Sophos Limited

United Kingdom

Patents: 1-100 of 370 for Sophos Limited (United States - USPTO, excluding subsidiaries)

Date
  • New (last 4 weeks): 17
  • 2024 April (MTD): 13
  • 2024 March: 5
  • 2024 February: 6
  • 2024 January: 1

IPC Class
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol: 169
  • H04L 9/40 - Network security protocols: 110
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements: 101
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures: 76
  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system: 50

Status
  • Pending: 103
  • Registered / In Force: 267

1.

DYNAMIC ROUTING OF APPLICATION TRAFFIC TO ZTNA CONNECTORS

Application Number 18090025
Status Pending
Filing Date 2022-12-28
First Publication Date 2024-04-18
Owner Sophos Limited (United Kingdom)
Inventor
  • Andrews, Robert Paul
  • Obulareddy, Venkata Suresh Reddy
  • Katyal, Amit
  • Rajendran, Thiyagu

Abstract

A cloud computing platform provides zero trust network access as a service to customers that maintain applications on-premises, and a zero trust network access appliance at the customer premises that couples the on-premises applications to the cloud computing platform. A customer may host multiple instances of the appliance in order to support scalable access, where each instance creates a separate secure tunnel to the cloud computing platform. In this context, when a new appliance authenticates a new secure tunnel, information such as a connector name, customer, and port for the tunnel may be shared on a control plane for the computing platform to facilitate programmatic load balancing within the cloud computing platform.

2.

HYBRID APPLIANCE FOR ZERO TRUST NETWORK ACCESS TO CUSTOMER APPLICATIONS

Application Number 18090009
Status Pending
Filing Date 2022-12-28
First Publication Date 2024-04-18
Owner Sophos Limited (United Kingdom)
Inventor
  • Andrews, Robert Paul
  • Kaimal, Biju Ramachandra
  • Gupta, Nitin
  • Katyal, Amit

Abstract

A zero trust network access appliance deployed at a customer premises can support gateway and cloud modes. In a gateway mode, the appliance operates as a zero trust network access gateway, and provides zero trust network access to applications hosted at the customer premises, using a firewall at the customer premises for network security. In the cloud mode, the appliance initiates a secure connection with a remote, cloud computing platform that provides a front end for zero trust network access. A threat management facility for the customer provides a control plane for managing zero trust network access provided through the cloud computing platform.

3.

ALIAS DOMAINS FOR ACCESSING ZTNA APPLICATIONS

Application Number 18089997
Status Pending
Filing Date 2022-12-28
First Publication Date 2024-04-18
Owner Sophos Limited (United Kingdom)
Inventor
  • Andrews, Robert Paul
  • Obulareddy, Venkata Suresh Reddy
  • A R, Harsha
  • Patel, Neha Parshottam

Abstract

A cloud computing platform provides zero trust network access as a service to customers that maintain applications on-premises. In this context, the cloud computing platform may associate customers and/or applications with specific service proxies, and add an abstraction layer for network access that maps an alias domain for each customer and/or application to a network load balancer associated with the specific service proxies associated with the corresponding application(s). This approach advantageously simplifies the configuration of service proxies at the cloud computing platform by permitting dedicated relationships among network load balancers, specific service proxies, and specific applications, while concurrently reducing or avoiding the administrative burden on customers of updating network pointers when the clusters of service proxies are periodically reconfigured to adjust to varying user traffic.

IPC Classes

  • H04L 9/40 - Network security protocols
  • H04L 41/12 - Discovery or management of network topologies
  • H04L 67/1036 - Load balancing of requests to servers for services different from user content provisioning, e.g. load balancing across domain name servers

4.

DOMAIN OWNERSHIP VERIFICATION FOR A ZTNA SERVICE PLATFORM

Application Number 18089967
Status Pending
Filing Date 2022-12-28
First Publication Date 2024-04-18
Owner Sophos Limited (United Kingdom)
Inventor
  • Obulareddy, Venkata Suresh Reddy
  • Gupta, Prashil Rakeshkumar
  • Maheve, Sanjeev Kumar

Abstract

A cloud computing platform provides zero trust network access as a service to a customer that maintains an application on-premises. In this context, the customer may be required to demonstrate ownership of a domain before the cloud computing platform will provide access to the on-premises application via the domain.

5.

VALIDATION OF ZTNA CONFIGURATION FOR A MULTI-TENANT PROXY ENVIRONMENT

Application Number 18089946
Status Pending
Filing Date 2022-12-28
First Publication Date 2024-04-18
Owner Sophos Limited (United Kingdom)
Inventor
  • Andrews, Robert Paul
  • Katyal, Amit
  • Rajendran, Thiyagu

Abstract

A cloud-based platform for zero trust network access (ZTNA) services provides zero trust network access as a service for multiple customers in a multi-tenant architecture. In this context, the configuration for a new ZTNA application is validated with a service proxy in a sandbox or similar environment before release by the cloud-based platform for access through a public network. As a significant advantage, this approach mitigates inadvertent conflicts or instability in a service proxy that supports other applications and customers.

IPC Classes

  • G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
  • G06F 21/64 - Protecting data integrity, e.g. using checksums, certificates or signatures

6.

CLOUD-BASED ZERO TRUST NETWORK ACCESS SERVICE

Application Number 18089930
Status Pending
Filing Date 2022-12-28
First Publication Date 2024-04-18
Owner Sophos Limited (United Kingdom)
Inventor
  • Andrews, Robert Paul
  • Kaimal, Biju Ramachandra
  • Obulareddy, Venkata Suresh Reddy

Abstract

Infrastructure for zero trust network access (ZTNA) is deployed as a cloud-based service remotely from a customer premises where user applications are hosted. By connecting an appliance on the customer premises to the cloud-based service through a secure tunnel or the like, an application hosted on the customer premises can then be accessed externally as a ZTNA application without the customer premises opening a firewall to public networks or otherwise exposing potential attack surfaces to the customer premises.

7.

SCALING TUNNELS FOR ZERO TRUST NETWORK ACCESS APPLIANCES

Application Number 18090041
Status Pending
Filing Date 2022-12-28
First Publication Date 2024-04-18
Owner Sophos Limited (United Kingdom)
Inventor
  • Obulareddy, Venkata Suresh Reddy
  • Semsu, Nabil

Abstract

A cloud computing platform provides zero trust network access as a service to customers that maintain applications on-premises, and a zero trust network access appliance at the customer premises that couples the on-premises applications to the cloud computing platform. In this context, the number of secure tunnels maintained for an application between the customer premises and the cloud computing platform may be dynamically managed to support variations in user demand for the application.

IPC Classes

  • H04L 9/40 - Network security protocols
  • H04L 67/1008 - Server selection for load balancing based on parameters of servers, e.g. available memory or workload

8.

AUGMENTED SECURITY RECOGNITION TASKS

Application Number 18323607
Status Pending
Filing Date 2023-05-25
First Publication Date 2024-04-18
Owner Sophos Limited (United Kingdom)
Inventor
  • Harang, Richard Edward
  • Rudd, Ethan Mcavoy
  • Berlin, Konstantin
  • Wild, Cody Marie
  • Ducau, Felipe Nicolás

Abstract

A system for conducting a security recognition task, the system comprising a memory configured to store a model and training data including auxiliary information that will not be available as input to the model when the model is used as a security recognition task model for the security recognition task. The system further comprising one or more processors communicably linked to the memory and comprising a training unit and a prediction unit. The training unit is configured to receive the training data and the model from the memory and subsequently provide the training data to the model, and train the model, as the security recognition task model, using the training data to predict the auxiliary information as well as to perform the security recognition task, thereby improving performance of the security recognition task. The prediction unit is configured to use the security recognition task model output to perform the security recognition task while ignoring the auxiliary attributes in the model output.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06N 3/045 - Combinations of networks
  • G06N 3/08 - Learning methods

9.

METHODS AND APPARATUS FOR DETECTION OF MALICIOUS DOCUMENTS USING MACHINE LEARNING

Application Number 18483795
Status Pending
Filing Date 2023-10-10
First Publication Date 2024-04-11
Owner Sophos Limited (United Kingdom)
Inventor
  • Saxe, Joshua Daniel
  • Rudd, Ethan M.
  • Harang, Richard

Abstract

An apparatus for detecting malicious files includes a memory and a processor communicatively coupled to the memory. The processor receives multiple potentially malicious files. A first potentially malicious file has a first file format, and a second potentially malicious file has a second file format different than the first file format. The processor extracts a first set of strings from the first potentially malicious file, and extracts a second set of strings from the second potentially malicious file. First and second feature vectors are defined based on lengths of each string from the associated set of strings. The processor provides the first feature vector as an input to a machine learning model to produce a maliciousness classification of the first potentially malicious file, and provides the second feature vector as an input to the machine learning model to produce a maliciousness classification of the second potentially malicious file.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 18/214 - Generating training patterns; Bootstrap methods, e.g. bagging or boosting
  • G06F 18/24 - Classification techniques
  • G06N 3/04 - Architecture, e.g. interconnection topology
  • G06N 3/045 - Combinations of networks
  • G06N 5/01 - Dynamic search techniques; Heuristics; Dynamic trees; Branch-and-bound
  • G06N 20/20 - Ensemble learning

10.

Systems and methods for implementing policy changes in multi-tenant environments

Application Number 18089479
Grant Number 11956124
Status In Force
Filing Date 2022-12-27
First Publication Date 2024-04-09
Grant Date 2024-04-09
Owner Sophos Limited (United Kingdom)
Inventor
  • Gupta, Prashil Rakeshkumar
  • Katyal, Amit

Abstract

In one or more embodiments, an apparatus includes one or more memories and one or more processors operatively coupled to the one or more memories. The one or more processors is configured to receive a policy bundle associated with at least one tenant from a plurality of tenants, determine a policy change associated with a change between the policy bundle and a tenant policy, the policy change associated with a load value, subscribe an administration client to an administration layer server based on the tenant policy, transmit the policy change to the administration layer client, implement the policy change into an agent associated with the administration layer client, determine a system load status based on a plurality of administration layer clients and the load value, and responsive to determining the system load status exceeds a predetermined threshold, generate at least one agent associated with the at least one tenant.

IPC Classes

  • G06F 15/177 - Initialisation or configuration control
  • H04L 41/085 - Retrieval of network configuration; Tracking network configuration history
  • H04L 41/0894 - Policy-based network configuration management
  • H04L 67/55 - Push-based network services

11.

PAUSING AUTOMATIC SOFTWARE UPDATES OF VIRTUAL MACHINES

Application Number 17959612
Status Pending
Filing Date 2022-10-04
First Publication Date 2024-04-04
Owner Sophos Limited (United Kingdom)
Inventor
  • Caine, Jonathan Francis
  • Watkiss, Neil Robert Tyndale
  • Rayment, Timothy

Abstract

Adapting automatic software update behavior for virtual desktop infrastructure deployed endpoints includes detecting a request for services of a threat management facility for an enterprise network that originates from a compute instance embodied as a virtual machine instantiated from a versioned software template, and updating software on the compute instance based on a determination of availability of updated software for the compute instance and an update pause parameter indicating that updating software for virtual machines instantiated from the versioned software template is permitted for the compute instance.

IPC Classes

  • G06F 8/65 - Updates
  • G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines

12.

ENTERPRISE NETWORK THREAT DETECTION

Application Number 18364938
Status Pending
Filing Date 2023-08-03
First Publication Date 2024-04-04
Owner Sophos Limited (United Kingdom)
Inventor
  • Ladnai, Beata
  • Harris, Mark D.
  • Smith, Andrew G. P.
  • Ray, Kenneth D.
  • Thomas, Andrew J.
  • Humphries, Russell

Abstract

In a threat management platform, a number of endpoints log events in an event data recorder. A local agent filters this data and feeds a filtered data stream to a central threat management facility. The central threat management facility can locally or globally tune filtering by local agents based on the current data stream, and can query local event data recorders for additional information where necessary or helpful in threat detection or forensic analysis. The central threat management facility also stores and deploys a number of security tools such as a web-based user interface supported by machine learning models to identify potential threats requiring human intervention and other models to provide human-readable context for evaluating potential threats.

