Abstract: A method implemented by a cloud-based system includes steps of, responsive to connecting to a user device with a user associated with a first tenant of a plurality of tenants, obtaining security policies for the user that are configured for the tenant, wherein the security policies for the user are the same regardless of connection type, location of the user, and device type and operating system of the user device; stream scanning traffic between the user device and the Internet based on the security policies, wherein the security policies are for firewall and intrusion prevention functions; and one of allowing and blocking the traffic based on the stream scanning.

Abstract: A method comprises collecting message-oriented-middleware system parameters from a plurality of message-oriented-middleware clusters, analyzing the parameters using one or more machine learning algorithms, and predicting, based at least in part on the analyzing, at least one anomaly in a message-oriented-middleware cluster of the plurality of message-oriented-middleware clusters. In the method, message metadata is collected from the message-oriented-middleware cluster, and at least part of the message metadata is transmitted to one or more remaining ones of the plurality of message-oriented-middleware clusters. At least the part of the message metadata corresponds to messaging operations to be transferred from the message-oriented-middleware cluster to the one or more remaining ones of the plurality of message-oriented-middleware clusters.

Abstract: The invention relates to the field of wireless mesh communication networks and in particular to methods, networks and nodes (101) for use in such a wireless mesh network (100) for establishing routes in the wireless mesh network (100) by pro-actively regularly sending many-to-one route requests at randomized intervals by wireless network nodes (101) that can operate as a proxy nodes for a mobile wireless device (104) communicating using a first wireless communication protocol and further nodes (102, 103) in the wireless mesh network (100) communicating using a second wireless communication protocol.

Abstract: Methods, systems, and computer readable media for network security are described. In some implementations, security tasks and roles can be allocated between an endpoint device and a firewall device based on tag information sent from the endpoint, the tag information including one or more characteristics of a traffic flow, information of resource availability, and/or reputation of a process associated with a traffic flow.

Abstract: A network sanitization technology for enforcing a network edge and enforcing particular communication functions for untrusted dedicated-function devices such as internet protocol (IP) cameras. An untrusted network device is isolated from a network by a network sanitization system such that it cannot communicate with the network. Communications from the untrusted device are intercepted by the system and only allowed communications are used. Allowed communications are used to create new communications according to an allowed framework. Sanitization device may be in small two-port package with visual indicia indicating the untrusted device and the network side. The device may use and provide power over Ethernet (POE) to device. Abstract is not to be considered limiting.

Abstract: A distributed denial of service attack is detected. In response to detection of the attack, application layer properties of network traffic associated with a web application under attack are analyzed. Changes to distributions of the application layer properties are identified. A signature is generated based, at least in part, on identifying a combination of application layer properties whose distributions have changed, and which identifies traffic increased since onset of the attack. A mitigation rule is generated based, at least in part, on the signature.

Abstract: The disclosed technology is generally directed towards monitoring electronic communications to detect content in a communication that is attempting to influence the recipient user in some way. A user can specify influential intent preference data, such as which electronic communications services/applications to monitor for such influential intent content, and the types of the influential intent to monitor for, e.g., political influence types, advertisement influence types, and so on. A user also can specify remedial or other actions to take upon detection, e.g., block such content, alert on detecting such content and so on. An electronic influence manager server and/or application program can perform the monitoring and/or take the actions. Also described is reporting on the communications with influential intent, user actions with respect thereto. Reputation data can also be collected and used with respect to sources of communications with influential intent.

Abstract: Disclosed herein is a method of operation of a wireless device to provide service gap control in a wireless communication system, comprising: receiving a service gap parameter from a network entity in a mobility management sublayer non-access stratum message, the service gap parameter being indicative of a value for a service gap timer for the wireless device; and enforcing the service gap parameter at the wireless device in a non-access stratum layer. Also disclosed herein is a method of operation of a core network entity in a core network of a wireless communication system to provide service gap control, comprising: obtaining a service gap parameter for a wireless device, the service gap parameter being indicative of a value for a service gap timer for the wireless device; and sending by the core network entity the service gap parameter to the wireless device via a mobility management sublayer non-access stratum message.

