

Packet filtering

Subclass of:

726 - Information security

726002000 - ACCESS CONTROL OR AUTHENTICATION

726003000 - Network

726011000 - Firewall


Deeper subclasses:

Entries

Document: 20130031621
Title: METHOD FOR APPLYING A HOST SECURITY SERVICE TO A NETWORK
Date: 01-31-2013
Abstract: A method for applying a host security service to a network is described herein. The network may include a host device and a network device. The network device may receive a request for security-based filtering. The request includes filtering parameters that restrict traffic between the host device and the network device. It is determined whether the filtering parameters conflict with an initial filtering configuration. The filtering parameters may be applied to traffic through the network device.

Document: 20090138959
Title: DEVICE, SYSTEM AND METHOD FOR DROPPING ATTACK MULTIMEDIA PACKET IN THE VoIP SERVICE
Date: 05-28-2009
Abstract: Disclosed is a device for dropping an attack multimedia packet. An object of the invention is to provide a device, a system and a method for dropping an attack multimedia packet, capable of filtering RTP packets received to selectively drop an attack multimedia packet, thereby providing a stable multimedia service. According to the invention, the received RTP packet is filtered to selectively drop an attack multimedia packet, so that it is possible to provide a stable multimedia service.

Document: 20130081131
Title: COMMUNICATION SYSTEM, COMMUNICATION DEVICE, SERVER, AND COMMUNICATION METHOD
Date: 03-28-2013
Abstract: A communication system includes a server that matches a packet against a definition pattern, provided for determining whether the packet is an invalid packet, and discards the packet if the packet is an invalid packet and, for other packets, notifies processing content, which is applied to the packets, to a sending source; and a communication device that forwards an unknown packet to the server and, based on processing content notified from the server, processes a received packet.

Document: 20130042317
Title: FRONTEND SYSTEM AND FRONTEND PROCESSING METHOD
Date: 02-14-2013
Abstract: In a frontend system in which a plurality of relay devices is mixed, the end-to-end performance can be improved and a network can be flexibly established for every policy. Specifically, the L7 (layer 7) processing is unified by providing a Front-End Processor (FEP), which has both a firewall (FW) and a load balancer (LB) recognizing a protocol of the L7 (layer 7) level, near a switch of a gateway to an external network.

Document: 20100043067
Title: SCALABLE SECURITY SERVICES FOR MULTICAST IN A ROUTER HAVING INTEGRATED ZONE-BASED FIREWALL
Date: 02-18-2010
Abstract: A multicast-capable firewall allows firewall security policies to be applied to multicast traffic. The multicast-capable firewall may be integrated within a routing device, thus allowing a single device to provide both routing functionality, including multicast support, as well as firewall services. The routing device provides a user interface by which a user specifies one or more zones to be recognized by the integrated firewall when applying stateful firewall services to multicast packets. The user interface supports a syntax that allows the user to define subsets of the plurality of interfaces associated with the zones, and define a single multicast policy to be applied to multicast sessions associated with a multicast group. The multicast policy identifies common services to be applied pre-replication, and exceptions specifying additional services to be applied post-replication to copies of the multicast packets for the one or more zones.

Document: 20090158419
Title: METHOD AND SYSTEM FOR PROTECTING A COMPUTER SYSTEM DURING BOOT OPERATION
Date: 06-18-2009
Abstract: A method for protecting a computer system from malicious network traffic is provided using a driver which inspects network packets. A security profile comprising packet inspection rules is compiled and stored on the computer system. During the startup or boot operation of an operating system, the driver loads the compiled security profile and inspects network packets using the inspection rules.

Document: 20100333188
Title: Method for protecting networks against hostile attack
Date: 12-30-2010
Abstract: An address-hopping method is provided to enhance security in computer networks. In embodiments, the method is carried out at a network node and includes storing an IP address that is temporarily valid as a destination address for the node; sequentially updating the stored IP address, at least at specified intervals of time, with new values that are each temporarily valid; and conditionally accepting or rejecting incoming packets according to whether there is a match between the destination IP address of the incoming packet and the temporarily valid IP address currently stored in the memory.

Document: 20100107239
Title: METHOD AND NETWORK DEVICE FOR DEFENDING AGAINST ATTACKS OF INVALID PACKETS
Date: 04-29-2010
Abstract: The present invention discloses a method and network device for defending against attacks of invalid packets, pertaining to the communication field. The method includes: receiving, by a network processor, a service feature state table from a service processing layer; receiving, by the network processor, a packet, searching the service feature state table for matching information of the packet and judging whether the packet is valid according to a search result, and if the packet is invalid, discarding the packet. The network device includes a network processor and a service processing module. With the present invention, the network processor judges whether a packet is valid according to a service feature state table and discards invalid packets early according to the judgment so as to avoid the waste of device bandwidth on the invalid packets and increase the anti-attack performance and security performance of the device.

Document: 20100107238
Title: SECURITY MODULE AND METHOD WITHIN AN INFORMATION HANDLING SYSTEM
Date: 04-29-2010
Abstract: A security module and method within an information handling system are disclosed. In a particular form, a processing module can include a local processor configurable to initiate access to resources of a host processing system. The processing module can also include a security module configured to enable use of the resources of the host processing system using a security metric. According to an aspect, the security module can be further configured to detect the security metric, and enable access to a resource of the host processing system in response to the security metric. The security module can further be configured to disable access to another resource of the host processing system in response to the security metric.

Document: 20120185930
Title: DOMAINS BASED SECURITY FOR CLUSTERS
Date: 07-19-2012
Abstract: Domains can be used to secure resources of a cluster. An administrator can configure a node of a cluster as a member of a particular domain. Membership in a cluster can be restricted to nodes that are members of the particular domain. When a node generates a cluster message, a kernel process or operating system process of the node will indicate the domain(s) of the node in the cluster message. The cluster message can be a command message to read or write to a storage resource of the cluster. When the cluster storage resource node or node that controls the storage resource receives the command message, the node will examine the command message to ensure the message indicates a domain that aligns with the cluster. If the proper domain is indicated in the command message, then the command message is processed. Otherwise, the command message is denied.

Document: 20090307766
Title: METHOD AND APPARATUS FOR VERIFYING DATA PACKET INTEGRITY IN A STREAMING DATA CHANNEL
Date: 12-10-2009
Abstract: Disclosed is a method for verifying data packet integrity in a streaming-data channel. In the method, data packets are received from the streaming-data channel. Each data packet includes a data payload and a corresponding message integrity code. The received data packets are processed in a first processing mode, wherein the received data packets are forwarded to an application module before checking the integrity of the data packets using the respective message integrity codes. An integrity-check-failure measurement is generated for monitoring an integrity-check-failure rate in the first processing mode. If the integrity-check-failure measurement exceeds an integrity-check threshold, then the method transitions to a second processing mode. A received data packet is forwarded to the application module in the second processing mode only after passing the integrity check.

Document: 20130061313
Title: ULTRA-LOW POWER SINGLE-CHIP FIREWALL SECURITY DEVICE, SYSTEM AND METHOD
Date: 03-07-2013
Abstract: A firewall security device, system and corresponding method are provided that includes an operating system of an entirely new architecture. The operating system is based fundamentally around a protocol stack (e.g., TCP/IP stack), rather than including a transport/network layer in a conventional core operating system. The firewall security device may include a processor and an operating system (OS) embedded in the processor. The OS may include a kernel. The operating system kernel is a state machine and may include a protocol stack for communicating with one or more devices via a network interface. The OS may be configured to receive and transmit data packets and block unauthorized data packets within one or more layers of the protocol stack based on predetermined firewall policies.

Document: 20120117642
Title: INFORMATION SECURITY PROTECTION HOST
Date: 05-10-2012
Abstract: An information security protection host is provided. The information security protection host comprises a network interface and a virtual machine monitor (VMM) device. The network interface is connected to a computer network and is configured to receive a first packet. The VMM device is configured to run a first operating system, wherein the first operating system provides a first network service. The VMM device is further configured to provide a first operating system information of the first operating system and a first network service information of the first network service instantaneously so as to determine the security of the first packet.

Document: 20130067561
Title: INTELLIGENT INTEGRATED NETWORK SECURITY DEVICE
Date: 03-14-2013
Abstract: Methods, computer program products and apparatus for processing data packets are described. Methods include receiving the data packet, examining the data packet, determining a single flow record associated with the packet and extracting flow instructions for two or more devices from the single flow record.

Document: 20130067560
Title: MULTI-METHOD GATEWAY-BASED NETWORK SECURITY SYSTEMS AND METHODS
Date: 03-14-2013
Abstract: Systems and methods for detecting and preventing network security breaches are described. The systems and methods present a gateway-based packet-forwarding network security solution to not only detect security breaches but also prevent them by directly dropping suspicious packets and connections. The systems and methods employ multiple techniques to detect and prevent network security breaches, including stateful signature detection, traffic signature detection, and protocol anomaly detection.

Document: 20110023109
Title: Network Firewall Host Application Identification and Authentication
Date: 01-27-2011
Abstract: Systems for providing information on network firewall host application identification and authentication include an identifying and transmitting agent on a host computer, configured to identify each application in use, tag the application identity with a host identity, combine these and other information into a data packet, and securely transmit the data packet to the network based firewall. The embodiment also includes an application identity listener on the network based firewall, configured to receive the information data packet, decode the data packet and provide to the network based firewall the identity of the application. The network based firewall is provided with an application-awareness via an extension of firewall filtering or security policy rules via the addition of a new application identity parameter upon which filtering can be based. Other systems and methods are also provided.

Document: 20090249468
Title: Method for establishing distributed filters in a packet-oriented network, based on abstract security defaults
Date: 10-01-2009
Abstract: A method for a packet-oriented network is provided. According to the method, after analysis of the network configuration and the existing network elements, the implementation of predefined security guidelines is automatically mapped onto the options of the different network elements and the distribution of the various security functions in the different network elements is optimized in such a way that the protection target is achieved, no network element receives too many configuration entries and no redundant functions are implemented.

Document: 20120272309
Title: Method and Apparatus for Fast Check and Update of Anti-Replay Window Without Bit-Shifting in Internet Protocol Security
Date: 10-25-2012
Abstract: An apparatus comprising a processor configured to implement an anti-replay check for a plurality of received packets and a plurality of corresponding sequence numbers; and a circular buffer coupled to the processor and comprising a bitmap, wherein the bitmap is slid in a circular manner by updating a low index that points to a first sequence number for a first received packet and a high index that points to a last sequence number for a last received packet without bit-shifting, and wherein, when the update results in the new value of one of the low index and the high index exceeding the end of the circular buffer, the one of the low index and the high index wraps around from the beginning of the circular buffer.

Document: 20130167219
Title: APPARATUS AND METHOD FOR CYBER-ATTACK PREVENTION
Date: 06-27-2013
Abstract: Provided are a method of preventing cyber-attack based on a terminal and a terminal apparatus therefor. The terminal apparatus includes: a packet processor configured to determine whether excessive traffic is generated by a transmission packet; an anomalous traffic detecting unit configured to determine whether anomalous traffic is generated, using a first condition of the excessive traffic being maintained for a first time period and a second condition of a generation count of the same kind of transmission packets exceeding a predetermined threshold value for a second time period; and a traffic block request unit configured to generate a traffic block request signal for requesting blockage of the transmission packet according to the result of determining whether anomalous traffic is generated.

Document: 20080295163
Title: Method and Apparatus for Updating Anti-Replay Window in Ipsec
Date: 11-27-2008

Document: 20110283350
Title: Firewall Method and Apparatus for Industrial Systems
Date: 11-17-2011
Abstract: Method and apparatus for use with systems including networked resources where communication between resources is via dual packet protocols wherein a first protocol includes a frame that specifies a destination device/resource and a data field and the second protocol specifies a final destination device/resource and includes a data field, where the second packets are encapsulated in the first protocol packet frames, the method including specifying access control information for resources, for each first protocol packet transmitted on the network, intercepting the first protocol packet prior to the first protocol destination resource, examining a subset of the additional embedded packet information to identify one of the intermediate path resources and the final destination resource, identifying the access control information associated with the identified at least one of the intermediate path resources and the final destination resource and restricting transmission of the first protocol packet as a function of the identified access control information.

Document: 20110302648
Title: ANTI-MALWARE SYSTEM AND OPERATING METHOD THEREOF
Date: 12-08-2011
Abstract: Provided are an anti-malware system, and an operating method thereof. The anti-malware system matches a filtering operation on first target data to be filtered with a rule pattern, performs a filtering operation on the first target data according to a matching result, matches second target data to be malware-scanned with a malware pattern, and performs a malware scanning operation on the second target data according to a matching result, wherein the filtering operation and the scanning operation are performed on a system-on-chip (SoC).

Document: 20110296519
Title: REPUTATION BASED CONNECTION CONTROL
Date: 12-01-2011
Abstract: Methods and systems for operation upon one or more data processors for reputation based firewall processing of communications. The reputation based firewall processing includes receiving a communication identifying an entity, retrieving the reputation of the entity identified by the communication, and handling the communication based upon the retrieved reputation.