IPC Classes

  • G06Q 10/0635 - Risk analysis of enterprise or organisation activities
  • G06F 9/54 - Interprogram communication
  • G06F 11/07 - Responding to the occurrence of a fault, e.g. fault tolerance
  • G06F 16/955 - Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
  • G06F 17/18 - Complex mathematical operations for evaluating statistical data
  • G06F 18/21 - Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
  • G06F 18/214 - Generating training patterns; Bootstrap methods, e.g. bagging or boosting
  • G06F 18/23213 - Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions with fixed number of clusters, e.g. K-means clustering
  • G06F 18/2413 - Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on distances to training or reference patterns
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06N 5/01 - Dynamic search techniques; Heuristics; Dynamic trees; Branch-and-bound
  • G06N 5/022 - Knowledge engineering; Knowledge acquisition
  • G06N 5/04 - Inference or reasoning models
  • G06N 5/046 - Forward inferencing; Production systems
  • G06N 7/00 - Computing arrangements based on specific mathematical models
  • G06N 20/00 - Machine learning
  • G06N 20/20 - Ensemble learning
  • G06Q 10/0639 - Performance analysis of employees; Performance analysis of enterprise or organisation operations
  • G06V 20/52 - Surveillance or monitoring of activities, e.g. for recognising suspicious objects
  • H04L 9/40 - Network security protocols

13.

SECURE HASHING OF LARGE DATA FILES TO VERIFY FILE IDENTITY

Application Number 17958004
Status Pending
Filing Date 2022-09-30
First Publication Date 2024-04-04
Owner SOPHOS LIMITED (United Kingdom)
Inventor Carpenter, James Christopher

Abstract

Secure hashing of large files to verify file identity. In some implementations, a method includes determining a size of a particular file received by an endpoint device, and searching for a record indexed in a data structure based on the size. In response to finding the record, a sequence of multiple records is accessed in the data structure. For each record of the sequence, a particular data portion is hashed that has a location in the particular file that corresponds to a location in the record to obtain a particular hash result. In response to the particular hash result matching a corresponding previous hash result stored in the record based on an associated data portion in an associated file, the particular file is determined to be the same as the associated file, and characteristics of the particular file are determined using file information for the associated file.

IPC Classes

  • G06F 21/64 - Protecting data integrity, e.g. using checksums, certificates or signatures
  • G06F 21/60 - Protecting data
  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system

14.

SYSTEMS AND METHODS FOR NETWORK SECURITY

Application Number 18483041
Status Pending
Filing Date 2023-10-09
First Publication Date 2024-03-28
Owner Sophos Limited (United Kingdom)
Inventor
  • Thomas, Andy
  • Shah, Nishit
  • Stutz, Daniel

Abstract

Methods, systems, and computer readable media for network security are described. In some implementations, security tasks and roles can be allocated between an endpoint device and a firewall device based on tag information sent from the endpoint, the tag information including one or more characteristics of a traffic flow, information of resource availability, and/or reputation of a process associated with a traffic flow.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 9/50 - Allocation of resources, e.g. of the central processing unit [CPU]

15.

EVALUATING NETWORK FLOW RISKS

Application Number 17946733
Status Pending
Filing Date 2022-09-16
First Publication Date 2024-03-21
Owner Sophos Limited (United Kingdom)
Inventor
  • Limb, John Franklin
  • Terry, Neil Richard
  • Anderson, James B.

Abstract

A cluster of network flows is formed on the basis of a particular entity-to-entity relationship, and individual network flows within the cluster are further identified on an application-by-application basis to better characterize communications between two compute instances connected through a data network. By individually scoring network flows for each application with a variety of tools, and aggregating these individual scores into a composite score for the cluster of network flows, more accurate threat detections can be supported based on an increase in relevant threat data and a more complete view of risk factors.

IPC Classes

  • H04L 9/40 - Network security protocols
  • H04L 45/7453 - Address table lookup; Address filtering using hashing

16.

CATALOG FOR MANAGING MODULAR CODE

Application Number 17946752
Status Pending
Filing Date 2022-09-16
First Publication Date 2024-03-21
Owner Sophos Limited (United Kingdom)
Inventor
  • Rowlands, Anthony Thomas
  • Fraser, Michael Joseph

Abstract

A catalog of pipelines for modular coding integrates resources for consistent use and verification of individual pipeline components. The platform may incorporate tools and metadata for version control, verification, and licensing in order to support a user when creating and deploying applications using resources from the catalog.

IPC Classes

  • G06F 9/06 - Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
  • G06F 8/30 - Creation or generation of source code

17.

SECURITY COMPLIANCE FOR MODULAR CODE

Application Number 17946776
Status Pending
Filing Date 2022-09-16
First Publication Date 2024-03-21
Owner Sophos Limited (United Kingdom)
Inventor
  • Rowlands, Anthony Thomas
  • Fraser, Michael Joseph

Abstract

A catalog of pipelines for modular coding integrates resources for security compliance. The platform may incorporate tools and metadata for selecting suitable compliance standards and verifying security compliance for existing pipelines within the catalog as well as new pipelines created from existing pipelines.

IPC Classes

  • G06F 21/52 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure

18.

CYBERSECURITY CONFIGURATION IN A CLOUD ENVIRONMENT

Application Number 18240784
Status Pending
Filing Date 2023-08-31
First Publication Date 2024-03-07
Owner Sophos Limited (United Kingdom)
Inventor
  • Wenzel, Jean Pierre
  • Dürr, Nicolas Aleksander

Abstract

The present teachings include automatically determining the recommended security configuration of a first cloud service within a cloud computing network. This may include detecting a change in the cloud computing network relating to a second cloud service being deployed within the cloud computing network, and in response, obtaining contextual information related to the configuration and operation of the first cloud service, the contextual information including information related to the second cloud service. The contextual information may be provided to a prediction model operable to identify a security posture from input contextual information for obtaining a recommended security posture from the prediction model based on the contextual information provided thereto. Aspects may further include determining a security recommendation for the first cloud service based on a comparison of a current security posture of the first cloud service and the recommended security posture.

IPC Classes

  • H04L 9/40 - Network security protocols
  • H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence

19.

SECURE FIREWALL CONFIGURATIONS

Application Number 18194790
Status Pending
Filing Date 2023-04-03
First Publication Date 2024-02-29
Owner Sophos Limited (United Kingdom)
Inventor Teal, Richard S.

Abstract

A kernel driver on an endpoint uses a process cache to provide a stream of events associated with processes on the endpoint to a data recorder. The process cache can usefully provide related information about processes such as a name, type or path for the process to the data recorder through the kernel driver. Where a tamper protection cache or similarly secured repository is available, this secure information may also be provided to the data recorder for use in threat detection, forensic analysis and so forth.

IPC Classes

  • G06F 21/60 - Protecting data
  • G06F 12/0813 - Multiuser, multiprocessor or multiprocessing cache systems with a network or matrix configuration
  • G06F 21/44 - Program or device authentication
  • G06F 21/50 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
  • G06F 21/51 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
  • G06F 21/54 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by adding security routines or objects to programs
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
  • H04L 9/08 - Key distribution
  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • H04L 9/40 - Network security protocols
  • H04L 43/028 - Capturing of monitoring data by filtering
  • H04L 43/045 - Processing captured monitoring data, e.g. for logfile generation for graphical visualisation of monitoring data
  • H04L 43/062 - Generation of reports related to network traffic
  • H04L 47/2475 - Traffic characterised by specific attributes, e.g. priority or QoS for supporting traffic characterised by the type of applications

20.

Method and system for outbound spam mitigation

Application Number 17958046
Grant Number 11916858
Status In Force
Filing Date 2022-09-30
First Publication Date 2024-02-27
Grant Date 2024-02-27
Owner Sophos Limited (United Kingdom)
Inventor
  • Mears, John
  • Cove, Brett Hunter

Abstract

A method for mitigating outbound electronic message spam includes determining whether an outbound electronic message to a recipient sent from an electronic messaging account of a sender has at least a predetermined number of indicators of compromise. The outbound electronic message is sent to the recipient using an IP address from a first pool of service delivery IP addresses based on a determination that the message has less than the predetermined number of indicators of compromise. The outbound electronic message is sent to the recipient using an IP address from a second pool of service delivery IP addresses based on a determination that the message has at least the predetermined number of indicators of compromise. The method may further include providing a notification of a possible compromise of the electronic messaging account and the notification may include a request to modify a security feature of the electronic messaging account.

IPC Classes

  • H04L 51/214 - Monitoring or handling of messages using selective forwarding
  • H04L 51/212 - Monitoring or handling of messages using filtering or selective blocking
  • H04L 61/5061 - Pools of addresses
  • H04L 9/40 - Network security protocols
  • H04L 51/224 - Monitoring or handling of messages providing notification on incoming messages, e.g. pushed notifications of received messages

21.

COMPUTER AUGMENTED THREAT EVALUATION

Application Number 18462849
Status Pending
Filing Date 2023-09-07
First Publication Date 2024-02-22
Owner Sophos Limited (United Kingdom)
Inventor
  • Saxe, Joshua Daniel
  • Thomas, Andrew J.
  • Humphries, Russell
  • Reed, Simon Neil
  • Ray, Kenneth D.
  • Levy, Joseph H.

Abstract

An automated system attempts to characterize code as safe or unsafe. For intermediate code samples not placed with sufficient confidence in either category, human-readable analysis is automatically generated to assist a human reviewer in reaching a final disposition. For example, a random forest over human-interpretable features may be created and used to identify suspicious features in a manner that is understandable to, and actionable by, a human reviewer. Similarly, a k-nearest neighbor algorithm may be used to identify similar samples of known safe and unsafe code based on a model for, e.g., a file path, a URL, an executable, and so forth. Similar code may then be displayed (with other information) to a user for evaluation in a user interface. This comparative information can improve the speed and accuracy of human interventions by providing richer context for human review of potential threats.

IPC Classes

  • G06Q 10/0635 - Risk analysis of enterprise or organisation activities
  • H04L 9/40 - Network security protocols
  • G06N 5/046 - Forward inferencing; Production systems
  • G06N 20/00 - Machine learning
  • G06F 17/18 - Complex mathematical operations for evaluating statistical data
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06Q 10/0639 - Performance analysis of employees; Performance analysis of enterprise or organisation operations
  • G06F 16/955 - Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
  • G06F 11/07 - Responding to the occurrence of a fault, e.g. fault tolerance
  • G06N 7/00 - Computing arrangements based on specific mathematical models
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06N 5/04 - Inference or reasoning models
  • G06F 9/54 - Interprogram communication
  • G06N 5/022 - Knowledge engineering; Knowledge acquisition
  • G06N 20/20 - Ensemble learning
  • G06V 20/52 - Surveillance or monitoring of activities, e.g. for recognising suspicious objects
  • G06F 18/214 - Generating training patterns; Bootstrap methods, e.g. bagging or boosting
  • G06F 18/21 - Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
  • G06F 18/23213 - Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions with fixed number of clusters, e.g. K-means clustering
  • G06F 18/2413 - Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on distances to training or reference patterns
  • G06N 5/01 - Dynamic search techniques; Heuristics; Dynamic trees; Branch-and-bound

22.

TECHNIQUES FOR DETECTING LIVING-OFF-THE-LAND BINARY ATTACKS

Application Number 18144585
Status Pending
Filing Date 2023-05-08
First Publication Date 2024-02-15
Owner Sophos Limited (United Kingdom)
Inventor
  • Kyadige, Adarsh Dinesh
  • Gelman, Ben Uri
  • Berlin, Konstantin

Abstract

In example embodiments, techniques are provided to detect LOLBin attacks using a trained machine learning model that classifies command lines as benign or malicious. The machine learning model may be trained using a dataset of command line data that describes executed binary executable files, sourced from the log of events of compute instances. The dataset may be sampled using an approximate content-based logarithmic sampling algorithm (e.g., an algorithm that employs logarithmic sampling based on a locality sensitive hash, for example, a MinHash). The dataset may be labeled and featurized. The featurized labeled dataset may be used to train the machine learning model, which is then deployed to detect LOLBin attacks on a compute instance. In response to detection of a LOLBin attack, a remedial action may be performed on the compute instance.

