Firewall Patents (Class 726/11)
  • Patent number: 9699142
    Abstract: Method and apparatus for cross-site scripting defense using document object model template are disclosed. In the method and apparatus, a document object model template is generated based at least in part on representative information for web content. The document object model template is provided for use in determining whether received web content is permissible.
    Type: Grant
    Filed: May 7, 2014
    Date of Patent: July 4, 2017
    Assignee: Amazon Technologies, Inc.
    Inventor: Nicholas Alexander Allen
  • Patent number: 9693185
    Abstract: Method and Over The TOP (OTT) service providing node for retrieval of geographic location information of a communication device communicatively coupled to the OTT service providing node. A request for an OTT service is received from the communication device, and an identifier of the communication device is determined. An operator of the communication device is determined, by utilizing the determined identifier of the communication device. An identifier of an Operator Location Service (OLS) node of the operator is determined. A location request is sent to the OLS node for requesting geographic location information of the communication device, the location request comprising the identifier of the communication device, the identifier of the communication device to be utilized by the OLS node for retrieving the requested geographic location information from a location server, and the retrieved geographic location information to be sent by the OLS node to the OTT service providing node.
    Type: Grant
    Filed: November 20, 2014
    Date of Patent: June 27, 2017
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Tomas Thyni, Mats Forsman, Annikki Welin
  • Patent number: 9692727
    Abstract: A context-aware distributed firewall scheme is provided. A firewall engine tasked to provide firewall protection for a set of network addresses applies a reduced set of firewall rules that are relevant to the set of addresses associated with the machine. A hypervisor implements a search structure that allows each virtual machine's filter to quickly identify relevant rules from all of the received rules. The search structure is constructed as a binary prefix tree, each node corresponding to an IP CIDR (Classless Inter-Domain Routing) block. A query for relevant rules traverses nodes of the search structure according to a queried IP address and collects all rules that are associated with the traversed nodes.
    Type: Grant
    Filed: December 2, 2014
    Date of Patent: June 27, 2017
    Assignee: NICIRA, INC.
    Inventors: Jingmin Zhou, Anirban Sengupta
  • Patent number: 9679040
    Abstract: The disclosed embodiments provide techniques for performing deduplication for a distributed filesystem. Two or more cloud controllers collectively manage distributed filesystem data that is stored in one or more cloud storage systems; the cloud controllers cache and ensure data consistency for the stored data. During operation, a cloud controller receives an incremental metadata snapshot that references new data that was added to the distributed filesystem by a remote cloud controller. The cloud controller extracts a set of deduplication information from this incremental metadata snapshot. Upon receiving a subsequent client write request (e.g., a file write that includes one or more data blocks), the cloud controller uses the extracted deduplication information to determine that one or more data blocks in the client write request have already been written to the distributed filesystem.
    Type: Grant
    Filed: February 15, 2013
    Date of Patent: June 13, 2017
    Assignee: PANZURA, INC.
    Inventors: Andrew P. Davis, John Richard Taylor, Randy Yen-pang Chou
  • Patent number: 9680795
    Abstract: Techniques for destination domain extraction for secure protocols are disclosed. In some embodiments, destination domain extraction for secure protocols includes monitoring network communications between a client and a remote server; determining if the client sends a request to create a secure connection with the remote server (e.g., in which the network communications are initiating a setup for a secure protocol-based connection); and extracting a destination domain from the request to create the secure connection with the remote server. In some embodiments, the secure protocol is a secure sockets layer (SSL) protocol or transport layer security (TLS) protocol, and the destination domain is extracted from the server name indication (SNI) of a client hello message sent from the client to the remote server. In some embodiments, destination domain extraction for secure protocols further includes applying a policy (e.g.
    Type: Grant
    Filed: June 30, 2016
    Date of Patent: June 13, 2017
    Assignee: Palo Alto Networks, Inc.
    Inventors: Shivakumar Buruganahalli, Song Wang
  • Patent number: 9674217
    Abstract: A system and method for mitigating the effects of malicious internet traffic, including DDOS attacks and email bombs, by utilizing a DNS Traffic Analyzer and Firewall to analyze network traffic intended for a DNS server and preventing some network traffic from accessing the DNS server.
    Type: Grant
    Filed: February 26, 2016
    Date of Patent: June 6, 2017
    Inventor: John Wong
  • Patent number: 9665458
    Abstract: A method and system of making information from an application accessible to an electronic device, comprising: checking, via a log monitor, a third party log file for a new log entry; sending any new log entries in the third party log file to a rules engine, the rules engine comprising at least one rule; determining if any of the new log entries violate any rules in the rules engine; making accessible any new log entries that violate any rules to the electronic device; creating an alert based on the new log entry that violates at least one rule; and notifying users of the alert using alert criteria to determine who should receive the alerts and when, wherein different users receive different alerts based on the alert criteria.
