: 10044677
    Abstract: An approach is proposed that contemplates a system and method to configure firewall rules of a VPN gateway of a protected network so that users of devices in the protected network can access the Internet securely via a captive network. First, the proposed approach enables the VPN gateway to probe the captive network with an HTTP request to discover a captive portal of the captive network. After the captive portal is discovered, one or more firewall rules of the VPN gateway are added so that network traffic from the devices in the protected network is redirected to the captive portal for authentication. Once the users are authenticated and a VPN tunnel is established between the VPN gateway and a remote VPN tunnel terminal, the firewall rules previously added are removed from the VPN gateway and all network traffic from the devices in the protected network is routed over the VPN tunnel.
    Type: Grant
    Filed: July 28, 2016
    Date of Patent: August 7, 2018
    Assignee: Barracuda Networks, Inc.
    Inventors: William J. Black, Marco Miska, Gean Han
  • Patent number: 10044765
    Abstract: A method and apparatus for centralized policy programming and distributive policy enforcement is described. A method comprises centrally maintaining a plurality of policy definitions for one or more subscribers, generating policy configurations using the plurality of policy definitions, each of the policy configurations being specific to one of the plurality of policy definitions, and disseminating the policy configurations to the appropriate ones of the subscribers' networks.
    Type: Grant
    Filed: July 13, 2016
    Date of Patent: August 7, 2018
    Assignee: SonicWALL Inc.
    Inventors: Boris Yanovsky, Roman Yanovsky
  • Patent number: 10044676
    Abstract: Some embodiments provide a method for identifying unnecessary firewall rules for a distributed firewall of a logical network. The method identifies a firewall policy for network traffic of the logical network. The firewall policy includes a set of firewall rules. The method generates a set of data for implementing the firewall policy on a set of managed forwarding elements that implement the logical network. The method analyzes potential network traffic based on the generated set of data to identify a subset of unnecessary data. The method identifies a subset of unnecessary firewall rules of the set of firewall rules that corresponds to the subset of unnecessary data.
    Type: Grant
    Filed: August 18, 2015
    Date of Patent: August 7, 2018
    Assignee: NICIRA, INC.
    Inventors: Amar Padmanabhan, Amre Shakimov, Anupam Chanda
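An added Python example of the analysis the abstract above describes, finding rules in a first-match policy that no packet can ever reach. It is not Nicira's implementation: it only checks whether a rule is fully covered by a single earlier rule (shadowed if the actions differ, redundant if they match), which is a sound but incomplete version of the general reachability analysis. The Rule type and the sample policy are constructed for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src: str           # CIDR
    dst: str           # CIDR
    proto: str         # "tcp", "udp" or "any"
    dports: tuple      # inclusive (low, high) destination port range
    action: str        # "allow" or "deny"


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matching `inner` also matches `outer`."""
    return (
        ip_network(inner.src).subnet_of(ip_network(outer.src))
        and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
        and (outer.proto == "any" or outer.proto == inner.proto)
        and outer.dports[0] <= inner.dports[0]
        and inner.dports[1] <= outer.dports[1]
    )


def unnecessary_rules(rules):
    """First-match semantics: a rule fully covered by an earlier rule never fires.
    Returns (rule name, 'shadowed' | 'redundant', name of the covering rule)."""
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings.append((rule.name, kind, earlier.name))
                break
    return findings


# Constructed sample policy (not from the patent).
POLICY = [
    Rule("allow-mgmt",    "10.0.0.0/8",     "10.1.2.10/32", "tcp", (22, 22),   "allow"),
    Rule("deny-all-ssh",  "0.0.0.0/0",      "0.0.0.0/0",    "tcp", (22, 22),   "deny"),
    Rule("allow-ops-ssh", "192.168.5.0/24", "10.1.2.10/32", "tcp", (22, 22),   "allow"),  # never reached
    Rule("allow-web",     "0.0.0.0/0",      "10.1.3.0/24",  "tcp", (443, 443), "allow"),
    Rule("allow-web-dup", "172.16.0.0/12",  "10.1.3.0/24",  "tcp", (443, 443), "allow"),  # subsumed
]

if __name__ == "__main__":
    for name, kind, by in unnecessary_rules(POLICY):
        print(f"{name}: {kind} by {by}")
```

The shadowed case is the one that matters operationally: "allow-ops-ssh" looks like it grants access, but the earlier deny swallows it, so an operator reading the policy top to bottom is misled. A rule that is covered only by the union of several earlier rules is not flagged by this pairwise check; catching that needs the header-space style analysis the abstract alludes to.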
  • Patent number: 10038671
    Abstract: Systems and methods for managing network traffic by a perimeter network security device based on internal network traffic or configuration information are provided. According to one embodiment, a network security appliance of a private network receives internal network information collected by multiple Layer 2/3 network devices of the private network. The Layer 2/3 network devices switch/route internal network traffic among multiple internal host devices without the network traffic passing through the network security device and switch/route external network traffic between the network security appliance and the internal host devices. A topology of the private network is derived based on the internal network information. Existence of potential malicious activity involving an internal host device is identified by evaluating the internal network information.
    Type: Grant
    Filed: December 31, 2016
    Date of Patent: July 31, 2018
    Assignee: Fortinet, Inc.
    Inventors: Joseph R. Mihelich, Amit Srivastav
  • Patent number: 10031958
    Abstract: Systems, methods, and software are disclosed that provide enhanced replication for message services. In one implementation, updates to a replication source are replicated to replication targets. The replication is monitored to identify an individual health of the replication for each of the replication targets. A composite health of the replication is determined based on the individual health of the replication for each of the replication targets. The updates to the replication source are then controlled based on the composite health of the replication.
    Type: Grant
    Filed: August 8, 2014
    Date of Patent: July 24, 2018
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Gregory I. Thiel, David Sterling, Sabitha Abraham, Yogesh Bansal, Nikita Kozhekin
  • Patent number: 10027676
    Abstract: A method and system for multi-user, multi-device content access metering and control is provided. In one embodiment, a system implements a method such that in response to user login requests, the system controls login access by providing multiple users login access to plural electronic devices capable of communicating via a communication system. Further, in response to user content access actions, the system controls access to content by selectively providing content to said one or more users via said one or more electronic devices based on content access policies.
    Type: Grant
    Filed: April 8, 2011
    Date of Patent: July 17, 2018
    Assignee: SAMSUNG ELECTRONICS CO., LTD.
    Inventors: Dang Tran, Fabio Gava, Yingnan Zhu, Andrew Shelansky, Michael Lovelace, Esther Zheng
  • Patent number: 10027628
    Abstract: In an embodiment, a method comprises intercepting, from a server computer, a first set of instructions that define one or more objects and one or more operations that are based, at least in part, on the one or more objects; generating, in memory, one or more data structures that correspond to the one or more objects; performing the one or more operations on the one or more data structures; updating the one or more data structures, in response to performing the one or more operations, to produce one or more updated data structures; rendering a second set of instructions, which when executed by a remote client computer cause the remote client computer to generate the updated data structures in memory on the remote client computer, wherein the second set of instructions are different than the first set of instructions; sending the second set of instructions to the remote client computer.
    Type: Grant
    Filed: October 30, 2015
    Date of Patent: July 17, 2018
    Assignee: Shape Security, Inc.
    Inventor: Justin Call
  • Patent number: 10015162
    Abstract: A method implemented by a network firewall, comprising obtaining a first authentication token for a network test, receiving a test request message for performing the network test on a network element (NE) connected to the network firewall, authenticating the test request message by determining whether the test request message includes a second authentication token that matches the first authentication token, and granting the network test on the NE when the second authentication token matches the first authentication token.
    Type: Grant
    Filed: May 11, 2015
    Date of Patent: July 3, 2018
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Yinfeng Yu, Mehdi Arashmid Akhavain Mohammadi, Tao Wan, Guoli Yin, Xingjun Chu, Khaldoon Al Zoubi, Yapeng Wu
  • Patent number: 10003616
    Abstract: Techniques for destination domain extraction for secure protocols are disclosed. In some embodiments, destination domain extraction for secure protocols includes monitoring network communications between a client and a remote server; determining if the client sends a request to create a secure connection with the remote server (e.g., in which the network communications are initiating a setup for a secure protocol-based connection); and extracting a destination domain from the request to create the secure connection with the remote server. In some embodiments, the secure protocol is a secure sockets layer (SSL) protocol or transport layer security (TLS) protocol, and the destination domain is extracted from the server name indication (SNI) of a client hello message sent from the client to the remote server. In some embodiments, destination domain extraction for secure protocols further includes applying a policy (e.g.
    Type: Grant
    Filed: April 26, 2017
    Date of Patent: June 19, 2018
    Assignee: Palo Alto Networks, Inc.
    Inventors: Shivakumar Buruganahalli, Song Wang
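The extraction step from the abstract above, as an added Python example (not Palo Alto Networks' code): walk a TLS record, the ClientHello handshake message and its extension list, and pull host_name out of the server_name extension (type 0) before any encrypted byte is exchanged, then apply a simple suffix-based policy. The ClientHello bytes are constructed by a helper in the block rather than captured, and the blocked-domain list and the "inspect" fallback are assumptions.

```python
import struct


def build_client_hello(server_name=None) -> bytes:
    """Constructed TLS 1.2 ClientHello record for testing; not a real capture."""
    extensions = struct.pack("!HH", 0x0017, 0)          # extended_master_secret, empty
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name
        sn_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0x0000, len(sn_list)) + sn_list
    body = (
        b"\x03\x03"                                     # client_version
        + b"\x11" * 32                                  # random
        + b"\x00"                                       # session_id length
        + struct.pack("!H", 4) + b"\xc0\x2f\x00\x9c"    # cipher_suites
        + b"\x01\x00"                                   # compression_methods: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data: bytes):
    """Return host_name from the SNI extension of a ClientHello record, else None."""
    if len(data) < 5 or data[0] != 0x16:                # not a handshake record
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                    # not a ClientHello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    p = hs[4:4 + hs_len]
    if len(p) < hs_len:
        return None                                     # ClientHello spans records; reassemble first
    off = 2 + 32                                        # skip version and random
    if off >= len(p):
        return None
    off += 1 + p[off]                                   # session_id
    if off + 2 > len(p):
        return None
    off += 2 + struct.unpack("!H", p[off:off + 2])[0]   # cipher_suites
    if off >= len(p):
        return None
    off += 1 + p[off]                                   # compression_methods
    if off + 2 > len(p):
        return None                                     # no extensions at all
    ext_end = off + 2 + struct.unpack("!H", p[off:off + 2])[0]
    off += 2
    if ext_end > len(p):
        return None
    while off + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", p[off:off + 4])
        edata = p[off + 4:off + 4 + elen]
        off += 4 + elen
        if etype != 0x0000 or len(edata) < 2:
            continue
        q, list_end = 2, min(2 + struct.unpack("!H", edata[:2])[0], len(edata))
        while q + 3 <= list_end:
            ntype, nlen = edata[q], struct.unpack("!H", edata[q + 1:q + 3])[0]
            name = edata[q + 3:q + 3 + nlen]
            q += 3 + nlen
            if ntype == 0 and len(name) == nlen:
                try:
                    return name.decode("ascii")
                except UnicodeDecodeError:
                    return None
        return None
    return None


def decide(sni, blocked_suffixes=("evil.example", "c2.example")) -> str:
    """Assumed policy: block listed domains and their subdomains; with no SNI
    (TLS 1.3 ECH, a non-handshake record) fall back to other inspection."""
    if sni is None:
        return "inspect"
    host = sni.lower().rstrip(".")
    for suf in blocked_suffixes:
        if host == suf or host.endswith("." + suf):
            return "block"
    return "allow"


if __name__ == "__main__":
    for rec in (build_client_hello("www.evil.example"), build_client_hello("example.org"), build_client_hello()):
        sni = extract_sni(rec)
        print(sni, decide(sni))
```

Two caveats a firewall relying on this needs to carry: SNI is asserted by the client and unauthenticated, so a policy that allows by SNI alone can be fooled by a client that names one host and connects to another (the server's certificate or the resolved destination is the cross-check); and with Encrypted Client Hello the field is no longer visible, which is why the fallback branch exists.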
  • Patent number: 10003511
    Abstract: In one embodiment, a network device routes traffic along a network path and receives a performance threshold crossing alert regarding performance of the network path. The network device detects that the performance threshold crossing alert is part of a potential network attack by analyzing, by the device, the performance threshold crossing alert. The network device also provides a notification of the detected network attack.
    Type: Grant
    Filed: September 21, 2017
    Date of Patent: June 19, 2018
    Assignee: Cisco Technology, Inc.
    Inventors: Jean-Philippe Vasseur, Sukrit Dasgupta