IPC Classes

23.

RAPID DEVELOPMENT OF MALICIOUS CONTENT DETECTORS

Application Number 18225737
Status Pending
Filing Date 2023-07-25
First Publication Date 2024-02-15
Owner Sophos Limited (United Kingdom)
Inventor
  • Lee, Younghoo
  • Saxe, Joshua

Abstract

Methods and systems are described for developing a malicious content detector to identify new malicious text content, such as phishing messages, malicious documents, and/or malicious web content. A computing device is used to generate input data which contains an instruction, examples of content, and content to be analyzed. The examples include malicious and benign content samples, designed to recognize similar malicious content. The computing device feeds this input into a generative language model, which produces text labels that indicate the maliciousness of the content to be analyzed. The methods and systems enable rapid development of security protection by leveraging a small number of malicious samples, instead of training with a large dataset of new training samples.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 40/58 - Use of machine translation, e.g. for multi-lingual retrieval, for server-side translation for client devices or for real-time translation
  • G06F 40/279 - Recognition of textual entities

24.

Digital certificate malicious activity detection

Application Number 17880820
Status Pending
Filing Date 2022-08-04
First Publication Date 2024-02-08
Owner Sophos Limited (United Kingdom)
Inventor
  • Shah, Hardik
  • Weyne, Felix Benoit Roger
  • Ormandy, Stephen Matthew

Abstract

Systems and methods for detecting malicious activity. The methods include receiving at an interface at least one feature of a digital certificate; detecting, using one or more processors executing instructions stored on memory, an anomaly in the at least one feature of the digital certificate; identifying, using the one or more processors, at least one process or file associated with the digital certificate upon detecting the anomaly in the at least one feature; and analyzing, using the one or more processors, at least one property associated with the at least one identified process or file. The methods further include identifying, using the one or more processors, the at least one process or file as malicious based on the analysis of the at least one property associated with the at least one process or file and the identification of the anomaly in the at least one feature of the digital certificate; and executing at least one remedial action upon identifying the at least one process or file as malicious.

IPC Classes

25.

ENDPOINT WITH REMOTELY PROGRAMMABLE DATA RECORDER

Application Number 18449315
Status Pending
Filing Date 2023-08-14
First Publication Date 2024-02-01
Owner Sophos Limited (United Kingdom)
Inventor
  • Ladnai, Beata
  • Harris, Mark D.
  • Smith, Andrew G. P.
  • Ray, Kenneth D.
  • Thomas, Andrew J.
  • Humphries, Russell

Abstract

An endpoint coupled in a communicating relationship with an enterprise network may include a data recorder configured to store an event stream of data indicating events on the endpoint including types of changes to computing objects, a filter configured to locally process the event stream into a filtered event stream including a subset of types of changes to the computing objects, and a local security agent. The local security agent may be configured to transmit the filtered event stream to a threat management facility, respond to a filter adjustment from the threat management facility by adjusting the filter to modify the subset of types of changes included in the filtered event stream, and respond to a query from the threat management facility by retrieving data stored in the data recorder over a time window before the query and excluded from the filtered event stream.

IPC Classes

  • G06Q 10/0635 - Risk analysis of enterprise or organisation activities
  • H04L 9/40 - Network security protocols
  • G06N 5/046 - Forward inferencing; Production systems
  • G06N 20/00 - Machine learning
  • G06F 17/18 - Complex mathematical operations for evaluating statistical data
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06Q 10/0639 - Performance analysis of employees; Performance analysis of enterprise or organisation operations
  • G06F 16/955 - Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
  • G06F 11/07 - Responding to the occurrence of a fault, e.g. fault tolerance
  • G06N 7/00 - Computing arrangements based on specific mathematical models
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06N 5/04 - Inference or reasoning models
  • G06F 9/54 - Interprogram communication
  • G06N 5/022 - Knowledge engineering; Knowledge acquisition
  • G06N 20/20 - Ensemble learning
  • G06V 20/52 - Surveillance or monitoring of activities, e.g. for recognising suspicious objects
  • G06F 18/214 - Generating training patterns; Bootstrap methods, e.g. bagging or boosting
  • G06F 18/21 - Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
  • G06F 18/23213 - Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions with fixed number of clusters, e.g. K-means clustering
  • G06F 18/2413 - Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on distances to training or reference patterns
  • G06N 5/01 - Dynamic search techniques; Heuristics; Dynamic trees; Branch-and-bound

26.

Persistent IP address allocation for virtual private network (VPN) clients

Application Number 17886014
Status Pending
Filing Date 2022-08-11
First Publication Date 2024-01-04
Owner Sophos Limited (United Kingdom)
Inventor
  • Bhandari, Nikhil
  • Dommeti, Vamshi Krishna
  • Earikireddy, Praneeth Kumar Reddy

Abstract

Systems and methods for assigning a persistent internet protocol (IP) address to a virtual private network (VPN) client. The method includes receiving, at a first server, a request for access from a first VPN client, the request including access credentials and the first server having a routing table; sending, from the first server, the access credentials to an access server; receiving, from the access server at the first server, a first static IP address to be assigned to the first VPN client, wherein the first static IP address is selected from a plurality of available static IP addresses; assigning the first static IP address to the first VPN client; and adding the first static IP address to a static routing path in the routing table, the static routing path specifying an interface to which traffic associated with the first VPN client is to be routed. The static routing path is configured to be referenced to enable traffic associated with the first VPN client to be directed through the interface.

IPC Classes

27.

Traffic scanning with context-aware threat signatures

Application Number 17850816
Status Pending
Filing Date 2022-06-27
First Publication Date 2023-12-28
Owner Sophos Limited (United Kingdom)
Inventor
  • Thomas, Andrew
  • Jones, Craig
  • Shannon, Michael

Abstract

Threat management devices and methods. The methods include receiving, at an interface of a threat management device, contextual data associated with a first endpoint device that is in operable connectivity with the threat management device, wherein the threat management device is configured to execute at least one subsystem to scan network traffic. The methods further include determining at least a first signature from a plurality of signatures to use in scanning the network traffic based on the received contextual data and instructing the at least one subsystem to scan network traffic using at least the first determined signature.

IPC Classes

28.

DEDUPLICATION OF ENDPOINT IMAGES

Application Number 17748008
Status Pending
Filing Date 2022-05-18
First Publication Date 2023-12-21
Owner Sophos Limited (United Kingdom)
Inventor
  • Watkiss, Neil Robert Tyndale
  • Caine, Jonathan Francis
  • Rayment, Timothy

Abstract

A threat management facility for an enterprise provides security services to a number of virtual compute instances executing on a remote cloud computing platform. In order to prevent or reduce an accumulation of records for abandoned compute instances, each new virtual compute instance is explicitly identified by a user (and optionally a template), and then compared to existing records to identify possible redundancies, which can be deleted or otherwise managed.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 9/451 - Execution arrangements for user interfaces
  • G06F 16/215 - Improving data quality; Data cleansing, e.g. de-duplication, removing invalid entries or correcting typographical errors
  • G06F 8/65 - Updates

29.

USING REPUTATION TO AVOID FALSE MALWARE DETECTIONS

Application Number 18342867
Status Pending
Filing Date 2023-06-28
First Publication Date 2023-12-14
Owner Sophos Limited (United Kingdom)
Inventor Thomas, Andrew J.

Abstract

A variety of techniques are disclosed for detection of advanced persistent threats and similar malware. In one aspect, the detection of certain network traffic at a gateway is used to trigger a query of an originating endpoint, which can use internal logs to identify a local process that is sourcing the network traffic. In another aspect, an endpoint is configured to periodically generate and transmit a secure heartbeat, so that an interruption of the heartbeat can be used to signal the possible presence of malware. In another aspect, other information such as local and global reputation information is used to provide context for more accurate malware detection.

IPC Classes

30.

METHODS AND APPARATUS FOR MACHINE LEARNING TO GENERATE A DECISION TREE DATABASE TO IDENTIFY COMMANDS SIMILAR TO A COMMAND OF INTEREST

Application Number 17746471
Status Pending
Filing Date 2022-05-17
First Publication Date 2023-12-14
Owner Sophos Limited (United Kingdom)
Inventor Saxe, Joshua Daniel

Abstract

A potentially malicious command including a plurality of features is received. Additionally, a plurality of nodes included in a decision tree are traversed, based on the plurality of features, to identify a leaf node included in the plurality of nodes. The leaf node is associated with (1) a first set of similar commands, each similar command from the first set of similar commands including the plurality of features, and (2) a second set of similar commands from the first set of similar commands and that were previously detected. Additionally, a probability that the potentially malicious command will be escalated as potentially malicious is determined based on the first set of similar commands and the second set of similar commands. Additionally, a first indication quantifying the first set of similar commands, a second indication quantifying the second set of similar commands, and the probability are caused to be displayed.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06N 5/00 - Computing arrangements using knowledge-based models

31.

LIVE DISCOVERY OF ENTERPRISE THREATS BASED ON SECURITY QUERY ACTIVITY

Application Number 18449350
Status Pending
Filing Date 2023-08-14
First Publication Date 2023-11-30
Owner Sophos Limited (United Kingdom)
Inventor
  • Ackerman, Karl
  • Thomas, Andrew J.
  • Ray, Kenneth D.

Abstract

A threat management system provides a collection of queries for investigating security issues within an enterprise. Useful inferences are drawn about the value of different queries, and about the security posture of the enterprise, by monitoring contextual activity such as the popularity and context of query usage, patterns of end user modification to queries, and post-query activity.

IPC Classes

  • G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
  • G06Q 10/067 - Enterprise or organisation modelling
  • G06F 16/21 - Design, administration or maintenance of databases
  • G06F 16/215 - Improving data quality; Data cleansing, e.g. de-duplication, removing invalid entries or correcting typographical errors
  • H04L 9/40 - Network security protocols
  • G06F 16/2455 - Query execution

32.

SECURITY THREAT ALERT ANALYSIS AND PRIORITIZATION

Application Number 17958147
Status Pending
Filing Date 2022-09-30
First Publication Date 2023-11-09
Owner Sophos Limited (United Kingdom)
Inventor
  • Gelman, Ben Uri
  • Taoufiq, Salma
  • Berlin, Konstantin
  • Vörös, Tamás

Abstract

A method for prioritizing security events comprises receiving a security event that includes security event data having been generated by an endpoint agent based on a detected activity, wherein the security event data includes one or more features; applying a first computing model to the security event data to automatically determine which of the one or more features are one or more input features to a machine learning system; applying a second computing model to historical data related to the security event data to determine time pattern information of the security event data as an input to the machine learning system; combining the one or more input features from the first computing model and the input from the second computing model to generate a computed feature result; and generating an updated security level value of the security event from the computed feature result.

IPC Classes

33.

ATTRIBUTE RELEVANCE TAGGING IN MALWARE RECOGNITION

Application Number 18342996
Status Pending
Filing Date 2023-06-28
First Publication Date 2023-10-26
Owner Sophos Limited (United Kingdom)
Inventor
  • Ducau, Felipe Nicolás
  • Berlin, Konstantin

Abstract

In general, in one aspect, a method for machine learning recognition of portable executable files as malware includes providing training data comprising features of portable executable files and descriptive information for the portable executable files, the descriptive information comprising a family or type of malware. The method may include training a model using the training data to detect malware. The method may include using the trained model to recognize malware by providing features of a portable executable file as input and providing a threat score and descriptive information as output.

IPC Classes

34.