Document: 20110296518
Title: APPLICATION LAYER AUTHENTICATION IN PACKET NETWORKS
Date: 12-01-2011
Abstract: Techniques are disclosed for efficient authentication of an end user device at an application server of a communication network. For example, wherein it is assumed that, in a communication network, a first computing device is an end user device, a second computing device is a gateway server, and a third computing device is an application server, a method comprises the following steps. The second computing device authenticates one or more packets received from the first computing device. The second computing device marks the one or more packets with a first-layer identity before routing the one or more packets toward the third computing device such that the third computing device is able to authenticate the one or more packets from the first computing device by confirming an association between the first-layer identity and a second-layer identity. For example, the first-layer identity may comprise a link layer identity assigned to the first computing device (e.g., assigned by the gateway server or some other server), and the second-layer identity may comprise an application layer identity assigned to the first computing device (e.g., previously assigned by the application server or some other server).

Document: 20080320584
Title: FIREWALL CONTROL SYSTEM
Date: 12-25-2008
Abstract: Generally speaking, systems, methods and media for implementing a firewall control system responsive to user authentications are disclosed. Embodiments of a method may include receiving a data request at a firewall where the data request is associated with a program. Embodiments may include determining whether an authentication plan is required to be matched for the associated program and, if so, accessing a stored authentication plan associated with the program and having one or more authentication records each having expected information relating to user access to a particular server. Embodiments may include accessing a current authentication plan from an authentication store, the current authentication plan having one or more authentication records each having information relating to user access to a particular server. Embodiments may include comparing the stored authentication plan with the received current authentication plan to determine whether they match and, in response, performing one or more firewall actions.

Document: 20100071054
Title: NETWORK SECURITY APPLIANCE
Date: 03-18-2010
Abstract: Systems and methods for combating and thwarting attacks by cybercriminals are provided. Network security appliances interposed between computer systems and public networks, such as the Internet, are configured to perform defensive and/or offensive actions against botnets and/or other cyber threats. According to some embodiments, network security appliances may be configured to perform coordinated defensive and/or offensive actions with other network security appliances.

Document: 20090183252
Title: PACKET RELAY APPARATUS
Date: 07-16-2009
Abstract: A packet relay apparatus keeps only packets specified as authentication target packets of MAC address authentication, to reduce the number of packets to be transferred from H/W to a CPU. In addition to a source MAC address, the authentication target packet of MAC address authentication is specified by an Ethernet type, a destination IP address, a protocol, a source port number and a destination port number of TCP/UDP, and the like. In this way, the packet relay apparatus excludes a terminal not transmitting authentication target packets of MAC address authentication from the MAC address authentication target, while allowing selection from other authentication methods such as Web authentication and IEEE802.1X authentication.

Document: 20130219484
Title: System and Method for Providing Network and Computer Firewall Protection with Dynamic Address Isolation to a Device
Date: 08-22-2013
Abstract: A computer performs dynamic address isolation. The computer comprises an application associated with an application address, a network interface coupled to receive incoming data packets from and transmit outgoing data packets to an external network, a network address translation engine configured to translate between the application address and a public address, and a driver for automatically forwarding the outgoing data packets to the network address translation engine to translate the application address to the public address, and for automatically forwarding the incoming data packets to the network address translation engine to translate the public address to the application address. The computer may communicate with a firewall configured to handle both network-level security and application-level security.

Document: 20100281533
Title: METHOD AND APPARATUS FOR IMPLEMENTING A LAYER 3/LAYER 7 FIREWALL IN AN L2 DEVICE
Date: 11-04-2010
Abstract: Methods and apparatus for transferring packets in a packet switched communication system. A system is provided that includes an L

Document: 20080244726
Title: FIREWALL SYSTEM FOR INTERCONNECTING TWO IP NETWORKS MANAGED BY TWO DIFFERENT ADMINISTRATIVE ENTITIES
Date: 10-02-2008
Abstract: Firewall system for interconnecting a first IP network (

Document: 20100125900
Title: Network Intrusion Protection
Date: 05-20-2010
Abstract: Improved techniques are disclosed for use in an intrusion prevention system or the like. For example, a method comprises the following steps performed by a computing element of a network. A packet of a flow is received, the flow comprising a plurality of packets, wherein the plurality of packets represents data in the network. A network intrusion analysis cost-benefit value is determined representing a benefit for analyzing the received packet for intrusions in relation to a cost for analyzing the received packet for intrusions. The method compares the network intrusion analysis cost-benefit value to a network intrusion analysis cost-benefit threshold to determine whether analyzing the received packet for intrusions before forwarding the received packet is warranted. Responsive to a determination that analyzing the received packet for intrusions before forwarding the received packet is not warranted, the received packet is forwarded, an indication is made that subsequent packets of the flow should be forwarded, and a determination is made whether the received packet indicates an intrusion after forwarding the received packet.

Document: 20120036572
Title: SYSTEM-ON-A-CHIP MALICIOUS CODE DETECTION APPARATUS FOR A MOBILE DEVICE
Date: 02-09-2012
Abstract: A system-on-chip (SoC)-based apparatus for detecting malicious code in a portable terminal is provided. The SoC-based apparatus includes an SoC including a central processing unit (CPU) configured to generally control respective units of the SoC for SoC-based malicious code detection, an SoC memory-based firewall configured to classify packets input from outside through a network interface unit, perform a filtering operation, such as an allowing operation and a dropping operation, on the classified packets according to a predetermined setting, and output the result of the filtering operation to an application memory or an anti-malware engine, the SoC memory-based anti-malware engine configured to detect malicious code by performing a pattern-matching operation between a code pattern in a file input from the firewall and a pattern of malicious code registered in a malware signature database (DB) of a mobile device application unit, and an SoC memory-based control module configured to control operation of the firewall and the anti-malware engine in connection with the CPU.

Document: 20120036571
Title: SMART CARD, ANTI-VIRUS SYSTEM AND SCANNING METHOD USING THE SAME
Date: 02-09-2012
Abstract: A smart card installed in a device receives from the device data to be scanned and determines whether a virus exists in the data. Accordingly, security of the device may be enhanced without using substantial resources of the device.

Document: 20120240215
Title: SOC-BASED DEVICE FOR PACKET FILTERING AND PACKET FILTERING METHOD THEREOF
Date: 09-20-2012
Abstract: Provided is a device including a chip that includes a firewall engine, and a driver, wherein the driver identifies an owner process of a packet to be transmitted, and transmits the packet to the chip only if the owner process is allowed to transmit the packet to an external device, wherein the chip performs filtering by applying a rule for packet filtering to the packet received from the driver.

Document: 20100125901
Title: AUTOMATIC INVOCATION OF DTN BUNDLE PROTOCOL
Date: 05-20-2010
Abstract: A system and method for providing DTN services to legacy applications is provided. According to one example, a method for providing delay tolerant networking (DTN) services to legacy applications includes acts of intercepting a packet addressed to a software application, the packet including a payload, the software application being resident on a first computer, determining suitability of the packet for DTN processing and encoding the payload into a DTN bundle. According to another example, a system for providing delay tolerant networking (DTN) services to legacy applications includes a network interface, a memory and a controller coupled to the network interface and the memory. In this example, the controller is configured to intercept a packet addressed to a software application, the packet including a payload, the software application being resident on a computer, determine suitability of the packet for DTN processing and encode the payload into a DTN bundle.

Document: 20100083364
Title: Method for Lawfully Intercepting Communication IP Packets Exchanged Between Terminals
Date: 04-01-2010
Abstract: A method for lawfully intercepting communication IP packets exchanged between terminals is provided. The method involves assigning an IP address associated with a telecommunication service provider to, for example, a sending terminal for use as its IP address in communications with a receiving terminal, the telecommunication service provider providing SIP proxy services for establishing communication between the sending and receiving terminals. The communication IP packets are intercepted in such a way that the terminals are unaware of the interception.

Document: 20110197273
Title: Real time firewall/data protection systems and methods
Date: 08-11-2011
Abstract: Methods and systems for firewall/data protection that filter data packets in real time and without packet buffering are disclosed. A data packet filtering hub, which may be implemented as part of a switch or router, receives a packet on one link, reshapes the electrical signal, and transmits it to one or more other links. During this process, a number of filter checks are performed in parallel, resulting in a decision about whether each packet should or should not be invalidated by the time that the last bit is transmitted. To execute this task, the filtering hub performs rules-based filtering on several levels simultaneously, preferably with a programmable logic or other hardware device. Various methods for packet filtering in real time and without buffering with programmable logic are disclosed. The system may include constituent elements of a stateful packet filtering hub, such as microprocessors, controllers, and integrated circuits. The system may be reset, enabled, disabled, configured, and/or reconfigured with toggles or other physical switches. Audio and visual feedback may be provided regarding the operation and status of the system.

Document: 20110173692
Title: METHOD FOR COMPUTING NETWORK REACHABILITY
Date: 07-14-2011
Abstract: A method is provided for computing network reachability in a computer network. The method includes: identifying each of the subnetworks that comprise a computer network; determining, for each pair of subnetworks, data paths between the two subnetworks; for each identified data path, identifying access control lists implemented along a given data path and formulating a diagram that merges reachability sets derived from the access control lists along the given data path; and, deriving, for each pair of subnetworks, a set of network packets that can traverse between the subnetworks from the formulated diagrams.

Document: 20090288158
Title: INTELLIGENT FIREWALL
Date: 11-19-2009
Abstract: An intelligent firewall that prevents unauthorized access to a system has been developed. The firewall does not use a communication address. It receives a data packet and analyzes it to determine its final disposition. Finally, the firewall handles the data packet according to its final disposition.

Document: 20090144819
Title: FLOW CLASSIFICATION FOR ENCRYPTED AND TUNNELED PACKET STREAMS
Date: 06-04-2009
Abstract: Methods and systems for solving the problem of special processing required by various communication network subsystems (e.g., QOS, security, tunneling, etc.). In some cases the processing by one communication subsystem may result in modified IP data packets which may affect the application of additional processing of such packets. The methods and systems solve the problem by translating filters and setting up additional tunnels or other procedures based on the use case so that all the end and intermediate nodes can do the required processing on modified packets. The methods and systems may take into consideration an overlap or intersection of two or more different types of packet filters. A first set of packet filters is translated to provide the desired packet classification for modified packets. The second set of packet filters may be translated based upon the translation applied to the first set of packet filters.

Document: 20080244725
Title: METHOD AND APPARATUS FOR MANAGING PACKET BUFFERS
Date: 10-02-2008
Abstract: According to one example embodiment of the inventive subject matter, there is described herein a method and apparatus for securely and efficiently managing packet buffers between protection domains on an intra-partitioned system using packet queues and triggers. According to one embodiment described in more detail below, there is provided a method and apparatus for optimally transferring packet data across contexts (protected and unprotected) in a commodity operating system.

Document: 20090265778
Title: Attack protection for a packet-based network
Date: 10-22-2009
Abstract: The invention relates to a protection unit (

Document: 20080282339
Title: ATTACK DEFENDING SYSTEM AND ATTACK DEFENDING METHOD
Date: 11-13-2008
Abstract: An attack defending system allows effective defense against attacks from external networks even when a communication system uses a communication path encryption technique such as SSL. A firewall device and a decoy device are provided. The firewall device refers to the header of an input IP packet and, when it is determined that the input IP packet is suspicious, it is guided into the decoy device. The decoy device monitors a process providing a service to detect the presence or absence of attacks. When an attack has been detected, an alert including the attack-source IP address is sent to the firewall device so as to reject subsequent packets from the attack source.

Document: 20080209540
Title: FIREWALL INCLUDING LOCAL BUS
Date: 08-28-2008
Abstract: A gateway for screening packets transferred over a network. The gateway includes a plurality of network interfaces, a memory and a memory controller. Each network interface receives and forwards messages from a network through the gateway. The memory temporarily stores packets received from a network. The memory controller couples each of the network interfaces and is configured to coordinate the transfer of received packets to and from the memory using a memory bus. The gateway includes a firewall engine coupled to the memory bus. The firewall engine is operable to retrieve packets from the memory and screen each packet prior to forwarding a given packet through the gateway and out an appropriate network interface. A local bus is coupled between the firewall engine and the memory providing a second path for retrieving packets from memory when the memory bus is busy.

Document: 20080271134
Title: Method and system for combined security protocol and packet filter offload and onload
Date: 10-30-2008
Abstract: A network interface card (NIC) includes a security association database (SADB) comprising a plurality of security associations (SAs), a cryptographic offload engine configured to decrypt a packet using one of the plurality of SAs, a security policy database (SPD) comprising a plurality of security policies (SPs) and a plurality of filter policies, and a policy engine configured to determine an admittance of the packet using one of the plurality of SPs from the SPD and apply one of the plurality of filter policies to the packet.

Document: 20130219483
Title: CONTENT FILTERING APPARATUS AND METHOD
Date: 08-22-2013
Abstract: A content filtering apparatus may include a receiving unit to receive a data stream constituting content from at least one cloud server, a filtering unit to filter the content based on a service profile and a filtering condition corresponding to the at least one cloud server, and a control unit to search for data, in the data stream, associated with the filtering condition based on an index of the service profile matching the filtering condition.

