Patent classifications
H04L63/0227
ON-PREMISES AGENT FOR MOBILE CLOUD SERVICE
Systems, devices, and methods are disclosed for an agent device within a company's network firewall to initiate an HTTP connection with a cloud-based gateway and then upgrade the connection to a WebSockets protocol in order to have an interactive session. Over this interactive session, a mobile device, which connects to the cloud-based intermediary, can request data from servers inside the company's firewalls. Because the firewall is traversed using HTTP protocols (with WebSockets), it can be as safe as letting employees browse the web from inside the company's network.
DHCP AGENT ASSISTED ROUTING AND ACCESS CONTROL
Systems and methods for increasing layer 2 visibility of layer 3 network devices so as to facilitate implementation of device-oriented policy actions by layer 3 network devices are provided. According to one embodiment, unique physical addresses of one or more host devices are retrieved by a dynamic host configuration protocol (DHCP) agent that is operatively coupled with a DHCP server. The physical addresses are mapped to corresponding Internet Protocol (IP) addresses assigned by the DHCP server to the one or more host devices. The mapping is relayed directly or indirectly to a network security device. Network traffic management/security policies are defined within the network security device corresponding to at least one of the unique physical addresses.
Extracting Malicious Instructions on a Virtual Machine in a Network Environment
A system including a guest virtual machine with one or more virtual machine measurement points configured to collect virtual machine operating characteristics metadata and a hypervisor control point configured to receive virtual machine operating characteristics metadata from the virtual machine measurement points. The hypervisor control point is further configured to send the virtual machine operating characteristics metadata to a hypervisor associated with the guest virtual machine. The system further includes the hypervisor configured to receive the virtual machine operating characteristics metadata and to forward the virtual machine operating characteristics metadata to a hypervisor device driver in a virtual vault machine. The system further includes the virtual vault machine configured to determine a classification for the guest virtual machine based on the virtual machine operating characteristics metadata and to send the determined classification to a vault management console.
CONVERSION OF AIRCRAFT DATA OVER WIRELESS NETWORKS FOR FLIGHT DECK AND CABIN AIRLINE APPLICATIONS
An in-flight entertainment and communications (IFEC) system is configured to interconnect an avionics data bus to a local area network. An avionics interface is connectable to the avionics data bus, and receptive to avionics data transmitted on the avionics data bus by one or more avionics nodes over a predetermined protocol. A local network interface establishes the local area network, and portable electronic devices may be connectable to the local network interface over the local area network to establish a data communications link thereon. A data processor is connected to the avionics interface and the local network interface, and relays the avionics data from the avionics interface to the local network interface for transmission to the one or more portable electronic devices. This transmission is according to the predetermined protocol over the data communications link established on the local area network.
CONTEXT-AWARE PATTERN MATCHING ACCELERATOR
Methods and systems for improving accuracy, speed, and efficiency of context-aware pattern matching are provided. According to one embodiment, a packet stream is received by a first stage of a hardware accelerator of a network device. A pre-matching process is performed by the first stage to identify a candidate packet that matches a string or overflow pattern associated with access control (e.g., IPS or ADC) rules. A candidate rule is identified based on a correlation of results of the pre-matching process. The candidate packet is tokenized to produce matching tokens and corresponding locations. A full-match process is performed on the candidate packet by a second stage of the hardware accelerator to determine whether it satisfies the candidate rule by performing one or more of (i) context-aware pattern matching, (ii) context-aware string matching, and (iii) regular expression matching based on contextual information, the matching tokens, and the corresponding locations.
Network routing and security within a mobile radio network
In an example embodiment, a PICNEEC is provided. It includes one or more Virtual Customized Rules Enforcer (VCRE) instances, each VCRE instance corresponding to a group of mobile devices and defining a set of policies personalized for the group of mobile devices. Each VCRE is configured to, upon receiving a data packet communicated between a packet-based network and a mobile device in the corresponding group via a radio network, apply one or more policy rules stored in the VCRE instance to the data packet prior to forwarding the data packet. Each VCRE instance is controlled independently of the others, through direct access to that VCRE instance by a different customer of the mobile network provider.
TIME-BASED NETWORK AUTHENTICATION CHALLENGES
Techniques for time-based network authentication challenges are disclosed. In some embodiments, a system, process, and/or computer program product for time-based network authentication challenges includes monitoring a session at a firewall to identify a user associated with the session, generating a timestamp for an authentication factor associated with the user after the user successfully authenticates for access to a resource based on an authentication profile, intercepting another request from the user for access to the resource at the firewall, and determining whether the timestamp for the authentication factor is expired based on the authentication profile.
Security cluster for performing security check
Some embodiments of the invention provide a method for a first security controller that performs security operations on the packets that are transmitted within a network. The method of some embodiments receives a packet from a forwarding element in the network based on a decision made by a security agent that operates along with the forwarding element. When the first security controller stores a security rule for the packet, the method processes the packet according to the stored security rule. When the first security controller does not store a security rule for the packet, the method (i) determines that a second security controller stores a security rule for the packet based on a set of header values of the packet, and (ii) sends the packet to the second security controller for security processing according to the security rule for the packet stored on the second security controller.
Dark web monitoring, analysis and alert system and method
A dark web monitoring, analysis and alert system comprising a data receiving module configured to receive structured data collected from the dark web; a Structured Data Database (SDD) connected with the data receiving module, the SDD configured to store the structured data; a Text Search and Analytic Engine (TSAE) connected with the SDD, the TSAE configured to enable advanced search and basic analysis of the structured data; a Knowledge Deduction Service (KDS) connected with the TSAE, the KDS configured to deeply analyze the collected data, where the deep analysis comprises extracting insights regarding dark web surfers' behavioral patterns and interactions; a Structured Knowledge Database (SKD) connected with the KDS, the SKD configured to store the deep analysis results; and an Alert Service connected with the TSAE and the SKD, the Alert Service configured to provide prioritized alerts based on the deep analysis.
Communications methods and apparatus for dynamic detection and/or mitigation of threats and/or anomalies
The present invention relates to methods and apparatus for dynamically detecting and/or mitigating threats in communications systems. Exemplary methods and apparatus of the present invention allow for a combination of automated and operator controlled responses to threats. While an operator is provided an opportunity to provide input on how to respond to a threat, after one or more threats of a given type are identified, the system will automatically take corrective action without waiting for operator input and/or in the absence of operator input following notification of a threat.