IMPLEMENTING A MACHINE-LEARNING MODEL TO IDENTIFY CRITICAL SYSTEMS IN AN ENTERPRISE ENVIRONMENT

Application Number 18318925
Status Pending
Filing Date 2023-05-17
First Publication Date 2023-10-26
Owner SOPHOS LIMITED (United Kingdom)
Inventor Ackerman, Karl

Abstract

A computer-implemented method includes training a machine-learning model, using a training dataset that distinguishes between critical systems and non-critical systems, to classify a particular computer system as critical or non-critical, wherein a label is applied to the particular computer system during the training that identifies the particular computer system as critical or non-critical, and wherein parameters that describe the critical systems or non-critical systems are used as features during the training. The method further includes receiving an input dataset that describes a plurality of computer systems in the enterprise environment. The method further includes outputting, using the trained machine-learning model, an identification of one or more critical systems of the plurality of computer systems within the enterprise environment and an identification of one or more non-critical systems of the plurality of computer systems within the enterprise environment, wherein each identification is associated with a confidence level.

IPC Classes

  • H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
  • H04L 41/14 - Network analysis or design
  • H04L 43/12 - Network monitoring probes

35.

CENTRALIZED MANAGEMENT OF POLICIES FOR NETWORK-ACCESSIBLE DEVICES

Application Number 18152483
Status Pending
Filing Date 2023-01-10
First Publication Date 2023-10-19
Owner Sophos Limited (United Kingdom)
Inventor Jones, Craig Robert

Abstract

Various aspects related to methods, systems, and computer readable media for centralized management of policies for network-accessible devices. An example method for deploying network policies to one or more computing devices or services can include receiving a request to analyze a network-accessible item for malicious activity, determining that the analyzed network-accessible item is associated with the malicious activity, presenting, at a client device, a listing of selectable devices and services responsive to the determination, wherein the listing is populated based on identifying data of the user, receiving at least one selection from the listing of selectable devices and services, creating at least one network access policy based on the at least one selection, and, deploying the at least one network access policy to a device or service associated with the at least one selection.

IPC Classes

36.

SECURITY THREAT REMEDIATION FOR NETWORK-ACCESSIBLE DEVICES

Application Number 18300645
Status Pending
Filing Date 2023-04-14
First Publication Date 2023-10-19
Owner SOPHOS LIMITED (United Kingdom)
Inventor Jones, Craig Robert

Abstract

Various aspects related to methods, systems, and computer readable media for restricting processes being executed on a user device. A method can include, for example, receiving an indication of a security threat from a security threat indication service being executed by a user device, wherein the indication of the security threat has been initiated by the user, presenting, at the user device, one or more questions based on the indication of the security threat, receiving one or more responses to the one or more questions from the user, and, automatically remediating the security threat on the user device based upon the received one or more responses.

IPC Classes

37.

RESTRICTED EXECUTION MODE FOR NETWORK-ACCESSIBLE DEVICES

Application Number 18300672
Status Pending
Filing Date 2023-04-14
First Publication Date 2023-10-19
Owner SOPHOS LIMITED (United Kingdom)
Inventor Jones, Craig Robert

Abstract

Various aspects related to methods, systems, and computer readable media for restricting processes being executed on a user device. A method can include, for example, receiving an indication of a security threat to a user device associated with a user, identifying a first plurality of processes being executed on the user device, identifying a second plurality of trusted processes from the first plurality of processes, receiving, from a remote device in operative communication with the user device, a command to terminate or suspend one or more processes from the first plurality of processes that are not in the second plurality of trusted processes, and, after the terminating or suspending, remediating the security threat on the user device.

IPC Classes

  • G06F 21/54 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by adding security routines or objects to programs
  • G06F 21/64 - Protecting data integrity, e.g. using checksums, certificates or signatures
  • G06F 21/31 - User authentication

38.

SECURITY THREAT MONITORING FOR NETWORK-ACCESSIBLE DEVICES

Application Number 17724213
Status Pending
Filing Date 2022-04-19
First Publication Date 2023-10-19
Owner SOPHOS LIMITED (United Kingdom)
Inventor Ackerman, Karl

Abstract

Various aspects related to threat management are disclosed. An example method includes monitoring network traffic on a computer network that includes a plurality of endpoints, identifying a software application executing on at least one endpoint from one or more of the sent data or the received data, where execution of the software application is associated with a startup time window and a post-startup time window, determining a security status score for the at least one endpoint based on a comparison of the sent data and the received data with a known pattern of network activity associated with the software application, wherein the known pattern of network activity is based upon the startup time window of the software application, determining a threat status for the at least one endpoint based on the security status score, and, generating an indication of the threat status for the at least one endpoint.

IPC Classes

  • H04L 9/40 - Network security protocols
  • H04L 41/149 - Network analysis or design for prediction of maintenance
  • H04L 61/2514 - Translation of Internet protocol [IP] addresses between local and global IP addresses
  • H04L 43/028 - Capturing of monitoring data by filtering

39.

Assessing Behavior Patterns and Reputation Scores Related to Email Messages

Application Number 17708825
Status Pending
Filing Date 2022-03-30
First Publication Date 2023-10-05
Owner SOPHOS LIMITED (United Kingdom)
Inventor Mears, John

Abstract

A computer-implemented method includes generating behavior patterns based on historical behavior of a plurality of emails. The method further includes receiving an email message from a sender, wherein the email message is withheld from delivery to a recipient. The method further includes extracting a plurality of features from the email message. The method further includes determining whether content of the email message matches at least one criterion for suspicious content. The method further includes determining a reputation score associated with the sender based on a comparison of the extracted features with the behavior patterns, wherein the extracted features include an identity of the sender. The method further includes, responsive to the content of the email message not matching the at least one criterion for suspicious content and the reputation score meeting a reputation threshold, delivering the email message to the recipient.

IPC Classes

  • H04L 9/40 - Network security protocols
  • H04L 51/42 - Mailbox-related aspects, e.g. synchronisation of mailboxes
  • H04L 51/00 - User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail

40.

NATURAL LANGUAGE ANALYSIS OF A COMMAND LINE USING A MACHINE LEARNING MODEL TO GENERATE A NATURAL LANGUAGE DESCRIPTION OF THE COMMAND LINE

Application Number 17709574
Status Pending
Filing Date 2022-03-31
First Publication Date 2023-10-05
Owner Sophos Limited (United Kingdom)
Inventor Saxe, Joshua Daniel

Abstract

In one or more embodiments, a command is repeatedly input a predetermined number of times into a machine learning model to generate a plurality of different natural language (NL) descriptions. The plurality of different NL descriptions are input into the machine learning model to generate a plurality of different check commands. A plurality of similarity metrics are determined by comparing each check command from the plurality of different check commands to the command. A check command from the plurality of different check commands that is most similar to the command is identified based on the plurality of similarity metrics. An NL description from the plurality of different NL descriptions is caused to be displayed, the NL description previously input into the machine learning model to generate the check command.

IPC Classes

  • G06F 40/56 - Natural language generation
  • G06F 40/12 - Use of codes for handling textual entities
  • G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines

41.

METHODS AND APPARATUS FOR VISUALIZATION OF MACHINE LEARNING MALWARE DETECTION MODELS

Application Number 17710027
Status Pending
Filing Date 2022-03-31
First Publication Date 2023-10-05
Owner Sophos Limited (United Kingdom)
Inventor
  • Berlin, Konstantin
  • Sopan, Awalin Nabila

Abstract

Embodiments disclosed include methods and apparatus for visualization of data and models (e.g., machine learning models) used to monitor and/or detect malware to ensure data integrity and/or to prevent or detect potential attacks. Embodiments disclosed include receiving information associated with artifacts scored by one or more sources of classification (e.g., models, databases, repositories). The method includes receiving inputs indicating threshold values or criteria associated with a classification of maliciousness of an artifact and for selecting sample artifacts. The method further includes classifying and selecting the artifacts, based on the criteria, to define a sample set, and based on the sample set, generating a ground truth indication of classification of maliciousness for each sample artifact in the sample set. The method further includes using the ground truth indications to evaluate and display, via an interface, a representation of a performance of sources of classification and/or quality of data.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06N 5/02 - Knowledge representation; Symbolic representation

42.

METHODS AND APPARATUS FOR NATURAL LANGUAGE INTERFACE FOR CONSTRUCTING COMPLEX DATABASE QUERIES

Application Number 17710036
Status Pending
Filing Date 2022-03-31
First Publication Date 2023-10-05
Owner Sophos Limited (United Kingdom)
Inventor
  • Saxe, Joshua Daniel
  • Lee, Younghoo

Abstract

In some embodiments, a processor receives, via an interface, natural language data associated with a user request for performing an identified computational task associated with a cybersecurity management system. The processor is configured to provide the natural language data as input to a machine learning (ML) model. The ML model is configured to automatically infer a template query based on the natural language data. The processor is further configured to cause the template query to be displayed, via the interface. The processor is further configured to receive, via the interface, user input indicating a finalized query associated with the identified computational task, and to provide the finalized query as input to a system configured to perform the identified computational task. The processor is further configured to modify a security setting in the cybersecurity management system based on the performance of the identified computational task.

IPC Classes

43.

METHODS AND APPARATUS FOR AUGMENTING TRAINING DATA USING LARGE LANGUAGE MODELS

Application Number 17710127
Status Pending
Filing Date 2022-03-31
First Publication Date 2023-10-05
Owner Sophos Limited (United Kingdom)
Inventor
  • Lee, Younghoo
  • Béky, Miklós Sándor
  • Saxe, Joshua Daniel

Abstract

In some embodiments, a processor receives natural language data for performing an identified cybersecurity task. The processor can provide the natural language data to a first machine learning (ML) model. The first ML model can automatically infer a template query based on the natural language data. The processor can receive user input indicating a finalized query and provide the finalized query as input to a system configured to perform the identified computational task. The processor can provide the finalized query as a reference phrase to a second ML model, the second ML model configured to generate a set of natural language phrases similar to the reference phrase. The processor can generate supplemental training data using the set of natural language phrases similar to the reference phrase to augment training data used to improve performance of the first ML model and/or the second ML model.

IPC Classes

  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
  • G06N 3/08 - Learning methods
  • G06F 40/205 - Parsing

44.

Scored threat signature analysis

Application Number 17750640
Status Pending
Filing Date 2022-05-23
First Publication Date 2023-10-05
Owner Sophos Limited (United Kingdom)
Inventor
  • Subramanya, Santosh
  • Jayaraman, Shankar
  • Kurien, Sajimon
  • Kumar, Mukesh
  • Viswanathan, Guruskanthan

Abstract

Methods and systems for detecting threats using threat signatures loaded in a computing device. The methods include receiving a first plurality of threat signatures at a computing device, at least one threat signature of the first plurality of threat signatures having been assigned a score based on at least one metadata attribute having been added to the at least one threat signature; receiving a selection of a second plurality of threat signatures from the first plurality of threat signatures to load into random access memory (RAM) of the computing device, wherein at least one threat signature of the selected plurality of threat signatures is selected based on its assigned score; scanning network traffic accessible by the computing device using the at least one threat signature of the selected plurality of threat signatures; detecting a threat in the network traffic based on the scanning using the at least one threat signature of the selected plurality of threat signatures; and performing a remedial action upon detecting the threat in the network traffic.

IPC Classes

45.

Hybrid web application firewall

Application Number 17750703
Status Pending
Filing Date 2022-05-23
First Publication Date 2023-10-05
Owner Sophos Limited (United Kingdom)
Inventor
  • Kaimal, Biju Ramachandra
  • Green, Jeffrey Martin
  • Toews, Alan Charles
  • Agarwal, Laxmikant
  • Valappil, Anoop Kodakkal
  • Earikireddy, Praneeth Kumar Reddy
  • Pragada, Kranthi Kiran Dharani
  • Tiwari, Deepak

Abstract

Threat management devices and methods for a containerized firewall. The methods may include receiving instructions to configure a web application firewall being executed within a first container-based architecture, wherein the received instructions include changes to a previous network traffic policy; storing the received instructions as a changelog that indicates an updated network traffic policy to be implemented by the web application firewall; and communicating the updated network traffic policy to a first object store associated with the first container-based architecture and to a proxy service associated with the web application firewall. The methods may further include configuring the web application firewall based on the updated network traffic policy communicated to the proxy service; monitoring, using the web application firewall, first network traffic originating within the first container-based architecture and second network traffic originating external to the first container-based architecture; and processing the first network traffic or the second network traffic in accord with the updated network traffic policy.