    Type: Grant
    Filed: June 1, 2012
    Date of Patent: May 30, 2017
    Assignee: Data Security Solutions, LLC
    Inventors: Thomas Edward Stevenson, Allan Michael Matyger, Jr., Paul Smith, Sean Sachen
  • Patent number: 9665711
    Abstract: A first identifier associated with a first routine is received as input. A determination of whether a first list includes the first identifier is made. In response to the determination, a first action is performed in the event the first list includes the first identifier. A second action that is different from the first action is performed in the event the first list does not include the first identifier.
    Type: Grant
    Filed: December 6, 2013
    Date of Patent: May 30, 2017
    Assignee: QUALCOMM Incorporated
    Inventors: Bjorn Markus Jakobsson, Karl-Anders R. Johansson
  • Patent number: 9648006
    Abstract: A system and method for communicating with a client application that can include at a communication platform, receiving an authorization token of a first client application; verifying at least one permission associated with the authorization token; at a first server of the communication platform, accepting an incoming communication request; retrieving communication instructions from a server according to the incoming communication request; identifying an instruction to communicate with a communication destination of the first client application; and establishing communication with the first client application.
    Type: Grant
    Filed: September 21, 2012
    Date of Patent: May 9, 2017
    Assignee: Twilio, Inc.
    Inventors: Jeffrey Lawson, John Wolthuis, Evan Cooke, Jonas Borjesson, Rob Simutis
  • Patent number: 9634987
    Abstract: A non-transitory computer readable medium storing instructions which, when executed on one or more processors, cause performance of operations. The operations include: receiving a first message from a device; determining, in response to the first message, a media access control (MAC) address of the device; and transmitting, in response to the first message, a second message comprising the MAC address to the device.
    Type: Grant
    Filed: January 31, 2014
    Date of Patent: April 25, 2017
    Assignee: Aruba Networks, Inc.
    Inventors: Cameron Esdaile, Kiyo Kubo, Nicholas Farina
  • Patent number: 9635060
    Abstract: In illustrative embodiments, methods in accordance with the present invention utilize a thin kernel module operating in the kernel space of an operating system to redirect all TCP flows to user space for application analysis and processing. Redirected data is presented to the user space application as a data stream, allowing the processing of information contained within the data stream from the user space on a mobile device. This allows the user space application to inspect and take action on incoming data before allowing the data to continue to pass through the device. This enables parental controls, firewalls, real-time anti-virus scanning, tethering/hot-spot, bandwidth optimization, and similar programs to effectively operate across different mobile devices as user downloadable/actuatable applications.
    Type: Grant
    Filed: April 13, 2015
    Date of Patent: April 25, 2017
    Assignee: CONTENT WATCH HOLDINGS, INC.
    Inventors: James D. Hegge, Bryan D. Ashby, Hugh C. Davis, William F. Phillips
  • Patent number: 9635581
    Abstract: Local breakout mechanisms can be performed by a femto access point (FAP) to facilitate efficient utilization of backhaul and/or macro networks. In particular, a slave Gateway GPRS Support Node (GGSN) can be integrated within the FAP to directly route the incoming traffic from a user equipment (UE) at the FAP. In one example, Internet bound traffic can be directly routed to the Internet, without employing macro network resources. Further, the system can avoid hairpinning by routing traffic between the UE and a home Local Area Network (LAN) by anchoring a call or a session in the slave GGSN, and can facilitate integration of UEs with home applications by employing a UE Digital Home Agent. In addition, the FAP can perform UE-to-UE CS media breakout to facilitate communication between UEs attached to the FAP, without routing the traffic through the core macro network.
    Type: Grant
    Filed: June 10, 2015
    Date of Patent: April 25, 2017
    Assignees: AT&T INTELLECTUAL PROPERTY I, L.P., AT&T MOBILITY II LLC
    Inventors: Cheng P. Liu, Alireza Faryar, Kurt Huber
  • Patent number: 9628497
    Abstract: An intrusion detection method for detecting an intrusion in data traffic on a data communication network parses the data traffic to extract at least one protocol field of a protocol message of the data traffic, and associates the extracted protocol field with a model for that protocol field. The model is selected from a set of models. An assessment is made to determine if the contents of the extracted protocol field are in a safe region as defined by the model, and an intrusion detection signal is generated in case it is established that the contents of the extracted protocol field are outside the safe region. The set of models may comprise a corresponding model for each protocol field of a set of protocol fields.
