Packet Filtering Patents (Class 726/13)
  • Patent number: 9794985
    Abstract: A system includes a first device that communicates a first configuration signal, an IP address and port identifier to a second device. The second device includes a router having a quality of service module therein. The second device deep packet inspects communication signals destined for the first device based on the IP address and port identifier. The quality of service module applies a quality of service policy to the communication signals based on deep packet inspecting to form modified communication signals. The first device performs a function in response to the modified communication signals.
    Type: Grant
    Filed: September 30, 2015
    Date of Patent: October 17, 2017
    Assignee: The DIRECTV Group, Inc.
    Inventors: Robin M. Mathews, Henry Derovanessian
  • Patent number: 9794265
    Abstract: Provided is authentication and authorization without the use of supplicants. Authentication and authorization includes generating a profile for a device based on at least one characteristic observed during a successful attempt by the device to access an 802.1X network infrastructure. Expected characteristics for a next attempt to access the infrastructure by the device are determined. A characteristic of the next access attempt is matched to the expected characteristic and access to the network is selectively controlled as a result of the matching. This is achieved without a supplicant being installed on the device.
    Type: Grant
    Filed: March 16, 2015
    Date of Patent: October 17, 2017
    Assignee: WELLS FARGO BANK, N.A.
    Inventors: Ryan B. Benskin, Lawrence T. Belton, Jr., Christopher Houser, Peter A. Makohon, Timothy Morris, Omar Bracey
  • Patent number: 9762620
    Abstract: A method, system, and a computer program product for reducing consumption of resources for lawful interception or retention data related to traffic concerning a 2G/3G target mobile connected to a telecommunications network interworking with Evolved Packet System is provided. A first parameter value in traffic for which lawful interception or data retention has been activated is detected at a first node. Based on at least the first parameter value, whether the traffic will be intercepted or retained at a second node crossed by the traffic is evaluated. If the second node will intercept or retain the traffic, the first node foregoes a lawful interception request or retention of intercepted data.
    Type: Grant
    Filed: April 21, 2015
    Date of Patent: September 12, 2017
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Maurizio Iovieno, Raffaele de Santis
  • Patent number: 9756013
    Abstract: In one embodiment, a provider edge (PE) device in a computer network determines an IPv4 address and link-layer address for each adjacent customer premise equipment (CPE) device, and assigns each CPE device a unique IPv6 address. The PE device stores a key-pair mapping between the unique IPv6 address and combined IPv4 and link-layer address for each adjacent CPE, the mapping bound by a CPE session context, and uses the CPE session context to convert between IPv4 and IPv6 for all network traffic to and from a particular CPE device.
    Type: Grant
    Filed: July 10, 2014
    Date of Patent: September 5, 2017
    Assignee: Cisco Technology, Inc.
    Inventors: Rajiv Asati, Wojciech Dec, Yixing Ruan
  • Patent number: 9749150
    Abstract: A system and method for monitoring network communications are provided. The method comprises capturing one or more packets of data in a networking stack of a computing device. Then, a unique identifier is associated with the computing device that uniquely identifies the computing device. The unique identifier and a sample of the contents of each of the one or more captured packets of data are then stored. The method may further comprise generating hybrid flow data by processing the stored unique identifier and the sample of the contents of each of the one or more captured packets of data. The hybrid data flow comprises the unique identifier, the sample of the contents of each of the one or more captured packets of data, derived network flow data, and derived statistical packet data.
    Type: Grant
    Filed: September 16, 2013
    Date of Patent: August 29, 2017
    Assignee: Select Technologies Corporation Limited
    Inventor: Ronald McLeod
  • Patent number: 9742637
    Abstract: A rule engine configured with at least one hash table which summarizes the rules managed by the engine. The rule engine receives rules and automatically adjusts the hash table in order to relate to added rules and/or in order to remove cancelled rules. The adjustment may be performed while the rule engine is filtering packets, without stopping. The rules may be grouped into a plurality of rule types and for each rule type the rule engine performs one or more accesses to at least one hash table to determine whether any of the rules of that type match the packet. In some embodiments, the rule engine may automatically select the rule types responsive to a set of rules provided to the rule engine and adapt its operation to the specific rules it is currently handling, while not spending resources on checking rule types not currently used.
    Type: Grant
    Filed: September 23, 2016
    Date of Patent: August 22, 2017
    Assignee: VERINT SYSTEMS LTD.
    Inventors: Eithan Goldfarb, Yitshak Yishay
  • Patent number: 9712555
    Abstract: Systems, methods, and software described herein provide security actions to computing assets of a computing environment. In one example, a method of operating an advisement system to manage security actions for a computing environment includes identifying a security incident for an asset in the environment, and obtaining enrichment information about the security incident. The method further includes identifying a rule set based on the enrichment information, identifying an action response based on the rule set, and initiating implementation of the action response in the computing environment.