IPC Classes

46.

Signature quality evaluation

Application Number 17750737
Status Pending
Filing Date 2022-05-23
First Publication Date 2023-10-05
Owner Sophos Limited (United Kingdom)
Inventor
  • Subramanya, Santosh
  • Jayaraman, Shankar

Abstract

Systems and methods for scanning network activity. The methods include receiving at an interface connection data regarding a plurality of network connections, wherein the connection data includes a signature used to classify each of the plurality of network connections; determining, using one or more processors executing instructions stored on memory to provide a signature analysis engine configured to analyze the connection data, that the signature is prohibitively prone to misclassifying network activity as malicious, wherein the determination is based on the analysis of the connection data; and implementing a signature policy to prevent the signature from misclassifying network activity as malicious.

IPC Classes

47.

ADMINISTRATION OF ELECTRONIC MAIL UNSUBSCRIBE LINKS

Application Number 17708134
Status Pending
Filing Date 2022-03-30
First Publication Date 2023-10-05
Owner Sophos Limited (United Kingdom)
Inventor Paris, Sascha Michael

Abstract

A method for processing electronic messages including unsubscribe links comprises receiving a plurality of electronic messages directed from a sender to an intended recipient, wherein at least one electronic message from the plurality of electronic messages includes an unsubscribe link that is associated with an instruction that instructs the sender to discontinue sending electronic messages to the intended recipient, parsing the electronic messages to identify unsubscribe links from the plurality of electronic messages, for each identified unsubscribe link, creating a record associated with the identified unsubscribe link in a database, generating an aggregate of the identified unsubscribe links based on the records in the database, and transmitting the aggregate of the identified unsubscribe links to the intended recipient.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 16/955 - Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
  • H04L 51/18 - Commands or executable codes

48.

FUZZ TESTING OF MACHINE LEARNING MODELS TO DETECT MALICIOUS ACTIVITY ON A COMPUTER

Application Number 17710460
Status Pending
Filing Date 2022-03-31
First Publication Date 2023-10-05
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Karimibiuki, Mehdi
  • Paradis, Craig

Abstract

An example method can include obtaining information about a machine learning (ML) model configured to detect malicious activity on a computer system, wherein the information includes one or more of a model type of the ML model, an output type of the ML model, or a type of malicious activity that the model is trained to detect, receiving a training dataset, wherein the training dataset includes a plurality of unlabeled examples, generating an additional dataset based on the training dataset using a generative model, wherein the additional dataset includes a plurality of additional unlabeled examples, and training the machine learning model to generate labels for each example in the training dataset and the additional dataset, using a combination of the training dataset and the additional dataset, wherein the training includes adjusting one or more parameters of the machine learning model based on accuracy of the generated labels.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence

49.

ADMISSION CONTROL IN A CONTAINERIZED COMPUTING ENVIRONMENT

Application Number 17749474
Status Pending
Filing Date 2022-05-20
First Publication Date 2023-10-05
Owner Sophos Limited (United Kingdom)
Inventor
  • Kaimal, Biju Ramachandra
  • Green, Jeffrey Martin
  • Shwetank, Shwetank

Abstract

A method for performing admission control in a containerized computing environment includes deploying, by one or more processors of a computer system, the containerized computing environment, receiving, by the containerized computing environment, constraints associated with admission control for containers, the constraints related to container security, and receiving, by the containerized computing environment, a request for creating a container. The method includes determining, by an admission controller of the containerized computing environment, a quality metric of the container associated with the received request, performing, by the admission controller of the containerized computing environment, admission control prior to the creating of the container by applying the constraints using the determined quality metric, and allowing or disallowing, by the admission controller of the containerized computing environment, creation of the container based on the performing the admission control.

IPC Classes

50.

Security of network traffic in a containerized computing environment

Application Number 17749510
Grant Number 11870815
Status In Force
Filing Date 2022-05-20
First Publication Date 2023-10-05
Grant Date 2024-01-09
Owner Sophos Limited (United Kingdom)
Inventor
  • Kaimal, Biju Ramachandra
  • Green, Jeffrey Martin

Abstract

A method comprises monitoring a computing environment including a plurality of containers, determining, for one of the containers, a service type and an IP address, assigning the IP address of the container having the determined service type to a first list of IP addresses, assigning an IP address of each of the containers to a second list of IP addresses, applying a first security policy for a first source of network traffic for processing by the container having the determined service type and the IP address assigned to the first list of IP addresses, and applying a second security policy for a second source of network traffic for processing by the containers having the IP addresses assigned to the second list of IP addresses.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 9/40 - Network security protocols
  • G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines

51.

Threat signature scoring

Application Number 17750674
Status Pending
Filing Date 2022-05-23
First Publication Date 2023-10-05
Owner Sophos Limited (United Kingdom)
Inventor Viswanathan, Guruskanthan

Abstract

Methods and systems for generating a plurality of threat signatures. In one embodiment, the method includes receiving at an interface a first plurality of threat signatures; adding, using one or more processors executing instructions stored on memory, at least one metadata attribute to each of the first plurality of threat signatures, wherein the at least one added metadata attribute is a cost associated with the threat signature that is obtained by determining a difference in performance between an execution of an inspection engine against a test case without the threat signature and an execution of the inspection engine against the test case with the threat signature; adding, using the one or more processors, a signature score to each of the first plurality of threat signatures calculated utilizing the at least one added metadata attribute; and transmitting the plurality of threat signatures including signature scores to a computing device configured for scanning network activity.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

52.

Containerized network activity filtering

Application Number 17752256
Status Pending
Filing Date 2022-05-24
First Publication Date 2023-10-05
Owner Sophos Limited (United Kingdom)
Inventor
  • Kaimal, Biju Ramachandra
  • Green, Jeffrey Martin

Abstract

Systems and methods for operating a container-based architecture. The methods include executing, using one or more processors, instructions stored on memory to provide a Domain Name Service (DNS) proxy service, wherein the DNS proxy service is executed in a container-based architecture; and receiving at the DNS proxy service a domain name service (DNS) request, wherein the DNS request is received from an application service executing in the container-based architecture and the DNS request is directed to a DNS service being executed in the same container-based architecture as the DNS proxy service. The methods further include analyzing, at the DNS proxy service, the received DNS request to determine whether the DNS request is intended for a malign network; assigning a classification to the DNS request using the DNS proxy service, wherein the assigned classification is based on the analysis of the received DNS request to determine whether the DNS request is intended for a malign network location; and processing the DNS request based on the assigned classification of the DNS request.

IPC Classes

  • H04L 9/40 - Network security protocols
  • H04L 61/4511 - Network directories; Name-to-address mapping using standardised directory access protocols using domain name system [DNS]

53.

Applying network access control configurations with a network switch based on device health

Application Number 17749493
Grant Number 11962621
Status In Force
Filing Date 2022-05-20
First Publication Date 2023-10-05
Grant Date 2024-04-16
Owner Sophos Limited (United Kingdom)
Inventor
  • Kaimal, Biju Ramachandra
  • Thomas, Andrew J.
  • Vaidya, Kerav
  • Bansal, Yogesh
  • Andrews, Robert Paul

Abstract

A method includes receiving, by a computer system, information related to device health of an electronic device, determining, by the computer system, a health status of the electronic device based at least in part on the received information related to the device health of the electronic device, requesting, by a switch having a port connected to the electronic device, the health status of the electronic device from the computer system, receiving, by the computer system, the request for the health status of the electronic device from the switch, transmitting, by the computer system, the health status of the electronic device to the switch, evaluating, by the switch, the transmitted health status of the electronic device using network access rules corresponding to health statuses, and applying, by the switch, a network access control configuration to the port of the switch based on the evaluating the transmitted health status.

IPC Classes

54.

MONITORING DATA EXFILTRATION BASED ON USER STATUS

Application Number 17705749
Status Pending
Filing Date 2022-03-28
First Publication Date 2023-09-28
Owner Sophos Limited (United Kingdom)
Inventor Jones, Craig Robert

Abstract

A method includes storing an employment status module associated with an entity and associating a plurality of employment statuses with respective security settings for a plurality of users associated with the entity, receiving information indicating a change in an employment status of a user of the plurality of users, determining a change to security settings for the user based on the change in the employment status of the user, applying the change to the security settings for the user in a security management system of a threat management facility, and restricting use of at least one data processing electronic device activity on an electronic device of the user based on the change to the security settings for the user.

IPC Classes

55.

BEHAVIOR DETECTION AND VERIFICATION

Application Number 18304682
Status Pending
Filing Date 2023-04-21
First Publication Date 2023-09-28
Owner Sophos Limited (United Kingdom)
Inventor
  • Thomas, Andrew J.
  • Nordwall, Johan Petter
  • Ackerman, Karl
  • Walsh, Thomas John
  • Hoyer, Christoph Georg
  • Stratmann, Mirco
  • Vaidya, Kerav

Abstract

When security-related behavior is detected on an endpoint, e.g., through a local security agent executing on the endpoint, a threat management facility associated with the endpoint can interact with a user via a second local security agent on a second endpoint in order to solicit verification, authorization, authentication or the like related to the behavior. In one aspect, an administrator for an enterprise managed by the threat management facility may verify, authorize, or otherwise approve the detected behavior using this technique. In another aspect, a user of the device may use this infrastructure to approve of a potentially risky behavior on one device by using a verification procedure on a second device associated with the user.

IPC Classes

56.

EARLY TERMINATION OF SECURE HANDSHAKES

Application Number 17704384
Status Pending
Filing Date 2022-03-25
First Publication Date 2023-09-28
Owner Sophos Limited (United Kingdom)
Inventor
  • Katyal, Amit
  • Obulareddy, Venkata Suresh Reddy

Abstract

A Transport Layer Security (TLS) handshake can be terminated early—i.e., before certificate validation—to reduce server-side demand, which can be particularly advantageous in counteracting Denial-of-Service (DOS) attacks and the like. To this end, an endpoint may provide a one-time password (OTP) in the client hello message during the initial steps of a TLS handshake or similar connection protocol. A gateway, upon receiving the client hello message, may generate its own OTP for comparison with the OTP in the client hello message. The endpoint and gateway may advantageously generate the OTP based on a secret provided by a threat management facility with a preexisting secure connection to the two entities. If the OTP provided in the client hello message and the OTP generated on the gateway are the same, then the TLS handshake may continue; otherwise, the Transmission Control Protocol (TCP) connection will be terminated by the gateway.

IPC Classes

57.

AGGREGATING SECURITY EVENTS

Application Number 17699414
Status Pending
Filing Date 2022-03-21
First Publication Date 2023-09-21
Owner Sophos Limited (United Kingdom)
Inventor
  • Wood, Michael David
  • Ajjan, Anand
  • Teal, Richard S.

Abstract

A stream of events is received at a local security agent running on an endpoint at an enterprise network. The local security agent may detect an event of a first event type and may generate an aggregate event with subsequent events of the first event type in the stream. The local security agent may then transmit the aggregate event to a security resource for detecting security threats.

IPC Classes

58.

EARLY MALWARE DETECTION

Application Number 17696369
Status Pending
Filing Date 2022-03-16
First Publication Date 2023-08-03
Owner Sophos Limited (United Kingdom)
Inventor
  • Samosseiko, Dmitri
  • Howard, Fraser Peter
  • Mackenzie, Peter Adam
  • Reed, Simon Neil
  • Roberts, Guy William
  • Szappanos, Gabor

Abstract

Malware detections are received from a plurality of endpoints in one or more enterprise networks. A first and second set of indicators of breach may be identified from the malware detections and, where appropriate, grouped by specific customers. The pattern of progressive deployment of malware directed toward a customer can then be used as a basis for identifying generalized targeting of the customer, or extended staging for a specific attack on the customer such as a ransomware attack.