Document: 20120198542
Title: Shared Security Device
Date: 08-02-2012
Abstract: A mechanism is provided for sharing one or more security appliances. A trusted system component associated with an application of a plurality of applications in a logically partitioned data processing system sets a destination address of a received packet to an address of a security appliance shared by the plurality of applications. The trusted system component sends the received packet to the security appliance. The trusted system component receives a response from the security appliance. The trusted system component determines whether the response indicates permitting the received packet to proceed to the intended recipient. The trusted system component sends the received packet to the recipient in response to the response indicating permitting the received packet to proceed.

Document: 20120198541
Title: METHODS AND APPARATUS FOR PREVENTING NETWORK INTRUSION
Date: 08-02-2012
Abstract: In one configuration, a non-volatile memory is provided having computer readable instructions configured to instruct a computer or controller to run a setup wizard to obtain setup and filtering module configuration rules from a user; reload the computer or controller with the settings obtained by the setup wizard; configure filtering module rules including rules for an industrial protocol filter; and filter received and/or transmitted packets in accordance with the filtering module rules. The configuration may also include instructions to further parse and analyze packets containing industrial protocols to determine whether to allow or deny ingress and/or egress of such packets.
20090013400Method of filtering undesirable streams coming from a terminal presumed to be malicious - A method of filtering undesirable streams coming from a terminal (01-08-2009
20110231929SYSTEMS AND METHODS FOR PROVIDING A VPN SOLUTION - A system, apparatus and a method for implementing a secured communications link at a layer other than that at which packets are filtered are disclosed. In one embodiment, a computer system is configured to form a virtual private network (“VPN”) and comprises an address inspection driver to identify initial target packet traffic addressed to a target server. Also, the computer system includes a pseudo server module to receive rerouted initial target packet traffic from the address inspection driver. The pseudo server module is configured to convey packet regeneration instructions to a VPN gateway. The address inspection driver functions to identify additional target packet traffic addressed to the target server and routes the additional target packet traffic to the pseudo server. In one embodiment, the pseudo server is configured to strip header information from the additional target packet traffic to form a payload, and thereafter, to route the payload to the target.09-22-2011
20120096539WIRELESS INTRUSION PREVENTION SYSTEM AND METHOD - A wireless intrusion prevention system and method to prevent, detect, and stop malware attacks is presented. The wireless intrusion prevention system monitors network communications for events characteristic of a malware attack, correlates a plurality of events to detect a malware attack, and performs mitigating actions to stop the malware attack.04-19-2012
20090249470COMBINED FIREWALLS - A method of providing a firewall to protect a set of virtual machines on a host node that is one of multiple host nodes that host virtual machines. The method stores a table of allowed connections for each virtual machine on the host node. Upon a particular virtual machine moving from the host node to another host node, the method deletes records of a first set of allowed connections that each identify the particular virtual machine and do not identify any other virtual machine in the set of virtual machines. Also upon the virtual machine moving, the method edits records of a second set of allowed connections, each identifying the particular machine and one other virtual machine in the set of virtual machines on the first host node, to remove an identifier of the particular virtual machine.10-01-2009
20110145912MEDIA ACCESS CONTROL ADDRESS TRANSLATION IN VIRTUALIZED ENVIRONMENTS - Some embodiments provide a method that transmits network packets through a network security device. The method receives a request to send a network packet from a first computing device to a second computing device over a network that includes the network security device. The network packet includes a first network interface identifier for identifying the first computing device on the network and a second network interface identifier for identifying the second computing device on the network. The method identifies third and fourth network interface identifiers that cause the network packet to be transmitted through the network security device when the network packet is transmitted using the third and fourth network interface identifiers. The method transmits the network packet over the network through the network security device using the third and fourth network interface identifiers. The method transmits the network packet to the second computing device using the first and second network interface identifiers.06-16-2011
20110145911Network-Based Security Services for Managed Internet Service - Data traffic is routed from a customer edge (CE) router to an Ethernet services router via a generic routing encapsulation (GRE) tunnel. Upon routing the data traffic from the CE router to the Ethernet services router, the data traffic is routed from the Ethernet services router to an aggregation switch. Upon routing the data traffic from the Ethernet services router to the aggregation switch, the data traffic is routed from the aggregation switch to a service switch through a security module, the security module configured to filter the data traffic. The filtered data traffic is routed from the service switch to the Ethernet services router. Upon routing the filtered data traffic from the service switch to the Ethernet services router, the filtered data traffic is routed from the Ethernet services router to a provider edge (PE) router.06-16-2011
20090249471REVERSIBLE FIREWALL POLICIES - A method of determining whether to allow multiple data packets to pass a firewall, each data packet having a source address and a destination address. The method evaluates a data packet by using a first set of policies when no previous packet with an opposite address has been allowed under the first set of policies. Two packets have opposite addresses when a source address of the first of the two packets is the same as the destination address of the second of the two packets and the destination address of the first packet is the same as the source address of the second packet. The method evaluates the data packet using a second set of policies when a previous packet with an opposite address has been allowed under the first set of policies.10-01-2009
20090249469PACKET TRANSFER APPARATUS - Plural retrieval units are prepared, and a retrieval unit which can reduce power consumption is selected according to the condition of a retrieval key. For example, in general, the retrieval unit including a CAM is used. However, when the condition of the retrieval key is simple as in a case where reference is made to only TOS in an interior node of Diffserv and QoS is determined, the retrieval unit including a dscp-QoS table constituted of an FF or RGF is used and the power consumption is reduced. A CAM retrieval start determination section determines that a process is performed by which retrieval unit in accordance with previously set setting information or a previously set header information item.10-01-2009
20090276842Load-Balancing Cluster - A load-balancing cluster includes a switch having a plurality of ports; and a plurality of servers connected to at least some of the plurality of ports of the switch. Each server is addressable by the same virtual Internet Protocol (VIP) address. Each server in the cluster has a mechanism constructed and adapted to respond to connection requests at the VIP by selecting one of the plurality of servers to handle that connection, wherein the selecting is based, at least in part, on a given function of information used to request the connection; and a firewall mechanism constructed and adapted to accept all requests for the VIP address for a particular connection only on the server that has been selected to handle that particular connection. The selected server determines whether it is responsible for the request and may hand it off to another cluster member.11-05-2009
20100180333Communication Abuse Prevention - Communication abuse prevention techniques are described. In an implementation, a reputation level for a communication is determined based on relation information for a sender and an intended recipient of the communication. A challenge is invoked that is to be completed by the sender before the communication is sent. The challenge is selected based on the reputation level for the communication.07-15-2010
20100154049TERMINAL, SECURITY SETTING METHOD, AND PROGRAM THEREOF - [Problems to be solved] To provide a system capable of controlling a PC firewall according to location, thereby preventing a third person from intruding into a PC without being restricted by an application.06-17-2010
20100162383Cluster Architecture for Network Security Processing - A computing device may be joined to a cluster by discovering the device, determining whether the device is eligible to join the cluster, configuring the device, and assigning the device a cluster role. A device may be assigned to act as a cluster master, backup master, active device, standby device, or another role. The cluster master may be configured to assign tasks, such as network flow processing to the cluster devices. The cluster master and backup master may maintain global, run-time synchronization data pertaining to each of the network flows, shared resources, cluster configuration, and the like. The devices within the cluster may monitor one another. Monitoring may include transmitting status messages comprising indicators of device health to the other devices in the cluster. In the event a device satisfies failover conditions, a failover operation to replace the device with another standby device, may be performed.06-24-2010
20100162382PACKET PROCESSING METHOD AND TOE HARDWARE - Provided is TOE hardware which includes intrusion prevention system hardware for inspection and real-time interruption of static/dynamic attacks over the network as well as fast TCP/IP processing, and a packet processing method in the TOE hardware. When a network packet is received, it is segmented to extract a header and a payload. A pattern matching inspection is performed on the payload, and a payload that passes the inspection is transferred to the host. For the header, a header inspection is performed and TCP/IP processing is performed on a header that passes the inspection. Processing of the payload is performed in parallel with processing of the header. Accordingly, the packet processing speed of the TOE hardware increases.06-24-2010
20100162381HOST TRUST REPORT BASED FILTERING MECHANISM IN A REVERSE FIREWALL - Disclosed is a computer implemented method and computer program product to throttle traffic from a source internet protocol address. The reverse firewall inspects payloads of a plurality of packets, each packet having a source address identical to the source internet protocol address and a target address corresponding to a receiver host. Responsive to detecting purported good content within at least one of the plurality of packets, the reverse firewall forwards packets having the source address. The reverse firewall determines whether a count of packets having the source address exceeds a safe threshold. The reverse firewall requests a demanded positive trust report from the receiver host, responsive to a determination that the count of packets having the source address exceeds the safe threshold. The reverse firewall determines whether a positive trust report is received from the receiver host that indicates that the source internet protocol address is good. The reverse firewall analyzes a header of a packet having the source address without analyzing a payload of the packet, responsive to a determination that the positive trust report is received from the receiver host.06-24-2010
20100192217System and method for information sharing between non-secure devices - A method for communicating information packets from a first host system operating in a first security domain and in accordance with a non-secure communications protocol, using a dataguard, to a second host system operating in a second security domain different than the first security domain, and where the second host system is also operating in accordance with the non-secure communications protocol. The method may involve: using a first driver operating with the dataguard to interface the dataguard with the first host system; using a first proxy task group operating with the dataguard to interface the dataguard to the first driver and to communicate with the first driver in accordance with a protocol of the first security domain; using a second driver operating with the dataguard to interface the dataguard to the second host system; and using a second proxy task group operating with the dataguard to interface the dataguard to the second proxy task group and to communicate with the second driver in accordance with a protocol of the second security domain.07-29-2010
20100212005DISTRIBUTED DENIAL-OF-SERVICE SIGNATURE TRANSMISSION - A system and method of transmitting a DDoS, or distributed denial of service, signature from an intra-network to an internet is presented. The method includes identifying a DDoS signature and employing an inter-domain routing protocol configured to enable operational information to be exchanged between nodes. The DDoS signature is embedded as payload of the standards-compliant inter-domain routing protocol. The step of embedding occurs within a network. The embedded DDoS signature is then sent from the network to an internet node outside of the network. The method further includes applying the DDoS signature to enable the internet nodes to filter packets matching the DDoS signature.08-19-2010
20090044263System and Method for On-Demand Dynamic Control of Security Policies/Rules by a Client Computing Device - A system and method for an end user to change the operation of a data flow filter mechanism, such as a firewall, that operates to control data flows between a plurality of protected computing devices and one or more non-protected computing devices. With the system and method, an administrator of a sub-network of computing devices may set a client computing device's scope of rules/policies that may be changed by a user of the client computing device, with regard to a data flow filter mechanism. The user of the client computing device, or the client computing device itself, may then log onto the data flow filter mechanism and modify the operation of the data flow filter mechanism within the limits established by the administrator.02-12-2009
20100251355METHOD FOR OBTAINING DATA FOR INTRUSION DETECTION - A method for obtaining data for intrusion detection obtains data after forward chain filtering of a firewall. Modes of obtaining the data include a socket communication mode and a character device work mode. The method for obtaining the data for intrusion detection obtains the data filtered by the firewall, and reduces false alarms. Moreover, the method obtains the data after a network address translation (NAT) operation, so as to locate an attacker and a victim correctly. The method further obtains a decrypted Internet Protocol Security (IPsec) data packet, so as to process an IPsec data stream normally.09-30-2010
20090144818SYSTEM AND METHOD FOR USING VARIABLE SECURITY TAG LOCATION IN NETWORK COMMUNICATIONS - A method of packet security management to ensure a secure connection from one network node to another. The method includes creating a security tag for each packet in a network session, selecting one of a number of possible tag locations within the packet, inserting the security tag at that location, transmitting the tagged packets from a sending node to the receiving node, authenticating the packets' security tags at the receiving node, and dropping non-authenticated packets. The method also includes determining best possible tag locations when sending a packet and locating a security tag when receiving a packet.06-04-2009
20110113482Method And Apparatus For Automatic Filter Generation And Maintenance - Automatic filter generation and maintenance comprises detecting, from network packets, an IP address and a first MAC address; the IP address and the first MAC address are used to determine that a binding of the IP address and another MAC address, detected in second network packets, is an illegal binding, the other MAC address being different from the first MAC address; causing a network element to create, in an ARP filter, based on the IP address and the first MAC address, rules that cause the network element to prevent an address resolution protocol table from including a binding that includes only one of the IP address and the first MAC address; and, in response to detecting the IP address and said other MAC address in the second network packets, preventing the address resolution protocol table from including the illegal binding that includes the IP address and the other MAC address.05-12-2011
