Patent application number | Description | Published |
20100192225 | EFFICIENT APPLICATION IDENTIFICATION WITH NETWORK DEVICES - In general, techniques are described for efficiently implementing application identification within network devices. In particular, a network device includes a control unit that stores data defining a group Deterministic Finite Automata (DFA) and an individual DFA. The group DFA is formed by merging non-explosive DFAs generated from corresponding non-explosive regular expressions (regexs) and fingerprint DFAs (f-DFAs) generated from signature fingerprints extracted from explosive regexs. The non-explosive regexs comprise regexs determined not to cause state explosion during generation of the group DFA, the signature fingerprints comprise segments of explosive regexs that uniquely identifies the explosive regexs, and the explosive regexs comprise regexs determined to cause state explosion during generation of the group DFA. The network device includes an interface that receives a packet and the control unit traverses first the group DFA and then, in some instances, the individual DFAs to more efficiently identify network applications to which packets correspond. | 07-29-2010 |
20100281539 | DETECTING MALICIOUS NETWORK SOFTWARE AGENTS - This disclosure describes techniques for determining whether a network session originates from an automated software agent. In one example, a network device, such as a router, includes a network interface to receive packets of a network session, a bot detection module to calculate a plurality of scores for network session data based on a plurality of metrics, wherein each of the metrics corresponds to a characteristic of a network session originated by an automated software agent, to produce an aggregate score from an aggregate of the plurality of scores, and to determine that the network session is originated by an automated software agent when the aggregate score exceeds a threshold, and an attack detection module to perform a programmed response when the network session is determined to be originated by an automated software agent. Each score represents a likelihood that the network session is originated by an automated software agent. | 11-04-2010 |
20110055921 | PROTECTING AGAINST DISTRIBUTED NETWORK FLOOD ATTACKS - A network security device performs a three-stage analysis of traffic to identify malicious clients. In one example, a device includes an attack detection module to, during a first stage, monitor network connections to a protected network device, during a second stage, to monitor a plurality of types of transactions for the plurality of network sessions when a parameter for the connections exceeds a connection threshold, and during a third stage, to monitor communications associated with network addresses from which transactions of the at least one of type of transactions originate when a parameter associated with the at least one type of transactions exceeds a transaction-type threshold. The device executes a programmed action with respect to at least one of the network addresses when the transactions of the at least one of the plurality of types of transactions originating from the at least one network address exceeds a client-transaction threshold. | 03-03-2011 |
20140096229 | VIRTUAL HONEYPOT - A virtual honeypot is configured within a security appliance by configuring one or more network addresses associated with the virtual honeypot. The security appliance receives network traffic destined for the virtual honeypot sent to the one or more network addresses associated with the virtual honeypot, and forwards the traffic to a remote honeypot such that the remote honeypot appears to be connected to a network local to the security appliance. | 04-03-2014 |
20140283061 | ATTACK DETECTION AND PREVENTION USING GLOBAL DEVICE FINGERPRINTING - This disclosure describes a global attacker database that utilizes device fingerprinting to uniquely identify devices. For example, a device includes one or more processors and network interface cards to receive network traffic directed to one or more computing devices protected by the device, send, to the remote device, a request for data points of the remote device, wherein the data points include characteristics associated with the remote device, and receive at least a portion of the requested data points. The device also includes a fingerprint module to compare the received portion of the data points to sets of data points associated with known attacker devices, and determine, based on the comparison, whether a first set of data points of a first known attacker device satisfies a similarity threshold. The device also includes an security module to selectively manage, based on the determination, additional network traffic directed to the computing devices. | 09-18-2014 |
20150106935 | DETECTING MALICIOUS NETWORK SOFTWARE AGENTS - This disclosure describes techniques for determining whether a network session originates from an automated software agent. In one example, a network device, such as a router, includes a network interface to receive packets of a network session, a bot detection module to calculate a plurality of scores for network session data based on a plurality of metrics, wherein each of the metrics corresponds to a characteristic of a network session originated by an automated software agent, to produce an aggregate score from an aggregate of the plurality of scores, and to determine that the network session is originated by an automated software agent when the aggregate score exceeds a threshold, and an attack detection module to perform a programmed response when the network session is determined to be originated by an automated software agent. Each score represents a likelihood that the network session is originated by an automated software agent. | 04-16-2015 |
20150121529 | DYNAMIC SERVICE HANDLING USING A HONEYPOT - A network device comprises one or more processors coupled to a memory, and a dynamic services module configured for execution by the one or more processors to receive, from a client device, a service request specifying a service. The dynamic service module is further configured for execution by the one or more processors to, in response to obtaining a negative indication for the service, send a representation of the service request to a honeypot to cause the honeypot to offer the service to the client device. | 04-30-2015 |
20150237068 | TARGETED ATTACK PROTECTION USING PREDICTIVE SANDBOXING - Provided herein are systems and methods for targeted attack protection using predictive sandboxing. In exemplary embodiments, a method includes retrieving a URL from a message of a user and performing a preliminary determination to see if the URL can be discarded if it is not a candidate for sandboxing. The exemplary method includes computing a plurality of selection criteria factors for the URL if the URL passes the preliminary determination, each selection criteria factor having a respective factor threshold. The method can further include determining if any of the selection criteria factors for the URL exceeds the respective factor threshold for the respective selection criteria factor. Based on the determining, if any of the selection criteria factors exceeds the factor threshold for the selection criteria factor, the exemplary method automatically processes the URL using a sandbox. | 08-20-2015 |