IPC Classes

59.

METHODS AND APPARATUS FOR USING MACHINE LEARNING ON MULTIPLE FILE FRAGMENTS TO IDENTIFY MALWARE

Application Number 18186587
Status Pending
Filing Date 2023-03-20
First Publication Date 2023-07-20
Owner Sophos Limited (United Kingdom)
Inventor
  • Saxe, Joshua Daniel
  • Harang, Richard

Abstract

In some embodiments, a method includes processing at least a portion of a received file into a first set of fragments and analyzing each fragment from the first set of fragments using a machine learning model to identify within each fragment first information potentially relevant to whether the file is malicious. The method includes forming a second set of fragments by combining adjacent fragments from the first set of fragments and analyzing each fragment from the second set of fragments using the machine learning model to identify second information potentially relevant to whether the file is malicious. The method includes identifying the file as malicious based on the first information within at least one fragment from the first set of fragments and the second information within at least one fragment from the second set of fragments. The method includes performing a remedial action based on identifying the file as malicious.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06N 5/04 - Inference or reasoning models
  • G06N 3/084 - Backpropagation, e.g. using gradient descent
  • G06N 20/00 - Machine learning

60.

INTRUSION DETECTION USING A HEARTBEAT

Application Number 18179830
Status Pending
Filing Date 2023-03-07
First Publication Date 2023-07-06
Owner Sophos Limited (United Kingdom)
Inventor Ray, Kenneth D.

Abstract

Possible Denial of Service (DoS) activity is detected and remediated based on an initial heartbeat failure from a network asset, followed by externally directed network traffic from the network asset. In general, an interruption of the heartbeat can signal the possible presence of malware on the network asset, and the externally directed network traffic, and particularly certain patterns of traffic such as a high volume of traffic toward an address with a known, good reputation, can signal the possible presence of a DoS bot on the network asset that is sourcing the network traffic.

IPC Classes

61.

METHOD AND SYSTEM FOR DETECTING RESTRICTED CONTENT ASSOCIATED WITH RETRIEVED CONTENT

Application Number 18182808
Status Pending
Filing Date 2023-03-13
First Publication Date 2023-07-06
Owner Sophos Limited (United Kingdom)
Inventor
  • Howard, Fraser Peter
  • Baccas, Paul Oliver
  • Svajcer, Vanja
  • Godwood, Benjamin John
  • Mccourt, William James

Abstract

In embodiments of the present teachings, improved capabilities are described for detecting restricted content associated with retrieved content. The method and system may include receiving a client request for content, saving contextual information from the client request, and presenting the contextual information from the client request, and retrieved content, to a scanning facility. The scanning facility may use the contextual information and the retrieved content to initiate a remedial action on the client.

IPC Classes

62.

Dynamic multi-factor authentication

Application Number 18179870
Grant Number 11928231
Status In Force
Filing Date 2023-03-07
First Publication Date 2023-07-06
Grant Date 2024-03-12
Owner Sophos Limited (United Kingdom)
Inventor
  • Levy, Joseph H.
  • Thomas, Andrew J.
  • Schiappa, Daniel Salvatore
  • Ray, Kenneth D.

Abstract

An authentication model dynamically adjusts authentication factors required for access to a remote resource based on changes to a risk score for a user, a device, or some combination of these. For example, the authentication model may conditionally specify the number and type of authentication factors required by a user/device pair, and may dynamically alter authentication requirements based on changes to a current risk assessment for the user/device while the remote resource is in use.

IPC Classes

  • G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
  • G06F 16/13 - File access structures, e.g. distributed indices
  • G06F 16/28 - Databases characterised by their database models, e.g. relational or object models
  • G06F 16/93 - Document management systems
  • G06F 21/64 - Protecting data integrity, e.g. using checksums, certificates or signatures
  • G06N 20/00 - Machine learning
  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • H04L 9/40 - Network security protocols
  • H04L 41/00 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
  • H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]

63.

EXTENDING EXPIRATION OF USER SESSIONS WITH AUTHENTICATION REFRESH

Application Number 18183236
Status Pending
Filing Date 2023-03-14
First Publication Date 2023-07-06
Owner Sophos Limited (United Kingdom)
Inventor
  • Kaimal, Biju Ramachandra
  • Obulareddy, Venkata Suresh Reddy

Abstract

A gateway performs silent authentication refreshes with an identity management platform in order to extend the expiration of a cookie provided to an endpoint that accesses network applications through the gateway.

IPC Classes

  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • H04L 67/141 - Setup of application sessions
  • H04L 67/146 - Markers for unambiguous identification of a particular session, e.g. session cookie or URL-encoding

64.

Implementing a machine-learning model to identify critical systems in an enterprise environment

Application Number 17710842
Grant Number 11695647
Status In Force
Filing Date 2022-03-31
First Publication Date 2023-07-04
Grant Date 2023-07-04
Owner Sophos Limited (United Kingdom)
Inventor Ackerman, Karl

Abstract

A computer-implemented method includes training a machine-learning model, using a training dataset that distinguishes between critical systems and non-critical systems, to classify a particular computer system as critical or non-critical, wherein a label is applied to the particular computer system during the training that identifies the particular computer system as critical or non-critical, and wherein parameters that describe the critical systems or non-critical systems are used as features during the training. The method further includes receiving an input dataset that describes a plurality of computer systems in the enterprise environment. The method further includes outputting, using the trained machine-learning model, an identification of one or more critical systems of the plurality of computer systems within the enterprise environment and an identification of one or more non-critical systems of the plurality of computer systems within the enterprise environment, wherein each identification is associated with a confidence level.

IPC Classes

  • H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
  • H04L 43/12 - Network monitoring probes
  • H04L 41/14 - Network analysis or design

65.

Process-specific network access control based on traffic monitoring

Application Number 18112630
Grant Number 11882136
Status In Force
Filing Date 2023-02-22
First Publication Date 2023-06-29
Grant Date 2024-01-23
Owner Sophos Limited (United Kingdom)
Inventor
  • Mahadevia, Jimit Hareshkumar
  • Dave, Shalvi D.
  • Trivedi, Bhushan H.

Abstract

Disclosed are various embodiments of method and system for network access control. The method may involve traffic monitoring and vulnerability detection using process information. The system may analyze the vulnerability as a process malfunctioning where preventive action focuses on process blocking as opposed to host blocking, which can lead to improved performance and productivity of a network. Techniques may use process related information, connection information, and network packet information for network control. The information may be used to identify and detect a known vulnerability in network activities. Techniques may further transmit, in response to the detection, an authorization decision regarding allowing or blocking the process running on the host.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 9/40 - Network security protocols
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures

66.

DETECTING PHISHING ATTACKS

Application Number 18177434
Status Pending
Filing Date 2023-03-02
First Publication Date 2023-06-29
Owner Sophos Limited (United Kingdom)
Inventor
  • Thomas, Andrew J.
  • Ackerman, Karl
  • Bean, James Douglas
  • Ray, Kenneth D.
  • Stutz, Daniel

Abstract

Disclosed herein is a technique for detecting potential phishing attacks by monitoring outbound web traffic from an endpoint, along with inbound electronic mail traffic addressed to a user of the endpoint. With this information, a search can be performed for possible sources in the web traffic of a request for a hyperlink located in the inbound mail traffic, and when no source is located, phishing remediation can be performed, including restrictions on access to the hyperlink at an endpoint operated by the user.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 11/00 - Error detection; Error correction; Monitoring
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 21/44 - Program or device authentication
  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
  • H04L 51/212 - Monitoring or handling of messages using filtering or selective blocking
  • G06F 21/64 - Protecting data integrity, e.g. using checksums, certificates or signatures
  • H04L 41/142 - Network analysis or design using statistical or mathematical methods
  • H04L 43/10 - Active monitoring, e.g. heartbeat, ping or trace-route
  • H04L 67/104 - Peer-to-peer [P2P] networks
  • G06F 21/45 - Structures or tools for the administration of authentication
  • G06F 21/40 - User authentication by quorum, i.e. whereby two or more security principals are required
  • G06F 21/43 - User authentication using separate channels for security data wireless channels
  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • H04L 41/0631 - Management of faults, events, alarms or notifications using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis

67.

CENTRALIZED EVENT DETECTION

Application Number 18096882
Status Pending
Filing Date 2023-01-13
First Publication Date 2023-06-15
Owner Sophos Limited (United Kingdom)
Inventor
  • Levy, Joseph H.
  • Thomas, Andrew J.
  • Schiappa, Daniel Salvatore
  • Ray, Kenneth D.

Abstract

A threat management facility stores a number of entity models that characterize reportable events from one or more entities. A stream of events from compute instances within an enterprise network can then be analyzed using these entity models to detect behavior that is inconsistent or anomalous for one or more of the entities that are currently active within the enterprise network.

IPC Classes

  • G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
  • H04L 9/40 - Network security protocols
  • G06N 20/00 - Machine learning
  • G06F 16/93 - Document management systems
  • G06F 16/28 - Databases characterised by their database models, e.g. relational or object models
  • G06F 16/13 - File access structures, e.g. distributed indices
  • G06F 21/64 - Protecting data integrity, e.g. using checksums, certificates or signatures
  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • H04L 41/00 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
  • H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]

68.

Malware mitigation based on runtime memory allocation

Application Number 18094636
Grant Number 11880453
Status In Force
Filing Date 2023-01-09
First Publication Date 2023-05-25
Grant Date 2024-01-23
Owner Sophos Limited (United Kingdom)
Inventor
  • Engels, Lute Edwin
  • Loman, Mark Willem
  • Vermaning, Alexander
  • Loman, Erik Jan
  • Van Hillo, Victor Marinus Johann Simon

Abstract

A compute instance is instrumented to detect certain kernel memory allocation functions, in particular functions that allocate heap memory and/or make allocated memory executable. Dynamic shell code exploits can then be detected when code executing from heap memory allocates additional heap memory and makes that additional heap memory executable.

IPC Classes

  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 12/14 - Protection against unauthorised use of memory
  • G06F 9/50 - Allocation of resources, e.g. of the central processing unit [CPU]
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 12/02 - Addressing or allocation; Relocation
  • G06F 21/60 - Protecting data
  • G06F 21/71 - Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information

69.

TRACKING MALICIOUS SOFTWARE MOVEMENT WITH AN EVENT GRAPH

Application Number 18084825
Status Pending
Filing Date 2022-12-20
First Publication Date 2023-04-20
Owner Sophos Limited (United Kingdom)
Inventor
  • Ladnai, Beata
  • Harris, Mark David
  • Thomas, Andrew J.
  • Smith, Andrew G. P.
  • Humphries, Russell

Abstract

A multi-endpoint event graph causally relates a sequence of events among a number of computing objects at a number of logical locations including multiple endpoints in an enterprise network. The multi-endpoint event graph is used to detect malware based on malicious software moving through the enterprise network.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures

70.

UPDATING A CLUSTER OF NODES IN A NETWORK APPLIANCE

Application Number 17690654
Status Pending
Filing Date 2022-03-09
First Publication Date 2023-04-20
Owner Sophos Limited (United Kingdom)
Inventor
  • Kaimal, Biju Ramachandra
  • Subramaniam, Srisakthi
  • Bhandari, Nikhil

Abstract

An administrator can initiate an automatic software update to a network appliance that is configured as a cluster of nodes. The update is performed sequentially on a node-by-node basis in order to maintain availability and performance of the network appliance during the update.

IPC Classes

  • G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
  • G06F 9/4401 - Bootstrapping
  • G06F 8/65 - Updates
  • G06F 8/71 - Version control ; Configuration management
  • G06F 9/50 - Allocation of resources, e.g. of the central processing unit [CPU]
  • H04L 9/40 - Network security protocols

71.

