Entries

Document | Title | Date |
--- | --- | --- |
20080201772 | Method and Apparatus for Deep Packet Inspection for Network Intrusion Detection - In a method of determining whether a data stream includes unauthorized data, the data stream is analyzed using a hardware filter to detect a presence of one or more of a first set of patterns in the data stream. It is determined whether a packet in the data stream belongs to one of a plurality of data flows to be further inspected based on the analysis of the data stream by the hardware filter. A set of rules is applied to the packet to produce rule match status data if it is determined that the packet belongs to one of the plurality of data flows to be further inspected. The packet is analyzed to determine if the packet includes unauthorized data using software stored on a computer-readable medium and implemented on a processor if the rule match status data indicates that the packet potentially includes unauthorized data. | 08-21-2008 |
20080209540 | FIREWALL INCLUDING LOCAL BUS - A gateway for screening packets transferred over a network. The gateway includes a plurality of network interfaces, a memory and a memory controller. Each network interface receives and forwards messages from a network through the gateway. The memory temporarily stores packets received from a network. The memory controller couples each of the network interfaces and is configured to coordinate the transfer of received packets to and from the memory using a memory bus. The gateway includes a firewall engine coupled to the memory bus. The firewall engine is operable to retrieve packets from the memory and screen each packet prior to forwarding a given packet through the gateway and out an appropriate network interface. A local bus is coupled between the firewall engine and the memory providing a second path for retrieving packets from memory when the memory bus is busy. | 08-28-2008 |
20080229404 | AUTOMATED METHODS AND PROCESSES FOR ESTABLISHING MEDIA STREAMING CONNECTIONS THROUGH FIREWALLS AND PROXY SERVERS AND COUNTERMEASURES THERETO - A streaming media application attempting to establish a streaming media connection first attempts to establish the connection directly using a format such as UDP. If no direct connection can be established, the media application attempts to establish a connection through a proxy server using proxy server information obtained from installed software components such as browsers that manage Internet connections. If necessary, an auto configuration web page is utilized to obtain the proxy server address. The invention also includes methods for blocking streaming media connections. | 09-18-2008 |
20080235785 | Method, Apparatus, and Computer Program Product for Routing Packets Utilizing a Unique Identifier, Included within a Standard Address, that Identifies the Destination Host Computer System - A computer-implemented method, apparatus, and computer program product are disclosed in a data processing environment that includes host computer systems that are coupled to adapters utilizing a switched fabric for routing packets between the host computer systems and the adapters. A unique destination identifier is assigned to one of the host computer systems. A portion of a standard format packet destination address is selected. Within a particular packet, the portion is set equal to the unique identifier that is assigned to the host computer system. The particular packet is then routed through the fabric to the host computer system using the unique destination identifier. | 09-25-2008 |
20080244725 | METHOD AND APPARATUS FOR MANAGING PACKET BUFFERS - According to one example embodiment of the inventive subject matter, there is described herein a method and apparatus for securely and efficiently managing packet buffers between protection domains on an Intra-partitioned system using packet queues and triggers. According to one embodiment described in more detail below, there is provided a method and apparatus for optimally transferring packet data across contexts (protected and unprotected) in a commodity operating system. | 10-02-2008 |
20080244726 | FIREWALL SYSTEM FOR INTERCONNECTING TWO IP NETWORKS MANAGED BY TWO DIFFERENT ADMINISTRATIVE ENTITIES - Firewall system for interconnecting a first IP network ( | 10-02-2008 |
20080250491 | METHOD OF TRANSMITTING INFORMATION EFFECTIVELY IN SERVER/CLIENT NETWORK AND SERVER AND CLIENT APPARATUSES USING THE SAME - A method for transmitting information effectively in a server/client network system is provided, the network system including a client placed behind a firewall and a server that provides the client with a predetermined service. The method includes the client generating a hole packet which is for making a hole in the firewall to allow a packet to pass through the firewall from the server, the hole being maintained for a certain period of time, and transmitting the hole packet to the firewall; and transmitting a packet from the server to the client through the hole made by the hole packet. | 10-09-2008 |
20080271134 | Method and system for combined security protocol and packet filter offload and onload - A network interface card (NIC) includes a security association database (SADB) comprising a plurality of security associations (SAs), a cryptographic offload engine configured to decrypt a packet using one of the plurality of SAs, a security policy database (SPD) comprising a plurality of security policies (SPs) and a plurality of filter policies, and a policy engine configured to determine an admittance of the packet using one of the plurality of SPs from the SPD and apply one of the plurality of filter policies to the packet. | 10-30-2008 |
20080282339 | ATTACK DEFENDING SYSTEM AND ATTACK DEFENDING METHOD - An attack defending system allows effective defense against attacks from external networks even when a communication system uses a communication path encryption technique such as SSL. A firewall device and a decoy device are provided. The firewall device refers to the header of an input IP packet and, when it is determined that the input IP packet is suspicious, it is guided into the decoy device. The decoy device monitors a process providing a service to detect the presence or absence of attacks. When an attack has been detected, an alert including the attack-source IP address is sent to the firewall device so as to reject subsequent packets from attack source. | 11-13-2008 |
20080295163 | Method and Apparatus for Updating Anti-Replay Window in Ipsec | 11-27-2008 |
20080301798 | Apparatus and Method for Secure Updating of a Vulnerable System over a Network - An apparatus interposed between a vulnerable system and a network for secure updating of the system includes an internal interface connected to the system; an external interface connected to the network; and one or more filter modules for filtering out specific incoming network packets to block possible network attacks. The filtering may comprise filtering out all incoming TCP SYN packets; filtering out all incoming TCP SYN packets and UDP packets; and/or only allowing packets pertinent to any outgoing connection initiated by the system. | 12-04-2008 |
20080320584 | FIREWALL CONTROL SYSTEM - Generally speaking, systems, methods and media for implementing a firewall control system responsive to user authentications are disclosed. Embodiments of a method may include receiving a data request at a firewall where the data request is associated with a program. Embodiments may include determining whether an authentication plan is required to be matched for the associated program and, if so, accessing a stored authentication plan associated with the program and having one or more authentication records each having expected information relating to user access to a particular server. Embodiments may include accessing a current authentication plan from an authentication store, the current authentication plan having one or more authentication records each having information relating to user access to a particular server. Embodiments may include comparing the stored authentication plan with the received current authentication plan to determine whether they match and, in response, performing one or more firewall actions. | 12-25-2008 |
20080320585 | METHOD AND SYSTEM TO MITIGATE LOW RATE DENIAL OF SERVICE (DoS) ATTACKS - A technique to mitigate low rate Denial-of-Service (DoS) attacks at routers in the Internet is described. In phase 1, necessary flow information from the packets traversing through the router is stored in fast memory; and in phase 2, stored flow information is periodically moved to slow memory from the fast memory for further analysis. The system detects a sudden increase in the traffic load of expired flows within a short period. In a network without low rate DoS attacks, the traffic load of all the expired flows is less than certain thresholds which are derived from real Internet traffic analysis. The system can also include a filtering solution to drop attack packets. The filtering scheme treats the long-lived flows in the Internet preferentially, and drops the attack traffic by monitoring the queue length if the queue length exceeds a threshold percent of the queue limit. | 12-25-2008 |
20090013400 | Method of filtering undesirable streams coming from a terminal presumed to be malicious - A method of filtering undesirable streams coming from a terminal ( | 01-08-2009 |
20090019537 | SYSTEMS AND METHODS FOR INHIBITING ATTACKS WITH A NETWORK - Systems and methods for inhibiting attacks with a network are provided. In some embodiments, methods for inhibiting attacks by forwarding packets through a plurality of intermediate nodes when being transmitted from a source node to a destination node are provided, the methods comprising: receiving a packet at one of the plurality of intermediate nodes; determining at the selected intermediate node whether the packet has been sent to the correct one of the plurality of intermediate nodes based on a pseudo random function; and forwarding the packet to the destination node, based on the determining. In some embodiments an intermediate node is selected based on a pseudo random function. In some embodiments, systems and methods for establishing access to a multi-path network are provided. | 01-15-2009 |
20090019538 | DISTRIBUTED NETWORK SECURITY SYSTEM AND A HARDWARE PROCESSOR THEREFOR - An architecture provides capabilities to transport and process Internet Protocol (IP) packets from Layer 2 through the transport protocol layer and may also provide packet inspection through Layer 7. A set of engines may perform pass-through packet classification, policy processing and/or security processing, enabling packet streaming through the architecture at nearly the full line rate. A scheduler schedules packets to packet processors for processing. An internal memory or local session database cache stores a session information database. Session information that is not in the internal memory is stored in and retrieved from an additional memory. An application running on an initiator or target can register a region of memory, which is made available to its peer for access without substantial host intervention through RDMA data transfer. A security system is also disclosed that enables a new way of implementing security capabilities inside enterprise networks in a distributed manner. | 01-15-2009 |
20090031413 | VLAN Router with Firewall Supporting Multiple Security Layers - A router containing a firewall capable of supporting a plurality of different security levels. The router of the present invention creates a plurality of Virtual Local Area Networks (VLANs) using a network switch. The VLAN Rules Table (VRT) allows a network administrator to designate a trust level for each VLAN. The trust level may be different for every VLAN and the administrator may designate different rules for each VLAN. The Security Program (SP) analyzes each packet passing through the firewall and determines if the packet is permitted under the rules for the VLAN trust level. An alternative embodiment in which the switch in the router is divided into a plurality of sub-switches is also disclosed. In the alternative embodiment, the firewall need only compare the packet to rules which were not applied in the lower trust levels, eliminating the redundant rules from the comparison process. | 01-29-2009 |
20090044263 | System and Method for On-Demand Dynamic Control of Security Policies/Rules by a Client Computing Device - A system and method for an end user to change the operation of a data flow filter mechanism, such as a firewall, that operates to control data flows between a plurality of protected computing devices and one or more non-protected computing devices. With the system and method, an administrator of a sub-network of computing devices may set a client computing device's scope of rules/policies that may be changed by a user of the client computing device, with regard to a data flow filter mechanism. The user of the client computing device, or the client computing device itself, may then log onto the data flow filter mechanism and modify the operation of the data flow filter mechanism within the limits established by the administrator. | 02-12-2009 |
20090064310 | Data relay device and data relay method - A data relay device has a plurality of security functions, sequentially executes the security functions on input data based on a predetermined rule to determine whether or not to permit relay of the data, and denies relay of the data when relay is determined to be rejected. The data relay device has a determination result acquisition unit that acquires a determination result indicating permission or rejection of relay of the data, and a rule change unit that changes, based on the determination result acquired by the determination result acquisition unit, a rule defined for any one of the security functions located ahead of the security function that determined relay rejection, so that relay of the communication data is determined to be rejected earlier. | 03-05-2009 |
20090077648 | METHOD FOR MANAGING NETWORK FILTER BASED POLICIES - A method and system are provided for adding, removing, and managing a plurality of network policy filters in a network device. Filters are installed in a framework and designated as active or disabled. Each filter has a priority. When a new filter is to be installed into the framework, it is compared to installed filters to determine if a conflict exists. If no conflict exists, the new filter is added as an active filter. If a conflict exists, a higher priority conflicting filter is added as active and a lower priority filter is added as inactive. | 03-19-2009 |
20090113540 | CONTROLLING NETWORK ACCESS - Systems and methods for controlling network access determine that a client computer on the network is in compliance with administrator-defined network health policy standards before the client computer is granted access to the network. A packet exchange mechanism is defined wherein filtering instructions from a server are converted into firewall rules on the client computer to restrict client access to remediation servers on the network. The client computer obtains update patches from the remediation servers to become compliant with network health policy standards. | 04-30-2009 |
20090119769 | CROSS-SITE SCRIPTING FILTER - A reflected cross-site scripting (XSS) mitigation technique that can be implemented wholly on the client by installing a client-side filter that prevents reflected XSS vulnerabilities. XSS filtering performed entirely on the client-side enables web browsers to defend against XSS involving servers which may not have sufficient XSS mitigations in place. The technique accurately identifies XSS attacks using carefully selected heuristics and matching suspect portions of URLs and POST data with reflected page content. The technique used by the filter quickly identifies and passes through traffic which is deemed safe, keeping performance impact from the filter to a minimum. Non-HTML MIME types can be passed through quickly as well as requests which are same-site. For the remaining requests, regular expressions are not run across the full HTTP response unless XSS heuristics are matched in the HTTP request URL or POST data. | 05-07-2009 |
20090126003 | System And Method For Providing Network And Computer Firewall Protection With Dynamic Address Isolation To A Device - A computer performs dynamic address isolation. The computer comprises an application associated with an application address, a network interface coupled to receive incoming data packets from and transmit outgoing data packets to an external network, a network address translation engine configured to translate between the application address and a public address, and a driver for automatically forwarding the outgoing data packets to the network address translation engine to translate the application address to the public address, and for automatically forwarding the incoming data packets to the network address translation engine to translate the public address to the application address. The computer may communicate with a firewall configured to handle both network-level security and application-level security. | 05-14-2009 |
20090126004 | PACKET TRANSFER DEVICE, PACKET TRANSFER METHOD, AND PROGRAM - A packet transfer apparatus is provided with: storage means configured to store a predetermined search pattern and an address identifying a predetermined apparatus; determination means configured to determine whether predetermined data in a packet received from a network interface matches the search pattern; determination means configured to determine a network interface for outputting the packet using the determination result; replacement means configured to replace an address identifying a destination apparatus of the packet with an address identifying the predetermined apparatus when outputting the packet from a network interface connected to the predetermined apparatus; and packet sending means configured to send the packet to the determined network interface. | 05-14-2009 |
20090138959 | DEVICE, SYSTEM AND METHOD FOR DROPPING ATTACK MULTIMEDIA PACKET IN THE VoIP SERVICE - Disclosed is a device for dropping an attack multimedia packet. An object of the invention is to provide a device, a system and a method for dropping an attack multimedia packet, capable of filtering received RTP packets to selectively drop an attack multimedia packet, thereby providing a stable multimedia service. According to the invention, the received RTP packet is filtered to selectively drop an attack multimedia packet, so that it is possible to provide a stable multimedia service. | 05-28-2009 |
20090144818 | SYSTEM AND METHOD FOR USING VARIABLE SECURITY TAG LOCATION IN NETWORK COMMUNICATIONS - A method of packet security management to ensure a secure connection from one network node to another. The method includes creating a security tag for each packet in a network session, selecting one of a number of possible tag locations within the packet, inserting the security tag at that location, transmitting the tagged packets from a sending node to the receiving node, authenticating the packets' security tags at the receiving node, and dropping non-authenticated packets. The method also includes determining best possible tag locations when sending a packet and locating a security tag when receiving a packet. | 06-04-2009 |
20090144819 | FLOW CLASSIFICATION FOR ENCRYPTED AND TUNNELED PACKET STREAMS - Methods and systems for solving the problem of special processing required by various communication network subsystems (e.g., QoS, security, tunneling, etc.). In some cases the processing by one communication subsystem may result in modified IP data packets, which may affect the application of additional processing to such packets. The methods and systems solve the problem by translating filters and setting up additional tunnels or other procedures based on the use case, so that all the end and intermediate nodes can do the required processing on modified packets. The methods and systems may take into consideration an overlap or intersection of two or more different types of packet filters. A first set of packet filters is translated to provide the desired packet classification for modified packets. The second set of packet filters may be translated based upon the translation applied to the first set of packet filters. | 06-04-2009 |
20090158419 | METHOD AND SYSTEM FOR PROTECTING A COMPUTER SYSTEM DURING BOOT OPERATION - A method for protecting a computer system from malicious network traffic is provided using a driver which inspects network packets. A security profile comprising packet inspection rules is compiled and stored on the computer system. During the startup or boot operation of an operating system, the driver loads the compiled security profile and inspects network packets using the inspection rules. | 06-18-2009 |
20090172803 | METHOD AND APPARATUS FOR INCREMENTALLY DEPLOYING INGRESS FILTERING ON THE INTERNET - Ingress filtering has been adopted by the IETF as a methodology for preventing denial of service congestive attacks that spoof the source address in packets that are addressed to host server victims. Unless universally adopted by all ISPs on the Internet, however, a packet's source address cannot be totally trusted to be its actual source address. To take advantage of the benefits of ingress filtering as it is gradually deployed by ISPs around the Internet, differentiated classes of service are used to transport packets whose source address can be trusted and packets whose source address cannot be trusted. A packet received by an access or edge router at an ISP that supports ingress filtering and that has a source address properly associated with the port on which it is received is forwarded in a privileged class of service, and is dropped otherwise. A packet received by an access or edge router at an ISP that does not support ingress filtering, and whose source address therefore cannot be trusted, is transported in an unprivileged class of service. At an intermediate exchange router within an intermediate ISP, where ISPs exchange packets, a packet received from an ISP that doesn't support ingress filtering is forwarded using the unprivileged class of service, while a packet received from an ISP that does support ingress filtering is forwarded using the same class of service in which it is already marked. | 07-02-2009 |
20090183252 | PACKET RELAY APPARATUS - A packet relay apparatus keeps only packets specified as authentication target packets of MAC address authentication, to reduce the number of packets to be transferred from H/W to a CPU. In addition to a source MAC address, the authentication target packet of MAC address authentication is specified by an Ethernet type, a destination IP address, a protocol, a source port number and a destination port number of TCP/UDP, and the like. In this way, the packet relay apparatus excludes a terminal not transmitting authentication target packets of MAC address authentication, from the MAC address authentication target, while allowing selection from other authentication methods such as Web authentication and IEEE802.1X authentication. | 07-16-2009 |
20090217369 | Method and system for processing packet flows, and computer program product therefor - Packet flows are processed, e.g. to perform an intrusion detection function in a communication network, by means of a multiprocessor system including a plurality of processing units. The packets are distributed for processing among the processing units via a distribution function. Such a distribution function is selectively allotted to one of the processing units of the plurality. A preferred embodiment of the arrangement involves using a single Symmetric Multi-Processor machine with a single network port connected to a Gigabit/sec link. The corresponding system architecture does not require any intermediate device or any external load balancing mechanism. All the processing work is performed on a single system, which is able to dynamically balance the traffic load among the several independent CPUs. By resorting to a specific scheduling arrangement, such a system is able to effectively distribute the computations required to perform both the load-balancing and the detection operations. | 08-27-2009 |
20090249468 | Method for establishing distributed filters in a packet-oriented network, based on abstract security defaults - A method for a packet-oriented network is provided. According to the method, after analysis of the network configuration and the existing network elements, the implementation of predefined security guidelines is automatically mapped onto the options of the different network elements and the distribution of the various security functions in the different network elements is optimized in such a way that the protection target is achieved, no network element receives too many configuration entries and no redundant functions are implemented. | 10-01-2009 |
20090249469 | PACKET TRANSFER APPARATUS - Plural retrieval units are prepared, and a retrieval unit which can reduce power consumption is selected according to the condition of a retrieval key. For example, in general, the retrieval unit including a CAM is used. However, when the condition of the retrieval key is simple, as in a case where reference is made only to TOS in an interior node of Diffserv and QoS is determined, the retrieval unit including a dscp-QoS table constituted of an FF or RGF is used and the power consumption is reduced. A CAM retrieval start determination section determines which retrieval unit performs a process, in accordance with previously set setting information or a previously set header information item. | 10-01-2009 |
20090249470 | COMBINED FIREWALLS - A method of providing a firewall to protect a set of virtual machines on a host node that is one of multiple host nodes that host virtual machines. The method stores a table of allowed connections for each virtual machine on the host node. Upon a particular virtual machine moving from the host node to another host node, the method deletes records of a first set of allowed connections that each identify the particular virtual machine and do not identify any other virtual machine in the set of virtual machines. Also upon the virtual machine moving, the method edits records of a second set of allowed connections, each identifying the particular machine and one other virtual machine in the set of virtual machines on the first host node, to remove an identifier of the particular virtual machine. | 10-01-2009 |
20090249471 | REVERSIBLE FIREWALL POLICIES - A method of determining whether to allow multiple data packets to pass a firewall, each data packet having a source address and a destination address. The method evaluates a data packet by using a first set of policies when no previous packet with an opposite address has been allowed under the first set of policies. Two packets have opposite addresses when a source address of the first of the two packets is the same as the destination address of the second of the two packets and the destination address of the first packet is the same as the source address of the second packet. The method evaluates the data packet using a second set of policies when a previous packet with an opposite address has been allowed under the first set of policies. | 10-01-2009 |
20090265778 | Attack protection for a packet-based network - The invention relates to a protection unit ( | 10-22-2009 |
20090276842 | Load-Balancing Cluster - A load-balancing cluster includes a switch having a plurality of ports; and a plurality of servers connected to at least some of the plurality of ports of the switch. Each server is addressable by the same virtual Internet Protocol (VIP) address. Each server in the cluster has a mechanism constructed and adapted to respond to connection requests at the VIP by selecting one of the plurality of servers to handle that connection, wherein the selecting is based, at least in part, on a given function of information used to request the connection; and a firewall mechanism constructed and adapted to accept all requests for the VIP address for a particular connection only on the server that has been selected to handle that particular connection. The selected server determines whether it is responsible for the request and may hand it off to another cluster member. | 11-05-2009 |
20090276843 | SECURITY EVENT DATA NORMALIZATION - Normalizing security event data from multiple different network agents. The data from the multiple different agents is categorized and tagged with a descriptor that includes information about the nature of the event. Multiple different events from multiple different devices can therefore be evaluated using a common format which is common for the multiple different devices from different vendors. | 11-05-2009 |
20090288158 | INTELLIGENT FIREWALL - An intelligent firewall that prevents unauthorized access to a system has been developed. The firewall does not use a communication address. It receives a data packet and analyzes it to determine its final disposition. Finally, the firewall handles the data packet according to its final disposition. | 11-19-2009 |
20090293114 | DIVERSITY STRING BASED PATTERN MATCHING - Diversity string based pattern matching is disclosed. In one embodiment, a method for inspecting multiple data patterns in a data block includes scanning the data block for a diversity string of each data pattern, where the diversity string is a subset of that data pattern. The method further includes comparing each data pattern with a respective segment of the data block only if its diversity string is present in the data block, and forwarding flag data if the data pattern matches the respective segment of the data block. | 11-26-2009 |
20090300751 | Unique packet identifiers for preventing leakage of sensitive information - In accordance with an aspect of the invention, leakage prevention is implemented by: a) associating, within a network, a unique identifier with a packet transmitted by a process which has previously accessed data containing sensitive information, and b) searching a packet before it exits a network for the unique identifier. This mechanism provides a strong guarantee against leakage of sensitive data out of a network by facilitating the monitoring of packets which potentially contain the sensitive information. The unique identifier may be located in the header of the packet, which is detectable without requiring a heavy investment of network resources. Additionally, a packet's movement within a network may be tracked by analyzing trapped system calls. Furthermore, an exiting packet may be analyzed by a network firewall, the firewall utilizing various policies to determine how to proceed when a packet containing a unique identifier is located. | 12-03-2009 |
20090307766 | METHOD AND APPARATUS FOR VERIFYING DATA PACKET INTEGRITY IN A STREAMING DATA CHANNEL - Disclosed is a method for verifying data packet integrity in a streaming-data channel. In the method, data packets are received from the streaming-data channel. Each data packet includes a data payload and a corresponding message integrity code. The received data packets are processed in a first processing mode, wherein the received data packets are forwarded to an application module before checking the integrity of the data packets using the respective message integrity codes. An integrity-check-failure measurement is generated for monitoring an integrity-check-failure rate in the first processing mode. If the integrity-check-failure measurement exceeds an integrity-check threshold, then the method transitions to a second processing mode. A received data packet is forwarded to the application module in the second processing mode only after passing the integrity check. | 12-10-2009 |
20090328185 | Detecting exploit code in network flows - Disclosed is a method and apparatus for detecting exploit code in network flows. Network data packets are intercepted by a flow monitor which generates data flows from the intercepted data packets. A content filter filters out legitimate programs from the data flows, and the unfiltered portions are provided to a code recognizer which detects executable code. Any embedded executable code in the unfiltered data flow portions is identified as a suspected exploit in the network flow. The executable code recognizer recognizes executable code by performing convergent binary disassembly on the unfiltered portions of the data flows. The executable code recognizer then constructs a control flow graph and performs control flow analysis, data flow analysis, and constraint enforcement in order to detect executable code. In addition to identifying detected executable code as a potential exploit, the detected executable code may then be used in order to generate a signature of the potential exploit, for use by other systems in detecting the exploit. | 12-31-2009 |
20090328186 | COMPUTER SECURITY SYSTEM - A method of packet management for restricting access to a resource of a computer system. The method includes identifying client parameters and network parameters, as a packet management information, used to determine access to the resource, negotiating a session key between client and server devices, generating a session ID based on at least the negotiated session key, inserting the packet management information and the session ID into each information packet sent from the client device to the server device, monitoring packet management information in each information packet from the client device, and filtering out respective information packets sent to the server device from the client device when the monitored packet management information indicates that access to the resource is restricted. | 12-31-2009 |
20090328187 | DISTRIBUTED WEB APPLICATION FIREWALL - A method for protecting a Web application running on a first local Web Server bases from hacker attacks, said Web Server being connectable to at least one client, the method comprising the following steps: —providing a plurality of preset rules on said Server, which correspond to specific characteristics of HTTP requests; —receiving an HTTP request on said server from the client, said HTTP request comprising a plurality of characteristics; —analyzing said characteristics of said received HTTP request in accordance with said rules provided on said server; —rejecting said HTTP request, if said rules identify said HTTP request as harmful request; —accepting said HTTP request, if said rules identify said HTTP request as trustable request; —classifying said HTTP request as doubtful request, if said rules identify said request neither as harmful request nor as trustable request; —evaluating the characteristics of said doubtful local request; —generating a learned rule on basis of the edge base evaluation. | 12-31-2009 |
20100017869 | Inferencing Data Types Of Message Components - A method of a device for filtering messages routing across a network includes extracting, by a filter configured on the device, a plurality of message components from messages received via a network. The plurality of message components is identified as having at least a field name in common, including a first field name. A learning engine configured on the device creates a list of data types for values of the first field name. The list includes one or more data types of a value of the first field name identified for each of the plurality of message components. The learning engine determines a most restrictive data type from the list of data types for the values of the first field name of the plurality of message components. | 01-21-2010 |
20100031340 | NETWORK SECURITY MODULE FOR ETHERNET-RECEIVING INDUSTRIAL CONTROL DEVICES - A high-speed security device for network connected industrial controls provides hybrid processing in tandem hardware and software security components. The software security component establishes state-less data identifying each packet that requires high-speed processing and loads a data table in the hardware component. The hardware component may then allow packets matching data of the data table to bypass the software component while passing other non-matching packets to the software component for more sophisticated state analysis. | 02-04-2010 |
20100037309 | METHOD AND APPARATUS FOR PROVIDING SECURITY IN AN INTRANET NETWORK - A method and an apparatus for providing security in an intranet network are disclosed. For example, the method receives a packet at a customer edge router, and applies an inbound access control list by the customer edge router to the packet if the packet is destined to a server in a protected server group, wherein said protected server group identifies one or more servers within the intranet network to be protected. The method applies an outbound access control list by the customer edge router to the packet if the packet is from a server in the protected server group. | 02-11-2010 |
20100037310 | DYNAMICALLY ADAPTIVE NETWORK FIREWALLS AND METHOD, SYSTEM AND COMPUTER PROGRAM PRODUCT IMPLEMENTING SAME - One embodiment creates a model of the traffic through a network firewall and uses that model to dynamically manipulate the network firewall. The firewall model defines nodes, connections between the nodes, and firewall rules applicable to the nodes, the connections between the nodes, or a combination thereof. Each of the nodes represents simultaneously a source and a destination for data packets. The firewall rules include dynamic chains of rules having defined places where firewall rules may be dynamically inserted into or deleted from the firewall while the firewall is operating on one or more machines connected to network segments where the nodes reside. | 02-11-2010 |
20100043067 | SCALABLE SECURITY SERVICES FOR MULTICAST IN A ROUTER HAVING INTEGRATED ZONE-BASED FIREWALL - A multicast-capable firewall allows firewall security policies to be applied to multicast traffic. The multicast-capable firewall may be integrated within a routing device, thus allowing a single device to provide both routing functionality, including multicast support, as well as firewall services. The routing device provides a user interface by which a user specifies one or more zones to be recognized by the integrated firewall when applying stateful firewall services to multicast packets. The user interface supports a syntax that allows the user to define subsets of the plurality of interfaces associated with the zones, and define a single multicast policy to be applied to multicast sessions associated with a multicast group. The multicast policy identifies common services to be applied pre-replication, and exceptions specifying additional services to be applied post-replication to copies of the multicast packets for the one or more zones. | 02-18-2010 |
20100050248 | NETWORK SURVEILLANCE - A method of network surveillance includes receiving network packets handled by a network entity and building at least one long-term and at least one short-term statistical profile from a measure of the network packets that monitors data transfers, errors, or network connections. A comparison of the statistical profiles is used to determine whether the difference between the statistical profiles indicates suspicious network activity. | 02-25-2010 |
20100058459 | NETWORK INTERFACE CARD WITH PACKET FILTERING FUNCTION AND FILTERING METHOD THEREOF - A network interface card with a packet filtering function and a filtering method thereof are applicable to realize packet filtering through both software and hardware manners. The network interface card includes a connection port, a first filtering module, a second filtering module, and a storage unit. The connection port is used to receive packet data from the Internet. The first filtering module is connected to the connection port, and is used to detect the packet data according to a content address memory (CAM) table. The detecting process is executed by a firmware of the network interface card. The second filtering module is connected to the first filtering module, and executes a packet content detecting procedure for detecting a content of the packet data, thereby detecting the packet data by using software/firmware respectively, and thus a working efficiency of the network interface card is enhanced. | 03-04-2010 |
20100071054 | NETWORK SECURITY APPLIANCE - Systems and methods for combating and thwarting attacks by cybercriminals are provided. Network security appliances interposed between computer systems and public networks, such as the Internet, are configured to perform defensive and/or offensive actions against botnets and/or other cyber threats. According to some embodiments, network security appliances may be configured to perform coordinated defensive and/or offensive actions with other network security appliances. | 03-18-2010 |
20100077471 | One Button Security Lockdown of a Process Control Network - Proper function and security of a complex network for communicating data within a process control system may be manually or automatically “locked-down” with a single command for an entire process control network or portions of the network. A user or application monitors network communication over multiple network devices. Once the network is configured and properly communicates data over the process control network, the application may lock down the network by deactivating or “locking out” access points on the network that are open and unused or have invalid connections. Locking down the network may essentially freeze it in a properly configured and functioning state and restrict future re-configuration of the network devices or harmful communication over an open or unused access point. When locked, if a currently connected device is unplugged and a different device is plugged into the access point, the network device may refuse the connection. | 03-25-2010 |
20100083364 | Method for Lawfully Intercepting Communication IP Packets Exchanged Between Terminals - A method for lawfully intercepting communication IP packets exchanged between terminals is provided. The method involves assigning an IP address associated with a telecommunication service provider to, for example, a sending terminal for use as its IP address in communications with a receiving terminal, the telecommunication service provider providing SIP proxy services for establishing communication between the sending and receiving terminals. The communication IP packets are intercepted in such a way that the terminals are unaware of the interception. | 04-01-2010 |
20100088756 | MULTI-PATTERN PACKET CONTENT INSPECTION MECHANISMS EMPLOYING TAGGED VALUES - Methods and apparatus for performing content inspection using multi-pattern packet content inspection mechanisms employing tagged values. Pattern data structures are employed to facilitate multi-pattern searches via corresponding string-search algorithm machines. The pattern data structures include tagged values defining search offsets and depths for corresponding search patterns. Incoming packets are classified to flows, and stored in corresponding flow queues. Flow table entries are used to identify the pattern data structure for a given flow. During content inspection, the algorithm machine employs the tagged values to effectively skip portions of a data stream up to the offset for each search pattern and to cease searching for a pattern upon reaching the depth for the pattern. | 04-08-2010 |
20100095370 | SELECTIVE PACKET CAPTURING METHOD AND APPARATUS USING KERNEL PROBE - The present invention discloses a packet capturing method using a kernel probe, which is for capturing traffic generated only by a specific application. The packet capturing method using a kernel probe comprises the steps of: acquiring the 5-tuple information of a packet associated with the application to capture by intercepting a specific set of operating system networking kernel functions using a kernel probe which intercepts calls to the functions; capturing packets inputted and outputted through a network device; and identifying traffic generated by the application by comparing the 5-tuple information with 5-tuple information of the captured packets. | 04-15-2010 |
20100107238 | SECURITY MODULE AND METHOD WITHIN AN INFORMATION HANDLING SYSTEM - A security module and method within an information handling system are disclosed. In a particular form, a processing module can include a local processor configurable to initiate access to resources of a host processing system. The processing module can also include a security module configured to enable use of the resources of the host processing system using a security metric. According to an aspect, the security module can be further configured to detect the security metric, and enable access to a resource of the host processing system in response to the security metric. The security module can further be configured to disable access to another resource of the host processing system in response to the security metric. | 04-29-2010 |
20100107239 | METHOD AND NETWORK DEVICE FOR DEFENDING AGAINST ATTACKS OF INVALID PACKETS - The present invention discloses a method and network device for defending against attacks of invalid packets, pertaining to the communication field. The method includes: receiving, by a network processor, a service feature state table from a service processing layer; receiving, by the network processor, a packet, searching the service feature state table for matching information of the packet and judging whether the packet is valid according to a search result, and if the packet is invalid, discarding the packet. The network device includes a network processor and a service processing module. With the present invention, the network processor judges whether a packet is valid according to a service feature state table and discards invalid packets early according to the judgment so as to avoid the waste of device bandwidths on the invalid packets and increase the anti-attack performance and security performance of the device. | 04-29-2010 |
20100125900 | Network Intrusion Protection - Improved techniques are disclosed for use in an intrusion prevention system or the like. For example, a method comprises the following steps performed by a computing element of a network. A packet of a flow is received, the flow comprising a plurality of packets, wherein the plurality of packets represents data in the network. A network intrusion analysis cost-benefit value is determined representing a benefit for analyzing the received packet for intrusions in relation to a cost for analyzing the received packet for intrusions. The method compares the network intrusion analysis cost-benefit value to a network intrusion analysis cost-benefit threshold to determine whether analyzing the received packet for intrusions before forwarding the received packet is warranted. Responsive to a determination that analyzing the received packet for intrusions before forwarding the received packet is not warranted, the received packet is forwarded, an indication is made that subsequent packets of the flow should be forwarded, and a determination is made whether the received packet indicates an intrusion after forwarding the received packet. | 05-20-2010 |
20100125901 | AUTOMATIC INVOCATION OF DTN BUNDLE PROTOCOL - A system and method for providing DTN services to legacy applications is provided. According to one example, a method for providing delay tolerant networking (DTN) services to legacy applications includes acts of intercepting a packet addressed to a software application, the packet including a payload, the software application being resident on a first computer, determining suitability of the packet for DTN processing and encoding the payload into a DTN bundle. According to another example, a system for providing delay tolerant networking (DTN) services to legacy applications includes a network interface, a memory and a controller coupled to the network interface and the memory. In this example, the controller is configured to intercept a packet addressed to a software application, the packet including a payload, the software application being resident on a computer, determine suitability of the packet for DTN processing and encode the payload into a DTN bundle. | 05-20-2010 |
20100132030 | INTELLIGENT INTEGRATED NETWORK SECURITY DEVICE - Methods, computer program products and apparatus for processing data packets are described. Methods include receiving the data packet, examining the data packet, determining a single flow record associated with the packet and extracting flow instructions for two or more devices from the single flow record. | 05-27-2010 |
20100132031 | METHOD, SYSTEM, AND DEVICE FOR FILTERING PACKETS - A method, system, and device for filtering packets are disclosed. The method includes: by a deep packet inspection (DPI) proxy server configured at the access-network user side, identifying the service type and/or contents of a received packet, and performing DPI filtering on the packet by using a preset DPI filtering policy according to the identified service type and/or contents. In the technical solution of the present invention, DPI proxy servers are configured at the access-network user side on a distributed basis; each DPI proxy server receives packets only from a user equipment (UE) on a customer premises network (CPN), where the UE corresponds to the DPI proxy server. Compared with the DPI server configured at the edge between the core network and the access network in the prior art, the DPI proxy server provided in embodiments of the present invention processes fewer packets, thus performing real-time DPI on the packets. | 05-27-2010 |
20100154049 | TERMINAL, SECURITY SETTING METHOD, AND PROGRAM THEREOF - [Problems to be solved] To provide a system capable of controlling a PC firewall responding to a location, thereby to prevent a third person from intruding into a PC without being restricted by an application. | 06-17-2010 |
20100162381 | HOST TRUST REPORT BASED FILTERING MECHANISM IN A REVERSE FIREWALL - Disclosed is a computer implemented method and computer program product to throttle traffic from a source internet protocol address. The reverse firewall inspects payloads of a plurality of packets each packet having a source address identical to the source internet protocol address and a target address corresponding to a receiver host. Responsive to detecting purported good content within at least one of the plurality of packets, the reverse firewall forwards packets having the source address. The reverse firewall determines whether a count of packets having the source address exceeds a safe threshold. The reverse firewall requests a demanded positive trust report from the receiver host, responsive to a determination that the count of packets having the source address exceeds the safe threshold. The reverse firewall determines whether a positive trust report is received from the receiver host that indicates that the source internet protocol address is good. The reverse firewall analyzes a header of packet having the source address without analyzing a payload of the packet, responsive to a determination that the positive trust report is received from the receiver host. | 06-24-2010 |
20100162382 | PACKET PROCESSING METHOD AND TOE HARDWARE - Provided is a TOE hardware which includes intrusion prevention system hardware for inspection and real-time interrupt against static/dynamic attacks over the network as well as fast TCP/IP processing, and a packet processing method in the TOE hardware. When a network packet is received, it is segmented to extract a header and a payload. A pattern matching inspection is performed for the payload, and the payload that passed the inspection is transferred to the host. For the header, a header inspection is performed and TCP/IP processing is performed on the header that passed the inspection. Processing on the payload is performed in parallel with processing on the header. Accordingly, the packet processing speed of the TOE hardware increases. | 06-24-2010 |
20100162383 | Cluster Architecture for Network Security Processing - A computing device may be joined to a cluster by discovering the device, determining whether the device is eligible to join the cluster, configuring the device, and assigning the device a cluster role. A device may be assigned to act as a cluster master, backup master, active device, standby device, or another role. The cluster master may be configured to assign tasks, such as network flow processing to the cluster devices. The cluster master and backup master may maintain global, run-time synchronization data pertaining to each of the network flows, shared resources, cluster configuration, and the like. The devices within the cluster may monitor one another. Monitoring may include transmitting status messages comprising indicators of device health to the other devices in the cluster. In the event a device satisfies failover conditions, a failover operation to replace the device with another standby device, may be performed. | 06-24-2010 |
20100175124 | METHODS AND APPARATUS FOR IMPLEMENTING A SEARCH TREE - Apparatus and methods are provided for implementing a firewall in a network infrastructure component. A method comprises generating a search tree for a plurality of rules. The search tree comprises a first node having a first field bounds and a first set of rules of the plurality of rules, and a plurality of child nodes for the first node. Each child node has child field bounds based on an intersection of the first field bounds and the first set of rules, and each child node is assigned a respective subset of the first set of rules based on the respective child field bounds. The method further comprises receiving a first packet, identifying a first child node of the plurality of child nodes based on values for one or more fields of the first packet, and applying the respective subset of rules assigned to the first child node to the first packet. | 07-08-2010 |
20100180333 | Communication Abuse Prevention - Communication abuse prevention techniques are described. In an implementation, a reputation level for a communication is determined based on relation information for a sender and an intended recipient of the communication. A challenge is invoked that is to be completed by the sender before the communication is sent. The challenge is selected based on the reputation level for the communication. | 07-15-2010 |
20100180334 | NETWORK APPARATUS AND METHOD FOR TRANSFERRING PACKETS - A network apparatus cluster for transferring multiple packets of a communication session to a network node includes a primary unit and a subordinate unit coupled together. The primary unit is operable for receiving the packets comprising a first packet and multiple subsequent packets, for generating a session data set indicating the communication session and a balance data set based on the first packet, and for determining that the subsequent packets belong to the communication session according to the session data set. The balance data set indicates whether the first packet is distributed to the primary unit or the subordinate unit. The subsequent packets are transferred from the primary unit to the network node according to the balance data set. | 07-15-2010 |
20100192217 | System and method for information sharing between non-secure devices - A method for communicating information packets from a first host system operating in a first security domain and in accordance with a non-secure communications protocol, using a dataguard, to a second host system operating in a second security domain different than the first security domain, and where the second host system is also operating in accordance with the non-secure communications protocol. The method may involve: using a first driver operating with the dataguard to interface the dataguard with the first host system; using a first proxy task group operating with the dataguard to interface the dataguard to the first driver and to communicate with the first driver in accordance with a protocol of the first security domain; using a second driver operating with the dataguard to interface the dataguard to the second host system; and using a second proxy task group operating with the dataguard to interface the dataguard to the second proxy task group and to communicate with the second driver in accordance with a protocol of the second security domain. | 07-29-2010 |
20100192218 | METHOD AND SYSTEM FOR PACKET FILTERING FOR LOCAL HOST-MANAGEMENT CONTROLLER PASS-THROUGH COMMUNICATION VIA NETWORK CONTROLLER - A network controller in a communication device may be operable to provide pass-through communication of local host-management traffic between a local host and a management controller within the communication device, wherein the local host may be operable to utilize its network processing resources during communication of the local host-management traffic. The network controller may use packet filtering to provide the pass-through communication, wherein the network controller may utilize a plurality of filtering rules during filtering of packets received in the network controller. The filtering rules may specify packet processing and/or forwarding actions by said network controller based on one or more specified conditions. The specified conditions may be based on one or more match criteria, wherein the match criteria comprise source address, destination address, and/or traffic type data in the received packets. Address learning mechanisms may be used in the network controller to enable configuring and/or performing packet filtering transparently. | 07-29-2010 |
20100212005 | DISTRIBUTED DENIAL-OF-SERVICE SIGNATURE TRANSMISSION - A system and method of transmitting a DDoS, or distributed denial of service, signature from an intra-network to an internet is presented. The method includes identifying a DDoS signature and employing an inter-domain routing protocol configured to enable operational information to be exchanged between nodes. The DDoS signature is embedded as payload of the standards-compliant inter-domain routing protocol. The step of embedding occurs within a network. The embedded DDoS signature is then sent from the network to an internet node outside of the network. The method further includes applying the DDoS signature to enable the internet nodes to filter packets matching the DDoS signature. | 08-19-2010 |
20100251355 | METHOD FOR OBTAINING DATA FOR INTRUSION DETECTION - A method for obtaining data for intrusion detection obtains data after forward chain filtering of a firewall. Modes of obtaining the data include a socket communication mode and a character device work mode. The method for obtaining the data for intrusion detection obtains the data filtered by the firewall, and reduces false alarms. Moreover, the method obtains the data after a network address translation (NAT) operation, so as to locate an attacker and a victim correctly. The method further obtains a decrypted Internet Protocol Security (IPsec) data packet, so as to process an IPsec data stream normally. | 09-30-2010 |
20100263040 | Method and Arrangement for Security Activation Detection in a Telecommunication System - A method and apparatus is provided for detecting the start of a secure mode by a user terminal ( | 10-14-2010 |
20100269171 | METHODS FOR EFFECTIVE NETWORK-SECURITY INSPECTION IN VIRTUALIZED ENVIRONMENTS - The present invention discloses methods for effective network-security inspection in virtualized environments, the methods including the steps of: providing a data packet, embodied in machine-readable signals, being sent from a sending virtual machine to a receiving virtual machine via a virtual switch; intercepting the data packet by a sending security agent associated with the sending virtual machine; injecting the data packet into an inspecting security agent associated with a security virtual machine via a direct transmission channel which bypasses the virtual switch; forwarding the data packet to the security virtual machine by employing a packet-forwarding mechanism; determining, by the security virtual machine, whether the data packet is allowed for transmission; upon determining the data packet is allowed, injecting the data packet back into the sending security agent via the direct transmission channel; and forwarding the data packet to the receiving virtual machine via the virtual switch. | 10-21-2010 |
20100281533 | METHOD AND APPARATUS FOR IMPLEMENTING A LAYER 3/LAYER 7 FIREWALL IN AN L2 DEVICE - Methods and apparatus for transferring packets in a packet switched communication system. A system is provided that includes an L | 11-04-2010 |
20100299742 | BIDIRECTIONAL GATEWAY WITH ENHANCED SECURITY LEVEL - A bidirectional gateway with enhanced security level between a high-security communication network and a low-security communication network. The return pathway from the low-security network to the high-security network comprises a low-speed link. The physical layer of the low-speed link differs from the physical layers involved in the high-security network and the low-security network. The low-speed link has a linking layer according to a protocol differing from the protocols used on the linking layers used on the high-security network and the low-security network. The linking layer of the low-speed link has an authentication protocol to guarantee the data's origin. | 11-25-2010 |
20100333188 | Method for protecting networks against hostile attack - An address-hopping method is provided to enhance security in computer networks. In embodiments, the method is carried out at a network node and includes storing an IP address that is temporarily valid as a destination address for the node; sequentially updating the stored IP address, at least at specified intervals of time, with new values that are each temporarily valid; and conditionally accepting or rejecting incoming packets according to whether there is a match between the destination IP address of the incoming packet and the temporarily valid IP address currently stored in the memory. | 12-30-2010 |
20100333189 | METHOD AND SYSTEM FOR ENFORCING SECURITY POLICIES ON NETWORK TRAFFIC - A computer readable medium that includes computer readable program code embodied therein. The computer readable medium causes the computer system to receive, by a data link rule enforcer, a packet from a packet source of the packets, and obtain a data link rule applying to a data link. The data link is operatively connected to the packet source, and the data link is associated with a media access control (MAC) address. The computer readable medium further causes the computer system to determine, by the data link rule enforcer, whether the packet complies with the data link rule, and drop, by the data link rule enforcer, the packet when the packet fails to comply with the data link rule. | 12-30-2010 |
20100333190 | LATENCY REDUCTION METHOD AND NETWORK CONNECTION APPARATUS - A latency reduction method executed by a network connection apparatus, includes starting to output an incoming packet before an access control processing with respect to the incoming packet has completed, and changing the incoming packet to an invalid packet and outputting the invalid packet when determined by the access control processing to discard the incoming packet. | 12-30-2010 |
20100333191 | SYSTEM AND METHOD FOR PROTECTING CPU AGAINST REMOTE ACCESS ATTACKS - A system and method that provides for protection of a CPU of a router, by establishing a management port on a router. Hosts which are connected to non-management ports of the router are denied access to management functions of a CPU of the router. The system and method can utilize an application specific integrated circuit, in conjunction with a CAM-ACL, which analyzes data packets received on the ports of the router, and the ASIC operates to drop data packets which are directed to the CPU of the router. This system and method operates to filter data packets which may be generated in attempts to hack into control functions of a network device, and the operation does not require that the CPU analyze all received data packets in connection with determining access to the control functions of the router. | 12-30-2010 |
20110004932 | Firewall for tunneled IPv6 traffic - A NAT device and method implemented on the device for filtering tunneled IPv6 traffic is disclosed. The method comprises: receiving an IP traffic stream at an ingress network interface to the NAT, performing deep packet inspection on the traffic stream to detect the tunneled IPv6 packets, and applying a filter to the IPv6 packets. | 01-06-2011 |
20110010769 | Preventing Spoofing - A method and access node for preventing spoofing while connecting subscribers to an Ethernet network. The access node includes a filter mechanism for filtering packets destined to subscribers attached to the access node. The filter mechanism includes a database of allocated IP destination addresses and MAC addresses. The filter mechanism blocks any packet directed to a subscriber but containing an incorrect IP or MAC address. The mechanism prevents users from changing their address information to illegally appropriate packets from other users or to disguise their identity. | 01-13-2011 |
20110016519 | DEVICE PROGRAMMABLE NETWORK BASED PACKET FILTER - A method is provided for filtering unwanted packets in a communication system. The communication system includes a first network, a wireless network and at least one wireless communication device. An instruction to add an entry to a blocked list is received from a specific wireless device. The entry includes blocking criteria. A first packet is received from the first network. The first packet is destined for the specific wireless communication device. If the first packet exhibits the blocking criteria included in the blocked list, the first packet is discarded before it can be distributed by the wireless network. | 01-20-2011 |
20110023108 | Mobile Radio Terminal Device Having a Filter Means and a Network Element for the Configuration of the Filter Means - A mobile radio terminal device having a communicator for communicating with network elements via data packets and a filter for monitoring the data packets, wherein the filter is implemented to receive a filter regulation from a first network element and to prevent a communication with a second network element when a data packet for communicating with the second network element does not correspond to the filter regulation. | 01-27-2011 |
20110023109 | Network Firewall Host Application Identification and Authentication - Systems for providing information on network firewall host application identification and authentication include an identifying and transmitting agent on a host computer, configured to identify each application in use, tag the application identity with a host identity, combine these and other information into a data packet, and securely transmit the data packet to the network based firewall. The embodiment also includes an application identity listener on the network based firewall, configured to receive the information data packet, decode the data packet and provide to the network based firewall the identity of the application. The network based firewall is provided with an application-awareness via an extension of firewall filtering or security policy rules via the addition of a new application identity parameter upon which filtering can be based. Other systems and methods are also provided. | 01-27-2011 |
20110030049 | System and Method for Reducing Data Stream Interruption During Failure of a Firewall Device - A system includes first and second firewalls and a controller. The first firewall is configured to perform a firewall function on a first redundant input data packet and output the first input packet as a first redundant output data packet according to the firewall function. The second firewall is configured to perform the firewall function on a second redundant input data packet and output the second input packet as a second redundant output data packet according to the firewall function. The output packets are at least substantially similar when the firewall devices function properly. The controller is configured to receive the output packets from the firewalls, transmit at a given time one of the output packets, transmit the first output packet while the second firewall is failed, and transmit the second output packet while the first firewall is failed. | 02-03-2011 |
20110035795 | PORT HOPPING AND SEEK YOU PEER TO PEER TRAFFIC CONTROL METHOD AND SYSTEM - A network apparatus, system, and method for operating a server to identify and subsequently control suspected peer-to-peer (P2P) sources transmitting traffic from a first network to a second network. A peer-to-peer source is identified by a characteristic of its destination port profile and by a characteristic of its destination host IP address profile. The method determines when port-hopping usage constitutes a data stream, and when destination IP address usage represents “Seek You” (CQ)-like call behavior, analogous to a radio invitation for any operators listening to respond. | 02-10-2011 |
20110041176 | Signal transfer point front end processor - In an SS7 network, each of a plurality of Signal Transfer Points is fronted by a front-end processor (STP-FEP) that has a network presence. The STP-FEP implements at least the MTP2 layer of the SS7 protocol stack and implements security rules at the MTP2 and MTP3 layers. | 02-17-2011 |
20110055916 | METHODS, SYSTEMS, AND COMPUTER READABLE MEDIA FOR ADAPTIVE PACKET FILTERING - The subject matter described herein includes methods, systems, and computer readable media for adaptive packet filtering. One method includes identifying at least one subset of rules in an ordered set of firewall packet filtering rules that defines a firewall policy, such that the subset contains disjoint rules. Disjoint rules are defined as rules whose order can be changed without changing the integrity of the firewall policy. Rules in the subset are sorted to statistically decrease the number of comparisons that will be applied to each packet that a firewall encounters. Packets are filtered at the firewall using the sorted rules in the subset by comparing each packet to each of the sorted rules in the subset until the packet is allowed or denied, and ceasing the comparing for the packet in response to the packet being allowed or denied, thereby achieving sub-linear searching for packets filtered using the sorted rules in the subset. | 03-03-2011 |
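The reordering idea in 20110055916 is easy to get wrong: only rules that can never match the same packet may be swapped without changing the policy. The following is an added example, not code from the patent or its assignee. It checks pairwise disjointness on a constructed five-field rule set (source prefix, destination prefix, protocol, destination-port range, action), reorders the longest pairwise-disjoint prefix by hit count, and measures the expected number of rule comparisons before and after. Rule names, addresses and hit counts are made up for the illustration.

```python
"""Added example (not from patent 20110055916): reorder a pairwise-disjoint
prefix of an ordered first-match policy by observed hit count.
Rules, field layout and hit counts below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str]        # None matches any protocol
    dport: Tuple[int, int]      # inclusive destination-port range
    action: str                 # "allow" or "deny"
    hits: int = 0               # observed matches (from counters or logs)


def disjoint(a: Rule, b: Rule) -> bool:
    """True when no packet can match both rules, so their relative order is irrelevant."""
    if not a.src.overlaps(b.src) or not a.dst.overlaps(b.dst):
        return True
    if a.proto is not None and b.proto is not None and a.proto != b.proto:
        return True
    return a.dport[0] > b.dport[1] or b.dport[0] > a.dport[1]


def matches(rule: Rule, pkt) -> bool:
    src, dst, proto, dport = pkt
    return (ip_address(src) in rule.src and ip_address(dst) in rule.dst
            and (rule.proto is None or rule.proto == proto)
            and rule.dport[0] <= dport <= rule.dport[1])


def disjoint_prefix(rules: List[Rule]) -> int:
    """Length of the longest leading run of rules that are pairwise disjoint.
    Any permutation of that run gives the same first-match result for every
    packet, and the rules after it see exactly the same residual traffic."""
    n = 0
    for i, r in enumerate(rules):
        if all(disjoint(r, rules[j]) for j in range(i)):
            n = i + 1
        else:
            break
    return n


def optimize(rules: List[Rule]) -> List[Rule]:
    """Sort the disjoint prefix by hit count (most frequent first); keep the tail in place."""
    n = disjoint_prefix(rules)
    return sorted(rules[:n], key=lambda r: r.hits, reverse=True) + rules[n:]


def filter_packet(rules: List[Rule], pkt, default="deny"):
    """First-match evaluation. Returns (action, number_of_rule_comparisons)."""
    for i, r in enumerate(rules, start=1):
        if matches(r, pkt):
            r.hits += 1
            return r.action, i
    return default, len(rules)


def expected_comparisons(rules: List[Rule]) -> int:
    """Hit-weighted cost: sum over rules of (hits x position in the list)."""
    return sum(r.hits * pos for pos, r in enumerate(rules, start=1))


def same_decisions(original, optimized, packets) -> bool:
    """Policy integrity check: both orderings must decide every packet identically."""
    return all(filter_packet(original, p)[0] == filter_packet(optimized, p)[0] for p in packets)


def sample_policy() -> List[Rule]:
    """Constructed policy: four mutually disjoint rules followed by a catch-all."""
    any4 = ip_network("0.0.0.0/0")
    return [
        Rule("r1", ip_network("10.0.0.0/8"), ip_network("192.168.1.10/32"), "tcp", (22, 22), "allow", hits=5),
        Rule("r2", any4, ip_network("192.168.1.20/32"), "tcp", (443, 443), "allow", hits=900),
        Rule("r3", any4, ip_network("192.168.1.0/24"), "udp", (0, 65535), "deny", hits=40),
        Rule("r4", any4, ip_network("192.168.1.0/24"), "tcp", (80, 80), "allow", hits=300),
        Rule("default", any4, any4, None, (0, 65535), "deny", hits=10),  # overlaps everything
    ]


SAMPLE_PACKETS = [  # (src, dst, proto, dport), constructed
    ("10.1.2.3", "192.168.1.10", "tcp", 22),
    ("8.8.8.8", "192.168.1.20", "tcp", 443),
    ("8.8.8.8", "192.168.1.5", "udp", 53),
    ("8.8.8.8", "192.168.1.5", "tcp", 25),
]


if __name__ == "__main__":
    pol = sample_policy()
    print([r.name for r in optimize(pol)])
    print(expected_comparisons(pol), expected_comparisons(optimize(pol)))
```

The catch-all rule overlaps every other rule, so it terminates the disjoint prefix and stays last; moving it would shadow the allow rules. In practice the disjointness check has to run over the full field set a platform matches on (including flags or zones), or the reordering silently changes the policy.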
20110072508 | TRUST BASED APPLICATION FILTERING - Methods, devices, and systems are provided for filtering packets and other communication messages or portions thereof. Particularly, mechanisms are provided for efficiently determining and applying a set of trust-based filtering rules. Trust scores may be assigned to various connections and packets received on a particular connection may have filtering rules applied thereto in accordance with the trust score of the connection. | 03-24-2011 |
20110078782 | IP COMMUNICATION DEVICE AS FIREWALL BETWEEN NETWORK AND COMPUTER SYSTEM - Methods, systems, and apparatuses are described for implementations of an Internet protocol (IP) communication device (e.g., an IP phone) that contains a firewall. The IP communication device is coupled between a computer system and a network. A data packet is received at a first port of the IP communication device. The data packet is filtered with the firewall included in the IP communication device. The filtered data packet may be transmitted from a second port of the IP communication device (in modified or unmodified form), or may be canceled based on the filtering. In one implementation, the first port is coupled to the network and the second port is coupled to the computer system. In another implementation, the first port is coupled to the computer system and the second port is coupled to the network. | 03-31-2011 |
20110083175 | Methods and Apparatuses for Policing and Prioritizing of Data Services - Methods and apparatuses, including computer program products, are described for policing and prioritizing of data services. Each packet in a data stream is directed to a substream policer of a plurality of substream policers. Each packet is allowed through the substream policer based on rate parameters associated with the substream policer. The packets allowed by the substream policer are directed to an aggregate policer. Each packet allowed through the substream policer is allowed through the aggregate policer based on rate parameters associated with the aggregate policer. The substream policer and the aggregate policer are charged for each packet allowed by both the substream policer and the aggregate policer. The substream policer and the aggregate policer are not charged for each packet not allowed by either the substream policer or the aggregate policer. | 04-07-2011 |
20110083176 | ASYNCHRONOUS PROCESSING OF EVENTS FOR MALWARE DETECTION - A system, method and computer program product for malware detection based on the behavior of applications running on a computer system, including: asynchronous processing of system events for malware threat analyses using application filters; analyzing events using heuristic and signature data; analyzing applications behavior and detecting abnormal behavior of “clean” applications; automatically classifying applications (i.e., detecting new versions) based on behavior analysis; automatically analyzing the reliability of web sites based on behavior triggered by the web site accesses; in enterprise networks, detecting abnormalities in configuration of user computer systems; recognizing a user by his behavior profile and using the profile for an automatic configuration of user applications. | 04-07-2011 |
20110088089 | METHOD, APPARATUS AND SYSTEM FOR MANAGING PACKET DELIVERY - Portable electronic devices typically have reduced computing resources, including reduced available bandwidth to receive communications. A method, apparatus and system is provided to manage packet delivery to electronic devices to mitigate some of these problems. | 04-14-2011 |
20110093946 | ROUTER AND METHOD FOR PROTECTING TCP PORTS UTILIZING THE SAME - A router and method for protecting transmission control protocol (TCP) ports of a local computer include receiving a SYN packet from a remote computer, recording a timestamp of the SYN packet, and counting a number of suspicious TCP connections established during a first time interval before the timestamp of the SYN packet. The router and method further include identifying the remote computer as an attacker if the counted number exceeds a preset maximum connection value, and rejecting all TCP packets transmitted from the remote computer during a second time interval after the timestamp of the SYN packet. | 04-21-2011 |
20110099621 | Process for monitoring, filtering and caching internet connections - A one-box system and process for controlling Internet usage by users on a network. The system controls usage by combining two or more of the following functions into a single operating unit: 1) monitoring and logging Internet access on a user and/or workstation basis; 2) preventing or authorizing access on a user and/or workstation basis to URLs (or groups of URLs) that have been previously designated as inappropriate or appropriate, respectively, for that user or workstation; 3) preventing or authorizing the downloading of files with any pre-designated file extension to any user or workstation; 4) blocking peer-to-peer access to any pre-designated Internet file-sharing or other service (such as Kazaa, RealPlayer, AOL Instant Messaging, etc.); 5) periodically or immediately alerting a designated representative of an attempt by any user or workstation to access a pre-determined inappropriate site or file; 6) allowing remote review of the Internet activity log for any user by anyone (such as a student's parents) with knowledge of that user's log-in information (i.e., name and password); and 7) caching downloaded Internet objects for subsequent in-network retrieval. The system and process of this invention can also be configured to perform the traditional firewall function as well. | 04-28-2011 |
20110099622 | APPARATUS FOR DETECTING AND FILTERING APPLICATION LAYER DDOS ATTACK OF WEB SERVICE - Disclosed is a DDoS attack detection and response apparatus. The DDoS attack detection and response apparatus comprises: a receiver unit receiving HTTP requests from a client terminal identified by an IP address; a data measuring unit computing the number of HTTP requests per IP address and the number of URIs per HTTP request over a certain time period; a DDoS discrimination unit comparing the number of HTTP requests per URI with a threshold value and classifying the access of the client terminal having that IP address as a DDoS attack when the number of HTTP requests per URI is larger than the threshold value; and a blocking unit blocking packets from the IP address when the DDoS discrimination unit detects a DDoS attack. | 04-28-2011 |
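Both 20110093946 (SYN rate per remote host, then a timed block of all its TCP traffic) and 20110099622 (HTTP requests per IP and URI over a period, then a block of the IP) are instances of the same primitive: a per-key sliding-window counter compared against a threshold. The block below is an added example, not code from either patent. It implements the counter once and builds both checks on top of it; window lengths, thresholds, addresses and timestamps are constructed, and SYN packets stand in for the patent's "suspicious TCP connections".

```python
"""Added example (not from patents 20110093946 / 20110099622): a shared sliding-window
counter driving (a) per-source SYN-rate blocking and (b) per-IP, per-URI HTTP flood
blocking. Thresholds, timestamps and addresses below are constructed."""
from collections import defaultdict, deque


class SlidingWindowCounter:
    """Counts events per key within the last `window` seconds.
    Timestamps are expected to be non-decreasing per key."""

    def __init__(self, window: float):
        self.window = window
        self._events = defaultdict(deque)

    def add(self, key, ts: float) -> int:
        q = self._events[key]
        q.append(ts)
        while q and q[0] < ts - self.window:   # drop events that fell out of the window
            q.popleft()
        return len(q)


class SynGuard:
    """Router-side TCP port protection: more than `max_conn` SYNs from one source
    within `window` seconds marks it an attacker, and all of its TCP packets are
    rejected for `block_for` seconds after the triggering SYN."""

    def __init__(self, window=1.0, max_conn=20, block_for=60.0):
        self.syns = SlidingWindowCounter(window)
        self.max_conn = max_conn
        self.block_for = block_for
        self.blocked_until = {}      # src -> timestamp at which the block lapses

    def on_tcp(self, src: str, ts: float, syn: bool) -> str:
        until = self.blocked_until.get(src)
        if until is not None and ts < until:
            return "reject"
        if syn and self.syns.add(src, ts) > self.max_conn:
            self.blocked_until[src] = ts + self.block_for
            return "reject"
        return "accept"


class HttpFloodGuard:
    """Application-layer DDoS check: count requests per (client IP, URI) in a window;
    above the threshold the client IP is blocked for every URI."""

    def __init__(self, window=10.0, per_uri_threshold=100):
        self.reqs = SlidingWindowCounter(window)
        self.threshold = per_uri_threshold
        self.blocked = set()

    def on_request(self, ip: str, uri: str, ts: float) -> str:
        if ip in self.blocked:
            return "block"
        if self.reqs.add((ip, uri), ts) > self.threshold:
            self.blocked.add(ip)
            return "block"
        return "allow"


def run_syn_demo():
    """Constructed trace: 6 SYNs in half a second from one host, limit 5 per second."""
    g = SynGuard(window=1.0, max_conn=5, block_for=10.0)
    attacker, user = "203.0.113.7", "198.51.100.3"
    out = [g.on_tcp(attacker, 0.1 * i, syn=True) for i in range(6)]
    out.append(g.on_tcp(attacker, 2.0, syn=False))   # data packet while blocked
    out.append(g.on_tcp(user, 2.0, syn=True))        # unrelated host is unaffected
    out.append(g.on_tcp(attacker, 11.0, syn=True))   # block lapsed, window is empty again
    return out


def run_http_demo():
    """Constructed trace: 4 requests to one URI in 4 s from one IP, threshold 3."""
    g = HttpFloodGuard(window=10.0, per_uri_threshold=3)
    out = [g.on_request("203.0.113.7", "/login", float(t)) for t in range(4)]
    out.append(g.on_request("198.51.100.3", "/login", 4.0))   # other client still served
    out.append(g.on_request("203.0.113.7", "/home", 4.0))     # blocked IP, different URI
    return out


if __name__ == "__main__":
    print(run_syn_demo())
    print(run_http_demo())
```

Keying the HTTP counter on (IP, URI) rather than on IP alone is what lets a busy proxy or NAT gateway stay under the threshold while a single client hammering one page trips it; the NAT caveat is exactly the problem 20110252469 further down addresses.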
20110113482 | Method And Apparatus For Automatic Filter Generation And Maintenance - Automatic filter generation and maintenance comprises detecting, from network packets, an IP address and a first MAC address; the IP address and the first MAC address are used to determine that the IP address and another MAC address that are detected in second network packets is an illegal binding and the other MAC address is different from the first MAC address; causing a network element to create, in an ARP filter, based on the IP address and the first MAC address, rules that cause the network element to prevent an address resolution protocol table from including a binding that includes only one of the IP address and the first MAC address; in response to detecting the IP address and said another MAC address in the second network packets, preventing the address resolution protocol table from including the illegal binding that includes the IP address and the other MAC address. | 05-12-2011 |
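20110010769 and 20110113482 both rest on one database of IP-to-MAC bindings: the first uses it to drop frames destined to a subscriber whose IP or MAC does not match the allocation, the second to keep an ARP table from ever caching a binding that shares an IP (or a MAC) with a learned pair. The block below is an added example, not code from either patent. It parses real Ethernet/IPv4 ARP payloads, learns the first binding seen per IP, emits deny rules for conflicting ones, and applies the same database to the downstream check; the frames and addresses are constructed.

```python
"""Added example (not from patents 20110010769 / 20110113482): learn IP-to-MAC bindings
from ARP frames, refuse conflicting bindings in the ARP table, and reuse the binding
database to filter frames destined to subscribers. All frames below are constructed."""
import struct
from ipaddress import IPv4Address

ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa (28 bytes)
ARP_REQUEST, ARP_REPLY = 1, 2


def parse_arp(payload: bytes):
    """Parse an Ethernet/IPv4 ARP payload; return (oper, sender_mac, sender_ip)."""
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = struct.unpack(ARP_FMT, payload[:28])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return oper, sha.hex(":"), str(IPv4Address(spa))


def build_arp(oper: int, sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Build a constructed ARP payload for the demo (target MAC left as zeros)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       bytes.fromhex(sender_mac.replace(":", "")), IPv4Address(sender_ip).packed,
                       b"\x00" * 6, IPv4Address(target_ip).packed)


class BindingFilter:
    def __init__(self):
        self.bindings = {}     # ip -> mac, first seen on the wire or provisioned (e.g. from DHCP)
        self.arp_table = {}    # bindings the network element is allowed to cache
        self.deny_rules = []   # generated ARP filter rules as (ip, mac) pairs to reject

    def provision(self, ip: str, mac: str) -> None:
        """Access-node style: bind an allocated IP to the subscriber MAC up front."""
        self.bindings[ip] = mac

    def on_arp(self, payload: bytes) -> str:
        oper, mac, ip = parse_arp(payload)
        if oper not in (ARP_REQUEST, ARP_REPLY):
            return "ignored"
        known = self.bindings.get(ip)
        if known is None:                       # first sighting: learn and cache
            self.bindings[ip] = mac
            self.arp_table[ip] = mac
            return "learned"
        if known == mac:                        # consistent with the learned pair
            self.arp_table[ip] = mac
            return "ok"
        self.deny_rules.append((ip, mac))       # same IP, different MAC: illegal binding
        return "illegal"                        # ARP table deliberately left untouched

    def downstream_allowed(self, dst_ip: str, dst_mac: str) -> bool:
        """Subscriber-side check: a frame must carry the allocated IP *and* MAC."""
        return self.bindings.get(dst_ip) == dst_mac


def run_demo():
    """Constructed sequence: legitimate host, then a spoofer claiming the same IP."""
    f = BindingFilter()
    good, spoof = "aa:bb:cc:dd:ee:01", "02:00:00:00:00:99"
    decisions = [
        f.on_arp(build_arp(ARP_REPLY, good, "10.0.0.1", "10.0.0.254")),
        f.on_arp(build_arp(ARP_REQUEST, good, "10.0.0.1", "10.0.0.2")),
        f.on_arp(build_arp(ARP_REPLY, spoof, "10.0.0.1", "10.0.0.254")),  # poisoning attempt
    ]
    return decisions, dict(f.arp_table), list(f.deny_rules), f


if __name__ == "__main__":
    d, table, rules, _ = run_demo()
    print(d, table, rules)
```

The check is deliberately one-sided: a new MAC for a known IP is rejected, but a known MAC announcing a second IP is learned, which matches hosts with several addresses. An access node that allocates addresses itself should use `provision()` and treat any unprovisioned sighting as illegal instead of learning it.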
20110119752 | METHOD AND SYSTEM FOR INCLUDING SECURITY INFORMATION WITH A PACKET - A method and system for including security information with a packet is disclosed. A packet is detected as it exits a first network and enters a second network. The first network is configured to support a network security technique, and the second network is not configured to support the network security technique. Network security information associated with the network security technique is included with the packet. A network device is configured to include network security information in overhead of a packet. A method for identifying a first network device in a network is also disclosed. Identification information of the first network is communicated to a second network device. | 05-19-2011 |
20110119753 | METHOD AND APPARATUS FOR BEST EFFORT PROPAGATION OF SECURITY GROUP INFORMATION - A method and system for best effort propagation of security group information is disclosed. The method includes determining if a reserved group identifier is associated with a destination and, if the reserved group identifier is associated with the destination, indicating that a packet received at a network node can be sent to another network node. The packet includes destination information that identifies the destination as a destination of the packet. | 05-19-2011 |
20110126277 | METHODS, SYSTEMS, AND COMPUTER READABLE MEDIA FOR PROVIDING DIAMETER SIGNALING ROUTER WITH FIREWALL FUNCTIONALITY - According to one aspect, the subject matter described herein includes a system for Diameter routing and firewall filtering. The system includes a Diameter signaling router comprising a network interface for receiving, from a first Diameter node, a first Diameter message having Diameter information. The Diameter signaling router also includes a firewall module for determining whether the first Diameter message satisfies a firewall policy. The firewall policy is based on at least a portion of the Diameter information in the first Diameter message. The Diameter signaling router further includes a routing module for forwarding at least a portion of the first Diameter message towards a second Diameter node in response to the first Diameter message satisfying the firewall policy. | 05-26-2011 |
20110131646 | APPARATUS AND METHOD FOR PREVENTING NETWORK ATTACKS, AND PACKET TRANSMISSION AND RECEPTION PROCESSING APPARATUS AND METHOD USING THE SAME - An apparatus for preventing network attacks includes: a packet buffer for storing packets received from a network; a filtering unit for filtering harmful packets based on a result of comparison between information of the received packets and preset filtering information to select a first filtering target packet; a SYN cookie handler for selecting a second filtering target packet using a SYN cookie if it is determined that there is a TCP SYN flooding attack based on the information of the received packets after said filtering; and a session manager for selecting a third filtering target packet through session management if there is a TCP flag flooding attack based on the information of the received packets after said filtering. The apparatus further includes a packet transmission and reception processing method and apparatus using the above. | 06-02-2011 |
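The SYN cookie handler in 20110131646 works because the server can answer a SYN without allocating state: the initial sequence number it sends back is a keyed function of the connection tuple and a coarse clock, and the client's ACK is validated by recomputing it. The following is an added example, not code from the patent, written in the style of the Linux implementation with a simplified bit layout (5 bits of counter, 3 bits of MSS index, 24 bits of HMAC). The secret, addresses, ports and clock values are constructed.

```python
"""Added example (not from patent 20110131646): a stateless SYN-cookie generator and
validator. Layout follows the Linux scheme loosely; secret, addresses and times are constructed."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

MSS_TABLE = (536, 1300, 1440, 1460)   # MSS values that survive the cookie (2 bits needed)
COUNT_PERIOD = 64                     # seconds per counter tick; cookies live for two ticks
MASK32 = 0xFFFFFFFF


class SynCookie:
    def __init__(self, secret: bytes):
        self.secret = secret

    def _mac(self, src, dst, sport, dport, count) -> int:
        """24-bit HMAC over the connection tuple and the counter tick."""
        msg = struct.pack("!4s4sHHI", IPv4Address(src).packed, IPv4Address(dst).packed,
                          sport, dport, count)
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:3], "big")

    @staticmethod
    def _count(now: float) -> int:
        return int(now) // COUNT_PERIOD

    def generate(self, src, dst, sport, dport, client_isn, mss, now) -> int:
        """Server ISN for the SYN-ACK. Nothing is stored for the half-open connection."""
        count = self._count(now)
        idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
        cookie = ((count & 0x1F) << 27) | (idx << 24) | self._mac(src, dst, sport, dport, count)
        return (client_isn + cookie) & MASK32   # bound to the client's own ISN

    def validate(self, src, dst, sport, dport, ack_seq, ack_num, now):
        """Check the ACK that completes the handshake. Returns the MSS if valid, else None."""
        client_isn = (ack_seq - 1) & MASK32       # ACK's seq is client_isn + 1
        server_isn = (ack_num - 1) & MASK32       # ACK's ack is server_isn + 1
        cookie = (server_isn - client_isn) & MASK32
        count_bits, idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
        if idx >= len(MSS_TABLE):
            return None
        now_count = self._count(now)
        for count in (now_count, now_count - 1):  # accept current and previous tick only
            if (count & 0x1F) == count_bits and mac == self._mac(src, dst, sport, dport, count):
                return MSS_TABLE[idx]
        return None


def run_demo():
    """Constructed handshake: valid ACK, forged ACK, and an ACK arriving too late."""
    sc = SynCookie(b"constructed-demo-secret")
    conn = ("203.0.113.7", "192.0.2.10", 51515, 80)
    client_isn = 0x11223344
    isn = sc.generate(*conn, client_isn, 1460, now=1000.0)
    ok = sc.validate(*conn, client_isn + 1, isn + 1, now=1010.0)
    forged = sc.validate(*conn, client_isn + 1, isn + 2, now=1010.0)
    late = sc.validate(*conn, client_isn + 1, isn + 1, now=1130.0)   # two ticks later
    return ok, forged, late


if __name__ == "__main__":
    print(run_demo())
```

The price of statelessness is visible in the code: only four MSS values and no TCP options survive, which is why Linux enables cookies only once the SYN backlog overflows, and why the patent pairs the cookie handler with a separate session manager for flag-flooding rather than relying on cookies alone.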
20110145911 | Network-Based Security Services for Managed Internet Service - Data traffic is routed from a customer edge (CE) router to an Ethernet services router via a generic routing encapsulation (GRE) tunnel. Upon routing the data traffic from the CE router to the Ethernet services router, the data traffic is routed from the Ethernet services router to an aggregation switch. Upon routing the data traffic from the Ethernet services router to the aggregation switch, the data traffic is routed from the aggregation switch to a service switch through a security module, the security module configured to filter the data traffic. The filtered data traffic is routed from the service switch to the Ethernet services router. Upon routing the filtered data traffic from the service switch to the Ethernet services router, the filtered data traffic is routed from the Ethernet services router to a provider edge (PE) router. | 06-16-2011 |
20110145912 | MEDIA ACCESS CONTROL ADDRESS TRANSLATION IN VIRTUALIZED ENVIRONMENTS - Some embodiments provide a method that transmits network packets through a network security device. The method receives a request to send a network packet from a first computing device to a second computing device over a network that includes the network security device. The network packet includes a first network interface identifier for identifying the first computing device on the network and a second network interface identifier for identifying the second computing device on the network. The method identifies third and fourth network interface identifiers that cause the network packet to be transmitted through the network security device when the network packet is transmitted using the third and fourth network interface identifiers. The method transmits the network packet over the network through the network security device using the third and fourth network interface identifiers. The method transmits the network packet to the second computing device using the first and second network interface identifiers. | 06-16-2011 |
20110154475 | MODEM AND METHOD FOR CONSERVING POWER CONSUMPTION OF AN ELECTRONIC DEVICE - A modem and method for conserving power of an electronic device include storing a black list and a white list, each of the black list and the white list including one or more Internet Protocol (IP) addresses. The modem and method further include receiving a packet from an IP address, determining if the IP address is in the black list or the white list, dropping the packet if the IP address is in the black list, or resetting a timer and sending the packet to the electronic device if the IP address is in the white list. | 06-23-2011 |
20110162060 | WIRELESS LOCAL AREA NETWORK INFRASTRUCTURE DEVICES HAVING IMPROVED FIREWALL FEATURES - Methods and systems are provided for improving a firewall implemented at a WLAN infrastructure device (WID). The WID includes a stateful firewall that implements firewall rules based on an ESSID of the WID to specify whether traffic is allowed to or from the ESSID. For example, in one implementation of such a firewall rule, packets that are required to be sent out on all wired ports can be blocked from being flooded out on WLANs (i.e., the packet is allowed to pass only to the wired ports). A method and system are provided for preventing a malicious wireless client device (WCD) that is transmitting undesirable traffic from using RF resources, by deauthenticating the malicious WCD to remove it from the WLAN and blacklisting it to prevent it from rejoining the WLAN for a time period. Methods and systems are also provided for communicating state information regarding an existing firewall session either on demand and/or predictively. | 06-30-2011 |
20110162061 | PORT-BASED PACKET FILTER - A method, apparatus, and program product for reducing unwanted host wake-up messages. A host computer finds a port in use by a host application, selects program information based on the port in use by the application, and sends the program information to a port filter. The port filter receives a packet that contains a port identifier. The port-filter uses the program information to decide whether there is a host application associated with the port identifier and sends a wake-up message to the host computer only when there is an associated host application. | 06-30-2011 |
20110173692 | METHOD FOR COMPUTING NETWORK REACHABILITY - A method is provided for computing network reachability in a computer network. The method includes: identifying each of the subnetworks that comprise a computer network; determining, for each pair of subnetworks, data paths between the two subnetworks; for each identified data path, identifying access control lists implemented along a given data path and formulating a diagram that merges reachability sets derived from the access control lists along the given data path; and, deriving, for each pair of subnetworks, a set of network packets that can traverse between the subnetworks from the formulated diagrams. | 07-14-2011 |
20110179479 | SYSTEM AND METHOD FOR GUARDING AGAINST DISPERSED BLOCKING ATTACKS - A system and a method are provided for guarding against dispersed blocking attacks in a network. The system includes detection apparatus for detecting and guiding the dispersed blocking attacks, and a guarding apparatus for receiving and filtering the flow of packets guided by the detection apparatus. The guarding apparatus includes a filtering module for filtering irregular packets according to preset filtering rules; a routing device for receiving and transmitting the filtered flow of packets; and an adjusting module for analyzing the filtered flow of packets, thereby adjusting the preset filtering rules and providing warning messages. The method includes detecting, guiding and filtering, in a multi-layered manner, irregular packet flows at major nodes of the network; and enhancing filtering based on the analyzed and adjusted preset filtering rules, thereby preventing network services from being interrupted by dispersed blocking attacks. | 07-21-2011 |
20110197273 | Real time firewall/data protection systems and methods - Methods and systems for firewall/data protection that filters data packets in real time and without packet buffering are disclosed. A data packet filtering hub, which may be implemented as part of a switch or router, receives a packet on one link, reshapes the electrical signal, and transmits it to one or more other links. During this process, a number of filters checks are performed in parallel, resulting in a decision about whether each packet should or should not be invalidated by the time that the last bit is transmitted. To execute this task, the filtering hub performs rules-based filtering on several levels simultaneously, preferably with a programmable logic or other hardware device. Various methods for packet filtering in real time and without buffering with programmable logic are disclosed. The system may include constituent elements of a stateful packet filtering hub, such as microprocessors, controllers, and integrated circuits. The system may be reset, enabled, disabled, configured, and/or reconfigured with toggles or other physical switches. Audio and visual feedback may be provided regarding the operation and status of the system. | 08-11-2011 |
20110219444 | DYNAMICALLY ADAPTIVE NETWORK FIREWALLS AND METHOD, SYSTEM AND COMPUTER PROGRAM PRODUCT IMPLEMENTING SAME - A system, method, and computer program product for controlling data through a firewall which may be dynamically configurable. The method may comprise defining at least one node, wherein the at least one node is associated with two or more network interfaces; associating a set of firewall rules with the at least one node; receiving a packet at a first node of the at least one node; and accepting or denying the packet based on the set of firewall rules. The firewall rules include dynamic chains of rules having defined places where firewall rules may be dynamically inserted into or deleted from the firewall while the firewall is operating on one or more machines connected to network segments where the nodes reside. | 09-08-2011 |
20110231929 | SYSTEMS AND METHODS FOR PROVIDING A VPN SOLUTION - A system, apparatus and a method for implementing a secured communications link at a layer other than that at which packets are filtered are disclosed. In one embodiment, a computer system is configured to form a virtual private network (“VPN”) and comprises an address inspection driver to identify initial target packet traffic addressed to a target server. Also, the computer system includes a pseudo server module to receive rerouted initial target packet traffic from the address inspection driver. The pseudo server module is configured to convey packet regeneration instructions to a VPN gateway. The address inspection driver functions to identify additional target packet traffic addressed to the target server and routes the additional target packet traffic to the pseudo server. In one embodiment, the pseudo server is configured to strip header information from the additional target packet traffic to form a payload, and thereafter, to route the payload to the target. | 09-22-2011 |
20110252469 | SYSTEM FOR PREVENTING NORMAL USER BEING BLOCKED IN NETWORK ADDRESS TRANSLATION (NAT) BASED WEB SERVICE AND METHOD FOR CONTROLLING THE SAME - A system for preventing a normal user from being blocked in a network address translation (NAT)-based web service, and a method for controlling the same, are disclosed. The system discriminates between an attacker PC and a normal user PC that use the same public IP address in the NAT network, blocks a Web-page request generated from the attacker PC, processes a Web-page request of the normal user PC, and thereby keeps the Internet service of the normal user PC available. The system discriminates between the attacker PC and the normal user PC that use the same IP address in the NAT network, blocks packets of the attacker PC on the basis of the matching result obtained from a blacklist rule table, converts the Web-server host address into a virtual IP address upon receiving traffic of the normal user, and allows the normal user traffic to reach the Web server without any restriction caused by the blacklist rule table, such that the normal user can freely access the Web service of the Web server. | 10-13-2011 |
20110258694 | HIGH PERFORMANCE PACKET PROCESSING USING A GENERAL PURPOSE PROCESSOR - A packet processing device includes a control logic processor for filtering packets according to a set of stored rules and an arithmetic logic processor for executing packet processing instructions based on the content of the packet. The control logic processor spawns a new thread for each incoming packet, relieving the arithmetic logic processor of the need to do so. The control logic processor and the arithmetic logic processor preferably are integrated via a thread queue. The control logic processor preferably assigns a policy to each incoming packet. A policy action table stores one or more policy instructions which may be easily changed to update policies to be implemented. The policy action table preferably maps a virtual packet flow identification code to the physical memory address of an action code and a state block associated to the identification code. The arithmetic logic processor processes a packet based on the stored policy assigned to that packet. | 10-20-2011 |
20110258695 | PUBLIC NETWORK ACCESS SERVER HAVING A USER-CONFIGURABLE FIREWALL - A user-configurable firewall and method in which a user-changeable security setting for a client computer is maintained by an access server through which a user accesses the public network. The user-changeable security setting can be used to specify which outside computers or network devices may access the client computer and what type of access to the client computer is allowed. If an attempt to access the client computer is made, the user-configurable security setting is checked to determine if the attempted access is allowed by the current security setting. If the attempted access is allowed by the current security setting, access is allowed to the client computer; otherwise, access is not allowed. If the user changes the user-configurable security setting, the changes to the user-configurable security setting are provided to the access server. | 10-20-2011 |
20110283350 | Firewall Method and Apparatus for Industrial Systems - Method and apparatus for use with systems including networked resources where communication between resources is via dual packet protocols wherein a first protocol includes a frame that specifies a destination device/resource and a data field and the second protocol specifies a final destination device/resource and includes a data field, where the second packets are encapsulated in the first protocol packet frames, the method including specifying access control information for resources, for each first protocol packet transmitted on the network, intercepting the first protocol packet prior to the first protocol destination resource, examining a subset of the additional embedded packet information to identify one of the intermediate path resources and the final destination resource, identifying the access control information associated with the identified at least one of the intermediate path resources and the final destination resource and restricting transmission of the first protocol packet as a function of the identified access control information. | 11-17-2011 |
20110296518 | APPLICATION LAYER AUTHENTICATION IN PACKET NETWORKS - Techniques are disclosed for efficient authentication of an end user device at an application server of a communication network. For example, wherein it is assumed that, in a communication network, a first computing device is an end user device, a second computing device is a gateway server, and a third computing device is an application server, a method comprises the following steps. The second computing device authenticates one or more packets received from the first computing device. The second computing device marks the one or more packets with a first-layer identity before routing the one or more packets toward the third computing device such that the third computing device is able to authenticate the one or more packets from the first computing device by confirming an association between the first-layer identity and a second-layer identity. For example, the first-layer identity may comprise a link layer identity assigned to the first computing device (e.g., assigned by the gateway server or some other server), and the second-layer identity may comprise an application layer identity assigned to the first computing device (e.g., previously assigned by the application server or some other server). | 12-01-2011 |
20110296519 | REPUTATION BASED CONNECTION CONTROL - Methods and systems for operation upon one or more data processors for reputation based firewall processing of communications. The reputation based firewall processing includes receiving a communication identifying an entity, retrieving the reputation of the entity identified by the communication, and handling the communication based upon the retrieved reputation. | 12-01-2011 |
20110302648 | ANTI-MALWARE SYSTEM AND OPERATING METHOD THEREOF - Provided are an anti-malware system, and an operating method thereof. The anti-malware system matches a filtering operation on first target data to be filtered with a rule pattern, performs a filtering operation on the first target data according to a matching result, matches second target data to be malware-scanned with a malware pattern, and performs a malware scanning operation on the second target data according to a matching result, wherein the filtering operation and the scanning operation are performed on a system-on-chip (SoC). | 12-08-2011 |
20120005743 | INTERNAL NETWORK MANAGEMENT SYSTEM, INTERNAL NETWORK MANAGEMENT METHOD, AND PROGRAM - A relay apparatus log analysis apparatus 132 periodically receives log data from a relay apparatus 112, when detecting a traffic abnormality, an abnormality detection apparatus 131 notifies the IP address of a terminal device that has caused the abnormality to the relay apparatus log analysis apparatus 132, the relay apparatus log analysis apparatus 132 analyzes traffic information generated by a router apparatus 121 to identify a time when the traffic abnormality has occurred, the relay apparatus log analysis apparatus 132 analyzes the log data, based on the occurrence time of the traffic abnormality and the IP address of the terminal device that has caused the abnormality, identifies an address accessed by the terminal device, regards the identified address as the destination from the malware, and sets the relay apparatus 112 so as to block a packet to the address. | 01-05-2012 |
20120011584 | SYSTEM AND METHOD FOR ARP ANTI-SPOOFING SECURITY - A system and method that provides for copying ARP replies, and generating data packets which include the ARP reply, and other information such as an identification of the port on which the ARP reply was received. These data packets are then transmitted to an ARP collector which stores the ARP reply and port information. The ARP collector then uses this stored information, and analyzes future data packets relative to the stored information to detect occurrences of ARP spoofing. The ARP collector further provides for generating alerts and taking security actions when ARP reply spoofing is detected. | 01-12-2012 |
20120017270 | SYSTEMS, DEVICES, AND METHODS FOR PROVIDING MULTIPLE SERVICES TO PREMISES OVER COMMUNICATION NETWORKS - Methods, systems, and devices for providing one or more virtual networks for a plurality of services are disclosed. The device may include a secure access node coupled to a wide area communication network and a premises communication network. The secure access node may have a node software platform, one or more node processors, a node storage device, and one or more node communication interfaces. Further, the secure access node may receive a plurality of data packets through one of the one or more node communication interfaces. The node software platform may execute on one of the node processors and may include a node deep packet inspection engine, a node rules generation engine, a node rule check and notification generation engine, a node service segregation engine, a node communication software application, and a node service adapter software application. | 01-19-2012 |
20120023572 | Malicious Attack Response System and Associated Method - A system and method for detecting and identifying intruders in a computer network environment by providing a network traffic evaluation and simulation module at the interface between a protected network and external traffic source. The evaluation and simulation module identifies suspected intruders by observing intrusion pattern behavior and then presents a simulated network to the intruder. The simulated network appears to offer the intruder valuable information and provides the intruder with the appearance of success in breaking down the layers of the simulated network to keep the intruder engaged in the intrusion effort while information is gathered to trace and identify the source of the intrusion. Intrusion attempts are identified and categorized in an intrusion analysis module. The network traffic evaluation and simulated network may be provided as a self contained physical module that does not require modification of existing network software. | 01-26-2012 |
20120030750 | System and Method for Network Level Protection Against Malicious Software - A method in one example implementation includes receiving information related to a network access attempt on a first computing device with the information identifying a software program file associated with the network access attempt. The method also includes evaluating a first criterion to determine whether network traffic associated with the software program file is permitted and then creating a restriction rule to block the network traffic if the network traffic is not permitted. The first criterion includes a trust status of the software program file. In specific embodiments, the method includes pushing the restriction rule to a network protection device that intercepts the network traffic associated with the software program file and applies the restriction rule to the network traffic. In more specific embodiments, the method includes searching a whitelist identifying trustworthy software program files to determine the trust status of the software program file. | 02-02-2012 |
20120036571 | SMART CARD, ANTI-VIRUS SYSTEM AND SCANNING METHOD USING THE SAME - A smart card installed in a device receives from the device data to be scanned and determines whether a virus exists in the data. Accordingly, security of the device may be enhanced without using substantial resources of the device. | 02-09-2012 |
20120036572 | SYSTEM-ON-A-CHIP MALICIOUS CODE DETECTION APPARATUS FOR A MOBILE DEVICE - System-on-chip (SoC)-based apparatus for detecting malicious code in portable terminal is provided. SoC-based apparatus includes SoC including central processing unit (CPU) configured to generally control respective units of SoC for SoC-based malicious code detection, SoC memory-based firewall configured to classify packets input from outside through network interface unit, perform filtering operation, such as allowing operation and dropping operation, on the classified packets according to a predetermined setting, and output the result of the filtering operation to an application memory or an anti-malware engine, the SoC memory-based anti-malware engine configured to detect malicious code by performing a pattern-matching operation between a code pattern in a file input from the firewall and a pattern of malicious code registered in a malware signature database (DB) of a mobile device application unit, and an SoC memory-based control module configured to control operation of the firewall and the anti-malware engine in connection with the CPU. | 02-09-2012 |
20120042374 | EFFICIENT CLASSIFICATION OF NETWORK PACKETS - Embodiments describe a system and/or method for efficient classification of network packets. According to an aspect a method includes describing a packet as a feature vector and mapping the feature vector to a feature space. The method can further include defining a feature prism, classifying the packet relative to the feature prism, and determining if the feature vector matches the feature prism. If the feature vector matches the feature prism the packet is passed to a data recipient, if not, the packet is blocked. Another embodiment is an apparatus that includes an identification component that defines at least one feature of a packet and a classification component that classifies the packet based at least in part upon the at least one defined feature. | 02-16-2012 |
20120042375 | SYSTEM-ON-CHIP MALICIOUS CODE DETECTION APPARATUS AND APPLICATION-SPECIFIC INTEGRATED CIRCUIT FOR A MOBILE DEVICE - System-on-chip (SoC) and application-specific integrated circuit (ASIC)-based apparatus for detecting malicious code in portable terminal is provided. Apparatus includes SoC including hardware-based firewall packet-filtering packet received from outside through media access control unit according to setting of firewall setting unit in SoC memory and storing filtered packet in application memory or transferring filtered packet to anti-malware engine, hardware-based anti-malware engine detecting malicious code by performing pattern-matching operation between code pattern in file transferred from firewall or file received through input/output (I/O) interface unit and pattern of malicious code registered in malware signature database (DB) of mobile device application unit, SoC memory providing setting of firewall and support file decoding function for file format recognition of anti-malware engine, and hardware-based controller controlling switching operation to transfer file filtered by firewall directly to application memory or to anti-malware engine and control malicious code detection cycle of anti-malware engine. | 02-16-2012 |
20120047571 | SYSTEMS AND METHODS FOR DETECTING PRESELECTED QUERY TYPE WITHIN A DNS QUERY - In some embodiments, a non-transitory processor-readable medium storing code representing instructions to cause a processor to perform a process includes code to determine whether an IPv4 packet is associated with a Domain Name System (DNS) query based on an IPv4 header of the IPv4 packet. If the IPv4 packet is a DNS query packet, the non-transitory processor-readable medium includes code to determine whether the IPv4 packet has a preselected query type based on a payload of the IPv4 packet. If the IPv4 packet is a DNS query packet and has the preselected query type, the non-transitory processor-readable medium includes code to send a signal to block transmission of the IPv4 packet. In some embodiments, the preselected query type has a DNS record type value of 28. | 02-23-2012 |
20120047572 | DECAPSULATION OF DATA PACKET TUNNELS TO PROCESS ENCAPSULATED IPV4 OR IPV6 PACKETS - In one embodiment, a non-transitory processor-readable medium stores code representing instructions to cause a processor to determine whether an IPv4 payload of an IPv4 packet includes a tunneled IPv6 packet. When the IPv4 payload includes the tunneled IPv6 packet, the code can determine a location of a payload of the tunneled IPv6 packet based at least in part on a header of the tunneled IPv6 packet, and send a signal to block transmission of the IPv4 packet when the payload of the tunneled IPv6 packet is not a valid IPv6 payload. | 02-23-2012 |
20120047573 | METHODS AND APPARATUS FOR DETECTING INVALID IPV6 PACKETS - In one embodiment, a non-transitory processor-readable medium stores code representing instructions to cause a processor to determine (1) whether an IPv6 packet includes an extension header of an illegal type and (2) a quantity of extension headers present in the IPv6 packet that are of a preselected type. When the IPv6 packet includes the extension header of the illegal type, the code can send a first signal to block transmission of the IPv6 packet. When the quantity of extension headers that are of the preselected type is greater than a preselected quantity, the code can send a second signal to block transmission of the IPv6 packet. | 02-23-2012 |
20120096539 | WIRELESS INTRUSION PREVENTION SYSTEM AND METHOD - A wireless intrusion prevention system and method to prevent, detect, and stop malware attacks is presented. The wireless intrusion prevention system monitors network communications for events characteristic of a malware attack, correlates a plurality of events to detect a malware attack, and performs mitigating actions to stop the malware attack. | 04-19-2012 |
20120102563 | METHOD AND APPARATUS FOR CONTROLLING LOADS OF A PACKET INSPECTION APPARATUS - The present invention periodically monitors the amount of packets flowing into a packet inspection apparatus, i.e., a load level, and compares the load level with a predetermined upper or lower limit value. Accordingly, the present invention blocks some of the packets or passes along some of the packets through the packet inspection apparatus when the load level exceeds a certain level, and thus the load controlling method and apparatus guarantees continuous operation of the packet inspection apparatus even in an overloaded state. In addition, the load controlling method and apparatus according to the present invention effectively selects packets to be blocked or passed without departing from the original functions of the packet inspection apparatus. The load controlling method and apparatus is configured simply so as not to additionally induce a load in the process of selection, and the load controlling apparatus selectively operates only in an overloaded state. | 04-26-2012 |
20120110656 | SELECTIVE INVALIDATION OF PACKET FILTERING RESULTS - Example embodiments relate to selective invalidation of packet filtering cache results based on rule priority. In example embodiments, a network node determines whether a rule identifier included in a cache entry of a cache of results of a packet filtering rule set is of a higher priority than a highest priority rule corresponding to a rule set version identifier included in the cache entry. If so, the network node may apply an action included in the cache entry. | 05-03-2012 |
20120110657 | APPARATUS AND METHOD FOR HOST-BASED NETWORK SEPARATION - The invention relates to an apparatus for host-based network separation, comprising: a network separation switch which, when a process is being executed on a host computer, checks whether the network allocated to the process is an internal network or an external network in accordance with the network access authority allocated to the process, and separates the process by IPs allocated to each network; and a packet processor which blocks the access of packet data when the packet data of the process separated by IPs by the network separation switch access a network other than the network to which the relevant IP is allocated. | 05-03-2012 |
20120117642 | INFORMATION SECURITY PROTECTION HOST - An information security protection host is provided. The information security protection host comprises a network interface and a virtual machine monitor (VMM) device. The network interface is connected to a computer network and is configured to receive a first packet. The VMM device is configured to run a first operating system, wherein the first operating system provides a first network service. The VMM device is further configured to provide a first operating system information of the first operating system and a first network service information of the first network service instantaneously so as to determine the security of the first packet. | 05-10-2012 |
20120124661 | METHOD FOR DETECTING A WEB APPLICATION ATTACK - A method of detecting a web application attack is provided. The method includes the steps of when packets forming HTTP traffic are received, a web application firewall recombining the HTTP traffic, analyzing the recombined HTTP traffic and determining whether or not the recombined HTTP traffic includes the attack-relevant content, if the recombined HTTP traffic does not include the attack-relevant content, sending the recombined HTTP traffic to a web server or a user server and normally processing the recombined HTTP traffic, and if the recombined HTTP traffic includes the attack-relevant content, detecting the recombined HTTP traffic as an attack and reprocessing the same. | 05-17-2012 |
20120131663 | TRANSMITTING KEEP-ALIVE PACKETS ON BEHALF OF A MOBILE COMMUNICATIONS DEVICE WITHIN A WIRELESS COMMUNICATIONS SYSTEM - In an embodiment, a mobile communications device (MCD) is positioned within an internal network that is separated from an external network by network address translation (NAT) and/or a firewall. The MCD establishes settings with the NAT and/or firewall by which the MCD can be contacted through from the external network. The settings are configured to be disabled by the NAT and/or firewall after a threshold period of traffic inactivity. An application server receives information associated with the settings, and instructs an assisting application server (AAS) within the internal network to transmit keep-alive packets on behalf of the MCD so as to maintain the settings for the MCD. The AAS receives the instructions from the application server, and instructs an assisting wireless communications device (WCD) within the internal network to transmit keep-alive packets on behalf of the MCD. The WCD then transmits the keep-alive packets in accordance with the instructions. | 05-24-2012 |
20120131664 | METHOD AND APPARATUS FOR CONTENT AWARE OPTIMIZED TUNNELING IN A MOBILITY ENVIRONMENT - A method, computer readable medium and apparatus for performing content aware optimized tunneling in a communication network are disclosed. For example, the method authenticates a user endpoint device, establishes a tunnel to the user endpoint device if the user endpoint device is authenticated, analyzes content of a data packet transmitted through the tunnel to determine if the tunnel should be re-directed, and re-directs the tunnel to a gateway general packet radio services support node light based upon the content of the data packet. | 05-24-2012 |
20120151572 | ARCHITECTURE FOR NETWORK MANAGEMENT IN A MULTI-SERVICE NETWORK - A mechanism is provided for a non-converged network for a service provider. A core network is divided into individually managed domains, where each of the domains comprises multiprotocol label switching for packets. A management system is coupled to each of the domains. Network elements in each of the domains are restricted from directly transferring packets to network elements in another one of domains. Each of the domains has a domain firewall at an edge of the domains, and the domain firewall restricts packets from being received from other domains. To transfer packets from one domain to another domain, the management system receives the packets from one domain and transfers the packets to the other domain after authentication. | 06-14-2012 |
20120185930 | DOMAINS BASED SECURITY FOR CLUSTERS - Domains can be used to secure resources of a cluster. An administrator can configure a node of a cluster as a member of a particular domain. Membership in a cluster can be restricted to nodes that are members of the particular domain. When a node generates a cluster message, a kernel process or operating system process of the node will indicate the domain(s) of the node in the cluster message. The cluster message can be a command message to read or write to a storage resource of the cluster. When the cluster storage resource node or node that controls the storage resource receives the command message, the node will examine the command message to ensure the message indicates a domain that aligns with the cluster. If the proper domain is indicated in the command message, then the command message is processed. Otherwise, the command message is denied. | 07-19-2012 |
20120198541 | METHODS AND APPARATUS FOR PREVENTING NETWORK INTRUSION - In one configuration, a non-volatile memory is provided having computer readable instructions configured to instruct a computer or controller to run a setup wizard to obtain setup and filtering module configuration rules from a user; reload the computer or controller with the settings obtained by the setup wizard; configure filtering module rules including rules for an industrial protocol filter; and filter received and/or transmitted packets in accordance with the filtering module rules. The configuration may also include instructions to further parse and analyze packets containing industrial protocols to determine whether to allow or deny ingress and/or egress of such packets. | 08-02-2012 |
20120198542 | Shared Security Device - A mechanism is provided for sharing one or more security appliances. A trusted system component associated with an application of a plurality of applications in a logically partitioned data processing system sets a destination address of a received packet to an address of a security appliance shared by the plurality of applications. The trusted system component sends the received packet to the security appliance. The trusted system component receives a response from the security appliance. The trusted system component determines whether the response indicates permitting the received packet to proceed to the intended recipient. The trusted system component sends the received packet to the recipient in response to the response indicating permitting the received packet to proceed. | 08-02-2012 |
20120216273 | SECURING A VIRTUAL ENVIRONMENT - Securing a virtual environment includes: in a host device, intercepting a packet addressed to a virtual machine implemented by the host device; redirecting the packet to a security device external to the host device through an egress tunnel; and delivering the packet to the virtual machine if the host device receives an indication from the security device that the packet is approved. | 08-23-2012 |
20120216274 | INFERENCING DATA TYPES OF MESSAGE COMPONENTS - A method of a device for filtering messages routing across a network includes extracting, by a filter configured on the device, a plurality of message components from messages received via a network. The plurality of message components is identified as having at least a field name in common, including a first field name. A learning engine configured on the device creates a list of data types for values of the first field name. The list includes one or more data types of a value of the first field name identified for each of the plurality of message components. The learning engine determines a most restrictive data type from the list of data types for the values of the first field name of the plurality of message components. | 08-23-2012 |
20120216275 | SCALABLE TRANSPARENT PROXY - A facility for proxying network traffic between a pair of nodes is described. The facility receives packets traveling between the pair of nodes that together constitute a distinguished network connection. For each packet of the connection that is part of a transport protocol setup process, the facility updates a representation of the status of the setup process to reflect the packet, and forwards the packet to its destination without proxying the packet. For each packet of the connection that is subsequent to the setup process, the facility proxies the contents of the packet to the packet's destination. | 08-23-2012 |
20120240215 | SOC-BASED DEVICE FOR PACKET FILTERING AND PACKET FILTERING METHOD THEREOF - Provided is a device including a chip that includes a firewall engine, and a driver, wherein the driver identifies an owner process of a packet to be transmitted, and transmits the packet to the chip only if the owner process is allowed to transmit the packet to an external device, wherein the chip performs filtering by applying a rule for packet filtering to the packet received from the driver. | 09-20-2012 |
20120254979 | UNATTACKABLE HARDWARE INTERNET PACKET PROCESSING DEVICE FOR NETWORK SECURITY - Hardware internet packet processing device for network security constructed in such a manner that packet data is packet processed by hardware without a receiving memory or MCU and interruption of internet packets for network security is implemented by hardware construction. | 10-04-2012 |
20120254980 | Switching hub, a system, a method of the switching hub and a program thereof - A switching hub, system and method for restricting a communication between terminals within a second network isolated from a first network. The terminals are connected to the first network or the second network, wherein a terminal with a sufficient security level is connected to the first network and a terminal with an insufficient security level is connected to the second network. Communication between the terminals within the second network is restricted. | 10-04-2012 |
20120266232 | METHOD AND SYSTEM FOR PROTECTING A COMPUTER SYSTEM DURING BOOT OPERATION - A method for protecting a computer system from malicious network traffic is provided using a driver which inspects network packets. A security profile comprising packet inspection rules is compiled and stored on the computer system. During the startup or boot operation of an operating system, the driver loads the compiled security profile and inspects network packets using the inspection rules. | 10-18-2012 |
20120266233 | Signal Transfer Point Front End Processor - In an SS7 network, each of a plurality of Signal Transfer Points is fronted by a front-end processor (STP-FEP) that has a network presence. The STP-FEP implements at least the MTP2 layer of the SS7 protocol stack and implements security rules at the MTP2 and MTP3 layers. | 10-18-2012 |
20120272309 | Method and Apparatus for Fast Check and Update of Anti-Replay Window Without Bit-Shifting in Internet Protocol Security - An apparatus comprising a processor configured to implement an anti-replay check for a plurality of received packets and a plurality of corresponding sequence numbers; and a circular buffer coupled to the processor and comprising a bitmap, wherein the bitmap is slid in a circular manner by updating a low index that points to a first sequence number for a first received packet and a high index that points to a last sequence number for a last received packet without bit-shifting, and wherein, when the update results in the new value of one of the low index and the high index exceeding the end of the circular buffer, the one of the low index and the high index wraps around from the beginning of the circular buffer. | 10-25-2012 |
20120304278 | METHODS AND SYSTEMS FOR ACHIEVING HIGH ASSURANCE COMPUTING USING LOW ASSURANCE OPERATING SYSTEMS AND PROCESSES - A device for providing a blended protection scheme for a high assurance communication device includes a reconfigurable firewall and packet inspection device for enforcing isolation and separation between a communication device's CPUs, memory, and the communication device, where the reconfigurable firewall is implemented on an integrated chip or motherboard chipset. The device further includes a protected CPU that is adapted to manage security functions and to reconfigure the reconfigurable firewall. In embodiments, the device is a firewall and virus infection inspection system. In other embodiments the device is a virtual private network for network based communications. | 11-29-2012 |
20120311692 | COMMUNICATION CONTROL APPARATUS AND PACKET FILTERING METHOD - A communication control apparatus ( | 12-06-2012 |
20120324568 | MOBILE WEB PROTECTION - On a mobile communications device, visiting a link from a messaging application or web browser may result in an undesired action, such as visiting a phishing site, downloading malware, causing unwanted charges, using too much battery, or the device being exploited. In an implementation, a mobile application intercepts a request including an identifier associated with an action to be performed by another application on the device and evaluates the identifier to determine when the request should be permitted, blocked, or conditionally permitted. The client may use local data or make a request to a server to evaluate the identifier. In an implementation, server communications are optimized to minimize latency by caching evaluation results on the device, proactively priming the device's DNS cache, optimizing when DNS lookups are performed, and adapting evaluation policy based on factors such as the source of the request, and the currently active network connection. | 12-20-2012 |
20120331542 | PREVENTING NEIGHBOR-DISCOVERY BASED DENIAL OF SERVICE ATTACKS - A method is provided for preventing denial-of-service attacks on hosts attached to a subnet, where the attacks are initiated by a remote node over an external network. The method is performed by a router which forwards packets between the external network and the subnet. The router receives a packet for forwarding to a destination address in an address space of the subnet according to the IPv6 protocol and looks up the destination address in a Neighbor Discovery (ND) table. The ND table is populated by operations on the subnet that were completed prior to receipt of the packet. Entries in the ND table store address information of the hosts that have been verified by the router to be active. The router forwards the packet to the destination address if the destination address is stored in the ND table. Otherwise, the packet is discarded. | 12-27-2012 |
20120331543 | DETECTION OF ROGUE CLIENT-AGNOSTIC NAT DEVICE TUNNELS - Provided are techniques for the prevention of certain types of attacks on computing systems. The current disclosure, which describes one particular type of attack, is directed to the detection and prevention of an attack rather than the mechanics of the particular described attack. The claimed subject matter both detects and prevents an attack without exposing a network to denial-of-service (DoS) attacks by being too restrictive. | 12-27-2012 |
20120331544 | DETECTION OF ROGUE CLIENT-AGNOSTIC NAT DEVICE TUNNELS - Provided are techniques for the prevention of certain types of attacks on computing systems. The current disclosure, which describes one particular type of attack, is directed to the detection and prevention of an attack rather than the mechanics of the particular described attack. The claimed subject matter both detects and prevents an attack without exposing a network to denial-of-service (DoS) attacks by being too restrictive. | 12-27-2012 |
20130019302 | SYSTEM AND METHOD FOR SUPPORTING SUBNET MANAGEMENT PACKET (SMP) FIREWALL RESTRICTIONS IN A MIDDLEWARE MACHINE ENVIRONMENT - A system and method can provide subnet management packet (SMP) firewall restrictions in a middleware machine environment. A secure firmware implementation can be provided on a host channel adaptor (HCA), wherein the HCA is associated with a host in the middleware machine environment. The secure firmware implementation operates to receive at least one SMP from the host or destined to the host, and prevent the host from sending or receiving the at least one SMP. Furthermore, the secure firmware implementation can include a proxy function that can communicate with external management components on behalf of the host. | 01-17-2013 |
20130019303 | SYSTEM AND METHOD FOR PROVIDING SWITCH BASED SUBNET MANAGEMENT PACKET (SMP) TRAFFIC PROTECTION IN A MIDDLEWARE MACHINE ENVIRONMENT - A system and method can provide switch based subnet management packet (SMP) traffic protection in a middleware machine environment. The middleware machine environment includes a network switch that operates to receive at least one SMP destined for a subnet management agent (SMA). The network switch can check whether the at least one SMP includes a correct management key, and prevent the at least one SMP from being forwarded to the destined SMA when at least one SMP does not include the correct management key. Furthermore, the network switch can specify a different management key for each external port and can enforce separate restrictions on ingress and egress SMP traffic at a particular external port. | 01-17-2013 |
20130031621 | METHOD FOR APPLYING A HOST SECURITY SERVICE TO A NETWORK - A method for applying a host security service to a network is described herein. The network may include a host device and a network device. The network device may receive a request for security-based filtering. The request includes filtering parameters that restrict traffic between the host device and the network device. It is determined whether the filtering parameters conflict with an initial filtering configuration. The filtering parameters may be applied to traffic through the network device. | 01-31-2013 |
20130042317 | FRONTEND SYSTEM AND FRONTEND PROCESSING METHOD - In a frontend system in which a plurality of relay devices is mixed, end-to-end performance can be improved and a network can be flexibly established for every policy. Specifically, the L7 (layer 7) processing is unified by providing a Front-End Processor (FEP), which has both a firewall (FW) and a load balancer (LB) recognizing a protocol of the L7 (layer 7) level, near a switch of a gateway to an external network. | 02-14-2013 |
20130055373 | PROTOCOL RATE FILTERING AT EDGE DEVICE - A method includes configuring a plurality of rate filters for a plurality of protocols. The plurality of rate filters are associated with a plurality of rate thresholds for the plurality of protocols. An edge device receives a packet for a flow. The packet is received from a customer premise equipment device for sending through an egress interface of the edge device. A rate of packets being sent for the flow and a protocol in the plurality of protocols associated with the packet are determined. A rate filter in the plurality of rate filters that is associated with the determined protocol is determined, where the rate filter is associated with a rate threshold in the plurality of rate thresholds. The method determines an event is occurring when the rate of packets exceeds the rate threshold associated with the determined rate filter and performs an action to mitigate the event. | 02-28-2013 |
20130055374 | System and Method for Denial of Service Attack Mitigation Using Cloud Services - A method to mitigate attacks by an upstream service provider using cloud mitigation services. An edge detection device, which is located at the subscriber's network edge, is able to communicate information via status messages about attacks to an upstream service provider. The service provider is then able to mitigate attacks based on the status messages. There is a feedback loop whereby the amount of traffic dropped by the service provider is added to the network traffic to keep the mitigation request open and prevent flapping. Likewise, the detection device includes time-to-engage and time-to-disengage timers to further prevent flapping. | 02-28-2013 |
20130055375 | Method and Protection System for Mitigating Slow HTTP Attacks Using Rate and Time Monitoring - A system and methods for mitigating slow HTTP, SSL/HTTPS, SMTP, and/or SIP attacks. A protection system monitors each TCP connection between a client and a server. The protection system monitors the header request time and minimum transfer rate for each client and TCP connection. If the client has not completed the data transfer in the minimum time or the data are not transferred at the minimum transfer rate, the protection system determines the connections are potentially a slow attack and resets the connections for the protected devices. | 02-28-2013 |
20130061313 | ULTRA-LOW POWER SINGLE-CHIP FIREWALL SECURITY DEVICE, SYSTEM AND METHOD - A firewall security device, system and corresponding method are provided that includes an operating system of an entirely new architecture. The operating system is based fundamentally around a protocol stack (e.g., TCP/IP stack), rather than including a transport/network layer in a conventional core operating system. The firewall security device may include a processor and an operating system (OS) embedded in the processor. The OS may include a kernel. The operating system kernel is a state machine and may include a protocol stack for communicating with one or more devices via a network interface. The OS may be configured to receive and transmit data packets and block unauthorized data packets within one or more layers of the protocol stack based on predetermined firewall policies. | 03-07-2013 |
20130067560 | MULTI-METHOD GATEWAY-BASED NETWORK SECURITY SYSTEMS AND METHODS - Systems and methods for detecting and preventing network security breaches are described. The systems and methods present a gateway-based packet-forwarding network security solution to not only detect security breaches but also prevent them by directly dropping suspicious packets and connections. The systems and methods employ multiple techniques to detect and prevent network security breaches, including stateful signature detection, traffic signature detection, and protocol anomaly detection. | 03-14-2013 |
20130067561 | INTELLIGENT INTEGRATED NETWORK SECURITY DEVICE - Methods, computer program products and apparatus for processing data packets are described. Methods include receiving the data packet, examining the data packet, determining a single flow record associated with the packet and extracting flow instructions for two or more devices from the single flow record. | 03-14-2013 |
20130081131 | COMMUNICATION SYSTEM, COMMUNICATION DEVICE, SERVER, AND COMMUNICATION METHOD - A communication system includes a server that matches a packet against a definition pattern, provided for determining whether the packet is an invalid packet, and discards the packet if the packet is an invalid packet and, for other packets, notifies processing content, which is applied to the packets, to a sending source; and a communication device that forwards an unknown packet to the server and, based on processing content notified from the server, processes a received packet. | 03-28-2013 |
20130097691 | INFORMATION PROCESSING APPARATUS COMMUNICATING WITH EXTERNAL DEVICE VIA NETWORK, AND INFORMATION PROCESSING METHOD THEREOF - An object of the present invention is to more appropriately filter a packet from an external device. This object is achieved by: obtaining address information of the external device from the packet; judging whether or not the address information of the external device has been registered as filter information; extracting, when it is judged that the address information has not been registered, device discrimination information of the external device from the address information of the external device; judging whether or not address information having the same device discrimination information as the extracted device discrimination information has been registered as the filter information; and registering, when it is judged that the address information having the same device discrimination information has been registered, the address information of the external device as the filter information. | 04-18-2013 |
20130125230 | FIREWALLS IN LOGICAL NETWORKS - Some embodiments provide a method for configuring a logical firewall in a hosting system that includes a set of nodes. The logical firewall is part of a logical network that includes a set of logical forwarding elements. The method receives a configuration for the firewall that specifies packet processing rules for the firewall. The method identifies several of the nodes on which to implement the logical forwarding elements. The method distributes the firewall configuration for implementation on the identified nodes. At a node, the firewall of some embodiments receives a packet, from a managed switching element within the node, through a software port between the managed switching element and the distributed firewall application. The firewall determines whether to allow the packet based on the received configuration. When the packet is allowed, the firewall sends the packet back to the managed switching element through the software port. | 05-16-2013 |
20130133060 | COMMUNICATION SYSTEM, CONTROL DEVICE AND CONTROL PROGRAM - In a communication system in which a terminal | 05-23-2013 |
20130139245 | System and Method for Incorporating Quality-of-Service and Reputation in an Intrusion Detection and Prevention System - An intrusion prevention system includes a processor, processing engines, buffers that are each associated with a different range of reputation scores, and a storage device having a database and an application. The processor executes the application to determine that a firewall has admitted a packet, determine a reputation score for the packet from the database, provide the packet to a buffer that has a reputation score range that includes the reputation score of the packet, provide the packet from the buffer to a processing engine, process the packet in the processing engine to determine if the packet includes an exploit, and forward the packet to the protected network if the packet does not include the exploit. | 05-30-2013 |
20130139246 | TRANSPARENT BRIDGE DEVICE - The device provides protection for VoIP or like time-sensitive traffic. Packets arriving at a network interface in the data link layer are inspected to identify signaling packets, which are then queued for further analysis. The signaling packets are analyzed for compliance with adaptive criteria to determine whether the packets are considered safe to pass to a user, and the signaling packets failing to meet the adaptive criteria are rejected. The adaptive criteria are updated based on historical data pertaining to the signaling packets from the same source address for the same user account. | 05-30-2013 |
20130152189 | AUTHENTICATION METHOD AND APPARATUS FOR DETECTING AND PREVENTING SOURCE ADDRESS SPOOFING PACKETS - An authentication apparatus for detecting and preventing a source address spoofing packet, includes a packet reception unit configured to receive a packet from a previous node or a user host; a self-assurance type ID generation unit configured to generate a self-assurance type ID of a source node of the received packet; and a self-assurance type ID verification unit configured to determine whether the source address of the received packet has been spoofed. Further, the authentication apparatus includes a white list storage unit configured to store a reliable source node; a black list storage unit configured to store an unreliable source node; and a packet transmission unit configured to transmit the packet whose source has been verified through the self-assurance type ID verification unit to a next network node. | 06-13-2013 |
20130152190 | Software Firewall Control - A software firewall that may be configured using rules specified for types of network interfaces rather than individual network interfaces. The network types may be specified with type identifiers that have a readily understandable meaning to a user, facilitating ease of configuring the firewall. The network types could include, for example, wired, wireless and remote access. A rule specified based on a network type can be implemented for network interfaces of that network type. The implementation may be performed automatically and may be updated based on network location awareness information. | 06-13-2013 |
20130160107 | SIGNAL TRANSFER POINT FRONT END PROCESSOR - In an SS7 network, each of a plurality of Signal Transfer Points is fronted by a front-end processor (STP-FEP) that has a network presence. The STP-FEP implements at least the MTP2 layer of the SS7 protocol stack and implements security rules at the MTP2 and MTP3 layers. | 06-20-2013 |
20130167219 | APPARATUS AND METHOD FOR CYBER-ATTACK PREVENTION - Provided are a method of preventing cyber-attack based on a terminal and a terminal apparatus therefor. The terminal apparatus includes: a packet processor configured to determine whether excessive traffic is generated by a transmission packet; an anomalous traffic detecting unit configured to determine whether anomalous traffic is generated, using a first condition of the excessive traffic being maintained for a first time period and a second condition of a generation count of the same kind of transmission packets exceeding a predetermined threshold value for a second time period; and a traffic block request unit configured to generate a traffic block request signal for requesting blockage of the transmission packet according to the result of determining whether anomalous traffic is generated. | 06-27-2013 |
20130205384 | Secure System for Interconnection Between Two Public Networks - A secure interconnection system between two public networks comprises at least one first router, a first firewall, a second router, a second firewall and a blade server, and a first virtual local area network containing the data streams exchanged between a first communications facility and a second communications facility, a second virtual local area network containing the management and maintenance streams of said system which are exchanged between a supervision centre and the blade server, and a third virtual local area network containing the authentication streams for said first communications facility which are exchanged between said second firewall and said blade server, said virtual local area networks being designed so as to exhibit an empty intersection. | 08-08-2013 |
20130212670 | Intelligent PHY with security detection for ethernet networks - A physical layer device includes memory, a memory control module, and a physical layer module. The memory control module is configured to control access to the memory. The physical layer module is configured to store packets in the memory via the memory control module. The physical layer module includes an interface configured to receive the packets from a network device via a network and an interface bus. The interface bus includes at least one of a control module and a regular expression module. The at least one of the control module and the regular expression module is configured to inspect the packets to determine a security level of the packets. A network interface is configured to, based on the security level, provide the packets to a device separate from the physical layer device. | 08-15-2013 |
20130219483 | CONTENT FILTERING APPARATUS AND METHOD - A content filtering apparatus may include a receiving unit to receive a data stream constituting content from at least one cloud server, a filtering unit to filter the content based on a service profile and a filtering condition corresponding to the at least one cloud server, and a control unit to search for data, in the data stream, associated with the filtering condition based on an index of the service profile matching the filtering condition. | 08-22-2013 |
20130219484 | System and Method for Providing Network and Computer Firewall Protection with Dynamic Address Isolation to a Device - A computer performs dynamic address isolation. The computer comprises an application associated with an application address, a network interface coupled to receive incoming data packets from and transmit outgoing data packets to an external network, a network address translation engine configured to translate between the application address and a public address, and a driver for automatically forwarding the outgoing data packets to the network address translation engine to translate the application address to the public address, and for automatically forwarding the incoming data packets to the network address translation engine to translate the public address to the application address. The computer may communicate with a firewall configured to handle both network-level security and application-level security. | 08-22-2013 |
20130232565 | Secure Routing Based on the Physical Locations of Routers - A system, method, and apparatus for secure routing based on the physical location of routers are disclosed herein. The disclosed method for secure data transmission of at least one data packet through a plurality of network nodes involves defining a source network node, a destination network node, and at least one security constraint, which is based on the physical location of at least one of the network nodes. The method further involves comparing available network nodes with the security constraint(s) to determine which of the available network nodes meet the security constraint(s) and, thus, are qualified network nodes. Additionally, the method involves determining a route comprising at least one of the qualified network nodes to route the data packet(s) through from the source network node to the destination network node. Further, the method involves transmitting the data packet(s) through the route of the qualified network node(s). | 09-05-2013 |
20130254872 | SYSTEM AND METHOD FOR MITIGATING A DENIAL OF SERVICE ATTACK USING CLOUD COMPUTING - A system and method for mitigating a denial of service attack that includes distributing network communication messages directed at a resource within a resource cloud, directing the distributed network communication messages, filtering the network communication messages according to filter parameters that relate to the legitimacy of the communication message, and sending the communication message to the resource if the communication message is filtered as legitimate or performing a request limiting response to the communication message if the communication message is filtered as illegitimate. | 09-26-2013 |
20130263247 | Transparent Provisioning of Network Access to an Application - An apparatus and method for enhancing the infrastructure of a network such as the Internet is disclosed. A packet interceptor/processor apparatus is coupled with the network so as to be able to intercept and process packets flowing over the network. Further, the apparatus provides external connectivity to other devices that wish to intercept packets as well. The apparatus applies one or more rules to the intercepted packets which execute one or more functions on a dynamically specified portion of the packet and take one or more actions with the packets. The apparatus is capable of analyzing any portion of the packet including the header and payload. Actions include releasing the packet unmodified, deleting the packet, modifying the packet, logging/storing information about the packet or forwarding the packet to an external device for subsequent processing. Further, the rules may be dynamically modified by the external devices. | 10-03-2013 |
20130263248 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR PREVENTING COMMUNICATION OF UNWANTED NETWORK TRAFFIC BY HOLDING ONLY A LAST PORTION OF THE NETWORK TRAFFIC - A system, method, and computer program product are provided for preventing communication of unwanted network traffic by holding only a last portion of the network traffic. In use, network traffic associated with a file transfer is received. Additionally, only a last portion of the network traffic associated with the file transfer is held for determining whether the file is unwanted. Further, the last portion of the network traffic associated with the file transfer is conditionally forwarded to a destination device, based on the determination. | 10-03-2013 |
20130269022 | Method and Apparatus for Fast Check and Update of Anti-Replay Window Without Bit-Shifting in Internet Protocol Security - An apparatus comprising a processor configured to implement an anti-replay check for a plurality of received packets and a plurality of corresponding sequence numbers; and a circular buffer coupled to the processor and comprising a bitmap, wherein the bitmap is slid in a circular manner by updating a low index that points to a first sequence number for a first received packet and a high index that points to a last sequence number for a last received packet without bit-shifting, and wherein, when the update results in the new value of one of the low index and the high index exceeding the end of the circular buffer, that index wraps around to the beginning of the circular buffer. | 10-10-2013 |
20130276092 | SYSTEM AND METHOD FOR DYNAMIC SECURITY INSERTION IN NETWORK VIRTUALIZATION - A method and apparatus for dynamic security insertion into virtualized networks is described. The method may include receiving, at a network device from a second network device, a data packet and application data extracted from the data packet. The method may also include generating a routing decision for a network connection associated with the data packet based, at least in part, on the application data. Furthermore, the method may include transmitting the routing decision for the data packet to the second device for the second device to route the data based on the routing decision. | 10-17-2013 |
20130276093 | FIREWALL INTERFACE CONFIGURATION TO ENABLE BI-DIRECTIONAL VOIP TRAVERSAL COMMUNICATIONS - Methods and systems for an intelligent network protection gateway (NPG) and network architecture are provided. According to one embodiment, a firewall provides network-layer protection to internal hosts against unauthorized access by hosts of an external network by performing network address translation (NAT) processing of Internet Protocol (IP) addresses. The firewall changes data in headers of VoIP packets and corresponding data contents of the VoIP packets, to enable bi-directional VoIP communications. An external VoIP interface of the firewall receives incoming VoIP packets having a user alias (e.g., an email address) and an indication regarding a VoIP port of external interface. The packets are directed to an appropriate internal host by the firewall performing port address forwarding based on the port indication to a media gateway within the internal network that maintains a mapping of user aliases to private addresses of the internal hosts. | 10-17-2013 |
20130283365 | INTER-AUTONOMOUS SYSTEM WEIGHSTATION - An approach for providing network security is disclosed. The system includes a first set of routing devices (e.g., routers, routing switches, etc.) operating redundantly within an autonomous system. The system also includes a second set of routing devices that are configured for redundant operation within the autonomous system and to communicate with another autonomous system. The sets of routing devices provide a communication path between the autonomous systems for transport of untrusted packets and trusted packets. Further, the system includes a security node (i.e., weighstation) configured to communicate with the sets of routing devices and to only receive the untrusted packets, wherein the untrusted packets are selectively forwarded to the other autonomous system. | 10-24-2013 |
20130283366 | FLEXIBLE NETWORK SECURITY SYSTEM AND METHOD FOR PERMITTING TRUSTED PROCESS - Disclosed herein is a flexible network security system and method for permitting a trusted process. The system includes a port monitoring unit for extracting information about a server port being used through a network communication program; an internal permitted program storage for extracting information about a program for which communication is permitted by the firewall, and registering the extracted information; an internal permitted port storage for registering the extracted information about the server port if the port monitoring unit extracts the information about the server port being used by the program registered in the internal permitted program storage; and a device for making the firewall flexible, determining whether a destination port of a packet of inbound traffic has been registered in the internal permitted port storage, and if the destination port has not been registered, transmitting the corresponding packet to the firewall, and if the destination port has been registered, allowing the corresponding packet to bypass the firewall. | 10-24-2013 |
20130298221 | FIREWALLS FOR FILTERING COMMUNICATIONS IN A DYNAMIC COMPUTER NETWORK - A method and apparatus for filtering data communications in a dynamic computer network is disclosed. The method includes receiving a data packet that includes a plurality of identity parameters. The data packet is filtered by comparing the plurality of identity parameters to a set of filtering rules. The filtering rules allow the data packet into the network if a set of said identity parameters have been pseudorandomly transformed to specify false identity parameters and those false identity parameters are within a set of currently allowed false identity parameters determined based on a mission plan. | 11-07-2013 |
20130298222 | HIGH AVAILABILITY SECURITY DEVICE - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for processing a first plurality of packets using one or more processors and maintaining one or more flow records associated with the first plurality of packets, and processing a second plurality of packets without maintaining flow records associated with the second plurality of packets and allowing the second plurality of packets to pass to one or more destinations. | 11-07-2013 |
20130312081 | MALICIOUS CODE BLOCKING SYSTEM - Disclosed is a malicious code blocking system including: a fake website detector that repeatedly accesses a website to be monitored to detect an attack, stores a detection log of the attacked site, and provides a URL address of the attacked site or server; a malicious URL storage that temporarily stores a URL address of the attacked site or server and stores a status flag indicating whether or not a malicious URL list containing information on malicious URLs changes; and a URL filter associated with a user terminal to monitor a network packet transmitted or received by the user terminal, check whether or not the status flag changes in a case where a DNS query request for visiting a specific site is generated, and update a malicious URL list containing information on a malicious URL based on information stored in the malicious URL storage if the status flag changes. | 11-21-2013 |
20130312082 | COMMUNICATION METHOD, NODE, AND NETWORK SYSTEM - A communication method executed by a node in an ad hoc network having multiple nodes, includes receiving from a neighboring node of the node in the ad hoc network, a first packet that includes a sender address of the neighboring node and a first packet transmission count of packet transmissions from the neighboring node; extracting the first packet transmission count from the first packet; receiving from the neighboring node and after reception of the first packet, a second packet that includes the sender address of the neighboring node and a second packet transmission count of packet transmissions from the neighboring node; extracting the second packet transmission count from the second packet; determining whether the second packet is an invalid packet, based on the first packet transmission count and the second packet transmission count; and discarding the second packet upon determining the second packet to be an invalid packet. | 11-21-2013 |
20130326609 | FORCING ALL MOBILE NETWORK TRAFFIC OVER A SECURE TUNNEL CONNECTION - A process is disclosed in which all network traffic between a mobile device and an untrusted network arriving before the establishment of a VPN tunnel is dropped in response to rules imposed by the mobile device's operating system. Once a VPN tunnel is established, all communication from the mobile device is secured, without an intervention on the part of the user of the device. A device supporting such a process is also disclosed. | 12-05-2013 |
20130326610 | SYSTEM AND METHOD FOR CONTROLLING ACCESS TO A PLANT NETWORK - A system for centrally controlling access by computers in a corporate network to a plant network that runs plant applications. The system includes an access control computer in communication with the corporate network and includes a memory, a processor coupled to the memory and a multi-user application stored in the memory and executable by the processor. The multi-user application communicates with a plurality of computers in the corporate network concurrently and communicates with at least one plant application running in the plant network to retrieve data from and pass data to the plant application on behalf of the plurality of computers in the corporate network concurrently. Since all communication from the plurality of computers is tunneled through the access control computer, the likelihood of any virus or worm spreading into the plant network is minimized. | 12-05-2013 |
20130347095 | ISOLATION AND SECURITY HARDENING AMONG WORKLOADS IN A MULTI-TENANT NETWORKED ENVIRONMENT - A method and associated systems for enhanced isolation and security hardening among multi-tenant workloads. An agent running on a processor of a networked computer system on which multicast and broadcast communications have been disabled captures an address-resolution query message from a querying tenant, converts the query message to a unicast message, and forwards the converted unicast query message to a switch. The switch forwards the converted unicast message to a redirection device and in response receives an address-resolution response message only after the redirection device verifies that the query and response messages comply with security policies. The switch forwards the address-resolution response to the querying tenant in conformance with security policies. | 12-26-2013 |
20140007216 | METHODS, SYSTEMS, AND COMPUTER READABLE MEDIA FOR ADAPTIVE PACKET FILTERING | 01-02-2014 |
20140007217 | System and Method for Incorporating Quality-of-Service and Reputation in an Intrusion Detection and Prevention System | 01-02-2014 |
20140007218 | SYSTEMS AND METHODS FOR PROVIDING A VPN SOLUTION | 01-02-2014 |
20140033295 | NETWORK SECURITY MODULE FOR ETHERNET-RECEIVING INDUSTRIAL CONTROL DEVICES - A high-speed security device for network connected industrial controls provides hybrid processing in tandem hardware and software security components. The software security component establishes state-less data identifying each packet that requires high-speed processing and loads a data table in the hardware component. The hardware component may then allow packets matching data of the data table to bypass the software component while passing other non-matching packets to the software component for more sophisticated state analysis. | 01-30-2014 |
20140047534 | Filtering Network Packets in Multiple Forwarding Information Base Systems - In some implementations, a method for routing communication includes determining a binding interface for a communication session based on a forwarding information base (FIB) and a destination for the communication session. The communication session is from an application running on user equipment (UE), and the binding interface is included in a virtual private network (VPN) tunnel established through an Internet Protocol (IP) security (IPsec) interface. Whether to filter the communication session is determined based on which perimeter of the UE includes the binding interface and which perimeter of the UE includes the IPsec interface. | 02-13-2014 |
20140075535 | METHOD AND APPARATUS FOR STREAMING VIDEO SECURITY - A streaming video security device is provided that comprises an input LAN interface, at least one streaming video decoder, an output LAN interface, at least one streaming video encoder coupled at one side to said LAN interface for streaming video output and coupled at the other side to a raw video display-compatible output interface; and a unidirectional data flow element coupled at the transmitting side to the streaming video decoder through the raw video display-compatible output interface and coupled at the receiving side to one or more video encoders through the raw video display-compatible input interface. | 03-13-2014 |
20140075536 | DETECTION OF INFECTED NETWORK DEVICES VIA ANALYSIS OF RESPONSELESS OUTGOING NETWORK TRAFFIC - The present disclosure describes one or more systems, methods, routines and/or techniques for detection of infected network devices via analysis of responseless outgoing network traffic. A computer implemented method may include executing a routine that receives as input first packet information. The method may include executing a routine that analyzes the first packet information to determine whether the first packet information identifies an outgoing network packet that is associated with the initiation of a network communication. The method may include executing a routine that causes storage and/or tracking, in one or more data stores, of the first packet information if the first packet information is determined to be a potential responseless packet. The method may include executing a routine that causes removal and/or ends tracking of the first packet information if the first packet information is determined to not be a responseless packet based on analysis of second packet information. | 03-13-2014 |
20140075537 | METHOD AND APPARATUS FOR CONTROLLING BLOCKING OF SERVICE ATTACK BY USING ACCESS CONTROL LIST - An attack blocking control method uses an access control list (ACL). The method includes investigating the ACL when a packet is input, checking whether or not the packet is registered in the ACL, and comparing a current time count value with a blocking time of the packet if the packet is determined to be registered in the ACL. Further, the method includes increasing the number of blocking times of the packet by 1 if the current time count value is smaller than or equal to the blocking time. Further, the method includes automatically renewing the blocking time, and removing registration information for the packet from the ACL if the current time count value is greater than the blocking time. | 03-13-2014 |
20140075538 | IP SPOOFING DETECTION APPARATUS - An IP spoofing detection apparatus is provided. The IP spoofing detection apparatus comprises a tunnel information extracting unit which extracts a first TEID and a user equipment IP address from a payload of a first GTP packet, and an abnormal packet detecting unit which extracts a second TEID from a header of a second GTP packet, and extracts a source IP address from a payload of the second GTP packet, wherein the abnormal packet detecting unit detects the second GTP packet as an IP spoofing packet if the first TEID and the second TEID are equal to each other, and the user equipment IP address and the source IP address are different from each other. | 03-13-2014 |
20140075539 | PACKET CLASSIFICATION IN A NETWORK SECURITY DEVICE - Methods and apparatuses are described for inspecting data packets in a computer network. One or more data packets through the network have associated header data and content. One method includes receiving a data packet, examining the data packet to classify the data packet, including classifying the data packet using information included in the header and content, determining flow instructions for processing the packet based on both the header information and the content, and processing the packet using the flow instructions. | 03-13-2014 |
20140075540 | GEOGRAPHIC FILTER FOR REGULATING INBOUND AND OUTBOUND NETWORK COMMUNICATIONS - A system and method for regulating and analyzing inbound and outbound communications in and between computer networks on the basis of geographic security assertions are provided. Geographic information is collected, optimized, and shared between network objects to enforce network access control on the basis of configurable security assertions. Security assertions are configured and metrics displayed using maps and other geographic data in a graphical user interface. | 03-13-2014 |
20140090047 | MULTIPLE CPU ARCHITECTURE PLATFORM NETWORK FIREWALL - A system includes a communication processor and an application processor communicatively coupled to the communication processor. The communication processor is configured to detect a receipt of an incoming data packet, initially process at least a portion of the incoming data packet in the communication processor to determine if the incoming packet satisfies a first set of pre-determined criteria and automatically enable a transfer of the incoming data packet to the application processor depending upon an outcome of the initial processing of the incoming data packet. | 03-27-2014 |
20140096228 | SYSTEM AND METHOD FOR AUTOMATIC PROVISIONING OF MULTI-STAGE RULE-BASED TRAFFIC FILTERING - Methods and systems for filtering communication packets using a multi-stage filtering system that receives a large volume of communication packets from a communication network and filters the packets in two or more successive stages. The system comprises at least one front-end filtering unit and multiple back-end filtering units. Typically, although not necessarily, the front-end filtering unit filters the packets based on layer-2 to layer-4 attributes of the packets. The back-end filtering units, on the other hand, filter the packets based on content extracted from the packet payloads. The back-end filtering units may perform filtering, for example, based on keyword spotting, application classification, malware detection and other content-related criteria. The front-end filtering unit typically performs filtering at the individual packet level and/or at the level of request-response transactions. The back-end filtering units, on the other hand, typically perform filtering at the level of entire reconstructed packet flows. | 04-03-2014 |
20140101751 | HARDWARE ENGINE FOR HIGH-CAPACITY PACKET PROCESSING OF NETWORK BASED DATA LOSS PREVENTION APPLIANCE - Provided is a network-based data loss prevention (DLP) system. The network-based DLP system includes an FPGA engine including a pattern matcher and an MCP engine including a session list filter. The pattern matcher hash-processes a payload of an input packet in units of a certain size, compares a pre-stored pattern and the hash-processed packet, checks a matching rule ID and an upload channel ID corresponding to the pre-stored pattern when there is a match therebetween, adds tagging information to a header of the input packet, and outputs the packet. The session list filter receives the packet with the tagging information added thereto, and performs pre-registered processing on the pre-registered session, or passes the received packet. The processor uploads, forwards, or drops the received packet in correspondence with the matching rule ID. | 04-10-2014 |
20140115687 | INTRUSION AND MISUSE DETERRENCE SYSTEM EMPLOYING A VIRTUAL NETWORK - A method and apparatus is disclosed for increasing the security of computer networks through the use of an Intrusion and Misuse Deterrence System (IMDS) operating on the network. The IMDS is a system that creates a synthetic network complete with synthetic hosts and routers. It is comprised of a network server with associated application software that appears to be a legitimate portion of a real network to a network intruder. The IMDS consequently invites inquiry and entices the intruder away from the real network. Simulated services are configured to appear to be running on virtual clients with globally unique, class “C” IP addresses. Since there are no legitimate users of the virtual network simulated by the IMDS, all such activity must be inappropriate and can be treated as such. Consequently, the entire set of transactions by an intruder can be collected and identified rather than just those transactions that meet a predefined attack profile. Also, new exploits and attacks are handled just as effectively as known attacks, resulting in better identification of attack methodologies as well as the identification and analysis of new attack types. Since the IMDS only has to be concerned with the traffic going to its simulated hosts it additionally eliminates the bandwidth limitation that plagues a traditional IDS. | 04-24-2014 |
20140115688 | MULTI-METHOD GATEWAY-BASED NETWORK SECURITY SYSTEMS AND METHODS - Systems and methods for detecting and preventing network security breaches are described. The systems and methods present a gateway-based packet-forwarding network security solution to not only detect security breaches but also prevent them by directly dropping suspicious packets and connections. The systems and methods employ multiple techniques to detect and prevent network security breaches, including stateful signature detection, traffic signature detection, and protocol anomaly detection. | 04-24-2014 |
20140123266 | INCOMING REDIRECTION MECHANISM ON A REVERSE PROXY - A system is provided for filtering packets. The system includes: a filter for determining, by applying a set of at least one filtering rule, whether a packet is permitted to be routed towards a receiving entity. The system includes a verification element for verifying validity of an authentication token included in a request received by the filtering system and adds, to the set, after receiving an initial request, a so-called top-level filtering rule, permitting the routing, towards the verification element, of at least one packet received via a predetermined communication port of the device, in which the source address is identical to the source address of the initial request, regardless of the source communication port of the subsequent request. A routing element routes a subsequent request including a valid authentication token towards a receiving entity of the subsequent request. | 05-01-2014 |
20140130146 | MEDIA ACCESS CONTROL ADDRESS TRANSLATION IN VIRTUALIZED ENVIRONMENTS - A method and a network device are provided to transmit network packets through a network security device. The method, performed by the network device, receives a request to send a network packet from a first computing device to a second computing device over a network that includes the network device and the network security device. The network packet includes a first network interface identifier for identifying the first computing device and a second network interface identifier for identifying the second computing device. The method identifies third and fourth network interface identifiers that cause the network packet to be transmitted through the network security device. The method transmits the network packet over the network through the network security device using the third and fourth network interface identifiers. The method transmits the network packet to the second computing device using the first and second network interface identifiers. | 05-08-2014 |
20140157396 | EFFICIENT PACKET HANDLING, REDIRECTION, AND INSPECTION USING OFFLOAD PROCESSORS - A method for handling packets is disclosed. The method can include providing at least one main processor connected to a plurality of offload processors by a memory bus; configuring the offload processors to provide security related services on packets prior to redirection to the main processor; and operating a virtual switch respectively connected to the main processor and the plurality of offload processors using the memory bus, with the virtual switch capable of receiving memory read/write data over the memory bus. | 06-05-2014 |
20140157397 | EFFICIENT PACKET HANDLING, REDIRECTION, AND INSPECTION USING OFFLOAD PROCESSORS - A packet handling system is disclosed that can include at least one main processor, a plurality of offload processors connected to a memory bus and configured to provide security related services on packets prior to redirection to the main processor; an arbiter connected to each of the plurality of offload processors, the arbiter capable of scheduling resource priority for instructions or data received from the memory bus; and a virtual switch respectively connected to the main processor and the plurality of offload processors using the memory bus, with the virtual switch capable of receiving memory read/write data over the memory bus, and further directing at least some memory read/write data to the arbiter. | 06-05-2014 |
20140165183 | System and Methods for an Alternative to Network Controller Sideband Interface (NC-SI) Used in Out of Band Management - A system and a method for operating a plurality of information handling systems forming a network are provided. The system includes a host computer processing unit (CPU); a baseboard management controller (BMC); and a switch having a first port coupled to the host CPU, a second port coupled to the BMC, and an external port coupled to a network; wherein the switch is configured to perform lookups and send ingress traffic including internet content to the host CPU, and to send ingress traffic including management content to the BMC accordingly. A computer program product including a non-transitory computer readable medium having computer readable and executable code for instructing a processor in a management unit for a plurality of information handling systems forming a network to perform a method using a system as above is also provided. | 06-12-2014 |
20140181952 | METHODS, SYSTEMS, AND COMPUTER READABLE MEDIA FOR PROVIDING DIAMETER SIGNALING ROUTER WITH FIREWALL FUNCTIONALITY - According to one aspect, the subject matter described herein includes a system for Diameter routing and firewall filtering. The system includes a Diameter signaling router comprising a network interface for receiving, from a first Diameter node, a first Diameter message having Diameter information. The Diameter signaling router also includes a firewall module for determining whether the first Diameter message satisfies a firewall policy. The firewall policy is based on at least a portion of the Diameter information in the first Diameter message. The Diameter signaling router further includes a routing module for forwarding at least a portion of the first Diameter message towards a second Diameter node in response to the first Diameter message satisfying the firewall policy. | 06-26-2014 |
20140181953 | Method and Apparatus for Best Effort Propagation of Security Group Information - A method and system for best effort propagation of security group information is disclosed. The method includes determining if a reserved group identifier is associated with a destination and, if the reserved group identifier is associated with the destination, indicating that a packet received at a network node can be sent to another network node. The packet includes destination information that identifies the destination as a destination of the packet. | 06-26-2014 |
20140201828 | ANTI-MALWARE SYSTEM, METHOD OF PROCESSING PACKET IN THE SAME, AND COMPUTING DEVICE - An anti-malware (AM) apparatus includes: a hardware-based firewall (FW) engine, including a packet matching engine configured to perform matching of a packet with a plurality of FW rules, and to generate a matching result; and an FW function module configured to determine an action for filtering the packet on the basis of the matching result. | 07-17-2014 |
20140215599 | METHOD AND SYSTEM FOR DEFEATING DENIAL OF SERVICE ATTACKS - Software, systems and methods for defeating DoS and DDoS attacks according to certain embodiments include detecting a DoS/DDoS attack and connecting to the attacking node(s) by allowing a network handshake to complete between a network connected device and the attacking nodes. Then the network connected device under attack drops the traffic from the attacking node(s) rather than rejecting it. The acceptance and dropping is repeated until the attack is defeated. | 07-31-2014 |
20140215600 | ROUTING A PACKET BY A DEVICE - Methods and apparatus for transferring packets in a packet switched communication system. A system is provided that includes an L2 device including a controller determining for each packet received whether the received packet is to be inspected, an inspection device operable to inspect and filter packets identified by the controller including using a zone specific policy and an L2 controller for transferring inspected packets in accordance with L2 header information using L2 protocols. | 07-31-2014 |
20140223540 | FIREWALL INTERFACE CONFIGURATION TO ENABLE BI-DIRECTIONAL VOIP TRAVERSAL COMMUNICATIONS - Methods and systems for an intelligent network protection gateway (NPG) and network architecture are provided. According to one embodiment, a firewall provides network-layer protection to internal hosts against unauthorized access by hosts of an external network by performing network address translation (NAT) processing of Internet Protocol (IP) addresses. The firewall changes data in headers of VoIP packets and corresponding data contents of the VoIP packets, to enable bi-directional VoIP communications. An external VoIP interface of the firewall receives incoming VoIP packets having a user alias (e.g., an email address) and an indication regarding a VoIP port of the external interface. The packets are directed to an appropriate internal host by the firewall performing port address forwarding, based on the port indication, to an appropriate media gateway within the internal network that maintains a mapping of user aliases to private addresses of the internal hosts. | 08-07-2014 |
20140250520 | FIREWALL METHOD AND APPARATUS FOR INDUSTRIAL SYSTEMS - Method and apparatus for use with systems including networked resources where communication between resources is via dual packet protocols wherein a first protocol includes a frame that specifies a destination device/resource and a data field and the second protocol specifies a final destination device/resource and includes a data field, where the second packets are encapsulated in the first protocol packet frames, the method including specifying access control information for resources, for each first protocol packet transmitted on the network, intercepting the first protocol packet prior to the first protocol destination resource, examining a subset of the additional embedded packet information to identify one of the intermediate path resources and the final destination resource, identifying the access control information associated with the identified at least one of the intermediate path resources and the final destination resource and restricting transmission of the first protocol packet as a function of the identified access control information. | 09-04-2014 |
20140259145 | Light Weight Profiling Apparatus Distinguishes Layer 7 (HTTP) Distributed Denial of Service Attackers From Genuine Clients - An apparatus discerns clients by the requests made to a web application server through a web application firewall, which injects client side code into the responses with a randomized challenge that needs a unique answer to be returned in the cookie. The client side code generates cookies, which identify a browser to the web application server, or the web application firewall in subsequent requests if made by a normally configured browser and a fail threshold is checked for subsequent requests originating from such a browser. Each browser is thus fingerprinted and if the expected answer failures exceed a threshold, the client is marked as suspicious and a subsequent Turing test is enforced to these suspicious clients, failing which, a subsequent defined action is taken. | 09-11-2014 |
20140259146 | INTELLIGENT INTEGRATED NETWORK SECURITY DEVICE - Methods, computer program products and apparatus for processing data packets are described. Methods include receiving the data packet, examining the data packet, determining a single flow record associated with the packet and extracting flow instructions for two or more devices from the single flow record. | 09-11-2014 |
20140283004 | FILTERING NETWORK DATA TRANSFERS - Aspects of this disclosure relate to filtering network data transfers. In some variations, multiple packets may be received. A determination may be made that a portion of the packets have packet header field values corresponding to a packet filtering rule. Responsive to such a determination, an operator specified by the packet filtering rule may be applied to the portion of packets having the packet header field values corresponding to the packet filtering rule. A further determination may be made that one or more of the portion of the packets have one or more application header field values corresponding to one or more application header field criteria specified by the operator. Responsive to such a determination, at least one packet transformation function specified by the operator may be applied to the one or more of the portion of the packets. | 09-18-2014 |
20140289840 | SYSTEM AND METHOD FOR INTEGRATED HEADER, STATE, RATE AND CONTENT ANOMALY PREVENTION FOR SESSION INITIATION PROTOCOL - Methods and systems for an integrated solution to the rate based denial of service attacks targeting the Session Initiation Protocol are provided. According to one embodiment, header, state, rate and content anomalies are prevented and network policy enforcement is provided for session initiation protocol (SIP). A hardware-based apparatus helps identify SIP rate-thresholds through continuous and adaptive learning. The apparatus can determine SIP header and SIP state anomalies and drop packets containing those anomalies. SIP requests and responses are inspected for known malicious contents using a Content Inspection Engine. The apparatus integrates advantageous solutions to prevent anomalous packets and enables a policy based packet filter for SIP. | 09-25-2014 |
20140298445 | Method and Apparatus for Filtering URL - A method and an apparatus for filtering a uniform resource locator (URL). According to the method, a first category corresponding to a URL connection request can be found in a pre-stored category information table; when the first category conforms to a predetermined URL passing-through policy, the URL connection request is allowed to pass through; the URL connection request is forwarded to a corresponding server; a second category corresponding to the URL is determined according to web page content returned by the server; if the second category conforms to the predetermined URL passing-through policy, the web page content is sent to a client; if the second category does not conform to the predetermined URL passing-through policy, the web page content is blocked. The category to which a URL belongs can thus be determined in real time, implementing accurate category filtering. | 10-02-2014 |
20140304802 | LOCKED DOWN NETWORK INTERFACE - A logic device and method are provided for intercepting a data flow from a network source to a network destination. A data store holds a set of compliance rules and corresponding actions. A packet inspector is configured to inspect the intercepted data flow and identify from the data store a compliance rule associated with the inspected data flow. A packet filter is configured to, when the data flow is identified as being associated with a compliance rule, carry out an action with respect to the data flow corresponding to the compliance rule. | 10-09-2014 |
20140304803 | LOCKED DOWN NETWORK INTERFACE - A logic device and method are provided for intercepting a data flow from a network source to a network destination. A data store holds a set of compliance rules and corresponding actions, wherein at least one of the set of compliance rules is a temporary compliance rule valid for a predetermined period. A packet inspector is configured to inspect the intercepted data flow and identify from the data store a temporary compliance rule associated with the inspected data flow. A packet filter is configured to, when the data flow is identified as being associated with the temporary compliance rule, carry out an action with respect to the data flow corresponding to the temporary compliance rule while the temporary compliance rule is valid. | 10-09-2014 |
20140310796 | Multiple inspection avoidance (MIA) using a protection scope - A multiple inspection avoidance (MIA) technique is implemented in a virtualized environment. Preferably, the technique is implemented in a packet processing unit (PPU) and takes advantage of a protection scope determined in an automated manner. The protection scope may be MAC-based. The MIA technique ensures that the same packet is not inspected more than once by a same packet processing unit (PPU), and that the same packet is not inspected more than once by different PPUs. According to this disclosure, when a PPU implementing MIA receives a packet, it uses the protection scope to determine whether it needs to process the packet. Preferably, the determination of whether to process the packet depends on the source and destination addresses in the packet, whether those addresses are being protected by the PPU that receives the packet, the direction of the packet flow, and optionally one or more packet processing rules. | 10-16-2014 |
20140325634 | ADJUSTING DDOS PROTECTION BASED ON TRAFFIC TYPE - A system, method and computer readable storage medium that receives traffic/packets from external devices attempting to access protected devices in a protected network. A determination is made as to whether a received packet belongs to one of a plurality of packet classifications. Each packet classification is indicative of a different class of IP traffic. Countermeasures are applied to a received packet to prevent attack upon the protected devices. Applying a countermeasure to a received packet determined to belong to one of the plurality of packet classifications includes countermeasure modification/selection contingent upon the determined packet classification for the received packet. | 10-30-2014 |
20140325635 | HARDWARE IMPLEMENTATION OF COMPLEX FIREWALLS USING CHAINING TECHNIQUE - A firewall device may include a forwarding component that includes a filter block. The filter block may obtain a first hardware-implemented filter, where a hardware implementation limits the first hardware-implemented filter to a maximum quantity of rules; determine whether a last rule associated with the accessed hardware-implemented filter includes a split-filter action, where the split-filter action identifies a second hardware-implemented filter; and link the second hardware-implemented filter to the first hardware-implemented filter to make the second hardware-implemented filter a logical continuation of the first hardware-implemented filter, in response to determining that the last rule includes the split-filter action. The filter block may further determine whether a particular rule of the first hardware-implemented filter includes a next-filter action, where the next-filter action identifies a third hardware-implemented filter; and process the third hardware-implemented filter independently of the sequence of hardware attachment points. | 10-30-2014 |
20140331311 | SECURITY PROCESSING IN ACTIVE SECURITY DEVICES - Methods, systems, and apparatus, including computer program products, featuring receiving at a first security device a packet. The first security device determines that the packet is associated with a flow assigned to a distinct second security device. The first security device sends the packet to the second security device. After the second security device performs security processing using the packet, the first security device receives from the second security device a message regarding the packet. The first security device transmits the packet. | 11-06-2014 |
20140337963 | SYSTEMS AND METHODS FOR HANDLING PACKETS FROM A TRUSTED NETWORK - Systems and methods for handling packets from a trusted network are provided. In some aspects, a system includes a communication module configured to receive a packet at a gateway from a server in a trusted network. The gateway is between the trusted network and a network external to the trusted network. The system also includes a verification module configured to determine whether the received packet is valid. The communication module is configured to route the received packet to a client in the external network if the received packet is determined to be valid. The communication module is configured to apply a corrective action to the received packet if the received packet is determined to be invalid. | 11-13-2014 |
20140337964 | Software Firewall Control - A software firewall that may be configured using rules specified for types of network interfaces rather than individual network interfaces. The network types may be specified with type identifiers that have a readily understandable meaning to a user, facilitating ease of configuring the firewall. The network types could include, for example, wired, wireless and remote access. A rule specified based on a network type can be implemented for network interfaces of that network type. The implementation may be performed automatically and may be updated based on network location awareness information. | 11-13-2014 |
20140344916 | METHOD FOR OPERATING A COMMUNICATION MODULE, AND COMMUNICATION MODULE - A method for operating a communication module of a network element of a communication network as well as the communication module itself are described. The communication module is embodied for the transmission of data. The network element has a communication module and an interface for communication with further network elements of the communication network. The communication module is embodied in such a way that the transmission, via the interface, of data for transmission is inhibited or authorized on the basis of a filter instruction. | 11-20-2014 |
20140366119 | REGIONAL FIREWALL CLUSTERING IN A NETWORKED COMPUTING ENVIRONMENT - An approach for regional firewall clustering for optimal state-sharing of different sites in a virtualized/networked (e.g., cloud) computing environment is provided. In a typical embodiment, each firewall in a given region is informed of its peer firewalls via a registration process with a centralized server. Each firewall opens up an Internet protocol (IP)-based communication channel to each of its peers in the region to share state table information. This allows for asymmetrical firewall flows through the network and allows routing protocols to ascertain the best path to a given destination without having to take firewall placement into consideration. | 12-11-2014 |
20140380457 | ADJUSTING DDOS PROTECTION - A system, method and computer readable storage medium that blocks network traffic exceeding a user selected value. Received data packets are analyzed to determine volumetric traffic flow so as to graphically represent the determined volumetric traffic flow for the received data packets on a display device. A countermeasure filter is provided having at least one traffic setting operational to block data packet traffic flow from one or more external devices when the volumetric data packet flow exceeds a prescribed threshold value. The prescribed threshold value is determined by a user-positioned indicator on a display device graphically representing the determined volumetric traffic flow. | 12-25-2014 |
20140380458 | APPARATUS FOR PREVENTING ILLEGAL ACCESS OF INDUSTRIAL CONTROL SYSTEM AND METHOD THEREOF - Disclosed is an apparatus for preventing illegal access to an industrial control system, and a method thereof, in accordance with the present invention. The apparatus for preventing illegal access to an industrial control system includes: a first interface communicating a packet by interoperating with a management network group that requests a control command; a second interface communicating a packet by interoperating with a control network group that receives a control command from the management network group and processes it; and a control device which, when a packet flows therein from the management network group or the control network group, checks whether or not at least one filter rule is set and controls the packet flow between the management network group and the control network group using the filter where the rule is set. | 12-25-2014 |
20140380459 | ADAPTIVE PROBABILISTIC PACKET FILTERING ROUTER AND METHOD THEREOF - A router is provided. The router includes a packet marking unit that inserts marking information generated based on an address of the router into a packet received by the router, according to a packet marking probability that is dynamically set, and a marking probability determination unit that calculates filtering efficiency of the router, and determines the packet marking probability based on the filtering efficiency. The marking information is used to obtain the address of the router by a device that has received the packet containing the marking information. | 12-25-2014 |
20150020188 | Network Host Provided Security System for Local Networks - A gateway host connected to a network can be programmed to control packet traffic from other hosts on the network. The gateway host sends spoof packets to one or more of the other hosts, rendering them as controlled hosts. Each controlled host, having received the spoof packets, sends network packets for an intended destination, which are intercepted by the gateway host. The spoof packets have caused reconfiguration of the packet routing by the controlled host, such that network packets are rerouted upon their being sent from the controlled host. The gateway host renders a decision on the network packet traffic. | 01-15-2015 |
20150026794 | PACKET CLASSIFICATION FOR NETWORK ROUTING - Techniques for packet classification for network routing are disclosed. In some embodiments, packet classification for network routing includes receiving packets associated with a new flow at a security controller from a network device, in which the network device performs packet forwarding; classifying the flow; and determining an action for the flow based on a policy (e.g., a security policy). In some embodiments, the network device is a Software Defined Network (SDN) network device (e.g., a packet forwarding device that supports the OpenFlow protocol or another protocol). | 01-22-2015 |
20150033322 | LOGGING ATTACK CONTEXT DATA - Methods and systems for improved attack context data logging are provided. According to one embodiment, configuration information is received by a firewall device from a network administrator. The configuration information includes a number (N) of packets to capture by the firewall device responsive to an event detected by the firewall device that is potentially indicative of a threat or undesired activity. Multiple packets are received by the firewall device. The firewall device applies an attack detection algorithm, including one or more of a set of intrusion detection signatures, a set of malware detection signatures and a set of security policies, to the received packets. Responsive to the firewall device determining that a trigger packet is associated with a potential threat or potential undesired activity, the firewall device causes information regarding N packets of the received packets, inclusive of the trigger packet, to be stored in a log. | 01-29-2015 |
20150033323 | VIRTUAL PATCHING SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT - A system, method, and computer program product are provided for displaying, via at least one user interface, at least one option for dropping packets in connection with the at least one networked device for attack prevention. In use, it is determined whether an occurrence in connection with the at least one networked device is capable of taking advantage of the at least one actual vulnerability to which the at least one networked device is actually vulnerable. Further, based on the user input, packets are dropped in connection with the occurrence in immediate response to the detection thereof, to prevent an attack prior to completion of patch installation. | 01-29-2015 |
20150052600 | NETWORK ENVIRONMENT SEPARATION - The presently disclosed subject matter includes, inter alia, a separation module being operatively connectible to a network device operable to facilitate data communication in a communication network, the separation module being configured to control data communication in the communication network, the separation module being assigned with a network-id associating the separation module with a given network environment; the separation module being further configured to tag a data packet received by the network device from a first direction, in order to associate the data packet with a given network environment; and determine whether a tag, associated with a data packet received by the network device from a second direction, is compatible with the assigned network-id, and if it is, remove the tag from the data packet and allow transmission of the data packet. | 02-19-2015 |
20150052601 | METHODS, SYSTEMS, AND COMPUTER READABLE MEDIA FOR RAPID FILTERING OF OPAQUE DATA TRAFFIC - Methods, systems, and computer readable media for rapid filtering of opaque data traffic are disclosed. According to one method, the method includes receiving a packet containing a payload. The method also includes analyzing a portion of the payload for determining whether the packet contains compressed or encrypted data. The method further includes performing, if the packet contains compressed or encrypted data, at least one of sending the packet to an opaque traffic analysis engine for analysis, discarding the packet, logging the packet, or marking the packet. | 02-19-2015 |
20150074792 | LINE-RATE PACKET FILTERING TECHNIQUE FOR GENERAL PURPOSE OPERATING SYSTEMS - A method for mitigating denial of service attacks may include filtering out invalid packets from the received packets using a first filtering module, allowing the valid packets to pass through the first filtering module, and allowing some invalid packets to pass through the first filtering module. The method may also include passing the valid packets and the remaining invalid packets from the first filtering module to a second filtering module, filtering out more of the invalid packets using the second packet filtering module, allowing the valid packets to pass through the second filtering module, and allowing some invalid packets to pass through the second filtering module. The method may additionally include passing the valid packets and the remaining invalid packets to a protocol stack to filter the remaining invalid packets and pass the valid packets through to an application. | 03-12-2015 |
20150082417 | FIREWALL CONFIGURED WITH DYNAMIC COLLABORATION FROM NETWORK SERVICES IN A VIRTUAL NETWORK ENVIRONMENT - Techniques for automatic firewall configuration in a virtual network environment are described. In one example embodiment, firewall rules are configured using virtual machine (VM) inventory objects. The firewall rules are then transformed by replacing the VM inventory objects in the configured firewall rules with associated Internet protocol (IP) addresses using an IP address management (IPAM) table and a network address translation (NAT) table. The transformed firewall rules are then sent to a firewall engine for filtering communication from and to VMs running on a first machine on one or more computing networks and communication from and to VMs running on a second machine on one or more computing networks at a firewall according to the transformed firewall rules. | 03-19-2015 |
20150089628 | System and Method for Provision of a Router / Firewall in a Network - A firewall/router is configured in a best practices approach for security and performance and, as such, greatly enables non-technical consumers to install it as a gateway point in a small network setting. Certain embodiments provide a means to monitor network usage, configure content filtering, schedule hours of access for certain networked devices and specify which network devices may connect to the WAN. It is envisioned that certain embodiments may also be capable of sending alerts to designated and configurable targets. WAN access may be granted or blocked or throttled on a per network device basis using parameters such as, but not limited to, time of day, throttling characteristics, and classification of the content being served by the target resource. | 03-26-2015 |
20150096008 | METHOD FOR PROVIDING AUTHORITATIVE APPLICATION-BASED ROUTING AND AN IMPROVED APPLICATION FIREWALL - A method for providing authoritative application-based routing and an improved application firewall, as well as a method for application classification, is described. The first embodiment, which provides a method for authoritative application-based routing, comprises tagging packets with an application identifier, and pushing the tagged packets to the network to enable the application identifier to be used in routing and priority decisions. In the second embodiment, a method for improving application firewall comprises using the application identifier to minimize the amount of processing required by the firewall when analyzing packet information. | 04-02-2015 |
20150096009 | NETWORK TRAFFIC MANGLING APPLICATION - A network traffic system includes a network traffic mangling application for modifying a signature of packets that are transmitted in the network traffic system. The network traffic mangling application includes a user module control agent and a kernel module for executing the network traffic mangling application. The user module control agent modifies and mangles the behavior of the kernel module and communicates with the kernel module. | 04-02-2015 |
20150096010 | COMPUTER SECURITY SYSTEM - A method of packet management for restricting access to a resource of a computer system. The method includes identifying client parameters and network parameters, as a packet management information, used to determine access to the resource, negotiating a session key between client and server devices, generating a session ID based on at least the negotiated session key, inserting the packet management information and the session ID into each information packet sent from the client device to the server device, monitoring packet management information in each information packet from the client device, and filtering out respective information packets sent to the server device from the client device when the monitored packet management information indicates that access to the resource is restricted. | 04-02-2015 |
20150101036 | NETWORK FILTERING DEVICE, NETWORK FILTERING METHOD AND COMPUTER-READABLE RECORDING MEDIUM HAVING STORED THEREIN A PROGRAM - Provided is effective protection of a machine which is connected to a network by including a monitoring unit configured to monitor an apparatus which receives a data packet through a network, a storage unit configured, when abnormality of the apparatus is detected, to store a first data packet which causes the abnormality, a comparison unit configured to compare a second data packet received by the apparatus and the first data packet, a specification unit configured to specify a portion in the first data packet which is changed by a threshold or more from the second data packet, and a registration unit configured to register data of the specified portion. | 04-09-2015 |
20150106912 | REMOTE MACHINE MONITORING SYSTEMS AND SERVICES - The present disclosure describes illustrative, non-limiting embodiments of systems, apparatuses, and methods that can be used to facilitate the remote monitoring and support for manufacturing machines. In one particular embodiment, the techniques may be realized as a method for remote monitoring comprising the steps of storing a measurement taken of an injection molding machine to a machine controller associated with that machine; receiving operation data for the injection molding machine including the stored measurement from the machine controller; and remotely displaying the received data including the stored measurement to a first user at a location distant from the machine. | 04-16-2015 |
20150106913 | Method, Apparatus, Host, and Network System for Processing Packet - A method, an apparatus, a host, and a network system for processing a packet. The method includes receiving, by a physical host through a virtual bridge in the physical host, a network packet sent by a source virtual machine in the physical host, where the network packet carries a source media access control (MAC) address and a target MAC address; obtaining, by the physical host according to the source MAC address and the target MAC address by querying correspondence between each virtual machine MAC address and a security domain, a security domain to which the source virtual machine corresponds and a security domain to which a target virtual machine corresponds; and controlling, by the physical host, the virtual bridge to discard the network packet, when the security domain to which the source virtual machine corresponds is different from a security domain corresponding to the virtual bridge. | 04-16-2015 |
20150113629 | MONITORING NETWORK TRAFFIC - The disclosure is related to monitoring data traffic of user equipment through a monitoring node. A monitoring node may receive a data packet from user equipment registered for a monitoring service through a secure channel. The monitoring node may perform a monitoring operation on the received data packet and determine whether the received data packet is a malicious packet or a non-malicious packet. When the received data packet is a non-malicious packet, the monitoring node may transmit the data packet to a destination through a communication network. | 04-23-2015 |
20150113630 | COMPUTERIZED SYSTEM AND METHOD FOR ADVANCED NETWORK CONTENT PROCESSING - A computerized system and method for processing network content in accordance with at least one content processing rule is provided. According to one embodiment, the network content is received at a first interface. A transmission protocol according to which the received network content is formatted is identified and used to intercept at least a portion of the received network content. The intercepted portion of the network content is redirected to a proxy, which buffers the redirected portion of network content. The buffered network content is scanned in accordance with a scanning criterion and processed in accordance with the at least one content processing rule based on the result of the scanning. The processed portion of network content may be forwarded using a second interface. | 04-23-2015 |
20150128246 | METHODS AND APPARATUS FOR REDIRECTING ATTACKS ON A NETWORK - A system is disclosed for protecting a network against malicious attacks or attempts at unauthorized access. A network is connected to an external network by a number of firewalls. Inspectors detect packets blocked by the firewalls, and some or all of the packets are redirected to a labyrinth configured to emulate an operational network and respond to the packets in order to engage an attacker. Blocked packets may be detected by comparing packets entering and exiting a firewall. Packets for which corresponding packets are not received within a transit delay may be identified as blocked. Entering and exiting packets may be compared by comparing only header information. A central module may receive information from the inspectors, generate statistical information and generate instructions for the inspectors, such as blacklists of addresses known to be used by attackers. | 05-07-2015 |
20150128247 | CENTRALIZED DEVICE REPUTATION CENTER - A method and system for selective web traffic blocking are provided herein. The method may include: receiving a request from a user to receive a resource from a web server; collecting data from the received request; applying either background device inspection or foreground device inspection in response to the received request, based on the collected data; receiving fingerprint data in response to inspection; and providing a rule how to respond to the user based on the fingerprint data. The system comprises a service node to receive a request from a user to receive a resource from a web server, to collect data from the received request and to apply either background device inspection or foreground device inspection based on the collected data, and a centralized device reputation center to receive fingerprint data and to provide to said service node a rule how to respond to the user based on the fingerprint data. | 05-07-2015 |
20150143504 | SECURE AND LIGHTWEIGHT TRAFFIC FORWARDING SYSTEMS AND METHODS TO CLOUD BASED NETWORK SECURITY SYSTEMS - A method implemented by an agent operating on a mobile device communicating to a cloud-based system includes opening up local listening sockets on the mobile device; redirecting outgoing traffic from all application on the mobile device except the agent to the local listening sockets; and forwarding the outgoing traffic from the local listening sockets to the cloud-based system with additional information included therein for the cloud-based system. | 05-21-2015 |
20150295894 | METHOD AND APPARATUS TO PERFORM MULTIPLE PACKET PAYLOADS ANALYSIS - A method and apparatus for identifying data patterns of a file are described herein. In one embodiment, an exemplary process includes, but is not limited to, receiving a data packet of a data stream containing a file segment of a file originated from an external host and destined to a protected host of a local area network (LAN), the file being transmitted via multiple file segments contained in multiple data packets of the data stream, and performing a data pattern analysis on the received data packet to determine whether the received data packet contains a predetermined data pattern, without waiting for a remainder of the data stream to arrive. Other methods and apparatuses are also described. | 10-15-2015 |
20150295950 | METHOD, APPARATUS AND SYSTEM FOR DEFENDING AGAINST NETWORK ATTACK - A method, apparatus and system for defending against a network attack are provided in the disclosure. The method includes: receiving, by a defending server, data submitted by a client; extracting by the defending server, a first authentication value from the data; calculating by the defending server, a second authentication value based on a predetermined algorithm; and forwarding by the defending server, the data to a corresponding network server in a case that the first authentication value matches with the second authentication value. The method, apparatus and system for defending against a network attack described above may effectively defend against the network attack. | 10-15-2015 |
20150319139 | METHOD AND DEVICE FOR PROCESSING SOURCE ROLE INFORMATION - A method and device for processing source role information in which a source role tag is inserted into a packet as an inner VLAN tag of the packet and used to perform role based access control processing for the packet. | 11-05-2015 |
20150326534 | CONTEXT-AWARE PATTERN MATCHING ACCELERATOR - Methods and systems for improving accuracy, speed, and efficiency of context-aware pattern matching are provided. According to one embodiment, a packet stream is received by a first stage of a CPMP hardware accelerator of a network device. A pre-matching process is performed by the first stage to identify a candidate packet that matches a string or over-flow pattern associated with IPS or ADC rules. A candidate rule is identified based on a correlation of results of the pre-matching process. The candidate packet is tokenized to produce matching tokens and corresponding locations. A full-match process is performed on the candidate packet by a second stage of the CPMP hardware accelerator to determine whether it satisfies the candidate rule by performing one or more of (i) context-aware pattern matching, (ii) context-aware string matching and (iii) regular expression matching based on contextual information, the matching tokens and the corresponding locations. | 11-12-2015 |
20150326593 | DETECTING NETWORK TRAFFIC CONTENT - A device for detecting network traffic content is provided. The device includes a memory configured for storing one or more signatures, each of the one or more signatures associated with content desired to be detected, and defined by one or more predicates. The device also includes a processor configured to receive data associated with network traffic content, execute one or more instructions based on the one or more signatures and the data, and determine whether the network traffic content matches the content desired to be detected. | 11-12-2015 |
20150334090 | METHOD TO ENABLE DEEP PACKET INSPECTION (DPI) IN OPENFLOW-BASED SOFTWARE DEFINED NETWORK (SDN) - The present invention relates to a method and system for performing deep packet inspection of messages transmitted through a network switch in a Software Defined Network (SDN). Embodiments of the invention include a network switch, a controller, and a firewall in a software defined networking environment. In the present invention, the network switch is a simple network switch that is physically separate from the controller and the firewall. The invention may include a plurality of physically distinct network switches communicating with one or more controllers and firewalls. In certain instances, communications between the network switch, the controller, and the firewall are performed using the OpenFlow standard communication protocol. | 11-19-2015 |
20150350161 | Network Traffic Analysis to Enhance Rule-Based Network Security - A method of interpreting a rule and a rule-interpreting apparatus for a rule-based security apparatus, and an apparatus implementing the method. The method comprises the following steps: designating a suspicious timeslot; if no packet is present in the designated timeslot, capturing current incoming packets or capturing other incoming packets in the designated timeslot next time; automatically associating the packets in the designated timeslot to form at least one traffic flow corresponding to a connection or call; analyzing the at least one traffic flow to select at least one suspicious target traffic flow; and outputting the at least one selected suspicious target flow. | 12-03-2015 |
20150350231 | METHOD AND AN APPARATUS TO PERFORM MULTIPLE PACKET PAYLOADS ANALYSIS - A method and an apparatus to perform multiple packet payload analysis have been disclosed. In one embodiment, the method includes receiving a plurality of data packets, each of the plurality of data packets containing a portion of a data pattern, determining whether each of the plurality of data packets is out of order, and making and storing a local copy of the corresponding data packet if the corresponding data packet is out of order. Other embodiments have been claimed and described. | 12-03-2015 |
20150358284 | Method and Firewall For Soliciting Incoming Packets - This disclosure relates to controlling unwanted traffic to a device ( | 12-10-2015 |
20150358287 | Incremental Application of Resources to Network Traffic Flows Based on Heuristics and Business Policies - Disclosed herein are system, method, and computer program product embodiments for increasingly applying network resources to traffic flows based on heuristics and policy conditions. A network determines that a traffic flow satisfies a first condition and transmits a first portion of the traffic flow to a network service. A network service then inspects the first portion of the traffic flow at a first level of detail and determines that the traffic flow satisfies a second condition. The network can then transmit a second portion of the traffic flow to the network service based on the determining the traffic flow satisfies the second condition. The network service can inspect the second portion of the traffic flow at a second level of detail, wherein the inspecting at the second level of detail requires a different amount of computing resources than the inspecting at the first level of detail. | 12-10-2015 |
20150358288 | USE OF STATELESS MARKING TO SPEED UP STATEFUL FIREWALL RULE PROCESSING - A novel method for stateful packet classification that uses hardware resources for performing stateless lookups and software resources for performing stateful connection flow handshaking is provided. To classify an incoming packet from a network, some embodiments perform stateless look up operations for the incoming packet in hardware and forward the result of the stateless look up to the software. The software in turn uses the result of the stateless look up to perform the stateful connection flow handshaking and to determine the result of the stateful packet classification. | 12-10-2015 |
20150358350 | PROTECTION METHOD AND DEVICE - A protection device ( | 12-10-2015 |
20150365378 | ONE-WAY DATA TRANSMISSION AND RECEPTION SYSTEM AND METHOD - A one-way data transmission and reception system and method, which mitigate the problem of a buffer overflow that may occur on a reception system while also mitigating the problem of data loss caused by a link error that may occur in the unidirectional line of a physical one-way data transmission system. The one-way data transmission system includes a first interface unit connected to a first network. A second interface unit is unidirectionally connected to a reception system connected to a second network. An interface integration module unit transmits a delayed Transmission Control Protocol (TCP) Acknowledgement (ACK) frame to a TCP session established with a device of the first network unit through the first interface unit, and transmits one or more identical data frames to the reception system through the second interface unit. | 12-17-2015 |
20150372978 | METHODS AND APPARATUS FOR DENIAL OF SERVICE RESISTANT POLICING OF PACKETS - Methods and apparatus for supporting secure packet communications, e.g., sRTP/sRTCP, which are resistant to denial of service attacks are described. A received packet is identified to correspond to a particular stream being received, the stream having a current expected set of packet sequence numbers, e.g., a current window including a next expected packet sequence number and at least one packet sequence number in the expected packet window on each side of the expected packet sequence number. Unencrypted information from the received packet, e.g., a received packet sequence number, is used to determine at least one of: to drop the received packet, or to assign the packet to one of a plurality of policing levels. If the packet passes policing at its assigned policing level, the packet may undergo authentication and decryption to determine if it is a valid packet. | 12-24-2015 |
20150372979 | Packet Filtering at an Application-Processor-to-Modem Interface - An application processor circuit comprises an interface circuit configured to communicate with a separate modem device, a user application module configured to execute one or more user-installed applications, and a core application module configured to execute one or more core applications and to access one or more modem services on the modem device, using the interface circuit and an IP socket application protocol interface (API), wherein packets sent to the modem device for accessing the one or more modem services include a destination IP address corresponding to the modem device. The application processor circuit further comprises an IP filter module configured to identify and discard outbound packets that include a destination IP address corresponding to the modem device and that originate from any of one or more disallowed applications in the application processor, without sending the identified packets to the modem device. | 12-24-2015 |
20160006692 | MONITORING DEVICE AND MONITORING METHOD - A monitoring device to operate as a first monitoring device in a network including communication devices and monitoring devices, the monitoring device includes: an acquisition unit to acquire information of packets transmitted or received by a first communication device monitored by the first monitoring device; a transmission unit to transmit a first join request message to a first multicast group in which a second monitoring device performs notification of communication information of a second communication device monitored by the second monitoring device, when the first communication device communicates with the second communication device, after the first communication device communicates with an external device not included in the network; and a determination unit to determine whether the external device is performing unauthorized access to the second communication device via the first communication device, based on packets transmitted from the second monitoring device to the first multicast group. | 01-07-2016 |
20160014083 | INTELLIGENT SORTING FOR N-WAY SECURE SPLIT TUNNEL | 01-14-2016 |
20160021058 | Network Traffic Classification - Some aspects as described herein are directed to mirroring, in upstream and/or downstream data traffic for a particular connection, markings of data packets (e.g., DSCP and/or other markings) that have been received in downstream data traffic for that same connection. A trusted device in the network may control the markings, rather than a less-trusted endpoint device and/or a less trusted software application operating in any device. | 01-21-2016 |
20160021059 | METHOD AND SYSTEM FOR PACKET ACQUISITION, ANALYSIS AND INTRUSION DETECTION IN FIELD AREA NETWORKS - A system for intrusion detection in a field area network where data is transmitted via packets includes a processor for analyzing the packets to ascertain whether the packets conform to sets of rules indicating an intrusion, and a database for storing an alert indicating an intrusion if the packets conform to at least one rule in the sets. The sets of rules are for field network layer data, internet protocol traffic data and field area application traffic data. A method for detecting intrusion in a field area network where data is transmitted via packets includes analyzing the packets to ascertain whether the packets conform to the sets of rules, and storing an alert indicating an intrusion if the packets conform to at least one rule in the sets of rules. | 01-21-2016 |
20160021060 | Reverse NFA Generation And Processing - In a processor of a security appliance, an input of a sequence of characters is walked through a finite automata graph generated for at least one given pattern. At a marked node of the finite automata graph, if a specific type of the at least one given pattern is matched at the marked node, the input sequence of characters is processed through a reverse non-deterministic finite automata (rNFA) graph generated for the specific type of the at least one given pattern by walking the input sequence of characters backwards through the rNFA beginning from an offset of the input sequence of characters associated with the marked node. Generating the rNFA for a given pattern includes inserting processing nodes for processing an input sequence of patterns to determine a match for the given pattern. In addition, the rNFA is generated from the given type of pattern. | 01-21-2016 |
20160021061 | DETECTING ADVERSE NETWORK CONDITIONS FOR A THIRD-PARTY NETWORK SITE - A network protection service for providing protective assistance to a subscribing host is presented. The network protection service is configured to determine a set of rules for filtering network traffic for a subscribing host. The network protection service is further configured to receive network traffic on behalf of the subscribing host, filter the received network traffic according to the set of rules, and forward a portion of the filtered network traffic to the subscribing host. Still further, the network protection service is configured to analyze the received network traffic via the analysis server, and refine the set of rules for filtering the received network traffic based on the analysis of the received network traffic by the analysis server. | 01-21-2016 |
20160021062 | Attack Defense Processing Method and Protection Device - An attack defense processing method and a protection device. The attack defense processing method includes: receiving, by the protection device, a first packet; if it is determined that the first packet is an Internet Control Message Protocol version 6 (ICMPv6) Packet Too Big packet, parsing the first packet to obtain an internet protocol (IP) address of a source node, an IP address of a destination node, and a Maximum Transmission Unit (MTU) value that are carried in the first packet; determining a range of valid MTUs on a path between the source node and the destination node according to the IP address of the source node and the IP address of the destination node; and performing attack defense processing for the first packet when it is determined that the MTU value does not belong to the range of the valid MTUs. | 01-21-2016 |
20160028691 | SYSTEM FOR AND METHOD OF SECURING A NETWORK UTILIZING CREDENTIALS - A system for and method of securing a network are described herein. A receiving device listens for packets with proper credentials. If a transmitting device sends the correct credentials, the receiving device will respond with an acknowledgment and further data is able to be transmitted. However, if the transmitting device does not send a packet with the proper credentials, then the receiving device will drop the packet and not respond. Thus, the transmitting device will be unaware of the presence of the receiving device, in particular when hackers are using scanning software to locate target devices. | 01-28-2016 |
20160028760 | POLYMORPHIC SECURITY POLICY ACTION - In one embodiment, a method of improving the security of a computing device comprises: using a computing device that has received one or more messages determined to be unauthorized, obtaining a plurality of state data values from one or more of the computing device, the one or more messages, and a second computer; before admitting the one or more messages to a data communications network that the computing device is configured to protect, using the computing device and pseudo-random selection logic to pseudo-randomly select, based on the state data values, a particular policy action from among a plurality of different stored policy actions; and using the computing device to act upon the one or more messages using the particular policy action; wherein the method is performed using one or more computing devices. | 01-28-2016 |
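One way to realise the pseudo-random selection in the abstract above, as an added example that is not part of the original listing or the patent's code: the state data values are serialised canonically, keyed with a secret through HMAC-SHA256, and the digest picks one action from a weighted list. The action set, the weights, the particular state fields and the secret key are all assumptions; the abstract names none of them. Keying the choice is the point of the design: the defender can reproduce the decision for a given state, while the sender of the unauthorized message cannot predict which response it will meet.

```python
"""Keyed pseudo-random choice of a policy action from state data gathered
about an unauthorized message. Added example, not the patent's code; the
actions, weights and state fields below are assumed."""
import hashlib
import hmac
import json

POLICY_ACTIONS = {            # action name -> relative weight (assumed)
    "drop": 4,
    "tarpit": 2,
    "tcp_reset": 2,
    "redirect_to_decoy": 1,
    "allow_and_log": 1,
}


def select_policy_action(secret, state, actions=POLICY_ACTIONS):
    """Deterministic for (secret, state), uniform-by-weight across states."""
    material = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    digest = hmac.new(secret, material, hashlib.sha256).digest()
    r = int.from_bytes(digest[:8], "big") % sum(actions.values())
    for name, weight in actions.items():     # insertion order is stable
        if r < weight:
            return name
        r -= weight
    raise AssertionError("unreachable: r < total by construction")


def gather_state(message, local_counters, peer_report, now):
    """State from the device itself, the message, and a second computer
    (peer_report), as the claim enumerates. Field names are assumed."""
    return {
        "src": message["src"],
        "dst_port": message["dst_port"],
        "seen_from_src": local_counters.get(message["src"], 0),
        "minute": int(now) // 60,
        "peer_bad_score": peer_report.get(message["src"], 0),
    }


def act_on(message, secret, local_counters, peer_report, now):
    """Pick and return the action for one unauthorized message, recording
    that the source was seen so the next decision draws on fresh state."""
    state = gather_state(message, local_counters, peer_report, now)
    action = select_policy_action(secret, state)
    local_counters[message["src"]] = local_counters.get(message["src"], 0) + 1
    return action


if __name__ == "__main__":
    secret = b"device-local-secret"          # assumed
    counters, peer = {}, {"198.51.100.7": 2}
    msg = {"src": "198.51.100.7", "dst_port": 22}   # constructed sample
    for t in range(5):
        print(act_on(msg, secret, counters, peer, 1_700_000_000 + 60 * t))
```

Because the local counter changes with every message, repeated probes from the same source meet a different mix of responses even within one minute, which is what makes fingerprinting the device's policy from the outside hard.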
20160072816 | SYSTEM AND METHOD FOR PROVIDING AN INTEGRATED FIREWALL FOR SECURE NETWORK COMMUNICATION IN A MULTI-TENANT ENVIRONMENT - An integrated firewall provides security in a multi-tenant environment having a connection-based switched fabric that directly connects database servers, which provide a plurality of database services, with application servers hosting database service consumers, each having a different database service consumer identity. The firewall functionality integrated into each database server provides access control by discarding communication packets which do not include a database service consumer identity and by using the database service consumer identity in combination with an access control list to control access from the database service consumers to the database services. The access control includes address resolution access control, connection establishment access control, and data exchange access control based on said access control list. The integrated firewall enables direct connection of database servers and application servers via an InfiniBand network without requiring a separate intermediary firewall appliance or security node. | 03-10-2016 |
20160080323 | SYSTEM AND METHOD FOR CREATING A TRUSTED CLOUD SECURITY ARCHITECTURE - The present invention provides a computer-implemented method and system for creating a trusted cloud security architecture, having the following steps: a primary agent communicating with two or more secondary agents to create a trust ring or other shape of agent communications, the primary agent operating on a primary guest OS and the two or more secondary agents operating on two or more secondary guest OSs; implementing a latency-based topology for the trust ring having a network of links between disparate IP addresses, the disparate IP addresses corresponding to the primary agent and the two or more secondary agents; the primary agent and the two or more secondary agents exchanging data packets over the latency-based topology within the trust ring; and outputting the exchanged data packets to a processing engine, the processing engine determining a trust status for the trust ring based on the data packets exchanged over the latency-based topology. | 03-17-2016 |
20160094516 | HIGH AVAILABILITY SECURITY DEVICE - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for processing a first plurality of packets using one or more processors and maintaining one or more flow records associated with the first plurality of packets, and processing a second plurality of packets without maintaining flow records associated with the second plurality of packets and allowing the second plurality of packets to pass to one or more destinations. | 03-31-2016 |
20160094518 | METHOD TO ENABLE DEEP PACKET INSPECTION (DPI) IN OPENFLOW-BASED SOFTWARE DEFINED NETWORK (SDN) - The present invention relates to a method and system for performing deep packet inspection of messages transmitted through a network switch in a Software Defined Network (SDN). Embodiments of the invention include a network switch, a controller, and a firewall in a software defined networking environment. In the present invention, the network switch is a simple network switch that is physically separate from the controller and the firewall. The invention may include a plurality of physically distinct network switches communicating with one or more controllers and firewalls. In certain instances, communications between the network switch, the controller, and the firewall are performed using the OpenFlow standard communication protocol. | 03-31-2016 |
20160094519 | DIRECT CACHE ACCESS FOR NETWORK INPUT/OUTPUT DEVICES - Methods and systems for improving efficiency of direct cache access (DCA) are provided. According to one embodiment, a set of DCA control settings is defined by a network I/O device of a network security device for each of multiple I/O device queues based on the network security functionality performed by the corresponding CPUs of a host processor. The control settings specify the portions of network packets that are to be copied to the cache of the corresponding CPU. A packet is received by the network I/O device. Information associated with the packet is queued onto an I/O device queue. The information is then transferred from the I/O device queue to a host memory of the network security device. Based on the control settings for the I/O device queue, only those portions of the information corresponding to the one or more specified portions are copied to the cache of the corresponding CPU. | 03-31-2016 |
20160099942 | DATA LEAK PROTECTION - Methods and systems for Data Leak Prevention (DLP) in an enterprise network are provided. According to one embodiment, a data leak protection method is provided. Information regarding a watermark filtering rule is received by a network security device. The information includes a sensitivity level and an action to be applied to files observed by the network security device that match the watermark filtering rule. A file attempted to be passed through the network security device is received by the network security device. A watermark embedded within the received file is detected by the network security device. The sensitivity level associated with the watermark is compared by the network security device to the sensitivity level of the watermark filtering rule. When the comparison results in a match, the action specified by the watermark filtering rule is performed by the network security device. | 04-07-2016 |
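The detect-compare-act sequence in the abstract above, as an added example that is not part of the original listing or of the patent's implementation. The watermark format is an assumption, since the abstract fixes none: the text token [[WM:LEVEL:8-hex-id]] embedded anywhere in the file bytes, with levels ordered as in LEVELS. Taking the highest level when a file carries several watermarks is a defensive choice beyond the abstract. The rule set and sample files are constructed inline.

```python
"""Watermark-driven DLP decision for a file crossing a network security device.
Added example, not the patent's code. Assumed watermark token:
[[WM:<LEVEL>:<8 hex digits>]] somewhere in the file bytes."""
import re

LEVELS = ("PUBLIC", "INTERNAL", "CONFIDENTIAL", "RESTRICTED")   # assumed ordering
WATERMARK_RE = re.compile(
    rb"\[\[WM:(PUBLIC|INTERNAL|CONFIDENTIAL|RESTRICTED):([0-9a-f]{8})\]\]")


def detect_watermarks(data):
    """All (level, document id) watermarks found in the raw file bytes."""
    return [(m.group(1).decode(), m.group(2).decode())
            for m in WATERMARK_RE.finditer(data)]


def effective_level(marks):
    """Highest sensitivity among the watermarks found, or None if none."""
    return max((level for level, _ in marks), key=LEVELS.index) if marks else None


def apply_filtering_rules(data, rules, default_action="allow"):
    """rules: list of {"sensitivity": LEVEL, "action": str}; the first rule
    whose sensitivity matches the file's level wins. Returns
    (action, level, watermark ids seen). Unwatermarked files and levels with
    no rule get the default action."""
    marks = detect_watermarks(data)
    level = effective_level(marks)
    ids = [doc_id for _, doc_id in marks]
    if level is None:
        return default_action, None, ids
    for rule in rules:
        if rule["sensitivity"] == level:
            return rule["action"], level, ids
    return default_action, level, ids


RULES = [                                   # assumed rule set, most sensitive first
    {"sensitivity": "RESTRICTED", "action": "block"},
    {"sensitivity": "CONFIDENTIAL", "action": "block"},
    {"sensitivity": "INTERNAL", "action": "log"},
]

SAMPLE_FILES = {                            # constructed samples
    "memo.txt": b"Quarterly numbers attached.\n[[WM:CONFIDENTIAL:3fa9c012]]\n",
    "press.html": b"<html><body>Public announcement</body></html>",
    "mixed.csv": b"a,b\n[[WM:INTERNAL:0000ab12]]\n1,2\n[[WM:RESTRICTED:ffee0011]]\n",
    "notes.md": b"# team notes [[WM:INTERNAL:12345678]]\n",
    "flyer.pdf": b"%PDF-1.4 [[WM:PUBLIC:deadbeef]]",
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        action, level, ids = apply_filtering_rules(data, RULES)
        print(f"{name:12s} level={level!s:13s} action={action:6s} ids={ids}")
```

Two caveats a deployment has to handle: the pattern only fires on files the device can see in the clear, so compressed, encrypted or base64-wrapped transfers need decoding first, and a plain text token can be stripped by an insider, which is why real watermarking schemes bind the mark to the document content rather than just embedding a label.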
20160127401 | CAPTURE TRIGGERS FOR CAPTURING NETWORK DATA - The disclosed embodiments provide a system that facilitates the processing of network data. During operation, the system provides a risk-identification mechanism for identifying a security risk from time-series event data generated from network packets captured by one or more remote capture agents distributed across a network. Next, the system provides a capture trigger for generating additional time-series event data from the network packets on the one or more remote capture agents based on the security risk, wherein the additional time-series event data includes one or more event attributes. | 05-05-2016 |
20160134589 | MEDIA ACCESS CONTROL ADDRESS TRANSLATION IN VIRTUALIZED ENVIRONMENTS - A method and a network device are provided to transmit network packets through a network security device. The method, performed by the network device, receives a request to send a network packet from a first computing device to a second computing device over a network that includes the network device and the network security device. The network packet includes a first network interface identifier for identifying the first computing device and a second network interface identifier for identifying the second computing device. The method identifies third and fourth network interface identifiers that cause the network packet to be transmitted through the network security device. The method transmits the network packet over the network through the network security device using the third and fourth network interface identifiers. The method transmits the network packet to the second computing device using the first and second network interface identifiers. | 05-12-2016 |
20160149861 | Firewall with Application Packet Classifier - An improved system for establishing rules in a firewall for an industrial network is disclosed. Rules are established at an application level, identifying, for example, actions to occur between two devices. The action may be, for example, read data table or get attribute, and each action may require multiple message packets to be transmitted between the two devices in order to complete. A network device executing the firewall is configured to receive message packets from a sending device and to inspect the message packets to determine which action the sending device is requesting to perform. If the action corresponds to a rule in the database, the network device manages communications between the two devices until all message packets have been transmitted. Thus, a single action, or application, may be defined in the rules database to permit multiple data packets to be communicated between the devices. | 05-26-2016 |
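The stateful behaviour the abstract above describes, as an added example that is not part of the original listing or of the patent's own code: a rule permits an application-level action between two devices, and once the first packet of that action matches, every packet of the exchange passes in both directions until the final packet closes it. Packets are assumed to be already parsed into dicts with src, dst, a transaction id, a stage (request, continue or final) and, on the request, the action name; the abstract fixes no protocol, so the field names, the action names and the sample trace are assumptions.

```python
"""Application-level rule firewall for an industrial network: one rule admits a
whole multi-packet action. Added example, not the patent's code; packet
fields and the sample trace are assumed."""


class ApplicationRuleFirewall:
    def __init__(self, rules):
        self.rules = set(rules)     # (requesting device, responding device, action)
        self.open = {}              # (frozenset{dev_a, dev_b}, txn) -> action in progress

    def filter(self, pkt):
        """Return 'permit' or 'deny' for one parsed message packet."""
        key = (frozenset((pkt["src"], pkt["dst"])), pkt["txn"])
        stage = pkt.get("stage")
        if key in self.open:
            # Every packet of an admitted action passes, in either direction,
            # until the final packet completes it and the session is closed.
            if stage == "final":
                del self.open[key]
            return "permit"
        if stage == "request" and (pkt["src"], pkt["dst"], pkt.get("action")) in self.rules:
            self.open[key] = pkt["action"]
            return "permit"
        return "deny"               # no rule, or a continuation with no open action


def run_trace(fw, packets):
    """Decisions for a sequence of packets, in order."""
    return [fw.filter(p) for p in packets]


RULES = [("hmi", "plc1", "read_data_table"), ("hmi", "plc1", "get_attribute")]

SAMPLE_TRACE = [     # constructed: one permitted read, then three things that must fail
    {"src": "hmi", "dst": "plc1", "txn": 7, "stage": "request", "action": "read_data_table"},
    {"src": "plc1", "dst": "hmi", "txn": 7, "stage": "continue"},
    {"src": "plc1", "dst": "hmi", "txn": 7, "stage": "continue"},
    {"src": "plc1", "dst": "hmi", "txn": 7, "stage": "final"},
    {"src": "plc1", "dst": "hmi", "txn": 7, "stage": "continue"},    # action already complete
    {"src": "hmi", "dst": "plc1", "txn": 8, "stage": "request", "action": "write_data_table"},
    {"src": "eng", "dst": "plc1", "txn": 9, "stage": "request", "action": "read_data_table"},
]

if __name__ == "__main__":
    for pkt, decision in zip(SAMPLE_TRACE, run_trace(ApplicationRuleFirewall(RULES), SAMPLE_TRACE)):
        print(f"{decision:6s} {pkt}")
```

The session key is deliberately direction-agnostic so the responder's packets pass, but that also means anything claiming the same device pair and transaction id rides along; a deployment should bind the session to transport-level identity (ports, sequence numbers) and expire sessions whose final packet never arrives.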
20160156591 | CONTEXT-AWARE DISTRIBUTED FIREWALL | 06-02-2016 |
20160164833 | METHOD AND APPARATUS FOR BEST EFFORT PROPAGATION OF SECURITY GROUP INFORMATION - A method and system for best effort propagation of security group information is disclosed. The method includes determining if a reserved group identifier is associated with a destination and, if the reserved group identifier is associated with the destination, indicating that a packet received at a network node can be sent to another network node. The packet includes destination information that identifies the destination as a destination of the packet. | 06-09-2016 |
20160164834 | EXAMINING AND CONTROLLING IPv6 EXTENSION HEADERS - Methods and systems for selectively blocking, allowing and/or reformatting IPv6 headers by traversing devices are provided. According to one embodiment, reputation information regarding observed senders of Internet Protocol (IP) version 6 (IPv6) packets and packet fragments is maintained by a traversing device based on conformity or nonconformity of extension headers contained within the IPv6 packets with respect to a set of security checks performed by the traversing device. When an IPv6 packet or packet fragment is received from a source IP address that the reputation information associates with one or more nonconformity issues, the traversing device drops, rate limits or quarantines the IPv6 packet or packet fragment. | 06-09-2016 |
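The two halves of the abstract above, as an added example that is not part of the original listing or of the patent's own code: a walker that runs security checks over an IPv6 extension-header chain, and a per-sender reputation that turns past nonconformity into a forward, rate-limit or quarantine decision for later packets. The particular checks are assumptions chosen to follow published RFC rules rather than anything the abstract specifies: Hop-by-Hop must be the first extension header (RFC 8200), Routing Header type 0 is deprecated (RFC 5095), a first fragment must carry the whole header chain through the upper-layer header (RFC 7112), no header may repeat except up to two Destination Options, and the chain length is bounded. Thresholds, addresses and the sample packets are constructed inline.

```python
"""IPv6 extension-header security checks plus sender reputation.
Added example, not the patent's code; checks, thresholds and samples assumed."""
import ipaddress
import struct
from collections import defaultdict

HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, NO_NEXT, DEST_OPTS = 0, 43, 44, 50, 51, 59, 60
WALKABLE = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS}   # ESP hides what follows it
UPPER_LAYER = {6, 17, 58}                                   # TCP, UDP, ICMPv6
MAX_CHAIN = 8                                               # assumed bound


def check_extension_headers(buf):
    """Walk one packet's header chain; return (source address, list of issues)."""
    issues = []
    if len(buf) < 40 or buf[0] >> 4 != 6:
        return None, ["not-ipv6"]
    src = ipaddress.IPv6Address(buf[8:24])
    nh, off, position, first_fragment = buf[6], 40, 0, False
    seen = defaultdict(int)
    while nh in WALKABLE:
        position += 1
        seen[nh] += 1
        if position > MAX_CHAIN:
            issues.append("chain-too-long")
            break
        if off + 8 > len(buf):
            issues.append("truncated-chain")
            break
        if nh == HOP_BY_HOP and position != 1:
            issues.append("hop-by-hop-not-first")          # RFC 8200 section 4.1
        if seen[nh] > (2 if nh == DEST_OPTS else 1):
            issues.append("repeated-header-%d" % nh)
        next_nh, ext_len = buf[off], buf[off + 1]
        if nh == FRAGMENT:
            hdr_len = 8
            frag = struct.unpack("!H", buf[off + 2:off + 4])[0]
            if frag >> 3:                 # non-first fragment: payload, not headers, follows
                break
            first_fragment = bool(frag & 1)
        elif nh == ROUTING:
            hdr_len = (ext_len + 1) * 8
            if buf[off + 2] == 0:
                issues.append("routing-header-type-0")     # RFC 5095
        elif nh == AH:
            hdr_len = (ext_len + 2) * 4
        else:                             # Hop-by-Hop / Destination Options
            hdr_len = (ext_len + 1) * 8
        off += hdr_len
        nh = next_nh
        if off > len(buf):
            issues.append("truncated-chain")
            break
    else:  # stopped at a header we do not walk: upper layer, ESP or No Next Header
        if nh not in UPPER_LAYER and nh not in (ESP, NO_NEXT):
            issues.append("unknown-next-header-%d" % nh)
        if first_fragment and nh == NO_NEXT:
            issues.append("first-fragment-without-upper-layer")   # RFC 7112
    return src, issues


class HeaderReputation:
    """Count nonconformity per sender and pick an action for later packets."""
    def __init__(self, rate_limit_after=1, quarantine_after=3):
        self.bad = defaultdict(int)
        self.rate_limit_after, self.quarantine_after = rate_limit_after, quarantine_after

    def process(self, buf):
        src, issues = check_extension_headers(buf)
        if issues:
            if src is not None:
                self.bad[src] += 1
            return "drop", issues
        prior = self.bad[src]
        if prior >= self.quarantine_after:
            return "quarantine", ["reputation:%d" % prior]
        if prior >= self.rate_limit_after:
            return "rate-limit", ["reputation:%d" % prior]
        return "forward", []


def ipv6(src, dst, next_header, payload):
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + src.packed + dst.packed + payload


def opts(next_header):   # 8-byte Hop-by-Hop / Destination Options header holding one PadN option
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])


GOOD, BAD, DST = (ipaddress.IPv6Address(a) for a in ("2001:db8::10", "2001:db8::666", "2001:db8:1::1"))
TCP = b"\x00" * 20
SAMPLES = {                                                  # constructed packets
    "plain_tcp": ipv6(GOOD, DST, 6, TCP),
    "hbh_first": ipv6(GOOD, DST, HOP_BY_HOP, opts(6) + TCP),
    "hbh_late": ipv6(BAD, DST, DEST_OPTS, opts(HOP_BY_HOP) + opts(6) + TCP),
    "rh0": ipv6(BAD, DST, ROUTING, bytes([6, 0, 0, 0, 0, 0, 0, 0]) + TCP),
    "tiny_first_fragment": ipv6(BAD, DST, FRAGMENT, struct.pack("!BBHI", NO_NEXT, 0, 1, 0x1234)),
    "bad_sender_plain": ipv6(BAD, DST, 6, TCP),
}

if __name__ == "__main__":
    rep = HeaderReputation()
    for name in ("plain_tcp", "hbh_first", "hbh_late", "rh0", "bad_sender_plain",
                 "tiny_first_fragment", "bad_sender_plain"):
        print(name, rep.process(SAMPLES[name]))
```

Note what the last two lines of the demo show: a perfectly conforming packet from a sender with a bad history is rate limited and then quarantined, which is the reputation half of the abstract; the packet's own headers are not the only input to the decision.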
20160164845 | IMPLEMENTING NETWORK COMMUNICATION - When a node device receives a packet transmitted from a device connected to the node device, the node device looks up the public network address of the next hop in a first table according to the private address of the next hop, looks up an IPsec security association (SA) in a second table according to the public network address found, performs IPsec encapsulation of the received packet using the IPsec SA corresponding to that public network address, and transmits the packet. | 06-09-2016 |
20160173451 | Dynamic Denial of Service Protection | 06-16-2016 |
20160173529 | CONTROLLED RESOURCE ACCESS TO MITIGATE ECONOMIC DENIAL OF SUSTAINABILITY ATTACKS AGAINST CLOUD INFRASTRUCTURES | 06-16-2016 |
20160182450 | LOAD BALANCING IN A NETWORK WITH SESSION INFORMATION | 06-23-2016 |
20160182452 | SYSTEMS AND METHODS OF GEO-LOCATION BASED COMMUNITY OF INTEREST | 06-23-2016 |
20160182453 | Anti-Replay Method and Apparatus | 06-23-2016 |
20160205072 | METHOD AND SYSTEM FOR ANALYZING A DATA FLOW | 07-14-2016 |
20160380971 | REAL-TIME AGREEMENT ANALYSIS - Techniques for informing a user about an agreement, including its terms and the trustworthiness of its data source, are described herein. In some examples, a processor receives agreement document data while the data is en route to a client device. A system receives the network sources and the content data of the agreement document. The network sources are processed by the processor with traffic analytics, and the content data is processed with text analytics. The output of these analytics is used to generate an agreement risk event for delivery to the client device together with the original agreement document data. | 12-29-2016 |
20170237710 | METHOD AND SYSTEM OF A CLOUD-BASED MULTIPATH ROUTING PROTOCOL | 08-17-2017 |
20170237758 | Packet Transmission Method and Apparatus | 08-17-2017 |
20220141181 | ENFORCEMENT OF INTER-SEGMENT TRAFFIC POLICIES BY NETWORK FABRIC CONTROL PLANE - This disclosure describes techniques to operate a control plane in a network fabric. The techniques include determining a stateless rule corresponding to communication between a first segment of the network fabric and a second segment of the network fabric. The techniques further include configuring the control plane to enforce the stateless rule. | 05-05-2022 |