    Type: Grant
    Filed: March 31, 2015
    Date of Patent: July 18, 2017
    Assignee: Phantom Cyber Corporation
    Inventors: Sourabh Satish, Oliver Friedrichs, Atif Mahadik, Govind Salinas
  • Patent number: 9699135
    Abstract: A processor-based system and method comprising a private tunnel connector operable to receive a network connection request, test the connection request for private network information, generate network connection information in response to the test, and respond to the network connection request with the network connection information. The testing may include accessing a DNS server for private network information, and receiving private domain information from a private domain server. The private tunnel connector is further operable to connect to a private domain server that is coupled to the private network connector through the Internet. The private domain server may include private cloud information such that users may create and access one or more private clouds using tunneling technologies. Domain servers and host machines may employ various encryption schemes to facilitate adding public Internet resources to the private cloud.
    Type: Grant
    Filed: June 20, 2012
    Date of Patent: July 4, 2017
    Assignee: OpenVPN Technologies, Inc.
    Inventor: Francis Dinha
  • Patent number: 9686313
    Abstract: A clickjacking protector in an electronic system helps prevent unwanted clickjacking. The elements clicked on by the click position are evaluated to determine whether any of the elements clicked on by the click position is obscured (including being transparent or partially transparent). A protective action is generated in response to a determination that an element clicked on by the click position is obscured.
    Type: Grant
    Filed: April 17, 2014
    Date of Patent: June 20, 2017
    Inventor: Robert Hansen
  • Patent number: 9680863
    Abstract: Systems, methods, and software described herein provide security actions to computing assets of a computing environment. In one example, a method of operating an advisement system to manage security actions for a computing environment includes identifying a security incident for an asset in the environment, and obtaining enrichment information about the security incident. The method further includes identifying a rule set based on the enrichment information, identifying an action response based on the rule set, and initiating implementation of the action response in the computing environment.
    Type: Grant
    Filed: March 31, 2015
    Date of Patent: June 13, 2017
    Assignee: Phantom Cyber Corporation
    Inventors: Sourabh Satish, Oliver Friedrichs, Atif Mahadik, Govind Salinas
  • Patent number: 9667486
    Abstract: Techniques for performing network address allocation, administration and management in federated cloud computing networks are described. In one example embodiment, network interface cards (NICs) in a local network services appliance and a remote network services appliance register with an associated local network cloud and remote network cloud in the federated cloud computing networks. The local cloud network and the remote cloud network are then configured to send packets with unclaimed network address to the associated registered NICs. A layer-2 (L2) network tunnel including a data channel and a control channel is then formed between the local network services appliance and the remote network services appliance by stitching the local cloud network and the remote cloud network. Network address allocation, administration and management in the federated cloud computing networks are then performed using the formed L2 network tunnel.
    Type: Grant
    Filed: August 30, 2013
    Date of Patent: May 30, 2017
    Assignee: VMware, Inc.
    Inventors: Aditya Gokhale, Abhinav Vijay Bhagwat
  • Patent number: 9661599
    Abstract: In an example embodiment, a wireless client sends a probe request frame and waits for responses to the probe frame. The responses to the probe request frame comprise encrypted data representative of the signal strength of the client as measured by the respondent that are digitally signed by the respondent's certificate. The client aggregates the responses and forwards them to a location based server.
    Type: Grant
    Filed: October 3, 2008
    Date of Patent: May 23, 2017
    Assignee: Cisco Technology, Inc.
    Inventor: Allan Thomson
  • Patent number: 9654502
    Abstract: In one embodiment, a device (e.g., switch or registry) maintains a binding table for all internet protocol (IP) addresses in a particular subnet associated with the device, and in response to receiving a neighbor solicitation (NS) lookup message from a router for a particular address, determines whether the particular address is within the binding table. When the particular address is not within the binding table, the device causes the router to not store the particular address in a neighbor discovery (ND) cache at the router (e.g., by responding to clear the cache, or ignoring to prevent state from being created). In another embodiment, the ND-requesting router ensures that the particular address is not kept in an ND cache at the router in response to the device indicating that the particular address is not within its binding table (e.g., an explicit response to clear, or absence of instruction to store state).
    Type: Grant
    Filed: March 24, 2015
    Date of Patent: May 16, 2017
    Assignee: Cisco Technology, Inc.