DISTRIBUTED ZERO TRUST NETWORK ACCESS

Application Number 17690681
Status Pending
Filing Date 2022-03-09
First Publication Date 2023-04-20
Owner Sophos Limited (United Kingdom)
Inventor
  • Kaimal, Biju Ramachandra
  • Thomas, Andrew J.
  • Obulareddy, Venkata Suresh Reddy
  • Premi, Mayur
  • Cook, Robert W.
  • Kamath, Ramesh
  • Setzer, Matthew Charles
  • Nayak, Madan Mohan

Abstract

In order to use zero trust network resources distributed across multiple gateways, an agent is deployed on an endpoint of an enterprise network. The agent maps requests for specific applications to corresponding gateways. The agent may also multiplex or otherwise aggregate communications among different network applications and gateways in order to provide seamless, transparent access to the distributed resources at a single endpoint, and/or within a single interface.

IPC Classes

72.

SOFTWARE ROLLBACK OF CLUSTER OF NETWORK DEVICES

      
Application Number 17690704
Status Pending
Filing Date 2022-03-09
First Publication Date 2023-04-20
Owner Sophos Limited (United Kingdom)
Inventor
  • Bhandari, Nikhil
  • Obulareddy, Venkata Suresh Reddy
  • Katyal, Amit

Abstract

In a cluster of network devices using a consensus protocol for cluster synchronization, a full software rollback is performed by backing up a cluster state on a primary instance for the cluster, and then restarting all devices at the same time from a prior partition. The primary instance can then start a cluster management service and other devices can join the cluster using the consensus state stored by the primary instance.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 11/14 - Error detection or correction of the data by redundancy in operation, e.g. by using different operation sequences leading to the same result

73.

Extending expiration of user sessions with authentication refresh

      
Application Number 17690607
Grant Number 11663030
Status In Force
Filing Date 2022-03-09
First Publication Date 2023-04-20
Grant Date 2023-05-30
Owner Sophos Limited (United Kingdom)
Inventor
  • Kaimal, Biju Ramachandra
  • Obulareddy, Venkata Suresh Reddy

Abstract

A gateway performs silent authentication refreshes with an identity management platform in order to extend the expiration of a cookie provided to an endpoint that accesses network applications through the gateway.

IPC Classes

  • H04L 9/40 - Network security protocols
  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • H04L 67/146 - Markers for unambiguous identification of a particular session, e.g. session cookie or URL-encoding
  • H04L 67/141 - Setup of application sessions

74.

EXECUTABLE POLICY DECLARATIONS FOR NETWORK SECURITY

      
Application Number 17690632
Status Pending
Filing Date 2022-03-09
First Publication Date 2023-04-20
Owner Sophos Limited (United Kingdom)
Inventor
  • Kaimal, Biju Ramachandra
  • Wala, Avni Bhupendrakumar
  • Bhandari, Nikhil

Abstract

A policy created through an administrative user interface is converted into an intermediate representation that can be compiled for execution by a gateway or converted into a human-readable form for modifications by the administrator.

IPC Classes

  • H04L 9/40 - Network security protocols
  • H04L 12/66 - Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
  • G06F 3/0482 - Interaction with lists of selectable items, e.g. menus
  • G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules

75.

NETWORK CONFIGURATION UPDATE

      
Application Number 17690766
Status Pending
Filing Date 2022-03-09
First Publication Date 2023-04-20
Owner Sophos Limited (United Kingdom)
Inventor
  • Maheve, Sanjeev Kumar
  • Rajendran, Thiyagu

Abstract

A cluster of nodes are sequentially updated with new network configuration settings in order to maintain availability of the cluster during the update. In the sequential update, each node conditionally updates network configuration settings, tests connectivity, and retains an update to the configuration only if the node is able to restore connectivity suitable for operation in the cluster.

IPC Classes

  • H04L 41/082 - Configuration setting characterised by the conditions triggering a change of settings the condition being updates or upgrades of network functionality
  • H04L 43/0811 - Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability by checking connectivity

76.

STREAMING AND FILTERING EVENT OBJECTS INTO A DATA LAKE

      
Application Number 17825083
Status Pending
Filing Date 2022-05-26
First Publication Date 2023-04-13
Owner Sophos Limited (United Kingdom)
Inventor
  • Thomas, Andrew J.
  • Vankadaru, Mangal Rakesh
  • Talreja, Prakash Kumar
  • Rayment, Timothy

Abstract

An asynchronous stream of security events is added to a data lake for enterprise security by identifying groups of related events related to a security threat, and creating rules to fold these related events into a single security event along with metadata. The folding rules may then be applied to security events in the event stream to compress data in the data lake and improve detection efficiency.

IPC Classes

77.

COMPOSITE THREAT SCORE

      
Application Number 17825098
Status Pending
Filing Date 2022-05-26
First Publication Date 2023-04-13
Owner Sophos Limited (United Kingdom)
Inventor
  • Thomas, Andrew J.
  • Vankadaru, Mangal Rakesh
  • Talreja, Prakash Kumar
  • Rayment, Timothy
  • Nair, Biju Balakrishnan

Abstract

A platform for threat investigation in an enterprise network receives threat data from managed endpoints, and is augmented with data from cloud computing platforms and other third-party resources. The resulting merged data set can be incrementally updated and used to automatically launch investigations at appropriate times.

IPC Classes

78.

INCREMENTAL ENRICHMENT OF THREAT DATA

      
Application Number 17825146
Status Pending
Filing Date 2022-05-26
First Publication Date 2023-04-13
Owner Sophos Limited (United Kingdom)
Inventor
  • Thomas, Andrew J.
  • Vankadaru, Mangal Rakesh
  • Talreja, Prakash Kumar
  • Rayment, Timothy
  • Nair, Biju Balakrishnan

Abstract

A threat management facility receives data from a variety of sources such as compute instances within an enterprise network, cloud service providers supporting the enterprise network, and third-party data providers such as geolocation services. In order to facilitate prompt notification of potential risks, the threat management facility may incrementally update data for use in threat assessments as the data becomes available from these different sources, and create suitable alerts or notifications whenever the currently accumulated data provides an indication of threat meeting a predetermined threshold.

IPC Classes

79.

PLATFORM FOR MANAGING THREAT DATA

      
Application Number 17825056
Status Pending
Filing Date 2022-05-26
First Publication Date 2023-04-13
Owner Sophos Limited (United Kingdom)
Inventor
  • Thomas, Andrew J.
  • Vankadaru, Mangal Rakesh
  • Talreja, Prakash Kumar
  • Rayment, Timothy
  • Nair, Biju Balakrishnan

Abstract

A platform for managing threat data integrates threat data from a variety of sources including internal threat data from instrumented compute instances associated with an enterprise network and threat data from one or more independent, external resources. Threat assessments are incrementally revised as this threat data is asynchronously received from various sources, and a threat intervention container is automatically created and presented to an investigator when a composite threat score for one or more of the compute instances meets a predetermined threshold.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

80.

AUGMENTED THREAT DETECTION USING AN ATTACK MATRIX AND DATA LAKE QUERIES

      
Application Number 17825070
Status Pending
Filing Date 2022-05-26
First Publication Date 2023-04-13
Owner Sophos Limited (United Kingdom)
Inventor
  • Thomas, Andrew J.
  • Vankadaru, Mangal Rakesh
  • Talreja, Prakash Kumar
  • Rayment, Timothy

Abstract

A threat management system stores an attack matrix characterizing tactics and techniques, and provides threat detection based on patterns of traversal of the attack matrix. Where the threat management system provides a data lake of security events and a query interface for using the data lake to investigate security issues, useful inferences may also be drawn by comparing query activity in the query interface with the patterns of traversal of the attack matrix, such as by using a malicious pattern of traversal to identify a concurrent chain of queries indicative of a threat, or by presenting separate threat scores to an analyst based on query activity and patterns of traversal.

IPC Classes

81.

SECURITY INTEGRATION FOR CLOUD SERVICES

      
Application Number 17825120
Status Pending
Filing Date 2022-05-26
First Publication Date 2023-04-13
Owner Sophos Limited (United Kingdom)
Inventor
  • Nair, Biju Balakrishnan
  • Vysocky, Jr., Brian Steven

Abstract

A threat management facility for an enterprise network integrates native threat management capabilities with threat data from a cloud service provider used by the enterprise. By properly authenticating to the cloud service and mapping data feeds from the cloud service to a native threat management environment, the threat management facility can extend threat detection and management capabilities beyond endpoint-centric techniques.

IPC Classes

82.

AUTOMATICALLY GENERATED INVESTIGATION CONTAINER

      
Application Number 17825135
Status Pending
Filing Date 2022-05-26
First Publication Date 2023-04-13
Owner Sophos Limited (United Kingdom)
Inventor
  • Griffin, Dennis Clay
  • Nair, Biju Balakrishnan

Abstract

A threat management facility calculates a composite threat score based on risk data from various sources, and automatically launches an investigation container for interactive threat investigation when the composite threat score meets a predetermined threshold.

IPC Classes

83.

Automatic Fuzz Testing Framework

      
Application Number 17491208
Status Pending
Filing Date 2021-09-30
First Publication Date 2023-03-30
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Karimibiuki, Mehdi
  • Paradis, Craig

Abstract

Various aspects related to methods, systems, and computer readable media for automatic fuzz testing. An example method of automatic software fuzz testing can include receiving a description of a target software application, determining, based on the description, a type of fuzzing, identifying one or more fuzzers based on the type of fuzzing, executing the one or more fuzzers on the target software application, extracting prioritized results of the executing of the one or more fuzzers, and presenting the prioritized results.

IPC Classes

  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
  • G06N 7/02 - Computing arrangements based on specific mathematical models using fuzzy logic
  • G06F 11/36 - Preventing errors by testing or debugging of software
  • G06F 16/2458 - Special types of queries, e.g. statistical queries, fuzzy queries or distributed queries
  • G06F 16/2457 - Query processing with adaptation to user needs
  • G06F 16/248 - Presentation of query results
  • G06F 16/28 - Databases characterised by their database models, e.g. relational or object models

84.

Access point registration in a network

      
Application Number 17994112
Grant Number 11765027
Status In Force
Filing Date 2022-11-25
First Publication Date 2023-03-23
Grant Date 2023-09-19
Owner Sophos Limited (United Kingdom)
Inventor
  • Biedermann, Balthasar
  • Bolte, Dirk
  • Huang, Ye

Abstract

Implementations generally relate to methods, systems, and computer readable media for providing automatic access point registration. In some implementations, a method includes receiving an indication of automatic device onboarding activation. The method further includes receiving a selection of one or more reference devices. The method further includes determining one or more detectable devices of the one or more candidate devices to be onboarded that are detectable by at least one of the one or more reference devices. The method further includes obtaining one or more automatic configuration parameters from one or more of the reference devices. The method further includes configuring one or more of the detectable devices to be onboarded with the one or more automatic configuration parameters.

IPC Classes

  • H04L 41/0806 - Configuration setting for initial configuration or provisioning, e.g. plug-and-play
  • H04L 41/0853 - Retrieval of network configuration; Tracking network configuration history by actively collecting configuration information or by backing up configuration information
  • H04L 41/08 - Configuration management of networks or network elements
  • H04W 12/06 - Authentication
  • H04W 60/00 - Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration
  • H04W 12/63 - Location-dependent; Proximity-dependent

85.

Gateway deployment for a zero trust environment

      
Application Number 17982332
Grant Number 11863582
Status In Force
Filing Date 2022-11-07
First Publication Date 2023-02-23
Grant Date 2024-01-02
Owner Sophos Limited (United Kingdom)
Inventor
  • Gupta, Prashil Rakeshkumar
  • Kaimal, Biju Ramachandra
  • Obulareddy, Venkata Suresh Reddy

Abstract

A virtualized gateway for applications in a zero trust network access environment is managed from a cloud-based threat management facility for an enterprise network. In order to facilitate creation of a new, centrally managed gateway, a one-time passcode for registration of the gateway to the threat management facility is encoded onto a virtual disk and distributed to a host platform along with a base gateway image for the gateway. This advantageously permits the new gateway to boot and securely register with the threat management facility without further administrative intervention.

IPC Classes

86.