20100192218METHOD AND SYSTEM FOR PACKET FILTERING FOR LOCAL HOST-MANAGEMENT CONTROLLER PASS-THROUGH COMMUNICATION VIA NETWORK CONTROLLER - A network controller in a communication device may be operable to provide pass-through communication of local host-management traffic between a local host and a management controller within the communication device, wherein the local host may be operable to utilize its network processing resources during communication of the local host-management traffic. The network controller may use packet filtering to provide the pass-through communication, wherein the network controller may utilize a plurality of filtering rules during filtering of packets received in the network controller. The filtering rules may specify packet processing and/or forwarding actions by said network controller based on one or more specified conditions. The specified conditions may be based on one or more match criteria, wherein the match criteria comprise source address, destination address, and/or traffic type data in the received packets. Address learning mechanisms may be used in the network controller to enable configuring and/or performing packet filtering transparently.07-29-2010
20090328187DISTRIBUTED WEB APPLICATION FIREWALL - A method for protecting a Web application running on a first local Web Server from hacker attacks, said Web Server being connectable to at least one client, the method comprising the following steps: providing a plurality of preset rules on said Server, which correspond to specific characteristics of HTTP requests; receiving an HTTP request on said server from the client, said HTTP request comprising a plurality of characteristics; analyzing said characteristics of said received HTTP request in accordance with said rules provided on said server; rejecting said HTTP request if said rules identify said HTTP request as a harmful request; accepting said HTTP request if said rules identify said HTTP request as a trustable request; classifying said HTTP request as a doubtful request if said rules identify said request neither as a harmful request nor as a trustable request; evaluating the characteristics of said doubtful local request; and generating a learned rule on the basis of the edge base evaluation.12-31-2009
20090328185Detecting exploit code in network flows - Disclosed is a method and apparatus for detecting exploit code in network flows. Network data packets are intercepted by a flow monitor which generates data flows from the intercepted data packets. A content filter filters out legitimate programs from the data flows, and the unfiltered portions are provided to a code recognizer which detects executable code. Any embedded executable code in the unfiltered data flow portions is identified as a suspected exploit in the network flow. The executable code recognizer recognizes executable code by performing convergent binary disassembly on the unfiltered portions of the data flows. The executable code recognizer then constructs a control flow graph and performs control flow analysis, data flow analysis, and constraint enforcement in order to detect executable code. In addition to identifying detected executable code as a potential exploit, the detected executable code may then be used in order to generate a signature of the potential exploit, for use by other systems in detecting the exploit.12-31-2009
20090276843SECURITY EVENT DATA NORMALIZATION - Normalizing security event data from multiple different network agents. The data from the multiple different agents is categorized and tagged with a descriptor that includes information about the nature of the event. Multiple different events from multiple different devices can therefore be evaluated using a common format which is common for the multiple different devices from different vendors.11-05-2009
20110023108Mobile Radio Terminal Device Having a Filter Means and a Network Element for the Configuration of the Filter Means - A mobile radio terminal device having a communicator for communicating with network elements via data packets and a filter for monitoring the data packets, wherein the filter is implemented to receive a filter regulation from a first network element and to prevent a communication with a second network element when a data packet for communicating with the second network element does not correspond to the filter regulation.01-27-2011
20100333190LATENCY REDUCTION METHOD AND NETWORK CONNECTION APPARATUS - A latency reduction method executed by a network connection apparatus, includes starting to output an incoming packet before an access control processing with respect to the incoming packet has completed, and changing the incoming packet to an invalid packet and outputting the invalid packet when determined by the access control processing to discard the incoming packet.12-30-2010
20100333191SYSTEM AND METHOD FOR PROTECTING CPU AGAINST REMOTE ACCESS ATTACKS - A system and method that provides for protection of a CPU of a router by establishing a management port on the router. Hosts which are connected to non-management ports of the router are denied access to management functions of the CPU of the router. The system and method can utilize an application specific integrated circuit (ASIC), in conjunction with a CAM-ACL, which analyzes data packets received on the ports of the router, and the ASIC operates to drop data packets which are directed to the CPU of the router. This system and method operates to filter data packets which may be generated in attempts to hack into control functions of a network device, and the operation does not require that the CPU analyze all received data packets in connection with determining access to the control functions of the router.12-30-2010
20100333189METHOD AND SYSTEM FOR ENFORCING SECURITY POLICIES ON NETWORK TRAFFIC - A computer readable medium that includes computer readable program code embodied therein. The computer readable medium causes the computer system to receive, by a data link rule enforcer, a packet from a packet source of the packets, and obtain a data link rule applying to a data link. The data link is operatively connected to the packet source, and the data link is associated with a media access control (MAC) address. The computer readable medium further causes the computer system to determine, by the data link rule enforcer, whether the packet complies with the data link rule, and drop, by the data link rule enforcer, the packet when the packet fails to comply with the data link rule.12-30-2010
20110010769Preventing Spoofing - A method and access node for preventing spoofing while connecting subscribers to an Ethernet network. The access node includes a filter mechanism for filtering packets destined to subscribers attached to the access node. The filter mechanism includes a database of allocated IP destination addresses and MAC addresses. The filter mechanism blocks any packet directed to a subscriber but containing an incorrect IP or MAC address. The mechanism prevents users from changing their address information to illegally appropriate packets from other users or to disguise their identity.01-13-2011
20110035795PORT HOPPING AND SEEK YOU PEER TO PEER TRAFFIC CONTROL METHOD AND SYSTEM - A network apparatus, system, and method for operating a server to identify and subsequently control suspected peer-to-peer (P2P) sources transmitting traffic from a first network to a second network. A peer-to-peer source is identified by a characteristic of its destination port profile. A peer-to-peer source is identified by a characteristic of its destination host IP address profile. It is determined when hopping-port usage comprises a data stream. It is determined when destination IP address usage represents “Seek You” (CQ) like call behavior, analogous to a radio invitation for any operators listening to respond.02-10-2011
20110041176Signal transfer point front end processor - In an SS7 network, each of a plurality of Signal Transfer Points is fronted by a front-end processor (STP-FEP) that has a network presence. The STP-FEP implements at least the MTP2 layer of the SS7 protocol stack and implements security rules at the MTP2 and MTP3 layers.02-17-2011
20110119752METHOD AND SYSTEM FOR INCLUDING SECURITY INFORMATION WITH A PACKET - A method and system for including security information with a packet is disclosed. A packet is detected as it exits a first network and enters a second network. The first network is configured to support a network security technique, and the second network is not configured to support the network security technique. Network security information associated with the network security technique is included with the packet. A network device is configured to include network security information in overhead of a packet. A method for identifying a first network device in a network is also disclosed. Identification information of the first network is communicated to a second network device.05-19-2011
20090077648METHOD FOR MANAGING NETWORK FILTER BASED POLICIES - A method and system are provided for adding, removing, and managing a plurality of network policy filters in a network device. Filters are installed in a framework and designated as active or disabled. Each filter has a priority. When a new filter is to be installed into the framework, it is compared to installed filters to determine if a conflict exists. If no conflict exists, the new filter is added as an active filter. If a conflict exists, a higher priority conflicting filter is added as active and a lower priority filter is added as inactive.03-19-2009
20110078782IP COMMUNICATION DEVICE AS FIREWALL BETWEEN NETWORK AND COMPUTER SYSTEM - Methods, systems, and apparatuses are described for implementations of an Internet protocol (IP) communication device (e.g., an IP phone) that contains a firewall. The IP communication device is coupled between a computer system and a network. A data packet is received at a first port of the IP communication device. The data packet is filtered with the firewall included in the IP communication device. The filtered data packet may be transmitted from a second port of the IP communication device (in modified or unmodified form), or may be canceled based on the filtering. In one implementation, the first port is coupled to the network and the second port is coupled to the computer system. In another implementation, the first port is coupled to the computer system and the second port is coupled to the network.03-31-2011
20100132031METHOD, SYSTEM, AND DEVICE FOR FILTERING PACKETS - A method, system, and device for filtering packets are disclosed. The method includes: by a deep packet inspection (DPI) proxy server configured at the access-network user side, identifying the service type and/or contents of a received packet, and performing DPI filtering on the packet by using a preset DPI filtering policy according to the identified service type and/or contents. In the technical solution of the present invention, DPI proxy servers are configured at the access-network user side on a distributed basis; each DPI proxy server receives packets only from a user equipment (UE) on a customer premises network (CPN), where the UE corresponds to the DPI proxy server. Compared with the DPI server configured at the edge between the core network and the access network in the prior art, the DPI proxy server provided in embodiments of the present invention processes fewer packets, thus performing real-time DPI on the packets.05-27-2010
20090031413VLAN Router with Firewall Supporting Multiple Security Layers - A router containing a firewall capable of supporting a plurality of different security levels. The router of the present invention creates a plurality of Virtual Local Area Networks (VLANs) using a network switch. The VLAN Rules Table (VRT) allows a network administrator to designate a trust level for each VLAN. The trust level may be different for every VLAN and the administrator may designate different rules for each VLAN. The Security Program (SP) analyzes each packet passing through the firewall and determines if the packet is permitted under the rules for the VLAN trust level. An alternative embodiment in which the switch in the router is divided into a plurality of sub-switches is also disclosed. In the alternative embodiment, the firewall need only compare the packet to rules which were not applied in the lower trust levels, eliminating the redundant rules from the comparison process.01-29-2009
20100037310DYNAMICALLY ADAPTIVE NETWORK FIREWALLS AND METHOD, SYSTEM AND COMPUTER PROGRAM PRODUCT IMPLEMENTING SAME - One embodiment creates a model of the traffic through a network firewall and uses that model to dynamically manipulate the network firewall. The firewall model defines nodes, connections between the nodes, and firewall rules applicable to the nodes, the connections between the nodes, or a combination thereof. Each of the nodes represents simultaneously a source and a destination for data packets. The firewall rules include dynamic chains of rules having defined places where firewall rules may be dynamically inserted into or deleted from the firewall while the firewall is operating on one or more machines connected to network segments where the nodes reside.02-11-2010
20090217369Method and system for processing packet flows, and computer program product therefor - Packet flows are processed, e.g. to perform an intrusion detection function in a communication network, by means of a multiprocessor system including a plurality of processing units. The packets are distributed for processing among the processing units via a distribution function. Such a distribution function is selectively allotted to one of the processing units of the plurality. A preferred embodiment of the arrangement involves using a single Symmetric Multi-Processor machine with a single network port connected to a Gigabit/sec link. The corresponding system architecture does not require any intermediate device, or any external load balancing mechanism. All the processing work is performed on a single system, which is able to dynamically balance the traffic load among the several independent CPUs. By resorting to a specific scheduling arrangement, such a system is able to effectively distribute the computations required to perform both the load-balancing and the detection operations.08-27-2009
20100037309METHOD AND APPARATUS FOR PROVIDING SECURITY IN AN INTRANET NETWORK - A method and an apparatus for providing security in an intranet network are disclosed. For example, the method receives a packet at a customer edge router, and applies an inbound access control list by the customer edge router to the packet if the packet is destined to a server in a protected server group, wherein said protected server group identifies one or more servers within the intranet network to be protected. The method applies an outbound access control list by the customer edge router to the packet if the packet is from a server in the protected server group.02-11-2010
20100058459NETWORK INTERFACE CARD WITH PACKET FILTERING FUNCTION AND FILTERING METHOD THEREOF - A network interface card with a packet filtering function and a filtering method thereof are applicable to realize packet filtering through both software and hardware manners. The network interface card includes a connection port, a first filtering module, a second filtering module, and a storage unit. The connection port is used to receive packet data from the Internet. The first filtering module is connected to the connection port, and is used to detect the packet data according to a content-addressable memory (CAM) table. The detecting process is executed by the firmware of the network interface card. The second filtering module is connected to the first filtering module, and executes a packet content detecting procedure for detecting the content of the packet data, thereby detecting the packet data by using software and firmware respectively, and thus the working efficiency of the network interface card is enhanced.03-04-2010
20100077471One Button Security Lockdown of a Process Control Network - Proper function and security of a complex network for communicating data within a process control system may be manually or automatically “locked-down” with a single command for an entire process control network or portions of the network. A user or application monitors network communication over multiple network devices. Once the network is configured and properly communicates data over the process control network, the application may lock down the network by deactivating or “locking out” access points on the network that are open and unused or have invalid connections. Locking down the network may essentially freeze it in a properly configured and functioning state and restrict future re-configuration of the network devices or harmful communication over an open or unused access point. When locked, if a currently connected device is unplugged and a different device is plugged into the access point, the network device may refuse the connection.03-25-2010
20110252469SYSTEM FOR PREVENTING NORMAL USER BEING BLOCKED IN NETWORK ADDRESS TRANSLATION (NAT) BASED WEB SERVICE AND METHOD FOR CONTROLLING THE SAME - A system for preventing a normal user from being blocked in a network address translation (NAT)-based web service and a method for controlling the same are disclosed. The system discriminates between an attacker PC and a normal user PC that use the same public IP address in the NAT network, blocks a Web-page request generated from the attacker PC, processes a Web-page request of a normal user PC, and makes an Internet service of the normal user PC possible. The system discriminates between the attacker PC and the normal user PC that use the same IP address in the NAT network, blocks access of a packet of the attacker PC on the basis of the matching result obtained from a blacklist rule table, converts a Web-server host address into a virtual IP address upon receiving traffic of the normal user, and allows the normal user traffic to access the Web server without any restriction caused by the blacklist rule table, such that the normal user can freely access the Web service of the Web server.10-13-2011