    Inventors: Pascal Thubert, Eric Levy-Abegnoli, Vincent J. Ribiere
  • Patent number: 9641435
    Abstract: In one example, a server executes a virtual router configured to receive an inner packet output by a virtual machine associated with a virtual network. The virtual router is further configured to offload, to a physical network interface card of the server that executes the virtual router, segmentation of the inner packet into a plurality of outbound tunnel packets each having a tunnel header for output by the physical network interface card to a physical network underlying the virtual network.
    Type: Grant
    Filed: March 28, 2014
    Date of Patent: May 2, 2017
    Assignee: Juniper Networks, Inc.
    Inventor: Rajagopalan Sivaramakrishnan
  • Patent number: 9641722
    Abstract: A method of creating a structural document may include determining a shape of a structural document, determining a plurality of dimensions of the structural document, receiving information associated with one or more content items, identifying one or more security features associated with the structural document and causing a graphical representation of the structural document to be displayed at a user computing device. A shape of the graphical representation may correspond to the determined shape, a plurality of dimensions of the graphical representation may be representative of the determined plurality of dimensions, and the graphical representation may include at least a portion of the received content items and at least a portion of the identified security features. The method may include receiving an indication that a user is finished creating the structural document, generating a print document including an encoded data mark, and providing the print document to print-related devices.
    Type: Grant
    Filed: August 24, 2012
    Date of Patent: May 2, 2017
    Assignee: Xerox Corporation
    Inventors: William J. Hannaway, William J. Nowak, Cynthia J. Ryan, Stephen C. Morgana, James Milo Sweet, Reiner Eschbach
  • Patent number: 9591031
    Abstract: Systems, methods, and instrumentalities are described to implement reporting of surveillance information associated with a device. A gateway device may intercept a communication associated with the device. The gateway device may route the communication such that the communication bypasses a core network. The gateway device may report information associated with the communication to a core network entity. The gateway device may receive a command message. The command message may include a request for a surveillance status of the device. The gateway device may send a response message. The response message may indicate a surveillance status of the device. The gateway device may receive an activate surveillance signal for the device. The gateway device may receive a deactivate surveillance signal for the device. Upon receiving the deactivate surveillance signal, the gateway device may stop further reporting.
    Type: Grant
    Filed: June 4, 2013
    Date of Patent: March 7, 2017
    Assignee: InterDigital Patent Holdings, Inc.
    Inventors: John Cartmell, Arty Chandra, Prabhakar R. Chitrapu
  • Patent number: 9537886
    Abstract: Provided are methods and systems for flagging security threats in web service requests. Specifically, a method for flagging security threats in web service requests can include receiving a request addressed to an addressee. The method can further include analyzing the request based on at least one security signature. The method can continue with determining a threat level associated with the request. The determination can be carried out based on the analysis. The method can further include creating a flag corresponding to the threat level. The method can further include inserting the flag into a network packet associated with the request, thereby creating a modified request. The method may further include sending the modified packet to the addressee. An application associated with the addressee can be operable to selectively process the request based on the threat level.
    Type: Grant
    Filed: October 23, 2014
    Date of Patent: January 3, 2017
    Assignee: A10 Networks, Inc.
    Inventor: Terrence Gareau
  • Patent number: 9485264
    Abstract: According to one embodiment, an analyzer module (AM) within a same protected network and on-premise with a web application server (WAS) detects and distinguishes between types of Denial-of-Service (DoS) attacks. The AM tracks whether test HTTP messages, which include test HTTP request messages that a signal generation module (SGM) is configured to transmit to the WAS and test HTTP response messages that the WAS is expected to transmit in response to the test HTTP request messages, are timely received. The AM is aware of a timeliness that the SGM is expected to transmit the test HTTP request messages and that the WAS is expected to transmit the test HTTP response messages. The AM detects an occurrence of a DoS attack and identifies the type of the DoS attack based upon the result of the tracking indicating that a number of the test HTTP messages have not been timely received.
    Type: Grant
    Filed: August 21, 2015
    Date of Patent: November 1, 2016
    Assignee: IMPERVA, INC.
    Inventors: Tal Arieh Be'Ery, Amichai Shulman
  • Patent number: 9473384
    Abstract: A device validates reachability of nodes of a communication network of an industrial automation and control system. The device includes a collector module configured to update a data set including discovered dataflow information by detecting direct neighbor nodes having a physical connection to a selected node, and updating the data set by adding the selected node and those direct neighbor nodes which have configured logical network constraints matching logical network constraints of the selected node. The device includes a repeater module configured to repeat the selecting of a direct neighbor node in the data set and directing the collector module to update the data set using the selected direct neighbor node. The device includes a validation module configured to validate reachability of nodes of the network by comparing the data set with a data set including designed dataflow information which defines reachability requirements for nodes of the communication network.
