Adaptive normal profiles are generated at a hierarchical scope corresponding to a set of endpoints and a process. Abnormal endpoint activity is detected by verifying whether event data tracking activity on the set of endpoints conforms to the adaptive normal profiles. False positives are reduced by verifying whether alarms correspond to normal endpoint activity. Abnormal event data is forwarded to a causality chain identifier that identifies abnormal chains of processes for the abnormal endpoint activity. A trained threat detection model receives abnormal causality chains from the causality chain identifier and indicates a likelihood that each chain corresponds to a malicious attack exhibiting abnormal endpoint behavior.
A cloud resource join query for join operations across cloud resources is parsed to extract join rules and queries to each cloud resource in the cloud resource join query. Results from the individual cloud queries are dynamically indexed based on pairs of cloud resources indicated in the join rules. A search engine applies first order predicates in the join rules using the dynamic indexes to generate pairwise join results corresponding to the query. A result for the cloud resource join query comprises the pairwise join results after merging.
A hierarchical structure constructor constructs a hierarchical structure that comprises nodes associated with feature set patterns of URLs. Nodes at each depth are labelled as malicious, benign, or mixed according to whether the URLs matching the corresponding patterns are malicious, benign, or both malicious and benign. Malicious feature set patterns are extracted from malicious nodes in the hierarchical structure. A URL analyzer operates inline by logging traffic sessions, extracting URLs from the logs, and matching the extracted URLs with the malicious feature set patterns extracted from the hierarchical structure. The hierarchical structure is periodically updated with known malicious/benign URLs to improve the quality of malicious URL detection.
Techniques for deploying IPv6 routing are disclosed. A system, process, and/or computer program product for deploying IPv6 routing includes advertising in Border Gateway Protocol (BGP) a new address-family capability in combination with an existing address-family in a network that supports a plurality of address families, and undoing BGP filters to allow BGP routes to be exchanged at a time that a network administrator enables the new address-family capability in the network.
Assigning priority values to applications in advance facilitates later precedence ordering of the application identifiers when processing network traffic. The priority values can be assigned according to defined rules that satisfy a paradigm for application precedence in policy enforcement. When multiple application identifiers are determined from inspecting network traffic of a flow, a control plane process retrieves the assigned priority values and sorts the application identifiers according to the priority values. The control plane then communicates the sorted list of application identifiers to the data plane. The data plane enforces policies set for the applications identified in the list of application identifiers on the corresponding network traffic flow according to the order of precedence conveyed by the sorted list. This allows flexible and accurate policy enforcement on network traffic.
Detection of malicious JavaScript based on automated user interaction emulation is disclosed. A malware sample is executed in an instrumented virtual environment. Dynamic behavior is triggered based on emulated user interactions.
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
Internet of Things (IoT) device application workload capture is disclosed. A target IoT device is selected. A flow associated with the target IoT device is determined and tagged. Packets from the tagged flow are admitted into a ring buffer. An indication is received that an extraction should be performed on a portion of the packets included in the ring buffer.
H04L 41/06 - Management of faults, events, alarms or notifications
H04L 41/0816 - Configuration setting characterised by the conditions triggering a change of settings the condition being an adaptation, e.g. in response to network events
8.
DETECTING BEHAVIORAL CHANGE OF IOT DEVICES USING NOVELTY DETECTION BASED BEHAVIOR TRAFFIC MODELING
An anomalous behavior detector has been designed to detect novel behavioral changes of devices based on network traffic data that likely correlate to anomalous behaviors. The anomalous behavior detector uses the local outlier factor (LOF) algorithm with novelty detection. After initial semi-supervised training with a single class training dataset representing stable device behaviors, the obtained model continues learning frontiers that delimit subspaces of inlier observations with live network traffic data. Instead of traffic variables being used as features, the features that form feature vectors are similarities of network traffic variable values across time intervals. A feature vector for the anomalous behavior detector represents stability or similarity of network traffic variables that have been chosen as device identifiers and behavioral indicators.
An execution environment has been designed that detects likely data exfiltration by using taint tracking and abstract execution. The execution environment is instrumented to monitor for use of functions identified as having functionality for transferring data out of an execution environment. In addition, heuristics-based rules are defined to mark or “taint” objects (e.g., variables) that are likely targets for exfiltration. With taint tracking and control flow analysis, the execution environment tracks the tainted objects through multiple execution paths of a code sample. After comprehensive code coverage, the logged uses of the monitored functions are examined to determine whether any tainted objects were passed to the monitored functions. If so, the logged use will indicate a destination or sink for the tainted source. Each tainted source-sink association can be examined to verify whether the exfiltration was malicious.
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
10.
APPLYING SUBSCRIBER-ID BASED SECURITY, EQUIPMENT-ID BASED SECURITY, AND/OR NETWORK SLICE-ID BASED SECURITY WITH USER-ID AND SYSLOG MESSAGES IN MOBILE NETWORKS
Techniques for applying subscriber-ID based security, equipment-ID based security, and/or network slice-ID based security with user-ID and syslog messages in mobile networks are disclosed. In some embodiments, a system/process/computer program product for applying subscriber-ID based security, equipment-ID based security, and/or network slice-ID based security with user-ID and syslog messages in mobile networks includes monitoring network traffic on a mobile network at a security platform to identify a new session; extracting a plurality of parameters by parsing syslog messages with a user-ID agent at the security platform; and enforcing a security policy on the new session at the security platform based on one or more of the plurality of parameters including one or more of a subscriber-ID, equipment-ID, and network slice-ID to apply context-based security in the mobile network.
Analysis of samples for maliciousness is disclosed. A sample is executed and one or more network activities associated with executing the sample are recorded. The recorded network activities are compared to a malware profile. The malware profile comprises a set of network activities taken by a known malicious application during execution of the known malicious application. A verdict of “malicious” is assigned to the sample based at least in part on a determination that the recorded network activities match the malware profile.
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
H04W 12/128 - Anti-malware arrangements, e.g. protection against SMS fraud or mobile malware
12.
INLINE PACKAGE NAME BASED SUPPLY CHAIN ATTACK DETECTION AND PREVENTION
Inline package name based supply chain attack detection and prevention is disclosed. An indication that a client device has made a request to a remote server for a package is received. A data appliance then performs an action responsive to the received indication. In an example implementation, the data appliance makes a determination of whether the request for the package is associated with a nonexisting package.
An OCR filter described herein filters non-textual files out of scanned customer data before optical character recognition (OCR) and pattern analysis of the resulting text for sensitive customer data. The OCR filter is trained on files labelled using feature values for features generated from OCR applied to the corresponding files. Moreover, the OCR filter stores internal representations of the files during training to avoid leaking potentially sensitive customer data contained therein. Once trained, the performance of the OCR filter in filtering files comprising image data without text is evaluated according to false positive rates and false negative rates by comparing classifications of the OCR filter to classifications according to feature values for features generated from OCR. Evaluation of the OCR filter ensures continued model performance and informs model updates.
Techniques for providing innocent until proven guilty (IUPG) solutions for building and using adversary resistant and false positive resistant deep learning models are disclosed. In some embodiments, a system, process, and/or computer program product includes storing a set comprising one or more innocent until proven guilty (IUPG) models for static analysis of a sample; performing a static analysis of content associated with the sample, wherein performing the static analysis includes using at least one stored IUPG model; and determining that the sample is malicious based at least in part on the static analysis of the content associated with the sample, and in response to determining that the sample is malicious, performing an action based on a security policy.
Techniques for supporting overlapping network addresses universally are disclosed. A system, process, and/or computer program product for supporting overlapping network addresses universally includes generating at least two virtual routers for a cloud security service, the at least two virtual routers including a first virtual router and a second virtual router, routing cloud security service packets using the first virtual router, and routing enterprise subscriber packets using the second virtual router.
Exemplary methods, apparatuses, and systems include duplicating a packet within a plurality of packets to be transmitted to a destination computing node as a sequence of packets. The plurality of packets including the duplicate of the packet are transmitted to the destination computing node. Upon receiving a first acknowledgement of the packet from the destination computing node, it is determined that the first acknowledgment is directed to a duplicated packet. In response to determining that the first acknowledgment is directed to a duplicated packet, it is determined that a second acknowledgement has yet to be received for each of one or more packets within the plurality of packets transmitted prior to the packet. In response to determining that the second acknowledgement has yet to be received, the one or more packets are retransmitted to the destination computing node.
H04L 1/1607 - Arrangements for detecting or preventing errors in the information received by using return channel in which the return channel carries supervisory signals, e.g. repetition request signals - Details of the supervisory signal
The technology presented herein enables the use of a clustering algorithm to identify additional malicious domains based on known malicious domains. A domain identifier system identifies a first plurality of domain names associated with a malicious domain campaign and seeds a first clustering algorithm with the first plurality of domain names. After seeding the first clustering algorithm, the domain identifier system uses the first clustering algorithm to process passive domain name system (DNS) records to identify and group a second plurality of domain names associated with the malicious domain campaign.
For a seamless and robust artificial intelligence-based assistant experience, an intent-based query and response router has been designed to operate as an intelligent layer between a user and multiple backend services that may respond to one or more queries over the course of a conversation with the user. The query router interacts with an intent classification service to obtain an intent classification for a prompt that is based on a user query. The query router uses the intent classification, which is used as an identifier of a backend service, to route the user query to an appropriate one (or more) of the backend services. When a response is detected, the query router determines a corresponding conversation and provides the response for the conversation.
Techniques for sample traffic based self-learning malware detection are disclosed. In some embodiments, a system/process/computer program product for sample traffic based self-learning malware detection includes receiving a plurality of samples for malware detection analysis using a sandbox; executing each of the plurality of samples in the sandbox and monitoring network traffic during execution of each of the plurality of samples in the sandbox; detecting that one or more of the plurality of samples is malware based on automated analysis of the monitored network traffic using a command and control (C2) machine learning (ML) model if there is not a prior match with an intrusion prevention system (IPS) signature; and performing an action in response to detecting that the one or more of the plurality of samples is malware based on the automated analysis of the monitored network traffic using the C2 ML model. In some embodiments, the IPS signatures and C2 ML model are automatically generated and trained.
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
An API response field classification service obtains API documentation published by a vendor and defined security policies and matches the response fields represented in the security policies to their descriptions in the API documentation. The service generates labelled training data that comprise the identified response field descriptions with labels indicating that their corresponding response field is security related. Additional labelled training data for security unrelated response fields comprises descriptions of response fields that are known not to be represented with any security policies. The service trains a text classifier on the labelled training data. The trained text classifier accepts inputs comprising descriptions of unknown response fields and outputs predicted classes indicating whether the corresponding response fields are predicted to be security related. Subsequent creation of security policies can be focused on these response fields predicted to be security related.
The present application discloses a method, system, and computer system for automatically detecting protocol compliance of applications. The method includes determining a URL of a webpage for a software-as-a-service (SaaS) product, extracting body text from the webpage, and using a classifier to determine whether the SaaS product is compliant with one or more protocols.
Techniques for probing for Cobalt Strike TeamServer detection are disclosed. In some embodiments, a system/process/computer program product for probing for Cobalt Strike TeamServer detection includes monitoring HyperText Transfer Protocol (HTTP), HTTPS, and/or Domain Name System (DNS) network traffic at a firewall; prefiltering the monitored HTTP, HTTPS, and/or DNS network traffic at the firewall to select a subset of the HTTP, HTTPS, and/or DNS network traffic to forward to a cloud security service; performing HTTP, HTTPS, and/or DNS probing of a target to detect whether the target is a Cobalt Strike TeamServer; and performing an action in response to detecting that the target is the Cobalt Strike TeamServer.
Techniques for beacon and threat intelligence based Advanced Persistent Threat (APT) detection are disclosed. In some embodiments, a system/process/computer program product for beacon and threat intelligence based APT detection includes collecting firewall log data from monitored network traffic; analyzing the firewall log data at a cloud security service to identify beacon traffic based on a plurality of heuristics; performing a risk evaluation of the beacon traffic to detect malicious beacon traffic; and performing an action in response to detecting the malicious beacon traffic.
A method and system for detecting shadowed domains is provided. New hostnames are collected for a predetermined period of time. Candidate shadowed domains are selected from the new hostnames. Classification of the candidate shadowed domains is performed based on a plurality of features relating to the candidate shadowed domains to output a set of identified shadowed domains. An action is performed based on the set of identified shadowed domains.
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
27.
ATTACK CHAIN IDENTIFICATION VIA MISCONFIGURATIONS IN CLOUD RESOURCES
A cloud resource management system detects resource misconfiguration for resources in a cloud including cloud policy misconfigurations and resource vulnerabilities. An attack chain analyzer identifies attack chains from misconfigured resources ordered according to stages in an attack framework that models sequential behavior for malicious attacks. The attack chains are detected according to a depth-first search traversal of adjacent resources that have pairwise exposure according to characteristics indicated in the cloud policy misconfigurations and resource vulnerabilities. The attack chain analyzer generates further diagnostics that inform remediation of resource misconfigurations for malicious attack prevention.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
Techniques for Cobalt Strike Beacon HTTP C2 heuristic detection are disclosed. In some embodiments, a system/process/computer program product for Cobalt Strike Beacon HTTP C2 heuristic detection includes monitoring HyperText Transfer Protocol (HTTP) network traffic at a firewall; prefiltering the monitored HTTP network traffic at the firewall to select a subset of the HTTP network traffic to forward to a cloud security service; determining whether the subset of the HTTP network traffic is associated with Cobalt Strike Beacon HTTP C2 traffic activity based on a plurality of heuristics; and performing an action in response to detecting the Cobalt Strike Beacon HTTP C2 traffic activity.
Dynamic partitioning of a search space of queries is implemented for flexible, heuristic database querying. Search space partitioning refers to dividing the search space for a submitted query into smaller parts by augmenting the queries to append thereto an additional predicate comprising a dynamic partition key and a value(s) selected based on heuristics (e.g., recency and/or relevancy of the value(s)). A plurality of candidate augmentations of the query and corresponding query plans are generated and evaluated based on additional heuristics to determine which can be executed to yield the best results in terms of result quality and latency. This query plan is selected and executed for retrieval of results that satisfy the query, with pagination utilized for presentation of the results. The procedure of generating candidate query plans, selecting one of the candidates for execution, and paginating results is repeated until a search termination criterion is satisfied.
The present application discloses a method, system, and computer system for detecting parked domains. The method includes obtaining, by one or more processors, a set of webpages corresponding to a plurality of domains, extracting a plurality of features based on the set of webpages, detecting parked domains based on the plurality of features using a machine learning model, and periodically applying automatic signature generation to detect a new pattern of parked domains without retraining the machine learning model.
Techniques for Cobalt Strike Beacon HTTPS C2 heuristic detection are disclosed. In some embodiments, a system/process/computer program product for Cobalt Strike Beacon HTTPS C2 heuristic detection includes monitoring HyperText Transfer Protocol Secure (HTTPS) network traffic at a firewall; prefiltering the monitored HTTPS network traffic at the firewall to select a subset of the HTTPS network traffic to forward to a cloud security service; determining whether the subset of the HTTPS network traffic is associated with Cobalt Strike Beacon HTTPS C2 traffic activity based on a plurality of heuristics; and performing an action in response to detecting the Cobalt Strike Beacon HTTPS C2 traffic activity.
Techniques for providing consistent monitoring and analytics for security insights for network and security functions for a security service are disclosed. In some embodiments, a system/process/computer program product for providing consistent monitoring and analytics for security insights for network and security functions for a security service includes receiving a flow at a software-defined wide area network (SD-WAN) device; inspecting the flow to determine whether the flow is associated with a split tunnel; and monitoring the flow at the SD-WAN device to collect security information associated with the flow for reporting to a security service.
Techniques for generating actionable indicators of compromise (IOCs) are disclosed. A set of potential sources for IOCs are received. One or more candidate IOCs are extracted from at least one source included in the set of potential sources. An actionable IOC is automatically identified from the one or more candidate IOCs. The actionable IOC is provided to a security enforcement service.
Techniques for packet classification for network routing are disclosed. In some embodiments, packet classification for network routing includes receiving packets associated with a new flow at a security controller from a network device, in which the network device performs packet forwarding; classifying the flow; and determining an action for the flow based on a policy (e.g., a security policy). In some embodiments, the network device is a Software Defined Network (SDN) network device (e.g., a packet forwarding device that supports the OpenFlow protocol or another protocol).
H04L 47/2441 - Traffic characterised by specific attributes, e.g. priority or QoS relying on flow classification, e.g. using integrated services [IntServ]
H04L 67/63 - Routing a service request depending on the request content or context
H04L 45/00 - Routing or path finding of packets in data switching networks
H04L 45/64 - Routing or path finding of packets in data switching networks using an overlay routing layer
A security appliance samples data about software defined infrastructures (SDIs) of a cloud computing environment to incrementally build models that map resource attributes indicated in fields to data types. The security appliance uses the model(s) to provide context sensitive help in policy rule constructions.
An asset attribution model attributes assets to organizations according to metadata about the assets retrieved by a network scanner and other metadata in association with the assets that is retrieved and stored in a repository. A data slice rules interface applies logical rules to query the repository to retrieve metadata for assets satisfying each logical rule to generate data slices. Each logical rule is constructed so that assets satisfying the rule have attributions to known organizations. The asset attribution model is evaluated for accuracy in predicting known attributed organizations along each data slice. Depending on the resulting accuracies, the asset attribution model either updates its architecture and is retrained or is deployed for asset attribution.
The present application discloses a method, system, and computer system for detecting malicious SQL or command injection strings. The method includes obtaining an SQL or command injection string and determining whether the command injection string is malicious based at least in part on a machine learning model.
The present application discloses a method, system, and computer system for detecting malicious files. The method includes obtaining network traffic, pre-filtering the network traffic based at least in part on a first set of features for traffic reduction, and using a detection model in connection with determining whether the filtered network traffic comprises malicious traffic, the detection model being based at least in part on a second set of features for malware detection.
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
41.
NETWORK ATTACK DETECTION WITH TARGETED FEATURE EXTRACTION FROM EXPLOIT TOOLS
Described herein are systems, methods, and software to enhance failover operations in a cloud computing environment. In one implementation, a method of operating a first service instance in a cloud computing environment includes obtaining a communication from a computing asset, wherein the communication comprises a first destination address. The method further provides replacing the first destination address with a second destination address in the communication, wherein the second destination address comprises a shared address for failover from a second service instance. After replacing the address, the method determines whether the communication is permitted based on the second destination address, and if permitted, processes the communication in accordance with a service executing on the service instance.
H04L 61/2517 - Translation of Internet protocol [IP] addresses using port numbers
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
H04L 67/10 - Protocols in which an application is distributed across nodes in the network
H04L 69/40 - Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass for recovering from a failure of a protocol instance or entity, e.g. service redundancy protocols, protocol state redundancy or protocol service redirection
G06F 11/20 - Error detection or correction of the data by redundancy in hardware using active fault-masking, e.g. by switching out faulty elements or by switching in spare elements
43.
Inline package name based supply chain attack detection and prevention
Inline package name based supply chain attack detection and prevention is disclosed. An indication that a client device has made a request to a remote server for a package is received. A data appliance then performs an action responsive to the received indication. In an example implementation, the data appliance makes a determination of whether the request for the package is associated with a nonexisting package.
In a network control plane, a pattern matching database is built and maintained for identifying an application or application level protocol. In addition, pattern matching databases for predicting a subsequent flow for application layer/level protocols or data protocols are built and maintained. After flow differentiation in network traffic mirrored from a data plane, the network traffic flow is scanned in a first stage and then in a second stage if a signaling protocol message is detected in the first stage scan. For the second stage, one of the application/data protocol pattern databases is selected for scanning based on the signaling protocol message detected in the first stage scanning. If a match is found from the stage 2 scanning, a mapping between the signaling protocol identifier and an identifier for a predicted application traffic flow is created and communicated to the data plane for policy selection and enforcement.
H04L 47/2408 - Traffic characterised by specific attributes, e.g. priority or QoS for supporting different services, e.g. a differentiated services [DiffServ] type of service
Techniques for 5G LAN security in mobile networks are disclosed. In some embodiments, a system/process/computer program product for 5G LAN security in mobile networks includes monitoring network traffic on a mobile network at a security platform to identify a new session; extracting a plurality of 5G LAN related parameters using an application programming interface (API) at the security platform; and enforcing a security policy on the new session at the security platform based on one or more of the plurality of 5G LAN related parameters to apply 5G LAN security in the mobile network.
At least initially blocking client download of certain content and injecting a user verification step for such downloads is disclosed. In some embodiments, a notification page with an option to accept a response from a server is provided to a client, an indication of user selection of the option to accept in the notification page is received from the client, and requested content received from the server is provided to the client. Injecting a user verification step via the notification page before providing requested content facilitates protecting the client from security threats.
Techniques for securing control and user plane separation in mobile networks (e.g., service provider networks for mobile subscribers, such as 4G/5G networks) are disclosed. In some embodiments, a system/process/computer program product for securing control and user plane separation in mobile networks includes monitoring network traffic on a mobile network at a security platform to identify a Packet Forwarding Control Protocol (PFCP) message associated with a new session, in which the mobile network is a 4G network or a 5G network; extracting a plurality of parameters from the PFCP message at the security platform; and enforcing a security policy at the security platform on the new session based on one or more of the plurality of parameters to secure control and user plane separation in the mobile network.
Techniques for fast policy matching with runtime signature update are disclosed. In some embodiments, a system/process/computer program product for fast policy matching with runtime signature update includes receiving a plurality of rules for malware signatures; compiling the plurality of rules for a fast policy matching engine that detects malware using the malware signatures; and executing the compiled plurality of rules using the fast policy matching engine to detect malware using at least one of the malware signatures.
G06F 21/55 - Detecting local intrusion or implementing counter-measures
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
Each tenant of a secure web gateway (SWG) is issued a secret key. A user accesses a unique secret key derived from the tenant's secret key and loads the secret key into an application which generates time-based one time passwords (TOTPs). When the SWG receives a connection request from a client and cannot decrypt the network traffic, the SWG challenges the client request and indicates an authentication scheme to be used. The client obtains user credentials, constructs a response to the challenge based on the authentication scheme, and issues a connection request to the SWG which indicates the response. The SWG determines an expected response based on a locally generated TOTP and the secret key of the corresponding tenant. If the expected response matches the provided response, the SWG authenticates the user, allows the connection request, and whitelists the client for a period longer than the lifetime of the TOTP.
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
H04L 67/02 - Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
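A worked example of the challenge/response flow in the secure web gateway abstract above, added here and not the product's own code: the gateway issues a challenge when it cannot decrypt the connection, the client answers with a value bound to the current TOTP, and the gateway recomputes the expected answer from the tenant secret and allow-lists the client for longer than one TOTP window. The TOTP is RFC 6238 (HMAC-SHA1, 30-second step); the per-user key derivation, the response format and the allow-list lifetime are assumptions of this example.

```python
"""Added example (not the product's own code): the TOTP challenge/response
flow described for the SWG. The per-user key derivation, the response binding
and the allow-list lifetime are assumptions of this example; the TOTP itself
is RFC 6238 (HMAC-SHA1, 30 s step)."""
import hashlib
import hmac
import secrets
import struct

TOTP_STEP = 30          # RFC 6238 default time step in seconds
ALLOWLIST_TTL = 3600    # assumed: client stays allow-listed well past one TOTP window


def derive_user_key(tenant_secret: bytes, user_id: str) -> bytes:
    """Per-user key derived from the tenant secret (assumed KDF: HMAC-SHA256).
    The tenant secret never leaves the SWG; the user loads only this key."""
    return hmac.new(tenant_secret, b"user:" + user_id.encode(), hashlib.sha256).digest()


def totp(key: bytes, now: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP = RFC 4226 HOTP over the time counter floor(now/step)."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def challenge_response(user_id: str, code: str, nonce: bytes) -> str:
    """Assumed response format: HMAC of user and current TOTP under the SWG
    nonce, so a captured response is useless against a different challenge."""
    return hmac.new(nonce, f"{user_id}:{code}".encode(), hashlib.sha256).hexdigest()


class SecureWebGateway:
    def __init__(self, tenant_secrets):
        self.tenant_secrets = tenant_secrets   # tenant id -> tenant secret bytes
        self.allowlist = {}                    # client ip -> allow-list expiry (epoch)

    def challenge(self, client_ip: str, now: int):
        """Return a challenge for an undecryptable connection, or None if the
        client authenticated recently and is still allow-listed."""
        if self.allowlist.get(client_ip, 0) > now:
            return None
        return {"scheme": "TOTP-HMAC-SHA256", "nonce": secrets.token_bytes(16)}

    def verify(self, tenant: str, user_id: str, client_ip: str,
               nonce: bytes, response: str, now: int, skew_steps: int = 1) -> bool:
        """Recompute the expected response locally and compare in constant time.
        One TOTP step of clock skew either way is tolerated (assumed policy)."""
        user_key = derive_user_key(self.tenant_secrets[tenant], user_id)
        for d in range(-skew_steps, skew_steps + 1):
            expected = challenge_response(user_id, totp(user_key, now + d * TOTP_STEP), nonce)
            if hmac.compare_digest(expected, response):
                self.allowlist[client_ip] = now + ALLOWLIST_TTL
                return True
        return False
```

Two details matter in practice: the comparison must be constant-time (hmac.compare_digest), and the allow-list entry is keyed on the client rather than on the TOTP, which is why the client can keep connecting after the 30-second code has expired without being re-challenged.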
A browser extension produces a single view comprising content of web pages of a target vendor requested by a customer and corresponding security information for the target vendor maintained for the customer. Fingerprints of the target vendor's web page URLs and web page elements corresponding to resources, respectively, are determined. As the web browser retrieves web pages and the customer selects web page elements that identify resources, the browser extension matches URLs and/or HTML/XML syntactic patterns of the retrieved web pages to the fingerprints to determine the security information to obtain from backend storage. The type/granularity of information that is retrieved can vary depending on the identified fingerprint match. The browser extension retrieves security information corresponding to fingerprints for which matches are identified, generates security overviews therefrom, and integrates the security overviews into the requested web pages to generate a consolidated, multi-perspective view.
Embodiments of the present application relate to a method for policy enforcement, a system for policy enforcement, and a computer program product for policy enforcement. A method for policy enforcement is provided. The method includes receiving a host information profile report from a client device, and enforcing a security policy for network access based on the host information profile report. The host information profile report includes device profile information associated with the client device.
The disclosure describes various aspects of crowdsourcing traffic data for automatic and dynamic benchmarking of applications. In an aspect, an intelligence layer, communicatively coupled to a data collection layer and a visualization layer, is configured to receive traffic data from data sources (e.g., physical appliances, probes) in the data collection layer, the data sources being associated with multiple customers, and the traffic data being associated with at least one application (e.g., word processing, video streaming) used by the multiple customers. The intelligence layer is a cloud-based layer further configured to process the traffic data to determine performance thresholds for the at least one application, and may send one or more of the performance thresholds to a data source for a different customer to be used for benchmarking the at least one application for the different customer.
A system has been designed that examines details of a security advisory against informal vulnerability records. The system generates a vulnerability match confidence value based on comparison of different details in the security advisory against the informal vulnerability records. Based on the comparisons, the system determines similarity of different details between the security advisory and the informal vulnerability records and cumulatively updates a vulnerability match confidence value with various detail similarity weights according to the determined similarities. Based on the vulnerability match confidence value, the system can classify or designate a security advisory for automatic merging or for manual examination. This reduces the burden on cybersecurity personnel and allows cybersecurity personnel to focus their limited resources on analyzing new vulnerabilities.
Techniques for automatically detecting unknown packers are disclosed. In some embodiments, a system/process/computer program product for automatically detecting unknown packers includes receiving a plurality of samples for malware packer detection analysis; performing a packer filter to determine whether each of the plurality of samples is packed; emulating each of the packed samples to extract a plurality of features; and clustering the packed samples based on the extracted features.
A resource database which stores structured data describing resources from a diverse array of origins (e.g., an application or cloud environment) is built and maintained to support querying, policy enforcement, and remediation of resources from any origin. Structured data representing resources are obtained from any origin for insertion and categorized based on their type and/or origin. Resources within a category have a shared set of potential object paths as defined by the hierarchical tree structure of their structured data. Resources may be correlated across categories based on having values at different object paths in common. Queries and rules/policies can thus reference resources of any category and also resources across different categories based on correlations between the resources, thereby extending rule/policy enforcement and incident remediation across multiple different origins of resources.
Dynamic content tags are generated as content is received by a dynamic content tagging system. A natural language processor (NLP) tokenizes the content and extracts contextual N-grams based on local or global context for the tokens in each document in the content. The contextual N-grams are used as input to a generative model that computes a weighted vector of likelihood values that each contextual N-gram corresponds to one of a set of unlabeled topics. A tag is generated for each unlabeled topic comprising the contextual N-gram having a highest likelihood to correspond to that unlabeled topic. Topic-based deep learning models having tag predictions below a threshold confidence level are retrained using the generated tags, and the retrained topic-based deep learning models dynamically tag the content.
Techniques for identifying and blocking domains used for NXNS-based distributed denial of service (DDoS) attacks are disclosed. An analysis of DNS data is performed to identify a candidate attack domain associated with an NXNS attack. The candidate attack domain is confirmed as a confirmed attack domain based at least in part on a validation.
A pseudo-active/active firewall configuration handles firewall switchover events with minimized session disconnection. A passive firewall is set to an active state, and an active firewall is switched to a pseudo-active state wherein it continues to process ingress and egress traffic according to traffic handling protocols for its active state. During updating of a corresponding Network Address Translation (NAT) table to route traffic to the now-active firewall, the pseudo-active firewall enters a forwarding state wherein it forwards ingress network sessions to the now-active firewall and processes the ingress network sessions according to its active state. The now-active firewall receives the ingress network sessions and records session states prior to discarding them. After updating the NAT table, when traffic is routed to the now-active firewall, the recorded session states are used to maintain active sessions.
Techniques for providing Internet of Things (IoT) security are disclosed. An applicable system includes profiling IoT devices to limit the number of network signatures applicable to the IoT devices and performing pattern matching using a pattern that is appropriate for the profile of a given IoT device.
A pseudo-active/active firewall configuration handles firewall switchover events without traffic disruption. A passive firewall is set to an active state, and an active firewall is switched to a pseudo-active state wherein it continues to process ingress and egress traffic according to traffic handling protocols for its active state. An Internet protocol address binding linking the now pseudo-active firewall to an Internet gateway that forwards traffic to the firewalls is updated in a network address translation (NAT) table to route traffic to the newly active firewall. Once a pseudo-active timer expires and the binding is successfully updated to route traffic to the newly active firewall, the pseudo-active firewall is set to a passive state.
A system and method for locating DGA compromised IP addresses is provided. A domain name system (DNS) stream is received. The DNS stream is classified into DGA generated domains using a machine learning classifier to generate a classification output. User behavior profiling is performed to enhance the classification output. A verdict is generated based on the user behavior profiling of the classification output including identifying a compromised source IP address associated with a detected DGA malware attack.
42 - Scientific, technological and industrial services, research and design
Goods & Services
Software as a service (SAAS) services featuring software using artificial intelligence for the monitoring of computer systems for security purposes, namely, for detecting, analyzing, preventing, and responding to threats of unauthorized access, data breaches, security violations, phishing attacks, ransomware, security vulnerabilities, and malware
66.
CONTENT-BASED DEEP LEARNING FOR INLINE PHISHING DETECTION
An inline and offline machine learning pipeline for detection of phishing attacks with a holistic, easily upgradeable framework is presented herein. A packet analyzer records capture logs of network traffic between an endpoint device and a firewall. A parser extracts inputs from the capture logs inline that it communicates to one of an inline model and an offline model for phishing detection. The inline model and offline model are neural networks with parallelizable network architectures that do not depend on handcrafted inputs. The inline model operates inline with the packet analyzer and parser and makes fast phishing attack classifications based on inputs generated from capture logs. The offline model uses additional inputs such as inputs generated from network logs to make phishing attack classifications.
Techniques for application identification for phishing detection are disclosed. In some embodiments, a system/process/computer program product for application identification for phishing detection includes monitoring network activity associated with a session to detect a request to access a site; determining advanced application identification associated with the site; and identifying the site as a phishing site based on the advanced application identification.
A URL categorization query is received. The URL categorization query includes at least one URL. The URL is used to determine a set of data distribution keys. A distributed key-value data store is queried using at least one data distribution key included in the determined set of data distribution keys. Categorization information is returned. The returned URL categorization information can be used to enforce policies.
Adaptive pooling layers for compressing variably sized inputs use window sizes and stride lengths specific to variable input size and fixed output size at the pooling layer. A naïve and an optimal adaptive pooling algorithm disclosed herein determine window size and stride length for variable sized inputs while minimizing window size and ensuring no padding is used in the output representation. These adaptive pooling algorithms are implemented in a pipeline for text document classification involving a natural language processor that generates embedding vectors for variably sized text documents and at least one of the adaptive pooling algorithms at a first adaptive pooling layer of a classification neural network to process the embedding vectors.
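A worked example of the constraint stated in the abstract above (one window size and stride per input length, output of fixed length, no padding), added here and not the patent's own algorithm. The fixed-window construction below (stride = floor(n/m), window = n - stride*(m-1)) is one assumed way to satisfy that constraint; the variable-window formulation beside it is the conventional adaptive-pooling index rule and is included for comparison. Input rows stand in for the embedding vectors of a variable-length document.

```python
"""Added example (not the patent's algorithm): adaptive pooling window/stride
selection for a variable input length n and a fixed output length m, with no
padding. The fixed-window rule is an assumption that meets the stated
constraint; variable_windows is the conventional adaptive-pooling index rule."""


def fixed_window_pooling_params(n: int, m: int):
    """One (window, stride) pair such that m windows exactly cover n positions."""
    if m < 1 or m > n:
        raise ValueError("output length must be between 1 and the input length (no padding)")
    stride = n // m
    window = n - stride * (m - 1)   # last window ends exactly at n
    return window, stride


def fixed_windows(n: int, m: int):
    w, s = fixed_window_pooling_params(n, m)
    return [(i * s, i * s + w) for i in range(m)]


def variable_windows(n: int, m: int):
    """Conventional adaptive pooling: start = floor(i*n/m), end = ceil((i+1)*n/m)."""
    return [((i * n) // m, -((-(i + 1) * n) // m)) for i in range(m)]


def adaptive_max_pool(rows, m: int, windows=fixed_windows):
    """Max-pool a list of n embedding rows (each a list of d floats) down to m rows."""
    n, d = len(rows), len(rows[0])
    pooled = []
    for a, b in windows(n, m):
        pooled.append([max(r[j] for r in rows[a:b]) for j in range(d)])
    return pooled


if __name__ == "__main__":
    # Constructed input: 10 "token embeddings" of dimension 2 pooled to 3 rows.
    rows = [[float(i), float(-i)] for i in range(10)]
    print(fixed_windows(10, 3), adaptive_max_pool(rows, 3))
```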
Execution of an application in an application-level sandbox is disclosed. A request to launch an application is received by an operating system executing on a device. A determination is made that a stored copy of the application should be executed within an application-level sandbox. The stored copy of the application is executed in the application-level sandbox.
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
G06F 21/14 - Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation
G06F 21/55 - Detecting local intrusion or implementing counter-measures
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
The present application discloses a method, system, and computer system for detecting malicious .NET files. The method includes receiving a sample that comprises a .NET file, obtaining information pertaining to common language runtime (CLR) metadata and streams associated with the .NET file, and determining whether the sample is malware based at least in part on (i) a classifier, and (ii) the information pertaining to the CLR metadata and streams.
The detection of phishing Portable Document Format (PDF) files using an image-based deep learning approach is disclosed. A PDF document that includes a Uniform Resource Locator (URL) is received. A likelihood that the received PDF document represents a phishing threat is determined, at least in part, by using an image based model. A verdict for the PDF document is provided as output based at least in part on the determined likelihood.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
74.
MALWARE DETECTION FOR DOCUMENTS WITH DEEP MUTUAL LEARNING
The detection of malicious documents using deep mutual learning is disclosed. A document is received for maliciousness determination. A likelihood that the received document represents a threat is determined. The determination is made, at least in part, using a raw bytes model that was trained, at least in part, using a mutual learning process in conjunction with training an image based model. A verdict for the document is provided as output based at least in part on the determined likelihood.
Low variance clustering models and high variance clustering models comprising low and high variance features of user Software as a Service application traffic detect anomalous user behavior and, when risk thresholds are exceeded, trigger behavioral alerts. The low and high variance clustering models are trained with feature vectors that are dimension reduced using principal component analysis and clusters therein are classified as normal, benign, or malicious. Models are trained repeatedly in a sliding time window of training data to detect recent and potentially malicious user behavior. Behavioral alerts are triggered according to criterion specific to each of the low and high variance clustering models that account for increased risk associated with anomalous changes in low variance features.
Malware signature generation through combination rule mining is disclosed. A set of properties associated, collectively, with a plurality of data samples is received. A first data sample has a first set of properties and a second data sample has a second set of properties. A combination signature comprising at least a first property included in the first set of properties and a second property included in the second set of properties is generated.
The detection of malicious documents using knowledge distillation assisted learning is disclosed. A document is received for maliciousness determination. A likelihood that the received document represents a threat is determined. The determination is made, at least in part, using a raw bytes model that was trained, at least in part, using image model prediction probabilities. A verdict for the document is provided as output based at least in part on the determined likelihood.
An auto scale monitoring service performs load balancing on a cloud firewall with minimized traffic disruption using eager and lazy load balancing protocols. The auto scale monitoring service operates through an orchestrator that initializes a new firewall and sends forwarding instructions to the new firewall for rerouting excess traffic. The auto scale monitoring service additionally operates through a software defined wide area network controller that sends routing instructions to a local branch of network devices to reroute to the new firewall from an overloaded current firewall. The eager protocol immediately tears down a tunneling session from the local branch to the current firewall, and the lazy protocol gradually tears down this tunneling session. Both protocols properly inform firewalls how to forward ongoing traffic in each case and establish updated traffic flow through a tunneling session from the local branch to the new firewall.
Detection of algorithmically generated domains is disclosed. A DNS query is received. Markov Chain analysis is performed on a domain included in the received query. A determination of whether the received query implicates an algorithmically generated domain is made based at least in part on a result of the Markov Chain analysis.
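A worked example of the Markov chain approach in the abstract above, added here and not the patent's own model: character-bigram transition probabilities are estimated from benign domain labels, and a queried domain is scored by the mean log-likelihood of its transitions; randomly generated labels produce rare transitions and score low. The training list, smoothing and threshold are constructed for this example and are far smaller than a production corpus.

```python
"""Added example (not the patent's model): a character-bigram Markov chain
scores the registrable label of a queried domain; low mean log-likelihood
indicates an algorithmically generated name. Training list, smoothing constant
and threshold are constructed for this example."""
import math
from collections import defaultdict

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"   # legal hostname characters
START, END = "^", "$"                                 # sentinel symbols


def registrable_label(domain: str) -> str:
    """Return the label left of the TLD (assumed: last label is the public suffix),
    which is where a DGA puts its randomness."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


class BigramModel:
    def __init__(self, alpha: float = 0.5):
        self.alpha = alpha                                  # additive smoothing
        self.counts = defaultdict(lambda: defaultdict(int))  # prev -> next -> count

    def train(self, labels):
        for label in labels:
            s = START + label + END
            for a, b in zip(s, s[1:]):
                self.counts[a][b] += 1

    def log_prob(self, a: str, b: str) -> float:
        row = self.counts.get(a, {})
        total = sum(row.values())
        vocab = len(ALPHABET) + 1      # any legal character or END may follow
        return math.log((row.get(b, 0) + self.alpha) / (total + self.alpha * vocab))

    def score(self, label: str) -> float:
        """Mean per-transition log-likelihood; closer to 0 means more natural."""
        s = START + label + END
        lps = [self.log_prob(a, b) for a, b in zip(s, s[1:])]
        return sum(lps) / len(lps)


# Constructed benign training labels (a real model trains on millions).
BENIGN = ["google", "facebook", "amazon", "wikipedia", "microsoft", "github",
          "stackoverflow", "netflix", "twitter", "linkedin", "apple", "youtube",
          "reddit", "instagram", "paypal", "dropbox", "salesforce", "cloudflare",
          "mozilla", "python", "ubuntu", "debian", "openssl", "wordpress"]


def build_model() -> BigramModel:
    model = BigramModel()
    model.train(BENIGN)
    return model


def is_dga(domain: str, model: BigramModel, threshold: float = -3.3) -> bool:
    """Flag a DNS query name whose registrable label scores below the threshold
    (threshold is tuned on the training data; -3.3 fits this toy corpus)."""
    return model.score(registrable_label(domain)) < threshold
```

A per-character score rather than a total is what keeps long benign names from being penalized for length; the remaining weakness, dictionary-based DGAs that concatenate real words, needs the per-domain dictionary classifier described in the next abstract rather than a character model.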
A system and method for detecting dictionary-based DGA traffic is provided. A domain name system (DNS) stream is received. The DNS stream is classified using a per domain dictionary domain generation algorithm (DGA) classifier to generate candidate dictionary DGA domains with cluster information. The candidate dictionary DGA domains are filtered to generate a set of dictionary DGA domains. An action is performed based on a match with a monitored domain name of a monitored DNS request and a dictionary DGA domain of the set of dictionary DGA domains.
Domain Name System (DNS) security using process information is provided. An application accessing an internet service using a domain name is determined. Process information associated with the application along with an associated DNS query to identify an IP address associated with the domain name are identified. The process information and the associated DNS query to a DNS security service are sent. An action based on a response from the DNS security service is performed.
The present application discloses a method, system, and computer system for detecting malicious files. The method includes executing a sample in a virtual environment, and determining whether the sample is malware based at least in part on memory-use artifacts obtained in connection with execution of the sample in the virtual environment.
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
83.
Preventing ransomware from encrypting files on a target machine
Techniques for preventing ransomware from encrypting files on a target machine are disclosed. In some embodiments, a system/process/computer program product for preventing ransomware from encrypting files on a target machine includes monitoring file system activities on a computing device; detecting an unauthorized activity associated with a honeypot file or honeypot folder; and performing an action based on a policy in response to the unauthorized activity associated with the honeypot file or honeypot folder.
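A worked example of the honeypot-file approach in the abstract above, added here and not the product's own agent: canary files are planted, fingerprinted, and any modification, rename or deletion is reported and answered according to a policy. The file names, the polling check and the response actions are constructed assumptions; a real endpoint agent hooks file system operations (for example a minifilter on Windows or fanotify on Linux) and suspends the offending process instead of polling.

```python
"""Added example (not the product's own code): honeypot files watched for
tampering. Names, the polling check and the response actions are constructed
assumptions; a real agent intercepts file system calls rather than polling."""
import hashlib
import os
import tempfile


def _fingerprint(path: str):
    """(exists, size, sha256): rename/delete, truncation and rewrite all register."""
    if not os.path.exists(path):
        return (False, 0, "")
    with open(path, "rb") as f:
        data = f.read()
    return (True, len(data), hashlib.sha256(data).hexdigest())


class HoneypotMonitor:
    def __init__(self, root: str, names=("~$budget.xlsx", "passwords.txt")):
        # Assumed names: sort early and look valuable, since ransomware tends to
        # enumerate a directory and encrypt everything it can open.
        self.paths = [os.path.join(root, n) for n in names]
        for p in self.paths:
            with open(p, "wb") as f:
                f.write(b"canary:" + os.urandom(32).hex().encode())
        self.baseline = {p: _fingerprint(p) for p in self.paths}
        self.events = []

    def check(self):
        """Compare each honeypot with its baseline; return (kind, path) violations."""
        violations = []
        for p, base in self.baseline.items():
            cur = _fingerprint(p)
            if cur != base:
                kind = "modified" if cur[0] else "deleted_or_renamed"
                violations.append((kind, p))
        return violations

    def respond(self, violations, policy: str = "alert"):
        """Policy-driven action (assumed policies: 'alert' or 'block')."""
        action = {"alert": "alert", "block": "alert+suspend_process"}[policy]
        actions = [{"event": kind, "path": p, "action": action} for kind, p in violations]
        self.events.extend(actions)
        return actions


def simulate_ransomware(root: str, monitor: HoneypotMonitor):
    """Constructed attacker behaviour: overwrite one canary, rename another."""
    a, b = monitor.paths
    with open(a, "wb") as f:
        f.write(b"\x00" * 64)          # stand-in for ciphertext
    os.rename(b, b + ".locked")
    return monitor.respond(monitor.check(), policy="block")


def demo():
    """Stand-alone run: a clean baseline, then the simulated attack trips both canaries."""
    root = tempfile.mkdtemp(prefix="honeypot-demo-")
    monitor = HoneypotMonitor(root)
    clean = monitor.check()
    actions = simulate_ransomware(root, monitor)
    return clean, actions


if __name__ == "__main__":
    print(demo())
```

The point of checking existence and content together is that different ransomware families leave different traces: some encrypt in place, some write a new file and delete the original, and some only rename; a monitor keyed on content hashes alone would miss the last two.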
A geofencing service establishes an initial geofence for monitoring devices connected to a cellular network. Upon receipt of a notification generated and transmitted by a device that crossed the geofence, the service determines a difference in location of the device at the times of notification generation and transmission based on coordinates included in the notification. A difference in location that satisfies a criterion indicates that the geofence corresponds to a geographic location with poor cellular network connectivity. The service modifies the geofence radius based on available signal strength data and enforces the resulting modified geofence. After this first radius modification, the service determines quality of network connectivity at geographic locations corresponding to internally tracked "shadow" geofences and modifies the geofence radius if device coordinates indicate that a shadow geofence corresponds to an area with sufficient connectivity. Geofence radius modification is ongoing until the geofence is returned to its initial configuration.
Automatic generation of a malware signature is disclosed. Code of a sample including packages and function names is parsed. Standard type packages and vendor type packages are filtered from the code of the sample to obtain main type packages. A signature using a fuzzy hash for the sample is generated based on the main type packages. A determination of whether the sample is malware is performed using the signature and a similarity score threshold.
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
Techniques for Cobalt Strike Beacon HTTP C2 heuristic detection are disclosed. In some embodiments, a system/process/computer program product for Cobalt Strike Beacon HTTP C2 heuristic detection includes monitoring HyperText Transfer Protocol (HTTP) network traffic at a firewall; prefiltering the monitored HTTP network traffic at the firewall to select a subset of the HTTP network traffic to forward to a cloud security service; determining whether the subset of the HTTP network traffic is associated with Cobalt Strike Beacon HTTP C2 traffic activity based on a plurality of heuristics; and performing an action in response to detecting the Cobalt Strike Beacon HTTP C2 traffic activity.
G06F 9/00 - Arrangements for program control, e.g. control units
G06F 15/16 - Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
G06F 17/00 - Digital computing or data processing equipment or methods, specially adapted for specific functions
A geofencing service establishes an initial geofence for monitoring devices connected to a cellular network. Upon receipt of a notification generated and transmitted by a device that crossed the geofence, the service determines a difference in location of the device at the times of notification generation and transmission based on coordinates included in the notification. A difference in location that satisfies a criterion indicates that the geofence corresponds to a geographic location with poor cellular network connectivity. The service modifies the geofence radius based on available signal strength data and enforces the resulting modified geofence. After this first radius modification, the service determines quality of network connectivity at geographic locations corresponding to internally tracked “shadow” geofences and modifies the geofence radius if device coordinates indicate that a shadow geofence corresponds to an area with sufficient connectivity. Geofence radius modification is ongoing until the geofence is returned to its initial configuration.
G01S 5/00 - Position-fixing by co-ordinating two or more direction or position-line determinations; Position-fixing by co-ordinating two or more distance determinations
88.
Securely publishing applications from private networks
A controller can securely publish an application of a tenant by securely extending a network fabric into the networks of the tenant with virtual private networks and NAT. After a tenant deploys an application into one or more networks of the tenant, the tenant can indicate select applications to publish. The network controller assigns a network address from the routable address space of the network fabric to the application and a network address aggregate to each application connector that will front an instance of the application, which securely extends the network fabric into the tenant network. The network controller configures NAT rules in the network fabric and on the application connector to create a route for traffic of the application through the network fabric to the application instance using a fully qualified domain name assigned to the application, without exposing a private network address of the application instance and while preserving the security of other resources on the tenant network.
42 - Scientific, technological and industrial services, research and design
Goods & Services
Cloud-native application protection platform for an early threat detection and prevention system to ensure security, visibility, and control throughout the entire application life cycle process, including securing code, infrastructure, workloads, data, networks, cloud identities, web applications, and application programming interfaces across cloud-native environments, under a single unified user interface
90.
Context-based security over interfaces in O-RAN environments in mobile networks
Techniques for applying context-based security over interfaces in O-RAN environments in mobile networks are disclosed. In some embodiments, a system/process/computer program product for applying context-based security over interfaces in O-RAN environments in mobile networks includes monitoring network traffic on a mobile network at a security platform to identify a GTP-U tunnel session setup message associated with a new session; extracting a plurality of parameters from the GTP-U tunnel session setup message and from F1AP traffic to extract contextual information at the security platform; and enforcing a security policy at the security platform on the new session based on one or more of the plurality of parameters to apply context-based security to the network traffic transported between O-RAN Distributed Unit (O-DU) and O-RAN Centralized Unit Control Plane (O-CU-CP) nodes in an O-RAN environment in the mobile network.
Techniques for detecting malicious activity on an endpoint based on real-time system events are disclosed. In some embodiments, a system/process/computer program product for detecting malicious activity on an endpoint based on real-time system events includes monitoring an endpoint for malicious activity using an endpoint agent, in which the endpoint comprises a local device; detecting malicious activity associated with an application on the endpoint based on real-time system events using the endpoint agent based on a set of rules; and in response to detecting malicious activity on the endpoint based on real-time system events using the endpoint agent, performing a security response based on a security policy.
Techniques for enforcing policy on multiple levels are disclosed. A multi-level policy includes at least one policy at a low level of abstraction and at least one policy at a high level of abstraction. An Internet of Things (IoT) device is discovered on a network. The IoT device is classified. The set of multi-level policies is applied to the IoT device based on the classification of the IoT device.
H04L 41/0631 - Management of faults, events, alarms or notifications using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]
93.
Context-based security over interfaces in NG-RAN environments in mobile networks
Techniques for applying context-based security over interfaces in NG-RAN environments in mobile networks are disclosed. In some embodiments, a system/process/computer program product for applying context-based security over interfaces in NG-RAN environments in mobile networks includes monitoring network traffic on a mobile network at a security platform to identify a GTP-U tunnel session setup message associated with a new session; extracting a plurality of parameters from the GTP-U tunnel session setup message and from XnAP traffic to extract contextual information at the security platform; and enforcing a security policy at the security platform on the new session based on one or more of the plurality of parameters to apply context-based security to the network traffic transported between NG-RAN nodes in an NG-RAN environment in the mobile network.
Techniques for applying context-based security over interfaces in O-RAN environments in mobile networks are disclosed. In some embodiments, a system/process/computer program product for applying context-based security over interfaces in O-RAN environments in mobile networks includes monitoring network traffic on a mobile network at a security platform to identify a GTP-U tunnel session setup message associated with a new session; extracting a plurality of parameters from the GTP-U tunnel session setup message and from F1AP traffic to extract contextual information at the security platform; and enforcing a security policy at the security platform on the new session based on one or more of the plurality of parameters to apply context-based security to the network traffic transported between O-RAN Distributed Unit (O-DU) and O-RAN Centralized Unit Control Plane (O-CU-CP) nodes in an O-RAN environment in the mobile network. Techniques for applying context-based security over interfaces in NG-RAN environments in mobile networks are also disclosed. In some embodiments, a system/process/computer program product for applying context-based security over interfaces in NG-RAN environments in mobile networks includes monitoring network traffic on a mobile network at a security platform to identify a GTP-U tunnel session setup message associated with a new session; extracting a plurality of parameters from the GTP-U tunnel session setup message and from XnAP traffic to extract contextual information at the security platform; and enforcing a security policy at the security platform on the new session based on one or more of the plurality of parameters to apply context-based security to the network traffic transported between NG-RAN nodes in an NG-RAN environment in the mobile network.
A set of metadata associated with a plurality of samples is received. The samples are clustered. For members of a first cluster, a set of similarities shared among at least a portion of the members of the first cluster is determined. An outlier cluster member is identified within the first cluster, and in response, additional analysis is caused to be performed on the outlier cluster member.
A service prevents attacks carried out through container escape for silo-based containers. A callback is registered for one or more functions that may be invoked from inside a container and return one or more object handles. The callback, when triggered by invocation of such a function, executes to determine whether requests for access to objects via their handles are issued by suspicious processes. Access to CExecSvc.exe is restricted for processes that request a handle for CExecSvc.exe and are determined to be associated with a container themselves. Processes that escape their container through a technique that evades detection are also blocked from accessing the host system. When a process requests access to an object via invocation of a function that returns a handle, the callback executes to determine whether the process, but not the requested object, is associated with a container, in which case the service restricts the process's access to the host system.
G06F 21/55 - Detecting local intrusion or implementing counter-measures
G06F 21/52 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure
97.
AUTOMATED GENERATION OF BEHAVIORAL SIGNATURES FOR MALICIOUS WEB CAMPAIGNS
Techniques for automated generation of behavioral signatures for malicious web campaigns are disclosed. In some embodiments, a system/process/computer program product for automated generation of behavioral signatures for malicious web campaigns includes crawling a plurality of web sites associated with a malware campaign; determining discriminating repeating attributes (e.g., behavior related attributes, which can be determined using dynamic analysis, and static related attributes, which can be determined using static analysis) as malware campaign related footprint patterns, wherein the discriminating repeating attributes are not associated with benign web sites; and automatically generating a human-interpretable malware campaign signature based on the malware campaign related footprint patterns.
Techniques for process privilege escalation protection in a computing environment are disclosed. For example, the disclosure describes a system/process/computer program product for process privilege escalation protection in a computing environment that includes monitoring a process executed on a computing device, detecting an unauthorized change in a token value associated with the process, and performing an action based on a policy (e.g., a kernel protection security policy/rule(s), which can include a whitelisted set of processes and/or configured actions/responses to perform for other/non-whitelisted processes) in response to an unauthorized change in the token value associated with the process.
G06F 21/54 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by adding security routines or objects to programs
Techniques for distributed offload leveraging different offload devices are disclosed. In some embodiments, a system, process, and/or computer program product for distributed offload leveraging different offload devices includes receiving a flow at a firewall of a security service (e.g., a cloud-based security service); inspecting the flow at the firewall to determine meta information associated with the flow; and offloading the flow to an offload entity (e.g., a SmartNIC, software executed on a Network Interface Card (NIC), and/or a network device, such as a network router and/or network switch) based on the meta information associated with the flow (e.g., an application identification associated with the flow determined using deep packet inspection) and based on a policy.
An access point service configures and manages a multi-enterprise wireless network in public settings. During network profile setup for a client connecting to an enterprise-issued access point (e.g., in a home environment), the service determines network information unique to the client and an authentication server associated with the enterprise to which the client is to authenticate for 802.1X authentication and stores the client network information and an indication of the authentication server in a cloud database. For access points in a public setting, upon detection of an association request by a client, the service determines network information that identifies the client and performs a lookup of the cloud database with the network information to determine to which of the recognized authentication servers to forward authentication messages transmitted by the client. If the result of the lookup does not indicate an authentication server, the connection is terminated.