H04L63/0245

Overlay network encapsulation to forward data message flows through multiple public cloud datacenters

Some embodiments establish for an entity a virtual network over several public clouds of several public cloud providers and/or in several regions. In some embodiments, the virtual network is an overlay network that spans several public clouds to interconnect one or more private networks (e.g., networks within branches, divisions, or departments of the entity, or their associated datacenters), mobile users, SaaS (Software as a Service) provider machines, and other web applications of the entity. The virtual network in some embodiments can be configured to optimize the routing of the entity's data messages to their destinations for the best end-to-end performance, reliability and security, while minimizing the routing of this traffic through the public Internet. Also, the virtual network in some embodiments can be configured to optimize the layer 4 processing of the data message flows passing through the network.

Firewall service insertion across secure fabric preserving security group tags end to end with dual homed firewall

Systems, methods, and computer-readable media for preserving source host context when firewall policies are applied to traffic in an enterprise network fabric. A data packet to a destination host from a source host can be received at a first border node instance in an enterprise network fabric as part of network traffic. The data packet can include a context associated with the source host. Further, the data packet can be sent to a firewall of the enterprise network fabric and can be received at a second border node instance after the firewall applies a firewall policy to the data packet. The data packet can then be selectively encapsulated with the context associated with the source host at the second border node instance for applying one or more policies to control transmission of the network traffic through the enterprise network fabric.

Identity-based messaging security
11595353 · 2023-02-28

A system comprising email processing circuitry, web server circuitry, third-party interface circuitry, and a database, wherein the database stores information about a plurality of users. The system receives, via a network, a first email message and generates a modified first email message by insertion of a link to remotely-hosted content in the received email message. The system transmits, via a network interface, the modified first email message. The system receives, via a network, a request for the remotely-hosted content, and updates the database based on information contained in the request for the remotely-hosted content. The system receives, via a network, information about activity on a third-party system, and updates the database based on the information about activity on the third-party system. The system receives a second email message, determines an action to take on the second email message based on information in the database, and takes the action.
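The link-insertion and feedback loop described above, as an added example that is not the patent's or any vendor's code: each link in a received message is rewritten to point at a remotely-hosted redirector with a per-recipient HMAC tag, a request for that content updates the user database only if the tag verifies (so click records cannot be forged and the redirector cannot be used as an open redirect), an event from a third-party system (here a constructed "reported phish" ticket) also updates the database, and a later message is then quarantined, flagged or delivered from that state. The key, redirector URL, HTML fragment and event format are all constructed for the demo.

```python
"""Added example, not the patent's code: signed link rewriting, click
recording, third-party event ingestion and a delivery decision."""
import hashlib
import hmac
import re
from typing import Dict, List
from urllib.parse import parse_qs, quote, urlparse

SECRET_KEY = b"constructed-demo-key-change-me"   # assumption: per-deployment secret
REDIRECTOR = "https://links.example.net/r"       # hypothetical remotely-hosted content
HREF_RE = re.compile(r'href="(https?://[^"]+)"')


def link_tag(user: str, msg_id: str, url: str) -> str:
    """HMAC over (recipient, message, target): a click request must carry it,
    so the redirector only follows targets this system itself inserted."""
    payload = "|".join((user, msg_id, url)).encode()
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()[:24]


def rewrite_links(html: str, user: str, msg_id: str) -> str:
    """Produce the modified message: every link now points at the redirector."""
    def repl(m: "re.Match") -> str:
        url = m.group(1)
        return 'href="%s?u=%s&m=%s&t=%s&url=%s"' % (
            REDIRECTOR, quote(user, safe=""), quote(msg_id, safe=""),
            link_tag(user, msg_id, url), quote(url, safe=""))
    return HREF_RE.sub(repl, html)


def extract_hrefs(html: str) -> List[str]:
    return re.findall(r'href="([^"]+)"', html)


class UserDatabase:
    def __init__(self) -> None:
        self.users: Dict[str, dict] = {}

    def profile(self, user: str) -> dict:
        return self.users.setdefault(
            user, {"clicks": [], "reported": set(), "blocked_senders": set()})

    def record_click(self, request_url: str) -> bool:
        """Update the database from a request for the remotely-hosted content.
        Returns False, recording nothing, if the tag does not verify."""
        q = parse_qs(urlparse(request_url).query)
        try:
            user, msg_id, tag, url = q["u"][0], q["m"][0], q["t"][0], q["url"][0]
        except KeyError:
            return False
        if not hmac.compare_digest(tag, link_tag(user, msg_id, url)):
            return False
        self.profile(user)["clicks"].append((msg_id, url))
        return True

    def record_third_party(self, event: dict) -> None:
        """Activity on a third-party system, e.g. a constructed helpdesk ticket
        of the form {"user", "kind", "msg_id", "sender"}."""
        p = self.profile(event["user"])
        if event["kind"] == "reported_phish":
            p["reported"].add(event["msg_id"])
            p["blocked_senders"].add(event["sender"])

    def decide(self, user: str, sender: str) -> str:
        """Action for a second message to this user from this sender."""
        p = self.profile(user)
        if sender in p["blocked_senders"]:
            return "quarantine"
        if any(msg_id in p["reported"] for msg_id, _ in p["clicks"]):
            return "flag"   # user previously clicked into a message later reported
        return "deliver"
```

The tag is computed over the recipient as well as the target, so a tracking URL lifted from one user's mailbox does not update another user's record; `hmac.compare_digest` keeps the check constant-time.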

Real-time messaging platform with enhanced privacy

A real-time messaging system platform receives, from a communication application installed on a first user communication device, a first user identifier, an indication that a messaging service message composed by the first user is being directed to a first destination associated with a second user, and an identification of data present in the messaging service message. The identification of the data and a message transmission history of the first user are used to enable selection of a message of a first entity. The selected message of the first entity is caused to be displayed by the communication application within a message framework that frames the first user's messaging service message. The first entity's message is caused to be included in the messaging service message transmitted to the second user's device, wherein the first entity is not provided with access to the identity of the first user or the second user.

CONTROLLING ACCESS TO SECURED DATA VIA TIMED FILTERING OF DATA
20230054085 · 2023-02-23

According to certain implementations, an access control system controls access to secured data that is stored on a secured source. A requestor system may request information representing the secured data. The access control system receives the secured data from the secured source, and selects a portion of the secured data based on a lens including a filter criteria or a modification instruction. Adjusted data may be generated based on a modification of the selected portion of data, where the modification is based on the lens. The access control system provides the adjusted data to the requestor system via an access interface. In some cases, upon completion of a time period, the access control system prevents the requestor system from accessing the adjusted data, by disabling the access interface used to access the adjusted data. The adjusted data may be deleted from the access control system.
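The lens and timed access interface described above, as an added example that is not the patent's code: a lens pairs a filter criterion with a modification instruction, the access control system applies it to records pulled from a secured source and hands the requestor an interface that only ever returns the adjusted copy, and once the time period elapses the interface is disabled and the adjusted data deleted. The records, the lens (finance department only, SSN masked, salary coarsened, id dropped) and the injectable clock are constructed for the demo.

```python
"""Added example, not the patent's code: lens-based filtering/modification of
secured data behind a time-limited access interface."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

SECURED_SOURCE = [   # constructed sample records on the "secured source"
    {"id": 1, "name": "alice", "ssn": "123-45-6789", "dept": "finance", "salary": 91000},
    {"id": 2, "name": "bob",   "ssn": "987-65-4321", "dept": "finance", "salary": 72000},
    {"id": 3, "name": "carol", "ssn": "555-12-3456", "dept": "legal",   "salary": 88000},
]


@dataclass(frozen=True)
class Lens:
    filter_criteria: Callable[[dict], bool]   # which records are selected
    modification: Callable[[dict], dict]      # how each selected record is adjusted


def mask_and_bucket(rec: dict) -> dict:
    """Modification instruction: hide the SSN, coarsen salary, drop the id.
    Works on a copy so the secured source is never altered."""
    out = dict(rec)
    out["ssn"] = "***-**-" + out["ssn"][-4:]
    out["salary"] = round(out["salary"], -4)
    del out["id"]
    return out


FINANCE_LENS = Lens(lambda r: r["dept"] == "finance", mask_and_bucket)


class AccessInterface:
    """Handle given to the requestor system; it can only reach adjusted data."""
    def __init__(self, system: "AccessControlSystem", token: str) -> None:
        self._system, self._token = system, token

    def read(self) -> List[dict]:
        return self._system._read(self._token)

    def is_active(self) -> bool:
        self._system.sweep()
        return self._system.has_grant(self._token)


class AccessControlSystem:
    def __init__(self, source: List[dict],
                 clock: Callable[[], float] = time.time) -> None:
        self._source, self._clock = source, clock
        self._grants: Dict[str, Tuple[List[dict], float]] = {}  # token -> (data, expiry)

    def grant(self, lens: Lens, ttl_seconds: float) -> AccessInterface:
        selected = [r for r in self._source if lens.filter_criteria(r)]
        adjusted = [lens.modification(r) for r in selected]
        token = secrets.token_hex(16)
        self._grants[token] = (adjusted, self._clock() + ttl_seconds)
        return AccessInterface(self, token)

    def sweep(self) -> int:
        """Disable every expired interface and delete its adjusted data."""
        now = self._clock()
        expired = [t for t, (_, exp) in self._grants.items() if now >= exp]
        for t in expired:
            del self._grants[t]
        return len(expired)

    def has_grant(self, token: str) -> bool:
        return token in self._grants

    def retained_grants(self) -> int:
        return len(self._grants)

    def _read(self, token: str) -> List[dict]:
        self.sweep()   # expiry is enforced on every access, not only by a timer
        if token not in self._grants:
            raise PermissionError("access interface disabled")
        return [dict(r) for r in self._grants[token][0]]


class FakeClock:
    """Constructed clock so expiry can be driven deterministically."""
    def __init__(self, start: float = 1000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now
```

Sweeping on every read matters: a background timer alone leaves a window in which an expired handle still works if the timer is late or the process was paused.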

System and method employing virtual ledger

A system, method and computer program product for computer based open innovation including an asset valuation device receiving asset information regarding one or more tangible or non-tangible assets, and generating a valuation signal, based on the asset information; a self-executing code device receiving the valuation signal, and generating a self-executing code signal, based on the valuation signal; an air router device having both a low band radio channel, and an internet router channel for redundant internet communications, and a malicious code removal device for scrubbing malicious code from data received, receiving the valuation signal, and generating a node voting request signal, based on the valuation signal; and a mesh network having a plurality of node devices receiving the node voting request signal, and generating vote confirmation signals, based on the node voting request signal. The node devices are employed to perform problem solving, smart contract processing, and/or cryptocurrency mining.

AUTOMATED CLUSTERING OF SESSIONS OF UNSTRUCTURED TRAFFIC
20220368701 · 2022-11-17

A natural language processor extracts features from batches of unstructured traffic. A feature weighted distance engine computes a distance matrix between pairs of feature vectors for sessions of unstructured traffic using a weight vector that assigns importance to relative placement of features in feature vectors. The distance function used to compute the distance matrix with the weight vector is conducive to generating high-quality clusters and patterns in unstructured traffic. The sessions of unstructured traffic are clustered according to the pairwise distance matrix. Generated clusters are merged with clusters for previously analyzed sessions of unstructured traffic. A pattern identification engine extracts patterns from the merged clusters that correspond to behavior of applications generating the unstructured traffic.
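The pipeline described above, as an added example that is not the patent's code: a constructed tokenizer stands in for the natural language processor, the distance between two session feature vectors is the share of positional weight sitting on mismatched positions (earlier positions weigh more), the pairwise matrix is clustered by single linkage, each cluster yields a per-position pattern with wildcards where members disagree, and new patterns are merged into previously learned ones when they fall under the same threshold. The sample sessions, decay weight and threshold are assumptions for the demo.

```python
"""Added example, not the patent's code: position-weighted distance matrix,
single-linkage clustering, pattern extraction and cluster merging."""
import re
from itertools import combinations
from typing import List, Optional

SESSIONS = [   # constructed sessions from two hypothetical applications
    "GET /api/v1/users/42 HTTP/1.1 agent=app-a",
    "GET /api/v1/users/77 HTTP/1.1 agent=app-a",
    "GET /api/v1/users/9 HTTP/1.1 agent=app-a",
    "POST /upload chunk=3 size=2048 agent=app-b",
    "POST /upload chunk=4 size=4096 agent=app-b",
]
TOKEN_RE = re.compile(r"[A-Za-z0-9_./=\-]+")
WILDCARD = "*"


def featurize(session: str) -> List[str]:
    """Stand-in for the NLP feature extractor: tokenize, fold digit runs."""
    return [re.sub(r"\d+", "<num>", t) for t in TOKEN_RE.findall(session)]


def weight_vector(n: int, decay: float = 0.8) -> List[float]:
    """Earlier positions (method, path) outweigh later ones (parameters)."""
    return [decay ** i for i in range(n)]


def weighted_distance(a: List[str], b: List[str], decay: float = 0.8) -> float:
    """Weighted fraction of positions that differ; '*' matches anything."""
    n = max(len(a), len(b))
    if n == 0:
        return 0.0
    w = weight_vector(n, decay)
    mismatch = 0.0
    for i in range(n):
        ta: Optional[str] = a[i] if i < len(a) else None
        tb: Optional[str] = b[i] if i < len(b) else None
        if ta != tb and WILDCARD not in (ta, tb):
            mismatch += w[i]
    return mismatch / sum(w)


def distance_matrix(vectors: List[List[str]]) -> List[List[float]]:
    n = len(vectors)
    m = [[0.0] * n for _ in range(n)]
    for i, j in combinations(range(n), 2):
        m[i][j] = m[j][i] = weighted_distance(vectors[i], vectors[j])
    return m


def cluster(matrix: List[List[float]], threshold: float = 0.4) -> List[List[int]]:
    """Single linkage via union-find: join any pair closer than threshold."""
    parent = list(range(len(matrix)))

    def find(x: int) -> int:
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for i, j in combinations(range(len(matrix)), 2):
        if matrix[i][j] < threshold:
            parent[find(i)] = find(j)
    groups: dict = {}
    for i in range(len(matrix)):
        groups.setdefault(find(i), []).append(i)
    return sorted(groups.values())


def pattern(vectors: List[List[str]]) -> List[str]:
    """Per-position consensus: the token if all members agree, else '*'."""
    out = []
    for i in range(max(len(v) for v in vectors)):
        toks = {v[i] if i < len(v) else None for v in vectors}
        tok = toks.pop()
        out.append(tok if not toks and tok is not None else WILDCARD)
    return out


def analyze(sessions: List[str], threshold: float = 0.4) -> List[List[str]]:
    """Batch pipeline: features -> distance matrix -> clusters -> patterns."""
    vectors = [featurize(s) for s in sessions]
    return [pattern([vectors[i] for i in members])
            for members in cluster(distance_matrix(vectors), threshold)]


def merge_patterns(previous: List[List[str]], new: List[List[str]],
                   threshold: float = 0.4) -> List[List[str]]:
    """Fold patterns from a new batch into those of earlier batches."""
    merged = [list(p) for p in previous]
    for p in new:
        for k, q in enumerate(merged):
            if weighted_distance(p, q) < threshold:
                merged[k] = pattern([p, q])
                break
        else:
            merged.append(list(p))
    return merged
```

Because the weight decays with position, two sessions that share method and path but differ in trailing parameters stay close, while sessions that differ in the first token are pushed apart even if their tails coincide; that is what lets the clusters line up with the generating application rather than with incidental parameter values.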

Identity-based enforcement of network communication in serverless workloads
11588859 · 2023-02-21

Systems and methods include implementing dynamic runtime code manipulation to modify application code associated with calls related to networking, with the calls implemented by application software executed as a serverless workload; intercepting the calls from the application software based on the modified application code; determining whether to permit the calls based on a set of policies; responsive to permitting a call, making the call to an operating system interface on behalf of the application software; and, responsive to not permitting the call, providing a failure notification to the application software.
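The interception loop described above, as an added example that is not the patent's code: the Python `socket.socket.connect` method is replaced at runtime with a wrapper that evaluates each call against a policy, makes the real operating-system call on the application's behalf when permitted, and otherwise returns a failure (`ConnectionRefusedError`) to the application without touching the OS. The rule format (exact host or `.suffix`, port or 0 for any) and the test hosts are assumptions; the permitted path is exercised against a local listener so the example runs offline.

```python
"""Added example, not the patent's code: runtime patching of the socket
connect() call to enforce an egress policy on application code."""
import socket
from typing import Callable, List, Tuple

Rule = Tuple[str, int]   # (exact host, or ".suffix" for a domain; port, 0 = any)


class EgressPolicy:
    def __init__(self, allow: List[Rule]) -> None:
        self.allow = allow
        self.audit: List[Tuple[str, int, bool]] = []   # (host, port, permitted)

    def permits(self, host: str, port: int) -> bool:
        for rule_host, rule_port in self.allow:
            if rule_port not in (0, port):
                continue
            if rule_host.startswith("."):
                if host == rule_host[1:] or host.endswith(rule_host):
                    return True
            elif host == rule_host:
                return True
        return False

    def decide(self, address) -> bool:
        if not isinstance(address, tuple):        # e.g. AF_UNIX path: not covered
            self.audit.append(("<non-inet>", 0, False))
            return False
        host, port = str(address[0]), int(address[1])
        ok = self.permits(host, port)
        self.audit.append((host, port, ok))
        return ok


_ORIGINAL_CONNECT = socket.socket.connect


def install_hook(policy: EgressPolicy) -> Callable[[], None]:
    """Swap socket.socket.connect for a policy-checking wrapper; returns an
    undo function. The decision is taken before any name resolution, so a
    denied hostname never leaks via DNS."""
    def guarded_connect(self, address):
        if not policy.decide(address):
            raise ConnectionRefusedError(
                "egress to %s denied by policy" % (address,))
        return _ORIGINAL_CONNECT(self, address)   # permitted: real OS call

    socket.socket.connect = guarded_connect

    def restore() -> None:
        socket.socket.connect = _ORIGINAL_CONNECT
    return restore


def simulate() -> List[Tuple[str, bool]]:
    """One permitted and one denied connect, recorded in the policy audit."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    policy = EgressPolicy([("127.0.0.1", 0), (".internal.example", 443)])
    restore = install_hook(policy)
    try:
        with socket.socket() as s:
            s.connect(("127.0.0.1", port))             # permitted
        try:
            with socket.socket() as s:
                s.connect(("attacker.example", 443))   # denied before DNS
        except ConnectionRefusedError:
            pass
    finally:
        restore()          # always undo the patch, even if the demo fails
        listener.close()
    return [(host, ok) for host, _, ok in policy.audit]
```

The caveat a practitioner wants: an in-process hook like this is only as strong as the process's own integrity. Code running in the same interpreter can reassign `socket.socket.connect` back, call `_socket.socket.connect` directly, or use a different I/O path, so the hook is a policy and audit layer for cooperative application code, not a substitute for network-level egress controls.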

System and method for providing an in-line and sniffer mode network based identity centric firewall

The disclosure is directed to a firewall that detects attacks and other unwanted activity against authentication-based network resources. The system can be installed inline or in sniffer mode. In various embodiments, defined rules are applied to network traffic to determine whether certain types of attacks are occurring on the network resources. If such an attack is detected, the system provides several potential responses, including disconnecting the attacking remote machine, requiring the user at that machine to re-authenticate, and/or requiring a second factor of authentication from that user. In some example embodiments, regardless of any action required of the user at the remote machine suspected of malicious behavior, the system generates an alarm or other alert for presentation as appropriate, such as via a graphical user interface or to a third-party system through an API.
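The rule evaluation described above, as an added example that is not the patent's code: authentication events are kept in a per-source sliding window, each rule checks that window (repeated failures for one account, or failures across many accounts from one source) and, on a hit, emits an alert carrying the response the text lists (disconnect, re-authenticate, or require a second factor). Inline and sniffer deployments share this logic; only how the response is delivered differs (dropping the connection in the path versus an out-of-band API call). The log format, thresholds, windows and sample events are constructed.

```python
"""Added example, not the patent's code: identity-centric firewall rules run
over constructed authentication events."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set, Tuple

SAMPLE_LOG = """\
1000 198.51.100.7 alice FAIL
1001 198.51.100.7 alice FAIL
1002 198.51.100.7 alice FAIL
1003 198.51.100.7 alice FAIL
1004 198.51.100.7 alice FAIL
1005 198.51.100.7 alice FAIL
1010 203.0.113.9 bob FAIL
1011 203.0.113.9 carol FAIL
1012 203.0.113.9 dave FAIL
1013 203.0.113.9 erin FAIL
1020 192.0.2.44 frank OK
1021 192.0.2.44 frank FAIL
1022 192.0.2.44 frank OK
"""   # constructed: "<unix ts> <source> <account> <OK|FAIL>"
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (OK|FAIL)$")


@dataclass(frozen=True)
class Rule:
    name: str
    window: int             # seconds of history considered
    response: str           # disconnect | reauth | mfa
    max_failures: int = 0   # failures for one account from one source
    max_users: int = 0      # distinct accounts failing from one source


RULES = [   # constructed thresholds
    Rule("brute_force", window=30, response="disconnect", max_failures=5),
    Rule("password_spray", window=60, response="mfa", max_users=4),
]


@dataclass(frozen=True)
class Alert:
    rule: str
    source: str
    response: str


class IdentityFirewall:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self._max_window = max(r.window for r in rules)
        self._failures: Dict[str, Deque[Tuple[int, str]]] = defaultdict(deque)
        self._fired: Set[Tuple[str, str]] = set()   # (rule, source) already alerted
        self.alerts: List[Alert] = []

    def observe(self, line: str) -> List[Alert]:
        """Feed one event; returns the alerts it raised (at most one per rule
        and source, so a sustained attack does not flood the operator)."""
        m = LINE_RE.match(line.strip())
        if not m or m[4] == "OK":
            return []
        ts, src, user = int(m[1]), m[2], m[3]
        q = self._failures[src]
        q.append((ts, user))
        while q and q[0][0] < ts - self._max_window:   # evict stale history
            q.popleft()
        raised: List[Alert] = []
        for rule in self.rules:
            if (rule.name, src) in self._fired:
                continue
            recent = [(t, u) for t, u in q if t >= ts - rule.window]
            same_user = sum(1 for _, u in recent if u == user)
            distinct = len({u for _, u in recent})
            hit = ((rule.max_failures and same_user >= rule.max_failures)
                   or (rule.max_users and distinct >= rule.max_users))
            if hit:
                alert = Alert(rule.name, src, rule.response)
                self._fired.add((rule.name, src))
                self.alerts.append(alert)
                raised.append(alert)
        return raised


def run(log: str = SAMPLE_LOG) -> List[Alert]:
    fw = IdentityFirewall(RULES)
    for line in log.splitlines():
        fw.observe(line)
    return fw.alerts
```

Note that the two rules look at the same window from different angles: a single account hammered from one source trips `brute_force`, while one failure each across four accounts from one source trips `password_spray` even though no account ever reaches the brute-force threshold.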

CONTROLLER DRIVEN RECONFIGURATION OF A MULTI-LAYERED APPLICATION OR SERVICE MODEL

Some embodiments provide novel inline switches that distribute data messages from source compute nodes (SCNs) to different groups of destination service compute nodes (DSCNs). In some embodiments, the inline switches are deployed in the source compute nodes' datapaths (e.g., the egress datapath). The inline switches in some embodiments are service switches that (1) receive data messages from the SCNs, (2) identify service nodes in a service-node cluster for processing the data messages based on service policies that the switches implement, and (3) use tunnels to send the received data messages to their identified service nodes. Alternatively, or conjunctively, the inline service switches of some embodiments (1) identify a service-node cluster for processing the data messages based on service policies that the switches implement, and (2) use tunnels to send the received data messages to the identified service-node clusters. The service-node clusters can perform the same service or can perform different services in some embodiments. This tunnel-based approach for distributing data messages to service nodes/clusters is advantageous for seamlessly implementing in a datacenter a cloud-based XaaS model (where XaaS stands for X as a service, and X stands for anything), in which any number of services are provided by service providers in the cloud.