Abstract: Systems and methods for providing multi-perimeter firewalls via a virtual global network are disclosed. In one embodiment the network system may comprise an egress ingress point in communication with a first access point server, a second access point server in communication with the first access point server, an endpoint device in communication with the second access point server, a first firewall in communication with the first access point server, and a second firewall in communication with the second access point server. The first and second firewalls may prevent traffic from passing through their respective access point servers. The first and second may be in communication with each other and exchange threat information.

Abstract: Example embodiments provide systems and methods for increasing the cryptographic strength of an encryption or message-authentication-code-(MAC) generation technique. According to some embodiments, a MAC may be constructed around a shared secret (such as a random initialization number), thereby increasing strength of the MAC against brute force attacks based on the size of the shared secret. The MAC may be combined with randomized data, and may also be encrypted to further bolster the strength of the code. These elements (shared secret, MAC algorithm, and encryption algorithm) may be employed in various combinations and to varying degrees, depending on the application and desired level of security. At each stage, the cryptographic construct operates on the cyptographically modified data from the previous stage. This layering of cryptographic constructs may increase the strength of the group of contrasts more efficiently than applying any one construct with a larger key size or similar increase in complexity.

Abstract: A verification method for fast source and path embedded with random authentication is provided. The method includes: generating a corresponding verification structure for an expected path according to a predetermined path strategy, embedding different m pieces of fragment information randomly selected with same possibility from the verification structure for the expected path to a header of a data packet to be transmitted in a data flow, and transmitting the data packet to be transmitted with the embedded fragment information to a next hop of routing node of the expected path, performing a verification on the received data packet by the respective intermediate routing node on the expected path, and forwarding the data packet to the next routing node when the verification passes, performing verification on the received data packet by the data flow destination, performing a parsing verification evaluation on the expected path when the verification passes.

Abstract: Behavioral characteristics of at least a first machine component are monitored. A model that represents machine-to-machine interactions between at least the first machine component and at least a further machine component is generated. Using the monitored behavioral characteristics and the generated model, an incongruity of a behavior of at least the first machine component and the machine-to-machine interactions is computed, where the incongruity is predicted based on determining a discordance between an expectation of the system and the behavior and the machine-to-machine interactions, and wherein the predicting is performed without using a previously built normative rule of behavior and machine-to-machine interactions.

Abstract: A method for execution by a processor of a host having an external interface for connection to at least one other network element of a packet-based data network, the host storing a routing table and implementing a container connected to a bridge, the container being addressable by an internal address on a bridge network associated with the bridge. The method includes obtaining an indication of a request for the container to join a multicast group. In response to the obtaining, a request is sent via the external interface for the host to join the multicast group. The routing table may be modified so as to make the bridge a next hop for future packets obtained from the external interface and destined for the multicast group. The routing table may also be modified so as to make the external interface a next hop for future packets that are obtained from the bridge, whose source address is the internal address of the container and that are destined for the multicast group.

Abstract: A method of Internet Protocol (IP) address control includes receiving a request from a computing device for a new IP address, the request including a Media Access Control (MAC) address of the computing device. A query can be sent to a storage resource for a whitelist of MAC numbers associated with IP addresses and an IP address not present on the whitelist can be selected for use in assigning the new IP address. A new IP/MAC pairing of the selected IP address and the MAC address of the computing device is sent to the storage resource for adding to the whitelist and optionally to a firewall for adding to a firewall whitelist. A confirmation can be sent to the computing device, providing the new IP address.

Abstract: Security policies can be dynamically updated in response to changes in endpoints associated with those policies. A user can indicate one or more regions or networks from which access is to be granted under a specific security policy. The user can subscribe to receive notifications upon a change relating to those endpoints, such as the addition or removal of one or more endpoints. When a change is detected, new policy information can be generated automatically and published for subscribed policies, which can then have the updates applied automatically or provided for manual review and application. Such a process enables access determinations to be made based upon up-to-date endpoint information.