    Type: Grant
    Filed: July 26, 2012
    Date of Patent: April 18, 2017
    Assignee: Security Matters B.V.
    Inventor: Emmanuele Zambon
  • Patent number: 9628321
    Abstract: A receiver of network data dynamically filters packets by packet type from a network device CPU based on usage information, such as time, day, location, and feature (e.g., “video” or “application”) selection.
    Type: Grant
    Filed: May 22, 2013
    Date of Patent: April 18, 2017
    Assignees: Sony Electronics Inc., SONY CORPORATION
    Inventors: Fredrik Carpio, Milton Massey Frazier, Nikolaos Georgis
  • Patent number: 9621516
    Abstract: A method is provided to control the flow of packets within a system that includes one or more computer networks comprising: policy rules are provided that set forth attribute dependent conditions for communications among machines on the one or more networks; machine attributes and corresponding machine identifiers are obtained for respective machines on the networks; and policy rules are transformed to firewall rules that include machine identifiers of machines having attributes from among the obtained machine attributes that satisfy the attribute dependent policy rules.
    Type: Grant
    Filed: June 24, 2009
    Date of Patent: April 11, 2017
    Assignee: VMware, Inc.
    Inventors: Debashis Basak, Rohit Toshniwal, Allwyn Sequeira
  • Patent number: 9602527
    Abstract: Systems and methods for retrospective scanning of network traffic logs for missed threats using updated scan engines are provided. According to an embodiment, a network security device maintains a network traffic log that includes information associated with network activities observed within a private network. Responsive to an event, the network traffic log is retrospectively scanned in an attempt to identify a threat that was missed by a previous signature-based scan or a previous reputation-based scan of the observed network activities. When the threat is identified as a result of the retrospective scan, then remedial and/or preventive action is taken with respect to the threat.
    Type: Grant
    Filed: March 19, 2015
    Date of Patent: March 21, 2017
    Assignee: Fortinet, Inc.
    Inventor: Qianyong Yu
  • Patent number: 9590993
    Abstract: Some embodiments of the invention are directed to techniques for determining whether a process on a computer system that is sending or receiving data, or is attempting to send or receive data, with another computer system is executing in kernel mode or user mode and providing an indicator of this determination to a security engine. In some embodiments, such an indication is provided to a security engine (e.g., a firewall) that implements a security policy based at least in part on whether the sending or receiving process is in kernel mode or user mode, and filters communications based on a process's operating mode. This enables a security engine to maintain security policies of greater specificity and thus improve security of a computer system.
    Type: Grant
    Filed: September 9, 2014
    Date of Patent: March 7, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: David Abzarian, Salahuddin Khan, Eran Yariv, Gerardo Diaz Cuellar
  • Patent number: 9591480
    Abstract: A method, a device, and a communication system are provided for secure communication of at least one of multiple components of a vehicle with at least one external communication partner via a wireless communication link, the multiple components in each case including at least one communication module for data exchange. The method includes exchange of data packets between a transceiver device of the vehicle and an external transceiver station, a communication status of the wireless communication link being ascertained and a data exchange between the at least one component and/or the external communication partner on the one hand, and the others of the multiple components on the other hand and/or an access of the at least one component and/or of the external communication partner to the others of the multiple components being enabled or disabled as a function of the communication status. The device and the communication system are provided for implementing the method.
    Type: Grant
    Filed: May 4, 2006
    Date of Patent: March 7, 2017
    Assignee: VOLKSWAGEN AG
    Inventor: Amer Aijaz
  • Patent number: 9584544
    Abstract: A system and method for providing security in a virtual environment are provided. An example system includes a link module that links a secured logical component to a logical entity including a set of virtual machines. The example system also includes a security module that identifies a set of security policies for one or more communications to the logical entity or one or more communications from the logical entity. The example system further includes a control module that controls, based on the set of security policies, the one or more communications to the logical entity or the one or more communications from the logical entity.
    Type: Grant
    Filed: March 12, 2013
    Date of Patent: February 28, 2017
    Assignee: Red Hat Israel, Ltd.
    Inventor: David Botzer
  • Patent number: 9578087
    Abstract: A method for providing a desired portion of a data object document is disclosed. The method comprises receiving, from a client device, an Application Program Interface (API) request for a data object document, where the API request includes a parameter identifying the desired portion of the data object document, and the desired portion is less than all of the data object document. The method continues with transmitting the API request for the data object document to an origin server, and receiving an API response from the origin server that includes the data object document including more than the desired portion of the data object document. The method further includes automatically selecting, from the received data object document, the desired portion of the data object document based on the parameter, and transmitting, to the client device, the desired portion instead of all of the data object document.