    Type: Grant
    Filed: March 4, 2013
    Date of Patent: October 18, 2016
    Assignee: ABB Research Ltd.
    Inventors: Hadeli Hadeli, Thanikesavan Sivanthi, Otmar Görlitz, Wolfgang Wimmer
  • Patent number: 9461965
    Abstract: Techniques are presented herein for redirection between any number of network devices that are distributed to any number of sites. A first message of a flow is received from a network endpoint at a first network device. A relationship between the endpoint and the first network device is registered in a directory that maps endpoints for network devices. A state for the flow is stored at the first network device. A second message is received for the flow which is indicative of the first endpoint at a second network device. It is determined that the second network device does not store the flow state for the flow. Querying is performed to receive information indicative of the relationship between the endpoint and the first network device. The received information is stored in a cache at the second network device. Services are applied to the second message according to the stored information.
    Type: Grant
    Filed: October 5, 2012
    Date of Patent: October 4, 2016
    Assignee: Cisco Technology, Inc.
    Inventors: Khalil A. Jabr, Ray Blair, Victor M. Moreno, Massimiliano Ardica
  • Patent number: 9456040
    Abstract: A communication system capable of enabling one or more communication devices to remotely execute one or more applications includes one or more communication devices that are coupled to a data connection. At least one of the one or more communication devices is operable to communicate a request to establish a communication session over the data connection. The system also includes one or more application servers that are coupled to the data connection. At least one of the one or more application servers is adapted to execute an application to establish the requested communication session with the at least one communication device. The at least one application server resides at a location remote from the at least one communication device. The at least one application server communicates a request for processing service to the at least one communication device. The request for processing service is communicated to the at least one communication device over the data connection.
    Type: Grant
    Filed: December 31, 2015
    Date of Patent: September 27, 2016
    Assignee: Hammond Development International, Inc.
    Inventor: Daniel D. Hammond
  • Patent number: 9455950
    Abstract: A proxy apparatus includes a processor and a memory storing instructions executed by the processor to determine whether a received packet has a corresponding application proxy and, if so, apply application proxy processing optimizations to the packet plus overlay network optimizations to the packet, wherein the application proxy processing optimizations include header reduction for header fields that remain static from transmission to transmission.
    Type: Grant
    Filed: March 14, 2014
    Date of Patent: September 27, 2016
    Assignee: Blue Coat Systems, Inc.
    Inventors: Qing Li, Sacheen Kamath, Min Hao Chen, Chris Ciborowski
  • Patent number: 9444830
    Abstract: A security management apparatus and method for a web server/web application server is provided. The security management apparatus includes a connection state table storage unit for, as a web client accesses a web server/web application server, storing connection state information, an access time, and a connection policy. A connection state information inspection unit inspects whether current connection state information is present in connection state information of the connection state table storage unit in which the connection policy is set to blocking. If current connection state information is not present, a web session reuse attack determination unit determines whether a current connection is a web session reuse attack. If the current connection is not the web session reuse attack, an attack pattern analysis unit analyzes whether an attack pattern is present. A blocking unit blocks a connection between the web client and the web server/web application server.
    Type: Grant
    Filed: September 5, 2014
    Date of Patent: September 13, 2016
    Assignee: ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTITUTE
    Inventors: Jong-Myoung Kim, Jaeseo Lee, SuYong Kim
  • Patent number: 9432387
    Abstract: This disclosure generally relates to the generation of a packet signature for packets determined to correspond to a network attack, such as a denial of service (“DoS”) attack. Specifically, a set of data packets captured during normal system operations can be analyzed to determine a set of baseline attributes. Additional packets captured during an attack can be compared to the baseline attributes, to determine, for individual packets, a probability that the packet forms a part of the attack. A packet signature can then be generated to identify attributes that are characteristic of the attack. That signature can then be used to filter out packets and mitigate the attack.
    Type: Grant
    Filed: March 27, 2015
    Date of Patent: August 30, 2016
    Assignee: Amazon Technologies, Inc.
    Inventors: Amit J. Mhatre, Andrew John Kiggins, Michael F. Diggins
  • Patent number: 9426121
    Abstract: A router is provided. The router includes a packet marking unit that inserts marking information generated based on an address of the router into a packet received by the router, according to a packet marking probability that is dynamically set, and a marking probability determination unit that calculates filtering efficiency of the router, and determines the packet marking probability based on the filtering efficiency. The marking information is used to obtain the address of the router by a device that has received the packet containing the marking information.