Abstract: Apparatus, systems, and methods for the detection and remediation of malicious network traffic. Network traffic is received from a network-based device and analyzed the network traffic to identify the network-based device as an infected network-based device. In response to identifying the network-based device as an infected network-based device, a response message is sent to the infected network-based device, the response message triggering a tarpitting effect on the network-based device.

Abstract: Intraocular pressure in an eye is reduced by delivering a high resolution optical coherence tomography (OCT) beam and a high resolution laser beam through the cornea, and the anterior chamber into the irido-corneal angle along an angled beam path. The OCT beam provides OCT imaging for surgery planning and monitoring, while the laser beam is configured to modify tissue or affect ocular fluid by photo-disruptive interaction. In one implementation, a volume of ocular tissue within an outflow pathway in the irido-corneal angle is modified to create a channel opening in one or more layers of the trabecular meshwork. In another implementation, a volume of fluid in the Schlemm's canal is affected by the laser to bring about a pneumatic expansion of the canal. In either implementation, resistance to aqueous flow through the eye is reduced.

Abstract: Aspects of the disclosure relate to monitoring virtual desktops accessed by devices at remote locations using machine-learning models to mitigate potential cyber-attacks. In some embodiments, a computing platform may monitor data associated with a series of activities from a virtual desktop accessed by a remote computing device. Subsequently, the computing platform may detect new activity data on the virtual desktop accessed by the remote computing device, and evaluate the new activity data relative to the data associated with the series of activities, wherein evaluating includes applying a machine learning model to the new activity data. Based on evaluating the new activity data, the computing platform may determine if the new activity data is indicative of a potential cyber-attack. In response to determining that the new activity data is indicative of a potential cyber-attack, the computing platform may initiate one or more security response actions.

Abstract: This disclosure provides systems, methods, and apparatuses for wireless sensing. In some aspects, a first wireless communication device may receive a first wireless transmission including a transmit (TX) parameter information element (IE). The first wireless communication device may verify the integrity of the TX parameter IE using a message integrity code (MIC) in the first wireless transmission, discarding the first wireless transmission when the MIC does not verify the integrity of the TX parameter IE. The first wireless device may obtain one or more transmission parameters for one or more second wireless communication devices associated with the TX parameter IE. The first wireless communication device may receive a second wireless transmission from one of the second wireless communication devices and obtain one or more wireless sensing measurements associated with the second wireless transmission and the one or more transmission parameters.

Abstract: A computing device may receive a first packet addressed to a destination node. The device may check a packet counter to determine if the counter exceeds a threshold, the counter recording a number of packets addressed to the destination node that have been received during a first time period. The device may in response to the packet counter exceeding the threshold: send, by the computing device, a query to an intermediate node; generate, by the device, a query flag in response to sending the query. The query flag can indicate that a query has been sent to the intermediate node. A reply from the intermediate node can be received by the device. The reply can identify a set of processes that the intermediate node is configured to perform on the first packet. The set of processes can be applied by the device to the first packet.

Abstract: This disclosure describes systems, methods, and devices related to network outage management. A method may include receiving, by a cloud-based system, a first indication of a first cable system outage; instantiating, by the cloud-based system, a first computing instance associated with generating event data indicative of the first cable system outage; instantiating, by the cloud-based system, a second computing instance associated with a machine learning model; generating, by the cloud-based system, using the event data as inputs to the machine learning model, a score indicative of a probability that the first cable system outage is repairable by a technician; and refrain from sending, by the cloud-based system, based on a comparison of the score to a score threshold, the event data to a first system associated with repairing the first cable system outage.

