H04L63/0254

System for identifying and assisting in the creation and implementation of a network service configuration using Hidden Markov Models (HMMs)
11252046 · 2022-02-15

A device may receive a request for a network service configuration (NSC) that is to be used to configure network devices. The device may select a graphical data model that has been trained via machine learning to analyze a dataset that includes information relating to a set of network configuration services, where aspects of a subset of the set of network configuration services have been created over time. The device may determine, by using the graphical data model, a path through a set of states of the graphical data model, where the path corresponds to a particular NSC. The device may select the particular NSC based on the path determined. The device may perform a first group of actions to provide data identifying the particular NSC for display, and/or a second group of actions to implement the particular NSC on the network devices.

MALICIOUS HTTP COOKIES DETECTION AND CLUSTERING
20170264626 · 2017-09-14

Techniques for malicious HTTP cookies detection and clustering are disclosed. In some embodiments, a system, process, and/or computer program product for malicious HTTP cookies detection and clustering includes receiving a sample at a cloud security service; extracting a cookie from network traffic associated with the sample; determining that the cookie is associated with malware; and generating a signature based on the cookie.

Reverse NFA generation and processing

In a processor of a security appliance, an input of a sequence of characters is walked through a finite automata graph generated for at least one given pattern. At a marked node of the finite automata graph, if a specific type of the at least one given pattern is matched at the marked node, the input sequence of characters is processed through a reverse non-deterministic finite automata (rNFA) graph generated for the specific type of the at least one given pattern by walking the input sequence of characters backwards through the rNFA beginning from an offset of the input sequence of characters associated with the marked node. Generating the rNFA for a given pattern includes inserting processing nodes for processing an input sequence of patterns to determine a match for the given pattern. In addition, the rNFA is generated from the given type of pattern.

Flow ownership assignment in a distributed processor system

A security device for processing network flows includes one or more packet processors configured to receive incoming data packets associated with one or more network flows, where a packet processor is assigned as an owner of one or more network flows and each packet processor processes data packets associated with flows for which it is the assigned owner; and a packet processing manager configured to assign ownership of network flows to the one or more packet processors, where the packet processing manager includes a global flow table containing entries mapping network flows to packet processor ownership assignments. The packet processing manager informs a packet processor of an ownership assignment after one or more packets are received, and the one or more packet processors learn of ownership assignments of network flows from the packet processing manager.

Role based router functionality

Configuration of tunnel, firewall and/or other positional based functionality for routers operating within a multi-router network is contemplated. The functionality configured for one or more of the routers may be implemented automatically without manual input or identification, such as to facilitate an off-the-shelf implementation process where positioning and attendant functionality is routinely implemented according to a predefined set of roles.

System and method for detecting and preventing network intrusion of malicious data flows

The present disclosure provides a system for detecting and preventing the intrusion of malicious data flows in a software defined network (SDN). The system comprises at least one data storage or memory, configured to store flow states of data flows and to share and update the flow states across the system; at least one shared-state forwarding element (FE), configured to block, forward, or replicate a received data flow based on a flow state of the data flow and/or a comparison of the data flow with predetermined patterns; and at least one inspection element (IE), configured to receive a replicated data flow and to classify whether the data flow is malicious or allowed. The IE is configured to alter the flow state of the data flow according to a classification result. The present disclosure provides a corresponding method for detecting and preventing intrusion of malicious data flows in an SDN.

MANAGING DATA SCHEMA DIFFERENCES BY PATH DETERMINISTIC FINITE AUTOMATA
20210409257 · 2021-12-30

A method for migrating a data schema comprising: combining a first deterministic finite automaton with a second deterministic finite automaton to generate a modified deterministic finite automaton; identifying a state of the modified deterministic finite automaton without computed followers; and computing a new vector of original states for each state of the modified deterministic finite automaton corresponding to the identified state.

METHOD, SYSTEM AND APPARATUS FOR INLINE DECRYPTION ANALYSIS AND DETECTION

The disclosure generally relates to a method, system and apparatus to expedite processing of packet data through a network endpoint. In one embodiment, the disclosure relates to an Inline Security Engine (ISE) which may be deployed at the network's edge, for example, at a network interface card or a network adaptor. The exemplary ISE may be configured to receive and analyze packets traversing the endpoint device for compliance with the encryption protocols and other network requirements. Additionally, the ISE may implement steps to increase security of the data if the analysis suggests that the encryption may be weak or faulty, or if certain predefined security rules are violated. All processes are implemented inline and at line speed without diminishing the data rate.

SECURITY ASSOCIATION BUNDLING FOR AN INTERFACE

A method for IPSec communication between a source machine and a destination machine is provided. The method includes receiving, at the destination machine, first and second packets from the source machine through first and second VPN tunnels established between a first VTI of the source machine and a second VTI of the destination machine; determining the first packet corresponds to a first SA and the second packet corresponds to a second SA; processing, by a first processing core, the first packet based on the first SA, and processing, by a second processing core, the second packet based on the second SA; and updating, at the second VTI, states of one or more flows based on the first and second packets, the second VTI providing one or more stateful services for the one or more packet flows based on the one or more states.

DISTINGUISHING NETWORK CONNECTION REQUESTS
20210409276 · 2021-12-30

A network apparatus detects connection requests and extracts related data. The data is analyzed to determine whether the host is in an active state, whether the host matches a domain referrer, and the amount of time since the last connection request. If it is detected that the host is not in an active state, the host does not match the domain referrer, and the amount of time since the last connection request exceeds a predetermined new session threshold, then the connection request is classified as a main request. If the amount of time since the last connection request is below a predetermined continuous session threshold, then any connection requests following the main request are classified as sub-requests. If the domain of the host in the active state does not match the current host for a sub-request, the sub-request is classified as a third-party request.