    Type: Grant
    Filed: September 18, 2015
    Date of Patent: February 21, 2017
    Assignee: CLOUDFLARE, INC.
    Inventor: David Alexander Kitchen
  • Patent number: 9577919
    Abstract: DNS wildcard beaconing. In one embodiment, for example, a computer-implemented method comprises: receiving a network request from a resolver to resolve a hostname, the network request from the resolver comprising a network address of the resolver, the hostname comprising a unique wildcard portion; storing first data representing an association between at least the unique wildcard portion and the network address of the resolver; receiving a network request from a client for a resource, the network request from the client comprising a network address of the client and at least the unique wildcard portion; storing second data representing an association between at least the unique wildcard portion and the network address of the client; based on the first data and the second data, associating the client with the resolver; and storing third data representing the association between the client and the resolver.
    Type: Grant
    Filed: February 27, 2014
    Date of Patent: February 21, 2017
    Assignee: Yahoo! Inc.
    Inventors: Michael Christian, David Apgar
  • Patent number: 9553891
    Abstract: Automated locating and disconnection of undesired devices may include receiving both the addresses of the device and the switch coupled to the device and determining whether the switch can blackhole the traffic of the device. If it is determined that the switch cannot blackhole the traffic associated with the device, systems and methods of the present disclosure may further determine whether the switch can reroute the traffic of the device. If, however, the switch can blackhole traffic of the device, a blackhole command may be issued to transform a destination of the traffic associated with the device to a null destination. Alternatively, if it is determined that the switch can reroute traffic of the device, a reroute command may be issued to transform the destination of the traffic associated with the device to a safe zone.
    Type: Grant
    Filed: July 27, 2015
    Date of Patent: January 24, 2017
    Assignee: Bank of America Corporation
    Inventors: Rahul Isola, Anthony Grossi
  • Patent number: 9548989
    Abstract: When obtained communication data corresponds to an external communication from the outside of the network to the inside, external communication data is stored. When the obtained communication data corresponds to a service start, external communication data associated with the service start is extracted, and service start data is stored in correlation with the extracted external communication data. When the obtained communication data corresponds to an operation end, operation end data is stored. When the obtained communication data corresponds to a communication from the inside to the outside of the network, operation end data associated with the obtained communication data is extracted. Then, it is determined that a condition is satisfied that external communication data associated with the obtained communication data is stored in correlation with the service start data associated with the extracted operation end data. When the condition is satisfied, an attack for the system is detected.
    Type: Grant
    Filed: December 16, 2014
    Date of Patent: January 17, 2017
    Assignee: FUJITSU LIMITED
    Inventors: Masahiro Yamada, Yuki Fujishima, Masanobu Morinaga
  • Patent number: 9544316
    Abstract: A method, a device and a system for detecting security of a download link are provided. The method comprises: pre-acquiring an information set of download link security (S101); performing a feature matching between information of a download link and content of the information set of download link security (S102); and identifying security of the download link according to a result of the feature matching, and presenting an identification result to a user (S103). In the method, device and system, statistics regarding security of download links in a network are collected in advance to generate an information set, whether a download link in a webpage is secure is determined according to the preset information set, and a corresponding prompt is provided to a user, so that the user can know the security of the download link before downloading, thereby reducing ineffective download behaviors and the consumption of network bandwidth resources.
    Type: Grant
    Filed: September 21, 2012
    Date of Patent: January 10, 2017
    Assignee: Beijing Qihoo Technology Company Limited
    Inventors: Ningyi Chen, Yipeng Zhu
  • Patent number: 9542433
    Abstract: Systems and methods for ensuring the quality of identity and access management information at a computing system are described. Access right information that respectively corresponds to one or more access rights may be stored at a data store. The access right information may be stored in accordance with a data model that defines respective relationships between the access rights and both the users having access to the computing system and the computing resources of the computing system. At least a portion of the access right information may be retrieved, and quality assurance tasks may be performed using the portion of the access right information retrieved.
    Type: Grant
    Filed: May 1, 2014
    Date of Patent: January 10, 2017
    Assignee: Bank of America Corporation
    Inventors: Armen Moloian, Ronald W. Ritchey
  • Patent number: 9544194
    Abstract: A network management service system includes a policy management apparatus that receives updating of a communication policy from a user and manages the communication policy for each user; a control apparatus that generates a packet handling operation of a packet associated with the communication policy of the user, in response to a request from the user, and sets the generated packet handling operation in a forwarding node(s); and the forwarding node(s) that processes the packet using the packet handling operation generated by the control apparatus.