    Type: Grant
    Filed: June 19, 2014
    Date of Patent: August 23, 2016
    Assignee: KOREA UNIVERSITY RESEARCH AND BUSINESS FOUNDATION
    Inventors: Heejo Lee, Dongwon Seo
  • Patent number: 9419920
    Abstract: An Application-Aware Automatic Network Selection (ANS) router and method for automatic network selection, translation of data between networks, and application-specific feedback. In one embodiment, the router and method select between an Internet Protocol (IP) network and a Delay Tolerant Networking (DTN) network, monitoring the state of both networks, intercepting IP packets which could otherwise not be delivered, responding to the application that sent the packet, and translating a group of such packets into a DTN bundle; the software implementing this system resides on a network router that functions as a node on both the IP and DTN networks. In other embodiments, the system and method select between or among mobile ad hoc networks, sensor networks, vehicular networks, and satellite and deep space networks.
    Type: Grant
    Filed: February 3, 2014
    Date of Patent: August 16, 2016
    Assignee: The United States of America, as represented by the Secretary of the Navy
    Inventors: Justin Paul Rohrer, Geoffrey G. Xie
  • Patent number: 9413616
    Abstract: A method for detection of network address spoofing and false positive avoidance in a network is described herein. The network may include one or more hosts and a network management system. The network management system may identify a suspicious host in the network. A condition indicative of network address spoofing by the suspicious host may be detected. It may be determined whether the spoofing condition is expected in normal traffic of the network. In response to a determination that the spoofing condition is expected, it is determined that the suspicious host generated normal traffic.
    Type: Grant
    Filed: October 14, 2009
    Date of Patent: August 9, 2016
    Assignee: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
    Inventors: Ted T Nguyen, Lynette Nguyen
  • Patent number: 9413560
    Abstract: Various embodiments are disclosed for prioritizing network flows and providing differentiated quality of service in a telecommunications network. In some embodiments, a SecaaS can be utilized to signal flow characteristics of one or more network flows to a connector in a network so that the network can install differentiated quality of service against the one or more network flows based upon the received flow characteristics. Some embodiments enable a connector in a network to act as a PCP client to signal received flow characteristics to an upstream PCP server hosted by an adjacent access network.
    Type: Grant
    Filed: May 15, 2014
    Date of Patent: August 9, 2016
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Prashanth Patil, Tirumaleswar Reddy, Daniel Wing, William Ver Steeg
  • Patent number: 9413783
    Abstract: A system and method comprising a network interface controller having a processor configured to receive data packets, determine whether field values extracted from the packet satisfy legitimacy criteria, and based on the determination, either provide the packet to a computing device if a set of one or more legitimacy criteria is satisfied or perform a mitigation action if the set of one or more legitimacy criteria is not satisfied.
    Type: Grant
    Filed: June 2, 2014
    Date of Patent: August 9, 2016
    Assignee: Amazon Technologies, Inc.
    Inventor: David Keogh
  • Patent number: 9391958
    Abstract: A firewall device may include a forwarding component that includes a filter block. The filter block may obtain a first hardware-implemented filter, where a hardware implementation limits the first hardware-implemented filter to a maximum quantity of rules; determine whether a last rule associated with the accessed hardware-implemented filter includes a split-filter action, where the split-filter action identifies a second hardware-implemented filter; and link the second hardware-implemented filter to the first hardware-implemented filter to make the second hardware-implemented filter a logical continuation of the first hardware-implemented filter, in response to determining that the last rule includes the split-filter action.
    Type: Grant
    Filed: June 30, 2014
    Date of Patent: July 12, 2016
    Assignee: Juniper Networks, Inc.
    Inventors: Venkatasubramanian Swaminathan, Deepak Goel, Jianhui Huang, John Keen, Jean-Marc Frailong, Srinivasan Jagannadhan, Srilakshmi Adusumalli
  • Patent number: 9361581
    Abstract: A method of exchanging a rules engine decision tree cache is disclosed. The method provides for accepting a command to build a replacement rules engine decision tree cache, replacing the existing cache if the decision tree creation process is successful, retaining the existing cache if the decision tree creation process is not successful, and providing specific error messages in the event that the replacement fails. The method allows a network operator to change the rules for the rule engine without disruption of real-time service and allows for a level of error checking prior to provisioning the new decision tree.
    Type: Grant
    Filed: June 30, 2010
    Date of Patent: June 7, 2016
    Assignee: Alcatel Lucent
    Inventors: Kevin Scott Cutler, Katha Kulasingam, Felix Katz, Matthew Yee
  • Patent number: 9356964
    Abstract: One embodiment is directed to a system that comprises a network device, including at least a first port, which is configured to analyze information within one or more messages received during a session initiated by another network device. The system is configured to perform operations including determining a total number of sessions for the first port of the network device and determining whether the total number of sessions for the first port exceeds a threshold value. If the total number of sessions for the first port exceeds the threshold value, an application associated with the first port is classified as a peer-to-peer application. Thereafter, a policy may be enforced based on this classification.
