Patent classifications
H04L63/0254
Application assessment and visibility for micro-segmentation of a network deployment
A method for visualizing network flows of a network is provided. The method monitors network flows between a group of machines in a network. The method associates identifiers with the monitored network flows. The method aggregates the monitored network flows into a set of groups based on the associated identifiers. The method displays a set of flow records for each group of the set of groups.
Network traffic analysis
A network apparatus is configured to detect a network connection request on a platform having a hardware accelerator to process network traffic, wherein the hardware accelerator implements computing tasks related to data packets of at least part of the network traffic. The network apparatus is further configured to intercept the network traffic related to the network connection request before the start of the hardware accelerator process, to extract network connection data required by a network traffic analysis function from the network traffic, to allow the hardware accelerator to start the acceleration process after the network connection data extraction has finished, and to analyse the network connection based on the extracted network connection data.
Stateful distributed web application firewall
A method and system are disclosed. A first service engine among a plurality of service engines detects a traffic violation of a web application policy for an instantiation of a virtual service on the first service engine. The service engines maintain corresponding instances of a shared state of policy violations for the web application policy. In response to detecting the traffic violation, a first instance of the shared state on the first service engine is updated. The first service engine broadcasts the updated first instance of the shared state. Remaining service engines, which have instantiations of the virtual service, update their instances of the shared state in response to receiving the updated first instance. The instances of the shared state are aggregated to obtain an aggregated shared state. It is detected whether the aggregated shared state triggers an application policy rule for the web application policy.
Mitigating denial of service attacks
Several methods are disclosed for detecting and mitigating Distributed Denial-of-Service (DDoS) attacks that are intended to exhaust network resources. The methods use DDoS mitigation devices to detect DDoS attacks using operationally based thresholds. The methods also keep track of ongoing attacks, have an understanding of “protected IP space,” and activate appropriate mitigation tactics based on the severity of the attack and the capabilities of the DDoS mitigation devices.
DYNAMIC PRIORITIZATION OF NETWORK TRAFFIC BASED ON REPUTATION
A network device may determine a plurality of reputation indicators that indicate a measure of reputation associated with the flow. A first reputation indicator, of the plurality of reputation indicators, may be determined based on applying a first reputation analysis technique in association with the flow. A second reputation indicator, of the plurality of reputation indicators, may be determined based on applying a second reputation analysis technique in association with the flow. The second reputation analysis technique may be different from the first reputation analysis technique. The network device may determine a reputation score for the flow based on the plurality of reputation indicators. The network device may prioritize the flow based on the reputation score.
MAC MOBILITY FOR 802.1x ADDRESSES FOR PHYSICAL MACHINES
A system and method for provisionally authenticating a host moving from a source port of a switch device to a destination port of the switch device is disclosed. The host is initially authenticated at the source port and blocked from forwarding network traffic at the destination port. During a provisional authentication session, an authentication agent executing on the switch intercepts one or more authentication packets sourced by the host and headed for the destination port of the switch device and redirects the authentication packets to an authentication server for validating the host at the destination port of the switch device. The switch device removes the block at the destination port in response to receiving an acknowledgment of successful authentication at the destination port from the authentication server.
HYBRID HARDWARE-SOFTWARE DISTRIBUTED THREAT ANALYSIS
Embodiments relate to detecting and mitigating network intrusions. Packets are inspected at their source/destination hosts to identify packet trends local to the hosts. The local packet trends are combined to identify network-wide packet trends. The network-wide packet trends are used to detect anomalies or attacks, which in turn informs mitigation actions. The local inspection may be performed by reconfigurable/reprogrammable “smart” network interfaces (NICs) at each of the hosts. Local inspection involves identifying potentially suspect packet features based on statistical prevalence of recurring commonalities among the packets; pre-defined threat patterns are not required. For network-wide coherence, each host/NIC uses the same packet-identifying and occurrence-measuring algorithms. An overlay or control server collects and combines the local occurrence-measures to derive the network-wide occurrence-measures. The network-wide occurrences can be used to automatically detect and mitigate completely new types of attack packets.
Methods and apparatuses for providing internet-based proxy services
A proxy server receives, from multiple visitors of multiple client devices, a plurality of requests for actions to be performed on identified network resources belonging to a plurality of origin servers. At least some of the origin servers belong to different domains and are owned by different entities. The proxy server and the origin servers are also owned by different entities. The proxy server analyzes each request it receives to determine whether that request poses a threat and whether the visitor making the request poses a threat. The proxy server blocks those requests from visitors that pose a threat or in which the request itself poses a threat. The proxy server transmits the requests that are not a threat and are from a visitor that is not a threat to the appropriate origin server.
FIREWALL IN A VIRTUALIZED COMPUTING ENVIRONMENT USING PHYSICAL NETWORK INTERFACE CONTROLLER (PNIC) LEVEL FIREWALL RULES
Example methods are provided for a destination host to implement a firewall in a virtualized computing environment that includes the destination host and a source host. The method may comprise receiving, via a physical network interface controller (PNIC) of the destination host, an ingress packet sent by the source host. The ingress packet may be destined for a destination virtualized computing instance that is supported by the destination host and associated with a destination virtual network interface controller (VNIC). The method may further comprise retrieving a PNIC-level firewall rule associated with the destination virtualized computing instance, the PNIC-level firewall rule being applicable at the PNIC and generated based on a VNIC-level firewall rule applicable at the destination VNIC. In response to a determination that the PNIC-level firewall rule blocks the ingress packet from passing through, the ingress packet may be dropped such that the ingress packet is not sent to the destination VNIC.