    Type: Grant
    Filed: September 7, 2012
    Date of Patent: January 10, 2017
    Assignee: NEC CORPORATION
    Inventors: Kentaro Sonoda, Hideyuki Shimonishi, Toshio Koide, Yoichi Hatano
  • Patent number: 9537891
    Abstract: A policy that includes an address group is received. The policy is compiled into a set of one or more rules. The compiling is performed at least in part by determining members of the address group. The compiling can further include substituting one or more IP addresses of the members for the address group. At least one rule included in the set of rules is enforced.
    Type: Grant
    Filed: December 20, 2013
    Date of Patent: January 3, 2017
    Assignee: Palo Alto Networks, Inc.
    Inventors: Martin Walter, Jeffrey Fitz-Gerald
  • Patent number: 9531590
    Abstract: Some embodiments provide an elastic architecture for providing a service in a computing system. To perform a service on the data messages, the service architecture uses a service node (SN) group that includes one primary service node (PSN) and zero or more secondary service nodes (SSNs). The service can be performed on a data message by either the PSN or one of the SSNs. However, in addition to performing the service, the PSN also performs a load balancing operation that assesses the load on each service node (i.e., on the PSN or each SSN), and based on this assessment, has the data messages distributed to the service node(s) in its SN group. Based on the assessed load, the PSN in some embodiments also has one or more SSNs added to or removed from its SN group. To add or remove an SSN to or from the service node group, the PSN in some embodiments directs a set of controllers to add (e.g., instantiate or allocate) or remove the SSN to or from the SN group.
    Type: Grant
    Filed: December 12, 2014
    Date of Patent: December 27, 2016
    Assignee: NICIRA, INC.
    Inventors: Jayant Jain, Anirban Sengupta, Mohan Parthasarathy
  • Patent number: 9509660
    Abstract: A computer-implemented method according to one embodiment of the present disclosure includes identifying, by a computer system, an asset associated with a logical zone; detecting a change in an attribute of the asset; and in response to detecting the change in the attribute of the asset, modifying, by the computer system, a configuration setting for a firewall. Among other things, the embodiments of the present disclosure can dynamically configure and control security features in response to changes in the computing environment, including asset attribute changes, security events, operational events, user input and environmental changes. Embodiments of the present disclosure thereby help to quickly maintain or change the security posture of a system and maintain the level of compliance with a set of predefined security benchmarks or codified best practices.
    Type: Grant
    Filed: June 1, 2015
    Date of Patent: November 29, 2016
    Assignee: CATBIRD NETWORKS, INC.
    Inventors: Malcolm Rieke, James Sebastian Dennis, Michael Berman
  • Patent number: 9497622
    Abstract: A small piece of hardware connects to a mobile device and filters out attacks and malicious code. Using the piece of hardware, a mobile device can be protected by greater security and possibly by the same level of security offered by its associated corporation/enterprise. In one embodiment, a mobile security system includes a connection mechanism for connecting to a data port of a mobile device and for communicating with the mobile device; a network connection module for acting as a gateway to a network; a security policy for determining whether to forward content intended for the mobile device to the mobile device; and a security engine for executing the security policy.
    Type: Grant
    Filed: November 27, 2013
    Date of Patent: November 15, 2016
    Assignee: CUPP Computing AS
    Inventor: Shlomo Touboul
  • Patent number: 9495537
    Abstract: Methods, devices and systems for detecting suspicious or performance-degrading mobile device behaviors intelligently, dynamically, and/or adaptively determine computing device behaviors that are to be observed, the number of behaviors that are to be observed, and the level of detail or granularity at which the mobile device behaviors are to be observed. The various aspects efficiently identify suspicious or performance-degrading mobile device behaviors without requiring an excessive amount of processing, memory, or energy resources.
    Type: Grant
    Filed: June 21, 2013
    Date of Patent: November 15, 2016
    Assignee: QUALCOMM Incorporated
    Inventors: Rajarshi Gupta, Vinay Sridhara, Anil Gathala, Xuetao Wei
  • Patent number: 9497503
    Abstract: The present invention teaches methods and systems for subscriber blocking of unauthorized network traffic in a cable data network. The cable modem termination system (CMTS) incorporates a data gateway agent that filters unauthorized traffic, thereby relieving consumption-based subscribers of responsibility for related service charges. Embodiments incorporate the use of packet filtering, hybrid stateful packet filtering, content filtering, application layer filtering and time based filtering. Greater acceptance of consumption-based billing is achieved by having the filter settings directed by the subscriber.
