Packet Filtering Patents (Class 726/13)
  • Patent number: 9197362
    Abstract: The present invention provides a system and method for the development and maintenance of a globally distributed state session table wherein a plurality of client connections from one network are stored in a plurality of computer systems to track the aforementioned connections to one or more secondary networks. Client connection requests may originate anywhere on the Internet and server responses to such client requests may be sent asymmetrically from any other point on the Internet. The client-server connection is secured utilizing an intermediary device that acts as a transparent relay, generating a secret cookie hash for the client, such that only the data packets containing such hash are forwarded by the globally distributed system to the server.
    Type: Grant
    Filed: March 17, 2014
    Date of Patent: November 24, 2015
    Inventor: Mehdi Mahvi
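Patent 9197362 above describes a transparent relay that issues a secret cookie hash per client and forwards only packets carrying it, so that any node of a distributed system can make the forwarding decision without sharing session state. The Python below is an added illustration of that idea written for this page, not code from the patent or its inventor. It assumes the cookie is a truncated HMAC over the client/server association under a secret shared by all relay nodes (the patent does not specify how the hash is built, so this construction is an assumption), and it uses constructed packet dicts in place of real packets.

```python
import hmac
import hashlib

# Assumed for the example: one secret shared by every relay node, so a node other
# than the one that issued the cookie can still validate it (the asymmetric return
# path in the abstract). A real deployment would rotate it and bind it to a time window.
RELAY_SECRET = b"example-shared-relay-secret"
COOKIE_LEN = 16  # bytes of the HMAC-SHA256 output carried in each packet


def issue_cookie(client_ip: str, client_port: int, server_ip: str, server_port: int,
                 secret: bytes = RELAY_SECRET) -> bytes:
    """Derive the secret cookie for one client-server association.

    The cookie is a keyed hash of the association, so no per-connection state is
    needed: whichever relay receives a later packet recomputes it and compares.
    """
    msg = f"{client_ip}:{client_port}->{server_ip}:{server_port}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()[:COOKIE_LEN]


def relay_packet(packet: dict, secret: bytes = RELAY_SECRET) -> bool:
    """Return True if the relay should forward this packet to the server.

    `packet` is a constructed dict with src, sport, dst, dport and cookie (bytes
    or None). The comparison is constant-time so the cookie cannot be recovered
    one byte at a time through timing differences.
    """
    presented = packet.get("cookie")
    if not presented:
        return False  # no cookie: dropped before any work is done for the sender
    expected = issue_cookie(packet["src"], packet["sport"],
                            packet["dst"], packet["dport"], secret)
    return hmac.compare_digest(presented, expected)


def demo():
    """Three constructed packets: legitimate, spoofed source, and no cookie."""
    good = issue_cookie("198.51.100.7", 40000, "203.0.113.10", 443)
    accepted = relay_packet({"src": "198.51.100.7", "sport": 40000,
                             "dst": "203.0.113.10", "dport": 443, "cookie": good})
    # The same cookie presented from a different source address fails, because
    # the hash binds the cookie to the client that was issued it.
    spoofed = relay_packet({"src": "198.51.100.8", "sport": 40000,
                            "dst": "203.0.113.10", "dport": 443, "cookie": good})
    bare = relay_packet({"src": "198.51.100.7", "sport": 40000,
                         "dst": "203.0.113.10", "dport": 443, "cookie": None})
    return accepted, spoofed, bare


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Because the cookie is derived rather than stored, a relay that has never seen the client can still validate it; the price is that the shared secret becomes the thing to protect, and binding the cookie to a coarse time window (not shown) is what stops a captured cookie from being replayed indefinitely.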
  • Patent number: 9191399
    Abstract: The present disclosure describes one or more systems, methods, routines and/or techniques for detection of infected network devices via analysis of responseless outgoing network traffic. A computer implemented method may include executing a routine that receives as input first packet information. The method may include executing a routine that analyzes the first packet information to determine whether the first packet information identifies an outgoing network packet that is associated with the initiation of a network communication. The method may include executing a routine that causes storage and/or tracking, in one or more data stores, of the first packet information if the first packet information is determined to be a potential responseless packet. The method may include executing a routine that causes removal and/or ends tracking of the first packet information if the first packet information is determined to not be a responseless packet based on analysis of second packet information.
    Type: Grant
    Filed: September 11, 2012
    Date of Patent: November 17, 2015
    Assignee: The Boeing Company
    Inventors: Aaron R. Davis, Timothy M. Aldrich
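The Boeing patent 9191399 above tracks outgoing packets that initiate a communication and flags those that never receive a matching reply, a signal that a host is trying to reach command-and-control infrastructure that is down, sinkholed or firewalled. The Python below is an added worked example for this page, not Boeing's or the patent's code. It runs over a constructed packet trace, treats a bare TCP SYN leaving the network as the initiation, ends tracking when a matching reply arrives from the peer, and reports whatever is still unanswered after a timeout, aggregated per source host. The SYN rule, the timeout and the trace are assumptions made for the example; UDP and ICMP would need their own initiation and reply rules.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float        # seconds
    direction: str   # "out" = leaving the monitored network, "in" = entering it
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flags, e.g. "S" or "SA"


def is_initiation(p: Pkt) -> bool:
    """First packet information that identifies a new outgoing communication."""
    return p.direction == "out" and p.flags == "S"


def answers(p: Pkt, init: Pkt) -> bool:
    """Second packet information proving the initiation got a response."""
    return (p.direction == "in" and p.src == init.dst and p.sport == init.dport
            and p.dst == init.src and p.dport == init.sport)


def find_responseless(packets, timeout: float, now: float):
    """Return (flagged, still_pending).

    flagged: initiations with no reply within `timeout` seconds.
    still_pending: initiations younger than the timeout at time `now`.
    """
    pending = {}   # (src, sport, dst, dport) -> initiating Pkt
    flagged = []

    def expire(t: float):
        for key, init in list(pending.items()):
            if t - init.ts > timeout:
                flagged.append(init)
                del pending[key]

    for p in sorted(packets, key=lambda x: x.ts):
        expire(p.ts)
        if is_initiation(p):
            pending[(p.src, p.sport, p.dst, p.dport)] = p
        elif p.direction == "in":
            key = (p.dst, p.dport, p.src, p.sport)   # reverse of the initiation
            init = pending.get(key)
            if init is not None and answers(p, init):
                del pending[key]   # answered: stop tracking it
    expire(now)
    return flagged, list(pending.values())


def suspects(flagged, min_count: int) -> dict:
    """Hosts with at least `min_count` responseless initiations."""
    counts = Counter(p.src for p in flagged)
    return {host: n for host, n in counts.items() if n >= min_count}


# Constructed trace: 10.0.0.9 browses normally; 10.0.0.5 keeps knocking on
# port 4444 of hosts that never answer.
SAMPLE = [
    Pkt(0.00, "out", "10.0.0.9", 51000, "93.184.216.34", 443, "S"),
    Pkt(0.05, "in", "93.184.216.34", 443, "10.0.0.9", 51000, "SA"),
    Pkt(1.00, "out", "10.0.0.5", 40001, "198.51.100.1", 4444, "S"),
    Pkt(2.00, "out", "10.0.0.5", 40002, "198.51.100.2", 4444, "S"),
    Pkt(3.00, "out", "10.0.0.5", 40003, "198.51.100.3", 4444, "S"),
    Pkt(3.50, "out", "10.0.0.9", 51001, "93.184.216.34", 443, "S"),
    Pkt(3.60, "in", "93.184.216.34", 443, "10.0.0.9", 51001, "SA"),
    Pkt(4.00, "out", "10.0.0.5", 40004, "198.51.100.4", 4444, "S"),
]

if __name__ == "__main__":
    flagged, pending = find_responseless(SAMPLE, timeout=5.0, now=60.0)
    print(suspects(flagged, min_count=3))  # {'10.0.0.5': 4}
```

The per-host threshold matters: a single unanswered SYN is noise (a down website), while a run of them to distinct hosts on one port is what the abstract's "infected device" signal looks like. Choosing `now` explicitly rather than reading the clock keeps the routine deterministic for replaying captures.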
  • Patent number: 9178715
    Abstract: In one embodiment, a method for applying security policy in an overlay network includes receiving a request, including a packet, for a communication path through an overlay network, determining whether a security policy is to be applied to the packet based on at least one of: contents of the packet, first information, and second information, selecting a communication path between a source physical switch and a destination physical switch, wherein the selected communication path directly connects the source physical switch to the destination physical switch when it is determined to not apply the security policy to the packet, and the selected communication path connects the source physical switch to the destination physical switch via a security appliance when it is determined to apply the security policy to the packet, and sending the selected communication path to the source physical switch.
    Type: Grant
    Filed: October 1, 2012
    Date of Patent: November 3, 2015
    Assignee: International Business Machines Corporation
    Inventors: Vinit Jain, Dayavanti G. Kamath, Jayakrishna Kidambi, Abhijit P. Kumbhare, Renato J. Recio
  • Patent number: 9148437
    Abstract: A network protection service for providing protective assistance to a subscribing host is presented. The network protection service is configured to determine a set of rules for filtering network traffic for a subscribing host. The network protection service is further configured to receive network traffic on behalf of the subscribing host, filter the received network traffic according to the set of rules, and forward a portion of the filtered network traffic to the subscribing host. Still further, the network protection service is configured to analyze the received network traffic via the analysis server, and refine the set of rules for filtering the received network traffic based on the analysis of the received network traffic by the analysis server.
    Type: Grant
    Filed: March 30, 2007
    Date of Patent: September 29, 2015
    Assignee: Amazon Technologies, Inc.
    Inventors: Paul G. Nordstrom, Colin Bodell, Craig A. Woods
  • Patent number: 9141798
    Abstract: Circuits and methods are provided for detecting, identifying and/or removing undesired content. According to one embodiment, a content object that is to be virus processed is stored by a general purpose processor to a system memory. Virus scan parameters for the content object are set up by the general purpose processor. Instructions from a virus signature memory of a virus co-processor are read by the virus co-processor based on the virus scan parameters. The instructions contain op-codes of a first instruction type and op-codes of a second instruction type. Those of the instructions containing op-codes of the first instruction type are assigned to a first instruction pipe of multiple instruction pipes of the virus co-processor for execution. An instruction of the assigned instructions containing op-codes of the first instruction type is executed by the first instruction pipe including accessing a portion of the content object from the system memory.
    Type: Grant
    Filed: September 12, 2014
    Date of Patent: September 22, 2015
    Assignee: Fortinet, Inc.
    Inventors: Xu Zhou, Lin Huang, Michael Xie
  • Patent number: 9143516
    Abstract: According to aspects of the disclosed subject matter, a network protection service for processing network traffic to assist a network site is presented. The network protection service is communicatively coupled to the network site over a network, and is configured to detect that the network site is experiencing adverse network conditions. Upon detecting that the network site is experiencing adverse network conditions, the network protection service causes that a portion of the network traffic intended for the network site is rerouted to the network protection service. The network protection service then forwards a portion of the network traffic rerouted to the network protection service to the network site.
    Type: Grant
    Filed: March 30, 2007
    Date of Patent: September 22, 2015
    Assignee: Amazon Technologies, Inc.
    Inventors: Paul G. Nordstrom, Colin Bodell, Craig A. Woods
  • Patent number: 9143483
    Abstract: A method and a system for anonymous communication are disclosed in the present invention, which are applied in an architecture network with Identification (ID) identifier and locator separation. The method includes: after receiving an anonymous communication request initiated by a terminal, the network allocating an anonymous ID identifier to the terminal, and recording a state of the terminal as an anonymous communication state; when the terminal is in the anonymous communication state, an access gateway device where the terminal is located replacing a source access identifier in a data message transmitted by the terminal with the anonymous ID identifier while receiving the data message; and replacing an anonymous ID identifier in a data message transmitted to the terminal with the access identifier of the terminal while receiving the data message transmitted to the terminal.
    Type: Grant
    Filed: August 26, 2010
    Date of Patent: September 22, 2015
    Assignee: ZTE Corporation
    Inventors: Qiang Wu, Bing Huang, Chunbo Yao
  • Patent number: 9106661
    Abstract: A computing resource policy regime specification is received from a first user. The computing policy regime specification comprises a plurality of rules. The received computing resource policy regime specification is associated with a computing resource. An assessment of compliance by the computing resource with the computing resource policy regime specification is dispatched.
    Type: Grant
    Filed: May 9, 2014
    Date of Patent: August 11, 2015
    Assignee: Artemis Internet Inc.
    Inventor: Alexander Charles Stamos
  • Patent number: 9106666
    Abstract: An approach for enabling controlled access to a limited set of remote services associated with a device is described. A controlled access platform determines one or more network access descriptors to associate with a calling application of a device configured to access a remote service via a communication network. The controlled access platform initiates a limiting of the calling application to one or more allowed network interaction types with a remote service or a network access component associated with the device based on a profile for defining one or more allowed network interaction types between the calling application and the remote service.
    Type: Grant
    Filed: October 31, 2012
    Date of Patent: August 11, 2015
    Assignee: Verizon Patent and Licensing Inc.
    Inventor: Hassan M. Omar
  • Patent number: 9094331
    Abstract: A method and apparatus for improved approaches for detection of exploits and drift in a network is described. The method includes: determining, by a processor, a logical configuration of a network comprising a plurality of links connecting a plurality of nodes; determining, by the processor, a physical path corresponding to one of the links, the physical path including a plurality of switches of the network, wherein the processor is configured to determine whether data sent on one of the nodes to another one of the nodes by the one link is received at the other node; receiving an error detection value computed by one of the switches; and determining, by the processor, whether the error detection value corresponds with a value inaccessible to the one switch.
    Type: Grant
    Filed: January 7, 2013
    Date of Patent: July 28, 2015
    Assignee: Verizon Patent and Licensing Inc.
    Inventor: John Scott Perez
  • Patent number: 9077739
    Abstract: In one embodiment, a system can comprise an interface that receives data related to a communication session and a messaging security device component that evaluates the data and enables a security measure for preventative monitoring of a threat based on the evaluation, the security measure can be universally applied to two or more messaging formats.
    Type: Grant
    Filed: July 3, 2013
    Date of Patent: July 7, 2015
    Assignee: Cisco Technology, Inc.
    Inventors: Shamim Sharifuddin Pirzada, Anup Venkat Rao, Michael Allen Thomas, James L. Fenton, Bailey G. Szeto, Sanjay Pol, Ashok Ramaswami
  • Patent number: 9053320
    Abstract: Methods and systems provide tracking or logging requests to resolve non-existent textual identifiers and classifying the textual identifier into a predefined set of taxonomical categories to support the detection of requestors of machine generated requests to resolve textual identifiers. Detection includes calculating a measure of probability based on the analysis and classification of prior textual identifier requests from a requestor.
    Type: Grant
    Filed: August 20, 2010
    Date of Patent: June 9, 2015
    Assignee: VERISIGN, INC
    Inventor: Matthew Thomas
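Verisign's patent 9053320 above logs requests to resolve non-existent names, classifies each such name into a predefined taxonomy, and turns a requestor's history of classified requests into a probability that the requests are machine-generated (the footprint of a DGA-driven bot at a resolver). The Python below is an added example for this page, not the patent's method or Verisign's code. It assumes a three-category taxonomy (a near-miss of a name the same requestor resolved successfully, a random-looking second-level label judged by character entropy and vowel ratio, or a word-like label), assumes a Laplace-smoothed share of random-looking NXDOMAIN queries as the per-requestor score, and runs over a constructed resolver log.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log: "<ts> <client_ip> <qname> <rcode>". 10.0.0.4 makes two
# human typos; 10.0.0.7 queries algorithmically generated names.
SAMPLE_LOG = """\
1 10.0.0.4 www.example.com NOERROR
2 10.0.0.4 wwww.example.com NXDOMAIN
3 10.0.0.4 mail.example.org NOERROR
4 10.0.0.4 exmaple.com NXDOMAIN
5 10.0.0.7 kq3xz9vplmt.com NXDOMAIN
6 10.0.0.7 rb7dwqx2hgk.net NXDOMAIN
7 10.0.0.7 zzpqk3m8cvw.org NXDOMAIN
8 10.0.0.7 example.com NOERROR
9 10.0.0.7 vtq1hjzx4ycn.info NXDOMAIN
"""


def parse(log: str):
    rows = []
    for line in log.splitlines():
        ts, client, qname, rcode = line.split()
        rows.append((float(ts), client, qname.lower().rstrip("."), rcode))
    return rows


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typos of names that did resolve."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def entropy(s: str) -> float:
    """Shannon entropy in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def second_level_label(qname: str) -> str:
    parts = qname.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(qname: str, resolved_by_client) -> str:
    """Assumed taxonomy: 'typo', 'random' or 'wordlike'."""
    if any(edit_distance(qname, r) <= 2 for r in resolved_by_client):
        return "typo"
    label = second_level_label(qname)
    vowel_ratio = sum(ch in "aeiou" for ch in label) / max(len(label), 1)
    if entropy(label) >= 3.0 and vowel_ratio < 0.3:
        return "random"
    return "wordlike"


def score_requestors(rows):
    """Per-client P(machine-generated) from its classified NXDOMAIN history."""
    resolved = defaultdict(set)
    for _, client, qname, rcode in rows:
        if rcode == "NOERROR":
            resolved[client].add(qname)
    categories = defaultdict(Counter)
    for _, client, qname, rcode in rows:
        if rcode == "NXDOMAIN":
            categories[client][classify(qname, resolved[client])] += 1
    scores = {}
    for client, cats in categories.items():
        total = sum(cats.values())
        scores[client] = (cats["random"] + 1) / (total + 2)   # Laplace smoothing
    return scores, categories


if __name__ == "__main__":
    scores, categories = score_requestors(parse(SAMPLE_LOG))
    for client in sorted(scores):
        print(client, round(scores[client], 3), dict(categories[client]))
```

The smoothing keeps a requestor with one odd-looking miss from being scored as certainly malicious, and the typo category is built from that requestor's own successful lookups, so a fat-fingered corporate domain is not mistaken for a generated one. Real deployments replace the entropy rule with a trained classifier, but the per-requestor aggregation over prior requests is the part the abstract turns on.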
  • Patent number: 9049221
    Abstract: Methods, apparatus and articles of manufacture for detecting suspicious web traffic are provided herein. A method includes generating a database comprising information corresponding to each of multiple connections between one or more destinations external to an enterprise network and one or more hosts within the enterprise network, wherein said multiple connections occur over a given period of time; processing multiple additional connections between one or more destinations external to the enterprise network and one or more hosts within the enterprise network with one or more filtering operations to produce one or more filtered connections, wherein said multiple additional connections occur subsequent to said given period of time; and analyzing said filtered connections against the database to identify a connection to a destination external to the enterprise network that is not included in the information in the database.
    Type: Grant
    Filed: December 23, 2013
    Date of Patent: June 2, 2015
    Assignee: EMC Corporation
    Inventors: Ting-Fang Yen, Alina Oprea, Kaan Onarlioglu
  • Patent number: 9043909
    Abstract: An intrusion prevention system includes a processor, processing engines, buffers that are associated with a different range of reputation scores, and a storage device having a database and an application. The processor executes the application to determine that a firewall has admitted a packet, determine a reputation score for the packet from the database, provide the packet to a buffer that has a reputation score range that includes the reputation score of the packet, provide the packet from the buffer to a processing engine, process the packet in the processing engine to determine if the packet includes an exploit, and forward the packet to the protected network if the packet does not include the exploit.
    Type: Grant
    Filed: August 28, 2013
    Date of Patent: May 26, 2015
    Assignee: Dell Products, LP
    Inventor: Ashley Thomas
  • Publication number: 20150143504
    Abstract: A method implemented by an agent operating on a mobile device communicating to a cloud-based system includes opening up local listening sockets on the mobile device; redirecting outgoing traffic from all applications on the mobile device except the agent to the local listening sockets; and forwarding the outgoing traffic from the local listening sockets to the cloud-based system with additional information included therein for the cloud-based system.
    Type: Application
    Filed: December 4, 2014
    Publication date: May 21, 2015
    Applicant: Zscaler, Inc.
    Inventors: Purvi DESAI, Vikas MAHAJAN, Abhinav BANSAL
  • Patent number: 9038170
    Abstract: A system is disclosed that logs access system events. When an access system event occurs, a log entry is created for the access system event. Information from an identity profile is stored in the log entry. The identity profile pertains to a first user. The first user is the entity who caused or was involved with the access system event. In one embodiment, the access system includes identity management and access management functionality.
    Type: Grant
    Filed: February 26, 2001
    Date of Patent: May 19, 2015
    Assignee: Oracle International Corporation
    Inventors: Vrinda S. Joshi, Srinivasagapala Ramamurthy
  • Patent number: 9038178
    Abstract: Malware beaconing activity detection is disclosed, including: monitoring a plurality of conversations between an internal device and one or more external destinations; extracting feature sets based at least in part on the plurality of conversations; and determining that a conversation of the plurality of conversations is anomalous based at least in part on the extracted feature sets.
    Type: Grant
    Filed: June 25, 2012
    Date of Patent: May 19, 2015
    Assignee: EMC Corporation
    Inventor: Derek Lin
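EMC's patents 9049221 (a database of destinations seen over a baseline period, with later connections filtered down to those whose destination is absent from it) and 9038178 (feature extraction over internal-to-external conversations to find the anomalous, beacon-like ones) fit together as one pipeline. The Python below is an added example for this page, not EMC's or either patent's code. It builds the destination baseline from a first time window, then for each host/destination pair in the later window extracts simple features (connection count, coefficient of variation of the inter-connection interval, and of the payload size) and flags previously unseen destinations contacted on a near-constant period. The feature set, thresholds and connection records are assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed connection records: (timestamp, internal host, external destination, bytes out)
CONNS = [
    # baseline window (t < 1000): ordinary browsing
    (100.0, "10.0.0.2", "203.0.113.5", 1500),
    (400.0, "10.0.0.2", "203.0.113.5", 300),
    (700.0, "10.0.0.2", "203.0.113.5", 2200),
    (200.0, "10.0.0.3", "198.51.100.9", 900),
    # later window: 10.0.0.2 contacts a never-seen destination every ~60 s, fixed size
    (1000.0, "10.0.0.2", "192.0.2.44", 512),
    (1060.0, "10.0.0.2", "192.0.2.44", 512),
    (1121.0, "10.0.0.2", "192.0.2.44", 512),
    (1180.0, "10.0.0.2", "192.0.2.44", 512),
    (1240.0, "10.0.0.2", "192.0.2.44", 512),
    (1300.0, "10.0.0.2", "192.0.2.44", 512),
    # a new destination contacted irregularly (a user on a new site)
    (1005.0, "10.0.0.3", "192.0.2.77", 4000),
    (1010.0, "10.0.0.3", "192.0.2.77", 120),
    (1400.0, "10.0.0.3", "192.0.2.77", 2500),
    (1402.0, "10.0.0.3", "192.0.2.77", 90),
    (1900.0, "10.0.0.3", "192.0.2.77", 700),
    # periodic traffic to a destination that is already in the baseline
    (1030.0, "10.0.0.2", "203.0.113.5", 512),
    (1090.0, "10.0.0.2", "203.0.113.5", 512),
    (1150.0, "10.0.0.2", "203.0.113.5", 512),
    (1210.0, "10.0.0.2", "203.0.113.5", 512),
    (1270.0, "10.0.0.2", "203.0.113.5", 512),
]


def destination_baseline(conns, baseline_end: float) -> set:
    """Destinations contacted during the baseline period (the 9049221 database)."""
    return {dst for ts, _, dst, _ in conns if ts < baseline_end}


def conversation_features(conns, baseline_end: float) -> dict:
    """Per (host, destination) features over connections after the baseline."""
    groups = defaultdict(list)
    for ts, host, dst, nbytes in conns:
        if ts >= baseline_end:
            groups[(host, dst)].append((ts, nbytes))
    feats = {}
    for key, events in groups.items():
        events.sort()
        times = [t for t, _ in events]
        sizes = [b for _, b in events]
        gaps = [b - a for a, b in zip(times, times[1:])]
        # Coefficient of variation: near zero means a fixed period (beacon-like).
        interval_cv = pstdev(gaps) / mean(gaps) if len(gaps) >= 2 and mean(gaps) > 0 else None
        size_cv = pstdev(sizes) / mean(sizes) if mean(sizes) > 0 else None
        feats[key] = {"count": len(events), "interval_cv": interval_cv, "size_cv": size_cv}
    return feats


def beacon_candidates(conns, baseline_end: float, min_count: int = 5,
                      max_cv: float = 0.1, require_new: bool = True) -> list:
    """Pairs that look like beacons; with require_new, only to unseen destinations."""
    baseline = destination_baseline(conns, baseline_end)
    flagged = []
    for (host, dst), f in conversation_features(conns, baseline_end).items():
        if require_new and dst in baseline:
            continue
        if f["count"] >= min_count and f["interval_cv"] is not None and f["interval_cv"] <= max_cv:
            flagged.append((host, dst))
    return sorted(flagged)


if __name__ == "__main__":
    print(beacon_candidates(CONNS, 1000.0))                     # [('10.0.0.2', '192.0.2.44')]
    print(beacon_candidates(CONNS, 1000.0, require_new=False))  # adds ('10.0.0.2', '203.0.113.5')
```

The new-destination filter is a trade-off: it removes most candidates cheaply but hides a beacon to a destination the network already talked to during the baseline (the periodic 10.0.0.2 to 203.0.113.5 conversation in the sample), which is why the example exposes `require_new` so the feature scoring can be run over all pairs when the volume allows.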
  • Patent number: 9038161
    Abstract: Exploit nonspecific host intrusion prevention/detection methods, systems and smart filters are described. A portion of network traffic is captured and searched for a network traffic pattern, comprising: searching for a branch instruction transferring control to a first address in the memory; provided the first instruction is found, searching for a subroutine call instruction within a first predetermined interval in the memory starting from the first address and pointing to a second address in the memory; provided the second instruction is found, searching for a third instruction at a third address in the memory, located at a second predetermined interval from the second address; provided the third instruction is a fetch instruction, indicating the presence of the exploit; provided the third instruction is a branch instruction, transferring control to a fourth address in the memory, and provided a fetch instruction is located at the fourth address, indicating the presence of the exploit.
    Type: Grant
    Filed: December 10, 2012
    Date of Patent: May 19, 2015
    Assignee: TREND MICRO INCORPORATED
    Inventors: Vinay Karecha, Wei Hu
  • Patent number: 9032215
    Abstract: Management of access control in wireless networks known as smart spaces includes a framework that presents non-expert users with a consistent and intuitive interaction mechanism to manage access to devices they own in the smart space without exposing to them the complexity of the underlying security infrastructure. Access control of devices in a network can include providing an interface between a user-level tool on a first device connected to a network and security components associated with the network, communicating a passlet between the user-level tool and the interface, verifying access permission at a second device on the network where access permissions are based on the passlet, and providing a response to the first device based on the verification of the access permission in the passlet. The passlet provides access permissions based on a particular user rather than a particular device.
    Type: Grant
    Filed: June 15, 2005
    Date of Patent: May 12, 2015
    Assignee: Nokia Corporation
    Inventors: Dimitris Kalofonos, Saad Shakhshir
  • Patent number: 9032503
    Abstract: Diversity string based pattern matching is disclosed. In one embodiment, a method for inspecting multiple data patterns in a data block includes scanning the data block for a diversity string of each data pattern, where the diversity string is a subset of each data pattern. The method further includes comparing each data pattern with a respective segment of the data block only if the diversity string is present in the data block, and forwarding flag data if the data pattern matches the respective segment of the data block.
    Type: Grant
    Filed: July 31, 2008
    Date of Patent: May 12, 2015
    Inventor: Shakeel Mustafa
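Patent 9032503 above cuts the cost of multi-pattern inspection by scanning a block for a short "diversity string" taken from each pattern and performing the full comparison only where that substring occurs. The Python below is an added example, not the patent's implementation or its inventor's code. It assumes the diversity string is the k-byte window of the pattern that is rarest in a background corpus of benign traffic (here a constructed benign HTTP request), aligns each hit back to the pattern start, and counts full comparisons so the saving is visible. The block and patterns are constructed for the example.

```python
from collections import Counter


def kgrams(data: bytes, k: int):
    """All k-byte windows of `data`, in order."""
    return (data[i:i + k] for i in range(len(data) - k + 1))


def choose_diversity_string(pattern: bytes, k: int, background: Counter) -> bytes:
    """The k-gram of `pattern` least common in benign traffic (ties broken by bytes).

    A rare substring means few false hits, so few full comparisons.
    """
    k = min(k, len(pattern))
    return min(kgrams(pattern, k), key=lambda w: (background.get(w, 0), w))


def scan(block: bytes, patterns, background: Counter, k: int = 4):
    """Return (matches, comparisons).

    matches: sorted list of (pattern, offset) where the whole pattern is present.
    comparisons: how many full pattern comparisons were actually performed.
    """
    matches = set()
    comparisons = 0
    for pat in patterns:
        div = choose_diversity_string(pat, k, background)
        off = pat.index(div)          # where the diversity string sits inside the pattern
        pos = block.find(div)
        while pos != -1:
            start = pos - off         # candidate start of the full pattern
            if start >= 0:
                comparisons += 1
                if block[start:start + len(pat)] == pat:
                    matches.add((pat, start))
            pos = block.find(div, pos + 1)
    return sorted(matches, key=lambda m: m[1]), comparisons


# Constructed data: one benign request used as the background corpus, followed
# by a request carrying a path traversal.
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
ATTACK = b"GET /cgi-bin/../../../etc/passwd HTTP/1.1\r\n"
BLOCK = BENIGN + ATTACK
BACKGROUND = Counter(kgrams(BENIGN, 4))
PATTERNS = [b"../../../etc/passwd", b"/bin/sh -c", b"HTTP/1.1"]

if __name__ == "__main__":
    found, n = scan(BLOCK, PATTERNS, BACKGROUND)
    for pat, offset in found:
        print(offset, pat)
    print("full comparisons:", n)  # 4, against len(BLOCK) * len(PATTERNS) for a naive scan
```

The saving depends entirely on how rare the diversity string is in real traffic: a substring common in benign data (such as "/1.1" here) forces a full comparison at every occurrence, which is why a frequency table built from live traffic, not a fixed offset into the pattern, should drive the choice.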
  • Patent number: 9032504
    Abstract: A system and a method for operating a plurality of information handling systems forming a network are provided. The system includes a host computer processing unit (CPU); a baseboard management controller (BMC); and a switch having a first port coupled to the host CPU, a second port coupled to the BMC, and an external port coupled to a network; wherein the switch is configured to perform lookups and send an ingress traffic including an internet content to the host CPU, and to send the ingress traffic including a management content to the BMC accordingly. A computer program product including a non-transitory computer readable medium having computer readable and executable code for instructing a processor in a management unit for a plurality of information handling systems forming a network to perform a method using a system as above is also provided.
    Type: Grant
    Filed: December 10, 2012
    Date of Patent: May 12, 2015
    Assignee: Dell Products L.P.
    Inventors: Vivek Dharmadhikari, Marc Randolph, Allan Redenbaugh
  • Publication number: 20150128227
    Abstract: Systems and methods are described for using a client agent operating in a virtual private network environment to intercept HTTP communications. Methods include: intercepting at the network layer, by a client agent executing on a client, an HTTP request from an application executing on the client; modifying the HTTP request; and transmitting, via a transport layer connection, the modified HTTP request to a server. Additional methods may comprise adding, removing, or modifying at least one cookie in the HTTP request. Still other methods may comprise modifying at least one name-value pair contained in the HTTP request. Corresponding systems are also described.
    Type: Application
    Filed: January 12, 2015
    Publication date: May 7, 2015
    Applicant: Citrix Systems, Inc.
    Inventors: Junxiao He, Charu Venkatraman, Ajay Soni
  • Publication number: 20150128247
    Abstract: A method and system for selective web traffic blocking are provided herein. The method may include: receiving a request from a user to receive a resource from a web server; collecting data from the received request; applying either background device inspection or foreground device inspection in response to the received request, based on the collected data; receiving fingerprint data in response to inspection; and providing a rule how to respond to the user based on the fingerprint data. The system comprises a service node to receive a request from a user to receive a resource from a web server, to collect data from the received request and to apply either background device inspection or foreground device inspection based on the collected data, and a centralized device reputation center to receive fingerprint data and to provide to said service node a rule how to respond to the user based on the fingerprint data.
    Type: Application
    Filed: May 8, 2013
    Publication date: May 7, 2015
    Inventors: Shay Rapaport, Erez Azaria
  • Publication number: 20150128246
    Abstract: A system is disclosed for protecting a network against malicious attacks or attempts for unauthorized access. A network is connected to an external network by a number of firewalls. Inspectors detect packets blocked by the firewalls and some or all of the packets are directed to a labyrinth configured to emulate an operational network and respond to the packets in order to engage an attacker. Blocked packets may be detected by comparing packets entering and exiting a firewall. Packets for which corresponding packets are not received within a transit delay may be identified as blocked. Entering and exiting packets may be compared by comparing only header information. A central module may receive information from the inspectors and generate statistical information and generate instructions for the inspectors, such as blacklists of addresses known to be used by attackers.
    Type: Application
    Filed: November 7, 2013
    Publication date: May 7, 2015
    Applicant: Attivo Networks Inc.
    Inventors: Marc Feghali, Albert Young, Mano Murthy, John F. Wakerly, Harihara Mahesh, Atul Shrivastava
  • Patent number: 9027138
    Abstract: Novel solutions for detecting and/or treating malware on a subscriber's premise network. Such solutions can include, but are not limited to, tools and techniques that can detect, and/or enable the detection of, malware infections on individual subscriber devices within the subscriber's network. In a particular embodiment, for example, a premise gateway, or other device on the subscriber's premise network, is configured to analyze packets traveling through the premise gateway and, based on that analysis, identify one or more subscriber devices that are infected with malware.
    Type: Grant
    Filed: June 29, 2012
    Date of Patent: May 5, 2015
    Assignee: CenturyLink Intellectual Property LLC
    Inventors: Michael Glenn, Donald J. Smith, John Butala
  • Patent number: 9021575
    Abstract: An agent on a device within a network receives a request to access a resource outside the network. A first encrypted connection is established between the device and the agent, and a second encrypted connection is established between the agent and the resource, to facilitate encrypted communication traffic between the device and the resource. The agent sends a policy request to a network appliance within the network, the request specifying the resource. The agent receives a policy response indicating that the resource is associated with one or more security policies of the network. Traffic passing between the device and the resource is selectively decrypted and inspected depending on the security policies.
    Type: Grant
    Filed: May 8, 2013
    Date of Patent: April 28, 2015
    Assignee: iboss, Inc.
    Inventor: Paul Michael Martini
  • Patent number: 9021251
    Abstract: A communication network is operated by receiving traffic from a user device at a gateway device associated with a gateway service provider, which manages gateways to both secure and insecure networks. The gateway uses security policies to determine if traffic is destined to the secure or insecure network and applies appropriate policies which cause the traffic to be routed, dropped, or analyzed.
    Type: Grant
    Filed: November 2, 2009
    Date of Patent: April 28, 2015
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Deepak Chawla, William R. Beckett, III
  • Patent number: 9021090
    Abstract: The communications management systems manage access to a local area network or network content by external users, applications, and devices. The systems and methods are implemented on a network appliance to manage content within the network and facilitate content transmission through a firewall that separates the network from a larger networking environment, such as the World Wide Web.
    Type: Grant
    Filed: May 29, 2012
    Date of Patent: April 28, 2015
    Assignee: Seagate Technology LLC
    Inventors: James A. Savage, Tim Bucher
  • Patent number: 9021272
    Abstract: The present invention relates to key management in a secure microcontroller, and more particularly, to systems, devices and methods of automatically and transparently employing logic or physical address based keys that may also be transferred using dedicated buses. A cryptographic engine translates a logic address to at least one physical address, and processes a corresponding data word based on at least one target key. The target key is selected from a plurality of keys based on the logic or physical address. A universal memory controller stores each processed data word in the corresponding physical address within a memory. Each key is associated with a memory region within the memory, and therefore, the logic or physical address associated with a memory region may be used to automatically identify the corresponding target key. A dedicated secure link may be used to transport key request commands and the plurality of keys.
    Type: Grant
    Filed: August 28, 2012
    Date of Patent: April 28, 2015
    Assignee: Maxim Integrated Products, Inc.
    Inventors: Vincent Debout, Frank Lhermet, Yann Yves René Loisel, Grégory Rome, Christophe Tremlet
  • Publication number: 20150113629
    Abstract: The disclosure is related to monitoring data traffic of user equipment through a monitoring node. A monitoring node may receive a data packet from user equipment registered for a monitoring service through a secure channel. The monitoring node may perform a monitoring operation on the received data packet and determine whether the received data packet is a malicious packet or a non-malicious packet. When the received data packet is a non-malicious packet, the monitoring node may transmit the data packet to a destination through a communication network.
    Type: Application
    Filed: October 20, 2014
    Publication date: April 23, 2015
    Inventors: Tae-Min PARK, Bong-Ki KIM, Hyun-Ho JEONG, Young-Hun HWANG
  • Publication number: 20150113630
    Abstract: A computerized system and method for processing network content in accordance with at least one content processing rule is provided. According to one embodiment, the network content is received at a first interface. A transmission protocol according to which the received network content is formatted is identified and used to intercept at least a portion of the received network content. The intercepted portion of the network content is redirected to a proxy, which buffers the redirected portion of network content. The buffered network content is scanned in accordance with a scanning criterion and processed in accordance with the at least one content processing rule based on the result of the scanning. The processed portion of network content may be forwarded using a second interface.
    Type: Application
    Filed: December 29, 2014
    Publication date: April 23, 2015
    Applicant: FORTINET, INC.
    Inventor: Andrew Krywaniuk
  • Patent number: 9015822
    Abstract: A system and method for providing DTN services to legacy applications is provided. According to one example, a method for providing delay tolerant networking (DTN) services to legacy applications includes acts of intercepting a packet addressed to a software application, the packet including a payload, the software application being resident on a first computer, determining suitability of the packet for DTN processing and encoding the payload into a DTN bundle. According to another example, a system for providing delay tolerant networking (DTN) services to legacy applications includes a network interface, a memory and a controller coupled to the network interface and the memory. In this example, the controller is configured to intercept a packet addressed to a software application, the packet including a payload, the software application being resident on a computer, determine suitability of the packet for DTN processing and encode the payload into a DTN bundle.
    Type: Grant
    Filed: November 12, 2009
    Date of Patent: April 21, 2015
    Assignee: Raytheon Company
    Inventor: Erwin W. Bathrick
  • Patent number: 9015823
    Abstract: Some embodiments provide a method for configuring a logical firewall in a hosting system that includes a set of nodes. The logical firewall is part of a logical network that includes a set of logical forwarding elements. The method receives a configuration for the firewall that specifies packet processing rules for the firewall. The method identifies several of the nodes on which to implement the logical forwarding elements. The method distributes the firewall configuration for implementation on the identified nodes. At a node, the firewall of some embodiments receives a packet, from a managed switching element within the node, through a software port between the managed switching element and the distributed firewall application. The firewall determines whether to allow the packet based on the received configuration. When the packet is allowed, the firewall sends the packet back to the managed switching element through the software port.
    Type: Grant
    Filed: November 15, 2012
    Date of Patent: April 21, 2015
    Assignee: Nicira, Inc.
    Inventors: Teemu Koponen, Ronghua Zhang, Pankaj Thakkar, Martin Casado
  • Publication number: 20150106913
    Abstract: A method, an apparatus, a host, and a network system for processing a packet. The method includes receiving, by a physical host through a virtual bridge in the physical host, a network packet sent by a source virtual machine in the physical host, where the network packet carries a source media access control (MAC) address and a target MAC address; obtaining, by the physical host according to the source MAC address and the target MAC address by querying correspondence between each virtual machine MAC address and a security domain, a security domain to which the source virtual machine corresponds and a security domain to which a target virtual machine corresponds; and controlling, by the physical host, the virtual bridge to discard the network packet, when the security domain to which the source virtual machine corresponds is different from a security domain corresponding to the virtual bridge.
    Type: Application
    Filed: December 18, 2014
    Publication date: April 16, 2015
    Inventors: Yuchen Wang, Xueping Wu
  • Publication number: 20150106912
    Abstract: The present disclosure describes illustrative, non-limiting embodiments of systems, apparatuses, and methods that can be used to facilitate the remote monitoring and support for manufacturing machines. In one particular embodiment, the techniques may be realized as a method for remote monitoring comprising the steps of storing a measurement taken of an injection molding machine to a machine controller associated with that machine; receiving operation data for the injection molding machine including the stored measurement from the machine controller; and remotely displaying the received data including the stored measurement to a first user at a location distant from the machine.
    Type: Application
    Filed: October 16, 2014
    Publication date: April 16, 2015
    Inventors: Carl J. BRANDON, Lawrence R. KELLER, Mark R. VANZANT
  • Patent number: 9007929
    Abstract: A system for correlating communication packets across different communication networks includes a first monitoring agent in a first network for collecting local identifying information of a communication packet at a communication node. The first monitoring agent pairs the local identifying information with a public identifying information of the packet for a second network. The first monitoring agent further adds a timestamp to the collected information. A second monitoring agent in the second network receives a communication packet from the communication node and collects public identifying information of the packet. The second monitoring agent adds a time-stamp to the collected information. A third monitoring agent in the second network receives the information collected by the first and the second monitoring agents and correlates packets based on the received information.
    Type: Grant
    Filed: December 30, 2010
    Date of Patent: April 14, 2015
    Assignee: International Business Machines Corporation
    Inventors: William Duchenay, Yohann A. Duchenay, Paul B. French, Paul F. Klein, Cathal O'Donovan
  • Patent number: 9009461
    Abstract: An HTTP request addressed to a first resource on a second device outside the network is received from a first device within the network. The HTTP request is redirected to a third device within the network. A first encrypted connection is established between the first device and the third device, and a second encrypted connection between the third device and the second device. The third device retrieves the first resource from the second device. The first resource is modified to change pointers within the first resource to point to a location in a domain associated with the third device within the network. The third device serves, to the first device, the second resource.
    Type: Grant
    Filed: August 14, 2013
    Date of Patent: April 14, 2015
    Assignee: iboss, Inc.
    Inventor: Paul Michael Martini
  • Publication number: 20150101036
    Abstract: Provided is effective protection of a machine which is connected to a network by including a monitoring unit configured to monitor an apparatus which receives a data packet through a network, a storage unit configured, when abnormality of the apparatus is detected, to store a first data packet which causes the abnormality, a comparison unit configured to compare a second data packet received by the apparatus and the first data packet, a specification unit configured to specify a portion in the first data packet which is changed by a threshold or more from the second data packet, and a registration unit configured to register data of the specified portion.
    Type: Application
    Filed: September 26, 2014
    Publication date: April 9, 2015
    Inventors: Hisashi Kojima, Masahiro Nakada
  • Patent number: 9003511
    Abstract: In one embodiment, a method of improving the security of a computing device comprises using a computing device that has received one or more messages that have been determined as unauthorized, obtaining a plurality of state data values from one or more of the computing device, the one or more messages, and a second computer; before admitting the one or more messages to a data communications network that the computing device is configured to protect: using the computing device and pseudo-random selection logic, based on the state data values, pseudo-randomly selecting a particular policy action from among a plurality of different stored policy actions; using the computing device, acting upon the one or more messages using the particular policy action; wherein the method is performed using one or more computing devices.
    Type: Grant
    Filed: July 22, 2014
    Date of Patent: April 7, 2015
    Assignee: Shape Security, Inc.
    Inventor: Siying Yang
  • Patent number: 9003509
    Abstract: A method and system for improving the security and control of internet/network web application processes, such as web applications. The invention enables validation of requests from web clients before the request reaches a web application server. Incoming web client requests are compared to an application model that may include an allowed navigation path within an underlying web application. Requests inconsistent with the application model are blocked before reaching the application server. The invention may also verify that application state data sent to application servers has not been inappropriately modified. Furthermore, the invention enables application models to be automatically generated by employing, for example, a web crawler to probe target applications. Once a preliminary application model is generated it can be operated in a training mode. An administrator may tune the application model by adding a request that was incorrectly marked as non-compliant to the application model.
    Type: Grant
    Filed: December 10, 2008
    Date of Patent: April 7, 2015
    Assignee: F5 Networks, Inc.
    Inventor: David Movshovitz
  • Publication number: 20150096009
    Abstract: A network traffic system includes a network traffic mangling application for modifying a signature of packets that are transmitted in the network traffic system. The network traffic mangling application includes a user module control agent and a kernel module for executing the network traffic mangling application. The user control module agent modifies and mangles the behavior of the kernel module and communicates with the kernel module.
    Type: Application
    Filed: October 1, 2014
    Publication date: April 2, 2015
    Inventors: George ZOULIAS, Joshua MADDEN
  • Publication number: 20150096008
    Abstract: A method for providing authoritative application-based routing and an improved application firewall, as well as a method for application classification, is described. The first embodiment, which provides a method for authoritative application-based routing, comprises tagging packets with an application identifier, and pushing the tagged packets to the network to enable the application identifier to be used in routing and priority decisions. In the second embodiment, a method for improving application firewall comprises using the application identifier to minimize the amount of processing required by the firewall when analyzing packet information.
    Type: Application
    Filed: September 30, 2013
    Publication date: April 2, 2015
    Applicant: Cisco Technology, Inc.
    Inventors: Todd Short, Andrew Zawadowskiy, Antonio Martin, Vincent E. Parla
  • Publication number: 20150096010
    Abstract: A method of packet management for restricting access to a resource of a computer system. The method includes identifying client parameters and network parameters, as a packet management information, used to determine access to the resource, negotiating a session key between client and server devices, generating a session ID based on at least the negotiated session key, inserting the packet management information and the session ID into each information packet sent from the client device to the server device, monitoring packet management information in each information packet from the client device, and filtering out respective information packets sent to the server device from the client device when the monitored packet management information indicates that access to the resource is restricted.
    Type: Application
    Filed: December 8, 2014
    Publication date: April 2, 2015
    Inventors: Dennis Vance Pollutro, Kiet Tuan Tran, Srinivas Kumar
  • Patent number: 8996618
    Abstract: A method for facilitating a sequenced, anonymous communications session in a communications environment is provided in one example that includes receiving, from a first endpoint, an anonymous, sequenced request for a communication session involving a second endpoint. The communication session is sequenced to occur at designated periods provided by the end user(s) and/or an administrator, while maintaining end user(s) anonymity.
    Type: Grant
    Filed: November 23, 2013
    Date of Patent: March 31, 2015
    Assignee: Match.com, L.L.C.
    Inventor: Michael G. Bustamente
  • Patent number: 8995271
    Abstract: In one implementation, a communications flow analysis system determines whether a communications flow between a source and a destination should be retained. If the communications flow should be retained, the communications flow analysis system injects an extraneous data set into the communications flow in response to determining that the communications flow should be retained.
    Type: Grant
    Filed: April 30, 2012
    Date of Patent: March 31, 2015
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Wei Lu, Orion Suydam, Gregory K Adams
  • Patent number: 8996855
    Abstract: A client application, when executed by a processor, is operative to create a HyperText Transfer Protocol (HTTP) request containing a target header that includes a confidential value. The HTTP request is to be sent over a Secure Sockets Layer (SSL) 3.0 connection or a Transport Layer Security (TLS) 1.0 connection to a web server. The client application implements at its HTTP layer a countermeasure to a blockwise chosen-boundary attack. The client application generates an additional header having a header name that is not recognizable by the web server and inserts the additional header into the HTTP request ahead of the target header, thus creating a modified HTTP request. The modified HTTP request is to be sent, instead of the unmodified HTTP request, over the SSL 3.0 connection or the TLS 1.0 connection to the web server.
    Type: Grant
    Filed: November 14, 2012
    Date of Patent: March 31, 2015
    Assignees: BlackBerry Limited, Certicom Corp.
    Inventors: Alexander Sherkin, Gregory Marc Zaverucha, Alexander Truskovsky, Michael Matovsky, Osman Zohaib Arfeen
  • Patent number: 8997204
    Abstract: Techniques for modifying packet filters in a wireless communication network are described. In one scheme, packet filters may be performed with multiple operations, if needed. The operation(s) to be performed and the order of performing the operation(s) may be dependent on the number of existing packet filters to be replaced (N) and the number of new packet filters (M). If N=M, then N packet filters in a traffic filter template may be replaced with a single operation. If N>M, then M packet filters in the traffic filter template may be replaced first, and N−M packet filters may be deleted from the traffic filter template next. If N<M, then M−N new packet filters may be added to the traffic filter template first, and N packet filters in the traffic filter template may be replaced next. In another scheme, packet filters are modified with a single operation using dummy packet filters, if needed.
    Type: Grant
    Filed: November 8, 2012
    Date of Patent: March 31, 2015
    Assignee: QUALCOMM Incorporated
    Inventors: Uppinder Singh Babbar, Rashmi Char, Senthil K. Viswanathan, Srinivas Reddy Mudireddy
  • Patent number: 8997200
    Abstract: An electronic device for communication in a data network including a communication circuit adapted for performing the network communication, which communication includes controlling a plurality of network layers, the layers including a physical layer, a link layer and at least one higher order layer, the communication circuit includes a protective circuit for identifying unwanted data. The electronic device is characterized in that the protective circuit is arranged to monitor data during transmission of data from the electronic device, and identify unwanted data, and the communication circuit is adapted to avoid transmission of the unwanted data identified by the protective circuit. In this way the network is protected against excessive traffic, for example during a Denial of Service attack.
    Type: Grant
    Filed: May 16, 2013
    Date of Patent: March 31, 2015
    Assignee: ABB Research Ltd.
    Inventors: Kevin McGrath, Alexander Wold
  • Patent number: 8997203
    Abstract: In some implementations, a method for routing communication includes determining a binding interface for a communication session based on a forwarding information base (FIB) and a destination for the communication session. The communication session is from an application running on user equipment (UE), and the binding interface is included in a virtual private network (VPN) tunnel established through an Internet Protocol (IP) security (IPsec) interface. Whether to filter the communication session is determined based on which perimeter of the UE includes the binding interface and which perimeter of the UE includes the IPsec interface.
    Type: Grant
    Filed: August 7, 2012
    Date of Patent: March 31, 2015
    Assignee: BlackBerry Limited
    Inventors: Chi Chiu Tse, Jason Songbo Xu, Ania Halliop, Chun Hei Justin Lai
  • Publication number: 20150089628
    Abstract: A firewall/router is configured in a best practices approach for security and performance and, as such, greatly enables non-technical consumers to install it as a gateway point in a small network setting. Certain embodiments provide a means to monitor network usage, configure content filtering, schedule hours of access for certain networked devices and specify which network devices may connect to the WAN. It is envisioned that certain embodiments may also be capable of sending alerts to designated and configurable targets. WAN access may be granted or blocked or throttled on a per network device basis using parameters such as, but not limited to, time of day, throttling characteristics, and classification of the content being served by the target resource.
    Type: Application
    Filed: September 23, 2014
    Publication date: March 26, 2015
    Inventor: Michael Lang