Patent classifications
H04L63/0254
Message Processing
Disclosed are a packet processing method and apparatus applicable to a network device. The method comprises: receiving a first packet; after the first packet successfully passes basic detection, determining the number of second packets received within a preset duration, wherein the packet information of each second packet is identical to the first packet information of the first packet; determining whether the number of second packets received is greater than a preset number threshold; if so, removing a first table entry from a fast forwarding table, wherein the first table entry contains the second packet information of the first packet; and performing attack detection on the first packet. With the application of the technical solution provided by an example of the present disclosure, the security risk in a network device is effectively reduced.
Signature-free intrusion detection
An apparatus and method are disclosed for detecting intrusions in Voice over Internet Protocol systems, without the use of an attack signature database. In particular, the illustrative embodiment is based on the observation that some VoIP-related protocols (e.g., the Session Initiation Protocol [SIP], etc.) are simple enough to be represented by a finite-state machine (FSM) of compact size. A finite-state machine is maintained for each session/node/protocol combination, and any illegal state or state transition—which might be the result of a malicious attack—is flagged as a potential intrusion.
Methods and systems for context-based application firewalls
Context-based application firewall functionality. A user session is initiated with a client device. The user session allows access to a remote resource on a server device coupled with the client device over a network. The connection between the client device and the remote resource passes through an application firewall. An application firewall context setup is performed with the application firewall in response to the user session. The application firewall context comprises firewall context information to be used during the user session to perform network and application security operations with the application firewall. A response is created to provide information from the remote resource to the client device. The response includes metadata to be used to update the firewall context information. The firewall context information is updated with the application firewall based on the metadata. The response is transmitted to the client device.
Firewall packet filtering
Mechanisms are provided for performing an operation on a received data packet. A data packet is received and a hash operation on a header field value of a header of the data packet is performed to generate a hash value. A lookup operation is performed in a hash table associated with the type of the header field value to identify a hash table entry. A bit string associated with the hash table entry is retrieved, where each bit in the bit string corresponds to a class of rules of a rule set of a firewall. A matching operation of the header field value against the rules in the classes of rules corresponding to the bits set in the bit string is performed to select one or more search trees. Operations are performed based on the rules in those classes of rules that are matched by the header field value of the data packet.
System and method for integrated header, state, rate and content anomaly prevention for session initiation protocol
Methods and systems for an integrated solution to rate-based denial of service attacks targeting the Session Initiation Protocol are provided. According to one embodiment, header, state, rate and content anomalies are prevented and network policy enforcement is provided for the Session Initiation Protocol (SIP). A hardware-based apparatus helps identify SIP rate thresholds through continuous and adaptive learning. The apparatus can determine SIP header and SIP state anomalies and drop packets containing those anomalies. SIP requests and responses are inspected for known malicious content using a Content Inspection Engine. The apparatus integrates these solutions to prevent anomalous packets and enables a policy-based packet filter for SIP.
Use of stateless marking to speed up stateful firewall rule processing
A novel method for stateful packet classification is provided that uses hardware resources for performing stateless lookups and software resources for performing stateful connection flow handshaking. To classify an incoming packet from a network, some embodiments perform stateless lookup operations for the incoming packet in hardware and forward the result of the stateless lookup to the software. The software in turn uses the result of the stateless lookup to perform the stateful connection flow handshaking and to determine the result of the stateful packet classification.
Systems and methods for designating packets for customized data processing in port-extended architectures
A method for specialized processing of data in a port-extended network comprises receiving, by the control node of the port-extended network, a data frame that includes, in a first field of the data frame, information indicative of the incoming port at which the data frame was received, the first field having been inserted by a satellite node associated with that port. The method also comprises determining that one or more packets of the frame require specialized processing, and replacing the information contained in the first field with information indicative of the specialized processing. The method further comprises replacing information contained in a second field with information indicative of an outgoing port of a second satellite node of the port-extended network. A modified data frame, which includes the information indicative of the specialized processing in the first field, is transmitted onto the port-extended network.
SCALABLE ENCRYPTION FRAMEWORK USING VIRTUALIZATION AND ADAPTIVE SAMPLING
Systems, computer program products, and methods are described herein for a scalable encryption framework using virtualization and adaptive sampling. The present invention is configured to receive metadata associated with one or more intrusion types from an intrusion data lake; run an adaptive instance sampling engine on the metadata associated with the one or more intrusion types to generate a sampled intrusion data lake; initiate one or more simulations of atomic intrusion on a firewall; generate one or more prioritized combinations of the one or more sampled intrusion types; initiate one or more simulations of cumulative intrusion on the firewall using the one or more prioritized combinations of the one or more sampled intrusion types; determine an atomic performance metric and a cumulative performance metric of the firewall; and generate a robustness report for the firewall.
SYSTEMS AND METHODS FOR ROUTING INTERNET PACKETS BETWEEN ENTERPRISE NETWORK SITES
This disclosure describes methods, devices, and systems related to routing packets between enterprise network sites. A method may be disclosed for routing packets between hosts at a first site and hosts at a second site in a network using a firewall. The method may comprise receiving a request, in a first packet, from a first router to send one or more packets to two or more hosts at the second site. The method may comprise receiving from the first router a first sub-network prefix, in a route advertisement, corresponding to two or more hosts at the first site, and receiving a first community value, in a first advertisement, associated with the first sub-network prefix. The method may comprise generating a first local preference value based at least in part on the first community value. The method may further comprise sending the request, the first sub-network prefix, and the first local preference value to a second router in a second advertisement.
METHOD AND DEVICE FOR VULNERABILITY SCANNING
The disclosed embodiment provides a method and device for vulnerability scanning, the method comprising: a reverse scanning agent module acquires a client message; the reverse scanning agent module transmits the client message to a vulnerability scanner, enabling the vulnerability scanner to identify a vulnerability of the client according to the client message; or the reverse scanning agent module identifies the vulnerability of the client according to the client message and transmits the vulnerability to the vulnerability scanner; the reverse scanning agent module receives a control instruction from the vulnerability scanner, changes its operating manner and/or mode according to the control instruction, and updates a vulnerability rule. The reverse scanning agent module in the disclosure acquires and analyzes the client message to identify the vulnerability of the client, which supplements remote detection of server security issues with analysis of client security issues, thereby achieving security detection for the entire network.