    Type: Grant
    Filed: July 26, 2010
    Date of Patent: November 15, 2016
    Assignee: TIME WARNER CABLE ENTERPRISES LLC
    Inventors: Kenneth Gould, Andrew Danforth
  • Patent number: 9497220
    Abstract: Systems and techniques relating to securely managing electronic resources are described. A described technique includes receiving a request to add to a mobile device an account setting for a server resource account; detecting a trigger event for a new perimeter based on the account setting; in response to a parameter or a pattern associated with the account setting, retrieving a security policy from a resource server for the server resource account; and generating, by the mobile device, a new perimeter including the server resource account based on the security policy. The new perimeter is configured to prevent data associated with the server resource account from being transferred to mobile-device resources external to the new perimeter.
    Type: Grant
    Filed: October 17, 2011
    Date of Patent: November 15, 2016
    Assignees: BlackBerry Limited, 2236008 Ontario Inc.
    Inventors: Daniel Cardamore, Darrell Reginald May, Sivakumar Nagarajan, Carl Lloyd Cherry
  • Patent number: 9491185
    Abstract: One embodiment disclosed relates to a method of proactive containment of network security attacks. Filtering parameters corresponding to a specific system vulnerability are determined. These parameters are distributed to network infrastructure components, and the network infrastructure components examine packets using these parameters to detect occurrence of an attack. Once an attack is detected, the network infrastructure components take action to inhibit the attack. Other embodiments are also disclosed.
    Type: Grant
    Filed: May 13, 2013
    Date of Patent: November 8, 2016
    Assignee: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
    Inventors: John Selep, Mauricio Sanchez
  • Patent number: 9473420
    Abstract: Techniques are provided for providing access control lists in a distributed network switch. The distributed network switch made of switch units is divided into logical switch partitions, or logical networks. Physical ports of the switch units are partitioned into logical ports, where each logical port is associated with a logical switch partition. A control point of the distributed network switch manages and assigns a service tag (S-Tag) used to identify which logical port ingress and egress frames are associated with. To generate metrics and other forwarding actions for a given logical switch partition, the control point sets up access control lists (ACLs) targeting the logical ports associated with the S-Tags associated with the given logical switch partition.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: October 18, 2016
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Josep Cors, Ward R. Nelson, Daniel E. Pradilla, Chandramouli Radhakrishnan
  • Patent number: 9467324
    Abstract: A firewall security platform is provided for enhancing security of a network. The firewall security platform includes at least one interface to communicate the identity and current status of one or more traffic requesters and at least one device for receiving instructions from a user. Communication data packets associated with the one or more traffic requesters are allowed for communication via the network or denied and blocked by the firewall security platform based on the current status of each of the one or more traffic requesters. The user's instructions include making a selection, with the selection including members that are at least one of the one or more traffic requesters. The current status of each member of the selection is altered in response to the making of the selection.
    Type: Grant
    Filed: May 7, 2015
    Date of Patent: October 11, 2016
    Inventor: Michael C. Wood
  • Patent number: 9462001
    Abstract: Receive, at an access control node (ACN) of a first network enclave, a plurality of data packets inbound to the enclave. The characteristics of each received packet can be communicated from the ACN to a secure access server (SAS) of the enclave. The admissibility, to the first enclave, of each received packet for which characteristics are communicated, can be determined by the first secure access server. For each packet determined to be inadmissible, the technology can communicate, from the SAS to a plurality of ACNs of the first enclave, an instruction to deny admission to packets having the characteristics of the inadmissible packet. At each access control node receiving the instruction, the technology can deny admission to packets having the characteristics of the inadmissible packet based on the instruction to deny admission to packets having the characteristics of the inadmissible packet.
    Type: Grant
    Filed: January 15, 2014
    Date of Patent: October 4, 2016
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Gary Michael Willhite, Lauren Suzanne Lomanto
  • Patent number: 9460299
    Abstract: A computer-implemented subject monitoring method is provided. The method includes providing an online-monitoring agent configured for monitoring a personal computing device, receiving identifying information associated with at least one of an account, email address, site, and service from the personal computing device via the online-monitoring agent, and monitoring via a network the at least one of the account, email address, site, and service based on the identifying information received via the online-monitoring agent.
    Type: Grant
    Filed: December 1, 2011
    Date of Patent: October 4, 2016
    Assignee: Location Labs, Inc.