    Type: Grant
    Filed: October 30, 2013
    Date of Patent: May 31, 2016
    Assignee: ARUBA NETWORKS, INC.
    Inventors: Mohan Maturi, Sridhar Kamsetty, Andrew E. Schweig
  • Patent number: 9344445
    Abstract: This disclosure describes techniques for determining whether a network session originates from an automated software agent. In one example, a network device, such as a router, includes a network interface to receive packets of a network session, a bot detection module to calculate a plurality of scores for network session data based on a plurality of metrics, wherein each of the metrics corresponds to a characteristic of a network session originated by an automated software agent, to produce an aggregate score from an aggregate of the plurality of scores, and to determine that the network session is originated by an automated software agent when the aggregate score exceeds a threshold, and an attack detection module to perform a programmed response when the network session is determined to be originated by an automated software agent. Each score represents a likelihood that the network session is originated by an automated software agent.
    Type: Grant
    Filed: December 15, 2014
    Date of Patent: May 17, 2016
    Assignee: Juniper Networks, Inc.
    Inventors: Bryan Burns, Krishna Narayanaswamy
  • Patent number: 9332291
    Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for enforcing publisher content item block requests. In one aspect, a method includes receiving a set of declared network locations for a content item and rendering the content item. A request is initiated for a resource that is referenced by the content item, and network locations fetched in response to the request are logged. A composite set of network locations that includes the fetched network locations and declared network locations is generated. The composite set of network locations is used to enforce publisher block requests.
    Type: Grant
    Filed: December 27, 2012
    Date of Patent: May 3, 2016
    Assignee: Google Inc.
    Inventors: Matthew Young-Lai, Chris Kirby, Pavel Kobyakov
  • Patent number: 9319351
    Abstract: A packet processor includes an extraction circuit, a lookup circuit, an assignment circuit, a rule matching circuit, and an action circuit. The extraction circuit generates a first set of values based on a first packet. The lookup circuit stores metadata values. Each of the metadata values corresponds to a respective metadata identifier. The assignment circuit assigns a first metadata identifier to the first packet. The lookup circuit selectively retrieves a first metadata value that corresponds to the first metadata identifier. The rule matching circuit selects a first rule from among a predetermined set of rules based on the first set of values and the first metadata value. The action circuit identifies a first action specified by the first rule and performs the first action. The first action includes modifying the first metadata value of the plurality of metadata values.
    Type: Grant
    Filed: November 26, 2013
    Date of Patent: April 19, 2016
    Assignees: Marvell Israel (M.I.S.L.) Ltd., Marvell International Ltd.
    Inventors: Michael Orr, Gad Hutt, David Melman, Uri Safrai
  • Patent number: 9288120
    Abstract: A Data Center Bridged (DCB) Information Handling System (IHS) network includes a plurality of switch IHSs that are connected together to provide the IHS network, and a management IHS coupled to each of the plurality of switch IHSs through a management network. The management IHS is configured to identify a plurality of data traffic flows and, for each identified data traffic flow, to determine a flow path through the IHS network. The flow paths include at least some of the plurality of switch IHSs, and the management IHS provides configuration information to each of the switch IHSs included in a flow path such that a quality of service (QoS) is provided for the data traffic flow along that flow path through the DCB IHS network according to the configuration information. Thus, the systems and methods utilize flow based networking to configure and manage DCB IHS networks.
    Type: Grant
    Filed: July 19, 2013
    Date of Patent: March 15, 2016
    Assignee: Dell Products L.P.
    Inventors: Gaurav Chawla, Rajesh Narayanan, Shyamkumar T. Iyer
  • Patent number: 9288233
    Abstract: A communication control apparatus controls communication between a first apparatus and a second apparatus connected to the first apparatus via a plurality of relay apparatuses. The communication control apparatus comprises: a communication path generation unit that refers to a control policy including access control and supplementary control that is other than the access control from the first apparatus to the second apparatus and refers to network configuration information about a network configuration among the first apparatus, the second apparatus, and the plurality of relay apparatuses and generates a communication path that matches the control policy from the first apparatus to the second apparatus and goes through at least one of the plurality of relay apparatuses; and a communication path control unit that instructs a relay apparatus(es) on the communication path among the plurality of relay apparatuses to execute the access control and the supplementary control included in the control policy.
