Blue Coat Systems Inc. patent applications
Patent application number | Title and abstract | Published |
--- | --- | --- |
20160127906 | Mobile Application Identification and Control through WiFi Access Points - A network access point secures a WiFi network, and acts as a picocell, by identifying applications running on computer-based devices, such as mobile phones, tablet computers, and the like, that seek to access the Internet (or another network) via the access point and applying network access policies to data communications by those applications according to application, location, context, device and/or user characteristics. | 05-05-2016 |
20140273950 | Mobile Application Identification and Control through WiFi Access Points - A network access point secures a WiFi network, and acts as a picocell, by identifying applications running on computer-based devices, such as mobile phones, tablet computers, and the like, that seek to access the Internet (or another network) via the access point and applying network access policies to data communications by those applications according to application, location, context, device and/or user characteristics. | 09-18-2014 |
20140198982 | SYSTEM AND METHOD FOR RECOGNIZING OFFENSIVE IMAGES - According to one aspect, a method for categorizing at least one image includes obtaining the at least one image and mapping the at least one image to at least a first grid. The first grid is a two-dimensional grid that includes a plurality of cells. The method also includes categorizing the first grid, wherein categorizing the first grid includes determining whether the first grid is indicative of an offensive characteristic, and identifying the at least one image as offensive when it is determined that the first grid is indicative of the offensive characteristic. When it is determined that the first grid is not indicative of the offensive characteristic, the at least one image is identified as not offensive. | 07-17-2014 |
20140095865 | EXCHANGE OF DIGITAL CERTIFICATES IN A CLIENT-PROXY-SERVER NETWORK CONFIGURATION - Various techniques are described to authenticate the identity of a proxy in a client-proxy-server configuration. The configuration may have a client-side and a server-side SSL session. In the server-side session, if the proxy has access to the private keys of the client, the proxy may select a client certificate from a collection of client certificates and send the selected certificate to the server to satisfy a client authentication request of the server. If the proxy does not have access to the private keys, the proxy may instead send an emulated client certificate to the server. Further, the client certificate received from the client may be embedded within the emulated client certificate so as to allow the server to directly authenticate the client, in addition to the proxy. An emulated client certificate chain may be formed instead of an emulated client certificate. Similar techniques may be applied to the client-side session. | 04-03-2014 |
20130179551 | Split-Domain Name Service - In one embodiment, a method includes receiving an address of a DNS server of a network. A secure communication tunnel is established with a client of the network. The client is notified that requests to the address of the DNS server of the network should not pass through the secure communication tunnel. A request for a DNS lookup of a name of a host of the network is received through the secure communication tunnel. A DNS referral that includes the address of the DNS server of the network is sent to the client. | 07-11-2013 |
20130133032 | System and Method for Capturing Network Traffic - In certain embodiments, a method includes receiving, by a capture device, traffic flows transmitted by a plurality of client devices, each of the traffic flows being associated with one of the plurality of client devices and comprising encrypted data. The method further includes receiving, by the capture device, flow information communicated from a proxy server communicatively coupled to the capture device, the flow information comprising an identification of a particular traffic flow and a session key associated with the particular traffic flow. The method further includes storing, by the capture device, encrypted data of the particular traffic flow identified by the flow information supplied by the proxy server; storing, by the capture device, the session key associated with the particular traffic flow; and discarding, by the capture device, any of the plurality of received traffic flows not identified in the flow information received from the proxy server. | 05-23-2013 |
20130103834 | Multi-Tenant NATting for Segregating Traffic Through a Cloud Service - An apparatus, system, and method for segregating customer traffic through a cloud service are disclosed. The apparatus, system, and method perform network address translation (NAT) on first data packets received from a subnet to translate a first private network IP address into a second private network IP address, perform network address and port translation (NAPT) on the first data packets to translate the second private network IP address into a second public network IP address before sending the first data packets to a remote host, perform NAPT on second data packets received from the remote host to translate the second public network IP address back into the second private network IP address, and perform NAT on the second data packets to translate the second private network IP address back into the first private network IP address before sending the second data packets to the subnet. | 04-25-2013 |
20130080611 | Managing Network Content - In one embodiment, downloading one or more content items; determining which ones of the one or more content items are popular among a plurality of users; categorizing the one or more content items into one or more groups, wherein each group comprises one or more related content items; associating one or more keywords with each group, wherein the one or more keywords describe content of the one or more related content items in the corresponding group; and caching the one or more content items categorized into the one or more groups and the one or more keywords associated with each group. | 03-28-2013 |
20120284416 | Establishing Tunnels Between Selective Endpoint Devices Along Communication Paths - In one embodiment, an intermediary device situated along a communication path between two endpoint devices may receive communication packets sent along the communication path. If the intermediary device receives a connection-initiating packet having a customization indicator and a connection-acknowledgement packet having a customization indicator, then the intermediary device may install a bypass rule. | 11-08-2012 |
20120271964 | Load Balancing for Network Devices - In one embodiment, an electronic device receives a request; obtains a current state from each of a plurality of electronic devices; and selects one of the plurality of electronic devices to service the request based on the current state of each of the plurality of electronic devices. The current state of each of the plurality of electronic devices is one of a plurality of states in a state model. Each of the plurality of states in the state model indicates a discrete level of workload for the plurality of electronic devices. | 10-25-2012 |
