Packet Filtering Patents (Class 726/13)
  • Publication number: 20150012999
    Abstract: A distributed and coordinated security system providing intrusion-detection and intrusion-prevention for the virtual machines (VMs) in a virtual server is described. The virtualization platform of the virtual server is enhanced with networking drivers that provide a “fast path” firewall function for pre-configured guest VMs that already have dedicated deep packet inspection security agents installed. A separate security VM is deployed to provide virtual security agents providing deep packet inspection for non pre-configured guest VMs. The network drivers are then configured to intercept the data traffic of these guest VMs and route it through their corresponding virtual security agents, thus providing a “slow-path” for intrusion detection and prevention.
    Type: Application
    Filed: September 22, 2014
    Publication date: January 8, 2015
    Applicant: TREND MICRO INCORPORATED
    Inventor: William Gerald MCGEE
  • Patent number: 8931075
    Abstract: A computer implemented method and computer program product for obtaining a secure route. A trusted host sets a node security association for a trusted host. The trusted host receives, at the trusted host, a client communication request directed to a destination host. The trusted host builds a secure route query comprising a trusted host address, a destination host address, and at least one security level, to form at least one secure route. The trusted host sends packets from the trusted host to the destination host based on the at least one secure route. The packets are responsive to the client communication request, and the packets each have a security label that matches the security level.
    Type: Grant
    Filed: April 18, 2013
    Date of Patent: January 6, 2015
    Assignee: International Business Machines Corporation
    Inventors: Adekunle Bello, Radhika Chirra, Venkat Venkatsubra, Aruna Yedavilli
  • Patent number: 8931046
    Abstract: A method and apparatus that secures a dynamic virtualized network is described. In an exemplary embodiment, a device learns a current network policy of the dynamic virtualized network, where the dynamic virtualized network is a virtualized layer 2 network that is overlaid on a layer 3 physical network. In addition, the current network policy includes multiple network policy elements, where each of the multiple network policy elements identifies an authorized endpoint in the dynamic virtualized network. Furthermore, the layer 3 physical network includes multiple network access devices. The device further determines a network security policy for the dynamic virtualized network from the current network policy. The network security policy includes one or more second network policy elements that are a different network policy element than one of the multiple network policy elements of the current network policy.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: January 6, 2015
    Assignee: Stateless Networks, Inc.
    Inventors: Kelly Wanser, Andreas Markos Antonopoulos
  • Patent number: 8931076
    Abstract: A computer implemented method for obtaining a secure route. A trusted host sets a node security association for a trusted host. The trusted host receives, at the trusted host, a client communication request directed to a destination host. The trusted host builds a secure route query comprising a trusted host address, a destination host address, and at least one security level, to form at least one secure route. The trusted host sends packets from the trusted host to the destination host based on the at least one secure route. The packets are responsive to the client communication request, and the packets each have a security label that matches the security level.
    Type: Grant
    Filed: April 18, 2013
    Date of Patent: January 6, 2015
    Assignee: International Business Machines Corporation
    Inventors: Adekunle Bello, Radhika Chirra, Venkat Venkatsubra, Aruna Yedavilli
  • Patent number: 8931047
    Abstract: A method and apparatus that secures a dynamic virtualized network is described. In an exemplary embodiment, a device learns a current network policy of the dynamic virtualized network, where the dynamic virtualized network is a virtualized layer 2 network that is overlaid on a layer 3 physical network. In addition, the current network policy includes multiple network policy elements, where each of the multiple network policy elements identifies an authorized endpoint in the dynamic virtualized network. Furthermore, the layer 3 physical network includes multiple network access devices. The device further determines a network security policy for the dynamic virtualized network from the current network policy. The network security policy includes one or more second network policy elements that are a different network policy element than one of the multiple network policy elements of the current network policy.
    Type: Grant
    Filed: June 6, 2013
    Date of Patent: January 6, 2015
    Assignee: Stateless Networks, Inc.
    Inventors: Kelly Wanser, Andreas Markos Antonopoulos
  • Patent number: 8925068
    Abstract: Disclosed is a method of preventing a denial of service (DoS) attack using transmission control protocol (TCP) state transition. Flow of packets transmitted between a client and a server using TCP is monitored to prevent the DoS attack, e.g., SYN flooding, and to efficiently reduce the load on the server and provide more secure service. By applying the method to a firewall, a proxy server, an intrusion detection system, etc., of a server, it is possible to make up for vulnerabilities regarding a DoS attack without disturbing a conventional TCP state transition operation and detect, verify and block DoS attacks abusing the vulnerabilities, thereby providing more secure service.
    Type: Grant
    Filed: December 8, 2006
    Date of Patent: December 30, 2014
    Assignee: Samsung SDS Co., Ltd.
    Inventor: In Seon Yoo
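The Samsung SDS abstract above describes following TCP state transitions between client and server so that SYN flooding, which leaves handshakes stuck after the server's SYN/ACK, can be detected and blocked at a firewall or proxy. The following is an added example, not code from the patent: a per-flow handshake tracker run over a constructed packet trace. The flow key, the half-open accounting and the threshold of three half-open flows per client are assumptions for illustration.

```python
"""Track TCP handshake state per flow and flag SYN-flood sources.

Added example, not the patent's own code. Packets are a constructed
trace of (src, sport, dst, dport, flags) tuples; the half-open
threshold is an assumed tuning value.
"""
from collections import defaultdict

# TCP flag bits used below.
SYN, ACK, RST = 0x02, 0x10, 0x04


class TcpStateTracker:
    """Follows the three-way handshake per (client, sport, server, dport).

    SYN_SENT      client SYN seen
    SYN_RECEIVED  server SYN/ACK seen, client ACK still outstanding
    ESTABLISHED   client ACK seen

    Flows left in SYN_RECEIVED are half-open and are charged to the
    client address; a client exceeding `threshold` is flagged.
    """

    def __init__(self, threshold):
        self.threshold = threshold
        self.state = {}                    # flow key -> state
        self.half_open = defaultdict(int)  # client ip -> half-open count
        self.flagged = set()               # client ips over the threshold

    def _release(self, key):
        # Forget a flow; if it was half-open, credit the client.
        if self.state.pop(key, None) == "SYN_RECEIVED":
            self.half_open[key[0]] -= 1

    def observe(self, src, sport, dst, dport, flags):
        if flags & SYN and not flags & ACK:             # client -> server SYN
            key = (src, sport, dst, dport)
            self._release(key)                          # retransmit or port reuse
            self.state[key] = "SYN_SENT"
        elif flags & SYN and flags & ACK:               # server -> client SYN/ACK
            key = (dst, dport, src, sport)
            if self.state.get(key) == "SYN_SENT":
                self.state[key] = "SYN_RECEIVED"
                self.half_open[dst] += 1
                if self.half_open[dst] > self.threshold:
                    self.flagged.add(dst)
        elif flags & RST:                               # abort from either side
            self._release((src, sport, dst, dport))
            self._release((dst, dport, src, sport))
        elif flags & ACK:                               # client completes handshake
            key = (src, sport, dst, dport)
            if self.state.get(key) == "SYN_RECEIVED":
                self.state[key] = "ESTABLISHED"
                self.half_open[src] -= 1

    def should_drop(self, src):
        """Filter decision for a new packet from `src`."""
        return src in self.flagged


def build_sample_trace():
    """Constructed trace: one normal handshake, one RST-aborted handshake,
    and one source that opens four handshakes without ever completing them."""
    server = "192.0.2.1"
    trace = [
        ("10.0.0.5", 50000, server, 80, SYN),
        (server, 80, "10.0.0.5", 50000, SYN | ACK),
        ("10.0.0.5", 50000, server, 80, ACK),
        ("10.0.0.7", 50001, server, 80, SYN),
        (server, 80, "10.0.0.7", 50001, SYN | ACK),
        ("10.0.0.7", 50001, server, 80, RST),
    ]
    for sport in range(40000, 40004):
        trace.append(("203.0.113.9", sport, server, 80, SYN))
        trace.append((server, 80, "203.0.113.9", sport, SYN | ACK))
    return trace


def analyze(trace, threshold=3):
    """Run the tracker over a trace and return it for inspection."""
    tracker = TcpStateTracker(threshold)
    for pkt in trace:
        tracker.observe(*pkt)
    return tracker


if __name__ == "__main__":
    t = analyze(build_sample_trace())
    print("flagged:", sorted(t.flagged))
    print("half-open per client:", dict(t.half_open))
```

The tracker charges half-open flows to the client rather than the server, which is what lets it single out a flooding source without disturbing normal handshakes; a real deployment would also age out stale SYN_RECEIVED entries, since a spoofed-source flood never sends the RST that releases them here.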
  • Patent number: 8924705
    Abstract: A method and a detection system are provided for detecting encrypted peer-to-peer (EP2P) sessions associated with a particular EP2P network. Seed data associated with the EP2P network is extracted from a selected packet, and an encryption seed is obtained from the seed data. An encryption key is obtained from the encryption seed by using a key function associated with the EP2P network, and a cipher associated with the EP2P network is initialized with the encryption key. A portion or whole of the packet is decrypted, and checksum data associated with the EP2P network is extracted. A checksum is obtained from the checksum data, and the obtained checksum is compared with a reference checksum associated with the EP2P network. If the obtained checksum matches the reference checksum, a session including the packet is determined to be an EP2P session associated with the EP2P network.
    Type: Grant
    Filed: September 23, 2011
    Date of Patent: December 30, 2014
    Assignee: ReVera Systems
    Inventors: Andriy Markov, Dmytro Kukulniak, Bogdan Materna
  • Patent number: 8925063
    Abstract: A test method for Internet-Protocol packet networks that verifies the proper functioning of a dynamic pinhole filtering implementation as well as quantifying network vulnerability statistically, as pinholes are opened and closed is described.
    Type: Grant
    Filed: February 14, 2011
    Date of Patent: December 30, 2014
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Gaston S. Ormazabal, Edward P. Harvey, Jr., James E. Sylvester
  • Publication number: 20140380459
    Abstract: A router is provided. The router includes a packet marking unit that inserts marking information generated based on an address of the router into a packet received by the router, according to a packet marking probability that is dynamically set, and a marking probability determination unit that calculates filtering efficiency of the router, and determines the packet marking probability based on the filtering efficiency. The marking information is used to obtain the address of the router by a device that has received the packet containing the marking information.
    Type: Application
    Filed: June 19, 2014
    Publication date: December 25, 2014
    Inventors: Heejo Lee, Dongwon Seo
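The router described above inserts marking information derived from its own address into packets with some probability, so that the receiving side can recover router addresses and hence the path an attack took. As an added example, not the application's code, the block below simulates node-sampling probabilistic packet marking along a constructed five-router path and reconstructs the path at the victim from mark frequencies. The marking probability is held fixed; the application's dynamic adjustment from filtering efficiency is not modelled. It also shows the known weak spot of plain node sampling: an attacker who pre-fills the mark field.

```python
"""Probabilistic packet marking (node sampling) and victim-side path reconstruction.

Added example, not the code of the published application. Each router
overwrites a single mark field with its own address with probability p;
the victim ranks the addresses it collects by frequency. The marking
probability is fixed here (assumption); router addresses and the attack
path are constructed.
"""
import random


def mark_packet(packet, router_addr, p, rng):
    """One router's marking step: overwrite the mark with probability p."""
    if rng.random() < p:
        packet["mark"] = router_addr


def forward_along_path(path, n_packets, p, rng, spoofed_mark=None):
    """Send n_packets from the attacker through `path` (attacker side first)
    and return what arrives at the victim. If spoofed_mark is given the
    attacker pre-fills the mark field, as a real attacker can."""
    received = []
    for _ in range(n_packets):
        packet = {"mark": spoofed_mark}
        for router in path:
            mark_packet(packet, router, p, rng)
        received.append(packet)
    return received


def reconstruct_path(received):
    """Victim side. A router d hops from the victim keeps its mark with
    probability p*(1-p)**(d-1), so sorting by frequency orders the path
    victim -> attacker. Returns (ordered addresses, counts)."""
    counts = {}
    for packet in received:
        if packet["mark"] is not None:
            counts[packet["mark"]] = counts.get(packet["mark"], 0) + 1
    return sorted(counts, key=counts.get, reverse=True), counts


def simulate(path, n_packets=20000, p=0.2, seed=1, spoofed_mark=None):
    """Run one attack of n_packets and return the reconstructed order and counts."""
    rng = random.Random(seed)   # seeded so the run is reproducible
    received = forward_along_path(path, n_packets, p, rng, spoofed_mark)
    return reconstruct_path(received)


if __name__ == "__main__":
    path = ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4", "192.0.2.5"]
    order, counts = simulate(path)
    print("victim -> attacker:", order)
    print("marks per router:", counts)
    spoof_order, _ = simulate(path, spoofed_mark="198.51.100.1")
    print("with attacker-spoofed mark, top entry is:", spoof_order[0])
```

With p = 0.2 over five routers, roughly 0.8^5 of the packets reach the victim unmarked, and a mark the attacker wrote in survives at that same rate, which is higher than the nearest router's share. A deployed scheme therefore needs a way to discount or authenticate marks, and the choice of marking probability is one of the levers the application's abstract points at.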
  • Publication number: 20140380458
    Abstract: Disclosed is an apparatus for preventing illegal access to an industrial control system and a method thereof in accordance with the present invention. The apparatus for preventing illegal access to an industrial control system includes: a first interface communicating packets by interoperating with a management network group that requests a control command; a second interface communicating packets by interoperating with a control network group that receives a control command from the management network group and processes it; and a control device, which, when a packet flows in from the management network group or the control network group, checks whether or not at least one filter rule is set and controls the packet flow between the management network group and the control network group using the filter for which the rule is set.
    Type: Application
    Filed: April 4, 2014
    Publication date: December 25, 2014
    Applicant: ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTITUTE
    Inventors: Byoung-Koo KIM, Dong-Ho KANG, Seon-Gyoung SOHN, Young-Jun HEO, Jung-Chan NA
  • Publication number: 20140380457
    Abstract: A system, method and computer readable storage medium that blocks network traffic exceeding a user selected value. Received data packets are analyzed to determine volumetric traffic flow so as to graphically represent the determined volumetric traffic flow for the received data packets on a display device. A countermeasure filter is provided having at least one traffic setting operational to block data packet traffic flow from the one or more external devices when the volumetric data packet flow exceeds a prescribed threshold value. The prescribed threshold value is determined by a user positioned indicator on a display device graphically representing the determined volumetric traffic flow.
    Type: Application
    Filed: June 21, 2013
    Publication date: December 25, 2014
    Applicant: ARBOR NETWORKS, INC.
    Inventors: Chris Cassell, Jeffrey Doppke, Kevin Russell Cline
  • Patent number: 8918889
    Abstract: An information processing apparatus for determining whether or not to transmit a predetermined content to a reception apparatus connected to a network, in accordance with a response time taken to respond to a predetermined command, including: reception means receiving a response to a command; measuring means measuring the response time to the command; authentication means authenticating the reception apparatus; generation means generating authentication data to be inserted into the command; transmission means transmitting the command including predetermined one of the authentication data; storage means storing the authentication data contained in the command and the response data contained in the response; request means requesting the reception apparatus for transmission of the authentication data and the response data; and determination means determining whether the authentication data and the response data transmitted from the reception apparatus, and determining transmission permission/inhibition of a cont
    Type: Grant
    Filed: May 31, 2005
    Date of Patent: December 23, 2014
    Assignee: Sony Corporation
    Inventor: Hisato Shima
  • Patent number: 8918868
    Abstract: A device has physical network interface port through which a user can monitor and configure the device. A backend process and a virtual machine (VM) execute on a host operating system (OS). A front end user interface process executes on the VM, and is therefore compartmentalized in the VM. There is no front end user interface executing on the host OS outside the VM. The only management access channel into the device is via a first communication path through the physical network interface port, to the VM, up the VM's stack, and to the front end process. If the backend process is to be instructed to take an action, then the front end process forwards an application layer instruction to the backend process via a second communication path. The instruction passes down the VM stack, across a virtual secure network link, up the host stack, and to the backend process.
    Type: Grant
    Filed: January 15, 2013
    Date of Patent: December 23, 2014
    Assignee: Netronome Systems, Incorporated
    Inventors: Jason Scott McMullan, Trevor William Patrie, Peter Liudmilov Djalaliev, Roelof Nico du Toit
  • Patent number: 8914878
    Abstract: This disclosure describes techniques for determining whether a network session originates from an automated software agent. In one example, a network device, such as a router, includes a network interface to receive packets of a network session, a bot detection module to calculate a plurality of scores for network session data based on a plurality of metrics, wherein each of the metrics corresponds to a characteristic of a network session originated by an automated software agent, to produce an aggregate score from an aggregate of the plurality of scores, and to determine that the network session is originated by an automated software agent when the aggregate score exceeds a threshold, and an attack detection module to perform a programmed response when the network session is determined to be originated by an automated software agent. Each score represents a likelihood that the network session is originated by an automated software agent.
    Type: Grant
    Filed: April 29, 2009
    Date of Patent: December 16, 2014
    Assignee: Juniper Networks, Inc.
    Inventors: Bryan Burns, Krishna Narayanaswamy
  • Patent number: 8914868
    Abstract: A technique that simplifies managing and configuring firewalls by provisioning a vendor-neutral firewall in an MPLS-VPN service network. In one example embodiment, this is accomplished by creating a vendor-neutral firewall policy using a service activation tool residing in a host server. One of the one or more VPNs requiring the provisioning of the vendor-neutral firewall in the MPLS-VPN service network is then selected. The created vendor-neutral firewall policy is then transformed to form a vendor-specific firewall policy associated with the selected one of the one or more VPNs.
    Type: Grant
    Filed: March 3, 2006
    Date of Patent: December 16, 2014
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Prasanna Anantharamiah, Venkata Raghavan Chekka, Jimmi Skaria, Vinodh T K Kumar
  • Patent number: 8914841
    Abstract: A system capable of automated mapping between a connectivity request and an ordered security rule-set and a method of operating thereof. The system includes an interface operable to obtain data characterizing at least one connectivity request; a module for automatically recognizing at least one rule within the rule-set, the rule controlling traffic requested in the at least one connectivity request, wherein the recognizing is provided by comparing a set of combinations specified in the connectivity request with a set of combinations specified in the rule and matching connectivity-related actions specified in the connectivity request; a module for automatically evaluating the relationship between traffic controlled by the recognized at least one rule and traffic requested in the at least one connectivity request; and a module for automatically classifying, in accordance with evaluation results, the at least one connectivity request with respect to the at least one rule and/or vice versa.
    Type: Grant
    Filed: November 23, 2011
    Date of Patent: December 16, 2014
    Assignee: Tufin Software Technologies Ltd.
    Inventor: Reuven Harrison
  • Publication number: 20140366119
    Abstract: An approach for regional firewall clustering for optimal state-sharing of different sites in a virtualized/networked (e.g., cloud) computing environment is provided. In a typical embodiment, each firewall in a given region is informed of its peer firewalls via a registration process with a centralized server. Each firewall opens up an Internet protocol (IP)-based communication channel to each of its peers in the region to share state table information. This allows for asymmetrical firewall flows through the network and allows routing protocols to ascertain the best path to a given destination without having to take firewall placement into consideration.
    Type: Application
    Filed: June 7, 2013
    Publication date: December 11, 2014
    Inventors: Robert K. Floyd, III, Baiju D. Mandalia, Robert P. Monaco, Mahesh Viswanathan
  • Patent number: 8908864
    Abstract: Systems, methods, and computer readable media for detecting and mitigating address spoofing in messaging service transactions are disclosed. A messaging service firewall (MSF) separate from a short message service center (SMSC) receives a mobility management reply message (MMR) that is sent by a mobile location register element in response to an associated mobility management query (MMQ) and that includes a serving switch identifier. The MSF allocates a global title address (GTA) from a pool of GTAs and stores a correlation between the allocated GTA and the originating SMSC. The MSF replaces the serving switch identifier in the MMR with the allocated GTA and routes the modified MMR. The MSF then receives a messaging service message (MSM) that is addressed to the allocated GTA and that includes the purported originating SMSC. If the purported originating SMSC does not match the SMSC to which the GTA is correlated, the MSM is discarded.
    Type: Grant
    Filed: October 5, 2012
    Date of Patent: December 9, 2014
    Assignee: Tekelec Netherlands Group, B.V.
    Inventor: Eloy Johan Lambertus Nooren
  • Patent number: 8910250
    Abstract: A notification is received that a network device in a computing network has blocked a service request directed towards a network resource of the computing network. A determination is made, based on authentication information associated with one or more of a network endpoint that transmitted the service request and a user at the network endpoint, as to whether the user should be notified of a reason that the network device blocked the service request. If it is determined that the user should be notified, a notification summarizing the reason that the network device blocked the service request is transmitted to the network endpoint.
    Type: Grant
    Filed: January 24, 2013
    Date of Patent: December 9, 2014
    Assignee: Cisco Technology, Inc.
    Inventors: Pok Sze Wong, Paul Forbes Bigbee
  • Patent number: 8910269
    Abstract: A system, method, and computer program product are provided for preventing communication of unwanted network traffic by holding only a last portion of the network traffic. In use, network traffic associated with a file transfer is received. Additionally, only a last portion of the network traffic associated with the file transfer is held for determining whether the file is unwanted. Further, the last portion of the network traffic associated with the file transfer is conditionally forwarded to a destination device, based on the determination.
    Type: Grant
    Filed: May 10, 2013
    Date of Patent: December 9, 2014
    Assignee: McAfee, Inc.
    Inventors: Garrick Zhu, Zheng Bu
  • Patent number: 8910241
    Abstract: A method of packet management for restricting access to a resource of a computer system. The method includes identifying client parameters and network parameters, as packet management information, used to determine access to the resource, negotiating a session key between client and server devices, generating a session ID based on at least the negotiated session key, inserting the packet management information and the session ID into each information packet sent from the client device to the server device, monitoring packet management information in each information packet from the client device, and filtering out respective information packets sent to the server device from the client device when the monitored packet management information indicates that access to the resource is restricted.
    Type: Grant
    Filed: June 27, 2008
    Date of Patent: December 9, 2014
    Assignee: Citrix Systems, Inc.
    Inventors: Dennis Vance Pollutro, Kiet Tuan Tran, Srinivas Kumar
  • Patent number: 8909813
    Abstract: A method for processing communication traffic includes receiving an incoming stream of compressed data conveyed by a sequence of data packets, each containing a respective portion of the compressed data. The respective portion of the compressed data contained in the first packet is stored in a buffer, having a predefined buffer size. Upon receiving a subsequent packet, at least a part of the compressed data stored in the buffer and the respective portion of the compressed data contained in the subsequent packet are decompressed, thereby providing decompressed data. A most recent part of the decompressed data that is within the buffer size is recompressed and stored in the buffer.
    Type: Grant
    Filed: March 20, 2012
    Date of Patent: December 9, 2014
    Assignees: Ramot at Tel-Aviv University Ltd., Interdisciplinary Center Herzliya
    Inventors: Yehuda Afek, Anat Bremler-Barr, Yaron Koral
  • Patent number: 8904513
    Abstract: The method can be implemented on a processor executing software instructions stored in memory. In one embodiment of the invention, the method includes receiving an Ethernet frame, wherein the Ethernet frame comprises a Transmission Control Protocol (TCP) header, wherein the TCP header comprises a TCP header length value. When the Ethernet frame is received, the TCP header length value is compared to a predetermined value.
    Type: Grant
    Filed: April 4, 2003
    Date of Patent: December 2, 2014
    Assignee: Cisco Technology, Inc.
    Inventors: Kenneth M. Rose, Venkateshwar R. Pullela, David S. Walker, Kevin C. Wong, Kaichuan He, Yu Kwong Ng
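The Cisco abstract above reduces to one concrete check: read the TCP header length (the data offset field) out of a received Ethernet frame and compare it with a predetermined value. The point for a filter is that a data offset below the legal minimum of 5 words, or one pointing past the end of the segment, is a malformed header that can desynchronise payload inspection. The following is an added example, not the patent's code, that walks Ethernet, IPv4 and TCP headers and applies that comparison; the frames it checks are constructed in the same block so it runs offline.

```python
"""Validate the TCP data offset (header length) of a raw Ethernet frame.

Added example, not Cisco's code. The frames are constructed below so it
runs offline; the minimum of 5 words (20 bytes) is the predetermined
value this example compares against (assumption).
"""
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_MIN_HEADER_WORDS = 5   # data offset is in 32-bit words; 5 words = 20 bytes


def tcp_header_length_check(frame):
    """Return (ok, reason) for one Ethernet frame.

    ok is False when the frame is too short to hold the headers it claims,
    when the TCP data offset is below the legal minimum, or when the data
    offset points past the end of the segment. Non-IPv4 and non-TCP frames
    are passed through unchecked, with the reason saying so.
    """
    if len(frame) < 14:
        return False, "short Ethernet frame"
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        return True, "not IPv4, not checked"
    ip = frame[14:]
    if len(ip) < 20:
        return False, "short IPv4 header"
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl:
        return False, "bad IPv4 IHL"
    if ip[9] != IPPROTO_TCP:
        return True, "not TCP, not checked"
    tcp = ip[ihl:]
    if len(tcp) < 20:
        return False, "short TCP header"
    data_offset = tcp[12] >> 4
    if data_offset < TCP_MIN_HEADER_WORDS:
        return False, "TCP data offset %d below minimum %d" % (data_offset, TCP_MIN_HEADER_WORDS)
    if data_offset * 4 > len(tcp):
        return False, "TCP data offset %d words exceeds segment length %d" % (data_offset, len(tcp))
    return True, "ok"


def build_frame(data_offset_words, options=b""):
    """Constructed Ethernet/IPv4/TCP SYN frame with an arbitrary data offset field.

    The real TCP header is 20 bytes plus `options`; the data offset field is
    set independently so malformed values can be produced on purpose.
    """
    tcp = struct.pack("!HHIIBBHHH",
                      12345, 80,                 # source, destination port
                      0, 0,                      # sequence, acknowledgement
                      data_offset_words << 4,    # data offset (high nibble) + reserved
                      0x02,                      # flags: SYN
                      65535, 0, 0)               # window, checksum, urgent pointer
    tcp += options
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(tcp),     # version/IHL, TOS, total length
                     0, 0, 64, IPPROTO_TCP, 0,   # id, flags/fragment, TTL, protocol, checksum
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    eth = (b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
           + struct.pack("!H", ETHERTYPE_IPV4))
    return eth + ip + tcp


if __name__ == "__main__":
    for words, opts in ((5, b""), (2, b""), (15, b""), (15, b"\x01" * 40)):
        print(words, len(opts), tcp_header_length_check(build_frame(words, opts)))
```

The two failure directions matter for different reasons: an offset below 5 makes a parser read option bytes or payload as header fields, while an offset beyond the segment end makes a naive implementation index past the buffer. A filter that drops both before any deeper inspection runs removes a whole class of evasion and parser-crash inputs cheaply.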
  • Patent number: 8904036
    Abstract: Described are a secure geo-location obscurity network and ingress nodes, transit nodes and egress nodes used in such a network. In particular, a novel device is provided and comprises: a node for a network, the node comprising: a private portion for allowing high bandwidth secure private traffic to be received and transmitted by the node on a private pathway through the node; and a public portion for allowing low bandwidth secure public traffic to be received and transmitted by the node on a plurality of public pathways through the node.
    Type: Grant
    Filed: December 7, 2010
    Date of Patent: December 2, 2014
    Assignee: Chickasaw Management Company, LLC
    Inventors: James Andrew Reynolds, Philip Desch, Brett Burley, Gene Ward, Joe Kenny, Michael Howland, Christopher Allen Howland
  • Patent number: 8904530
    Abstract: A system for detecting a remotely controlled e-mail spam host. The system includes an E-mail spammer detection unit and a host traffic profiling unit. The E-mail spammer detection unit identifies E-mail Spammers based on SMTP traffic characteristics. The host profiling unit extracts traffic components from the plurality of Internet traffic associated with an E-mail Spammer; interprets the extracted traffic components and determines whether the E-mail Spammer is a compromised host. The system may also include a botnet controller detection unit that analyzes traffic associated with compromised E-mail Spammers and identifies the botnet Controller remotely controlling the compromised E-mail Spammer.
    Type: Grant
    Filed: December 22, 2008
    Date of Patent: December 2, 2014
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Danielle Liu, Willa Ehrlich, David Hoeflin, Anestis Karasaridis, Daniel Hurley
  • Patent number: 8904514
    Abstract: A method for applying a host security service to a network is described herein. The network may include a host device and a network device. The network device may receive a request for security-based filtering. The request includes filtering parameters that restrict traffic between the host device and the network device. It is determined whether the filtering parameters conflict with an initial filtering configuration. The filtering parameters may be applied to traffic through the network device.
    Type: Grant
    Filed: April 12, 2010
    Date of Patent: December 2, 2014
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Nathan Stanley Jenne, Shaun Kazuo Wakumoto
  • Publication number: 20140344916
    Abstract: A method for operating a communication module of a network element of a communication network as well as the communication module itself are described. The communication module is embodied for the transmission of data. The network element has a communication module and an interface for communication with further network elements of the communication network. The communication module is embodied in such a way that the transmission, via the interface, of data for transmission is inhibited or authorized on the basis of a filter instruction.
    Type: Application
    Filed: May 19, 2014
    Publication date: November 20, 2014
    Applicant: ROBERT BOSCH GMBH
    Inventors: Markus IHLE, Robert SZERWINSKI, Juergen LIKKEI
  • Patent number: 8893257
    Abstract: Methods and systems for an intelligent network protection gateway (NPG) and network architecture are provided. According to one embodiment, a firewall provides network-layer protection to internal hosts against unauthorized access by hosts of an external network by performing network address translation (NAT) processing of Internet Protocol (IP) addresses. The firewall changes data in headers of VoIP packets and corresponding data contents of the VoIP packets, to enable bi-directional VoIP communications. An external VoIP interface of the firewall receives incoming VoIP packets having a user alias (e.g., an email address) and an indication regarding a VoIP port of the external interface. The packets are directed to an appropriate internal host by the firewall performing port address forwarding based on the port indication to an appropriate media gateway within the internal network that maintains a mapping of user aliases to private addresses of the internal hosts.
    Type: Grant
    Filed: April 8, 2014
    Date of Patent: November 18, 2014
    Assignee: Fortinet, Inc.
    Inventor: Michael Xie
  • Patent number: 8893252
    Abstract: A selective barrier prevents undesired communication between a protected region and an unprotected region. Wireless communication is allowed within the protected region, while wireless communication is prevented between the protected region and any unprotected regions. Particular undesired message packets might be selected by business rules responsive to aspects of individual messages. Particular unprotected regions might be statically or dynamically determined. Alternatively, the selective barrier similarly operates to block undesired message packets from originating in any of the unprotected regions and successfully being received in the protected region.
    Type: Grant
    Filed: April 16, 2009
    Date of Patent: November 18, 2014
    Assignee: Meru Networks
    Inventors: Vaduvur Bharghavan, Vijaykarthik Rajanarayanan
  • Patent number: 8893256
    Abstract: A system and method that provides for protection of a CPU of a router, by establishing a management port on the router. Hosts which are connected to non-management ports of the router are denied access to management functions of the CPU of the router. The system and method can utilize an application specific integrated circuit, in conjunction with a CAM-ACL, which analyzes data packets received on the ports of the router, and the ASIC operates to drop data packets which are directed to the CPU of the router. This system and method operates to filter data packets which may be generated in attempts to hack into control functions of a network device, and the operation does not require that the CPU analyze all received data packets in connection with determining access to the control functions of the router.
    Type: Grant
    Filed: June 30, 2010
    Date of Patent: November 18, 2014
    Assignee: Brocade Communications Systems, Inc.
    Inventors: Ronald W. Szeto, Philip Kwan, Raymond Wai-Kit Kwong
  • Patent number: 8893216
    Abstract: Security is enabled in an electrical system by examining a configuration file for a substation present in the electrical system, where the substation includes one or more electrical devices and one or more network devices. Based on the examination of the configuration file, information is determined on a characteristic of an electrical device that is selected from a group including a type, allowed role of the electrical device and allowed communication modes for the electrical device. Based on the determined information, a basis for controlling the role and communication modes for the electrical device is identified. A security policy is configured in a network device in the substation to incorporate the identified basis. Based on the configured security policy in the network device, communication patterns for the electrical device are allowed that are associated with the allowed role and allowed communication modes for the electrical device.
    Type: Grant
    Filed: June 15, 2011
    Date of Patent: November 18, 2014
    Assignee: Cisco Technology, Inc.
    Inventors: Navindra Yadav, Jeffrey D. Taft
  • Patent number: 8893274
    Abstract: A security virtual machine inspects all data traffic between other virtual machines on a virtualization platform in order to prevent an inter-VM attack. Data traffic between the machines is intercepted at the privileged domain and directed to the security virtual machine via a hook mechanism and a shared memory location. The traffic is read by the security machine and analyzed for malicious software. After analysis, the security machine sends back a verdict for each data packet to the privileged machine which then drops each data packet or passes each data packet on to its intended destination. The privileged domain keeps a copy of each packet or relies upon the security machine to send back each packet. The security machine also substitutes legitimate or warning data packets into a malicious data package instead of blocking data packets. The shared memory location is a circular buffer for greater performance. Traffic is intercepted on a single host computer or between host computers.
    Type: Grant
    Filed: August 3, 2011
    Date of Patent: November 18, 2014
    Assignee: Trend Micro, Inc.
    Inventors: Minghang Zhu, Gongwei Qian
  • Publication number: 20140337963
    Abstract: Systems and methods for handling packets from a trusted network are provided. In some aspects, a system includes a communication module configured to receive a packet at a gateway from a server in a trusted network. The gateway is between the trusted network and a network external to the trusted network. The system also includes a verification module configured to determine whether the received packet is valid. The communication module is configured to route the received packet to a client in the external network if the received packet is determined to be valid. The communication module is configured to apply a corrective action to the received packet if the received packet is determined to be invalid.
    Type: Application
    Filed: June 21, 2013
    Publication date: November 13, 2014
    Inventor: Murari Bhattacharyya
  • Publication number: 20140337964
    Abstract: A software firewall that may be configured using rules specified for types of network interfaces rather than individual network interfaces. The network types may be specified with type identifiers that have a readily understandable meaning to a user, facilitating ease of configuring the firewall. The network types could include, for example, wired, wireless and remote access. A rule specified based on a network type can be implemented for network interfaces of that network type. The implementation may be performed automatically and may be updated based on network location awareness information.
    Type: Application
    Filed: June 27, 2014
    Publication date: November 13, 2014
    Inventors: David Abzarian, Gerardo Diaz Cuellar
  • Patent number: 8887263
    Abstract: A firewall cluster system comprises a first node operable to receive a connection in a firewall cluster having three or more nodes, determine user data associated with the connection, and share the user data with at least another node in the firewall cluster.
    Type: Grant
    Filed: September 8, 2011
    Date of Patent: November 11, 2014
    Assignee: McAfee, Inc.
    Inventors: Tylor Allison, Anish Thomas, Andrew Nissen, Michael James Silbersack
  • Patent number: 8887266
    Abstract: A method is provided for computing network reachability in a computer network. The method includes: identifying each of the subnetworks that comprise a computer network; determining, for each pair of subnetworks, data paths between the two subnetworks; for each identified data path, identifying access control lists implemented along a given data path and formulating a diagram that merges reachability sets derived from the access control lists along the given data path; and, deriving, for each pair of subnetworks, a set of network packets that can traverse between the subnetworks from the formulated diagrams.
    Type: Grant
    Filed: January 7, 2011
    Date of Patent: November 11, 2014
    Assignee: Board of Trustees of Michigan State University
    Inventors: Xiang-Yang A. Liu, Amir Khakpour
  • Patent number: 8887265
    Abstract: A proxy device such as a firewall uses an internal socket namespace such as a text string such that connection requests must be explicitly redirected to a listening socket in the alternate namespace in order to connect to a service. Because external connections cannot directly address the listening socket or service, greater security is provided than with traditional firewall or proxy devices. To receive a redirected proxy connection, a service process creates a listening socket and binds a name in an alternate namespace to the socket before listening for connections.
    Type: Grant
    Filed: March 27, 2013
    Date of Patent: November 11, 2014
    Assignee: McAfee, Inc.
    Inventors: Michael Green, David F. Diehl, Michael J. Karels
  • Publication number: 20140331311
    Abstract: Methods, systems, and apparatus, including computer program products, featuring receiving at a first security device a packet. The first security device determines that the packet is associated with a flow assigned to a distinct second security device. The first security device sends the packet to the second security device. After the second security device performs security processing using the packet, the first security device receives from the second security device a message regarding the packet. The first security device transmits the packet.
    Type: Application
    Filed: May 6, 2014
    Publication date: November 6, 2014
    Applicant: Palo Alto Networks, Inc.
    Inventors: Nir Zuk, Wilson Xu, Yuming Mao
  • Patent number: 8880887
    Abstract: Provided are systems, methods, and computer-readable media for secure digital communications and networks. The system provides for secure communication between nodes through the use of a subscription between two nodes based on unique identifiers that are unique to each node, and communication between nodes without a subscription may be blocked. Additionally, secure communications between a node and a remote node are dynamically encrypted using asymmetric and symmetric encryption. The encryption algorithms and key lengths may be changed at each subsequent negotiation between a node and a remote node.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: November 4, 2014
    Assignee: STT LLC.
    Inventor: Matthew Tyrone Armatis
  • Publication number: 20140325635
    Abstract: A firewall device may include a forwarding component that includes a filter block. The filter block may obtain a first hardware-implemented filter, where a hardware implementation limits the first hardware-implemented filter to a maximum quantity of rules; determine whether a last rule associated with the accessed hardware-implemented filter includes a split-filter action, where the split-filter action identifies a second hardware-implemented filter; and link the second hardware-implemented filter to the first hardware-implemented filter to make the second hardware-implemented filter a logical continuation of the first hardware-implemented filter, in response to determining that the last rule includes the split-filter action.
    Type: Application
    Filed: June 30, 2014
    Publication date: October 30, 2014
    Inventors: Venkatasubramanian SWAMINATHAN, Deepak GOEL, Jianhui HUANG, John KEEN, Jean-Marc FRAILONG, Srinivasan JAGANNADHAN, Srilakshmi ADUSUMALLI
  • Publication number: 20140325634
    Abstract: A system, method and computer readable storage medium that receives traffic/packets from external devices attempting to access protected devices in a protected network. A determination is made as to whether a received packet belongs to one of a plurality of packet classifications. Each packet classification is indicative of a different class of IP traffic. Countermeasures are applied to a received packet to prevent attack upon the protected devices. Applying a countermeasure to a received packet determined to belong to one of the plurality of packet classifications includes countermeasure modification/selection contingent upon the determined packet classification for the received packet.
    Type: Application
    Filed: April 24, 2013
    Publication date: October 30, 2014
    Inventors: Scott Iekel-Johnson, Aaron Campbell, Lawrence Bruce Huston, III, Brian Moran, Jeff Edwards, Marc Eisenbarth, Jose Oscar Nazario
  • Patent number: 8875227
    Abstract: A computer-implemented process for privacy aware authenticated map-reduce processing receives data for a MapReduce operation to form received data, identifies a control point in a set of control points of the MapReduce operation to form an identified control point and identifies an applicable set of policies for the identified control point to form a selected set of policies. The selected set of policies is applied at the identified control point and responsive to a determination that application of the selected set of policies at the identified control point returned a positive result, the computer-implemented process continues operation to a next stage in the MapReduce operation.
    Type: Grant
    Filed: October 5, 2012
    Date of Patent: October 28, 2014
    Assignee: International Business Machines Corporation
    Inventors: Ashish Kundu, Ajay Mohindra, Sambit Sahu
  • Patent number: 8873436
    Abstract: A method for routing streams of traffic in IP networks, particularly in mobile IP networks. A plurality of streams of traffic to be transmitted are routed such that they are transmitted in one carrier/context. The streams of traffic having different destination networks are merged and are transmitted from a terminal via one carrier/context to a network access node in the IP network. They are routed from there to respective destination networks and devices.
    Type: Grant
    Filed: June 15, 2007
    Date of Patent: October 28, 2014
    Assignee: T-Mobile International AG
    Inventors: Daniela Schneider, Karl-Heinz Nenner
  • Patent number: 8875277
    Abstract: A process is disclosed in which all network traffic between a mobile device and an untrusted network arriving before the establishment of a VPN tunnel is dropped in response to rules imposed by the mobile device's operating system. Once a VPN tunnel is established, all communication from the mobile device is secured, without any intervention on the part of the user of the device. A device supporting such a process is also disclosed.
    Type: Grant
    Filed: June 4, 2012
    Date of Patent: October 28, 2014
    Assignee: Google Inc.
    Inventor: Jeff Sharkey
  • Patent number: 8875275
    Abstract: A flow state monitoring part obtains a frame that is output from firewall units using former and new rules, and monitors a flow state to which each of the former and new rules is applied. When the flow has ended for both the former and new rules, the flow state monitoring part notifies a frame holding part of the end of the frame. Upon receiving the notice of the end of the flow, the frame holding part outputs two captured information items each including a group of frames for the flow in accordance with each rule to a flow comparison part. The flow comparison part compares the two captured information items, and abandons those captured information items if they completely coincide with each other. If there is a difference, the flow comparison part outputs those captured information items.
    Type: Grant
    Filed: February 6, 2008
    Date of Patent: October 28, 2014
    Assignee: Fujitsu Limited
    Inventor: Kazumine Matoba
  • Patent number: 8875276
    Abstract: A firewall security device, system and corresponding method are provided that includes an operating system of an entirely new architecture. The operating system is based fundamentally around a protocol stack (e.g., TCP/IP stack), rather than including a transport/network layer in a conventional core operating system. The firewall security device may include a processor and an operating system (OS) embedded in the processor. The OS may include a kernel. The operating system kernel is a state machine and may include a protocol stack for communicating with one or more devices via a network interface. The OS may be configured to receive and transmit data packets and block unauthorized data packets within one or more layers of the protocol stack based on predetermined firewall policies.
    Type: Grant
    Filed: September 2, 2011
    Date of Patent: October 28, 2014
    Assignee: IOTA Computing, Inc.
    Inventors: Ian Henry Stuart Cullimore, Jeremy Walker
  • Patent number: 8869276
    Abstract: To improve network reliability and management in today's high-speed communication networks, we propose an intelligent system using adaptive statistical approaches. The system learns the normal behavior of the network. Deviations from the norm are detected and the information is combined in the probabilistic framework of a Bayesian network. The proposed system is thereby able to detect unknown or unseen faults. As demonstrated on real network data, this method can detect abnormal behavior before a fault actually occurs, giving the network management system (human or automated) the ability to avoid a potentially serious problem.
    Type: Grant
    Filed: June 29, 2006
    Date of Patent: October 21, 2014
    Assignee: Trustees of Boston University
    Inventors: Mark Crovella, Anukool Lakhina
  • Patent number: 8869270
    Abstract: Systems and methods for implementing content, streaming, and network security inside a chip or inside a computing device are disclosed. In exemplary embodiments, a system comprises a communication chip and a second processor. The communication chip comprises a router and security instructions. The router is configured to intercept untrusted data between a network and a first router. The second processor is configured to receive the untrusted data from the router, process the untrusted data with the security instructions to produce trusted data, and provide the trusted data to the router.
    Type: Grant
    Filed: March 11, 2009
    Date of Patent: October 21, 2014
    Assignee: Cupp Computing AS
    Inventor: Shlomo Touboul
  • Publication number: 20140310796
    Abstract: A multiple inspection avoidance (MIA) technique is implemented in a virtualized environment. Preferably, the technique is implemented in a packet processing unit (PPU) and takes advantage of a protection scope determined in an automated manner. The protection scope may be MAC-based. The MIA technique ensures that the same packet is not inspected more than once by a same packet processing unit (PPU), and that the same packet is not inspected more than once by different PPUs. According to this disclosure, when a PPU implementing MIA receives a packet, it uses the protection scope to determine whether it needs to process the packet. Preferably, the determination of whether to process the packet depends on the source and destination addresses in the packet, whether those addresses are being protected by the PPU that receives the packet, the direction of the packet flow, and optionally one or more packet processing rules.
    Type: Application
    Filed: April 11, 2013
    Publication date: October 16, 2014
    Applicant: International Business Machines Corporation
    Inventors: Cheng-Ta Lee, Jeffrey Lawrence Douglass, Deepti Sachdev
  • Patent number: 8863268
    Abstract: A security module and method within an information handling system are disclosed. In a particular form, a processing module can include a local processor configurable to initiate access to resources of a host processing system. The processing module can also include a security module configured to enable use of the resources of the host processing system using a security metric. According to an aspect, the security module can be further configured to detect the security metric, and enable access to a resource of the host processing system in response to the security metric. The security module can further be configured to disable access to another resource of the host processing system in response to the security metric.
    Type: Grant
    Filed: October 29, 2008
    Date of Patent: October 14, 2014
    Assignee: Dell Products, LP
    Inventors: Roy W. Stedman, Andrew T. Sultenfuss, David Loadman