H04L61/2571

TRUSTED SYSTEM FOR PROVIDING CUSTOMIZED CONTENT TO INTERNET SERVICE PROVIDER SUBSCRIBERS
20220303343 · 2022-09-22

A method includes receiving, by a processing system of a user endpoint device, a network cookie directly from an Internet service provider that provides the subscriber associated with the user endpoint device with connectivity to the Internet; storing, by the processing system, the network cookie in a local memory of the user endpoint device; generating, by the processing system, a request to send to the Internet service provider, wherein the request comprises a request for an Internet protocol address associated with a uniform resource locator of an Internet content provider; attaching, by the processing system, the network cookie to the request; and sending, by the processing system, the request including the network cookie to the Internet service provider.

System and method for use of a suffix tree to control blocking of blacklisted encrypted domains
11438166 · 2022-09-06

In accordance with an embodiment, described herein are systems and methods for use of a suffix tree to control blocking of blacklisted encrypted domains. A suffix tree includes encrypted hash keys corresponding to a plurality of domain nodes. A domain-related request packet is received, and a target domain name is extracted from the packet. A pair of hash keys is generated for the request packet and target domain, and a hash table is searched with the generated hash key pair. If a corresponding entry is found in the hash table, then a corresponding hash suffix pointer is determined for the packet, and the suffix tree is examined to determine whether the node identified by the query is part of a blacklisted node. If the suffix tree indicates the node to be part of a blacklisted node, then the system can perform a specified action associated with that node.

HYBRID AND EFFICIENT METHOD TO SYNC NAT SESSIONS
20220200953 · 2022-06-23

The method synchronizes network address translation (NAT) records between an active gateway and a standby gateway. The method of some embodiments synchronizes NAT records of long-term data flows more frequently than those of short-term flows. Multiple data flows pass between a device at an internal source address and a device at an external destination address through the active NAT gateway. For each flow, the method generates a NAT record. The method then determines whether the data flow is a short-term flow or a long-term flow and synchronizes the NAT records of the long-term flows, but not the NAT records of the short-term flows, with the standby gateway. The method of some embodiments synchronizes NAT records more frequently when NAT records are being generated quickly relative to prior generation rates and less frequently when NAT records are being generated slowly relative to the prior generation rates.

System and method for identifying devices behind network address translators based on TCP timestamps
11303736 · 2022-04-12

Methods and systems for monitoring activity on a local area network (LAN). In particular, embodiments described herein provide systems and methods for associating packets with the devices from which they were communicated, despite the obfuscatory behavior of any network address translators (NAT). A processor first receives packets that were collectively communicated, by a plurality of devices, via a NAT-serviced LAN. The processor aggregates the packets into multiple packet aggregations on a per-device basis, using fields that are contained in the respective packet headers of the packets. The packet aggregations may then be grouped. The embodiments use unencrypted lower-level information (including, for example, IPIDs and domain names), such that aggregation and grouping may be successfully performed even if information in the application layer is encrypted.

System and method for authentication of collectable objects
11270294 · 2022-03-08

Provided is a system and method for authentication of collectable objects. A hi-resolution digital camera in communication with a nonvolatile data storage device having a data partition capable of being made immutable is provided. The nonvolatile data storage device is compatible with a computerized device, and the hi-resolution digital camera is operated to record at least one hi-resolution digital image of at least one unique appearance characteristic of a collectable object at an image resolution of at least 300 pixel dots per inch at 1:1 image scale. The at least one hi-resolution digital image is stored in the data partition of the nonvolatile data storage device, together with additional image data. A tamper-resistant marking associated with the collectable object is placed on the nonvolatile data storage device.

SYSTEM AND METHOD FOR MATCHING AND COLLECTING USER DATA AND/OR USER DEVICE DATA

Systems and methods for matching and collecting user data and/or user device data within a current Internet access session of a user, for use by user notification systems that generate, distribute and display informational messages over the Internet. The system includes a source data reception unit configured to receive, from the NAT service, a source IP address and a source user device port matched with the translated IP address and the translated port of the operator or the provider. A data matching unit matches user data and/or user device data from all available sources, including but not limited to operator or provider databases, using the received source IP address and the received user device port. The systems and methods provide delivery of informational messages based on the collected/matched user data and/or user device data to the maximum number of real identified users.

Determining on-net/off-net status of a client device
11153350 · 2021-10-19

Systems and methods are described for determining an on-net/off-net status of a client device. An endpoint security program running on the client device maintains an enterprise public Internet Protocol (IP) list containing one or more ranges of public IP addresses associated with an enterprise network. Further, the endpoint security program sends a request to a cloud-based service for information regarding the public IP address of the client device. In response to the request, the endpoint security program receives from the cloud-based service a response containing the public IP address and determines a connection status of the client device with respect to the enterprise network by comparing the public IP address to the enterprise public IP list.

Method of interconnecting between network applications and a type of network access apparatus
11108733 · 2021-08-31

The present disclosure provides a method of interconnecting between network applications and a type of network access apparatus. The method includes: acquiring a network address and a network application port number of a first network device and first validation information; receiving a network address and an application port number of a second network device and second validation information according to the network address and the network application port number of the first network device and the first validation information; validating, according to the second validation information, whether the network address and the application port number of the second network device are the connection information requested by the network application of the first network device; and, if so, connecting the network application of the first network device with the network application of the second network device according to the network address and the network application port number of the second network device.

Traffic visibility and segmentation policy enforcement for workloads in different address spaces
11095611 · 2021-08-17

A segmentation server generates and distributes management instructions for enforcing a segmentation policy. The segmentation server discovers a network configuration of workloads including an identification of workloads that are behind network address translation modules. The segmentation server generates management instructions for enforcing the rules in a manner dependent on the detected network configuration. Furthermore, the segmentation server monitors traffic flows and generates a traffic flow graph in a manner dependent on the detected network configuration.

Scaling border gateway protocol services

This disclosure describes techniques for scaling resources that handle, participate in, and/or control routing protocol sessions. In one example, this disclosure describes a method that includes instantiating a plurality of containerized routing protocol modules, each capable of storing routing information about a network having a plurality of routers; performing network address translation to enable each of the containerized routing protocol modules to communicate with each of the plurality of routers using a public address associated with the computing system; configuring each of the containerized routing protocol modules to peer with a different subset of the plurality of routers so that each of the containerized routing protocol modules shares routing information with a respective different subset of the plurality of routers; and configuring each of the containerized routing protocol modules to peer with each other to share routing information received from the different subsets of the plurality of routers.