    Type: Grant
    Filed: June 15, 2012
    Date of Patent: March 15, 2016
    Assignee: NEC Corporation
    Inventors: Masayuki Nakae, Masaya Yamagata, Yoichiro Morita, Hideyuki Shimonishi, Kentaro Sonoda
  • Patent number: 9280651
    Abstract: An invalid digital certificate can be saved and subsequently compared to an incoming digital certificate when performing a security check. If a subsequently provided digital certificate does not match the saved digital certificate, an error condition can be generated. Because a digital certificate can be invalid for non-malicious reasons, such technologies can be useful for improving software security.
    Type: Grant
    Filed: September 10, 2012
    Date of Patent: March 8, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Adrian Dragomir, Anish Desai, Robert St. Pierre, Marc McClure, Kevin Grey, Jianping Yin
  • Patent number: 9276954
    Abstract: A network-based publication system, to publish data over a communications network, includes an interface to receive, via the communications network and from a first user, user data to be published by a network-based publication system. The publication system further includes a publisher component to generate publication data (e.g., an HTML document) including the user data and function modifying code. The publisher component generates the publication data in accordance with a publication format. The interface publishes the publication data via the communications network. The function modifying code is interpreted and executed, at a browser application, to disable (or modify) at least one function of a programming language supported by the browser application.
    Type: Grant
    Filed: June 27, 2014
    Date of Patent: March 1, 2016
    Assignee: eBay Inc.
    Inventor: Jeremy A. Davis
  • Patent number: 9258319
    Abstract: Disclosed are various embodiments for detecting and responding to attacks on a computer network. One embodiment of such a method describes monitoring data communications transmitted to a target class of first computing nodes; in response to detecting a non-legitimate data communication to a computing node in the target class, determining whether the non-legitimate data communication is a form of attack on a network to which the computing nodes are connected; and in response to determining that the network is under attack, implementing new security measures for second computing nodes that are not part of the target class to protect the second computing nodes against the attack on the network while the attack is ongoing.
    Type: Grant
    Filed: June 28, 2013
    Date of Patent: February 9, 2016
    Assignee: Amazon Technologies, Inc.
    Inventor: Gregory A. Rubin
  • Patent number: 9253156
    Abstract: Systems and computer program products are provided for dynamically defining network access control rules. A placeholder for a parameter of an interface to an endpoint such as a data processing system or virtual machine may be provided in a network access control rule, instead of a static parameter. The parameter may be dynamically determined, by a firewall or a hypervisor for example, and the placeholder may be replaced with the dynamically determined parameter.
    Type: Grant
    Filed: June 9, 2011
    Date of Patent: February 2, 2016
    Assignee: International Business Machines Corporation
    Inventor: Vivek Kashyap
  • Patent number: 9253157
    Abstract: Methods are provided for dynamically defining network access control rules. A placeholder for a parameter of an interface to an endpoint such as a data processing system or virtual machine may be provided in a network access control rule, instead of a static parameter. The parameter may be dynamically determined, by a firewall or a hypervisor for example, and the placeholder may be replaced with the dynamically determined parameter.
    Type: Grant
    Filed: April 18, 2012
    Date of Patent: February 2, 2016
    Assignee: International Business Machines Corporation
    Inventor: Vivek Kashyap
  • Patent number: 9246814
    Abstract: A communication system includes: a plurality of communication nodes; and a control apparatus that controls packet processing of the plurality of communication nodes. The control apparatus further includes: a virtualization unit that configures a virtual node(s) from a plurality of communication nodes among the plurality of communication nodes; a control unit that sets a processing rule for a packet in at least one communication node of the plurality of communication nodes included in the virtual node(s), so that the at least one communication node executes packet processing corresponding to an operation of the virtual node(s); and a path calculation unit that calculates a forwarding path of a packet, based on a virtual network topology including the virtual node(s). The plurality of communication nodes process a packet corresponding to the forwarding path, in accordance with the processing rule.
    Type: Grant
    Filed: February 6, 2012
    Date of Patent: January 26, 2016
    Assignee: NEC CORPORATION
    Inventors: Yuta Ashida, Toshio Koide
  • Patent number: 9246810
    Abstract: Methods and apparatus for improving hash-based load balancing with per-hop seeding are disclosed. The methods and apparatus described herein provide a set of techniques that enable nodes to perform differing mathematical transformations when selecting a destination link. The techniques include manipulation of seeds, hash configuration mode randomization at a per node basis, per node/microflow basis or per microflow basis, seed index generation, and member selection. A node can utilize any, or all, of the techniques presented in this disclosure simultaneously to improve traffic distribution and avoid path starvation with a degree of determinism.