20110093946ROUTER AND METHOD FOR PROTECTING TCP PORTS UTILIZING THE SAME - A router and method for protecting transmission control protocol (TCP) ports of a local computer include receiving a SYN packet from a remote computer, recording a timestamp of the SYN packet, and counting a number of suspicious TCP connections established during a first time interval before the timestamp of the SYN packet. The router and method further include identifying the remote computer as an attacker if the counted number exceeds a preset maximum connection value, and rejecting all TCP packets transmitted from the remote computer during a second time interval after the timestamp of the SYN packet.04-21-2011
20120304278METHODS AND SYSTEMS FOR ACHIEVING HIGH ASSURANCE COMPUTING USING LOW ASSURANCE OPERATING SYSTEMS AND PROCESSES - A device for providing a blended protection scheme for a high assurance communication device includes a reconfigurable firewall and packet inspection device for enforcing isolation and separation between a communication device's CPUs, memory, and the communication device, where the reconfigurable firewall is implemented on an integrated chip or motherboard chipset. The device further includes a protected CPU that is adapted to manage security functions and to reconfigure the reconfigurable firewall. In embodiments, the device is a firewall and virus infection inspection system. In other embodiments the device is a virtual private network for network based communications.11-29-2012
20110088089METHOD, APPARATUS AND SYSTEM FOR MANAGING PACKET DELIVERY - Portable electronic devices typically have reduced computing resources, including reduced available bandwidth to receive communications. A method, apparatus and system is provided to manage packet delivery to electronic devices to mitigate some of these problems.04-14-2011
20110179479SYSTEM AND METHOD FOR GUARDING AGAINST DISPERSED BLOCKING ATTACKS - A system and a method are provided for guarding against dispersed blocking attacks in a network. The system includes detection apparatus for detecting and guiding the dispersed blocking attacks, and a guarding apparatus for receiving and filtering the flow of packets guided by the detection apparatus. The guarding apparatus includes a filtering module for filtering irregular packets according to preset filtering rules; a routing device for receiving and transmitting the filtered flow of packets; and an adjusting module for analyzing the filtered flow of packets, thereby adjusting the preset filtering rules and providing warning messages. The method includes detecting, guiding and filtering, in a multi-layered manner, irregular packet flows at major nodes of the network; and enhancing filtering based on the analyzed and adjusted preset filtering rules, thereby preventing network services from being interrupted by dispersed blocking attacks.07-21-2011
20110083175Methods and Apparatuses for Policing and Prioritizing of Data Services - Methods and apparatuses, including computer program products, are described for policing and prioritizing of data services. Each packet in a data stream is directed to a substream policer of a plurality of substream policers. Each packet is allowed through the substream policer based on rate parameters associated with the substream policer. The packets allowed by the substream policer are directed to an aggregate policer. Each packet allowed through the substream policer is allowed through the aggregate policer based on rate parameters associated with the aggregate policer. The substream policer and the aggregate policer are charged for each packet allowed by both the substream policer and the aggregate policer. The substream policer and the aggregate policer are not charged for each packet not allowed by either the substream policer or the aggregate policer.04-07-2011
20110083176ASYNCHRONOUS PROCESSING OF EVENTS FOR MALWARE DETECTION - A system, method and computer program product for malware detection based on the behavior of applications running on a computer system, including: asynchronous processing of system events for malware threat analyses using application filters; analyzing events using heuristic and signature data; analyzing applications behavior and detecting abnormal behavior of “clean” applications; automatically classifying applications (i.e., detecting new versions) based on behavior analysis; automatically analyzing the reliability of web sites based on behavior triggered by the web site accesses; in enterprise networks, detecting abnormalities in configuration of user computer systems; recognizing a user by his behavior profile and using the profile for an automatic configuration of user applications.04-07-2011
20110072508TRUST BASED APPLICATION FILTERING - Methods, devices, and systems are provided for filtering packets and other communication messages or portions thereof. Particularly, mechanisms are provided for efficiently determining and applying a set of trust-based filtering rules. Trust scores may be assigned to various connections and packets received on a particular connection may have filtering rules applied thereto in accordance with the trust score of the connection.03-24-2011
20110030049System and Method for Reducing Data Stream Interruption During Failure of a Firewall Device - A system includes first and second firewalls and a controller. The first firewall is configured to perform a firewall function on a first redundant input data packet and output the first input packet as a first redundant output data packet according to the firewall function. The second firewall is configured to perform the firewall function on a second redundant input data packet and output the second input packet as a second redundant output data packet according to the firewall function. The output packets are at least substantially similar when the firewall devices function properly. The controller is configured to receive the output packets from the firewalls, transmit at a given time one of the output packets, transmit the first output packet while the second firewall is failed, and transmit the second output packet while the first firewall is failed.02-03-2011
20130160107SIGNAL TRANSFER POINT FRONT END PROCESSOR - In an SS7 network, each of a plurality of Signal Transfer Points is fronted by a front-end processor (STP-FEP) that has a network presence. The STP-FEP implements at least the MTP2 layer of the SS7 protocol stack and implements security rules at the MTP2 and MTP3 layers.06-20-2013
20110016519DEVICE PROGRAMMABLE NETWORK BASED PACKET FILTER - A method is provided for filtering unwanted packets in a communication system. The communication system includes a first network, a wireless network and at least one wireless communication device. An instruction to add an entry to a blocked list is received from a specific wireless device. The entry includes blocking criteria. A first packet is received from the first network. The first packet is destined for the specific wireless communication device. If the first packet exhibits the blocking criteria included in the blocked list, the first packet is discarded before it can be distributed by the wireless network.01-20-2011
20100269171METHODS FOR EFFECTIVE NETWORK-SECURITY INSPECTION IN VIRTUALIZED ENVIRONMENTS - The present invention discloses methods for effective network-security inspection in virtualized environments, the methods including the steps of: providing a data packet, embodied in machine-readable signals, being sent from a sending virtual machine to a receiving virtual machine via a virtual switch; intercepting the data packet by a sending security agent associated with the sending virtual machine; injecting the data packet into an inspecting security agent associated with a security virtual machine via a direct transmission channel which bypasses the virtual switch; forwarding the data packet to the security virtual machine by employing a packet-forwarding mechanism; determining, by the security virtual machine, whether the data packet is allowed for transmission; upon determining the data packet is allowed, injecting the data packet back into the sending security agent via the direct transmission channel; and forwarding the data packet to the receiving virtual machine via the virtual switch.10-21-2010
20100263040Method and Arrangement for Security Activation Detection in a Telecommunication System - A method and apparatus is provided for detecting the start of a secure mode by a user terminal (10-14-2010
20110154475MODEM AND METHOD FOR CONSERVING POWER CONSUMPTION OF AN ELECTRONIC DEVICE - A modem and method for conserving power of an electronic device includes storing a black list and a white list, each of the black list and the white list including one or more Internet Protocol (IP) addresses. The modem and method further includes receiving a packet from an IP address, determining if the IP address is in the black list or the white list, dropping the packet if the IP address is in the black list, or resetting the timer and sending the packet to the electronic device if the IP address is in the white list.06-23-2011
20110258695PUBLIC NETWORK ACCESS SERVER HAVING A USER-CONFIGURABLE FIREWALL - A user-configurable firewall and method in which a user-changeable security setting for a client computer is maintained by an access server through which a user accesses the public network. The user-changeable security setting can be used to specify which outside computers or network devices may access the client computer and what type of access to the client computer is allowed. If an attempt to access the client computer is made, the user-configurable security setting is checked to determine if the attempted access is allowed by the current security setting. If the attempted access is allowed by the current security setting, access is allowed to the client computer; otherwise, access is not allowed. If the user changes the user-configurable security setting, the changes to the user-configurable security setting are provided to the access server.10-20-2011
20110258694HIGH PERFORMANCE PACKET PROCESSING USING A GENERAL PURPOSE PROCESSOR - A packet processing device includes a control logic processor for filtering packets according to a set of stored rules and an arithmetic logic processor for executing packet processing instructions based on the content of the packet. The control logic processor spawns a new thread for each incoming packet, relieving the arithmetic logic processor of the need to do so. The control logic processor and the arithmetic logic processor preferably are integrated via a thread queue. The control logic processor preferably assigns a policy to each incoming packet. A policy action table stores one or more policy instructions which may be easily changed to update policies to be implemented. The policy action table preferably maps a virtual packet flow identification code to the physical memory address of an action code and a state block associated to the identification code. The arithmetic logic processor processes a packet based on the stored policy assigned to that packet.10-20-2011
20080229404AUTOMATED METHODS AND PROCESSES FOR ESTABLISHING MEDIA STREAMING CONNECTIONS THROUGH FIREWALLS AND PROXY SERVERS AND COUNTERMEASURES THERETO - A streaming media application attempting to establish a streaming media connection first attempts to establish the connection directly using a format such as UDP. If no direct connection can be established, the media application attempts to establish a connection through a proxy server using proxy server information obtained from installed software components such as browsers that manage Internet connections. If necessary, an auto configuration web page is utilized to obtain the proxy server address. The invention also includes methods for blocking streaming media connections.09-18-2008
20100088756MULTI-PATTERN PACKET CONTENT INSPECTION MECHANISMS EMPLOYING TAGGED VALUES - Methods and apparatus for performing content inspection using multi-pattern packet content inspection mechanisms employing tagged values. Pattern data structures are employed to facilitate multi-pattern searches via corresponding string-search algorithm machines. The pattern data structures include tagged values defining search offsets and depths for corresponding search patterns. Incoming packets are classified to flows, and stored in corresponding flow queues. Flow table entries are used to identify the pattern data structure for a given flow. During content inspection, the algorithm machine employs the tagged values to effectively skip portions of a data stream up to the offset for each search pattern and to cease searching for a pattern upon reaching the depth for the pattern.04-08-2010
20090328186COMPUTER SECURITY SYSTEM - A method of packet management for restricting access to a resource of a computer system. The method includes identifying client parameters and network parameters, as a packet management information, used to determine access to the resource, negotiating a session key between client and server devices, generating a session ID based on at least the negotiated session key, inserting the packet management information and the session ID into each information packet sent from the client device to the server device, monitoring packet management information in each information packet from the client device, and filtering out respective information packets sent to the server device from the client device when the monitored packet management information indicates that access to the resource is restricted.12-31-2009
20090126004PACKET TRANSFER DEVICE, PACKET TRANSFER METHOD, AND PROGRAM - A packet transfer apparatus is provided with: storage means configured to store a predetermined search pattern and an address identifying a predetermined apparatus; determination means configured to determine whether predetermined data in a packet received from a network interface matches the search pattern; determination means configured to determine a network interface for outputting the packet using the determination result; replacement means configured to replace an address identifying a destination apparatus of the packet with an address identifying the predetermined apparatus when outputting the packet from a network interface connected to the predetermined apparatus; and packet sending means configured to send the packet to the determined network interface.05-14-2009
20090126003System And Method For Providing Network And Computer Firewall Protection With Dynamic Address Isolation To A Device - A computer performs dynamic address isolation. The computer comprises an application associated with an application address, a network interface coupled to receive incoming data packets from and transmit outgoing data packets to an external network, a network address translation engine configured to translate between the application address and a public address, and a driver for automatically forwarding the outgoing data packets to the network address translation engine to translate the application address to the public address, and for automatically forwarding the incoming data packets to the network address translation engine to translate the public address to the application address. The computer may communicate with a firewall configured to handle both network-level security and application-level security.05-14-2009
20090064310Data relay device and data relay method - A data relay device having a plurality of security functions sequentially executes the security functions on input data based on a predetermined rule to determine whether or not to permit the relay of the data, and denies the relay of the data when the relay is determined to be rejected. The data relay device has a determination result acquisition unit that acquires a determination result indicating permission or rejection of relay of the data, and a rule change unit that changes, based on the determination result acquired by the determination result acquisition unit, a rule defined for any one of the security functions located forward of the security function that has determined relay rejection, so that the relay of the communication data is determined to be rejected.03-05-2009
20110055916METHODS, SYSTEMS, AND COMPUTER READABLE MEDIA FOR ADAPTIVE PACKET FILTERING - The subject matter described herein includes methods, systems, and computer readable media for adaptive packet filtering. One method includes identifying at least one subset of rules in an ordered set of firewall packet filtering rules that defines a firewall policy such that the subset contains disjoint rules. Disjoint rules are defined as rules whose order can be changed without changing the integrity of the firewall policy. Rules in the subset are sorted to statistically decrease the number of comparisons that will be applied to each packet that a firewall encounters. Packets are filtered at the firewall using the sorted rules in the subset by comparing each packet to each of the sorted rules in the subset until the packet is allowed or denied, and ceasing the comparing for the packet in response to the packet being allowed or denied, thereby achieving sub-linear searching for packets filtered using the sorted rules in the subset.03-03-2011
20110119753METHOD AND APPARATUS FOR BEST EFFORT PROPAGATION OF SECURITY GROUP INFORMATION - A method and system for best effort propagation of security group information is disclosed. The method includes determining if a reserved group identifier is associated with a destination and, if the reserved group identifier is associated with the destination, indicating that a packet received at a network node can be sent to another network node. The packet includes destination information that identifies the destination as a destination of the packet.05-19-2011