    Inventors: Andrew Weiss, Daniel Hodges, Joseph Anakata
  • Patent number: 9455954
    Abstract: A system and a method initiate a data transmission from a first computer to at least a second computer or approve access to the data on a first computer by a second computer. The computers are interconnected through a network connection. The first computer is protected against access through the network connection by a firewall. Another communication connection, which the first computer does not use for transmitting data, is provided for initiating the access authorization to the first computer or the data transmission from the first computer to at least the second computer. A printing machine is provided with the system.
    Type: Grant
    Filed: May 4, 2005
    Date of Patent: September 27, 2016
    Assignee: Heidelberger Druckmaschinen AG
    Inventor: Tom Oelsner
  • Patent number: 9444840
    Abstract: Various embodiments provide a method and apparatus of providing a distributed security service that runs light instances in a number of security devices and central instances of the security services in select security devices. A received or transmitted client content segment is directed to a light instance which either applies a security policy corresponding to the client content segment if the client content segment has been previously analyzed and has a valid security policy, or else, the light instance sends the client content segment to a central instance to be analyzed. The central instance may then provide a complete security analysis on the client content segment, determine a security policy corresponding to the client content segment and push the determined security policy to one or more of the light instances. Advantageously, a distributed security service delivery may provide highly secure, network efficient and cost effective security service delivery.
    Type: Grant
    Filed: March 13, 2012
    Date of Patent: September 13, 2016
    Assignee: Alcatel Lucent
    Inventors: Krishna P. Puttaswamy Naga, Thyagarajan Nandagopal
  • Patent number: 9444788
    Abstract: Methods and systems for Data Leak Prevention (DLP) in a private network are provided. A data structure is maintained within a network security appliance identifying candidate upper layer protocols, corresponding commands of interest and a corresponding suspect field within each of the commands that is to be subjected to DLP scanning as a result of its potential for carrying sensitive information. A packet is received by the network security appliance. A protocol associated with the packet is identified. It is determined whether the identified protocol is among those of the candidate protocols. Responsive to an affirmative determination and when a command represented by the packet is among those of the corresponding commands of interest for the candidate protocol, then a DLP scan is performed on the packet. Otherwise, the packet is allowed to pass through the network security appliance without being subject to a DLP scan.
    Type: Grant
    Filed: November 12, 2015
    Date of Patent: September 13, 2016
    Assignee: Fortinet, Inc.
    Inventor: Eric C. Hastings
  • Patent number: 9432263
    Abstract: A user is provided an interface for selecting network connectivity features for designing a virtual private cloud computing network. Each network connectivity feature has an attribute for connecting tangible storage elements and tangible computing elements in the virtual private cloud computing network. Each network connectivity feature is translatable into a network element configuration statement that instantiates an action particular to the network connectivity feature. Usage rules are defined specifying how the network connectivity features can be used. Selected network connectivity features are accepted from the user. The virtual private cloud computing network is configured in accordance with the selected network connectivity features using the tangible storage elements and tangible computing elements in the virtual private cloud computing network.
    Type: Grant
    Filed: June 26, 2014
    Date of Patent: August 30, 2016
    Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventors: Ashley Flavel, Carsten Lund, Han Nguyen
  • Patent number: 9432215
    Abstract: Some embodiments provide a network system that includes several host machines for hosting virtual machines, divided into several different domains. The network system includes several local domain management servers. A first local domain management server of a first domain is for (i) initiating creation of a set of distributed virtual switch ports associated with a particular logical network identifier on a host machine within its domain and (ii) attaching a first virtual machine on the host machine to a created port associated with the particular logical network identifier in order for the first virtual machine to send traffic over the logical network. The network system includes a second level management server for coordinating the use of logical network identifiers between multiple different logical domain management servers in order for the first virtual machine to communicate via the logical network with a second virtual machine in a second domain.
    Type: Grant
    Filed: May 21, 2013
    Date of Patent: August 30, 2016
    Assignee: NICIRA, INC.
    Inventors: James Joseph Stabile, Debashis Basak, Amol Palshikar, Sachin Thakkar
  • Patent number: 9426178
    Abstract: A method and apparatus for centralized policy programming and distributive policy enforcement is described. A method comprises centrally maintaining a plurality of policy definitions for one or more subscribers, generating policy configurations using the plurality of policy definitions, each of the policy configurations being specific to one of the plurality of policy definitions, and disseminating the policy configurations to the appropriate ones of the subscribers' networks.
    Type: Grant
    Filed: March 25, 2002
    Date of Patent: August 23, 2016
    Assignee: DELL SOFTWARE INC.
