An engine architecture for processing finite automata includes a hyper non-deterministic automata (HNA) processor specialized for non-deterministic finite automata (NFA) processing. The HNA processor includes a plurality of super-clusters and an HNA scheduler. Each super-cluster includes a plurality of clusters. Each cluster of the plurality of clusters includes a plurality of HNA processing units (HPUs). A corresponding plurality of HPUs of a corresponding plurality of clusters of at least one selected super-cluster is available as a resource pool of HPUs to the HNA scheduler for assignment of at least one HNA instruction to enable acceleration of a match of at least one regular expression pattern in an input stream received from a network.

Management of IoT devices through a private cloud. An IoT device is coupled to a gateway. A request from the IoT device to connect to a private cloud, wherein the private cloud is used to manage IoT devices, is received at a private cloud control center agent. An identification of the IoT device is determined. The IoT device is onboarded, using the identification, for management through the private cloud. A device profile of the IoT device is generated. The flow of data to and from the IoT device is regulated through application of IoT rules of an IoT firewall according to the device profile of the IoT device.

A high speed intelligent network recorder for recording a plurality of flows of network data packets into and out of a computer network over a relevant data time window is disclosed. The high speed intelligent network recorder includes a printed circuit board; a high speed network switching device mounted to the printed circuit board; and an X column by Y row array of a plurality of intelligent hard drives with micro-computers mounted to the printed circuit board and coupled in parallel with the high speed network switching device.

A method for network recording is disclosed. In one embodiment, the method includes the following: receiving a plurality of incoming packets, wherein each incoming packet belongs to a conversation flow; forming a capture stream of packet records for the incoming packets; and performing intelligent load balancing on the capture stream of packet records, the load balancing including reading the metadata for each packet record, determining a packet record is part of either a hot flow or a cold flow, selecting a destination node for each packet record based on the flow hash, and steering the packet record to one of a plurality of encapsulation buffers based on the destination node, wherein a cold flow tends to be maintained in a flow coherency at a node. The method may further include operations that include querying and back-testing in order to enable distributed analytics by using low cost, low band width nodes.

A computer security architecture applies selected rules from among a set of rules defining one or more security policies to a given set of security context parameters to produce security verdicts, each representing whether a certain action requested by a subject entity is permissible. Each security policy is associated with a corresponding communication interface. A plurality of gateway engines are each associated with at least one of the subject entities and dedicated to interfacing with the security server. Each of the gateway engines carries out monitoring of requested actions by the associated subject entity and, for each requested action, identifies a security context. A security policy is determined for the requested action based on a corresponding security context, and a security verdict is obtained via a communication interface corresponding to the applicable security policy.

A system including a guest virtual machine with one or more virtual machine measurement points configured to collect virtual machine operating characteristics metadata and a hypervisor control point configured to receive virtual machine operating characteristics metadata from the virtual machine measurement points. The hypervisor control point is further configured to send the virtual machine operating characteristics metadata to a hypervisor associated with the guest virtual machine. The system further includes the hypervisor configured to receive the virtual machine operating characteristics metadata and to forward the virtual machine operating characteristics metadata to a hypervisor device driver in a virtual vault machine. The system further includes the virtual vault machine configured to determine a classification for the guest virtual machine based on the virtual machine operating characteristics metadata and to send the determined classification to a vault management console.

A cloud storage server-based approach allows detection of ransomware activity in cloud storage systems caused by ransomware infections on an endpoint device. A heuristic or rule-based technique is employed for recognizing sequences of file operations that may indicate ransomware activity. In some embodiments, users may be offered an opportunity to approve or disapprove of the possible ransomware activity. In others, cloud system file activity may be suspended or halted for the affected user upon recognition of possible ransomware actions. Enhanced recovery of files affected prior to recognition of the ransomware activity may be performed in some embodiments.

Examples relate to model-based computer attack analytics orchestration. In one example, a computing device may: generate, using an attack model that specifies behavior of a particular attack on a computing system, a hypothesis for the particular attack, the hypothesis specifying, for a particular state of the particular attack, at least one attack action; identify, using the hypothesis, at least one analytics function for determining whether the at least one attack action specified by the hypothesis occurred on the computing system; provide an analytics device with instructions to execute the at least one analytics function on the computing system; receive analytics results from the analytics device; and update a state of the attack model based on the analytics results.

A signature matching hardware accelerator system comprising one or more hardware accelerator circuits, wherein each of the hardware accelerator circuit utilizes a compressed deterministic finite automata (DFA) comprising a state table representing a database of digital signatures defined by a plurality of states and a plurality of characters, wherein the plurality of states are divided into groups, each group comprising a leader state having a plurality of leader state transitions and one or more member states, each having a plurality of member state transitions is disclosed. The hardware accelerator circuit comprises a memory circuit configured to store the leader state transitions within each group of the compressed DFA, only the member state transitions that are different from the leader state transitions for a respective character within each group of the compressed DFA and a plurality of member transition bitmasks associated respectively with the plurality of member state transitions.

A computer-implemented method, computerized apparatus and computer program product for monitoring traffic in a computer network. The computer network comprises a plurality of devices configured to apply a transformation function on a target port identifier of a requested transmission by an application program executing thereon and direct the transmission to a different target port per the scrambled identifier thereby obtained. The transformation function depends on at least one parameter shared among the plurality of devices and applying thereof is conditioned on the application program requesting transmission being listed in a list of authorized application programs. Attempts to access invalid ports as defined by the transformation function are identified and an action for mitigating a security threat ascribed thereto is provided.

A signature matching hardware accelerator system comprising one or more hardware accelerator circuits, wherein each of the hardware accelerator circuit utilizes a compressed deterministic finite automata (DFA) comprising a state table representing a database of digital signatures defined by a plurality of states and a plurality of characters, wherein the plurality of states are divided into groups, each group comprising a leader state having a plurality of leader state transitions and one or more member states, each having a plurality of member state transitions is disclosed. The hardware accelerator circuit comprises a memory circuit configured to store a single occurrence of a most repeated leader state transition within each group, the unique leader state transitions comprising the leader state transitions that are different from the most repeated leader state transition within the respective group; and leader transition bitmasks associated respectively with the leader states within each group.