    Type: Grant
    Filed: March 12, 2012
    Date of Patent: January 26, 2016
    Assignee: BROADCOM CORPORATION
    Inventors: Brad Matthews, Puneet Agarwal
  • Patent number: 9246933
    Abstract: A computer-implemented method for detecting malicious email attachments may include (1) identifying a shortcut file received as an attachment to an email, wherein the shortcut file is configured to open a target file, (2) analyzing the shortcut file to identify at least one attribute of the shortcut file, wherein the attribute comprises information about the shortcut file useful for determining whether text accurately characterizes the shortcut file, (3) identifying accompanying text in the email that characterizes the attachment, and (4) determining that the attachment is malicious by comparing the attribute of the shortcut file with the accompanying text in the email that characterizes the attachment and, based on the comparison, determining that the accompanying text does not accurately characterize the shortcut file. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: July 25, 2012
    Date of Patent: January 26, 2016
    Assignee: Symantec Corporation
    Inventor: Bhaskar Krishnappa
  • Patent number: 9215177
    Abstract: The disclosure herein describes an edge device of a network for distributed policy enforcement. During operation, the edge device receives an initial packet for an outgoing traffic flow, and identifies a policy being triggered by the initial packet. The edge device performs a reverse lookup to identify at least an intermediate node that is previously traversed by the initial packet and traffic parameters associated with the initial packet at the identified intermediate node. The edge device translates the policy based on the traffic parameters at the intermediate node, and forwards the translated policy to the intermediate node, thus facilitating the intermediate node in applying the policy to the traffic flow.
    Type: Grant
    Filed: June 24, 2013
    Date of Patent: December 15, 2015
    Assignee: VMware, Inc.
    Inventors: Jayant Jain, Anirban Sengupta, Debashis Basak, Serge Maskalik, Weiqing Wu, Aravind Srinivasan, Todd Sabin
  • Patent number: 9215190
    Abstract: A computing system implemented method, in one embodiment, can include a cloud control module receiving a constraint for cloud architecture. In addition, the method can include the cloud control module receiving a plurality of cloud service provider capabilities. Furthermore, the method can include the cloud control module filtering the plurality of cloud service provider capabilities to identify a cloud service provider capable of satisfying the constraint. Moreover, the method can include the cloud control module outputting an instruction for a resource from the cloud service provider.
    Type: Grant
    Filed: October 9, 2014
    Date of Patent: December 15, 2015
    Assignee: Accenture Global Services Limited
    Inventors: Teresa S. Tung, Joseph F. Tobolski, Kishore S. Swaminathan
  • Patent number: 9215211
    Abstract: A system and method of guaranteeing the presence of secure and tamper-proof remote files over a distributed communication medium, such as the Internet, is provided. The system and method automatically detects, and then self-repairs corrupt, modified or non-existent remote files. The method first performs an integrity check on a remote file and then determines whether the integrity check passed. If the integrity check passed, then the user goes through the authentication process as normal. If the integrity check fails, then the present invention redirects to an install module in order to prepare to reinstall the remote file. Via the install module, the present invention then reinstalls the remote file and the user is then taken through the authentication process as normal.
    Type: Grant
    Filed: June 16, 2014
    Date of Patent: December 15, 2015
    Assignee: Citibank, N.A.
    Inventors: Steve Vlcan, Bikram Singh Bakshi
  • Patent number: 9214004
    Abstract: A method for measuring performance of virtual desktop services offered by a server including a processor is described. A first encoded watermark is embedded into user interface display generated by a virtual desktop when initiating an operation. The first encoded watermark includes pixels identifying the operation and indicating its initiation. A second encoded watermark is embedded into the user interface upon completion of the operation indicating completion of the operation. An action performance time is then computed and stored in a memory. Multiple performance times may be compiled from multiple operations of multiple virtual desktops to assess the performance of the system as a whole.
    Type: Grant
    Filed: October 13, 2011
    Date of Patent: December 15, 2015
    Assignee: VMware, Inc.
    Inventors: Banit Agrawal, Rishi N. Bidarkar, Sunil Satnur, Vikram Makhija
  • Patent number: 9210170
    Abstract: Securing access to one or more applications in an enterprise zone (e.g., a set of protected applications) is disclosed. A last activity time associated with a use of at least one mobile application in the protected subset may be retrieved from a shared storage location associated with a protected subset of two or more protected mobile applications. It may be determined that the last activity time is within a session expiration time period associated with the protected subset. Access to one or more applications in the protected subset may be allowed without credential verification based at least in part on the determination.
    Type: Grant
    Filed: December 20, 2013
    Date of Patent: December 8, 2015
    Assignee: MOBILE IRON, INC.
    Inventors: Mansu Kim, Joshua Sirota, Suresh Kumar Batchu