    Inventors: Boris Yanovsky, Roman Yanovsky
  • Patent number: 9419942
    Abstract: Techniques for destination domain extraction for secure protocols are disclosed. In some embodiments, destination domain extraction for secure protocols includes monitoring network communications between a client and a remote server; determining if the client sends a request to create a secure connection with the remote server (e.g., in which the network communications are initiating a setup for a secure protocol-based connection); and extracting a destination domain from the request to create the secure connection with the remote server. In some embodiments, the secure protocol is a secure sockets layer (SSL) protocol or transport layer security (TLS) protocol, and the destination domain is extracted from the server name indication (SNI) of a client hello message sent from the client to the remote server. In some embodiments, destination domain extraction for secure protocols further includes applying a policy (e.g.
    Type: Grant
    Filed: July 25, 2013
    Date of Patent: August 16, 2016
    Assignee: Palo Alto Networks, Inc.
    Inventors: Shivakumar Buruganahalli, Song Wang
  • Patent number: 9420398
    Abstract: A remotely provisioned proxy within a wireless/mobile phone that proxies a wireless communication path between a disconnected piconet (e.g., BLUETOOTH™) device and a network resource such as a universal resource locator (URL) via a mating mobile phone. Thus, an application proxy module embodied within the mobile phone provides managed access of a piconet device connected to the mating mobile phone to remote services. A disconnected piconet device uses the full data bandwidth available to a wireless phone, without the need for the disconnected piconet device to include its own separate wireless front end, or to require use of a modem within the mobile phone. Thus, using a mobile phone with application proxy, the user need not pay for the luxury of a tethered data plan.
    Type: Grant
    Filed: March 19, 2014
    Date of Patent: August 16, 2016
    Assignee: Telecommunication Systems, Inc.
    Inventors: Kevin Tsurutome, Bob Barcklay, Robert Wang
  • Patent number: 9413748
    Abstract: A method is provided and may include receiving a request for a network content delivery service from an access device; directing the access device to a network service provider for authentication for the network content delivery service; receiving a network authorization token from the access device, where the network authorization token is associated with the access device; obtaining a network access token from the network service provider; and binding the network access token to a content access token.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: August 9, 2016
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Kent K. Leung, Jayaraman R. Iyer, Bruce A. Thompson, Flemming S. Andreasen
  • Patent number: 9413718
    Abstract: A method for balancing load among firewall security devices in a network is disclosed. According to one embodiment, a switch causes firewall security devices (FSDs) of a cluster to enter into a load balancing mode. Responsive to receiving a heartbeat signal from an FSD, information regarding the FSD and the port on which the heartbeat signal was received are added to a table maintained by the switch that maps outputs of a load balancing function to ports of the switch. A received packet is forwarded to an FSD of the cluster by: (i) extracting a configurable number of bit values from a configurable set of bit positions within the packet; (ii) determining the output of the load balancing function; (iii) identifying the port to which the FSD is coupled based on the output and the table; and (iv) transmitting the packet to the FSD via the identified port.
    Type: Grant
    Filed: March 15, 2016
    Date of Patent: August 9, 2016
    Assignee: Fortinet, Inc.
    Inventors: Edward Lopez, Joe Mihelich, Matthew F. Hepburn
  • Patent number: 9413589
    Abstract: A method for discovering a communication device is disclosed. The method includes: receiving in the communication device a communication including a request for an address and an identification of an application, in response to receiving the communication, associating a dynamic address of the communication device with the identified application, and sending a second communication directly or indirectly to a client device, the second communication including the dynamic address. The communication device may further obtain a dynamic address in response to receiving the communication. The dynamic address may be used for a dedicated purpose, such as for receiving a file for subsequent use by the application.
    Type: Grant
    Filed: May 9, 2012
    Date of Patent: August 9, 2016
    Assignee: BlackBerry Limited
    Inventors: Brian Alexander Oliver, Richard John George, Tu Dien Do, Scott Peter Gammon, Kapil Nayar
  • Patent number: 9413794
    Abstract: Data associated with user identities within an electronic social networking platform is extracted from the electronic social networking platform. A request is received to filter the user identities based on a specified value for a characteristic. Based on data associated with the user identities that was extracted from the electronic social networking platform, a subset of the user identities is identified who have the specified value for the characteristic. An indication of content to be delivered to the identified subset of user identities is received. As a consequence, the content is delivered to at least some of the user identities within the identified subset of user identities.
    Type: Grant
    Filed: June 8, 2013
    Date of Patent: August 9, 2016
    Assignee: MicroStrategy Incorporated
    Inventors: Michael J Saylor, Peter Jerome DiDomenico, III, Peng Xiao, Benjamin Z. Li