Systems, methods, and computer-readable media for annotating process and user information for network flows. In some embodiments, a capturing agent, executing on a first device in a network, can monitor a network flow associated with the first device. The first device can be, for example, a virtual machine, a hypervisor, a server, or a network device. Next, the capturing agent can generate a control flow based on the network flow. The control flow may include metadata that describes the network flow. The capturing agent can then determine which process executing on the first device is associated with the network flow and label the control flow with this information. Finally, the capturing agent can transmit the labeled control flow to a second device, such as a collector, in the network.

The present invention provides apparatuses, methods, computer programs, computer program products and computer-readable media regarding SDN security. The method comprises checking whether messages in the user plane comply to a preconfigured rule, and if it is determined that the messages comply to the preconfigured rule, checking whether a number of specific signaling messages related to address allocation that are sent to a controller has reached a predetermined threshold, and if the predetermined threshold has been reached, throttling transmission of the specific signaling messages to the controller.

Systems, methods, and computer-readable media for updating configurations in sensors deployed in multi-layer virtualized environments. In some examples, a system can track information of sensors and collectors in the network. In response to determining that a specific collector becomes unavailable (e.g., the specific collector is down, offline or becomes unsupported), the system can determine affected sensors corresponding to the specific collector, determine a new collector among active collectors of the network for each of the affected sensors, and dynamically update configuration and settings of the affected sensors to maintain proper collector-to-sensor mappings and other settings on the affected sensors.

Systems, methods, and computer-readable media for updating configurations in sensors deployed in multi-layer virtualized environments. In some examples, a system can track information of sensors and collectors in the network. In response to determining that a specific collector becomes unavailable (e.g., the specific collector is down, offline or becomes unsupported), the system can determine affected sensors corresponding to the specific collector, determine a new collector among active collectors of the network for each of the affected sensors, and dynamically update configuration and settings of the affected sensors to maintain proper collector-to-sensor mappings and other settings on the affected sensors.

Systems, methods, and computer-readable media are provided for determining a packet's round trip time (RTT) in a network. A system can receive information of a packet sent by a component of the network and further determine an expected acknowledgement (ACK) sequence number associated with the packet based upon received information of the packet. The system can receive information of a subsequent packet received by the component and determine an ACK sequence number and a receiving time of the subsequent packet. In response to determining that the ACK sequence number of the subsequent TCP packet matches the expected ACK sequence number, the system can determine a round trip time (RTT) of the packet based upon the received information of the packet and the received information of the subsequent packet.

Methods, systems, and devices for server-initiated secure sessions are described. A browser application may connect to a portal, where the portal may transmit a command to a server agent to initiate a secure session with an endpoint device. The server agent may be housed in a destination server, and may establish a secure connection with an intermediary server using a secure communication protocol. The secure connection may be made by directing the destination server to open an out-bound connection through a firewall of the destination server. A browser session may be redirected to the intermediary server from the browser application, and the intermediary server may route the browser session traffic to the secure connection.

A cloud-based firewall system and service is provided to protect customer sites from attacks, leakage of confidential information, and other security threats. In various embodiments, such a firewall system and service can be implemented in conjunction with a content delivery network (CDN) having a plurality of distributed content servers. The CDN servers receive requests for content identified by the customer for delivery via the CDN. The CDN servers include firewalls that examine those requests and take action against security threats, so as to prevent them from reaching the customer site. The CDN provider implements the firewall system as a managed firewall service, with the operation of the firewalls for given customer content being defined by that customer, independently of other customers. In some embodiments, a customer may define different firewall configurations for different categories of that customer's content identified for delivery via the CDN.

According to one embodiment, a web application layer attack detector (AD) is coupled between an HTTP client and a web application server. Responsive to receipt of a set of packets from the HTTP client carrying a web application layer message that violates a condition of a security rule, the AD transmits an alert package to an automatic attribute value generation and rule feedback module (AVGRFM). The AVGRFM uses the alert package, and optionally other alert packages from the same AD or other ADs, to automatically generate a new set of attribute values for each of a set of attribute identifiers for use, by the AD or other ADs, in a different security rule than the violated security rule. The new set of attribute values may be used in an attack specific rule to detect a previously unknown web application layer attack.

Systems, methods, and computer-readable media are provided for determining a packet's round trip time (RTT) in a network. A system can receive information of a packet sent by a component of the network and further determine an expected acknowledgement (ACK) sequence number associated with the packet based upon received information of the packet. The system can receive information of a subsequent packet received by the component and determine an ACK sequence number and a receiving time of the subsequent packet. In response to determining that the ACK sequence number of the subsequent TCP packet matches the expected ACK sequence number, the system can determine a round trip time (RTT) of the packet based upon the received information of the packet and the received information of the subsequent packet.

A method provides for receiving network traffic from a host having a host IP address and operating in a data center, and analyzing a malware tracker for IP addresses of hosts having been infected by a malware to yield an analysis. When the analysis indicates that the host IP address has been used to communicate with an external host infected by the malware to yield an indication, the method includes assigning a reputation score, based on the indication, to the host. The method can further include applying a conditional policy associated with using the host based on the reputation score. The reputation score can include a reduced reputation score from a previous reputation score for the host.