Patent classifications
H04L63/0263
MANAGING TRAFFIC RULES IN ASSOCIATION WITH FULLY QUALIFIED DOMAIN NAMES (FQDNS)
Systems, methods, and software described herein manage traffic rules in association with fully qualified domain names (FQDNs). In one implementation, a domain name system (DNS) security service obtains notifications associated with an FQDN included in DNS requests. In response to the notifications, the DNS security service generates scores for the FQDN based on trust factors associated with the FQDN and determines traffic rules based on the scores.
System and method for capturing data sent by a mobile device
Data can originate from at least one device. The data can be received by at least one network element corresponding to a network. The data can be sent over the network by the at least one device. The data can be analyzed to determine a presence of one or more keywords or key phrases in the data received. A determination can be performed to determine whether or not to filter or block the data. The data can be blocked or filtered according to the determination.
Controlling access to external networks by an air-gapped endpoint
A method and system for controlling access to external networks by an air-gapped endpoint is provided. The method includes providing, on the air-gapped endpoint, a plurality of isolated security zones by instantiating a plurality of corresponding virtual machines using a hypervisor; selecting one security zone of the plurality of isolated security zones; and tunneling traffic from the selected security zone to a designated network location, wherein the tunneling is through a virtual private network (VPN).
Dynamically enforcing context sensitive network access control policies
The present disclosure envisages enforcing micro-segmentation policies on a user computer that intermittently migrates between a secured enterprise network and an unsecured network, for instance a public network. The present disclosure envisages switching between appropriate micro-segmentation policies in line with the change in the current location of the user device, the change being triggered by the user device migrating from the enterprise network to an unsecured network or vice versa. The present disclosure envisages selectively enforcing micro-segmentation policies upon a user device based on its current location, such that the micro-segmentation policies and the corresponding access permissions assigned to the user device differ according to the current location of the user device. Sensitive enterprise resources forming a part of the enterprise network are thereby exposed in a selective and restricted manner, in line with the micro-segmentation policies enforced upon the user device based primarily on its current location.
MULP: a multi-layer approach to ACL pruning
Disclosed embodiments are a computing system and a computer-implemented method related to minimizing the number of rules/policies that need to be stored in order to enforce those rules/policies. The minimizing comprises generating adjacency data structures that map as adjacent those pairs of network nodes which are allowed to communicate with one another according to the plurality of rules, and applying those structures to prune the rule dataset. This allows an original set of rules/policies to be reduced to a smaller set, which conserves computational resources.
PER-INTERFACE ACCESS CONTROL LIST (ACL) COUNTER
Systems and methods for allocating a per-interface access control list (ACL) counter are disclosed. An ACL is applied to a data packet received at an interface of the network element. In response to matching the highest priority ACL rule, a counter value is obtained based on a combination of a base index and an expansion index value. The base index, expansion index, and counter values are stored in their respective tables. The counter value is uniquely associated with the specific ACL rule hit and the interface used to receive the data packet. Systems and methods also allocate a next set of expansion and counter tables when their storage capacity is exceeded. When the next set of tables is allocated, the older set of tables, along with their index mappings and entries, is preserved.
SYSTEMS AND METHODS FOR FINE GRAINED FORWARD TESTING FOR A ZTNA ENVIRONMENT
Systems, devices, and methods are discussed for forward testing rule sets at a granularity that is less than all activity on the network. In some cases, the granularity is that of an individual application.
Method and Apparatus for Improved Security in Trigger Action Platforms
An apparatus and method for improving the security of trigger action platforms of the type that provides interoperability between computer services send the trigger service additional information about an interoperability rule for the computer services, so that the trigger service may implement a minimizer that reduces the data communicated when the interoperability is implemented. Implementation of the minimizer may be done in a way that is transparent to the trigger action platform, eliminating the need to disrupt existing interoperability services.
Adaptable network event monitoring configuration in datacenters
Some embodiments provide a method for defining an adaptable monitoring profile for a network. The defined network monitoring profile is independent of the security policy defined for the network and includes one or more log generation rules, each of which defines a logging policy for a set of data compute nodes (DCNs) that share a common attribute. A log generation rule specifies whether the network activities of a set of DCNs that share a common attribute should be logged or not. A log generation rule can also specify other logging parameters such as priority level of the logs and the required logging protocol for transmission of the logs. The logging policy of a log generation rule is associated with a set of service rules (e.g., firewall rules) through a dynamic service group, and is applied to the service rules when any of these rules is triggered.
CAN communication-based hacking attack detection method and system
Provided is a CAN communication-based abnormal message detection method including: obtaining reception times of reception messages; a reception filtering operation for performing a period calculation that compares the difference between reception times of reception messages having the same message ID with a reference period for the corresponding message ID; an abnormal message detecting operation for determining the reception messages to be abnormal messages when, as a result of the period calculation, the difference between the reception times is smaller than the reference period, and determining the reception messages to be normal messages when the difference between the reception times is greater than the reference period; and a blocking operation for blocking the abnormal messages.