Abstract: Systems and methods include reception of a request for access to a target domain, the request including a source Internet Protocol (IP) address, determination of whether the source IP address is one of a plurality of IP addresses indicated within stored first data, determination, if it is determined that the source IP address is one of the plurality of stored IP addresses, of whether the target domain is one of a plurality of domains indicated within stored second data, and forwarding, if it is determined that the source IP address is one of the plurality of stored IP addresses and the target domain is one of a plurality of domains indicated within stored second data, of the request to the target domain.

Abstract: Some network architectures include perimeter or edge devices which perform network address translation or otherwise modify data in a network traffic packet header, such as the source address. The modification of the source address prevents downstream devices from knowing the true or original source address from which the traffic originated. To address this issue, perimeter devices can insert the original source address in an X-Forwarded-For field of the packet header. Firewalls and related security services can be programmed to record the original source address in the XFF field in addition to the other packet information and to consider the original source address during security analysis. Using the original source address in the XFF field, services can determine additional characteristics about the traffic, such as geographic origin or associated user accounts, and use these characteristics to identify applicable rules or policies.

Abstract: Disclosed are systems and associated methods for protecting systems against software intended to damage or disable computers and computer systems, commonly called “malware” especially encrypting malware. Both agent-based and agentless implementations allow the identification of malware and the protection of local and cloud-based data by observing changes to filesystem structure and the information content of files, with no need to scan memory or interfere with the processing of individual processes. The data permeability of the protected system can be dynamically changed, allowing user-directed changes to be committed to storage and backed up, while adverse or potentially adverse changes are quarantined.

Abstract: A system and method for cybersecurity risk analysis and anomaly detection using active and passive external reconnaissance, that identifies critical network entities within a cyber-physical graph, identifies anomalous events within the network, determines the risk of identified anomalies based on the value of the entities involved, and determines an effectiveness score for the network based on the identified risks.

Abstract: A method includes creating a secured connection between a home network and a remote corporate network via a smart home gateway; detecting a plurality of devices are connected with the smart home gateway, wherein the plurality of devices are within the home network; determining that a first device of the plurality of devices is indicated as an authorized corporate device; determining that the first device has software updated to a threshold version of software; and based on the indication that the first device is an authorized corporate device or the first device has software update to the threshold version of software, automatically connecting the first device to the remote corporate network.

Abstract: The disclosure provides a method performed by a wireless device for providing capability information. The method comprises: receiving a first message from a base station, the first message comprising an indication of a capability filter; utilizing the capability filter to generate a filtered set of capabilities of the wireless device; applying a hash function to the filtered set of capabilities to generate a hash value; and transmitting a second message to the base station, the second message comprising the hash value.

Abstract: A logic circuit for managing reception of secure data packets in an industrial controller snoops data being transferred by a Media Access Controller (MAC) between a network port and a shared memory location within the industrial controller. The logic circuit is configured to perform authentication and/or decryption on the data packet as the data packet is being transferred between the port and the shared memory location. The logic circuit performs authentication as the data is being transferred and completes authentication shortly after the MAC has completed transferring the data to the shared memory. The logic circuit coordinates operation with the MAC and signals a Software Packet Processing (SPP) module when authentication is complete. The logic circuit is further configured to decrypt the data packet, if necessary, and to similarly coordinate operation with the MAC and delay signaling the SPP module that data is ready until decryption is complete.

Abstract: The innovation disclosed and claimed herein, in one aspect thereof, comprises systems and methods of autonomous asset configuration modeling and management. The innovation includes probing elements of a networked architecture to compile information about elements in the networked architecture. The innovation learns a configuration for the at least one element in the environment based on the probing and determines vulnerabilities in the learned configuration. The innovation develops a threat model based on the learned configuration. The innovation applies the threat model to the elements of the networked architecture and deploys a configuration that resolves the vulnerabilities based on the threat model to the elements in the networked architecture. The threat model can be developed over time using machine learning concepts and deep learning of data sources associated with the elements and vulnerabilities.