Cloud management of connectivity for edge networking devices

      
Application Number 17971958
Grant Number 11888890
Status In Force
Filing Date 2022-10-24
First Publication Date 2023-02-16
Grant Date 2024-01-30
Owner Sophos Limited (United Kingdom)
Inventor
  • Maheve, Sanjeev Kumar
  • Kaimal, Biju Ramachandra
  • Obulareddy, Venkata Suresh Reddy
  • Patel, Neha Parshottam

Abstract

Certain edge networking devices such as application gateways may report status to a cloud-based threat management platform using a persistent network connection between the gateway and the cloud platform. Where a cloud computing platform for an edge networking device or the threat management platform imposes periodic timeouts, the threat management platform may monitor connects and disconnects for edge devices and asynchronously evaluate connection status of edge devices independently of a heartbeat or other signal through the persistent connection in order to distinguish periodic timeouts imposed by the cloud computing platform from networking devices that are compromised or malfunctioning.

IPC Classes

87.

REALTIME EVENT DETECTION

      
Application Number 17965075
Status Pending
Filing Date 2022-10-13
First Publication Date 2023-02-02
Owner Sophos Limited (United Kingdom)
Inventor Waghorn, William David

Abstract

An event handler implements a state machine or similar construct for processing of complex event chains as incremental events are detected. This approach advantageously limits processing to monitoring for and responding to a next event in a sequence of events, and supports complex event detection in a manner that scales efficiently in time and computation.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 9/54 - Interprogram communication
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

88.

Malware mitigation based on runtime memory allocation

      
Application Number 16681919
Grant Number 11550900
Status In Force
Filing Date 2019-11-13
First Publication Date 2023-01-10
Grant Date 2023-01-10
Owner Sophos Limited (United Kingdom)
Inventor
  • Engels, Lute Edwin
  • Loman, Mark Willem
  • Vermaning, Alexander
  • Loman, Erik Jan
  • Van Hillo, Victor Marinus Johann Simon

Abstract

A compute instance is instrumented to detect certain kernel memory allocation functions, in particular functions that allocate heap memory and/or make allocated memory executable. Dynamic shell code exploits can then be detected when code executing from heap memory allocates additional heap memory and makes that additional heap memory executable.

IPC Classes

  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 12/14 - Protection against unauthorised use of memory
  • G06F 9/50 - Allocation of resources, e.g. of the central processing unit [CPU]
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 12/02 - Addressing or allocation; Relocation
  • G06F 21/71 - Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
  • G06F 21/60 - Protecting data

89.

Point-controlled rogue AP avoidance + rogue AP detection using synchronized security

      
Application Number 17887680
Grant Number 11924643
Status In Force
Filing Date 2022-08-15
First Publication Date 2022-12-08
Grant Date 2024-03-05
Owner Sophos Limited (United Kingdom)
Inventor
  • Kaushik, Anil
  • Thomas, Andrew J.
  • Talati, Shail
  • Bolte, Dirk

Abstract

Methods, systems and computer readable media for rogue access point detection are described.

IPC Classes

  • H04W 12/122 - Counter-measures against attacks; Protection against rogue devices
  • H04W 64/00 - Locating users or terminals for network management purposes, e.g. mobility management
  • H04L 9/40 - Network security protocols
  • H04W 88/08 - Access point devices

90.

THREAT MANAGEMENT USING NETWORK TRAFFIC TO DETERMINE SECURITY STATES

      
Application Number 17546196
Status Pending
Filing Date 2021-12-09
First Publication Date 2022-12-01
Owner SOPHOS LIMITED (United Kingdom)
Inventor Jones, Craig Robert

Abstract

Various aspects related to methods, systems, and computer readable media for using network traffic to determine security states on an enterprise network. Network traffic may be monitored and scrutinized to identify potential security threats. The potential security threats may be ranked and presented to a network administrator for further examination of each endpoint, or, automatic remedial actions may be taken based on a security status score of each endpoint.

IPC Classes

91.

Interprocessor procedure calls

      
Application Number 17532178
Grant Number 11960944
Status In Force
Filing Date 2021-11-22
First Publication Date 2022-11-24
Grant Date 2024-04-16
Owner Sophos Limited (United Kingdom)
Inventor Van Der Merwe, Dirk Jacobus

Abstract

A firewall host uses a shared memory to pass arguments to, and receive results from, a remote procedure executing on a locally coupled network processing unit that offloads processing for the firewall.

IPC Classes

  • G06F 9/54 - Interprogram communication
  • G06F 9/48 - Program initiating; Program switching, e.g. by interrupt
  • G06F 13/16 - Handling requests for interconnection or transfer for access to memory bus
  • G06F 13/28 - Handling requests for interconnection or transfer for access to input/output bus using burst mode transfer, e.g. direct memory access, cycle steal
  • G06F 13/42 - Bus transfer protocol, e.g. handshake; Synchronisation
  • H04L 9/40 - Network security protocols

92.

Using reputation to avoid false malware detections

      
Application Number 17721614
Grant Number 11722516
Status In Force
Filing Date 2022-04-15
First Publication Date 2022-11-17
Grant Date 2023-08-08
Owner Sophos Limited (United Kingdom)
Inventor Thomas, Andrew J.

Abstract

A variety of techniques are disclosed for detection of advanced persistent threats and similar malware. In one aspect, the detection of certain network traffic at a gateway is used to trigger a query of an originating endpoint, which can use internal logs to identify a local process that is sourcing the network traffic. In another aspect, an endpoint is configured to periodically generate and transmit a secure heartbeat, so that an interruption of the heartbeat can be used to signal the possible presence of malware. In another aspect, other information such as local and global reputation information is used to provide context for more accurate malware detection.

IPC Classes

93.

MITIGATING THREATS ASSOCIATED WITH TAMPERING ATTEMPTS

      
Application Number 17308500
Status Pending
Filing Date 2021-05-05
First Publication Date 2022-11-10
Owner Sophos Limited (United Kingdom)
Inventor Cosgrove, Richard Paul

Abstract

An enterprise security system is improved by taking remedial actions responsive to detecting attempts at tampering with computing resources. When a tamper detection instrument detects an attempt at tampering, information about the attempt at tampering may be used to identify one or more candidate types of threats and/or candidate threats. One or more remedial actions associated with the threat or type of threat can be identified and applied in the enterprise network environment.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

94.

METHODS AND APPARATUS FOR USING MACHINE LEARNING TO CLASSIFY MALICIOUS INFRASTRUCTURE

      
Application Number 17239128
Status Pending
Filing Date 2021-04-23
First Publication Date 2022-11-03
Owner Sophos Limited (United Kingdom)
Inventor
  • Vörös, Tamás
  • Harang, Richard
  • Saxe, Joshua Daniel

Abstract

Embodiments disclosed include methods and apparatus for detecting a reputation of infrastructure associated with potentially malicious content. In some embodiments, an apparatus includes a memory and a processor. The processor is configured to identify an Internet Protocol (IP) address associated with potentially malicious content and define each row of a matrix by applying a different subnet mask from a plurality of subnet masks to a binary representation of the IP address to define that row of the matrix. The processor is further configured to provide the matrix as an input to a machine learning model, and receive, from the machine learning model, a score associated with a maliciousness of the IP address.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06N 3/04 - Architecture, e.g. interconnection topology

95.

FIREWALL OFFLOADING

      
Application Number 17532128
Status Pending
Filing Date 2021-11-22
First Publication Date 2022-10-20
Owner Sophos Limited (United Kingdom)
Inventor
  • Gol, Tayfun
  • Telfer, Christopher Adam
  • Leshem, Gad

Abstract

A firewall system provides two network paths for network flows: one path through a firewall on a host device and another path through an alternative hardware or software system that handles network flows that have been analyzed and allowed by the firewall. The firewall system can then transfer network flows between the two paths according to the status of each network flow.

IPC Classes

  • H04L 101/622 - Layer-2 addresses, e.g. medium access control [MAC] addresses

96.

Encrypted cache protection

      
Application Number 17467733
Grant Number 11929992
Status In Force
Filing Date 2021-09-07
First Publication Date 2022-10-06
Grant Date 2024-03-12
Owner Sophos Limited (United Kingdom)
Inventor
  • Loman, Mark Willem
  • Engels, Lute Edwin
  • Tijink, Ronny Henk Gert
  • Van Hillo, Victor Marinus Johann Simon
  • Vermaning, Alexander
  • Harmsen, Jeroen

Abstract

Secrets such as secure session cookies for a web browser can be protected on a compute instance with multiple layers of encryption, such as by encrypting key material that in turn controls cryptographic access to the secret. A compute instance can be instrumented to detect when a process attempts to decrypt this key material so that the process requesting decryption can be compared to authorized or legitimate users of the secret.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 9/40 - Network security protocols

97.

System and method for providing and managing security rules and policies

      
Application Number 17216271
Grant Number 11683350
Status In Force
Filing Date 2021-03-29
First Publication Date 2022-09-29
Grant Date 2023-06-20
Owner Sophos Limited (United Kingdom)
Inventor
  • Talati, Shail
  • Stutz, Daniel
  • Bolte, Dirk

Abstract

Methods, systems, and computer readable media for providing and managing security rules and policies are described. In some implementations, a method may include receiving, at a crowdsourcing security policy server, a security policy from a first user account, and providing a crowdsourced security policy user interface including a section corresponding to the security policy configured to make the security policy available for use by other user accounts. The method may also include receiving from one or more of the other user accounts, a security policy rating corresponding to the security policy, and receiving, from one or more of the other user accounts, a user account rating corresponding to the first user account.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 9/40 - Network security protocols

98.

System and Method for Providing and Managing Security Rules and Policies

      
Application Number 17216391
Status Pending
Filing Date 2021-03-29
First Publication Date 2022-09-29
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Talati, Shail
  • Stutz, Daniel
  • Bolte, Dirk

Abstract

Methods, systems, and computer readable media for providing and managing security rules and policies are described. In some implementations, a method may include receiving network information corresponding to a first network, and programmatically analyzing the network information. The method may also include programmatically determining one or more security policies from a library of security policies, the programmatically determining based on a result of programmatically analyzing the network information. The method may further include providing a recommendation to a user, wherein the recommendation includes at least one of the one or more security policies.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

99.

MANAGING ADMISSION OF UNRECOGNIZED DEVICES ONTO AN ENTERPRISE NETWORK

      
Application Number 17721714
Status Pending
Filing Date 2022-04-15
First Publication Date 2022-09-08
Owner Sophos Limited (United Kingdom)
Inventor
  • Shaw, John Edward Tyrone
  • Mckerchar, Ross
  • Grimm, Moritz Daniel
  • Weber, Jan Karl Heinrich
  • Talati, Shail R.
  • Ray, Kenneth D.
  • Thomas, Andrew J.

Abstract

A threat management facility detects a device on an enterprise network and determines whether the device is one of a set of managed devices for the enterprise network. When the device is not one of the set of managed devices, the threat management facility may selectively direct the device to a portal that provides support to the user of the device while the device awaits admission to the enterprise network. As the user interacts with the portal, the portal may manage admission of unrecognized devices onto the enterprise network while making efficient use of network administrator resources.

IPC Classes

100.

Cloud management of connectivity for edge networking devices

      
Application Number 17212550
Grant Number 11483336
Status In Force
Filing Date 2021-03-25
First Publication Date 2022-08-25
Grant Date 2022-10-25
Owner Sophos Limited (United Kingdom)
Inventor
  • Maheve, Sanjeev Kumar
  • Kaimal, Biju Ramachandra
  • Obulareddy, Venkata Suresh Reddy
  • Patel, Neha Parshottam

Abstract

Certain edge networking devices such as application gateways may report status to a cloud-based threat management platform using a persistent network connection between the gateway and the cloud platform. Where a cloud computing platform for an edge networking device or the threat management platform imposes periodic timeouts, the threat management platform may monitor connects and disconnects for edge devices and asynchronously evaluate connection status of edge devices independently of a heartbeat or other signal through the persistent connection in order to distinguish periodic timeouts imposed by the cloud computing platform from networking devices that are compromised or malfunctioning.

IPC Classes