20110004932Firewall for tunneled IPv6 traffic - A NAT device and method implemented on the device for filtering tunneled IPv6 traffic is disclosed. The method comprises: receiving an IP traffic stream at an ingress network interface to the NAT, performing deep packet inspection on the traffic stream to detect the tunneled IPv6 packets, and applying a filter to the IPv6 packets.01-06-2011
20120311692COMMUNICATION CONTROL APPARATUS AND PACKET FILTERING METHOD - A communication control apparatus (12-06-2012
20110126277METHODS, SYSTEMS, AND COMPUTER READABLE MEDIA FOR PROVIDING DIAMETER SIGNALING ROUTER WITH FIREWALL FUNCTIONALITY - According to one aspect, the subject matter described herein includes a system for Diameter routing and firewall filtering. The system includes a Diameter signaling router comprising a network interface for receiving, from a first Diameter node, a first Diameter message having Diameter information. The Diameter signaling router also includes a firewall module for determining whether the first Diameter message satisfies a firewall policy. The firewall policy is based on at least a portion of the Diameter information in the first Diameter message. The Diameter signaling router further includes a routing module for forwarding at least a portion of the first Diameter message towards a second Diameter node in response to the first Diameter message satisfying the firewall policy.05-26-2011
20100180334NETWORK APPARATUS AND METHOD FOR TRANSFERRING PACKETS - A network apparatus cluster for transferring multiple packets of a communication session to a network node includes a primary unit and a subordinate unit coupled together. The primary unit is operable for receiving the packets comprising a first packet and multiple subsequent packets, for generating a session data set indicating the communication session and a balance data set based on the first packet, and for determining that the subsequent packets belong to the communication session according to the session data set. The balance data set indicates whether the first packet is distributed to the primary unit or the subordinate unit. The subsequent packets are transferred from the primary unit to the network node according to the balance data set.07-15-2010
20090300751Unique packet identifiers for preventing leakage of sensitive information - In accordance with an aspect of the invention, leakage prevention is implemented by: a) associating—within a network—a unique identifier with a packet transmitted by a process which has previously accessed data containing sensitive information, and b) searching a packet before it exits a network for the unique identifier. This mechanism provides a strong guarantee against leakage of sensitive data out of a network by facilitating the monitoring of packets which potentially contain the sensitive information. The unique identifier may be located in the header of the packet, which is detectable without requiring a heavy investment of network resources. Additionally, a packet's movement within a network may be tracked by analyzing trapped system calls. Furthermore, an exiting packet may be analyzed by a network firewall, the firewall utilizing various policies to determine how to proceed when a packet containing a unique identifier is located.12-03-2009
20090293114DIVERSITY STRING BASED PATTERN MATCHING - Diversity string based pattern matching is disclosed. In one embodiment, a method for inspecting multiple data patterns in a data block includes scanning the data block for a diversity string of each data pattern, where the diversity string is a subset of that data pattern. The method further includes comparing each data pattern with a respective segment of the data block only if its diversity string is present in the data block, and forwarding flag data if the data pattern matches the respective segment of the data block.11-26-2009
20100031340NETWORK SECURITY MODULE FOR ETHERNET-RECEIVING INDUSTRIAL CONTROL DEVICES - A high-speed security device for network connected industrial controls provides hybrid processing in tandem hardware and software security components. The software security component establishes state-less data identifying each packet that requires high-speed processing and loads a data table in the hardware component. The hardware component may then allow packets matching data of the data table to bypass the software component while passing other non-matching packets to the software component for more sophisticated state analysis.02-04-2010
20120042374EFFICIENT CLASSIFICATION OF NETWORK PACKETS - Embodiments describe a system and/or method for efficient classification of network packets. According to an aspect a method includes describing a packet as a feature vector and mapping the feature vector to a feature space. The method can further include defining a feature prism, classifying the packet relative to the feature prism, and determining if the feature vector matches the feature prism. If the feature vector matches the feature prism the packet is passed to a data recipient, if not, the packet is blocked. Another embodiment is an apparatus that includes an identification component that defines at least one feature of a packet and a classification component that classifies the packet based at least in part upon the at least one defined feature.02-16-2012
20080320585METHOD AND SYSTEM TO MITIGATE LOW RATE DENIAL OF SERVICE (DoS) ATTACKS - A technique to mitigate low rate Denial-of-Service (DoS) attacks at routers in the Internet is described. In phase 1, necessary flow information from the packets traversing through the router is stored in fast memory; and in phase 2, stored flow information is periodically moved to slow memory from the fast memory for further analysis. The system detects a sudden increase in the traffic load of expired flows within a short period. In a network without low rate DoS attacks, the traffic load of all the expired flows is less than certain thresholds which are derived from real Internet traffic analysis. The system can also include a filtering solution to drop attack packets. The filtering scheme treats the long-lived flows in the Internet preferentially, and drops the attack traffic by monitoring the queue length if the queue length exceeds a threshold percent of the queue limit.12-25-2008
20090172803METHOD AND APPARATUS FOR INCREMENTALLY DEPLOYING INGRESS FILTERING ON THE INTERNET - Ingress filtering has been adopted by the IETF as a methodology for preventing denial of service congestive attacks that spoof the source address in packets that are addressed to host server victims. Unless universally adopted by all ISPs on the Internet, however, a packet's source address cannot be totally trusted to be its actual source address. To take advantage of the benefits of ingress filtering as it is gradually deployed by ISPs around the Internet, differentiated classes of service are used to transport packets whose source address can be trusted and packets whose source address cannot be trusted. A packet received by an access or edge router at an ISP that supports ingress filtering and that has a source address properly associated with the port on which it is received is forwarded in a privileged class of service, and is dropped otherwise. A packet received by an access or edge router at an ISP that does not support ingress filtering, and whose source address therefore cannot be trusted, is transported in an unprivileged class of service. At an intermediate exchange router within an intermediate ISP, where ISPs exchange packets, a packet received from an ISP that doesn't support ingress filtering is forwarded using the unprivileged class of service, while a packet received from an ISP that does support ingress filtering is forwarded using the same class of service in which it is already marked.07-02-2009
20090119769CROSS-SITE SCRIPTING FILTER - A reflected cross-site scripting (XSS) mitigation technique that can be implemented wholly on the client by installing a client-side filter that prevents reflected XSS vulnerabilities. XSS filtering performed entirely on the client-side enables web browsers to defend against XSS involving servers which may not have sufficient XSS mitigations in place. The technique accurately identifies XSS attacks using carefully selected heuristics and matching suspect portions of URLs and POST data with reflected page content. The technique used by the filter quickly identifies and passes through traffic which is deemed safe, keeping performance impact from the filter to a minimum. Non-HTML MIME types can be passed through quickly as well as requests which are same-site. For the remaining requests, regular expressions are not run across the full HTTP response unless XSS heuristics are matched in the HTTP request URL or POST data.05-07-2009
20120042375SYSTEM-ON-CHIP MALICIOUS CODE DETECTION APPARATUS AND APPLICATION-SPECIFIC INTEGRATED CIRCUIT FOR A MOBILE DEVICE - A system-on-chip (SoC) and application-specific integrated circuit (ASIC)-based apparatus for detecting malicious code in a portable terminal is provided. The apparatus includes an SoC comprising: a hardware-based firewall that packet-filters packets received from outside through a media access control unit according to the setting of a firewall setting unit in the SoC memory, and stores filtered packets in application memory or transfers filtered packets to an anti-malware engine; a hardware-based anti-malware engine that detects malicious code by performing a pattern-matching operation between a code pattern in a file transferred from the firewall, or a file received through an input/output (I/O) interface unit, and a pattern of malicious code registered in the malware signature database (DB) of the mobile device application unit; SoC memory that provides the firewall setting and supports a file decoding function for file format recognition by the anti-malware engine; and a hardware-based controller that controls the switching operation to transfer a file filtered by the firewall directly to application memory or to the anti-malware engine, and controls the malicious code detection cycle of the anti-malware engine.02-16-2012
20120047573METHODS AND APPARATUS FOR DETECTING INVALID IPV6 PACKETS - In one embodiment, a non-transitory processor-readable medium stores code representing instructions to cause a processor to determine (1) whether an IPv6 packet includes an extension header of an illegal type and (2) a quantity of extension headers present in the IPv6 packet that are of a preselected type. When the IPv6 packet includes the extension header of the illegal type, the code can send a first signal to block transmission of the IPv6 packet. When the quantity of extension headers that are of the preselected type is greater than a preselected quantity, the code can send a second signal to block transmission of the IPv6 packet.02-23-2012
20120047571SYSTEMS AND METHODS FOR DETECTING PRESELECTED QUERY TYPE WITHIN A DNS QUERY - In some embodiments, a non-transitory processor-readable medium storing code representing instructions to cause a processor to perform a process includes code to determine whether an IPv4 packet is associated with a Domain Name System (DNS) query based on an IPv4 header of the IPv4 packet. If the IPv4 packet is a DNS query packet, the non-transitory processor-readable medium includes code to determine whether the IPv4 packet has a preselected query type based on a payload of the IPv4 packet. If the IPv4 packet is a DNS query packet and has the preselected query type, the non-transitory processor-readable medium includes code to send a signal to block transmission of the IPv4 packet. In some embodiments, the preselected query type has a DNS record type value of 28.02-23-2012
20120005743INTERNAL NETWORK MANAGEMENT SYSTEM, INTERNAL NETWORK MANAGEMENT METHOD, AND PROGRAM - A relay apparatus log analysis apparatus 132 periodically receives log data from a relay apparatus 112. When detecting a traffic abnormality, an abnormality detection apparatus 131 notifies the relay apparatus log analysis apparatus 132 of the IP address of the terminal device that has caused the abnormality. The relay apparatus log analysis apparatus 132 analyzes traffic information generated by a router apparatus 121 to identify the time when the traffic abnormality occurred, then analyzes the log data, based on the occurrence time of the traffic abnormality and the IP address of the terminal device that has caused the abnormality, to identify an address accessed by the terminal device. It regards the identified address as the destination of the malware and sets the relay apparatus 112 so as to block packets to that address.01-05-2012
20120011584SYSTEM AND METHOD FOR ARP ANTI-SPOOFING SECURITY - A system and method that provides for copying ARP replies, and generating data packets which include the ARP reply and other information, such as an identification of the port on which the ARP reply was received. These data packets are then transmitted to an ARP collector which stores the ARP reply and port information. The ARP collector then uses this stored information, and analyzes future data packets relative to the stored information to detect occurrences of ARP spoofing. The ARP collector further provides for generating alerts and taking security actions when ARP reply spoofing is detected.01-12-2012
20120017270SYSTEMS, DEVICES, AND METHODS FOR PROVIDING MULTIPLE SERVICES TO PREMISES OVER COMMUNICATION NETWORKS - Methods, systems, and devices for providing one or more virtual networks for a plurality of services are disclosed. The device may include a secure access node coupled to a wide area communication network and a premises communication network. The secure access node may have a node software platform, one or more node processors, a node storage device, and one or more node communication interfaces. Further, the secure access node may receive a plurality of data packets through one of the one or more node communication interfaces. The node software platform may execute on one of the node processors and may include a node deep packet inspection engine, a node rules generation engine, a node rule check and notification generation engine, a node service segregation engine, a node communication software application, and a node service adapter software application.01-19-2012
20120023572Malicious Attack Response System and Associated Method - A system and method for detecting and identifying intruders in a computer network environment by providing a network traffic evaluation and simulation module at the interface between a protected network and an external traffic source. The evaluation and simulation module identifies suspected intruders by observing intrusion pattern behavior and then presents a simulated network to the intruder. The simulated network appears to offer the intruder valuable information and provides the intruder with the appearance of success in breaking down the layers of the simulated network, keeping the intruder engaged in the intrusion effort while information is gathered to trace and identify the source of the intrusion. Intrusion attempts are identified and categorized in an intrusion analysis module. The network traffic evaluation and simulated network may be provided as a self-contained physical module that does not require modification of existing network software.01-26-2012
20120110657APPARATUS AND METHOD FOR HOST-BASED NETWORK SEPARATION - The invention relates to an apparatus for host-based network separation, comprising: a network separation switch which, when a process is being executed on a host computer, checks whether the network allocated to the process is an internal network or an external network in accordance with the network access authority allocated to the process, and separates the process by IPs allocated to each network; and a packet processor which blocks the access of packet data when the packet data of the process separated by IPs by the network separation switch access a network other than the network to which the relevant IP is allocated.05-03-2012
20120110656SELECTIVE INVALIDATION OF PACKET FILTERING RESULTS - Example embodiments relate to selective invalidation of packet filtering cache results based on rule priority. In example embodiments, a network node determines whether a rule identifier included in a cache entry of a cache of results of a packet filtering rule set is of a higher priority than a highest priority rule corresponding to a rule set version identifier included in the cache entry. If so, the network node may apply an action included in the cache entry.05-03-2012
20120124661METHOD FOR DETECTING A WEB APPLICATION ATTACK - A method of detecting a web application attack is provided. The method includes the steps of: when packets forming HTTP traffic are received, a web application firewall recombining the HTTP traffic; analyzing the recombined HTTP traffic and determining whether or not the recombined HTTP traffic includes attack-relevant content; if the recombined HTTP traffic does not include the attack-relevant content, sending the recombined HTTP traffic to a web server or a user server and processing the recombined HTTP traffic normally; and if the recombined HTTP traffic includes the attack-relevant content, detecting the recombined HTTP traffic as an attack and reprocessing it.05-17-2012