20120198441 | Bypass Mechanism for Virtual Computing Infrastructures - In accordance with one embodiment of the present disclosure, a system includes one or more computer systems including a memory, one or more processors, and a bypass switch with an open position and a closed position. The one or more computer systems further include computer-executable program code. The computer-executable program code includes one or more virtual machine modules including computer-executable instructions configured, when executed, to cause the one or more processors to implement one or more virtual machines that host one or more guest operating systems and one or more applications. The computer-executable program code further includes a virtual bypass switch module including computer-executable instructions configured, when executed, to cause the one or more processors to, responsive to the availability of the one or more applications, forward packets received on a first physical network interface to at least one of the one or more virtual machines. | 08-02-2012 |
20120198050 | SYSTEM AND METHOD FOR DISTRIBUTED DATA COLLECTION AND HEURISTIC REFINEMENT IN A NETWORK INTERMEDIARY DEVICE - Data useful in analyzing the effectiveness of policies for handling transactions involving client communications is automatically collected at network intermediary devices and delivered to an analysis server as part of feedback communications from the network intermediary devices. The data may be collected according to data collection directives distributed to the network intermediary devices along with updates to policies for handling transactions, those updates being configured to alter actions of the network intermediary devices, for example to accommodate changes in behaviors of content servers from which the network intermediary devices obtain content in connection with the client communications. | 08-02-2012 |
20120198038 | SYSTEM AND METHOD FOR DISTRIBUTING HEURISTICS TO NETWORK INTERMEDIARY DEVICES - A policy distribution server provides, on a subscription basis, policy updates to effect desired behaviors of network intermediary devices. The policy updates may specify caching policies, and may in some instances, include instructions for data collection by the network intermediary devices. Data collected in accordance with such instructions may be used to inform future policy updates distributed to the network intermediary devices. | 08-02-2012 |
20120079101 | Behavioral Classification of Network Data Flows - Methods, apparatuses and systems facilitating enhanced classification of network traffic based on observed flow-based and/or host-based behaviors. | 03-29-2012 |
20110242979 | Enhanced Random Early Discard for Networked Devices - Methods, apparatuses and systems directed to enhanced random early discard mechanisms implemented in various networked devices including end-systems such as servers and intermediate systems such as gateways and routers. In one implementation, the present invention enables a random early discard mechanism that intelligently biases the drop probabilities of select packets based on one or more application-aware and/or flow-aware metrics or state conditions. | 10-06-2011 |
20110182291 | Facilitating Transition of Network Operations from IP Version 4 to IP Version 6 - Methods, apparatuses and systems directed to facilitating transitions from IPv4 to IPv6 networks. In particular implementations, the invention facilitates or enables accessibility of network application services between IPv4 and IPv6 hosts, or traversal of network paths including both IPv6 or IPv4 domains. Particular implementations of the invention are directed to selective mapping of network layer addresses between IPv6 and IPv4 protocols and Domain Name System records under one or more policy controls. Other implementations of the invention are directed to a proxy-to-proxy based tunnel architecture allowing hosts implementing a first network layer protocol, such as IPv4, to traverse a network implementing a second network layer protocol, such as IPv6. | 07-28-2011 |
20100284300 | Classification Techniques for Encrypted Network Traffic - Methods, apparatuses and systems directed to detecting network applications whose data flows have been encrypted. The present invention extends beyond analysis of explicitly presented packet attributes of data flows and holistically analyzes the behavior of host or end systems as expressed in related data flows against a statistical behavioral model to classify the data flows. | 11-11-2010 |
20100281168 | Asymmetric Traffic Flow Detection - Methods, apparatuses and systems directed to detecting, and in some implementations, responding to, asymmetric routing in network deployments. In a particular embodiment, a first process detects asymmetric routing at connection initiation, while a second process can detect asymmetric routing that may arise after connection initiation. | 11-04-2010 |
20100118869 | Facilitating Transition of Network Operations from IP Version 4 to IP Version 6 - Methods, apparatuses and systems directed to facilitating transitions from IPv4 to IPv6 networks. In particular implementations, the invention facilitates or enables accessibility of network application services between IPv4 and IPv6 hosts, or traversal of network paths including both IPv6 or IPv4 domains. Particular implementations of the invention are directed to selective mapping of network layer addresses between IPv6 and IPv4 protocols and Domain Name System records under one or more policy controls. Other implementations of the invention are directed to a proxy-to-proxy based tunnel architecture allowing hosts implementing a first network layer protocol, such as IPv4, to traverse a network implementing a second network layer protocol, such as IPv6. | 05-13-2010 |
20100027544 | LAYER-2 PACKET RETURN IN PROXY-ROUTER COMMUNICATION PROTOCOL ENVIRONMENTS - A Layer 2 packet return mechanism in a proxy, such as a web cache, operatively associated with a redirecting router. In a particular embodiment, the present invention provides a Layer 2 packet return mechanism in a Web Cache Communication Protocol (WCCP) network environment. In one embodiment, the present invention provides an efficient mechanism allowing a proxy or web cache to recognize WCCP redirected packets, forwarded using Layer 2 forwarding mechanisms, and subsequently to return unprocessed packets to the original forwarding WCCP router using a Layer 2 packet return mechanism. | 02-04-2010 |
20090204980 | Method for implementing ejection-safe API interception - A DLL that includes an API hook is injected into the address space of a target computer process called by an application program. Upon termination of the application program, computer-readable instructions describing a process for filtering exceptions returned from the target computer process are stored in memory locations accessible to the target computer process and the DLL is ejected from the address space. | 08-13-2009 |
20080244085 | System and Method of Delaying Connection Acceptance to Support Connection Request Processing at Layer-7 - Techniques for suspending a TCP three-way handshake, offering the partial connection to an L-7 application or module at a proxy to perform further processing, and then allowing the L-7 application or module to instruct the proxy's network kernel to perform various actions are described. In various embodiments these actions may include: silently dropping the connection, verbosely rejecting the connection, accepting and processing the connection locally, or forwarding the connection to another proxy or the original destination. This additional functionality is provided, in one particular embodiment, via extensions to the POSIX socket API. | 10-02-2008 |