Abstract: A method of monitoring and controlling network traffic within an industrial control system including receiving one or more data packets at a smart network switching system operating software-defined networking, analyzing the one or more data packets at a protocol level within a control plane of the software-defined networking, based on the analysis, determining whether the one or more data packets are authorized data packets, and forwarding a data packet of the one or more data packets to a destination device within a data plane of the software-defined networking upon determining that the data packet is an authorized data packet. The method further includes providing information related to the analysis of the one or more data packets to an out-of-band monitoring and control system for display to a user, and receiving a response communication from the out-of-band monitoring and control system indicating whether the one or more data packets are authorized data packets.

Abstract: Disclosed in some examples are methods, systems, and machine readable mediums for secure, low end-user effort computing device configuration. In some examples the IoT device is configured via a user's computing device over a short range wireless link of a first type. This short range wireless communication may use a connection establishment that does not require end-user input. For example, the end user will not have to enter, or confirm a PIN number or other authentication information such as usernames and/or passwords. This allows configuration to involve less user input. In some examples, to prevent man-in-the-middle attacks, the power of a transmitter in the IoT device that transmits the short range wireless link is reduced during a configuration procedure so that the range of the transmissions to and from the user's computing device are reduced to a short distance.

Abstract: A packet gateway may protect TCP/IP networks by enforcing security policies on in-transit packets that are crossing network boundaries. The policies may include packet filtering rules derived from cyber threat intelligence (CTI). The rapid growth in the volume of CTI and in the size of associated CTI-derived policies, coupled with ever-increasing network link speeds and network traffic volume, may cause the costs of sufficient computational resources to be prohibitive. To efficiently process packets, a packet gateway may be provided with at least one probabilistic data structure, such as a Bloom filter, for testing packets to determine if packet data may match a packet filtering rule. Packet filtering rules may be grouped into subsets of rules, and a data structure may be provided for determining a matching subset of rules associated with a particular packet.

Abstract: Systems and methods for implementing filters within computer networks include obtaining blocklist data that includes blocklist entries for a network. Each of the blocklist entries includes one or more network traffic attributes for identifying traffic to be blocked. In response to receiving the blocklist data, a filter based on a common network traffic attribute shared between at least two of the plurality of blocklist entries is generated. The filter is then deployed to a network device within the network such that the filter may be implemented at the network device to block corresponding traffic.

Abstract: A method for automatically adjusting one or more device security settings includes receiving a plurality of information feeds received over a communications network from a plurality of information sources. The method further includes accessing a particular information feed from the plurality of information feeds and accessing a predefined trigger associated with the particular information feed. The method further includes determining, by comparing the particular information feed with the predefined trigger, whether a security event is predicted to occur. When the security event is predicted to occur, the method generates an alert for display on a user device and sends, over the communications network, one or more instructions to adjust the one or more device security settings.

Abstract: A packet-filtering system configured to filter packets in accordance with packet-filtering rules may receive data indicating network-threat indicators and may configure the packet-filtering rules to cause the packet-filtering system to identify packets comprising unencrypted data, and packets comprising encrypted data. A portion of the unencrypted data may correspond to one or more of the network-threat indicators, and the packet-filtering rules may be configured to cause the packet-filtering system to determine, based on the portion of the unencrypted data, that the packets comprising encrypted data correspond to the one or more network-threat indicators.

Abstract: A speech-processing system may provide access to one or more virtual assistants via a voice-controlled device. The system may be activated by detecting a wakeword in speech received by a microphone of the device. The system may process the speech and provide a response in the form of synthetic speech. When a speaker of the device synthetic emits the speech, the microphone may detect some or all of the speech. If the synthetic speech includes a wakeword or words or phrases similar to the wakeword, a wakeword detection component of the device may detect the wakeword and activate an assistant, resulting in a self-wake or cross-wake. Self- or cross-wake may interrupt an action or response currently in progress, which may frustrate the user and result in a poor user experience. This disclosure thus proposes systems and methods for preventing cross-wake and self-wake in a voice-controlled device.