20100095370SELECTIVE PACKET CAPTURING METHOD AND APPARATUS USING KERNEL PROBE - The present invention discloses a packet capturing method using a kernel probe, which is for capturing traffic generated only by a specific application. The packet capturing method using a kernel probe comprises the steps of: acquiring the 5-tuple information of a packet associated with the application to capture by intercepting a specific set of operating system networking kernel functions using a kernel probe which intercepts calls to the functions; capturing packets inputted and outputted through a network device; and identifying traffic generated by the application by comparing the 5-tuple information with 5-tuple information of the captured packets.04-15-2010
20110099622APPARATUS FOR DETECTING AND FILTERING APPLICATION LAYER DDOS ATTACK OF WEB SERVICE - Disclosed is a DDoS attack detection and response apparatus. The DDoS attack detection and response apparatus comprises: a receiver unit receiving HTTP requests from a client terminal which is characterized as an IP address; a data measuring unit computing the number of HTTP requests by IP and the number of URIs per HTTP over a certain time period; a DDoS discrimination unit comparing the number of HTTPs per URI with a threshold value and defining an access of the client terminal having the IP address as a DDoS attack when the number of HTTPs per URI is larger than the threshold value; and a blocking unit blocking packets from the IP address when the DDoS discrimination unit detects a DDoS attack.04-28-2011
20110099621Process for monitoring, filtering and caching internet connections - A one-box system and process for controlling Internet usage by users on a network. The system controls usage by combining two or more of the following functions into a single operating unit: 1) monitoring and logging internet access on a user and/or work station basis; 2) preventing or authorizing access on a user and/or work station basis to URL's (or groups of URL's) that have been previously designated as inappropriate or appropriate, respectively, for that user or work station; 3) preventing or authorizing the downloading of files with any pre-designated file extension to any user or workstation; 4) blocking of peer-to-peer access of any pre-designated Internet file-sharing or other service (such as Kazaa, RealPlayer, AOL Instant Messaging, etc); 5) periodically or immediately alerting a designated representative of the attempt by any user or work station to access a pre-determined inappropriate site or file; 6) allowing remote review of the Internet activity log for any user by anyone (such as a student's parents) with knowledge of that user's log-in information (i.e., name and password); and 7) caching downloaded Internet objects for subsequent in-network retrieval. The system and process of this invention can also be configured to perform the traditional firewall function as well.04-28-2011
20120131663TRANSMITTING KEEP-ALIVE PACKETS ON BEHALF OF A MOBILE COMMUNICATIONS DEVICE WITHIN A WIRELESS COMMUNICATIONS SYSTEM - In an embodiment, a mobile communications device (MCD) is positioned within an internal network that is separated from an external network by network address translation (NAT) and/or a firewall. The MCD establishes settings with the NAT and/or firewall by which the MCD can be contacted from the external network. The settings are configured to be disabled by the NAT and/or firewall after a threshold period of traffic inactivity. An application server receives information associated with the settings, and instructs an assisting application server (AAS) within the internal network to transmit keep-alive packets on behalf of the MCD so as to maintain the settings for the MCD. The AAS receives the instructions from the application server, and instructs an assisting wireless communications device (WCD) within the internal network to transmit keep-alive packets on behalf of the MCD. The WCD then transmits the keep-alive packets in accordance with the instructions.05-24-2012
20120131664METHOD AND APPARATUS FOR CONTENT AWARE OPTIMIZED TUNNELING IN A MOBILITY ENVIRONMENT - A method, computer readable medium and apparatus for performing content aware optimized tunneling in a communication network are disclosed. For example, the method authenticates a user endpoint device, establishes a tunnel to the user endpoint device if the user endpoint device is authenticated, analyzes content of a data packet transmitted through the tunnel to determine if the tunnel should be re-directed, and re-directs the tunnel to a gateway general packet radio services support node light based upon the content of the data packet.05-24-2012
20120216273SECURING A VIRTUAL ENVIRONMENT - Securing a virtual environment includes: in a host device, intercepting a packet addressed to a virtual machine implemented by the host device; redirecting the packet to a security device external to the host device through an egress tunnel; and delivering the packet to the virtual machine if the host device receives an indication from the security device that the packet is approved.08-23-2012
20120216275SCALABLE TRANSPARENT PROXY - A facility for proxying network traffic between a pair of nodes is described. The facility receives packets traveling between the pair of nodes that together constitute a distinguished network connection. For each packet of the connection that is part of a transport protocol setup process, the facility updates a representation of the status of the setup process to reflect the packet, and forwards the packet to its destination without proxying the packet. For each packet of the connection that is subsequent to the setup process, the facility proxies the contents of the packet to the packet's destination.08-23-2012
20120216274INFERENCING DATA TYPES OF MESSAGE COMPONENTS - A method of a device for filtering messages routing across a network includes extracting, by a filter configured on the device, a plurality of message components from messages received via a network. The plurality of message components is identified as having at least a field name in common, including a first field name. A learning engine configured on the device creates a list of data types for values of the first field name. The list includes one or more data types of a value of the first field name identified for each of the plurality of message components. The learning engine determines a most restrictive data type from the list of data types for the values of the first field name of the plurality of message components.08-23-2012
20090113540CONTROLLING NETWORK ACCESS - Systems and methods for controlling network access determine that a client computer on the network is in compliance with administrator-defined network health policy standards before the client computer is granted access to the network. A packet exchange mechanism is defined wherein filtering instructions from a server are converted into firewall rules on the client computer to restrict client access to remediation servers on the network. The client computer obtains update patches from the remediation servers to become compliant with network health policy standards.04-30-2009
20100175124METHODS AND APPARATUS FOR IMPLEMENTING A SEARCH TREE - Apparatus and methods are provided for implementing a firewall in a network infrastructure component. A method comprises generating a search tree for a plurality of rules. The search tree comprises a first node having a first field bounds and a first set of rules of the plurality of rules, and a plurality of child nodes for the first node. Each child node has child field bounds based on an intersection of the first field bounds and the first set of rules, and each child node is assigned a respective subset of the first set of rules based on the respective child field bounds. The method further comprises receiving a first packet, identifying a first child node of the plurality of child nodes based on values for one or more fields of the first packet, and applying the respective subset of rules assigned to the first child node to the first packet.07-08-2010
20100299742BIDIRECTIONAL GATEWAY WITH ENHANCED SECURITY LEVEL - A bidirectional gateway with enhanced security level between a high-security communication network and a low-security communication network. The return pathway from the low-security network to the high-security network comprises a low-speed link. The physical layer of the low-speed link differs from the physical layers involved in the high-security network and the low-security network. The low-speed link having a linking layer according to a protocol differing from the protocols used on the linking layers used on the high-security network and the low-security network. The linking layer of the low-speed link has an authentication protocol to guarantee the data's origin.11-25-2010
20100050248NETWORK SURVEILLANCE - A method of network surveillance includes receiving network packets handled by a network entity and building at least one long-term and at least one short-term statistical profile from a measure of the network packets that monitors data transfers, errors, or network connections. A comparison of the statistical profiles is used to determine whether the difference between the statistical profiles indicates suspicious network activity.02-25-2010
20100017869Inferencing Data Types Of Message Components - A method of a device for filtering messages routing across a network includes extracting, by a filter configured on the device, a plurality of message components from messages received via a network. The plurality of message components is identified as having at least a field name in common, including a first field name. A learning engine configured on the device creates a list of data types for values of the first field name. The list includes one or more data types of a value of the first field name identified for each of the plurality of message components. The learning engine determines a most restrictive data type from the list of data types for the values of the first field name of the plurality of message components.01-21-2010
20090019538DISTRIBUTED NETWORK SECURITY SYSTEM AND A HARDWARE PROCESSOR THEREFOR - An architecture provides capabilities to transport and process Internet Protocol (IP) packets from Layer 2 through the transport protocol layer and may also provide packet inspection through Layer 7. A set of engines may perform pass-through packet classification, policy processing and/or security processing, enabling packet streaming through the architecture at nearly the full line rate. A scheduler schedules packets to packet processors for processing. An internal memory or local session database cache stores a session information database. Session information that is not in the internal memory is stored in and retrieved from an additional memory. An application running on an initiator or target can register a region of memory, which is made available to its peer for access without substantial host intervention through RDMA data transfer. A security system is also disclosed that enables a new way of implementing security capabilities inside enterprise networks in a distributed manner.01-15-2009
20090019537SYSTEMS AND METHODS FOR INHIBITING ATTACKS WITH A NETWORK - Systems and methods for inhibiting attacks with a network are provided. In some embodiments, methods for inhibiting attacks by forwarding packets through a plurality of intermediate nodes when being transmitted from a source node to a destination node are provided, the methods comprising: receiving a packet at one of the plurality of intermediate nodes; determining at the selected intermediate node whether the packet has been sent to the correct one of the plurality of intermediate nodes based on a pseudo random function; and forwarding the packet to the destination node, based on the determining. In some embodiments an intermediate node is selected based on a pseudo random function. In some embodiments, systems and methods for establishing access to a multi-path network are provided.01-15-2009
20120266232METHOD AND SYSTEM FOR PROTECTING A COMPUTER SYSTEM DURING BOOT OPERATION - A method for protecting a computer system from malicious network traffic is provided using a driver which inspects network packets. A security profile comprising packet inspection rules is compiled and stored on the computer system. During the startup or boot operation of an operating system, the driver loads the compiled security profile and inspects network packets using the inspection rules.10-18-2012
20080301798Apparatus and Method for Secure Updating of a Vulnerable System over a Network - An apparatus interposed between a vulnerable system and a network for secure updating of the system includes an internal interface connected to the system; an external interface connected to the network; and one or more filter modules for filtering out specific incoming network packets to block possible network attacks. The filtering may comprise filtering out all incoming TCP SYN packets; filtering out all incoming TCP SYN packets and UDP packets; and/or only allowing packets pertinent to any outgoing connection initiated by the system.12-04-2008
20110131646APPARATUS AND METHOD FOR PREVENTING NETWORK ATTACKS, AND PACKET TRANSMISSION AND RECEPTION PROCESSING APPARATUS AND METHOD USING THE SAME - An apparatus for preventing network attacks includes: a packet buffer for storing packets received from a network; a filtering unit for filtering harmful packets based on a result of comparison between information of the received packets and preset filtering information to select a first filtering target packet; a SYN cookie handler for selecting a second filtering target packet using a SYN cookie if it is determined that there is a TCP SYN flooding attack based on the information of the received packets after said filtering; and a session manager for selecting a third filtering target packet through session management if there is a TCP flag flooding attack based on the information of the received packets after said filtering. A packet transmission and reception processing method and apparatus using the above are also provided.06-02-2011
20120266233Signal Transfer Point Front End Processor - In an SS7 network, each of a plurality of Signal Transfer Points is fronted by a front-end processor (STP-FEP) that has a network presence. The STP-FEP implements at least the MTP2 layer of the SS7 protocol stack and implements security rules at the MTP2 and MTP3 layers.10-18-2012
20120324568MOBILE WEB PROTECTION - On a mobile communications device, visiting a link from a messaging application or web browser may result in an undesired action, such as visiting a phishing site, downloading malware, causing unwanted charges, using too much battery, or the device being exploited. In an implementation, a mobile application intercepts a request including an identifier associated with an action to be performed by another application on the device and evaluates the identifier to determine when the request should be permitted, blocked, or conditionally permitted. The client may use local data or make a request to a server to evaluate the identifier. In an implementation, server communications are optimized to minimize latency by caching evaluation results on the device, proactively priming the device's DNS cache, optimizing when DNS lookups are performed, and adapting evaluation policy based on factors such as the source of the request, and the currently active network connection.12-20-2012
20120331543DETECTION OF ROGUE CLIENT-AGNOSTIC NAT DEVICE TUNNELS - Provided are techniques for the prevention of certain types of attacks on computing systems. The current disclosure, which describes one particular type of attack, is directed to the detection and prevention of an attack rather than the mechanics of the particular described attack. The claimed subject matter both detects and prevents an attack without exposing a network to denial-of-service (DoS) attacks by being too restrictive.12-27-2012
20120331542PREVENTING NEIGHBOR-DISCOVERY BASED DENIAL OF SERVICE ATTACKS - A method is provided for preventing denial-of-service attacks on hosts attached to a subnet, where the attacks are initiated by a remote node over an external network. The method is performed by a router which forwards packets between the external network and the subnet. The router receives a packet for forwarding to a destination address in an address space of the subnet according to the IPv6 protocol and looks up the destination address in a Neighbor Discovery (ND) table. The ND table is populated by operations on the subnet that were completed prior to receipt of the packet. Entries in the ND table store address information of the hosts that have been verified by the router to be active. The router forwards the packet to the destination address if the destination address is stored in the ND table. Otherwise, the packet is discarded.12-27-2012
20120331544DETECTION OF ROGUE CLIENT-AGNOSTIC NAT DEVICE TUNNELS - Provided are techniques for the prevention of certain types of attacks on computing systems. The current disclosure, which describes one particular type of attack, is directed to the detection and prevention of an attack rather than the mechanics of the particular described attack. The claimed subject matter both detects and prevents an attack without exposing a network to denial-of-service (DoS) attacks by being too restrictive.12-27-2012
20120102563METHOD AND APPARATUS FOR CONTROLLING LOADS OF A PACKET INSPECTION APPARATUS - The present invention periodically monitors the amount of packets flowing into a packet inspection apparatus, i.e., a load level, and compares the load level with a predetermined upper or lower limit value. Accordingly, the present invention blocks some of the packets or passes along some of the packets through the packet inspection apparatus when the load level exceeds a certain level, and thus the load controlling method and apparatus guarantees continuous operation of the packet inspection apparatus even in an overloaded state. In addition, the load controlling method and apparatus according to the present invention effectively selects packets to be blocked or passed without departing from the original functions of the packet inspection apparatus. The load controlling method and apparatus is configured simply so as not to additionally induce a load in the process of selection, and the load controlling apparatus selectively operates only in an overloaded state.04-26-2012
