Patent classifications
H04L63/0245
SOCKET TRANSFERRING FOR HPC NETWORKS USING KERNEL TRACING
A computer-implemented method for building socket transferring between containers in cloud-native environments by using kernel tracing techniques is provided, including probing a connection-relevant system call event by using an eBPF to collect and filter data at a router, creating a mirror call at a host namespace with a dummy server and dummy client by creating the dummy server with mirror listening parameters, sending a server host address mapping to overlay the server host address to the client coordinator in an overlay process, and creating and connecting the dummy client to return a client host address to the server coordinator. The method further includes transferring mirror connections to the overlay process via a forwarder by temporary namespaces entering and injecting socket system calls, and probing a transfer call event to map an overlay socket with a transferred dummy socket to activate duplication when the overlay socket is not locked.
Method and apparatus for providing IP address filtering
A method and apparatus for providing IP address filtering. The method identifies one or more suspicious Uniform Resource Locators (URLs) and resolves the one or more suspicious URLs to one or more suspicious IP addresses. A suspicious IP address list is created containing the one or more suspicious IP addresses. The suspicious IP address list may be used to facilitate a security response to filter one or more of the IP addresses in the suspicious IP address list.
Cyber protections of remote networks via selective policy enforcement at a central network
An enterprise organization may operate a central network and one or more remote networks, each comprising a plurality of computing devices. For protection against malicious actors, the central network may be configured to filter network traffic associated with the computing devices based on identified threats. Traffic corresponding to computing devices connected to the remote network may be tunneled to the central network for filtering by the central network. A tunnel gateway device, associated with the remote network, may efficiently identify which communications are associated with Internet threats, and tunnel such identified traffic to the central network, where actions may be taken to protect the enterprise network.
Electronic message processing systems and methods
A message-hold decision maker system used with an electronic mail processing system that processes electronic messages for a protected computer network improves the electronic mail processing system's performance by increasing the throughput performance of the system. The improvements are achieved by providing an electronic mail processing gateway with additional logic that makes fast and intelligent decisions on whether to hold, block, allow, or sandbox electronic messages in view of potential threats such as viruses or URL-based threats. A message hold decision maker uses current and stored information from a plurality of specialized classification engines to quickly make the decisions. In some examples, the message hold decision maker will instruct an email gateway to hold an electronic mail message while the classification engines perform further analysis.
Method for filtering communication data arriving via a communication connection, in a data processing device, data processing device and motor vehicle
A method for filtering communication data arriving from a communication partner via a communication connection, which provides access to at least one storage means of a receiving data processing device having at least one computation unit, in the data processing device, wherein PCI Express, in an interface unit, receiving the communication data, of the data processing device, a filter means, at least part of which is embodied as hardware, is used so that, according to configuration information, prescribed on the data processing device, containing at least one approval condition that rates the at least one property of the useful data contained in the communication data, only the communication data meeting at least one approval condition are forwarded from the interface unit to at least one further component of the data processing device.
Method for identifying application information in network traffic, and apparatus
A first correspondence table in a terminal device stores a correspondence between an identifier of a process running on the terminal device and an identifier of a data stream created by the process; a second correspondence table stores a second correspondence between an identifier of an application and an identifier of a process created by the application. The terminal device receives an identifier, sent by a network security device, of a first data stream. The terminal device can find, in the first correspondence table, a first record storing the identifier of the first data stream to obtain an identifier of a process. The terminal device can find, in the second correspondence table, a second record storing the identifier of the process in the first record to obtain an identifier of an application from the second record. The identifier of the application is then sent to the network security device.
SYSTEM AND METHOD FOR EFFICIENT NUMERICAL DATA MODEL, MEMORY MANAGEMENT, STREAMING AGGREGATION AND CONTEXTUAL EVENT CHECKS IN LARGE SEMI-STRUCTURED DATASETS
A system for efficiently parsing semi-structured deep packet inspection traffic data tied to a telecommunications entity. The system is capable of parsing such records at million-records-per-second scale through use of a numerical data model, proven fundamental algebraic techniques, and shortcuts to label streaming traffic on the fly. In some embodiments, the system may perform parallel accumulation of data traffic into business grade counters using elementary techniques and subsequently identify subscribers exhibiting specific data patterns in real time for contextual targeting of promotional offers. A method of efficiently parsing the traffic data via the system of the disclosure is also provided.
Network based password policy detection and enforcement
A processor may receive a packet configured to travel in a network. The packet may be configured to travel from a first device to a second device. The processor may analyze the packet. The processor may detect a password with the packet. The processor may determine whether the detected password complies with at least one password policy. The processor may provide a password policy compliance output to a user. The password policy compliance output may indicate to the user whether the detected password complies with the at least one password policy.
Real-time prevention of malicious content via dynamic analysis
This disclosure is related to methods and apparatus for preventing malicious content from reaching a destination via a dynamic analysis engine that may operate in real time when packetized data is received. Data packets sent from a source computer may be received and be forwarded to an analysis computer that may monitor actions performed by executable program code included within the set of data packets when making determinations regarding whether the data packet set should be classified as malware. In certain instances, all but a last data packet of the data packet set may also be sent to the destination computer while the analysis computer executes and monitors the program code included in the data packet set. In instances when the analysis computer identifies that the data packet set does include malware, the malware may be blocked from reaching the destination computer by not sending the last data packet to the destination computer.
Mitigating communication risk by detecting similarity to a trusted message contact
At least one of a measure of trust or a measure of spoofing risk associated with a sender of a message is determined. A measure of similarity between an identifier of the sender of the message and an identifier of at least one trusted contact of a recipient of the message is determined. The measure of similarity is combined with at least one of the measure of trust or the measure of spoofing risk to at least in part determine a combined measure of risk associated with the message. Based at least in part on the combined measure of risk associated with the message, a verification action is performed including by automatically providing an inquiry message that requests a response to be provided.