Abstract: Described are techniques including a computer-implemented method that comprises defining a respective priority classification for each of a plurality of sockets used for communicating between an initiator computational system and a target computational system. The method further comprises automatically assigning a respective priority classification to each of a plurality of Input/Output (IO) requests based on a type of data associated with each IO request. The method further comprises sending the plurality of IO requests to respective sockets of the plurality of sockets with a matching priority classification.

Abstract: A system for managing connection from a smartphone 1 provided to a child to specific connection destinations via the Internet, comprising: a filter server 9 for restricting packet transmission to the Internet based on a destination of the packet and a source IP of the smartphone 1; a VPN server 6 for establishing a tunnel connection 27 between the VPN server 6 and the smartphone 1, wherein the tunnel connection 27 passes all communication traffic from the smartphone 1, and also transmitting to the filter server the packet which passed through the tunnel connection 27; and an API server 8 connected to the VPN server 6 for confirming existence of the tunnel connection 27 at predetermined timing and, when lack of the existence is determined, blocking the Internet connection itself of the information communication device.

Abstract: A method including configuring a VPN server to determine, based on requesting data of interest from a host device, that the host device has declined to provide the data of interest; configuring the VPN server to verify, based on determining that the host device has declined to provide the data of interest, an identity of a secondary server with which the VPN server is authorized to establish a secure connection; configuring the VPN server to establish, based on verifying the identity of the secondary server, a secure connection with the secondary server to enable communication of encrypted information; and configuring the VPN server to transmit, to the secondary server, an encrypted message identifying the host device and the data of interest to be retrieved from the host device to enable the secondary server to request the data of interest from the host device is disclosed. Various other aspects are contemplated.

Abstract: Systems and methods for admitting new nodes into an existing network, for example a MoCA network. As a non-limiting example, various aspects of the present disclosure provide systems and methods for adding a new node to an existing network without requiring on-site manual configuration, for example utilizing communication between the new node and a network coordinator of the existing network prior to admission of the new node to the existing network.

Abstract: A network device includes one or more ports, and action-select circuitry. The ports are to exchange packets over a network. The act-ion-select circuitry is to determine, for a given packet, a first search key based on a first header field of the given packet, and a second search key based on a second header field of the given packet, to compare the first search key to a first group of compare values, to output a multi-element vector responsively to a match between the first search key and a first compare value, to generate a composite search key by concatenating the second search key and the multi-element vector, to compare the composite search key to a second group of compare values, and, responsively to a match between the composite search key and a second compare value, to output an action indicator for applying to the given packet.

Abstract: A device monitoring method includes: receiving a message transmitted from a first device to a second device and addressed to the second device; determining whether the message contains a device control command for controlling the second device; if the message contains the device control command, further determining whether to transmit the message to the second device based on a predetermined condition; and when the message is determined to be transmitted to the second device, transmitting the message to the second device. The predetermined condition includes a first condition that the first device is registered as a device having a predetermined function in a device list containing information about whether each of the devices is a device having the predetermined function. The message is determined to be transmitted to the second device when the predetermined condition is satisfied.

Abstract: Mechanisms for generating documents with confidential information are provided, the systems comprising: a memory; and a first collection of at least of one hardware processor coupled to the memory and configured to: receive from a user device a request for a first document with confidential information; generate a second document, that corresponds to the first document, with at least one token corresponding to the confidential information; transmit the second document to a second collection of at least one hardware processor in a computer network that is entitled to access the confidential information; receive from the second collection of at least one hardware processor in the computer network a uniform resource locator (URL) corresponding to the first document; and transmit the URL to the user device. In some of these mechanisms, the user device is in the computer network.

Abstract: A system, method, and computer program product for implementing network state processing is provided. The method includes detecting operational states for ports of a server Internet protocol (IP) data plane component of an integrated switching device. Each operational state is analyzed and matching and action rules associated with the operational states are generated with respect to data packets arriving at the ports. Data describing each operational state is stored within a port cache structure of a port. An incoming data packet is detected at a first port and the matching and action rules are distributed between port engines of the ports. The matching and action rules are executed with respect to the incoming data packet and the incoming data packet is transmitted to a destination port. Operational functionality of the integrated switching device is enabled with respect to execution of the incoming data packet at the destination port.