20100132030INTELLIGENT INTEGRATED NETWORK SECURITY DEVICE - Methods, computer program products and apparatus for processing data packets are described. Methods include receiving the data packet, examining the data packet, determining a single flow record associated with the packet and extracting flow instructions for two or more devices from the single flow record.05-27-2010
20120151572ARCHITECTURE FOR NETWORK MANAGEMENT IN A MULTI-SERVICE NETWORK - A mechanism is provided for a non-converged network for a service provider. A core network is divided into individually managed domains, where each of the domains comprises multiprotocol label switching for packets. A management system is coupled to each of the domains. Network elements in each of the domains are restricted from directly transferring packets to network elements in another one of the domains. Each of the domains has a domain firewall at the edge of the domain, and the domain firewall restricts packets from being received from other domains. To transfer packets from one domain to another domain, the management system receives the packets from one domain and transfers the packets to the other domain after authentication.06-14-2012
20130019302SYSTEM AND METHOD FOR SUPPORTING SUBNET MANAGEMENT PACKET (SMP) FIREWALL RESTRICTIONS IN A MIDDLEWARE MACHINE ENVIRONMENT - A system and method can provide subnet management packet (SMP) firewall restrictions in a middleware machine environment. A secure firmware implementation can be provided on a host channel adaptor (HCA), wherein the HCA is associated with a host in the middleware machine environment. The secure firmware implementation operates to receive at least one SMP from the host or destined to the host, and prevent the host from sending or receiving the at least one SMP. Furthermore, the secure firmware implementation can include a proxy function that can communicate with external management components on behalf of the host.01-17-2013
20130019303SYSTEM AND METHOD FOR PROVIDING SWITCH BASED SUBNET MANAGEMENT PACKET (SMP) TRAFFIC PROTECTION IN A MIDDLEWARE MACHINE ENVIRONMENT - A system and method can provide switch based subnet management packet (SMP) traffic protection in a middleware machine environment. The middleware machine environment includes a network switch that operates to receive at least one SMP destined for a subnet management agent (SMA). The network switch can check whether the at least one SMP includes a correct management key, and prevent the at least one SMP from being forwarded to the destined SMA when at least one SMP does not include the correct management key. Furthermore, the network switch can specify a different management key for each external port and can enforce separate restrictions on ingress and egress SMP traffic at a particular external port.01-17-2013
20110162061PORT-BASED PACKET FILTER - A method, apparatus, and program product for reducing unwanted host wake-up messages. A host computer finds a port in use by a host application, selects program information based on the port in use by the application, and sends the program information to a port filter. The port filter receives a packet that contains a port identifier. The port-filter uses the program information to decide whether there is a host application associated with the port identifier and sends a wake-up message to the host computer only when there is an associated host application.06-30-2011
20110162060WIRELESS LOCAL AREA NETWORK INFRASTRUCTURE DEVICES HAVING IMPROVED FIREWALL FEATURES - Methods and systems are provided for improving a firewall implemented at a WLAN infrastructure device (WID). The WID includes a stateful firewall that implements firewall rules based on an ESSID of the WID to specify whether traffic is allowed to or from the ESSID. For example, in one implementation of such a firewall rule, packets that are required to be sent out on all wired ports can be blocked from being flooded out on WLANs (e.g., the packet is allowed to pass only to the wired ports). A method and system are provided for preventing a malicious wireless client device (WCD) that is transmitting undesirable traffic from using RF resources by deauthenticating the malicious WCD to remove it from the WLAN and blacklisting it to prevent it from rejoining the WLAN for a time period. Methods and systems are also provided for communicating state information regarding an existing firewall session either “on-demand” and/or predictively.06-30-2011
20080250491METHOD OF TRANSMITTING INFORMATION EFFECTIVELY IN SERVER/CLIENT NETWORK AND SERVER AND CLIENT APPARATUSES USING THE SAME - A method for transmitting information effectively in a server/client network system is provided, the network system including a client placed behind a firewall and a server that provides the client with a predetermined service. The method includes the client generating a hole packet which is for making a hole in the firewall to allow a packet to pass through the firewall from the server, the hole being maintained for a certain period of time, and transmitting the hole packet to the firewall; and transmitting a packet from the server to the client through the hole made by the hole packet.10-09-2008
20080235785Method, Apparatus, and Computer Program Product for Routing Packets Utilizing a Unique Identifier, Included within a Standard Address, that Identifies the Destination Host Computer System - A computer-implemented method, apparatus, and computer program product are disclosed in a data processing environment that includes host computer systems that are coupled to adapters utilizing a switched fabric for routing packets between the host computer systems and the adapters. A unique destination identifier is assigned to one of the host computer systems. A portion of a standard format packet destination address is selected. Within a particular packet, the portion is set equal to the unique identifier that is assigned to the host computer system. The particular packet is then routed through the fabric to the host computer system using the unique destination identifier.09-25-2008
20120254980Switching hub, a system, a method of the switching hub and a program thereof - A switching hub, system and method for restricting a communication between terminals within a second network isolated from a first network. The terminals are connected to the first network or the second network, wherein a terminal with a sufficient security level is connected to the first network and a terminal with an insufficient security level is connected to the second network. A communication between the terminals within the second network is restricted.10-04-2012
20120254979UNATTACKABLE HARDWARE INTERNET PACKET PROCESSING DEVICE FOR NETWORK SECURITY - A hardware internet packet processing device for network security constructed in such a manner that packet data is processed by hardware without a receiving memory or MCU, and interruption of internet packets for network security is implemented by hardware construction.10-04-2012
20130139246TRANSPARENT BRIDGE DEVICE - The device provides protection for VoIP or like time-sensitive traffic. Packets arriving at a network interface in the data link layer are inspected to identify signaling packets, which are then queued for further analysis. The signaling packets are analyzed for compliance with adaptive criteria to determine whether the packets are considered safe to pass to a user, and the signaling packets failing to meet the adaptive criteria are rejected. The adaptive criteria are updated based on historical data pertaining to the signaling packets from the same source address for the same user account.05-30-2013
20130139245System and Method for Incorporating Quality-of-Service and Reputation in an Intrusion Detection and Prevention System - An intrusion prevention system includes a processor, processing engines, buffers that are each associated with a different range of reputation scores, and a storage device having a database and an application. The processor executes the application to determine that a firewall has admitted a packet, determine a reputation score for the packet from the database, provide the packet to a buffer that has a reputation score range that includes the reputation score of the packet, provide the packet from the buffer to a processing engine, process the packet in the processing engine to determine if the packet includes an exploit, and forward the packet to the protected network if the first packet does not include the exploit.05-30-2013
20130097691INFORMATION PROCESSING APPARATUS COMMUNICATING WITH EXTERNAL DEVICE VIA NETWORK, AND INFORMATION PROCESSING METHOD THEREOF - An object of the present invention is to more appropriately filter a packet from an external device. This object is achieved by: obtaining address information of the external device from the packet; judging whether or not the address information of the external device has been registered as filter information; extracting, when it is judged that the address information has not been registered, device discrimination information of the external device from the address information of the external device; judging whether or not address information having the same device discrimination information as the extracted device discrimination information has been registered as the filter information; and registering, when it is judged that the address information having the same device discrimination information has been registered, the address information of the external device as the filter information.04-18-2013
20130125230FIREWALLS IN LOGICAL NETWORKS - Some embodiments provide a method for configuring a logical firewall in a hosting system that includes a set of nodes. The logical firewall is part of a logical network that includes a set of logical forwarding elements. The method receives a configuration for the firewall that specifies packet processing rules for the firewall. The method identifies several of the nodes on which to implement the logical forwarding elements. The method distributes the firewall configuration for implementation on the identified nodes. At a node, the firewall of some embodiments receives a packet, from a managed switching element within the node, through a software port between the managed switching element and the distributed firewall application. The firewall determines whether to allow the packet based on the received configuration. When the packet is allowed, the firewall sends the packet back to the managed switching element through the software port.05-16-2013
20130133060COMMUNICATION SYSTEM, CONTROL DEVICE AND CONTROL PROGRAM - In a communication system in which a terminal 05-23-2013
20110219444DYNAMICALLY ADAPTIVE NETWORK FIREWALLS AND METHOD, SYSTEM AND COMPUTER PROGRAM PRODUCT IMPLEMENTING SAME - A system, method, and computer program product for controlling data through a firewall which may be dynamically configurable. The method may comprise defining at least one node, wherein the at least one node is associated with two or more network interfaces; associating a set of firewall rules with the at least one node; receiving a packet at a first node of the at least one node; and accepting or denying the packet based on the set of firewall rules. The firewall rules include dynamic chains of rules having defined places where firewall rules may be dynamically inserted into or deleted from the firewall while the firewall is operating on one or more machines connected to network segments where the nodes reside.09-08-2011
20080201772Method and Apparatus for Deep Packet Inspection for Network Intrusion Detection - In a method of determining whether a data stream includes unauthorized data, the data stream is analyzed using a hardware filter to detect a presence of one or more of a first set of patterns in the data stream. It is determined whether a packet in the data stream belongs to one of a plurality of data flows to be further inspected based on the analysis of the data stream by the hardware filter. A set of rules is applied to the packet to produce rule match status data if it is determined that the packet belongs to one of the plurality of data flows to be further inspected. The packet is analyzed to determine if the packet includes unauthorized data using software stored on a computer-readable medium and implemented on a processor if the rule match status data indicates that the packet potentially includes unauthorized data.08-21-2008
20130152189AUTHENTICATION METHOD AND APPARATUS FOR DETECTING AND PREVENTING SOURCE ADDRESS SPOOFING PACKETS - An authentication apparatus for detecting and preventing a source address spoofing packet, includes a packet reception unit configured to receive a packet from a previous node or a user host; a self-assurance type ID generation unit configured to generate a self-assurance type ID of a source node of the received packet; and a self-assurance type ID verification unit configured to determine whether the source address of the received packet has been spoofed. Further, the authentication apparatus includes a white list storage unit configured to store a reliable source node; a black list storage unit configured to store an unreliable source node; and a packet transmission unit configured to transmit the packet whose source has been verified through the self-assurance type ID verification unit to a next network node.06-13-2013
20130152190Software Firewall Control - A software firewall that may be configured using rules specified for types of network interfaces rather than individual network interfaces. The network types may be specified with type identifiers that have a readily understandable meaning to a user, facilitating ease of configuring the firewall. The network types could include, for example, wired, wireless and remote access. A rule specified based on a network type can be implemented for network interfaces of that network type. The implementation may be performed automatically and may be updated based on network location awareness information.06-13-2013
20120030750System and Method for Network Level Protection Against Malicious Software - A method in one example implementation includes receiving information related to a network access attempt on a first computing device with the information identifying a software program file associated with the network access attempt. The method also includes evaluating a first criterion to determine whether network traffic associated with the software program file is permitted and then creating a restriction rule to block the network traffic if the network traffic is not permitted. The first criterion includes a trust status of the software program file. In specific embodiments, the method includes pushing the restriction rule to a network protection device that intercepts the network traffic associated with the software program file and applies the restriction rule to the network traffic. In more specific embodiments, the method includes searching a whitelist identifying trustworthy software program files to determine the trust status of the software program file.02-02-2012
20120047572DECAPSULATION OF DATA PACKET TUNNELS TO PROCESS ENCAPSULATED IPV4 OR IPV6 PACKETS - In one embodiment, a non-transitory processor-readable medium stores code representing instructions to cause a processor to determine whether an IPv4 payload of an IPv4 packet includes a tunneled IPv6 packet. When the IPv4 payload includes the tunneled IPv6 packet, the code can determine a location of a payload of the tunneled IPv6 packet based at least in part on a header of the tunneled IPv6 packet, and send a signal to block transmission of the IPv4 packet when the payload of the tunneled IPv6 packet is not a valid IPv6 payload.02-23-2012
20130205384Secure System for Interconnection Between Two Public Networks - A secure interconnection system between two public networks comprises at least one first router, a first firewall, a second router, a second firewall and a blade server, and a first virtual local area network containing the data streams exchanged between a first communications facility and a second communications facility, a second virtual local area network containing the management and maintenance streams of said system which are exchanged between a supervision centre and the blade server, and a third virtual local area network containing the authentication streams for said first communications facility which are exchanged between said second firewall and said blade server, said virtual local area networks being designed so as to exhibit an empty intersection.08-08-2013
20130212670Intelligent PHY with security detection for ethernet networks - A physical layer device includes memory, a memory control module, and a physical layer module. The memory control module is configured to control access to the memory. The physical layer module is configured to store packets in the memory via the memory control module. The physical layer module includes an interface configured to receive the packets from a network device via a network and an interface bus. The interface bus includes at least one of a control module and a regular expression module. The at least one of the control module and the regular expression module is configured to inspect the packets to determine a security level of the packets. A network interface is configured to, based on the security level, provide the packets to a device separate from the physical layer device.08-15-2013