CN103907330B - System and method for redirected firewall discovery in a network environment - Google Patents
System and method for redirected firewall discovery in a network environment
- Publication number: CN103907330B (application CN201280053580.XA)
- Authority: CN (China)
- Prior art keywords: firewall, metadata, network flow, network
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0209—Architectural arrangements, e.g. perimeter networks or demilitarized zones
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0442—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/10—Active monitoring, e.g. heartbeat, ping or trace-route
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2101—Auditing as a secondary aspect
Abstract
In one example embodiment, a method is provided that includes receiving metadata from a host over a metadata channel. The metadata may be correlated with a network flow, and a network policy may be applied to the connection. In other embodiments, a network flow may be received from the host without metadata associated with the flow, and a discovery redirect may be sent to the host. Metadata may then be received and correlated with the flow to identify a network policy action to apply to the flow.
Description
Technical Field
This specification relates generally to the field of network security and, more particularly, to a system and method for redirected firewall discovery in a network environment.
Background
The field of network security has become increasingly important in today's society. The Internet has enabled interconnection of different computer networks all over the world. However, the Internet has also presented many opportunities for malicious operators to exploit these networks. Once certain types of malicious software (e.g., bots) have infected a host computer, the software can be configured to receive commands from a remote operator. The software can be instructed to perform any number of malicious actions, such as sending spam or malicious email from the host computer, stealing sensitive information from a business or individual associated with the host computer, propagating to other host computers, and/or assisting with distributed denial-of-service attacks. In addition, a malicious operator can sell or otherwise give access to other malicious operators, thereby escalating the exploitation of these host computers. Thus, the ability to effectively protect and maintain stable computers and systems continues to present significant challenges for component manufacturers, system designers, and network operators.
Brief Description of the Drawings
To provide a more complete understanding of the present disclosure and its features and advantages, reference is made to the following description taken in conjunction with the accompanying figures, in which like reference numerals represent like parts:
FIG. 1 is a simplified block diagram illustrating an example embodiment of a network environment in which a firewall may be discovered through host redirection in accordance with this specification;
FIG. 2 is a simplified block diagram illustrating additional details that may be associated with one potential embodiment of the network environment;
FIG. 3 is a simplified interaction diagram illustrating potential operations that may be associated with an example embodiment of the network environment;
FIG. 4 is a simplified interaction diagram illustrating potential operations that may be associated with an example embodiment of the network environment having a stale firewall cache that identifies an invalid firewall for a managed route;
FIG. 5 is a simplified interaction diagram illustrating potential operations that may be associated with another example embodiment of the network environment having a stale firewall cache that identifies an invalid firewall for a managed route; and
FIG. 6 is an example packet data unit format that may be associated with exchanging metadata in an example embodiment of the network environment.
Detailed Description
In one example embodiment, a method is provided that includes receiving metadata from a host over a metadata channel. The metadata may be correlated with a network flow, and a network policy may be applied to the flow.
In other embodiments, a network flow may be received from a host without metadata associated with the flow, and a discovery redirect may be sent to the host. Metadata may then be received and correlated with the flow to identify a network policy action to apply to the flow.
Example Embodiments
Turning to FIG. 1, FIG. 1 is a simplified block diagram of an example embodiment of a network environment 10 in which a firewall may be discovered through host redirection. In the embodiment illustrated in FIG. 1, network environment 10 may include Internet 15, user hosts 20a and 20b, a firewall 25, a policy server 30, a mail server 35, and a web server 40. In general, user hosts 20a-20b may be any type of end node in a network connection, including but not limited to a desktop computer, a server, a laptop computer, a mobile telephone, or any other type of device that can receive or establish a connection with another node, such as mail server 35 or web server 40. Firewall 25 may control communications between user hosts 20a-20b and other nodes attached to Internet 15 or to another network, for example by blocking unauthorized access while permitting authorized communications. In some instances, firewall 25 may be coupled to or integrated with an intrusion prevention system, a network access control device, a web gateway, an email gateway, or any other type of gateway between Internet 15 and user hosts 20a-20b. Moreover, the position of firewall 25 in the routing topology near user hosts 20a-20b is arbitrary. Policy server 30 may be coupled to or integrated with firewall 25 and may be used to manage user hosts 20a-20b and to manage and distribute network policies. Thus, in this example embodiment, user hosts 20a-20b may communicate with servers attached to Internet 15, such as mail server 35 or web server 40, by establishing connections through firewall 25 if permitted by the policies executed in firewall 25 and managed by policy server 30.
Each of the elements of FIG. 1 may couple to one another through simple interfaces or through any other suitable connection (wired or wireless), which provides a viable pathway for network communications. Additionally, any one or more of these elements may be combined or removed from the architecture based on particular configuration needs. Network environment 10 may include a configuration capable of transmission control protocol/Internet protocol (TCP/IP) communications for the transmission or reception of packets in a network. Network environment 10 may also operate in conjunction with user datagram protocol/IP (UDP/IP) or any other suitable protocol where appropriate and based on particular needs.
For purposes of illustrating the techniques for providing network security in example embodiments, it is important to understand the activities occurring within a given network. The following foundational information may be viewed as a basis from which the present disclosure may be properly explained. Such information is offered earnestly for purposes of explanation only and, accordingly, should not be construed in any way to limit the broad scope of the present disclosure and its potential applications.
Typical network environments used in organizations and by individuals include the ability to communicate electronically with other networks using the Internet, for example to access web pages hosted on servers connected to the Internet, to send or receive electronic mail (i.e., email) messages, or to exchange files. Malicious users, however, continue to develop new tactics for using the Internet to spread malware and to gain access to confidential information. Malware generally includes any software designed to access and/or control a computer without the informed consent of the computer owner, and is most commonly used as a label for any hostile, intrusive, or annoying software (e.g., computer viruses, bots, spyware, adware, etc.). Once compromised, malware may subvert a host and use it for malicious activity, such as spamming or information theft. Malware also typically includes one or more propagation vectors that enable it to spread within an organization's network or across other networks to other organizations or individuals. Common propagation vectors include exploiting known vulnerabilities on hosts within the local network and sending emails with a malicious program attached or providing malicious links within the emails.
One way malware may operate is by deceiving a user with a network protocol exchange different from what the user expects. Malware may be packaged so as to convince the user to allow access in order to run it in some innocuous manner, thus allowing it access to the network, which may often require passing through a firewall or other security measures. The malware may then exploit that access to engage in alternative or additional activities not anticipated by the user. For example, a game may send email messages, or a word processor may open a network connection. Malware may also use standard protocols to fool a firewall into allowing the malware to establish remote connections.
Botnets, for example, use malware and are an increasing threat to computer security. In many cases they employ sophisticated attack schemes that include a combination of well-known and new vulnerabilities. Botnets generally use a client-server architecture where a type of malicious software (i.e., a bot) is placed on a host computer and communicates with a command and control (C&C) server, which may be controlled by a malicious user (e.g., a botnet operator). Usually, a botnet is composed of a large number of bots that are controlled by the operator using a C&C protocol through various channels, including Internet Relay Chat (IRC) and peer-to-peer (P2P) communication. The bot may receive commands from the C&C server to perform particular malicious activities and, accordingly, may execute such commands. The bot may also send any results or pilfered information back to the C&C server.
Bots are often designed to initiate communication with the C&C server and to masquerade as normal web browser traffic. For example, a bot may use a port that is typically used to communicate with a web server. Such bots, therefore, may not be detected by existing technologies without performing more detailed packet inspection of the network traffic. Moreover, once a bot is discovered, the botnet operator may simply find another way for the bot to masquerade network traffic so that it continues to appear as normal web traffic. More recently, botnet operators have crafted bots to use encryption protocols such as Secure Sockets Layer (SSL), thereby encrypting malicious network traffic. Such encrypted traffic may use a Hypertext Transfer Protocol Secure (HTTPS) port so that only the endpoints involved in the encrypted session can decrypt the data. Thus, existing firewalls and other network intrusion prevention technologies may be unable to perform any meaningful inspection of the network traffic, and bots may continue to infect host computers within networks.
Other software security technologies focus on preventing unauthorized program files from executing on a host computer, which may have undesirable side effects for end users or for employees of a business or other organizational entity. Network or information technology (IT) administrators may be tasked with crafting extensive policies covering all aspects of the business entity so that employees can obtain software and other electronic data from desired and trusted network resources. Without appropriately extensive policies, employees may be prevented from downloading software and other electronic data from network resources that have not been specifically authorized, even when such software and other data facilitate legitimate and necessary business activities. Such systems may be so restrictive that, if unauthorized software is found on a host computer, any host computer activity may be suspended pending intervention by a network administrator. Moreover, at the network level there may simply be too many applications to track and incorporate into policies effectively. Large whitelists or blacklists may be difficult to maintain and may degrade network performance, and some applications may not be easily identified.
Information can be shared between a host and a firewall, however, to jointly and mutually achieve better security. For example, a host may understand an application as an executable that runs a process with particular credentials, while a firewall may understand an application as a protocol in a TCP connection that may also be associated with particular user credentials. The host can share session descriptors and other metadata with the firewall, and the firewall can share network policy with the host when needed, so that application activity can be correlated with expected network behavior. Network policy may include elements of security policy and other network-specific parameters, such as quality of service (QoS) and routing. A host may also be associated with a universally unique identifier (UUID), which can be used to correlate connections and activity originating from behind a network address translator.
A host may also notify the firewall of additional network connections to the host. For example, if a host has both an active wireless and an active wired connection, there may be a risk that data received on one connection is transmitted over the other, so it may be desirable to restrict access to sensitive data. The host may also notify the firewall whether a connection is associated with a virtual machine, or whether the host has loadable read/write media (e.g., an attached USB stick).
In some embodiments of network environment 10, a host may include multiple attachment points such that it has multiple IP addresses. In other embodiments, a host may use IP version 6 (IPv6), possibly including privacy extensions (RFC 4941), such that it has one or more registered and known IPv6 addresses and one or more hidden or private IPv6 addresses. In these embodiments, an interlocked firewall can simply use dynamic information sharing to discover the user-to-host mapping for all addresses on the host.
This dynamic information sharing between interlocked hosts and firewalls in network environment 10 can provide several advantages over conventional architectures. For example, by coordinating firewall policy with the host, the firewall can manage routes differently, such as by allowing or denying traffic depending on which of multiple users on the host is attempting to establish a connection. Moreover, only applications that need granular control need to be controlled by the firewall. The firewall can therefore control arbitrary or evasive applications, provide higher effective throughput, and control mobile user traffic. Traffic that need not be entirely allowed or denied can be rate-limited. Using processing information available on the firewall, arbitrary or evasive applications can also be rate-limited, and differentiated service can be provided to managed and unmanaged hosts.
Many hosts may use only a single firewall for all routes. An agent running on the host may maintain a firewall cache that identifies this firewall. In more complex scenarios, a host may use more than one firewall, in which case it is important for the host to understand which firewall will handle a given flow. By mapping a given network route to a particular firewall, the firewall cache can provide routes through more than one firewall. Routes are generally either managed or unmanaged. A "managed route" generally refers to a route through a firewall that can be configured to receive metadata for a network flow, while an "unmanaged route" is a route through a firewall that cannot receive metadata. The firewall cache may associate a network (e.g., identified by a network destination and a network mask) with, for example, the firewall designated to manage flows to that network, or may associate an unmanaged route with a null value. The firewall cache may be initialized or configured by an administrator, providing a separate configuration for each named network and/or a default configuration for when a network is first used. Some configurations may initially define one firewall for Internet addresses, based on the assumption that all global IP addresses are on the Internet.
A session descriptor generally includes information about the host and application associated with a given network session. For example, a session descriptor may include a UUID associated with the host and the user credentials of the process owner. Such information can be particularly advantageous for Citrix and terminal services, since users may run separate processes with different user credentials. A session descriptor may additionally include the file name, path name, or other unique identifier (e.g., C:\...\WINWORD.EXE) of the application file that runs the process attempting to establish the network connection. In some embodiments, for example, an application may be identified by a hash of the application's executable file, so that it is more difficult for a malicious user to spoof the application name. The firewall may correlate this information with an application identifier or protocol to ensure that the application performs as expected. A session descriptor may also contain information about the host environment, such as the software installed on the host and its current configuration and state, allowing the firewall to act as a network access control device. For example, a session descriptor may indicate whether the local antivirus system is up to date and running. If host-based data loss prevention (HDLP) software is available, the session descriptor may also include file-typing information for file transfers. HDLP generally determines the type of file (e.g., PDF, Word, etc.) being transferred out of the network. The firewall may have additional policy regarding a certain file type being transferred over a particular protocol that may not be directly visible to the HDLP program.
In some embodiments of network environment 10, session descriptors and other metadata may be exchanged over an out-of-band communication channel (a "metadata channel"), which may be implemented with a protocol that provides authentication and/or encryption for communication privacy. In more particular embodiments, the Datagram Transport Layer Security (DTLS) protocol may be used to provide a metadata channel with communication privacy, and the host and firewall may use certificates issued by a common certificate authority. In some embodiments, a policy server may distribute certificates to hosts and firewalls, while an external certificate authority may be used in other embodiments. Some protocols, including DTLS, may also be used to establish a reverse channel from the firewall to the host, which may be used, for example, for error messages and diagnostics.
A host may send metadata to the firewall before opening a new network flow, so that the metadata generally arrives at the firewall before the first packet of the new flow. More particularly, a firewall agent on the host may intercept the first packet of a new flow and send the session descriptor and other metadata associated with the flow, such as the source IP address and port, the destination IP address and port, and the protocol. The firewall may maintain a metadata cache and may correlate the flow with the metadata once the firewall agent releases the network flow. More specifically, the firewall may correlate the metadata with network flow data, which broadly refers to information associating a given network flow with a source node (i.e., the node sending or attempting to send packets) and a destination node (i.e., the node to which the packets are addressed) or multiple destination nodes (e.g., broadcast or multicast addresses). Flow data may also include other information about the flow, such as the protocol family or protocol.
For example, TCP generally opens a new flow (commonly called a "connection" in the context of TCP flows) with a handshake: the host sends a first packet with a TCP flag bit set to indicate that a three-way handshake is in progress (i.e., the SYN bit). An agent on the source node can therefore intercept a new TCP connection by detecting the request on the source node that sends the SYN packet (i.e., a packet with the SYN bit set) and holding the SYN packet. The agent may be able to identify the firewall that manages the route to the destination node associated with the new connection, for example by locating the route and its associated firewall in the firewall cache, and send metadata to that firewall over the secure metadata channel (the firewall may cache it). The connection request can then be released by forwarding the SYN packet toward the firewall, and the firewall can correlate it with the source IP, destination IP, protocol, and so on.
Flows are not limited to communications using reliable protocols such as TCP; flows may also include communications using unreliable protocols such as UDP or IP. In other embodiments, the agent may track flows using unreliable protocols and intercept a new flow by holding the first packet of the flow while it transmits the metadata. The agent may also retransmit the metadata by caching a hash of the first packet of the flow and comparing that hash with the hash of subsequent packets to determine whether the first packet is being retransmitted by the application. In other embodiments, the firewall may track flows and cache the first packet until the metadata arrives. In still other embodiments, metadata may be sent with every packet in a flow using an unreliable protocol, or never sent at all. Caching of first-packet data can be very brief (e.g., less than one to five seconds).
A host, however, cannot always identify or locate such a firewall. For example, a host may move from one network to another (e.g., a laptop moving from a home network to a corporate network), or may have misconfigured routing tables, stale table entries, or missing table entries, any of which can cause the host to send metadata to the wrong firewall (or to send no metadata at all). If a host cannot determine the location of the firewall, an additional mechanism is needed.
In accordance with embodiments disclosed herein, network environment 10 can provide a system and method for redirect-based discovery of an interlocked firewall. A firewall may maintain a list of managed hosts, which may be identified within a given subnet range or identified explicitly, for example by IP address or host name. In some embodiments, a policy server may provide the list to the firewall. The firewall may cache or discard the initial connection packet (e.g., a SYN packet) and send a firewall-host discovery redirect to any managed host that attempts to open a connection without sending the appropriate metadata. In more particular embodiments, network environment 10 can reduce the volume of redirect traffic by not sending discovery redirects for link-local or local broadcast traffic (e.g., Network Basic Input/Output System probes on port 137).
Managed hosts and the firewall may also maintain a shared secret (e.g., a password, a key, etc.) for authenticating redirect packets. The shared secret may be distributed by a policy server or configured manually, for example, and a firewall may share the same secret with more than one host, including all hosts within a site. In some embodiments, the shared secret may be a function of time. In other embodiments, managed hosts and the firewall may use asymmetric key cryptography (i.e., public key cryptography) to secure redirect packets.
In more particular embodiments, a discovery redirect may be implemented in an Internet Control Message Protocol (ICMP) packet, such as an ICMP destination unreachable (DU) packet for communication administratively prohibited (i.e., ICMP type 3, code 13). The ICMP DU packet may include the IP header and TCP (or UDP) header of the original packet, and may further include a magic number and a hash-based message authentication code (HMAC). In such embodiments, the magic number may be a 32-bit identifier (e.g., 0x46484131, or "FHA1"), which may also serve as a protocol version number. In general, an HMAC is a message authentication code (MAC) that involves a cryptographic hash function combined with a shared secret (e.g., a secret key). A MAC (and an HMAC) may be used to simultaneously verify both the data integrity and the authenticity of a message. The HMAC may, for example, cover the host-firewall shared secret, the source IP address, the destination IP address, the IP identification field, the firewall IP address, and the TCP initial sequence number.
In other embodiments, the firewall may have a public/private key pair that it uses to establish the metadata channel (e.g., a DTLS connection). The firewall's private key may be used to encrypt a hash of the discovery redirect packet (e.g., using RSA). The encrypted hash may be inserted into the discovery redirect, and the host may verify the discovery redirect by decrypting the hash with the firewall's public key. For example, the ICMP DU packet may be used as described above, but with the encrypted hash replacing the HMAC. Encrypting a hash under the private key so that any holder of the public key can check it is, in effect, a digital signature over the redirect, which avoids distributing one shared secret to every host in a site.
Although a host may ignore most ICMP DU packets of this type, when a host receives a discovery redirect packet carrying an HMAC or encrypted hash it can take appropriate action. For example, the host may compute the HMAC using its shared secret and authenticate the message by comparing the computed HMAC with the HMAC received in the discovery redirect packet. If the message is authentic, the host may update its firewall cache to reflect the firewall information in the discovery redirect packet, and send metadata for the given connection to that firewall.
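The discovery redirect described above, built on the firewall side and authenticated on the host side, as an added example that is not the patent's own code. It follows the text for the ICMP type 3 / code 13 wrapper, the original IP and TCP headers, the 0x46484131 ("FHA1") magic number and the HMAC inputs; the exact byte layout (firewall address and port appended after the magic, HMAC-SHA256 as the hash, IPv4 headers without options, ICMP checksum left zero) and the sample addresses and secret are assumptions. Any packet that fails the length, type, magic or HMAC check is treated like an ordinary ICMP DU and ignored, which is what keeps a spoofed redirect from repointing a host at an attacker's "firewall".

```python
import hashlib
import hmac
import ipaddress
import struct

MAGIC = 0x46484131          # "FHA1"; doubles as the protocol version
ICMP_DEST_UNREACH = 3       # ICMP type 3, destination unreachable
ICMP_ADMIN_PROHIBITED = 13  # code 13, communication administratively prohibited
# Assumed fixed layout: ICMP hdr + IPv4 hdr + TCP hdr + magic + fw_ip + fw_port + HMAC-SHA256
REDIRECT_LEN = 8 + 20 + 20 + 4 + 4 + 2 + 32


def hmac_input(src_ip, dst_ip, ip_id, fw_ip, tcp_isn):
    """Bytes covered by the HMAC: the flow fields the text lists; the shared secret is the key."""
    return (ipaddress.IPv4Address(src_ip).packed
            + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!H", ip_id)
            + ipaddress.IPv4Address(fw_ip).packed
            + struct.pack("!I", tcp_isn))


def make_syn_headers(src_ip, src_port, dst_ip, dst_port, ip_id, isn):
    """Constructed sample IPv4 header (no options) and TCP SYN header; checksums left zero."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0x4000, 64, 6, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, isn, 0, 0x50, 0x02, 65535, 0, 0)
    return ip_hdr, tcp_hdr


def build_discovery_redirect(secret, ip_hdr, tcp_hdr, fw_ip, fw_port):
    """Firewall side: wrap the held SYN's headers in an ICMP DU carrying magic + HMAC."""
    src_ip = str(ipaddress.IPv4Address(ip_hdr[12:16]))
    dst_ip = str(ipaddress.IPv4Address(ip_hdr[16:20]))
    ip_id, = struct.unpack("!H", ip_hdr[4:6])
    tcp_isn, = struct.unpack("!I", tcp_hdr[4:8])
    tag = hmac.new(secret, hmac_input(src_ip, dst_ip, ip_id, fw_ip, tcp_isn),
                   hashlib.sha256).digest()
    return (struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_ADMIN_PROHIBITED, 0, 0)
            + ip_hdr + tcp_hdr
            + struct.pack("!I", MAGIC)
            + ipaddress.IPv4Address(fw_ip).packed
            + struct.pack("!H", fw_port)
            + tag)


def parse_discovery_redirect(secret, pkt):
    """Host side: (fw_ip, fw_port, flow 4-tuple) for an authentic redirect, else None.

    Malformed or unauthenticated packets are ignored like any other ICMP DU; the
    HMAC comparison is constant-time.
    """
    if len(pkt) != REDIRECT_LEN or (pkt[0], pkt[1]) != (ICMP_DEST_UNREACH, ICMP_ADMIN_PROHIBITED):
        return None
    ip_hdr, tcp_hdr = pkt[8:28], pkt[28:48]
    magic, = struct.unpack("!I", pkt[48:52])
    if magic != MAGIC:
        return None
    fw_ip = str(ipaddress.IPv4Address(pkt[52:56]))
    fw_port, = struct.unpack("!H", pkt[56:58])
    tag = pkt[58:]
    src_ip = str(ipaddress.IPv4Address(ip_hdr[12:16]))
    dst_ip = str(ipaddress.IPv4Address(ip_hdr[16:20]))
    ip_id, = struct.unpack("!H", ip_hdr[4:6])
    src_port, dst_port, tcp_isn = struct.unpack("!HHI", tcp_hdr[0:8])
    expected = hmac.new(secret, hmac_input(src_ip, dst_ip, ip_id, fw_ip, tcp_isn),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return fw_ip, fw_port, (src_ip, src_port, dst_ip, dst_port)
```

Binding the firewall's own address and the TCP initial sequence number into the HMAC is what stops an on-path party from replaying a genuine redirect against a different connection or editing the firewall field; a host that skips either check accepts a redirect for a flow it never opened.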
Turning to FIG. 2, FIG. 2 is a simplified block diagram illustrating additional details that may be associated with a potential embodiment of network environment 10. FIG. 2 includes Internet 15, user host 20a, firewall 25, and a server 45. Each of user host 20a and firewall 25 may include a respective processor 50a-50b, a respective memory element 55a-55b, and various hardware and/or software modules. More particularly, user host 20a may include an application 60, a configuration database 65, a client certificate 70, and a firewall agent 75, which may maintain a firewall cache 77. Firewall 25 may include a host manager 80 and a policy module 85, as well as a log 90, a metadata cache 95, and a server certificate 97.
In one example implementation, user hosts 20a-20b, firewall 25, and/or policy server 30 are network elements, which is meant to encompass network appliances, servers, routers, switches, gateways, bridges, load balancers, processors, modules, or any other suitable device, component, element, or object operable to exchange information in a network environment. Network elements may include any suitable hardware, software, components, modules, or objects that facilitate their operations, as well as suitable interfaces for receiving, transmitting, and/or otherwise communicating data or information in a network environment. This may be inclusive of appropriate algorithms and communication protocols that allow for the effective exchange of data or information. User hosts 20a-20b, however, may be distinguished from other network elements in that they tend to serve as the end points of a network connection, in contrast to gateways or routers, which tend to serve as intermediate points in a network connection. User hosts 20a-20b may also represent wireless network nodes, such as an iPhone, iPad, Android phone, or other similar telecommunications device.
Regarding the internal structure associated with network environment 10, each of user hosts 20a-20b, firewall 25, and/or policy server 30 can include memory elements for storing information to be used in the operations outlined herein. Each of user hosts 20a-20b, firewall 25, and/or policy server 30 may keep information in any suitable memory element (e.g., random access memory (RAM), read-only memory (ROM), erasable programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), application-specific integrated circuit (ASIC), etc.), software, hardware, or in any other suitable component, device, element, or object where appropriate and based on particular needs. Any of the memory items discussed herein (e.g., memory elements 55a-55b) should be construed as being encompassed within the broad term "memory element." The information being used, tracked, sent, or received by user hosts 20a-20b, firewall 25, and/or policy server 30 could be provided in any database, register, queue, table, cache, control list, or other storage structure, all of which can be referenced at any suitable timeframe. Any such storage options may be included within the broad term "memory element" as used herein.
In certain example implementations, the functions outlined herein may be implemented by logic encoded in one or more tangible media (e.g., embedded logic provided in an ASIC, digital signal processor (DSP) instructions, software (potentially inclusive of object code and source code) to be executed by a processor or other similar machine, etc.), which may be inclusive of non-transitory media. In some of these instances, memory elements (as shown in FIG. 2) can store data used for the operations described herein. This includes memory elements being able to store software, logic, code, or processor instructions that are executed to carry out the activities described herein.
In one example implementation, user hosts 20a-20b, firewall 25, and/or policy server 30 may include software modules (e.g., firewall agent 75 and/or host manager 80) to achieve or to foster the operations outlined herein. In other embodiments, such operations may be carried out by hardware, implemented externally to these elements, or included in some other network device to achieve the intended functionality. Alternatively, these elements may include software (or reciprocating software) that can coordinate in order to achieve the operations, as outlined herein. In still other embodiments, one or all of these devices may include any suitable algorithms, hardware, software, components, modules, interfaces, or objects that facilitate their operations.
Additionally, each of user hosts 20a-20b, firewall 25, and/or policy server 30 may include a processor that can execute software or an algorithm to perform the activities discussed herein. A processor can execute any type of instructions associated with the data to achieve the operations detailed herein. In one example, the processors (as shown in FIG. 2) could transform an element or an article (e.g., data) from one state or thing to another state or thing. In another example, the activities outlined herein may be implemented with fixed logic or programmable logic (e.g., software/computer instructions executed by a processor), and the elements identified herein could be some type of programmable processor, programmable digital logic (e.g., a field programmable gate array (FPGA), an EPROM, an EEPROM), or an ASIC that includes digital logic, software, code, electronic instructions, or any suitable combination thereof. Any of the potential processing elements, modules, and machines described herein should be construed as being encompassed within the broad term "processor."
FIG. 3 is a simplified interaction diagram illustrating potential operations that may be associated with an example embodiment of network environment 10 having a firewall cache that identifies the firewall for a managed route. FIG. 3 includes application 60, firewall agent 75, and firewall cache 77, which may be installed on a user host such as user host 20a. FIG. 3 also illustrates host manager 80, metadata cache 95, and policy module 85, which may be installed in a firewall (e.g., firewall 25). An intranet 78, Internet 15, and server 45 are also depicted in FIG. 3.
An application (e.g., application 60) may attempt to open a new TCP connection with a server (e.g., server 45) at 305. Firewall agent 75 may intercept and hold the new connection, and consult firewall cache 77 (which may be initialized from configuration) at 310 to identify the firewall associated with the route to server 45. In the particular example of FIG. 3, the firewall associated with host manager 80 (e.g., firewall 25) may be identified, and a connection (e.g., a DTLS connection) to the firewall may be opened at 315, for example using a certificate distributed by a policy server (e.g., client certificate 70). The connection may also be added to firewall cache 77 at 320 for future connections. Firewall agent 75 may send metadata for the connection to host manager 80 at 325a, for example via DTLS packets. Host manager 80 may store the metadata in metadata cache 95 at 325b. At 330a, firewall agent 75 may release the connection, allowing data from application 60 to flow to host manager 80. At 330b, host manager 80 may provide connection data (i.e., TCP flow data such as source IP address/port, destination IP address/port, protocol, etc.) to policy module 85, and at 335 policy module 85 may correlate the connection data with the metadata from metadata cache 95 to apply the appropriate network policy at 340. In the example of FIG. 3, the network policy allows the connection, so the connection may be released to server 45 at 345, and data may flow between server 45 and application 60 at 350.
FIG. 4 is a simplified interaction diagram illustrating potential operations that may be associated with an example embodiment of network environment 10 having a stale firewall cache that identifies an invalid firewall for a managed route. FIG. 4 includes application 60, firewall agent 75, and firewall cache 77, which may be installed on a user host such as user host 20a. FIG. 4 also illustrates host manager 80, metadata cache 95, and policy module 85, which may be installed in a firewall (e.g., firewall 25). Intranet 78, Internet 15, server 45, and an invalid firewall 100 are also depicted in FIG. 4.
An application (e.g., application 60) may attempt to open a new flow with a server (e.g., server 45) at 405. Firewall agent 75 may intercept and hold the new flow, and consult firewall cache 77 (which may be initialized from configuration) at 410 to identify the firewall associated with the route to server 45. In the particular example of FIG. 4, firewall cache 77 may contain a stale entry that identifies firewall 100 for the route to server 45, as may happen, for example, when a laptop or other mobile device moves from one network to another. Thus, at 415 firewall agent 75 may open, attempt to open, or believe it has previously opened a connection (e.g., a DTLS connection) to firewall 100, for example using a certificate distributed by a policy server. The DTLS connection to firewall 100 may also be added to firewall cache 77 at 420 for future connections. Firewall agent 75 may fail to open the DTLS connection at 415, or, if it believes the connection is already open, it may send metadata for the connection to firewall 100 via DTLS packets at 425. Firewall 100 may never receive the metadata, since it may no longer even be reachable by firewall agent 75 (e.g., there is no route to firewall 100), in which case the metadata is lost in transit. If firewall 100 does receive the metadata, it may be added to a metadata cache associated with firewall 100, but in this particular example it may be ignored because firewall 100 is no longer responsible for managing the route to server 45. At 430a, firewall agent 75 may release the new flow, and data from application 60 may flow to host manager 80. At 430b host manager 80 may provide the flow data to policy module 85, and at 435 policy module 85 may attempt to correlate the flow data with metadata from metadata cache 95 to apply the appropriate network policy at 440. In this example scenario, however, policy module 85 may be unable to retrieve metadata for the flow at 435, because the metadata for the flow was sent to another firewall (e.g., firewall 100). In the example of FIG. 4, though, the network policy may allow flows without metadata, so the flow may be released to server 45 at 445, and data may flow between server 45 and application 60 at 450.
Policy module 85 may log the event (i.e., releasing a new flow without metadata) and notify host manager 80 at 455a. Host manager 80 may send a discovery redirect to firewall agent 75 at 455b, which may include an HMAC based on the shared secret. Firewall agent 75 may receive the discovery redirect, authenticate it (for example, based on the HMAC), and update firewall cache 77 accordingly at 460. Firewall agent 75 may also open a connection (e.g., a DTLS connection) to host manager 80 and send the metadata at 465. At 470, host manager 80 may store the metadata in metadata cache 95. The metadata may be audited against the flow that is already passing through the firewall associated with host manager 80.
FIG. 5 is a simplified interaction diagram illustrating potential operations that may be associated with another example embodiment of network environment 10 having a stale firewall cache that identifies an invalid firewall for a managed route. FIG. 5 includes application 60, firewall agent 75, and firewall cache 77, which may be installed on a user host such as user host 20a. FIG. 5 also illustrates host manager 80, metadata cache 95, and policy module 85, which may be installed in a firewall (e.g., firewall 25). Intranet 78, Internet 15, server 45, and invalid firewall 100 are also depicted in FIG. 5.
An application (e.g., application 60) may attempt to open a new TCP connection with a server (e.g., server 45) at 505. Firewall agent 75 may intercept and hold the new connection, and consult firewall cache 77 at 510 to identify the firewall associated with the route to server 45. In the particular example of FIG. 5, firewall cache 77 may contain a stale entry that identifies firewall 100 for the route to server 45, as may happen, for example, when a laptop or other mobile device moves from one network to another. In this scenario, firewall cache 77 may also identify an open connection 515 to firewall 100. Thus, at 520, firewall agent 75 may send metadata for the connection to firewall 100 via DTLS packets, but in this particular example the metadata may generally be ignored by firewall 100, since firewall 100 is no longer responsible for managing the route to server 45. At 525a, firewall agent 75 may release the connection, and data from application 60 may flow to host manager 80. At 525b host manager 80 may provide the connection data to policy module 85, and at 530 policy module 85 may attempt to correlate the connection data with metadata from metadata cache 95 to apply the appropriate network policy at 535. In this example scenario, however, policy module 85 may be unable to retrieve metadata for the connection at 530, because the metadata for the connection was sent to another firewall (e.g., firewall 100). In the example of FIG. 5, the network policy at 535 may block connections without metadata, so the firewall (e.g., host manager 80 or policy module 85) may discard the initial connection packet without attempting to reset the connection (e.g., by sending a TCP RST packet).
At 540a, policy module 85 may log the event (i.e., discarding the initial connection packet because no metadata was received) and notify host manager 80. Host manager 80 may send a discovery redirect to firewall agent 75 at 540b. Firewall agent 75 may receive the discovery redirect, authenticate it (for example, based on the HMAC), and update firewall cache 77 accordingly at 545. In the usual case, if the firewall discards the initial connection packet (without resetting the connection), application 60 receives no acknowledgment (e.g., an ACK packet) from server 45 and retransmits its connection request at 550. Firewall agent 75 may again intercept and hold the connection, and consult firewall cache 77 at 555 to identify the firewall associated with the route to server 45. The updated firewall cache 77 may now identify the firewall associated with host manager 80 (e.g., firewall 25). Firewall agent 75 may also open a connection (e.g., a DTLS connection) to host manager 80 at 560 and add the new connection to firewall cache 77 at 565 for future connections. At 570a firewall agent 75 may send the metadata, and at 570b host manager 80 may store the metadata in metadata cache 95.
At 575a firewall agent 75 may release the connection, allowing data from application 60 to flow to host manager 80. At 575b host manager 80 may send the connection data to policy module 85, and at 580 policy module 85 may correlate the connection data with the metadata from metadata cache 95 to apply the appropriate network policy at 585. In the example of FIG. 5, the network policy allows the connection, so the connection may be released to server 45 at 590, and data may flow between server 45 and application 60 at 595.
In another embodiment, host manager 80 may cache the initial connection packet for a short period so that the connection can proceed as soon as the metadata is received at 570b, without waiting for application 60 to retransmit the initial connection packet, which lets traffic flow more quickly. In yet another embodiment, firewall agent 75 may cache the initial connection packet and retransmit it when it receives the discovery redirect.
In various other scenarios, a firewall agent may have no information about a firewall (not even configuration information). In some embodiments, the firewall agent may allow a new flow to pass to the firewall without sending metadata. If the firewall receives a new flow without metadata, the flow can then be handled similarly to a flow received from a firewall agent with a stale firewall cache entry, as described above with reference to FIGS. 4 and 5, for example. In such a scenario, the firewall agent incurs no flow overhead on unmanaged routes.
A host agent may also send PING messages to preconfigured addresses to force discovery of particular paths, for example by sending a PING message to a public Internet address to force discovery of the Internet path. A host agent may also send such PING messages to new network devices on initial connection.
As illustrated in the various example embodiments above, the firewall cache may be updated in response to a discovery redirect, for example at 460 and 545. In more particular embodiments, a firewall agent may update its firewall cache by adding the subnet associated with the redirect message (e.g., a /24 entry for IPv4, or a /64 for IPv6). Alternatively, the firewall agent may search the firewall cache for the longest prefix matching the target address and add a new entry that associates the firewall/port identified in the discovery redirect with the address masked by eight bits for IPv4 (i.e., target/8 = firewall:port) or by sixteen bits for IPv6 (i.e., target/16 = firewall:port).
If a matching entry is found in the firewall cache, the firewall agent may compare that entry with the firewall/port identified in the discovery redirect. If the firewall/port from the discovery redirect does not match the firewall/port in the applicable firewall cache entry, the firewall cache may be updated by adding a new entry for the discovery target with a mask length incrementally modified beyond that of the matching entry (i.e., the entry is split by incrementally increasing or decreasing the granularity of the entry for the discovery target).
For example, the mask length of the entry may be increased by eight bits, yielding a network identifier associated with the discovery target. If the entry cannot be split further (i.e., the mask length is already 32 bits for an IPv4 address), the entry may be replaced so that it associates the discovery target with the firewall/port in the discovery redirect (i.e., the entry is replaced with target/32 = redirecting firewall:port).
In another example, firewall cache entries may be split by adding more specific entries (e.g., /24 for IPv4, /64 for IPv6), and generalized if overlapping discovery redirects are received. The firewall's routing knowledge may also be used to determine granularity, or in some embodiments subnets associated with an exempt zone may be communicated to the firewall agent.
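The firewall cache with longest-prefix lookup and the redirect-driven split described in the preceding paragraphs, as an added example that is not the patent's own code. It implements the second update strategy in the text: find the longest prefix matching the target; if that entry already names the redirecting firewall nothing changes; otherwise add a more specific entry for the target whose mask is eight bits (IPv4) or sixteen bits (IPv6) longer than the match, and replace the entry outright when it is already a host route. Entries map a network to a (firewall address, port) pair, with None marking an unmanaged route. The class and method names, the dict-based store and the sample addresses are assumptions; an agent would only call apply_redirect after the redirect has been authenticated.

```python
import ipaddress

STEP = {4: 8, 6: 16}   # mask-length increment per address family, as in the text


class FirewallCache:
    """Maps networks to the firewall:port managing them; None marks an unmanaged route."""

    def __init__(self):
        self.entries = {}   # ipaddress network -> (fw_ip, fw_port) or None

    def configure(self, network, firewall):
        """Administrator-provided entry, e.g. one firewall for all global addresses."""
        self.entries[ipaddress.ip_network(network)] = firewall

    def lookup(self, target):
        """Longest-prefix match. Returns (network, firewall); (None, None) if nothing matches."""
        addr = ipaddress.ip_address(target)
        best = None
        for net in self.entries:
            if net.version == addr.version and addr in net:
                if best is None or net.prefixlen > best.prefixlen:
                    best = net
        return (best, self.entries[best]) if best is not None else (None, None)

    def apply_redirect(self, target, firewall):
        """Refine the cache after an authenticated discovery redirect naming `firewall` for `target`.

        Returns the entry that now covers the target.
        """
        addr = ipaddress.ip_address(target)
        step = STEP[addr.version]
        net, current = self.lookup(target)
        if net is None:
            new_len = step                   # nothing known: target/8 (IPv4) or target/16 (IPv6)
        elif current == firewall:
            return net                       # cache already agrees with the redirect
        elif net.prefixlen == addr.max_prefixlen:
            del self.entries[net]            # host route cannot be split: replace it
            new_len = addr.max_prefixlen
        else:
            # Split: add a more specific entry, mask widened one step past the match.
            new_len = min(net.prefixlen + step, addr.max_prefixlen)
        new = ipaddress.ip_network((str(addr), new_len), strict=False)
        self.entries[new] = firewall
        return new
```

Because each redirect only adds a more specific entry, a laptop that moves from a home network to a corporate network converges in at most four redirects per IPv4 destination (/8, /16, /24, /32) and the administrator's default stays intact for every other destination; the cost is that a forged redirect, if it passed authentication, would pin a host route to the attacker's choice of firewall, which is why the HMAC or signature check has to precede this update.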
Network environment 10 can also operate seamlessly with unmanaged routes. For example, a firewall agent may intercept a new connection from an application to a server and determine from the firewall cache that the route is unmanaged. The firewall agent can then release the connection, and the connection to the server may be established with no additional packet overhead.
FIG. 6 is an example packet data unit (PDU) format 600 that may be associated with exchanging metadata over a metadata channel in an example embodiment of network environment 10. PDU format 600 may include, for example, network flow data 605 and session descriptor data 610. Network flow data 605 may provide information associated with a new flow from a source, such as an application on a managed host. In PDU format 600, for example, network flow data 605 may identify the protocol (short protocol) (e.g., TCP, UDP, ICMP, GRE, IPSec, etc.), the IP address of the source node (IPaddress source_address), the port number of the process opening the connection (short source_port), the IP address of the destination node (IPaddress dest_address), and the port number of the process receiving the connection at the destination node (short dest_port). Session descriptor 610 may provide information about the user associated with the application opening the connection, such as a security ID (string sid), the domain associated with the user (string domain), and the user name (string user), as well as information about the application, such as the full path of the application (string application_path). Other information in session descriptor 610 may provide data about the state of the source node (e.g., the host), including the state of the host firewall (boolean FW_enabled) and of antivirus software running on the host (boolean AV_enabled), as well as information about the interfaces on the source node (Interface interface[]). PDU format 600 is merely illustrative, however, and may readily be adapted to provide alternative or additional metadata, such as information about an intrusion prevention system, routing information, additional vendor information, and the like.
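The metadata PDU of FIG. 6 and the firewall-side correlation it feeds (the metadata cache keyed on the flow, and the policy module's decision when the first packet arrives with or without metadata, as in FIGS. 3 to 5), as one added example that is not the patent's own code. The PDU fields follow the text (short protocol, source and destination address and port, sid, domain, user, application_path, FW_enabled, AV_enabled, interface[]); the wire layout (big-endian, length-prefixed UTF-8 strings, IPv4 only, interfaces reduced to names), the two policy rules, the `Firewall` class and the sample values are assumptions. The DTLS transport that carries the PDU is not modelled.

```python
import ipaddress
import struct
from dataclasses import dataclass, field

PROTO = {"TCP": 6, "UDP": 17, "ICMP": 1, "GRE": 47, "IPSec": 50}
PROTO_NAME = {v: k for k, v in PROTO.items()}


@dataclass
class FlowData:
    """Network flow data 605."""
    protocol: str
    source_address: str
    source_port: int
    dest_address: str
    dest_port: int

    def key(self):
        """5-tuple the firewall keys its metadata cache on."""
        return (PROTO[self.protocol], self.source_address, self.source_port,
                self.dest_address, self.dest_port)


@dataclass
class SessionDescriptor:
    """Session descriptor 610 (interface list reduced to interface names)."""
    sid: str
    domain: str
    user: str
    application_path: str
    fw_enabled: bool
    av_enabled: bool
    interfaces: list = field(default_factory=list)


def _pack_str(s):
    b = s.encode("utf-8")
    return struct.pack("!H", len(b)) + b


def _unpack_str(buf, off):
    n, = struct.unpack_from("!H", buf, off)
    return buf[off + 2:off + 2 + n].decode("utf-8"), off + 2 + n


def encode_pdu(flow, sd):
    """Serialise one metadata PDU: flow data, then the session descriptor."""
    out = struct.pack("!H", PROTO[flow.protocol])
    out += ipaddress.IPv4Address(flow.source_address).packed + struct.pack("!H", flow.source_port)
    out += ipaddress.IPv4Address(flow.dest_address).packed + struct.pack("!H", flow.dest_port)
    for s in (sd.sid, sd.domain, sd.user, sd.application_path):
        out += _pack_str(s)
    out += struct.pack("!??H", sd.fw_enabled, sd.av_enabled, len(sd.interfaces))
    for name in sd.interfaces:
        out += _pack_str(name)
    return out


def decode_pdu(buf):
    """Inverse of encode_pdu; returns (FlowData, SessionDescriptor)."""
    proto_num, = struct.unpack_from("!H", buf, 0)
    src = str(ipaddress.IPv4Address(buf[2:6]))
    sport, = struct.unpack_from("!H", buf, 6)
    dst = str(ipaddress.IPv4Address(buf[8:12]))
    dport, = struct.unpack_from("!H", buf, 12)
    flow = FlowData(PROTO_NAME[proto_num], src, sport, dst, dport)
    off, strs = 14, []
    for _ in range(4):
        s, off = _unpack_str(buf, off)
        strs.append(s)
    fw, av, n = struct.unpack_from("!??H", buf, off)
    off += 4
    ifaces = []
    for _ in range(n):
        s, off = _unpack_str(buf, off)
        ifaces.append(s)
    return flow, SessionDescriptor(*strs, fw, av, ifaces)


class Firewall:
    """Host manager, metadata cache and a minimal policy module on one firewall."""

    def __init__(self, allow_without_metadata):
        self.metadata_cache = {}            # flow key -> SessionDescriptor
        self.allow_without_metadata = allow_without_metadata
        self.log = []

    def receive_metadata(self, pdu_bytes):
        """Metadata channel: the agent sends this before releasing the flow."""
        flow, sd = decode_pdu(pdu_bytes)
        self.metadata_cache[flow.key()] = sd

    def on_first_packet(self, flow):
        """Policy decision for the first packet of `flow`: (action, send_redirect).

        action is 'allow', 'deny' or 'drop'; send_redirect is True when no metadata
        was found, i.e. the host manager should send a discovery redirect to the source.
        """
        sd = self.metadata_cache.pop(flow.key(), None)
        if sd is None:
            self.log.append(("no_metadata", flow.key()))
            return ("allow", True) if self.allow_without_metadata else ("drop", True)
        # Assumed rules: NAC-style host health check, then an application/protocol check.
        if not (sd.fw_enabled and sd.av_enabled):
            return ("deny", False)
        if flow.dest_port == 25 and not sd.application_path.lower().endswith("outlook.exe"):
            return ("deny", False)
        return ("allow", False)
```

The two `Firewall` configurations reproduce FIGS. 4 and 5: a permissive policy passes the flow but still triggers a redirect, a strict one drops the SYN without a RST so the application's own retransmission carries the flow back through once the agent has updated its cache. Keying the cache on the full 5-tuple rather than on the source address alone is what lets the firewall tell a word processor opening SMTP apart from the mail client on the same host.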
Network environment 10 can provide significant advantages, some of which have already been discussed. For example, network environment 10 can provide security for host/firewall interlock data as well as low protocol overhead. Network environment 10 can leverage configuration data, protocols (e.g., DTLS), and the timers in TCP and application layer protocols, and is readily adaptable to reuse standard code packages.
In the examples provided above, as well as in numerous other potential examples, interaction may be described in terms of two, three, or four network elements. However, the number of network elements has been limited for purposes of clarity and example only. In certain cases, it may be easier to describe one or more of the functionalities of a given set of operations by referring to only a limited number of network elements. It should be appreciated that network environment 10 is readily scalable and can accommodate a large number of components, as well as more complicated and sophisticated arrangements and configurations. Accordingly, the examples provided should not limit the scope or inhibit the broad teachings of network environment 10 as potentially applied to a myriad of other architectures. Additionally, although described with reference to particular scenarios where a particular module (e.g., policy module 85) is provided within a network element, these modules can be provided externally, or consolidated and/or combined in any suitable fashion. In certain instances, such modules may be provided in a single proprietary unit.
It is also important to note that the steps in the appended figures illustrate only some of the possible scenarios and patterns that may be executed by, or within, network environment 10. Some of these steps may be deleted or removed where appropriate, or these steps may be modified or changed considerably without departing from the scope of the teachings provided herein. In addition, a number of these operations have been described as being executed concurrently with, or in parallel to, one or more additional operations. However, the timing of these operations may be altered considerably. The preceding operational flows have been offered for purposes of example and discussion. Substantial flexibility is provided by network environment 10 in that any suitable arrangements, chronologies, configurations, and timing mechanisms may be provided without departing from the teachings provided herein.
Numerous other changes, substitutions, variations, alterations, and modifications may be ascertained by one skilled in the art, and it is intended that the present disclosure encompass all such changes, substitutions, variations, alterations, and modifications as falling within the scope of the appended claims. In order to assist the United States Patent and Trademark Office (USPTO) and, additionally, any readers of any patent issued on this application in interpreting the claims appended hereto, Applicant wishes to note that the Applicant: (a) does not intend any of the appended claims to invoke paragraph six (6) of 35 U.S.C. section 112 as it exists on the date of filing hereof unless the words "means for" or "step for" are specifically used in the particular claims; and (b) does not intend, by any statement in the specification, to limit this disclosure in any way that is not otherwise reflected in the appended claims.
Claims (23)
1. A method for redirected firewall discovery, comprising:
intercepting, at a firewall, a network flow from a source node;
when the firewall is unable to retrieve metadata for the network flow, sending a discovery redirect to the source node to update a firewall cache to identify the firewall;
receiving, at the firewall, the metadata associated with the network flow; and
correlating, at the firewall, the metadata with the network flow to apply a network policy to the network flow.
2. The method of claim 1, wherein the discovery redirect is an Internet Control Message Protocol packet.
3. The method of claim 1, wherein the discovery redirect comprises a hash-based message authentication code.
4. The method of claim 1, wherein the discovery redirect comprises a hash-based message authentication code with a shared secret.
5. The method of claim 1, wherein the discovery redirect comprises a private key encryption of a hash of the discovery redirect.
6. The method of any one of claims 1-5, wherein the metadata is received over a metadata channel.
7. The method of any one of claims 1-5, wherein the metadata is received using the Datagram Transport Layer Security protocol.
8. The method of any one of claims 1-5, further comprising caching a first packet in the network flow.
9. A method for redirected firewall discovery, comprising:
intercepting, at a source node, a network flow from the source node to a destination node;
identifying, using a firewall cache, a firewall for managing a route to the destination node;
sending metadata associated with the network flow to the firewall;
releasing the network flow;
receiving a discovery redirect from a second firewall;
updating the firewall cache to identify the second firewall for managing the route to the destination; and
sending the metadata to the second firewall via a metadata channel.
10. The method of claim 9, wherein the network flow uses the Transmission Control Protocol, and intercepting the network flow comprises detecting a SYN packet from the source node.
11. The method of claim 9, wherein the network flow uses an unreliable protocol, and intercepting the network flow comprises caching a first packet of the flow until the metadata is sent.
12. The method of claim 9, wherein the metadata is sent to the second firewall using the Datagram Transport Layer Security protocol.
13. The method of claim 9, further comprising:
authenticating the discovery redirect using one of a public key decryption of a hash of the discovery redirect or a message authentication code.
14. The method of claim 9, further comprising:
caching a first packet in the network flow; and
sending the first packet to the second firewall.
15. The method of claim 9, wherein updating the firewall cache comprises adding a new entry for the destination node having a mask length incrementally modified beyond that of a previous entry for the destination node.
16. An apparatus for redirected firewall discovery, the apparatus comprising:
a host manager; and
one or more processors operable to execute instructions associated with the host manager, wherein the host manager is configured to:
intercept, at a firewall, a network flow from a source node;
when the firewall is unable to retrieve metadata for the network flow, send a discovery redirect to the source node to update a firewall cache to identify the firewall;
receive, at the firewall, the metadata associated with the network flow; and
correlate, at the firewall, the metadata with the network flow to apply a network policy to the network flow.
17. The apparatus of claim 16, wherein the discovery redirect is an Internet Control Message Protocol destination unreachable packet.
18. The apparatus of any one of claims 16-17, wherein the discovery redirect comprises a hash-based message authentication code.
19. The apparatus of any one of claims 16-17, wherein the discovery redirect comprises a private key encryption of a hash of the discovery redirect.
20. An apparatus for redirected firewall discovery, the apparatus comprising:
a firewall agent; and
one or more processors operable to execute instructions associated with the firewall agent, wherein the firewall agent is configured to:
intercept, at a source node, a network flow from the source node to a destination node;
identify, using a firewall cache, a firewall for managing a route to the destination node;
send metadata associated with the network flow to the firewall;
release the network flow;
receive a discovery redirect from a second firewall;
update the firewall cache to identify the second firewall for managing the route to the destination; and
send the metadata to the second firewall via a metadata channel.
21. The apparatus of claim 20, wherein the metadata is sent using the Datagram Transport Layer Security protocol.
22. An apparatus for redirected firewall discovery, comprising means for performing the method of any one of claims 1-5.
23. An apparatus for redirected firewall discovery, comprising means for performing the method of any one of claims 9-15.
Applications Claiming Priority (3)

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US13/275,249 (US8713668B2) | 2011-10-17 | 2011-10-17 | System and method for redirected firewall discovery in a network environment |
| US13/275,249 | 2011-10-17 | | |
| PCT/US2012/057312 (WO2013058944A1) | 2011-10-17 | 2012-09-26 | System and method for redirected firewall discovery in a network environment |

Publications (2)

| Publication Number | Publication Date |
|---|---|
| CN103907330A (zh) | 2014-07-02 |
| CN103907330B (zh) | 2017-06-20 |

Family
ID=48086899

Family Applications (1)

| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201280053580.XA (CN103907330B, Active) | System and method for redirected firewall discovery in a network environment | 2011-10-17 | 2012-09-26 |

Country Status (4)

| Country | Link |
|---|---|
| US (4) | US8713668B2 |
| EP (1) | EP2769509B1 |
| CN (1) | CN103907330B |
| WO (1) | WO2013058944A1 |
Citations (1)

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1383295A (zh) | 2001-04-25 | 2002-12-04 | 数位联合电信股份有限公司 | Redirectable Internet access connection system |
US6587877B1 (en) | 1997-03-25 | 2003-07-01 | Lucent Technologies Inc. | Management of time and expense when communicating between a host and a communication network |
US6192475B1 (en) | 1997-03-31 | 2001-02-20 | David R. Wallace | System and method for cloaking software |
US6167522A (en) | 1997-04-01 | 2000-12-26 | Sun Microsystems, Inc. | Method and apparatus for providing security for servers executing application programs received via a network |
US6356957B2 (en) | 1997-04-03 | 2002-03-12 | Hewlett-Packard Company | Method for emulating native object oriented foundation classes on a target object oriented programming system using a template library |
US5987557A (en) | 1997-06-19 | 1999-11-16 | Sun Microsystems, Inc. | Method and apparatus for implementing hardware protection domains in a system with no memory management unit (MMU) |
US6073142A (en) | 1997-06-23 | 2000-06-06 | Park City Group | Automated post office based rule analysis of e-mail messages and other data objects for controlled distribution in network environments |
US6275938B1 (en) | 1997-08-28 | 2001-08-14 | Microsoft Corporation | Security enhancement for untrusted executable code |
US6192401B1 (en) | 1997-10-21 | 2001-02-20 | Sun Microsystems, Inc. | System and method for determining cluster membership in a heterogeneous distributed system |
US6393465B2 (en) | 1997-11-25 | 2002-05-21 | Nixmail Corporation | Junk electronic mail detector and eliminator |
US5987610A (en) | 1998-02-12 | 1999-11-16 | Ameritech Corporation | Computer virus screening methods and systems |
WO1999057654A1 (fr) | 1998-05-06 | 1999-11-11 | Matsushita Electric Industrial Co., Ltd. | Method and system for transmitting/receiving digital data |
US6795966B1 (en) | 1998-05-15 | 2004-09-21 | Vmware, Inc. | Mechanism for restoring, porting, replicating and checkpointing computer systems using state extraction |
US6442686B1 (en) | 1998-07-02 | 2002-08-27 | Networks Associates Technology, Inc. | System and methodology for messaging server-based management and enforcement of crypto policies |
US6182142B1 (en) | 1998-07-10 | 2001-01-30 | Encommerce, Inc. | Distributed access management of information resources |
US6338149B1 (en) | 1998-07-31 | 2002-01-08 | Westinghouse Electric Company Llc | Change monitoring system for a computer system |
US6546425B1 (en) | 1998-10-09 | 2003-04-08 | Netmotion Wireless, Inc. | Method and apparatus for providing mobile and other intermittent connectivity in a computing environment |
JP3753873B2 (ja) | 1998-11-11 | 2006-03-08 | 株式会社島津製作所 | Spectrophotometer |
JP3522141B2 (ja) | 1999-01-28 | 2004-04-26 | 富士通株式会社 | Method for automatically generating a program that inherits a correction program, automatic program generation device, and recording medium storing a program that automatically generates a program inheriting a correction program |
US6969352B2 (en) | 1999-06-22 | 2005-11-29 | Teratech Corporation | Ultrasound probe with integrated electronics |
US6453468B1 (en) | 1999-06-30 | 2002-09-17 | B-Hub, Inc. | Methods for improving reliability while upgrading software programs in a clustered computer system |
US6496477B1 (en) | 1999-07-09 | 2002-12-17 | Texas Instruments Incorporated | Processes, articles, and packets for network path diversity in media over packet applications |
US6567857B1 (en) | 1999-07-29 | 2003-05-20 | Sun Microsystems, Inc. | Method and apparatus for dynamic proxy insertion in network traffic flow |
US7340684B2 (en) | 1999-08-19 | 2008-03-04 | National Instruments Corporation | System and method for programmatically generating a second graphical program based on a first graphical program |
US7406603B1 (en) | 1999-08-31 | 2008-07-29 | Intertrust Technologies Corp. | Data protection systems and methods |
US6256773B1 (en) | 1999-08-31 | 2001-07-03 | Accenture Llp | System, method and article of manufacture for configuration management in a development architecture framework |
US6990591B1 (en) | 1999-11-18 | 2006-01-24 | Secureworks, Inc. | Method and system for remotely configuring and monitoring a communication device |
US6321267B1 (en) | 1999-11-23 | 2001-11-20 | Escom Corporation | Method and apparatus for filtering junk email |
US6662219B1 (en) | 1999-12-15 | 2003-12-09 | Microsoft Corporation | System for determining at subgroup of nodes relative weight to represent cluster by obtaining exclusive possession of quorum resource |
US6526418B1 (en) | 1999-12-16 | 2003-02-25 | Livevault Corporation | Systems and methods for backing up data files |
US6460050B1 (en) | 1999-12-22 | 2002-10-01 | Mark Raymond Pace | Distributed content identification system |
US7836494B2 (en) | 1999-12-29 | 2010-11-16 | Intel Corporation | System and method for regulating the flow of information to or from an application |
US6769008B1 (en) | 2000-01-10 | 2004-07-27 | Sun Microsystems, Inc. | Method and apparatus for dynamically altering configurations of clustered computer systems |
WO2001069439A1 (en) | 2000-03-17 | 2001-09-20 | Filesx Ltd. | Accelerating responses to requests made by users to an internet |
US6748534B1 (en) | 2000-03-31 | 2004-06-08 | Networks Associates, Inc. | System and method for partitioned distributed scanning of a large dataset for viruses and other malware |
US6941470B1 (en) | 2000-04-07 | 2005-09-06 | Everdream Corporation | Protected execution environments within a computer system |
CA2305078A1 (en) | 2000-04-12 | 2001-10-12 | Cloakware Corporation | Tamper resistant software - mass data encoding |
US7325127B2 (en) | 2000-04-25 | 2008-01-29 | Secure Data In Motion, Inc. | Security server system |
US6377808B1 (en) | 2000-04-27 | 2002-04-23 | Motorola, Inc. | Method and apparatus for routing data in a communication system |
JP4700884B2 (ja) | 2000-04-28 | 2011-06-15 | インターナショナル・ビジネス・マシーンズ・コーポレーション | Method and system for managing computer security information |
US6769115B1 (en) | 2000-05-01 | 2004-07-27 | Emc Corporation | Adaptive interface for a software development environment |
US6847993B1 (en) | 2000-05-31 | 2005-01-25 | International Business Machines Corporation | Method, system and program products for managing cluster configurations |
US6934755B1 (en) | 2000-06-02 | 2005-08-23 | Sun Microsystems, Inc. | System and method for migrating processes on a network |
US6611925B1 (en) | 2000-06-13 | 2003-08-26 | Networks Associates Technology, Inc. | Single point of entry/origination item scanning within an enterprise or workgroup |
US20030061506A1 (en) | 2001-04-05 | 2003-03-27 | Geoffrey Cooper | System and method for security policy |
US6901519B1 (en) | 2000-06-22 | 2005-05-31 | Infobahn, Inc. | E-mail virus protection system and method |
US8204999B2 (en) | 2000-07-10 | 2012-06-19 | Oracle International Corporation | Query string processing |
US7093239B1 (en) | 2000-07-14 | 2006-08-15 | Internet Security Systems, Inc. | Computer immune system and method for detecting unwanted code in a computer system |
US7350204B2 (en) | 2000-07-24 | 2008-03-25 | Microsoft Corporation | Policies for secure software execution |
EP1307988B1 (en) | 2000-08-04 | 2004-04-21 | Xtradyne Technologies Aktiengesellschaft | Method and system for session based authorization and access control for networked application objects |
AUPQ968100A0 (en) | 2000-08-25 | 2000-09-21 | Telstra Corporation Limited | A management system |
CN1751473A (zh) | 2000-09-01 | 2006-03-22 | Tut系统公司 | Method and system for implementing policy-based network traffic management |
US20020165947A1 (en) | 2000-09-25 | 2002-11-07 | Crossbeam Systems, Inc. | Network application apparatus |
US7707305B2 (en) | 2000-10-17 | 2010-04-27 | Cisco Technology, Inc. | Methods and apparatus for protecting against overload conditions on nodes of a distributed network |
US7146305B2 (en) | 2000-10-24 | 2006-12-05 | Vcis, Inc. | Analytical virtual machine |
US7606898B1 (en) | 2000-10-24 | 2009-10-20 | Microsoft Corporation | System and method for distributed management of shared computers |
US7054930B1 (en) | 2000-10-26 | 2006-05-30 | Cisco Technology, Inc. | System and method for propagating filters |
US6930985B1 (en) | 2000-10-26 | 2005-08-16 | Extreme Networks, Inc. | Method and apparatus for management of configuration in a network |
US6834301B1 (en) | 2000-11-08 | 2004-12-21 | Networks Associates Technology, Inc. | System and method for configuration, management, and monitoring of a computer network using inheritance |
US6766334B1 (en) | 2000-11-21 | 2004-07-20 | Microsoft Corporation | Project-based configuration management method and apparatus |
US20020069367A1 (en) | 2000-12-06 | 2002-06-06 | Glen Tindal | Network operating system data directory |
US6907600B2 (en) | 2000-12-27 | 2005-06-14 | Intel Corporation | Virtual translation lookaside buffer |
JP2002244898A (ja) | 2001-02-19 | 2002-08-30 | Hitachi Ltd | Database management program and database system |
US6993012B2 (en) * | 2001-02-20 | 2006-01-31 | Innomedia Pte, Ltd | Method for communicating audio data in a packet switched network |
US7739497B1 (en) * | 2001-03-21 | 2010-06-15 | Verizon Corporate Services Group Inc. | Method and apparatus for anonymous IP datagram exchange using dynamic network address translation |
WO2002093334A2 (en) | 2001-04-06 | 2002-11-21 | Symantec Corporation | Temporal access control for computer virus outbreaks |
US6918110B2 (en) | 2001-04-11 | 2005-07-12 | Hewlett-Packard Development Company, L.P. | Dynamic instrumentation of an executable program by means of causing a breakpoint at the entry point of a function and providing instrumentation code |
US6715050B2 (en) | 2001-05-31 | 2004-03-30 | Oracle International Corporation | Storage access keys |
US6988101B2 (en) | 2001-05-31 | 2006-01-17 | International Business Machines Corporation | Method, system, and computer program product for providing an extensible file system for accessing a foreign file system from a local data processing system |
US6988124B2 (en) | 2001-06-06 | 2006-01-17 | Microsoft Corporation | Locating potentially identical objects across multiple computers based on stochastic partitioning of workload |
US7290266B2 (en) | 2001-06-14 | 2007-10-30 | Cisco Technology, Inc. | Access control by a real-time stateful reference monitor with a state collection training mode and a lockdown mode for detecting predetermined patterns of events indicative of requests for operating system resources resulting in a decision to allow or block activity identified in a sequence of events based on a rule set defining a processing policy |
US7065767B2 (en) | 2001-06-29 | 2006-06-20 | Intel Corporation | Managed hosting server auditing and change tracking |
US7069330B1 (en) | 2001-07-05 | 2006-06-27 | Mcafee, Inc. | Control of interaction between client computer applications and network resources |
US20030023736A1 (en) | 2001-07-12 | 2003-01-30 | Kurt Abkemeier | Method and system for filtering messages |
US20030014667A1 (en) | 2001-07-16 | 2003-01-16 | Andrei Kolichtchak | Buffer overflow attack detection and suppression |
US6877088B2 (en) | 2001-08-08 | 2005-04-05 | Sun Microsystems, Inc. | Methods and apparatus for controlling speculative execution of instructions based on a multiaccess memory condition |
US7007302B1 (en) | 2001-08-31 | 2006-02-28 | Mcafee, Inc. | Efficient management and blocking of malicious code and hacking attempts in a network environment |
US7010796B1 (en) | 2001-09-28 | 2006-03-07 | Emc Corporation | Methods and apparatus providing remote operation of an application programming interface |
US7278161B2 (en) | 2001-10-01 | 2007-10-02 | International Business Machines Corporation | Protecting a data processing system from attack by a vandal who uses a vulnerability scanner |
US7177267B2 (en) | 2001-11-09 | 2007-02-13 | Adc Dsl Systems, Inc. | Hardware monitoring and configuration management |
US7853643B1 (en) | 2001-11-21 | 2010-12-14 | Blue Titan Software, Inc. | Web services-based computing resource lifecycle management |
EP1315066A1 (en) | 2001-11-21 | 2003-05-28 | BRITISH TELECOMMUNICATIONS public limited company | Computer security system |
US7346781B2 (en) | 2001-12-06 | 2008-03-18 | Mcafee, Inc. | Initiating execution of a computer program from an encrypted version of a computer program |
US6959373B2 (en) | 2001-12-10 | 2005-10-25 | Incipient, Inc. | Dynamic and variable length extents |
US7159036B2 (en) | 2001-12-10 | 2007-01-02 | Mcafee, Inc. | Updating data from a source computer to groups of destination computers |
US7039949B2 (en) | 2001-12-10 | 2006-05-02 | Brian Ross Cartmell | Method and system for blocking unwanted communications |
US10033700B2 (en) | 2001-12-12 | 2018-07-24 | Intellectual Ventures I Llc | Dynamic evaluation of access rights |
JP4522705B2 (ja) | 2001-12-13 | 2010-08-11 | 独立行政法人科学技術振興機構 | Software safe-execution system |
US7398389B2 (en) | 2001-12-20 | 2008-07-08 | Coretrace Corporation | Kernel-based network security infrastructure |
US7096500B2 (en) | 2001-12-21 | 2006-08-22 | Mcafee, Inc. | Predictive malware scanning of internet data |
JP3906356B2 (ja) | 2001-12-27 | 2007-04-18 | 独立行政法人情報通信研究機構 | Syntax analysis method and device |
US7743415B2 (en) | 2002-01-31 | 2010-06-22 | Riverbed Technology, Inc. | Denial of service attacks characterization |
US20030167399A1 (en) | 2002-03-01 | 2003-09-04 | Yves Audebert | Method and system for performing post issuance configuration and data changes to a personal security device using a communications pipe |
US6941449B2 (en) | 2002-03-04 | 2005-09-06 | Hewlett-Packard Development Company, L.P. | Method and apparatus for performing critical tasks using speculative operations |
US7600021B2 (en) | 2002-04-03 | 2009-10-06 | Microsoft Corporation | Delta replication of source files and packages across networked resources |
US20070253430A1 (en) | 2002-04-23 | 2007-11-01 | Minami John S | Gigabit Ethernet Adapter |
US7370360B2 (en) | 2002-05-13 | 2008-05-06 | International Business Machines Corporation | Computer immune system and method for detecting unwanted code in a P-code or partially compiled native-code program executing within a virtual machine |
US7823148B2 (en) | 2002-05-22 | 2010-10-26 | Oracle America, Inc. | System and method for performing patch installation via a graphical user interface |
US20030221190A1 (en) | 2002-05-22 | 2003-11-27 | Sun Microsystems, Inc. | System and method for performing patch installation on multiple devices |
US7024404B1 (en) | 2002-05-28 | 2006-04-04 | The State University Rutgers | Retrieval and display of data objects using a cross-group ranking metric |
US7512977B2 (en) | 2003-06-11 | 2009-03-31 | Symantec Corporation | Intrusion protection system utilizing layers |
US8843903B1 (en) | 2003-06-11 | 2014-09-23 | Symantec Corporation | Process tracking application layered system |
US7823203B2 (en) | 2002-06-17 | 2010-10-26 | At&T Intellectual Property Ii, L.P. | Method and device for detecting computer network intrusions |
US7139916B2 (en) | 2002-06-28 | 2006-11-21 | Ebay, Inc. | Method and system for monitoring user interaction with a computer |
US8924484B2 (en) | 2002-07-16 | 2014-12-30 | Sonicwall, Inc. | Active e-mail filter with challenge-response |
US7522906B2 (en) | 2002-08-09 | 2009-04-21 | Wavelink Corporation | Mobile unit configuration management for WLANs |
JP2004078507A (ja) | 2002-08-16 | 2004-03-11 | Sony Corp | Access control device, access control method, and computer program |
US7647410B2 (en) | 2002-08-28 | 2010-01-12 | Procera Networks, Inc. | Network rights management |
US7624347B2 (en) | 2002-09-17 | 2009-11-24 | At&T Intellectual Property I, L.P. | System and method for forwarding full header information in email messages |
US7546333B2 (en) | 2002-10-23 | 2009-06-09 | Netapp, Inc. | Methods and systems for predictive change management for access paths in networks |
US20040088398A1 (en) | 2002-11-06 | 2004-05-06 | Barlow Douglas B. | Systems and methods for providing autoconfiguration and management of nodes |
US7353501B2 (en) | 2002-11-18 | 2008-04-01 | Microsoft Corporation | Generic wrapper scheme |
US7865931B1 (en) | 2002-11-25 | 2011-01-04 | Accenture Global Services Limited | Universal authorization and access control security measure for applications |
US7346927B2 (en) | 2002-12-12 | 2008-03-18 | Access Business Group International Llc | System and method for storing and accessing secure data |
US20040143749A1 (en) | 2003-01-16 | 2004-07-22 | Platformlogic, Inc. | Behavior-based host-based intrusion prevention system |
US20040167906A1 (en) | 2003-02-25 | 2004-08-26 | Smith Randolph C. | System consolidation tool and method for patching multiple servers |
US7024548B1 (en) | 2003-03-10 | 2006-04-04 | Cisco Technology, Inc. | Methods and apparatus for auditing and tracking changes to an existing configuration of a computerized device |
US7529754B2 (en) | 2003-03-14 | 2009-05-05 | Websense, Inc. | System and method of monitoring and controlling application files |
JPWO2004095285A1 (ja) | 2003-03-28 | 2006-07-13 | 松下電器産業株式会社 | Recording medium, and recording device and playback device using the same |
US8209680B1 (en) | 2003-04-11 | 2012-06-26 | Vmware, Inc. | System and method for disk imaging on diverse computers |
US7607010B2 (en) | 2003-04-12 | 2009-10-20 | Deep Nines, Inc. | System and method for network edge data protection |
US20050108516A1 (en) | 2003-04-17 | 2005-05-19 | Robert Balzer | By-pass and tampering protection for application wrappers |
US20040230963A1 (en) | 2003-05-12 | 2004-11-18 | Rothman Michael A. | Method for updating firmware in an operating system agnostic manner |
DE10324189A1 (de) | 2003-05-28 | 2004-12-16 | Robert Bosch Gmbh | Method for controlling access to a resource of an application in a data processing device |
US7657599B2 (en) | 2003-05-29 | 2010-02-02 | Mindshare Design, Inc. | Systems and methods for automatically updating electronic mail access lists |
US20050108562A1 (en) | 2003-06-18 | 2005-05-19 | Khazan Roger I. | Technique for detecting executable malicious code using a combination of static and dynamic analyses |
US7827602B2 (en) * | 2003-06-30 | 2010-11-02 | At&T Intellectual Property I, L.P. | Network firewall host application identification and authentication |
US7454489B2 (en) * | 2003-07-01 | 2008-11-18 | International Business Machines Corporation | System and method for accessing clusters of servers from the internet network |
US7283517B2 (en) | 2003-07-22 | 2007-10-16 | Innomedia Pte | Stand alone multi-media terminal adapter with network address translation and port partitioning |
US7463590B2 (en) | 2003-07-25 | 2008-12-09 | Reflex Security, Inc. | System and method for threat detection and response |
US7526541B2 (en) | 2003-07-29 | 2009-04-28 | Enterasys Networks, Inc. | System and method for dynamic network policy management |
US7886093B1 (en) | 2003-07-31 | 2011-02-08 | Hewlett-Packard Development Company, L.P. | Electronic device network supporting compression and decompression in electronic devices |
US7925722B1 (en) | 2003-08-01 | 2011-04-12 | Avocent Corporation | Method and apparatus for discovery and installation of network devices through a network |
US7401104B2 (en) | 2003-08-21 | 2008-07-15 | Microsoft Corporation | Systems and methods for synchronizing computer systems through an intermediary file system share or device |
US7386888B2 (en) | 2003-08-29 | 2008-06-10 | Trend Micro, Inc. | Network isolation techniques suitable for virus protection |
US8539063B1 (en) | 2003-08-29 | 2013-09-17 | Mcafee, Inc. | Method and system for containment of networked application client software by explicit human input |
US7464408B1 (en) | 2003-08-29 | 2008-12-09 | Solidcore Systems, Inc. | Damage containment by translation |
US20050060566A1 (en) | 2003-09-16 | 2005-03-17 | Chebolu Anil Kumar | Online user-access reports with authorization features |
US7360097B2 (en) | 2003-09-30 | 2008-04-15 | Check Point Software Technologies, Inc. | System providing methodology for securing interfaces of executable files |
US20050081053A1 (en) | 2003-10-10 | 2005-04-14 | International Business Machines Corporation | Systems and methods for efficient computer virus detection |
US7930351B2 (en) | 2003-10-14 | 2011-04-19 | At&T Intellectual Property I, L.P. | Identifying undesired email messages having attachments |
US7280956B2 (en) | 2003-10-24 | 2007-10-09 | Microsoft Corporation | System, method, and computer program product for file encryption, decryption and transfer |
US7814554B1 (en) | 2003-11-06 | 2010-10-12 | Gary Dean Ragner | Dynamic associative storage security for long-term memory storage devices |
US20050114672A1 (en) | 2003-11-20 | 2005-05-26 | Encryptx Corporation | Data rights management of digital information in a portable software permission wrapper |
US20040172551A1 (en) | 2003-12-09 | 2004-09-02 | Michael Connor | First response computer virus blocking. |
US7600219B2 (en) | 2003-12-10 | 2009-10-06 | Sap Ag | Method and system to monitor software interface updates and assess backward compatibility |
US7546594B2 (en) | 2003-12-15 | 2009-06-09 | Microsoft Corporation | System and method for updating installation components using an installation component delta patch in a networked environment |
US7840968B1 (en) | 2003-12-17 | 2010-11-23 | Mcafee, Inc. | Method and system for containment of usage of language interfaces |
JP2005202523A (ja) | 2004-01-13 | 2005-07-28 | Sony Corp | Computer device and process control method |
US7272654B1 (en) | 2004-03-04 | 2007-09-18 | Sandbox Networks, Inc. | Virtualizing network-attached-storage (NAS) with a compact table that stores lossy hashes of file names and parent handles rather than full names |
JP4480422B2 (ja) | 2004-03-05 | 2010-06-16 | 富士通株式会社 | Unauthorized access prevention method, device, system, and program |
US7783735B1 (en) | 2004-03-22 | 2010-08-24 | Mcafee, Inc. | Containment of network communication |
JP2005275839A (ja) | 2004-03-25 | 2005-10-06 | Nec Corp | Software usage authorization method and system |
US7966658B2 (en) | 2004-04-08 | 2011-06-21 | The Regents Of The University Of California | Detecting public network attacks using signatures and fast content analysis |
WO2005099342A2 (en) | 2004-04-19 | 2005-10-27 | Securewave S.A. | A generic framework for runtime interception and execution control of interpreted languages |
US7890946B2 (en) | 2004-05-11 | 2011-02-15 | Microsoft Corporation | Efficient patching |
US20060004875A1 (en) | 2004-05-11 | 2006-01-05 | Microsoft Corporation | CMDB schema |
US7818377B2 (en) | 2004-05-24 | 2010-10-19 | Microsoft Corporation | Extended message rule architecture |
WO2005117466A2 (en) | 2004-05-24 | 2005-12-08 | Computer Associates Think, Inc. | Wireless manager and method for managing wireless devices |
US7506170B2 (en) | 2004-05-28 | 2009-03-17 | Microsoft Corporation | Method for secure access to multiple secure networks |
US20050273858A1 (en) | 2004-06-07 | 2005-12-08 | Erez Zadok | Stackable file systems and methods thereof |
US7624445B2 (en) | 2004-06-15 | 2009-11-24 | International Business Machines Corporation | System for dynamic network reconfiguration and quarantine in response to threat conditions |
JP4341517B2 (ja) | 2004-06-21 | 2009-10-07 | 日本電気株式会社 | Security policy management system, security policy management method, and program |
US7694150B1 (en) | 2004-06-22 | 2010-04-06 | Cisco Technology, Inc | System and methods for integration of behavioral and signature based security |
US20050289538A1 (en) | 2004-06-23 | 2005-12-29 | International Business Machines Corporation | Deploying an application software on a virtual deployment target |
US7203864B2 (en) | 2004-06-25 | 2007-04-10 | Hewlett-Packard Development Company, L.P. | Method and system for clustering computers into peer groups and comparing individual computers to their peers |
US7908653B2 (en) | 2004-06-29 | 2011-03-15 | Intel Corporation | Method of improving computer security through sandboxing |
CN1985489B (zh) | 2004-07-09 | 2012-05-09 | 艾利森电话股份有限公司 | Method and device for providing different services in a multimedia communication system |
US20060015501A1 (en) | 2004-07-19 | 2006-01-19 | International Business Machines Corporation | System, method and program product to determine a time interval at which to check conditions to permit access to a file |
US7937455B2 (en) | 2004-07-28 | 2011-05-03 | Oracle International Corporation | Methods and systems for modifying nodes in a cluster environment |
JP2006059217A (ja) | 2004-08-23 | 2006-03-02 | Mitsubishi Electric Corp | Software memory image generation device, embedded device software update system, and program |
US7703090B2 (en) | 2004-08-31 | 2010-04-20 | Microsoft Corporation | Patch un-installation |
US7873955B1 (en) | 2004-09-07 | 2011-01-18 | Mcafee, Inc. | Solidifying the executable software set of a computer |
US7392374B2 (en) | 2004-09-21 | 2008-06-24 | Hewlett-Packard Development Company, L.P. | Moving kernel configurations |
US7561515B2 (en) | 2004-09-27 | 2009-07-14 | Intel Corporation | Role-based network traffic-flow rate control |
US8146145B2 (en) * | 2004-09-30 | 2012-03-27 | Rockstar Bidco Lp | Method and apparatus for enabling enhanced control of traffic propagation through a network firewall |
US7506364B2 (en) | 2004-10-01 | 2009-03-17 | Microsoft Corporation | Integrated access authorization |
US7685632B2 (en) | 2004-10-01 | 2010-03-23 | Microsoft Corporation | Access authorization having a centralized policy |
US20060080656A1 (en) | 2004-10-12 | 2006-04-13 | Microsoft Corporation | Methods and instructions for patch management |
US9329905B2 (en) | 2004-10-15 | 2016-05-03 | Emc Corporation | Method and apparatus for configuring, monitoring and/or managing resource groups including a virtual machine |
US8099060B2 (en) | 2004-10-29 | 2012-01-17 | Research In Motion Limited | Wireless/wired mobile communication device with option to automatically block wireless communication when connected for wired communication |
US7765538B2 (en) | 2004-10-29 | 2010-07-27 | Hewlett-Packard Development Company, L.P. | Method and apparatus for determining which program patches to recommend for installation |
EP1820099A4 (en) | 2004-11-04 | 2013-06-26 | Tti Inv S C Llc | Detecting operating code in network data streams |
US20060101277A1 (en) | 2004-11-10 | 2006-05-11 | Meenan Patrick A | Detecting and remedying unauthorized computer programs |
WO2006101549A2 (en) | 2004-12-03 | 2006-09-28 | Whitecell Software, Inc. | Secure system for allowing the execution of authorized computer program code |
US8479193B2 (en) | 2004-12-17 | 2013-07-02 | Intel Corporation | Method, apparatus and system for enhancing the usability of virtual machines |
US7765544B2 (en) | 2004-12-17 | 2010-07-27 | Intel Corporation | Method, apparatus and system for improving security in a virtual machine host |
US7607170B2 (en) | 2004-12-22 | 2009-10-20 | Radware Ltd. | Stateful attack protection |
US7752667B2 (en) | 2004-12-28 | 2010-07-06 | Lenovo (Singapore) Pte Ltd. | Rapid virus scan using file signature created during file write |
EP2739014B1 (en) | 2005-01-24 | 2018-08-01 | Citrix Systems, Inc. | Systems and methods for performing caching of dynamically generated objects in a network |
US7302558B2 (en) | 2005-01-25 | 2007-11-27 | Goldman Sachs & Co. | Systems and methods to facilitate the creation and configuration management of computing systems |
US7385938B1 (en) | 2005-02-02 | 2008-06-10 | At&T Corp. | Method and apparatus for adjusting a network device configuration change distribution schedule |
US20130247027A1 (en) | 2005-02-16 | 2013-09-19 | Solidcore Systems, Inc. | Distribution and installation of solidified software on a computer |
US8056138B2 (en) | 2005-02-26 | 2011-11-08 | International Business Machines Corporation | System, method, and service for detecting improper manipulation of an application |
US7836504B2 (en) | 2005-03-01 | 2010-11-16 | Microsoft Corporation | On-access scan of memory for malware |
US7685635B2 (en) | 2005-03-11 | 2010-03-23 | Microsoft Corporation | Systems and methods for multi-level intercept processing in a virtual machine environment |
TW200707417A (en) | 2005-03-18 | 2007-02-16 | Sony Corp | Reproducing apparatus, reproducing method, program, program storage medium, data delivery system, data structure, and manufacturing method of recording medium |
US7552479B1 (en) | 2005-03-22 | 2009-06-23 | Symantec Corporation | Detecting shellcode that modifies IAT entries |
JP2006270894A (ja) | 2005-03-25 | 2006-10-05 | Fuji Xerox Co Ltd | Gateway device, terminal device, communication system, and program |
US7770151B2 (en) | 2005-04-07 | 2010-08-03 | International Business Machines Corporation | Automatic generation of solution deployment descriptors |
US8590044B2 (en) | 2005-04-14 | 2013-11-19 | International Business Machines Corporation | Selective virus scanning system and method |
US7349931B2 (en) | 2005-04-14 | 2008-03-25 | Webroot Software, Inc. | System and method for scanning obfuscated files for pestware |
US7562385B2 (en) | 2005-04-20 | 2009-07-14 | Fuji Xerox Co., Ltd. | Systems and methods for dynamic authentication using physical keys |
US7603552B1 (en) | 2005-05-04 | 2009-10-13 | Mcafee, Inc. | Piracy prevention using unique module translation |
US7363463B2 (en) | 2005-05-13 | 2008-04-22 | Microsoft Corporation | Method and system for caching address translations from multiple address spaces in virtual machines |
US8001245B2 (en) * | 2005-06-01 | 2011-08-16 | International Business Machines Corporation | System and method for autonomically configurable router |
WO2006137057A2 (en) | 2005-06-21 | 2006-12-28 | Onigma Ltd. | A method and a system for providing comprehensive protection against leakage of sensitive information assets using host based agents, content- meta-data and rules-based policies |
US8839450B2 (en) | 2007-08-02 | 2014-09-16 | Intel Corporation | Secure vault service for software components within an execution environment |
CN101218568A (zh) | 2005-07-11 | 2008-07-09 | 微软公司 | Per-user and system granular audit policy implementation |
US7739721B2 (en) | 2005-07-11 | 2010-06-15 | Microsoft Corporation | Per-user and system granular audit policy implementation |
US7856661B1 (en) | 2005-07-14 | 2010-12-21 | Mcafee, Inc. | Classification of software on networked systems |
US7983254B2 (en) * | 2005-07-20 | 2011-07-19 | Verizon Business Global Llc | Method and system for securing real-time media streams in support of interdomain traversal |
US7984493B2 (en) | 2005-07-22 | 2011-07-19 | Alcatel-Lucent | DNS based enforcement for confinement and detection of network malicious activities |
CA2617204C (en) | 2005-07-29 | 2016-07-05 | Bit9, Inc. | Network security systems and methods |
US7895651B2 (en) | 2005-07-29 | 2011-02-22 | Bit 9, Inc. | Content tracking in a network security system |
US7962616B2 (en) | 2005-08-11 | 2011-06-14 | Micro Focus (Us), Inc. | Real-time activity monitoring and reporting |
US7340574B2 (en) | 2005-08-30 | 2008-03-04 | Rockwell Automation Technologies, Inc. | Method and apparatus for synchronizing an industrial controller with a redundant controller |
US8327353B2 (en) | 2005-08-30 | 2012-12-04 | Microsoft Corporation | Hierarchical virtualization with a multi-level virtualization mechanism |
US8166474B1 (en) | 2005-09-19 | 2012-04-24 | Vmware, Inc. | System and methods for implementing network traffic management for virtual and physical machines |
US20070074199A1 (en) | 2005-09-27 | 2007-03-29 | Sebastian Schoenberg | Method and apparatus for delivering microcode updates through virtual machine operations |
EP1770915A1 (en) | 2005-09-29 | 2007-04-04 | Matsushita Electric Industrial Co., Ltd. | Policy control in the evolved system architecture |
US7712132B1 (en) | 2005-10-06 | 2010-05-04 | Ogilvie John W | Detecting surreptitious spyware |
US8131825B2 (en) | 2005-10-07 | 2012-03-06 | Citrix Systems, Inc. | Method and a system for responding locally to requests for file metadata associated with files stored remotely |
US7725737B2 (en) | 2005-10-14 | 2010-05-25 | Check Point Software Technologies, Inc. | System and methodology providing secure workspace environment |
US20070169079A1 (en) | 2005-11-08 | 2007-07-19 | Microsoft Corporation | Software update management |
US7836303B2 (en) | 2005-12-09 | 2010-11-16 | University Of Washington | Web browser operating system |
US7856538B2 (en) | 2005-12-12 | 2010-12-21 | Systex, Inc. | Methods, systems and computer readable medium for detecting memory overflow conditions |
US20070143851A1 (en) | 2005-12-21 | 2007-06-21 | Fiberlink | Method and systems for controlling access to computing resources based on known security vulnerabilities |
US8296437B2 (en) * | 2005-12-29 | 2012-10-23 | Logmein, Inc. | Server-mediated setup and maintenance of peer-to-peer client computer communications |
US20070168861A1 (en) | 2006-01-17 | 2007-07-19 | Bell Denise A | Method for indicating completion status of user initiated and system created tasks |
US20070174429A1 (en) | 2006-01-24 | 2007-07-26 | Citrix Systems, Inc. | Methods and servers for establishing a connection between a client system and a virtual machine hosting a requested computing environment |
US7757269B1 (en) | 2006-02-02 | 2010-07-13 | Mcafee, Inc. | Enforcing alignment of approved changes and deployed changes in the software change life-cycle |
WO2007100045A1 (ja) | 2006-03-03 | 2007-09-07 | Nec Corporation | Communication control device, communication control system, communication control method, and communication control program |
US8185724B2 (en) | 2006-03-03 | 2012-05-22 | Arm Limited | Monitoring values of signals within an integrated circuit |
US8621433B2 (en) | 2006-03-20 | 2013-12-31 | Microsoft Corporation | Managing version information for software components |
US7895573B1 (en) | 2006-03-27 | 2011-02-22 | Mcafee, Inc. | Execution environment file inventory |
US7752233B2 (en) | 2006-03-29 | 2010-07-06 | Massachusetts Institute Of Technology | Techniques for clustering a set of objects |
KR20070099201A (ko) | 2006-04-03 | 2007-10-09 | Samsung Electronics Co., Ltd. | Security management method for a portable wireless device and security management apparatus using the same |
US7870387B1 (en) | 2006-04-07 | 2011-01-11 | Mcafee, Inc. | Program-based authorization |
US8015563B2 (en) | 2006-04-14 | 2011-09-06 | Microsoft Corporation | Managing virtual machines with system-wide policies |
US7966659B1 (en) | 2006-04-18 | 2011-06-21 | Rockwell Automation Technologies, Inc. | Distributed learn mode for configuring a firewall, security authority, intrusion detection/prevention devices, and the like |
US8352930B1 (en) | 2006-04-24 | 2013-01-08 | Mcafee, Inc. | Software modification by group to minimize breakage |
US8458673B2 (en) | 2006-04-26 | 2013-06-04 | Flexera Software Llc | Computer-implemented method and system for binding digital rights management executable code to a software application |
US7849507B1 (en) | 2006-04-29 | 2010-12-07 | Ironport Systems, Inc. | Apparatus for filtering server responses |
US8555404B1 (en) | 2006-05-18 | 2013-10-08 | Mcafee, Inc. | Connectivity-based authorization |
US20080082662A1 (en) | 2006-05-19 | 2008-04-03 | Richard Dandliker | Method and apparatus for controlling access to network resources based on reputation |
US8291409B2 (en) | 2006-05-22 | 2012-10-16 | Microsoft Corporation | Updating virtual machine with patch on host that does not have network access |
US20070276950A1 (en) | 2006-05-26 | 2007-11-29 | Rajesh Dadhia | Firewall For Dynamically Activated Resources |
US7761912B2 (en) | 2006-06-06 | 2010-07-20 | Microsoft Corporation | Reputation driven firewall |
US7809704B2 (en) | 2006-06-15 | 2010-10-05 | Microsoft Corporation | Combining spectral and probabilistic clustering |
US7831997B2 (en) | 2006-06-22 | 2010-11-09 | Intel Corporation | Secure and automatic provisioning of computer systems having embedded network devices |
US20070300215A1 (en) | 2006-06-26 | 2007-12-27 | Bardsley Jeffrey S | Methods, systems, and computer program products for obtaining and utilizing a score indicative of an overall performance effect of a software update on a software host |
US8009566B2 (en) | 2006-06-26 | 2011-08-30 | Palo Alto Networks, Inc. | Packet classification in a network security device |
US8365294B2 (en) | 2006-06-30 | 2013-01-29 | Intel Corporation | Hardware platform authentication and multi-platform validation |
US7950056B1 (en) | 2006-06-30 | 2011-05-24 | Symantec Corporation | Behavior based processing of a new version or variant of a previously characterized program |
US8468526B2 (en) | 2006-06-30 | 2013-06-18 | Intel Corporation | Concurrent thread execution using user-level asynchronous signaling |
US8495181B2 (en) | 2006-08-03 | 2013-07-23 | Citrix Systems, Inc | Systems and methods for application based interception SSI/VPN traffic |
US8572721B2 (en) | 2006-08-03 | 2013-10-29 | Citrix Systems, Inc. | Methods and systems for routing packets in a VPN-client-to-VPN-client connection via an SSL/VPN network appliance |
US8015388B1 (en) | 2006-08-04 | 2011-09-06 | Vmware, Inc. | Bypassing guest page table walk for shadow page table entries not present in guest page table |
US20080059123A1 (en) | 2006-08-29 | 2008-03-06 | Microsoft Corporation | Management of host compliance evaluation |
EP1901192A1 (en) | 2006-09-14 | 2008-03-19 | British Telecommunications Public Limited Company | Mobile application registration |
US8161475B2 (en) | 2006-09-29 | 2012-04-17 | Microsoft Corporation | Automatic load and balancing for virtual machines to meet resource requirements |
US7769731B2 (en) | 2006-10-04 | 2010-08-03 | International Business Machines Corporation | Using file backup software to generate an alert when a file modification policy is violated |
US8584199B1 (en) | 2006-10-17 | 2013-11-12 | A10 Networks, Inc. | System and method to apply a packet routing policy to an application session |
US9697019B1 (en) | 2006-10-17 | 2017-07-04 | Manageiq, Inc. | Adapt a virtual machine to comply with system enforced policies and derive an optimized variant of the adapted virtual machine |
US8055904B1 (en) | 2006-10-19 | 2011-11-08 | United Services Automobile Association (USAA) | Systems and methods for software application security management |
US7979749B2 (en) | 2006-11-15 | 2011-07-12 | International Business Machines Corporation | Method and infrastructure for detecting and/or servicing a failing/failed operating system instance |
US7689817B2 (en) | 2006-11-16 | 2010-03-30 | Intel Corporation | Methods and apparatus for defeating malware |
US8091127B2 (en) | 2006-12-11 | 2012-01-03 | International Business Machines Corporation | Heuristic malware detection |
US20080155336A1 (en) | 2006-12-20 | 2008-06-26 | International Business Machines Corporation | Method, system and program product for dynamically identifying components contributing to service degradation |
US8336046B2 (en) | 2006-12-29 | 2012-12-18 | Intel Corporation | Dynamic VM cloning on request from application based on mapping of virtual hardware configuration to the identified physical hardware resources |
US7996836B1 (en) | 2006-12-29 | 2011-08-09 | Symantec Corporation | Using a hypervisor to provide computer security |
US8381209B2 (en) | 2007-01-03 | 2013-02-19 | International Business Machines Corporation | Moveable access control list (ACL) mechanisms for hypervisors and virtual machines and virtual port firewalls |
US8254568B2 (en) | 2007-01-07 | 2012-08-28 | Apple Inc. | Secure booting a computing device |
US8332929B1 (en) | 2007-01-10 | 2012-12-11 | Mcafee, Inc. | Method and apparatus for process enforced configuration management |
US9424154B2 (en) | 2007-01-10 | 2016-08-23 | Mcafee, Inc. | Method of and system for computer system state checks |
US20080178278A1 (en) * | 2007-01-22 | 2008-07-24 | Doron Grinstein | Providing A Generic Gateway For Accessing Protected Resources |
US8380987B2 (en) | 2007-01-25 | 2013-02-19 | Microsoft Corporation | Protection agents and privilege modes |
JP4715774B2 (ja) | 2007-03-02 | 2011-07-06 | NEC Corporation | Replication method, replication system, storage device, and program |
US8276201B2 (en) | 2007-03-22 | 2012-09-25 | International Business Machines Corporation | Integrity protection in data processing systems |
US20080282080A1 (en) | 2007-05-11 | 2008-11-13 | Nortel Networks Limited | Method and apparatus for adapting a communication network according to information provided by a trusted client |
US7930327B2 (en) | 2007-05-21 | 2011-04-19 | International Business Machines Corporation | Method and apparatus for obtaining the absolute path name of an open file system object from its file descriptor |
US20080295173A1 (en) | 2007-05-21 | 2008-11-27 | Tsvetomir Iliev Tsvetanov | Pattern-based network defense mechanism |
US20080301770A1 (en) | 2007-05-31 | 2008-12-04 | Kinder Nathan G | Identity based virtual machine selector |
US20090007100A1 (en) | 2007-06-28 | 2009-01-01 | Microsoft Corporation | Suspending a Running Operating System to Enable Security Scanning |
US8763115B2 (en) | 2007-08-08 | 2014-06-24 | Vmware, Inc. | Impeding progress of malicious guest software |
CN101370004A (zh) * | 2007-08-16 | 2009-02-18 | Huawei Technologies Co., Ltd. | Method for distributing a multicast session security policy and multicast device |
US20090049172A1 (en) | 2007-08-16 | 2009-02-19 | Robert Miller | Concurrent Node Self-Start in a Peer Cluster |
US20090064287A1 (en) * | 2007-08-28 | 2009-03-05 | Rohati Systems, Inc. | Application protection architecture with triangulated authorization |
WO2009032710A2 (en) | 2007-08-29 | 2009-03-12 | Nirvanix, Inc. | Filing system and method for data files stored in a distributed communications network |
US8250641B2 (en) | 2007-09-17 | 2012-08-21 | Intel Corporation | Method and apparatus for dynamic switching and real time security control on virtualized systems |
US8819676B2 (en) | 2007-10-30 | 2014-08-26 | Vmware, Inc. | Transparent memory-mapped emulation of I/O calls |
US8195931B1 (en) | 2007-10-31 | 2012-06-05 | Mcafee, Inc. | Application change control |
JP5238235B2 (ja) | 2007-12-07 | 2013-07-17 | Hitachi, Ltd. | Management device and management method |
US8701189B2 (en) | 2008-01-31 | 2014-04-15 | Mcafee, Inc. | Method of and system for computer system denial-of-service protection |
US8788805B2 (en) | 2008-02-29 | 2014-07-22 | Cisco Technology, Inc. | Application-level service access to encrypted data streams |
US8146147B2 (en) | 2008-03-27 | 2012-03-27 | Juniper Networks, Inc. | Combined firewalls |
US8321931B2 (en) | 2008-03-31 | 2012-11-27 | Intel Corporation | Method and apparatus for sequential hypervisor invocation |
US8615502B2 (en) | 2008-04-18 | 2013-12-24 | Mcafee, Inc. | Method of and system for reverse mapping vnode pointers |
US8234709B2 (en) | 2008-06-20 | 2012-07-31 | Symantec Operating Corporation | Streaming malware definition updates |
US8352240B2 (en) | 2008-06-20 | 2013-01-08 | Vmware, Inc. | Decoupling dynamic program analysis from execution across heterogeneous systems |
US8132091B2 (en) | 2008-08-07 | 2012-03-06 | Serge Nabutovsky | Link exchange system and method |
US8065714B2 (en) | 2008-09-12 | 2011-11-22 | Hytrust, Inc. | Methods and systems for securely managing virtualization platform |
US8726391B1 (en) | 2008-10-10 | 2014-05-13 | Symantec Corporation | Scheduling malware signature updates in relation to threat awareness and environmental safety |
US9141381B2 (en) | 2008-10-27 | 2015-09-22 | Vmware, Inc. | Version control environment for virtual machines |
CN101741820B (zh) * | 2008-11-13 | 2013-12-18 | Huawei Technologies Co., Ltd. | Method, system and device for CGA public key identification and CGA public key determination |
JP4770921B2 (ja) | 2008-12-01 | 2011-09-14 | NEC Corporation | Gateway server, file management system, file management method and program |
US8544003B1 (en) | 2008-12-11 | 2013-09-24 | Mcafee, Inc. | System and method for managing virtual machine configurations |
US8274895B2 (en) | 2009-01-26 | 2012-09-25 | Telefonaktiebolaget L M Ericsson (Publ) | Dynamic management of network flows |
US8904520B1 (en) | 2009-03-19 | 2014-12-02 | Symantec Corporation | Communication-based reputation system |
US8387046B1 (en) | 2009-03-26 | 2013-02-26 | Symantec Corporation | Security driver for hypervisors and operating systems of virtualized datacenters |
US8060722B2 (en) | 2009-03-27 | 2011-11-15 | Vmware, Inc. | Hardware assistance for shadow page table coherence with guest page mappings |
US20100299277A1 (en) | 2009-05-19 | 2010-11-25 | Randy Emelo | System and method for creating and enhancing mentoring relationships |
US8205035B2 (en) * | 2009-06-22 | 2012-06-19 | Citrix Systems, Inc. | Systems and methods for integration between application firewall and caching |
US8359422B2 (en) | 2009-06-26 | 2013-01-22 | Vmware, Inc. | System and method to reduce trace faults in software MMU virtualization |
GB2471716A (en) | 2009-07-10 | 2011-01-12 | F Secure Oyj | Anti-virus scan management using intermediate results |
JP2010016834A (ja) | 2009-07-16 | 2010-01-21 | Nippon Telegr & Teleph Corp <Ntt> | Filtering method |
US8381284B2 (en) | 2009-08-21 | 2013-02-19 | Mcafee, Inc. | System and method for enforcing security policies in a virtual environment |
US8341627B2 (en) | 2009-08-21 | 2012-12-25 | Mcafee, Inc. | Method and system for providing user space address protection from writable memory area in a virtual environment |
US8572695B2 (en) | 2009-09-08 | 2013-10-29 | Ricoh Co., Ltd | Method for applying a physical seal authorization to documents in electronic workflows |
US8234408B2 (en) | 2009-09-10 | 2012-07-31 | Cloudshield Technologies, Inc. | Differentiating unique systems sharing a common address |
US20110072129A1 (en) * | 2009-09-21 | 2011-03-24 | At&T Intellectual Property I, L.P. | Icmp proxy device |
US9552497B2 (en) | 2009-11-10 | 2017-01-24 | Mcafee, Inc. | System and method for preventing data loss using virtual machine wrapped applications |
US9390263B2 (en) | 2010-03-31 | 2016-07-12 | Sophos Limited | Use of an application controller to monitor and control software file and application environments |
US8875292B1 (en) | 2010-04-05 | 2014-10-28 | Symantec Corporation | Systems and methods for managing malware signatures |
US8813209B2 (en) * | 2010-06-03 | 2014-08-19 | International Business Machines Corporation | Automating network reconfiguration during migrations |
US8938800B2 (en) | 2010-07-28 | 2015-01-20 | Mcafee, Inc. | System and method for network level protection against malicious software |
US8925101B2 (en) | 2010-07-28 | 2014-12-30 | Mcafee, Inc. | System and method for local protection against malicious software |
US8549003B1 (en) | 2010-09-12 | 2013-10-01 | Mcafee, Inc. | System and method for clustering host inventories |
CN103154961A (zh) | 2010-09-30 | 2013-06-12 | Hewlett-Packard Development Company, L.P. | Virtual machine for virus scanning |
US9075993B2 (en) | 2011-01-24 | 2015-07-07 | Mcafee, Inc. | System and method for selectively grouping and managing program files |
US9112830B2 (en) | 2011-02-23 | 2015-08-18 | Mcafee, Inc. | System and method for interlocking a host and a gateway |
US20130247192A1 (en) | 2011-03-01 | 2013-09-19 | Sven Krasser | System and method for botnet detection by comprehensive email behavioral analysis |
US9015709B2 (en) | 2011-03-08 | 2015-04-21 | Rackspace Us, Inc. | Hypervisor-agnostic method of configuring a virtual machine |
US9122877B2 (en) | 2011-03-21 | 2015-09-01 | Mcafee, Inc. | System and method for malware and network reputation correlation |
US8776234B2 (en) | 2011-04-20 | 2014-07-08 | Kaspersky Lab, Zao | System and method for dynamic generation of anti-virus databases |
US9594881B2 (en) | 2011-09-09 | 2017-03-14 | Mcafee, Inc. | System and method for passive threat detection using virtual memory inspection |
US8694738B2 (en) | 2011-10-11 | 2014-04-08 | Mcafee, Inc. | System and method for critical address space protection in a hypervisor environment |
US9069586B2 (en) | 2011-10-13 | 2015-06-30 | Mcafee, Inc. | System and method for kernel rootkit protection in a hypervisor environment |
US8973144B2 (en) | 2011-10-13 | 2015-03-03 | Mcafee, Inc. | System and method for kernel rootkit protection in a hypervisor environment |
US8713668B2 (en) | 2011-10-17 | 2014-04-29 | Mcafee, Inc. | System and method for redirected firewall discovery in a network environment |
US8800024B2 (en) | 2011-10-17 | 2014-08-05 | Mcafee, Inc. | System and method for host-initiated firewall discovery in a network environment |
US8713684B2 (en) | 2012-02-24 | 2014-04-29 | Appthority, Inc. | Quantifying the risks of applications for mobile devices |
US8793489B2 (en) | 2012-03-01 | 2014-07-29 | Humanconcepts, Llc | Method and system for controlling data access to organizational data maintained in hierarchical |
US8739272B1 (en) | 2012-04-02 | 2014-05-27 | Mcafee, Inc. | System and method for interlocking a host and a gateway |
US8931043B2 (en) | 2012-04-10 | 2015-01-06 | Mcafee Inc. | System and method for determining and using local reputations of users and hosts to protect information in a network environment |
US9292688B2 (en) | 2012-09-26 | 2016-03-22 | Northrop Grumman Systems Corporation | System and method for automated machine-learning, zero-day malware detection |
US8973146B2 (en) | 2012-12-27 | 2015-03-03 | Mcafee, Inc. | Herd based scan avoidance system in a network environment |
US9311480B2 (en) | 2013-03-15 | 2016-04-12 | Mcafee, Inc. | Server-assisted anti-malware client |
US9614865B2 (en) | 2013-03-15 | 2017-04-04 | Mcafee, Inc. | Server-assisted anti-malware client |
EP3061030A4 (en) | 2013-10-24 | 2017-04-19 | McAfee, Inc. | Agent assisted malicious application blocking in a network environment |
2011
- 2011-10-17 US US13/275,249 patent/US8713668B2/en active Active
2012
- 2012-09-26 CN CN201280053580.XA patent/CN103907330B/zh active Active
- 2012-09-26 WO PCT/US2012/057312 patent/WO2013058944A1/en active Application Filing
- 2012-09-26 EP EP12842144.3A patent/EP2769509B1/en active Active
2014
- 2014-04-28 US US14/263,164 patent/US9356909B2/en active Active
2016
- 2016-05-28 US US15/168,004 patent/US9882876B2/en active Active
2017
- 2017-08-24 US US15/686,059 patent/US10652210B2/en active Active
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1383295A (zh) * | 2001-04-25 | 2002-12-04 | Digital United Telecom Co., Ltd. | Redirectable Internet connection system |
Also Published As
Publication number | Publication date |
---|---|
EP2769509A4 (en) | 2015-03-11 |
EP2769509B1 (en) | 2018-08-08 |
US20130097658A1 (en) | 2013-04-18 |
US9882876B2 (en) | 2018-01-30 |
US9356909B2 (en) | 2016-05-31 |
CN103907330A (zh) | 2014-07-02 |
US20140237584A1 (en) | 2014-08-21 |
WO2013058944A1 (en) | 2013-04-25 |
US20170374030A1 (en) | 2017-12-28 |
US8713668B2 (en) | 2014-04-29 |
US10652210B2 (en) | 2020-05-12 |
EP2769509A1 (en) | 2014-08-27 |
US20160352683A1 (en) | 2016-12-01 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN103907330B (zh) | System and method for redirected firewall discovery in a network environment | |
CN103875226B (zh) | System and method for host-initiated firewall discovery in a network environment | |
US7552323B2 (en) | System, apparatuses, methods, and computer-readable media using identification data in packet communications | |
Degraaf et al. | Improved port knocking with strong authentication | |
US11297070B2 (en) | Communication apparatus, system, method, and non-transitory medium | |
JP2014511616A (ja) | Logical device, processing method and processing device | |
Skowyra et al. | Have no phear: Networks without identifiers | |
AU2003294304B2 (en) | Systems and apparatuses using identification data in network communication | |
Munir et al. | Multipath TCP traffic diversion attacks and countermeasures | |
Tennekoon et al. | Prototype implementation of fast and secure traceability service over public networks | |
Walker | Internet security | |
Kwon et al. | Mondrian: Comprehensive Inter-domain Network Zoning Architecture. | |
Wang et al. | Using web-referral architectures to mitigate denial-of-service threats | |
EP1290852A2 (en) | Distributed firewall system and method | |
Pappas et al. | Network transparency for better internet security | |
KR20110010050A (ko) | Per-flow dynamic access control system and method | |
Wu et al. | Identity-Based Authentication Protocol for Trustworthy IP Address | |
Hähni | Mondrian: A Comprehensive Inter-Domain Network Zoning Architecture | |
Zave et al. | 1 Security provided by endpoints | |
Perrig et al. | Security Analysis | |
Khalid et al. | Security Issue of BGP in complex Peering and Transit Networks | |
Tiamiyu | Algorithmization, requirements analysis and architectural challenges of TraConDa | |
Bob | Internet Technology | |
Wang | A deployable IP spoofing defence system | |
Zúquete | Protection of LAN-wide, P2P interactions: a holistic approach |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant | ||
CP03 | Change of name, title or address | Address after: California, USA. Patentee after: McAfee LLC. Address before: California, USA. Patentee before: McAfee Inc. |
CP03 | Change of name, title or address |