H04L69/162

SYSTEMS AND METHODS FOR CLOUD BASED UNIFIED SERVICE DISCOVERY AND SECURE AVAILABILITY

Systems and methods implemented by a unified agent application executed on a mobile device, for unified service discovery and secure availability include authenticating a user into a plurality of cloud services including a proxy service and a Virtual Private Network (VPN) service, wherein the proxy service is utilized for Internet traffic and the VPN service is for Intranet traffic; creating and operating a link local network at the mobile device with a virtual network interface and multiple listening sockets; and intercepting traffic at the virtual network interface from one or more client applications on the mobile device and splitting the traffic between the proxy service, the VPN service, and the Internet based on a type of the traffic, a destination, and the one or more client applications.
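The three-way split described above (proxy for Internet web traffic, VPN for Intranet traffic, direct otherwise, decided from traffic type, destination and originating application) is easiest to see as an ordered policy. The following is an added example, not code from the patent or its assignee; the prefixes, bypass addresses, exempt applications and proxy ports are assumed values standing in for whatever the agent would be provisioned with.

```python
"""Added example: a traffic-splitting policy for flows intercepted at a
virtual (TUN) interface.  Every policy value below is hypothetical."""
import ipaddress
from dataclasses import dataclass
from enum import Enum


class Route(Enum):
    PROXY = "proxy"    # cloud proxy service: Internet web traffic
    VPN = "vpn"        # VPN service: Intranet traffic
    DIRECT = "direct"  # straight to the Internet, bypassing both services


@dataclass(frozen=True)
class Flow:
    app: str       # client application that opened the socket
    proto: str     # "tcp" or "udp"
    dst_ip: str
    dst_port: int


# Assumed policy pushed to the agent.
INTRANET_PREFIXES = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "192.168.0.0/16", "fd00::/8")]
# Destinations that must never enter a tunnel, e.g. the proxy and VPN gateways themselves.
BYPASS_DESTINATIONS = {ipaddress.ip_address("203.0.113.10"), ipaddress.ip_address("203.0.113.11")}
# Applications exempted from the proxy for their Internet traffic.
PROXY_EXEMPT_APPS = {"com.example.voip"}
# Traffic types the proxy service handles: TCP to web ports.
PROXY_PORTS = {80, 443, 8080}


def classify(flow: Flow) -> Route:
    """Decide where one intercepted flow goes.  Rule order matters: the bypass
    check comes first so the agent never routes its own tunnel traffic back into
    the tunnel, and the destination check precedes the traffic-type check so that
    Intranet UDP (DNS, VoIP) still rides the VPN."""
    dst = ipaddress.ip_address(flow.dst_ip)
    if dst in BYPASS_DESTINATIONS:
        return Route.DIRECT
    if any(dst in net for net in INTRANET_PREFIXES):              # destination
        return Route.VPN
    if flow.proto != "tcp" or flow.dst_port not in PROXY_PORTS:  # type of traffic
        return Route.DIRECT
    if flow.app in PROXY_EXEMPT_APPS:                            # client application
        return Route.DIRECT
    return Route.PROXY


def split(flows):
    """Bucket a batch of intercepted flows by route, the way the virtual
    interface hands them to its per-service listening sockets."""
    buckets = {route: [] for route in Route}
    for flow in flows:
        buckets[classify(flow)].append(flow)
    return buckets


# Constructed sample of flows an agent might see.
SAMPLE = [
    Flow("com.example.browser", "tcp", "93.184.216.34", 443),  # Internet web  -> proxy
    Flow("com.example.mail", "tcp", "10.1.2.3", 993),          # Intranet IMAP -> VPN
    Flow("com.example.browser", "udp", "8.8.8.8", 53),         # Internet DNS  -> direct
    Flow("com.example.voip", "tcp", "93.184.216.34", 443),     # exempt app    -> direct
    Flow("com.example.agent", "tcp", "203.0.113.10", 443),     # proxy gateway -> direct
    Flow("com.example.chat", "udp", "fd00::1", 5060),          # Intranet v6   -> VPN
]

if __name__ == "__main__":
    for route, flows in split(SAMPLE).items():
        print(route.value, [f"{f.app}->{f.dst_ip}:{f.dst_port}" for f in flows])
```

The bypass check is the one practitioners most often get wrong: if the gateway addresses are not excluded before the prefix and port rules, the agent's own tunnel packets match the proxy rule and loop back into the virtual interface.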

IN-CHANNEL EVENT PROCESSING FOR NETWORK AGNOSTIC MOBILE APPLICATIONS IN CLOUD BASED SECURITY SYSTEMS
20170331859 · 2017-11-16

Systems and methods in a mobile device communicatively coupled to a cloud based security system, for detecting and processing in-channel events associated with a network agnostic mobile application, include intercepting outgoing data from the network agnostic mobile application at a tunnel interface on the mobile device; monitoring the outgoing data for network transactions from the network agnostic mobile application to maintain a context of the network transactions and the intended response for every request; transmitting the outgoing data from the tunnel interface to the cloud based security system; and receiving a response from the cloud based security system responsive to the outgoing data and processing any deviation from the intended responses.
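What "maintaining a context" and "processing any deviation" amount to in practice is a per-request table on the tunnel side and a comparison of each response against it. The following is an added example, not the patent's code: it tracks outgoing HTTP/1.1 requests, matches responses in order, and names the deviation (proxy re-authentication, off-host redirect such as a captive portal, a block page, or an unexpected status). The event names, the `X-Policy-Block` marker header and the sample request/response bytes are constructed for illustration.

```python
"""Added example: in-channel event detection from request/response context
at a tunnel interface.  Event taxonomy and sample traffic are hypothetical."""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class RequestContext:
    method: str
    host: str
    path: str
    max_intended_status: int = 399  # assumed: the app expects a 2xx/3xx from its own host


def _parse_head(data: bytes):
    """Split an HTTP/1.x head into its start line and a lowercase header dict."""
    head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    start, *rest = head.split("\r\n")
    headers = {}
    for line in rest:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers


@dataclass
class InChannelTracker:
    pending: list = field(default_factory=list)  # FIFO: HTTP/1.1 responses arrive in request order
    events: list = field(default_factory=list)

    def on_outgoing(self, data: bytes) -> RequestContext:
        """Record the context of a request seen at the tunnel interface."""
        start, headers = _parse_head(data)
        method, path, _ = start.split(" ", 2)
        host = headers.get("host", "").partition(":")[0]  # port stripped; IPv6 literals not handled here
        ctx = RequestContext(method, host, path)
        self.pending.append(ctx)
        return ctx

    def on_incoming(self, data: bytes) -> Optional[str]:
        """Match a response to the oldest pending request; return the event name
        if it deviates from the intended response, else None."""
        start, headers = _parse_head(data)
        status = int(start.split(" ", 2)[1])
        ctx = self.pending.pop(0)
        event = self._deviation(ctx, status, headers)
        if event:
            self.events.append((ctx, status, event))
        return event

    @staticmethod
    def _deviation(ctx: RequestContext, status: int, headers: dict) -> Optional[str]:
        # Hypothetical taxonomy; a real agent would key on its cloud service's own signalling.
        if status == 407:
            return "proxy-auth-required"   # the proxy wants the user to (re)authenticate
        if status in (301, 302, 303, 307, 308):
            target = urlsplit(headers.get("location", "")).hostname
            if target is not None and target != ctx.host:
                return "redirect-off-host"  # captive portal or SSO interception, not the app's own redirect
        if status == 403 and "x-policy-block" in headers:  # assumed marker set by the block page
            return "policy-block"
        if status > ctx.max_intended_status:
            return f"unexpected-status-{status}"
        return None


# Constructed request/response pairs as they would cross the tunnel interface.
REQUEST = b"GET /api/v1/me HTTP/1.1\r\nHost: app.example.com\r\nAccept: application/json\r\n\r\n"
RESPONSES = {
    "ok":       b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{}",
    "captive":  b"HTTP/1.1 302 Found\r\nLocation: http://captive.example.net/login\r\n\r\n",
    "own":      b"HTTP/1.1 302 Found\r\nLocation: https://app.example.com/api/v2/me\r\n\r\n",
    "proxy":    b"HTTP/1.1 407 Proxy Authentication Required\r\nProxy-Authenticate: Basic realm=\"proxy\"\r\n\r\n",
    "block":    b"HTTP/1.1 403 Forbidden\r\nX-Policy-Block: malware\r\n\r\n",
    "upstream": b"HTTP/1.1 503 Service Unavailable\r\n\r\n",
}


def run_scenario(names):
    """Replay one request per named response; return the event (or None) for each."""
    tracker = InChannelTracker()
    results = []
    for name in names:
        tracker.on_outgoing(REQUEST)
        results.append(tracker.on_incoming(RESPONSES[name]))
    return results
```

The redirect check compares the parsed `Location` host with the request's host rather than doing a string-prefix match, so `https://app.example.com.evil.net/` is correctly treated as off-host.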

MULTIDIMENSIONAL RISK PROFILING FOR NETWORK ACCESS CONTROL OF MOBILE DEVICES THROUGH A CLOUD BASED SECURITY SYSTEM
20170332238 · 2017-11-16

Systems and methods implemented in a cloud node in a cloud based security system for network access control of a mobile device based on multidimensional risk profiling thereof include receiving posture data from the mobile device; determining a device fingerprint and a risk index of the mobile device based on the posture data; and, responsive to a request by the mobile device for network resources through the cloud based security system, performing a multidimensional risk analysis based on the device fingerprint and the risk index and allowing or denying the request based on the multidimensional risk analysis.
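The abstract names three inputs to the decision: a device fingerprint derived from posture data, a risk index derived from the same data, and the request itself. The following is an added example, not the patent's method, of how a cloud node might combine them: the fingerprint is hashed only from identity fields so it is stable across volatile posture changes, the risk index is a weighted sum of posture flags, and the access decision consults fingerprint enrollment, risk index and resource sensitivity together. Weights, thresholds, resource classes and posture field names are assumptions.

```python
"""Added example: device fingerprint, risk index and a multidimensional
access decision from a posture report.  All weights and limits are assumed."""
import hashlib
import json

# Assumed per-dimension risk weights; the index is their sum, capped at 1.0.
RISK_WEIGHTS = {
    "jailbroken": 0.5,
    "no_passcode": 0.2,
    "os_outdated": 0.15,
    "no_disk_encryption": 0.15,
    "untrusted_network": 0.1,
}
# Assumed resource sensitivity classes and the maximum risk each tolerates.
RISK_LIMIT = {"public": 0.8, "internal": 0.4, "confidential": 0.2}
# Posture fields that identify the device rather than describe its current state.
IDENTITY_FIELDS = ("model", "serial_hash", "os_build", "enrollment_id")


def fingerprint(posture: dict) -> str:
    """Stable device identifier derived only from identity fields, so it survives
    changes in battery level, network or app inventory between posture reports."""
    stable = {k: posture.get(k) for k in IDENTITY_FIELDS}
    digest = hashlib.sha256(json.dumps(stable, sort_keys=True).encode()).hexdigest()
    return digest[:32]


def risk_index(posture: dict) -> float:
    """Weighted sum of the posture flags that are set, capped at 1.0."""
    score = sum(w for flag, w in RISK_WEIGHTS.items() if posture.get(flag))
    return min(round(score, 4), 1.0)


def decide(posture: dict, resource_class: str, enrolled: set) -> tuple:
    """Multidimensional decision: device identity (is the fingerprint enrolled?),
    device state (risk index) and the request (resource sensitivity) are all
    consulted.  Returns (allow, reason)."""
    fp = fingerprint(posture)
    risk = risk_index(posture)
    limit = RISK_LIMIT[resource_class]
    if posture.get("jailbroken"):
        return False, "jailbroken device: denied for every resource class"
    if fp not in enrolled and resource_class != "public":
        return False, f"fingerprint {fp[:8]} not enrolled: only public resources allowed"
    if risk > limit:
        return False, f"risk index {risk} exceeds limit {limit} for {resource_class}"
    return True, f"risk index {risk} within limit {limit} for {resource_class}"


# Constructed posture report as a cloud node might receive it from the device agent.
HEALTHY = {
    "model": "Phone 12", "serial_hash": "5f1c9a", "os_build": "17.4", "enrollment_id": "e-1001",
    "battery": 81, "untrusted_network": False,
}

if __name__ == "__main__":
    fp = fingerprint(HEALTHY)
    print(fp, risk_index(HEALTHY), decide(HEALTHY, "confidential", {fp}))
    print(decide({**HEALTHY, "no_passcode": True, "os_outdated": True}, "confidential", {fp}))
```

Keeping volatile fields out of the fingerprint is the point that matters operationally: if network or battery state fed the hash, every posture report would look like a new, unenrolled device and the identity dimension would be useless.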

Load balancing a TCP connection across multiple paths

A source of a transmission control protocol (TCP) connection includes a processor to establish the TCP connection based on a TCP source port number and a TCP destination port number associated with a destination. The processor also generates a TCP shim header including the TCP source port number and the TCP destination port number. The processor further generates a plurality of TCP headers including a plurality of proxy port numbers and a shim port number that indicates the TCP shim header. The source also includes a transceiver to transmit a plurality of packets comprising the plurality of TCP headers and the TCP shim header. The destination of the TCP connection includes a processor configured to establish the TCP connection and a transceiver to receive the plurality of packets via the TCP connection.
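The mechanism is a small framing trick: the real source and destination ports move into a shim header behind the outer TCP header, the outer header carries a rotating proxy source port (so per-flow hashing at intermediate hops spreads one connection across several paths) and a fixed shim port that tells the destination a shim header follows. The following is an added example, not the patent's wire format: the shim layout, the `SHIM_PORT` value and the toy path-hash are assumptions.

```python
"""Added example: encoding and decoding TCP segments that carry the original
ports in a shim header so one connection can be spread across paths.
The shim layout, SHIM_PORT and the hop's hash are hypothetical."""
import struct
from itertools import cycle

TCP_HDR = struct.Struct("!HHIIBBHHH")  # src, dst, seq, ack, offset<<4, flags, window, checksum, urgent
SHIM_HDR = struct.Struct("!HH")        # original source port, original destination port
SHIM_PORT = 9999                       # assumed shim port number announcing that a shim header follows


class MultipathSender:
    """Emits one TCP connection's segments with rotating outer source ports."""

    def __init__(self, src_port: int, dst_port: int, proxy_ports):
        self.shim = SHIM_HDR.pack(src_port, dst_port)  # the real connection identity
        self.proxy_ports = cycle(proxy_ports)
        self.seq = 0

    def segment(self, payload: bytes) -> bytes:
        outer_src = next(self.proxy_ports)
        # Outer header: proxy port as source, shim port as destination, PSH|ACK flags.
        tcp = TCP_HDR.pack(outer_src, SHIM_PORT, self.seq, 0, 5 << 4, 0x18, 65535, 0, 0)
        self.seq += len(payload)
        return tcp + self.shim + payload


def path_for(segment: bytes, n_paths: int) -> int:
    """What an ECMP hop does with the outer header: hash it to a path.  A toy
    sum-of-ports hash stands in for the hop's real hash function."""
    outer_src, outer_dst = struct.unpack_from("!HH", segment)
    return (outer_src + outer_dst) % n_paths


def receive(segment: bytes):
    """Destination side: if the outer destination is the shim port, strip the
    shim and restore the connection's real ports; otherwise pass through."""
    outer_src, outer_dst, seq = struct.unpack_from("!HHI", segment)
    body = segment[TCP_HDR.size:]
    if outer_dst != SHIM_PORT:
        return (outer_src, outer_dst, seq, body)
    src_port, dst_port = SHIM_HDR.unpack_from(body)
    return (src_port, dst_port, seq, body[SHIM_HDR.size:])


def reassemble(segments):
    """Group received segments by restored connection and rebuild each byte
    stream in sequence order, whatever order the paths delivered them in."""
    streams = {}
    for seg in segments:
        src, dst, seq, payload = receive(seg)
        streams.setdefault((src, dst), []).append((seq, payload))
    return {conn: b"".join(p for _, p in sorted(parts)) for conn, parts in streams.items()}


if __name__ == "__main__":
    sender = MultipathSender(40000, 443, [50001, 50002, 50003, 50004])
    segs = [sender.segment(c) for c in (b"GET /", b"index", b".html", b" HTTP/1.1\r\n")]
    print([path_for(s, 4) for s in segs])
    print(reassemble(reversed(segs)))
```

The receiver must treat the shim port as a trust boundary: any host on the path can stamp a shim header onto a segment, so a real implementation would only accept shimmed segments from an authenticated peer and would reject shim ports that map to connections it never established.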

METHODS AND APPARATUS FOR MEMORY ALLOCATION AND REALLOCATION IN NETWORKING STACK INFRASTRUCTURES

Methods and apparatus for memory allocation and reallocation in networking stack infrastructures. Unlike prior art monolithic networking stacks, the exemplary networking stack architecture described hereinafter includes various components that span multiple domains (both in-kernel, and non-kernel). For example, unlike traditional “socket” based communication, disclosed embodiments can transfer data directly between the kernel and user space domains. A user space networking stack is disclosed that enables extensible, cross-platform-capable, user space control of the networking protocol stack functionality. The user space networking stack facilitates tighter integration between the protocol layers (including TLS) and the application or daemon. Exemplary systems can support multiple networking protocol stack instances (including an in-kernel traditional network stack). Due to this disclosed architecture, physical memory allocations (and deallocations) may be more flexibly implemented.

Reception according to a data transfer protocol of data directed to any of a plurality of destination entities

A data processing system arranged for receiving over a network, according to a data transfer protocol, data directed to any of a plurality of destination identities, the data processing system comprising: data storage for storing data received over the network; and a first processing arrangement for performing processing in accordance with the data transfer protocol on received data in the data storage, for making the received data available to respective destination identities; and a response former arranged for: receiving a message requesting a response indicating the availability of received data to each of a group of destination identities; and forming such a response; wherein the system is arranged to, in dependence on receiving the said message.

Managing network sockets

In an approach for managing network sockets, a computer receives a request to create a network socket to transfer data. The computer identifies information associated with the received request, including one or more of: a default network protocol, one or more supported network protocols, ahead of time initialization, a data transfer policy, a failure policy, and a security policy. The computer creates a second level hash map based on the identified information, wherein the second level hash map includes the supported network socket protocols and a connection state. The computer determines a network protocol to utilize associated with the received request. The computer establishes a connection for the network socket over the determined network protocol.
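The abstract's two-level map is, in effect, {socket: {protocol: connection state}}, and the policies in the request determine which protocols appear in the inner map and what happens when the first choice fails. The following is an added example, not the patent's implementation: the policy names, the protocol capability set and the injected `dial` stub (used so the example runs offline) are assumptions.

```python
"""Added example: a socket manager keeping {socket_id: {protocol: state}}
and choosing a protocol under security and failure policies.  Policy names,
protocol capabilities and the transport stub are hypothetical."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Assumed protocol capabilities that the security policy filters on.
ENCRYPTED = {"tls", "quic"}


@dataclass
class SocketRequest:
    default_protocol: str
    supported_protocols: Tuple[str, ...]
    ahead_of_time: bool = False        # connect at creation, or lazily on first use
    transfer_policy: str = "stream"    # carried in the request; not used in this decision
    failure_policy: str = "fallback"   # "fallback": try the next protocol; "fail": stop
    security_policy: str = "any"       # "any" or "encrypted-only"


class SocketManager:
    """First level: socket id.  Second level: per-protocol connection state,
    built from the request's supported protocols after policy filtering."""

    def __init__(self, dial: Callable[[str], object]):
        self.dial = dial  # transport opener, injected so the example runs offline
        self.table: Dict[int, Dict[str, str]] = {}
        self.requests: Dict[int, SocketRequest] = {}
        self.connections: Dict[int, object] = {}
        self._next_id = 1

    def create(self, req: SocketRequest) -> int:
        if req.security_policy == "encrypted-only" and req.default_protocol not in ENCRYPTED:
            raise ValueError(f"default protocol {req.default_protocol} violates security policy")
        allowed = [p for p in req.supported_protocols
                   if req.security_policy == "any" or p in ENCRYPTED]
        sid = self._next_id
        self._next_id += 1
        self.table[sid] = {p: "idle" for p in allowed}  # the second level hash map
        self.requests[sid] = req
        if req.ahead_of_time:
            self.connect(sid)
        return sid

    def connect(self, sid: int) -> Optional[str]:
        """Try the default protocol first, then the remaining allowed ones if the
        failure policy permits fallback.  Returns the protocol used, or None."""
        req, states = self.requests[sid], self.table[sid]
        order = [req.default_protocol] + [p for p in states if p != req.default_protocol]
        for proto in order:
            if proto not in states:  # default not supported or filtered out by policy
                continue
            states[proto] = "connecting"
            try:
                self.connections[sid] = self.dial(proto)
            except ConnectionError:
                states[proto] = "failed"
                if req.failure_policy == "fail":
                    return None
                continue
            states[proto] = "connected"
            return proto
        return None


# Constructed transport: QUIC is blocked on this network, everything else connects.
def fake_dial(proto: str):
    if proto == "quic":
        raise ConnectionError("UDP/443 blocked")
    return f"{proto}-connection"


if __name__ == "__main__":
    mgr = SocketManager(fake_dial)
    sid = mgr.create(SocketRequest("quic", ("quic", "tls", "tcp"),
                                   ahead_of_time=True, security_policy="encrypted-only"))
    print(sid, mgr.table[sid], mgr.connections[sid])
```

Note that the security policy is applied when the inner map is built, not at connect time: a plaintext fallback can only be reached if it was admitted into the map, which keeps "fallback" from silently downgrading an encrypted-only socket.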

Methods and apparatus for classification of flow metadata with user space communication stacks

Methods and apparatus for efficient data transfer within a user space network stack. Unlike prior art monolithic networking stacks, the exemplary networking stack architecture described hereinafter includes various components that span multiple domains (both in-kernel, and non-kernel). For example, unlike traditional “socket” based communication, disclosed embodiments can transfer data directly between the kernel and user space domains. Direct transfer reduces the per-byte and per-packet costs relative to socket based communication. A user space networking stack is disclosed that enables extensible, cross-platform-capable, user space control of the networking protocol stack functionality. The user space networking stack facilitates tighter integration between the protocol layers (including TLS) and the application or daemon. Exemplary systems can support multiple networking protocol stack instances (including an in-kernel traditional network stack).

NETWORK TRANSPARENCY ON VIRTUAL MACHINES USING SOCKET IMPERSONATION
20210397467 · 2021-12-23

A system includes a hypervisor, a virtual machine (VM), and a host system. The VM includes a kernel and an application, and the VM is in communication with the hypervisor. The host system includes a memory and one or more processors in communication with the memory, and hosts the VM and the hypervisor. The one or more processors are configured to create, via the kernel, a first socket accessible to the application. A second socket in communication with an endpoint is created at the host system. A virtual communication channel between the hypervisor and the kernel of the VM connects the first socket to the hypervisor. The hypervisor is configured to transmit inputs/outputs (I/Os) received from the application through the virtual communication channel to the endpoint via the second socket.

USER-MODE PROTOCOL STACK-BASED NETWORK ISOLATION METHOD AND DEVICE
20210392091 · 2021-12-16

A user-mode protocol stack-based network isolation method includes: at a bottom-layer network card interface of a user-mode protocol stack, for each network card, adding an isolation space pointer for binding to a network isolation space; when a service application is initialized, configuring a plurality of user-mode protocol stack network isolation spaces with independent protocol stack private tables based on the user-mode protocol stack; for each network card, designating a corresponding user-mode protocol stack network isolation space through the isolation space pointer of each network card; and for service data received from each network card, performing data processing on the service data through protocol stack private tables in a user-mode protocol stack network isolation space corresponding to the network card.
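The isolation here is per-NIC rather than per-process: each network card carries a pointer to one isolation space, and every table the stack consults for that card's traffic (neighbor cache, routing table, listening sockets) is private to that space. The following is an added example, not the patent's code, showing two tenants with overlapping 10.0.0.0/24 addressing whose packets are resolved against different private tables purely by which NIC received them. Table contents, tenant names and packets are constructed.

```python
"""Added example: per-NIC isolation spaces with private protocol-stack tables,
in the style of a user-mode stack.  All tables and packets are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class IsolationSpace:
    """One protocol stack instance with its own private tables."""
    name: str
    routes: list = field(default_factory=list)     # [(network, next_hop)], private routing table
    neighbors: dict = field(default_factory=dict)  # ip -> mac, private ARP/neighbor cache
    listeners: dict = field(default_factory=dict)  # (ip, port) -> service, private socket table

    def add_route(self, cidr: str, next_hop: str) -> None:
        self.routes.append((ipaddress.ip_network(cidr), next_hop))

    def lookup_route(self, dst: str) -> Optional[str]:
        """Longest-prefix match against this space's table only."""
        addr = ipaddress.ip_address(dst)
        matches = [(net.prefixlen, hop) for net, hop in self.routes if addr in net]
        return max(matches)[1] if matches else None


@dataclass
class Nic:
    name: str
    space: Optional[IsolationSpace] = None  # the per-NIC isolation space pointer


def bind(nic: Nic, space: IsolationSpace) -> None:
    """Designate the isolation space a NIC's received data is processed in."""
    nic.space = space


def process_rx(nic: Nic, dst_ip: str, dst_port: int):
    """Handle service data received on a NIC using only the tables of the space
    the NIC points to.  An unbound NIC drops everything rather than falling back
    to some shared default table."""
    if nic.space is None:
        return ("drop", nic.name, "unbound NIC")
    space = nic.space
    service = space.listeners.get((dst_ip, dst_port))
    if service is not None:
        return ("deliver", space.name, service)
    next_hop = space.lookup_route(dst_ip)
    if next_hop is None:
        return ("drop", space.name, "no route")
    mac = space.neighbors.get(next_hop, "needs-arp")
    return ("forward", space.name, next_hop, mac)


def build_demo():
    """Two tenants reusing 10.0.0.0/24, each bound to its own NIC and space;
    a third NIC is left unbound."""
    tenant_a = IsolationSpace("tenant-a")
    tenant_a.listeners[("10.0.0.5", 8080)] = "billing-api"
    tenant_a.add_route("10.0.0.0/24", "10.0.0.1")
    tenant_a.neighbors["10.0.0.1"] = "aa:aa:aa:00:00:01"

    tenant_b = IsolationSpace("tenant-b")
    tenant_b.listeners[("10.0.0.5", 8080)] = "inventory-api"
    tenant_b.add_route("10.0.0.0/24", "10.0.0.1")
    tenant_b.add_route("0.0.0.0/0", "10.0.0.254")  # only tenant B has a default route

    nic_a, nic_b, nic_c = Nic("eth0"), Nic("eth1"), Nic("eth2")
    bind(nic_a, tenant_a)
    bind(nic_b, tenant_b)
    return nic_a, nic_b, nic_c


if __name__ == "__main__":
    a, b, c = build_demo()
    for nic in (a, b, c):
        print(nic.name, process_rx(nic, "10.0.0.5", 8080), process_rx(nic, "8.8.8.8", 53))
```

The security property to check in such a design is the absence of any shared fallback: a packet on tenant A's NIC must never be resolved with tenant B's route or neighbor entries, and an unbound NIC must drop rather than consult a global table.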