Abstract: A cloud-based traffic classification engine maintains a catalog of application-based traffic classes which have been developed based on known applications, and a local traffic classification engine maintains a subset of these classes. Network traffic intercepted by the firewall which cannot be classified by the local engine is forwarded to the cloud-based engine for classification. Upon determination of a class of the traffic, the cloud-based engine forwards the determined class and corresponding signature to the local engine. The firewall maintains a cache which is updated with the signatures corresponding to the class communicated by the cloud-based engine. Subsequent network traffic sent from the application can be determined to correspond to the application and classified according locally at the firewall based on the cached signatures. Localization of the cache to the firewall reduces latency of traffic classification operations as the catalog of classification information stored in the cloud scales.

Abstract: Described herein are techniques for preventing a user from continuing to access an online service once access rights have been revoked. In some embodiments, the techniques comprise receiving a request to determine a current status of access rights in association with a user and an online service, determining, based on one or more conditions associated with the online service, the current status of access rights, upon determining that the current status of access rights indicates that the user is not authorized to access the online service, identifying at least one user device associated with the user, generating programmatic instructions to cause a session token associated with the online service to be removed from a memory of the at least one user device, and providing the programmatic instructions to the at least one user device.

Abstract: Techniques are disclosed for a network device to preserve packet flow information across bump-in-the-wire (BITW) firewalls. For example, a method comprises receiving, by a network device, a packet. The method also comprises determining, by the network device, that the packet matches a packet flow that is associated with an action to redirect the packet to a firewall configured as a bump-in-the-wire. The method further comprises, in response to the determination: modifying, by the network device, a Media Access Control (MAC) address field of a layer 2 (L2) packet header with a flow identifier of the packet flow; sending, by the network device, the packet to the firewall; receiving, by the network device, the packet from the firewall; and recovering, by the network device, the packet flow by modifying the packet according to the flow identifier in the packet to restore the L2 packet header of the packet.

Abstract: A packet-filtering system configured to filter packets in accordance with packet-filtering rules may receive data indicating network-threat indicators and may configure the packet-filtering rules to cause the packet-filtering system to identify packets comprising unencrypted data, and packets comprising encrypted data. A portion of the unencrypted data may correspond to one or more of the network-threat indicators, and the packet-filtering rules may be configured to cause the packet-filtering system to determine, based on the portion of the unencrypted data, that the packets comprising encrypted data correspond to the one or more network-threat indicators.

Abstract: A communication log aggregation device includes: a communicator that obtains flow information including one or more flow records and first statistical information for each flow from each of collection devices, the one or more flow records each including flow identification information included in a message received by at least one observer that is disposed in a control network system, the flow being classified based on the flow identification information, the collection devices each collecting the one or more flow records and the first statistical information for each flow from the message received by the observer; and a flow aggregator that generates aggregated flow information by performing at least one of the following: (i) selecting at least one of the one or more flow records, (ii) adding second statistical information, and (iii) deleting at least one of the one or more flow records, and outputs the aggregated flow information.

Abstract: Some embodiments of the invention provide a novel method for performing firewall operations on a computer. The method of some embodiments instantiates first and second firewall processes on the computer. These two processes are two separate processes, which in some embodiments have separate memory allocations in the memory system of the computer. The method uses the first firewall process to examine a data message to determine whether an encryption based firewall policy (e.g., a TLS-based firewall policy) has to be enforced on the data message. Based on a determination that the encryption-based firewall policy has to be enforced on the data message, the method provides metadata, which is produced by the first firewall process in its examination of the data message, to the second firewall process. The second firewall process then uses the provided metadata to perform an encryption-based firewall operation based on the encryption-based firewall policy.