H04L 41/5009 - Determining service level performance parameters or violations of service level contracts, e.g. violations of agreed response time or mean time between failures [MTBF]
H04L 41/5003 - Managing SLA; Interaction between SLA and QoS
H04L 43/00 - Arrangements for monitoring or testing data switching networks
2.
SYSTEMS AND METHODS FOR USING A NETWORK ACCESS DEVICE TO SECURE A NETWORK PRIOR TO REQUESTING ACCESS TO THE NETWORK BY THE NETWORK ACCESS DEVICE
Various approaches for securing networks against access from off-network devices. In some cases, embodiments discussed relate to systems and methods for identifying potential threats included in a remote network by a network access device prior to requesting access to a known secure network via the remote network.
Dynamic thresholds are derived for each connection phase, using machine learning (e.g., K-means clustering) for an enterprise network. A time interval can be tracked between samples of collected data packets for each phase of connections, including the association phase, the authentication phase and the DHCP phase of connecting. A specific dynamic threshold for one of the connection phases is detected as out-of-range. Responsive to the out-of-range detection, network issues corresponding to the phase of the specific dynamic threshold are checked and automatically remediated.
To activate side nodes, a traversal node is partitioned into deeper traversal nodes and leaf nodes. A limit is set on the number of leaf node policies. Each traversal node above the limit is cut into a deeper level with a new traversal node. Each traversal node at or below the limit is converted to a leaf node populated with a list of policies within the limit. Once a leaf node is reached during policy tree searching mode, the policy set corresponding to the leaf node is linearly searched to select a policy, and the selected policy is applied to the data packet.
Scan mode is configured in an access point to monitor WLAN conditions. A channel list is progressively scanned using full capabilities available from MIMO transceivers. During a hop period, each MIMO transceiver is configured to a first set of channels from the channel list within an RF band. During a dwell period, an RF analysis is performed for the set of channels to identify conditions on the WLAN.
Responsive to receiving uplink traffic from a specific edge client on the edge client table, in-service monitoring for frame retries and collisions associated with the specific edge client is performed. Responsive to detecting that a rate of frame retries and collisions exceed a threshold, a BSS color change announcement frame is transmitted to the specific edge client comprising a second color. The BSS color change announcement directs the specific edge client to contend for medium access based on preambles observed from a specific overlapping BSS associated with the second BSS color rather than its home BSS. The default color can be restored after the uplink.
During authentication of an SDWAN tunnel, Intent ISAKMP packets authenticate the local SDWAN controller and the remote SDWAN controller with each other, wherein the ISAKMP packets include a notify payload. Configured link costs associated with at least two member paths at the remote SDWAN controller that have heterogeneous physical attributes from the notify payload of the ISAKMP packets are retrieved. The configured link-cost of the at least two member paths is reflective of link physical attributes. One of the at least two member paths is identified based on a lowest link-cost between the at least two member paths, for steering SDWAN network traffic.
Systems and methods for remote monitoring of a Security Operations Center (SOC) via a mobile application are provided. According to one embodiment, a management service retrieves information regarding multiple network elements that are associated with an enterprise network and extracts parameters of the monitored network elements from the retrieved information. The management service prioritizes the monitored network elements by determining a severity level associated with security-related issues of the network elements and generates various monitoring views that summarize in real time various categories of potential security-related issues detected by the SOC. Further, the management service assigns a priority to each monitoring view and displays a video on the display device that cycles through monitoring views in accordance with their respective assigned priorities.
Flow pair values are identified from flow pairs of labeled devices as candidates by comparing individual flows of the unknown device that surpass a candidate threshold by generating a difference flow matrix from the individual flows of the unknown device and the labeled device. Known devices can be identified as device candidates from a sum of flow pair values for each candidate device in relation to the unknown device. A device type can be retrieved for each candidate device, and one of the device types can be selected based on at least a closeness or a frequency of each device type to the unknown device.
A baseline multicast traffic is derived for an SSID from the network traffic statistics using unsupervised machine learning. Responsive to detecting a deterioration in the real-time network traffic statistics for the SSID in relation to the baseline throughput and the baseline multicast traffic, the multicast data rate can be adjusted to match the lowest unicast data rate for the SSID.
A panic button is configured and disposed outside a network gateway, which manages integrated OT network devices and IT devices, for access by a user. Responsive to physical activation of the panic button, a two-factor MFA step authorizes the action with an authorized user. Upon authorization, the OT network devices are quarantined from the IT network devices to prevent malicious actions.
Responsive to the request for a security fabric report, an upper-level node transmits a request to a lower-level node for a subtree security report. If there are additional network gateways at lower hierarchical levels, the next level down repeats the process. A root level network gateway will transmit the first request, as the highest level of the hierarchy, and a last leaf receives the last request, as the lowest level. An overall security fabric report is returned from the root node.
Systems and methods for intent-based orchestration of independent automations are provided. Examples described herein alleviate the complexities and technical challenges associated with deploying, provisioning, configuring, and managing configurable endpoints, including network devices, network security systems, cloud-based security services (e.g., provided by or representing a Secure Access Service Edge (SASE) platform), and other infrastructure, on behalf of numerous customers (or tenants). For example, customer intent may be automatically translated into concrete jobs and tasks that operate to make changes to one or more of the configurable endpoints so as to insulate the user from being required to know which configurable endpoint(s) need(s) to change, which vendor supports a given configurable endpoint, and/or vendor specific issues involved in changing the configurable endpoints.
Various approaches for multi-node network cluster systems and methods. In some cases systems and methods for incident detection and/or recovery in multi-node processors are discussed.
H04L 41/0668 - Management of faults, events, alarms or notifications using network fault recovery by dynamic selection of recovery network elements, e.g. replacement by the most appropriate element after failure
H04L 41/0663 - Performing the actions predefined by failover planning, e.g. switching to standby network elements
17.
DETECTING MALICIOUS BEHAVIOR IN A NETWORK USING SECURITY ANALYTICS BY ANALYZING PROCESS INTERACTION RATIOS
Systems and methods for detecting malicious behavior in a network by analyzing process interaction ratios (PIRs) are provided. According to one embodiment, information regarding historical process activity is maintained. The historical process activity includes information regarding various processes hosted by computing devices of a private network. Information regarding process activity within the private network is received for a current observation period. For each process, for each testing time period of a number of testing time periods within the current observation period, a PIR is determined based on (i) a number of unique computing devices that hosted the process and (ii) a number of unique users that executed the process. A particular process is identified as potentially malicious when a measure of deviation of the PIR of the particular process from a historical PIR mean of the particular process exceeds a pre-defined or configurable threshold during a testing time period.
Various embodiments provide systems and methods for automatically defining and enforcing network sessions based upon at least four dimensions of segmentation.
A change on a chat client, such as one or more edits or retractions, is characterized relative to an original chat string and uploaded to a chat server for storage. The chat server combines the message change with at least a second change to the specific chat string uploaded from a different chat client. Responsive to a regeneration of the chat string on the chat client, the chat daemon downloads the combined message change from the chat server. The edits and retractions originating from the chat client and the edits and retractions originating from the second chat client are downloaded and applied to the specific chat string for display in the chat client.
Systems, devices, and methods are discussed for forward testing rule sets at a granularity that is less than all activity on the network. In some cases, the granularity is that of an individual application.
H04L 41/12 - Discovery or management of network topologies
H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]
A probe request sent from a Wi-Fi 6E wireless client to the legacy access point is received by a Wi-Fi controller. To process the probe request, a Wi-Fi 6E access point proximate to the Wi-Fi 6E wireless client is selected for service from the plurality of access points. Reduced Neighbor Report (RNR) information is collected about the Wi-Fi 6E access point. The RNR information is transmitted to the legacy access point, and the legacy access point forwards the RNR information to the Wi-Fi 6E wireless client as part of a probe response sent responsive to the probe request. A subsequent probe request is detected, sent from the Wi-Fi 6E wireless client to initiate association with the Wi-Fi 6E access point using the RNR information.
A capture group of access points formed from the plurality of access points dedicates at least one radio from each of the access points to capturing data packets. Captured data packets are received by wireless transmission from each access point of the capture group. The access points of the capture group are preferably geographically dispersed to increase capture range. The captured data packets are analyzed to identify a set of multiuser data packets. To do so, the set of multiuser data packets is checked against a set of rules for multiuser data packets to troubleshoot wireless network issues.
A debug engine receives a capture file over the network interface and initiates playback by executing the capture file with the processor. The capture file comprises real-time local network environment video synchronized with data captured by a local browser at a local station interacting with a local network gateway device over a local network. The capture file is played back using a mock server, including transmitting HTTP requests from the capture file at the developer station to the mock gateway server. Additionally, HTTP responses from the capture file are received at the mock gateway server, in sync with actions in the real-time local network environment video. A GUI engine renders a GUI on the developer computer from real-time GUI code generated from the capture file playback as modified by processing the HTTP responses.
A firewall processing card from a plurality of firewall processing cards coupled to a chassis is selected by a load balancing engine (or other mechanism) and receives the data packet over the fabric channel. First, if a session match exists for management-type data packets, the data packet is returned to the I/O board, and if a match exists for user data packets, the data packet is sent to a firewall service of the firewall processing card. If no session match exists, the firewall processing card checks for a policy match to the data packet for creating a new session or drops the data packet. The I/O board receives the data packet returned from the processing blade over the base channel and checks for a session matching the data packet. If a session match exists and the data packet is a management data packet, the data packet is sent to a management service at a user level of the I/O board; if it is not a management data packet, the data packet is dropped. If no session match exists, the I/O board creates a new session or drops the data packet.
Systems, devices, and methods are discussed for treating a number of network security devices in a cooperative security fabric using a cloud based root.
An unauthorized access point is identified during a periodic scan of the wireless network, a MAC address for the unauthorized access point is stored, and the access point is monitored for connection attempts. The unauthorized access point, due to having a hidden SSID, is monitored by the MAC address for data packets sent and received. At least one client associated to the unauthorized access point is identified from the data packets by MAC address. The at least one client is monitored, by the MAC address, for a probe request sent to the unauthorized access point. Responsive to detecting the probe request, an SSID of the unauthorized access point is parsed. A security action is taken on the unauthorized access point using the SSID.
Systems, devices, and methods are discussed for treating a number of network security devices in a cooperative security fabric as a unified object for configuration purposes.
Failures in authentication credentials from a user are detected prior to presentation of successful credentials. Responsive to the authentication credentials failure, a check is made for a new geo-location of the user. Responsive to a new location detection, expiration of a verification link is detected. Responsive to failure of the link verification, a failure of a token OTP verification is detected. Access is granted responsive to successful verification. Access can be granted to a digital asset or a physical asset.
A substrate for the SoC includes one or more OTP modules within the substrate comprising memory that can only be programmed once. A BIOS module loads a special BIOS into flash memory in place of a normal BIOS prior to a reboot of the OTP hardware module. The special BIOS is programmed to identify a status bit to burn corresponding to a revoked key. A first key register is stored in the OTP module and comprises a plurality of status bits. Each status bit maps to an individual key of the plurality of OTP keys. A key burn module burns a status bit on the key register corresponding to the special BIOS after the reboot. The BIOS module reloads the normal BIOS into the flash memory in place of the special BIOS prior to a second reboot. The normal BIOS runs after the second reboot.
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
A new container of a pool of containers is spawned in the operating system of the embedded networking device to execute a firewall separate from an operating system of a host device. Each of the containers is generated by a separate toolchain to include custom runtime libraries. The firewall utilizes the custom libraries rather than the host libraries, and user privileges within a container are different from user privileges for the host. The new container executes a firewall instance to inspect data packets processed by the embedded networking device.
An anomalous behavior is detected at an AI server device based on data communications managed by the wireless controller. In response to the detected behavior, a robot module can be deployed to a location of the anomalous behavior for testing. Once at the location, logs can be collected from testing or troubleshooting at the location and involving a remote access point proximate to the anomalous behavior (e.g., sniff and capture at specific channel or multiple channels in real-time). Solutions are generated from AI analysis concerning the anomalous behavior and priority level, including at least one automatically implemented solution to self-remediate the wireless network.
When a "data packet too big" frame is received from the access point, fragmentation is activated at the station. The "data packet too big" frame is responsive to a data packet being sent from the station to the access point and then being rejected as too big when sent from the access point to a network device, due to the data packet being too large for processing by the network device. The fragmentation activated at the station is configured based on a maximum data packet size allowed by the network device.
In identification training, a database of known devices is used to identify unlabeled clusters from statistics concerning parameters, vendors and hostnames of the known devices. Relevant clusters of type, brand and model are identified from the unlabeled clusters using a threshold, and the relevant clusters are labeled with a key including type, brand and model of the labeled clusters. In real-time identification, upon a real-time connection of a new device, the type, brand and model of the new device are determined using the parameters, vendors and hostnames and compared against the keys to identify the new device.
Responsive to an OTP device not being enabled for an SoC, the RAMBOOT bootup authenticated by the key or key hash of an OTP is precluded, and a determination is made whether the RAMBOOT bootup has been authenticated by the key or key hash on the virtual OTP. Responsive to not being authenticated, authentication of the RAMBOOT bootup is initiated. Responsive to being authenticated, enablement of the OTP device is initiated by burning an enable bit. Content of the virtual OTP is verified. The verified content can then be transferred from the virtual OTP to the OTP hardware module. Finally, authenticated RAMBOOT bootup is enabled from the OTP hardware module using the verified content prior to enablement of the OTP hardware module. ROMBOOT is read-only.
G06F 21/79 - Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data in semiconductor storage media, e.g. directly-addressable memories
G06F 21/72 - Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in cryptographic circuits
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
An exploit probability value is calculated for each of the plurality of signatures learned from a history of exploits against attributes. The exploit probability value represents a likelihood of a particular signature exploiting one or more attributes of the private network. The exploit probability value is sorted or ranked to prioritize which exploit signatures have the highest probability of occurrence. Only a predetermined number of selected exploit signatures with the highest probabilities are scanned in real-time for signature matching.
A processing blade is assigned from the plurality of processing blades to a session of data packets. The load balancing engine manages a session table and an IPsec routing table by updating the session table with a particular security engine card assigned to the session and by updating the IPsec routing table for storing a remote IP address for a particular session. Outbound raw data packets of a particular session are parsed for matching cleartext tuple information prior to IPsec encryption, and inbound encrypted data packets of the particular session are parsed for matching cipher tuple information prior to IPsec decryption. Inbound data packets assigned to the processing blade from the session table are parsed and forwarded to the station.
H04L 47/125 - Avoiding congestion; Recovering from congestion by balancing the load, e.g. traffic engineering
42.
SYSTEM & METHODS FOR REDUCING DELAY IN BSS FAST TRANSITIONS BETWEEN ACCESS POINTS ON WI-FI WIRELESS NETWORKS USING OPPORTUNISTIC KEY GENERATION TO PREVENT KEY FAILURE
A station initiates a fast BSS transition from the source access point to the target access point. The target access point detects a failure by the Wi-Fi controller to retrieve a PMK-R0 key for a requested PMKR0Name. The PMKR0Name is parsed from an authentication request of the station. The failure can result in requiring a fresh BSS connection by the station. Responsive to the failure detection, a PMK-R0 key is generated in cooperation with the Wi-Fi controller, to prevent requiring the fresh BSS connection. The PMK-R0 key further helps to support fast transition between access points.
Systems, devices, and methods are discussed for identifying security policies applicable to a received information packet based upon a dual bitmap scheme accounting for bit position mergers and/or policies common to multiple bit positions.
H04L 41/5009 - Determining service level performance parameters or violations of service level contracts, e.g. violations of agreed response time or mean time between failures [MTBF]
H04L 41/5003 - Managing SLA; Interaction between SLA and QoS
H04L 43/00 - Arrangements for monitoring or testing data switching networks
45.
SYSTEMS AND METHODS FOR SECURITY POLICY ORGANIZATION USING A DUAL BITMAP
Systems, devices, and methods are discussed for classifying a number of security policies in relation to criteria for applying those security policies to yield a dual bitmap scheme representing a correlation between security policies and one or more criteria.
The present invention relates to a method for managing IoT devices by a security fabric. A method is provided for managing IoT devices that comprises: collecting, by an analyzing tier, data of Internet of Things (IoT) devices from a plurality of data sources; abstracting, by the analyzing tier, profiled element baselines (PEBs) of IoT devices from the data, wherein each PEB includes characteristics of IoT devices; retrieving, by an executing tier, the PEBs from the analyzing tier, wherein the executing tier is configured to control network traffic of IoT devices of a private network; generating, by the executing tier, security policies for IoT devices from PEBs of the IoT devices; and controlling, by the executing tier, network traffic of the IoT devices of the private network to comply with the security policies.
H04L 67/12 - Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
Systems, devices, and methods are discussed for leveraging SD-WAN's property of redundant independent paths to enable out of band key exchange using the collection of available paths, dynamically managing link failures to keep the separation whenever possible, and/or signaling availability of quantum-safe data transfer to SD-WAN to enable quantum-safety to be used in SD-WAN policy decisions.
During high-speed network policy searching for data packets, an upper limit and a lower limit for a policy count are predefined for a ratio of the policy count to the sum of the policy count and the range count. A policy tree builder generates a policy tree image from a set of recursive operations on the raw policy set including an on-the-fly determination of whether a specific node is a leaf based on a leaf policy count limit, wherein for a selected dimension, the specific node is converted to the leaf if the policy count does not exceed the leaf policy count limit and the range count for the selected dimension does not exceed a product of the leaf policy count limit and a range count limit coefficient, and otherwise the specific node is converted to two or more child nodes. A network processor configures at least one set of registers, at least one set of tables, and at least one sequence of instructions according to the policy tree image.
In one embodiment, a similarity index is calculated from characteristics of a suspected phishing web page to a database of known phishing web pages. The characteristics derive from both HTML tags of the suspected phishing web page and a screenshot of the suspected phishing web page. With machine learning using the similarity index as an input, a probability is estimated that the suspected web page comprises a known phishing web page from the database of known phishing web pages. A known phishing web page is selected from one or more candidate known phishing web pages, based on having the highest probability.
ML (machine learning) training logs are parsed to generate a set of heterogeneous graphs having embedded nodes connected with edges determined by link prediction and denoting a hierarchical relationship between nodes. Each graph represents benign behavior from executing one of the files of a training database in the sandbox, wherein the nodes are embedded in the graph using a GCN (graph convolution network) to calculate a real-valued vector with fixed dimension. A runtime module receives an untagged file in real time for analysis from a network component and generates a graph of runtime behavior from sandboxing of the suspicious file for comparison against the training graphs.
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
An initial provisioning by a management plane of the SD-WAN is received from a centralized SD-WAN gateway with a static path overlay between the network edge device on a local LAN and the centralized SD-WAN gateway. At runtime, intelligent decisions are made over a control plane of the SD-WAN about which overlay path to select for the new flow, and when, based on the topology of the remote network edge and the local SDWAN policy, and the selected overlay path is built.
H04L 41/0806 - Configuration setting for initial configuration or provisioning, e.g. plug-and-play
H04L 41/12 - Discovery or management of network topologies
H04L 45/64 - Routing or path finding of packets in data switching networks using an overlay routing layer
53.
FILE SHARING FRAMEWORK IN NETWORK SECURITY SYSTEMS TO SYNCHRONIZE DATA AND CONFIGURATION FILES ACROSS VIRTUAL MACHINE CLUSTERS INDEPENDENT OF FILE SHARING TECHNOLOGIES
A source node from the cluster of nodes, responsive to receiving the file sharing command from other applications on the same node (e.g., on a virtual machine in the cluster of nodes), copies the shared file to a source workspace directory, compresses it, and then copies the compressed file to the file sync database. The command comprises a configuration template with file retrieval information. A target node from the cluster of nodes listens for commands from other nodes in the cluster of nodes. Responsive to receiving the file sharing command, the compressed file is copied from the file sync database to a target workspace directory and decompressed, and the shared file is then copied to the node.
Each of the plurality of network assets on the private network is identified and categorized according to a CPE for storage in a device inventory database, and an asset profile is generated for each of the plurality of network assets. Attacks on the plurality of assets related to each of the identified CPEs are identified and monitored according to a CVE (common vulnerabilities and exposures) format, and it is determined whether the CVE is relevant against the asset profile. Responsive to detecting a relevant CVE notification including a CVE-id, the impact on one or more network assets affected by the CVE is determined based on the asset profiles. The impact is either low impact, high impact and blocked, or high impact and unblocked.
Redundant upstream mesh links are formed with a gateway access point for each of the radio capabilities. A resource load is measured across each of the redundant upstream mesh links. During runtime, a packet is received for upstream (or downstream) transmission from a specific client from the plurality of clients. An upstream link is selected for transmission of the packet from the redundant upstream mesh links for transmission of the packet and packets of the packet session, based on a highest link quality available from the plurality of mesh links according to the resource load measurement.
Responsive to matching a site prefix to IPv6 network traffic from clients, the traffic is classified as intended, and responsive to not matching the site prefix, the corresponding traffic is classified as unintended. Based on an initial rate of packet occurrence, the load caused by intended traffic and the load caused by unintended traffic are predicted. The predicted traffic loads are fed back by configuring behavior of network modules according to the predictions of intended traffic load and unintended traffic load. Packet processing traffic at the network modules is based on traffic classification from the outcome of the AI-neuron.
Various embodiments discussed generally relate to network security, and more particularly to systems and methods for using biometric data to enhance security in network access authorization.
Systems and methods for improving security event classification by leveraging user-behavior analytics are provided. According to an embodiment, a UEBA-based security event classification service of a cloud-based security platform maintains information regarding historical user behavior of various users of an enterprise network. An endpoint protection platform running on an endpoint device that is part of the enterprise network performs an initial classification of the event, based on which the endpoint protection platform blocks activity by the process. The endpoint protection platform requests input from the cloud-based security platform, which causes the cloud-based security platform to perform a reclassification of the event based on contextual information, multiple data feeds and the UEBA-based security event classification service. Based on the reclassification of the event, the cloud-based security platform causes the endpoint protection platform to allow the process to proceed by providing the resulting security event classification to the endpoint protection platform.
Various embodiments discussed generally relate to securing applications that work across networks, and more particularly to systems and methods for mitigating malicious behavior integrated within an application that directly calls a separate cloud based malicious behavior mitigation system.
G06F 21/54 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by adding security routines or objects to programs
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
61.
ADJUSTING BEHAVIOR OF AN ENDPOINT SECURITY AGENT BASED ON NETWORK LOCATION
Systems and methods for adjusting the behavior of an endpoint security agent based on network location are provided. According to an embodiment, an agent of an endpoint device determines whether a security service of a cloud-based security service is unreachable or unresponsive. The security service is associated with a particular security function implemented by the agent. When the security service is unreachable or unresponsive, the agent further determines whether the endpoint device is within one of multiple trusted networks previously registered with the cloud-based security service, by querying a trusted network determination service associated with the cloud-based security service. When the determination is affirmative, the particular security function is configured for operating inside a trusted network; when it is negative, the function is configured for operating outside a trusted network.
Systems and methods for detecting access points proximate to a mobile computing device to facilitate wireless network troubleshooting and management of the access points are provided. According to an embodiment, a mobile application, running on a mobile device that is operating within a physical environment, discovers a subset of wireless access points (APs) of various managed APs of a private network that are proximate to the mobile device by receiving short-range beacons originated by the subset of APs. The mobile application presents a list of the subset of APs within a user interface of the mobile application and bridges the physical environment and a network environment containing information regarding the private network. The mobile application facilitates management of a particular AP of the subset of APs by presenting configuration information or operating information for the particular AP within the user interface.
H04L 41/12 - Discovery or management of network topologies
H04W 4/80 - Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication
H04B 17/27 - Monitoring; Testing of receivers for locating or positioning the transmitter
H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]
63.
Machine-learning based approach for dynamically generating incident-specific playbooks for a security orchestration, automation and response (SOAR) platform
Systems and methods for a machine-learning based approach for dynamically generating incident-specific playbooks for a security orchestration, automation and response (SOAR) platform are provided. The SOAR platform captures information regarding the execution of a sequence of actions performed by analysts in response to a first incident of a first type. The captured information is fed into a machine-learning model. When a second incident observed by the SOAR platform is similar in nature to the first incident or to the first type, a recommended sequence of actions is generated from the machine-learning model for use by an analyst in responding to the second incident. If the analyst rejects the recommended sequence, it is revised based on input provided by the analyst, and the revised sequence is stored as a revised playbook for responding to subsequent incidents similar to the second incident.
Systems, devices, and methods are discussed that provide for discovering protected data from a code. Such detection provides an ability to discover potentially malicious code and/or datasets obfuscated within a code prior to full execution of the code.
An access point has a housing with at least one connector for at least one external antenna and at least one connector for at least one internal antenna. An RF controller detects whether the at least one external antenna is connected to the at least one connector for the at least one external antenna when an open circuit is closed. Responsive to detecting that the at least one external antenna is connected, a first mode in which the at least one internal antenna supports RF capabilities switches to a second mode wherein the at least one external antenna supports RF capabilities.
Systems, devices, and methods are discussed that provide for discovering protected data from a code. Such detection provides an ability to discover potentially malicious code and/or datasets obfuscated within a code prior to full execution of the code.
Systems, devices, and methods are discussed that provide for discovering protected data from a code. Such detection provides an ability to discover potentially malicious code and/or datasets obfuscated within a code prior to full execution of the code.
A health check is generated for at least two member paths between a local SDWAN controller and a remote SDWAN controller, with a set of health check probe packets transmitted by the network interface to the remote SDWAN controller. A link cost is determined for each member path from the set of health check response packets received by the network interface. SDWAN network traffic is prioritized across the member paths between the local and remote SDWAN controllers based at least in part on the link cost.
A file is received from outside the gateway device and, prior to runtime, the received file is detected as being compressed. Also before runtime, the compression type of the received file is differentiated as packed, protected and/or archived, and identification of the specific packer, protector or archiver corresponding to the compression type is attempted. Responsive to successful identification, the received file is decompressed and a static type of malware analysis is selected for it. Responsive to unsuccessful identification, decompression of the received file is attempted with a general unpacker, unprotector or unarchiver, and responsive to successful decompression the static type of malware analysis is selected. Responsive to unsuccessful decompression, a dynamic type of malware analysis is selected for the received file.
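Added example, not the patent's code: a Python pre-runtime triage that follows the decision sequence above. The signature table, the entropy cut-off, and the treatment of the "UPX!" string as a packer marker are this example's assumptions; no UPX unpacker is bundled, which is exactly the case where the general unpacker is tried and, failing that, dynamic analysis is selected.

```python
import bz2
import gzip
import hashlib
import io
import lzma
import math
import zipfile
import zlib
from collections import Counter

# Assumed signature tables for the example (not the patent's own lists).
ARCHIVE_MAGIC = [
    (b"PK\x03\x04", "zip"),
    (b"\x1f\x8b", "gzip"),
    (b"BZh", "bzip2"),
    (b"\xfd7zXZ\x00", "xz"),
]
PACKER_MARKERS = [
    (b"UPX!", "upx"),   # marker string UPX leaves inside a packed executable
]
HIGH_ENTROPY = 7.0      # bits/byte; assumed cut-off for "looks compressed"


def entropy(data):
    """Shannon entropy in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def identify(data):
    """Differentiate the compression type and try to name the specific tool.
    Returns (kind, name): kind is 'archived', 'packed', 'protected' or None
    (not compressed); name is None when no specific tool is recognised."""
    for magic, name in ARCHIVE_MAGIC:
        if data.startswith(magic):
            return "archived", name
    for marker, name in PACKER_MARKERS:
        if marker in data:
            return "packed", name
    if entropy(data) > HIGH_ENTROPY:
        # High-entropy executable with no known marker: assume an unknown
        # protector; any other high-entropy blob: assume an unknown packer.
        return ("protected" if data.startswith(b"MZ") else "packed"), None
    return None, None


def decompress_specific(data, name):
    """Decompressor for a recognised archiver. A packer such as UPX would need
    its own unpacker; none is bundled here, so those names return None."""
    try:
        if name == "gzip":
            return gzip.decompress(data)
        if name == "bzip2":
            return bz2.decompress(data)
        if name == "xz":
            return lzma.decompress(data, format=lzma.FORMAT_XZ)
        if name == "zip":
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return zf.read(zf.namelist()[0])   # first member only, for brevity
    except (OSError, EOFError, IndexError, lzma.LZMAError, zipfile.BadZipFile):
        return None
    return None


def decompress_general(data):
    """The 'general unpacker' step: try each generic decompressor in turn."""
    attempts = (
        gzip.decompress,
        bz2.decompress,
        lambda d: lzma.decompress(d, format=lzma.FORMAT_XZ),
        zlib.decompress,
    )
    for attempt in attempts:
        try:
            out = attempt(data)
        except Exception:      # each library raises its own error type
            continue
        if out:
            return out
    return None


def select_analysis(data):
    """Returns ('static', decompressed_bytes) or ('dynamic', None)."""
    kind, name = identify(data)
    if kind is None:
        return "static", data                  # plain file: analyse as-is
    if name is not None:
        out = decompress_specific(data, name)
        if out is not None:
            return "static", out
    out = decompress_general(data)
    if out is not None:
        return "static", out
    return "dynamic", None                     # could not unpack: detonate it instead


def pseudo_random(n, seed):
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for packed code."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed samples (not real files).
PAYLOAD = b"MZ" + b"\x90" * 64 + b"This program cannot be run in DOS mode." + b"\x00" * 200
GZIP_SAMPLE = gzip.compress(PAYLOAD)
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w", zipfile.ZIP_DEFLATED) as _zf:
    _zf.writestr("tool.exe", PAYLOAD)
ZIP_SAMPLE = _buf.getvalue()
UPX_SAMPLE = b"MZ" + pseudo_random(4096, b"upx") + b"UPX!"
PROTECTED_SAMPLE = b"MZ" + pseudo_random(4096, b"protected")
PLAIN_SAMPLE = b"#!/bin/sh\necho hello\n"
```

The xz path is pinned to `FORMAT_XZ` so the general step only accepts a stream with a real container header; the legacy `.lzma` format has no magic and would otherwise be tried against arbitrary bytes.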
Systems and methods for adaptively provisioning a distributed event data store of a multi-tenant architecture are provided. According to one embodiment, a managed security service provider (MSSP) maintains a distributed event data store on behalf of each tenant of the MSSP. For each tenant, the MSSP periodically determines a provisioning status for the current active partition of the tenant's distributed event data store. When the determination indicates that an under-provisioning condition exists, the MSSP dynamically increases the number of resource provision units (RPUs) to be used for a new partition added to the tenant's partitions by a first adjustment ratio. When the determination indicates that an over-provisioning condition exists, the MSSP dynamically decreases the number of RPUs to be used for subsequent partitions added for the tenant by a second adjustment ratio.
G06F 16/27 - Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
71.
SYSTEMS AND METHODS FOR PROCESSING MULTIPLE IP PACKET TYPES IN A NETWORK ENVIRONMENT
Systems, devices, and methods are discussed for receiving a first packet type and outputting a second packet type based upon knowledge of a source device and a recipient device.
Once a new session of data packets is detected, whether to proxy-encrypt the data packets of the session on behalf of a specific headless endpoint device from the plurality of headless endpoint devices is determined, based on analysis of payload data of a data packet from the session. Responsive to a determination to proxy-encrypt, encryption attributes are set up between a local data port on the network device and a remote data port on a remote network device, as parsed from a header of the data packet. OSI layers 4 to 7 of the outbound and inbound data packets of the session are then encrypted according to the encryption attributes, without interference to OSI layers 1 to 3.
A low number of available IP addresses is detected in an IP pool that is available for lease from the DHCP server. A neighbor table is obtained from a gateway device behind a firewall that blocks ICMP echo requests from the DHCP server, so the DHCP server cannot probe the leased addresses itself. The gateway device is triggered to broadcast an ARP request to the network devices of the neighbor table behind the firewall to determine whether a specific IP address is in use. Responsive to no ARP response being received, the control module releases the lease for the specific IP address, thereby returning it to the IP pool available for lease in the DHCP server.
A process being initiated for exposure to an operating system of the computing device is detected. A control module then checks whether the process has been whitelisted and, if not, activates an artificial virtual machine to test the process prior to direct exposure to the operating system of the real computing environment. The control module can detect when the process responds to the presumed virtual environment by preventing its own execution, the evasive behavior of malware that refuses to run under analysis. A security action can then be taken on the process, including preventing the process from being exposed to the operating system.
New link requests are received and the application making each request is identified. SD-WAN parameters for the application are retrieved from an application control database. A first parameter is the JLP requirement for the application, which can be a low, medium or high JLP SLA level. A second parameter is a downstream/upstream bandwidth capability requirement. Links that meet the JLP requirement are determined from the pool of available links. From those links, one is selected for the new link request based on downstream and upstream bandwidth capability. The best link is automatically activated for the new link request.
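Added example covering both the SDWAN health-check abstract above (link cost from probe responses, traffic prioritised by cost) and the link-selection abstract just described (filter by JLP SLA level, then by bandwidth). It is not the patents' code. It reads JLP as jitter, latency and packet loss and assumes the SLA ceilings, the cost weights and the probe data shown; jitter is estimated as the mean absolute change between consecutive received probes.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class MemberPath:
    name: str
    down_mbps: float
    up_mbps: float
    probe_rtts_ms: List[Optional[float]]   # one entry per probe; None = no response


# Constructed probe results for three member paths (not real measurements).
PATHS = [
    MemberPath("mpls-1", down_mbps=100, up_mbps=100,
               probe_rtts_ms=[20, 21, 20, 22, 21, 20, 21, 20]),
    MemberPath("isp-a", down_mbps=500, up_mbps=50,
               probe_rtts_ms=[35, 60, 30, 90, None, 40, 75, 33]),
    MemberPath("lte-1", down_mbps=50, up_mbps=20,
               probe_rtts_ms=[80, 120, None, None, 95, 150, 110, 90]),
]

# Assumed SLA levels: (max jitter ms, max latency ms, max loss fraction).
# "low" is the strictest level.
JLP_SLA = {
    "low": (5.0, 50.0, 0.001),
    "medium": (45.0, 100.0, 0.15),
    "high": (60.0, 300.0, 0.30),
}

# Assumed cost weights: a millisecond of jitter costs twice a millisecond of
# latency, and each percent of loss costs ten milliseconds.
W_LATENCY, W_JITTER, W_LOSS_PER_PERCENT = 1.0, 2.0, 10.0


def path_metrics(path):
    """Latency, jitter and loss derived from the health-check responses."""
    sent = len(path.probe_rtts_ms)
    got = [r for r in path.probe_rtts_ms if r is not None]
    if not got:
        return {"latency_ms": float("inf"), "jitter_ms": float("inf"), "loss": 1.0}
    latency = sum(got) / len(got)
    jitter = (sum(abs(b - a) for a, b in zip(got, got[1:])) / (len(got) - 1)
              if len(got) > 1 else 0.0)
    return {"latency_ms": latency, "jitter_ms": jitter, "loss": 1 - len(got) / sent}


def link_cost(metrics):
    """Scalar cost used to rank member paths; lower is better."""
    return (W_LATENCY * metrics["latency_ms"]
            + W_JITTER * metrics["jitter_ms"]
            + W_LOSS_PER_PERCENT * metrics["loss"] * 100)


def prioritize(paths):
    """Member path names ordered best-first by link cost."""
    return [p.name for p in sorted(paths, key=lambda p: link_cost(path_metrics(p)))]


def meets_sla(metrics, level):
    max_jitter, max_latency, max_loss = JLP_SLA[level]
    return (metrics["jitter_ms"] <= max_jitter
            and metrics["latency_ms"] <= max_latency
            and metrics["loss"] <= max_loss)


def select_link(paths, jlp_level, down_mbps, up_mbps):
    """Pick a link for a new request: first filter by the JLP SLA level, then by
    bandwidth capability, then take the cheapest survivor. None if nothing fits."""
    candidates = []
    for p in paths:
        m = path_metrics(p)
        if meets_sla(m, jlp_level) and p.down_mbps >= down_mbps and p.up_mbps >= up_mbps:
            candidates.append((link_cost(m), p.name))
    if not candidates:
        return None
    return min(candidates)[1]


if __name__ == "__main__":
    for p in PATHS:
        print(p.name, path_metrics(p), round(link_cost(path_metrics(p)), 1))
    print("priority:", prioritize(PATHS))
    print("voice (low JLP, 50/50):", select_link(PATHS, "low", 50, 50))
    print("bulk sync (medium JLP, 200/30):", select_link(PATHS, "medium", 200, 30))
```

A path with no responses at all gets infinite latency and jitter and 100% loss, so it fails every SLA level and sorts last without needing a special case in the callers.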
A transmission type is determined for a specific station on a Wi-Fi network. A transmission type of OFDMA is selected responsive to the mobility value for the specific station meeting a mobility threshold. A transmission type of MU-MIMO is selected responsive to the similarity value for the specific station meeting a similarity threshold. A transmission type of SU-MIMO is selected responsive to the specific station not meeting the similarity threshold. The network interface transmits data packets to stations using OFDMA, SU-MIMO or MU-MIMO as selected.
Systems and methods for securing link aggregation are provided. According to an embodiment, a network device in a secure domain discovers device information associated with a peer network device in an untrusted domain, the peer being connected through a first link that directly connects a first interface of the network device to a first interface of the peer, and authenticates the peer while allowing at least some network traffic to continue to be transmitted through the first interface. When the peer is successfully authenticated, the network device establishes a secure session with it over the first link. The network device then allows the first link to operate as part of a single aggregated logical link that also includes a second link coupling a second interface of the network device to a second interface of the peer.
Access credentials for the user of each of the plurality of stations connecting to the Wi-Fi network are forwarded to a RADIUS server. In response, priority-token values derived from the access credentials of the connecting users are received from the RADIUS server and stored in association with the MAC address of each station. Responsive to detecting multiple users of at least two different priorities needing to access the Wi-Fi network, available subcarriers are allocated for data transmissions based on the stored priority-token values.
A specific container is spawned by a Docker module responsive to a Kubernetes control instruction. Network connectivity to a data communication network is provided for the specific container through a networking bridge, and a security policy is configured. After configuration, inbound or outbound data packets concerning the specific container are received and forwarded to a security policy KVM for scanning against security policies. Those that pass the security scan are forwarded on to containers and external destinations.
An SSH (secure shell) public key is received from a client device on the enterprise network, and an EMS server is queried based on the SSH public key. Responsive to confirmation of registration from the EMS server, an authentication certificate based on the user and the client device is generated. An SSH session is initiated on behalf of the client device, including submitting the certificate and the SSH public key from the client device to the external server.
An e-mail is detected as being sent or received and can be identified as a customer interaction. The e-mail is scanned, using artificial intelligence, to determine a sentiment value. Responsive to the sentiment value exceeding a sentiment threshold, a network security audit or other action can be performed on the user and the user device, with the sentiment value used as a factor in determining the security action.
H04L 41/0853 - Retrieval of network configuration; Tracking network configuration history by actively collecting configuration information or by backing up configuration information
H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]
H04L 41/5041 - Network service management, e.g. ensuring proper service fulfilment according to agreements characterised by the time relationship between creation and deployment of a service
H04L 41/40 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using virtualisation of network functions or resources, e.g. SDN or NFV entities
H04L 41/5054 - Automatic deployment of services triggered by the service manager, e.g. service implementation by automatic configuration of network components
83.
Systems and methods for incorporating passive wireless monitoring with video surveillance
Various systems and methods for surveillance using a combination of video image capture and passive wireless detection are described. In some cases, the methods include receiving device identification information from a first wireless access point at a first location, corresponding to a first time, and receiving the same device identification information from a second wireless access point at a second location, corresponding to a second time. Video from a camera is received, and a travel path is assembled that includes a portion of the video.
G08B 13/196 - Actuation by interference with heat, light, or radiation of shorter wavelength; Actuation by intruding sources of heat, light, or radiation of shorter wavelength using passive radiation detection systems using image scanning and comparing systems using television cameras
H04N 7/18 - Closed-circuit television [CCTV] systems, i.e. systems in which the video signal is not broadcast
84.
SYSTEMS AND METHODS FOR RAPID NATURAL LANGUAGE BASED MESSAGE CATEGORIZATION
Systems, devices, and methods are disclosed in relation to a system for natural language based message categorization designed to identify text on a particular topic from a potentially inexhaustible set of potential topics. In one of many possible implementations, a vector space model is first used to translate text into a vector representation. This vector is used to determine whether the text could be recreated by swapping words and phrases from a training corpus of documents, by determining whether the vector lies within the conical span of the vector representations of the text in the training corpus. Span membership is evaluated by a two-vector boolean comparison, giving low computational complexity and short-circuiting, which enables fast real-time topic determination.
H04L 41/0233 - Object-oriented techniques, for representation of network management data, e.g. common object request broker architecture [CORBA]
G06F 21/71 - Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
Systems, devices, and methods are discussed for automatically determining a risk-based focus in determining zero trust network access policy on one or more network elements.
Systems, devices, and methods are disclosed for encoding behavioral information into an image format to facilitate image based behavioral identification.
Systems, methods, devices, and apparatus are discussed for detecting relatively rare attacks in a communication network, and in some cases for detecting insider attacks on a communication network.
Systems, devices, and methods are disclosed in relation to a vector space model that may be used to characterize a category of messages. In one of many possible implementations, the frequency of each word found within a piece of text is determined. These frequencies are compared against the frequencies of the same words within a given corpus, such as the Oxford English Corpus, by first converting the frequencies to probabilities via the inverse cumulative distribution function, assuming a normal distribution of frequencies, and then taking the absolute difference of the converted values. A small difference reduces the weight of the given word, whereas a large difference increases it, yielding a word ranking suitable for automated feature-selection filtering without the need for a negative corpus.
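Added example (not the patent's implementation) of the word-weighting step in Python. It fits a normal distribution to the log10 reference frequencies and uses that distribution's CDF to turn any frequency into a probability, which is the reading taken here of "converting the frequencies to probabilities"; the reference table, the floor for unseen words and the sample message are constructed for the example.

```python
import math
from collections import Counter
from statistics import NormalDist

# Constructed reference frequencies (occurrences per million words). They stand
# in for a general corpus such as the Oxford English Corpus, which is not
# bundled here; the numbers are illustrative, not measured.
REFERENCE_PER_MILLION = {
    "the": 50000, "and": 25000, "to": 20000, "of": 18000, "a": 15000,
    "on": 10000, "is": 8000, "you": 7000, "has": 5000, "your": 3000,
    "now": 500, "today": 400, "action": 300, "needed": 200, "security": 70,
    "account": 60, "click": 50, "link": 45, "verify": 40, "expired": 20,
    "urgent": 18, "password": 12,
}
UNSEEN_PER_MILLION = 0.5   # assumed floor for words absent from the reference


def fit_reference(reference=REFERENCE_PER_MILLION):
    """Normal distribution fitted to log10 reference frequencies; its CDF maps
    any frequency to a probability (the frequency's percentile)."""
    return NormalDist.from_samples([math.log10(f) for f in reference.values()])


def text_frequencies(text):
    """Per-million frequency of each word in the text."""
    words = text.lower().split()
    counts = Counter(words)
    return {w: c * 1e6 / len(words) for w, c in counts.items()}


def word_weights(text, reference=REFERENCE_PER_MILLION):
    """Weight = |P(text frequency) - P(reference frequency)| under the fitted
    normal. Words used at about their usual rate score near 0; words far more
    (or less) common than usual score near 1."""
    dist = fit_reference(reference)
    weights = {}
    for word, f_text in text_frequencies(text).items():
        f_ref = reference.get(word, UNSEEN_PER_MILLION)
        p_text = dist.cdf(math.log10(f_text))
        p_ref = dist.cdf(math.log10(f_ref))
        weights[word] = abs(p_text - p_ref)
    return weights


def rank_features(text, reference=REFERENCE_PER_MILLION, top=None):
    """Words ordered by weight, highest first: the feature-selection filter."""
    weights = word_weights(text, reference)
    ranked = sorted(weights, key=weights.get, reverse=True)
    return ranked[:top] if top else ranked


# Constructed 20-word message resembling a credential-phishing lure.
SAMPLE_TEXT = ("your account password has expired click the link now to verify "
               "your password urgent action needed on your account today")

if __name__ == "__main__":
    w = word_weights(SAMPLE_TEXT)
    for word in rank_features(SAMPLE_TEXT, top=6):
        print(f"{word:10s} {w[word]:.3f}")
```

Because only the reference corpus is needed, a word like "the" that appears in the message at roughly its everyday rate drops to the bottom on its own, without a curated list of negative examples; a word absent from the reference gets the floor frequency and so is pushed to the top, which is why the floor should be chosen from the corpus's actual minimum rather than set to zero.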
Systems, devices, and methods are discussed for identifying possible improper file accesses by an endpoint device. In some cases an agent is placed on each system to be surveilled that records the absolute path of each file accessed by each user. This information may be accumulated and sent to a central server or computer for analysis of all such file accesses on a per-user basis. In some cases a file access tree is created, which in some implementations is pruned of branches and leaves deemed duplicates of, or very similar to, other branches and leaves according to a Levenshtein distance threshold. The resulting tree's edges may be scaled, in particular implementations, based on the deviation of a user's file accesses from their sphere of permissions. A variance metric may be computed from the final tree's form to capture the user's access patterns.
Systems, devices, and methods are disclosed for encoding behavioral information into an image format to facilitate image based behavioral identification.
G06V 10/764 - Arrangements for image or video recognition or understanding using pattern recognition or machine learning using classification, e.g. of video objects
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
H04L 29/06 - Communication control; Communication processing characterised by a protocol
97.
Machine Learning Systems and Methods for API Discovery and Protection by URL Clustering With Schema Awareness
Systems and methods for performing multi-feed classification of security events to facilitate automated IR orchestration are provided. According to one embodiment, a cloud-based security service protecting a private network provides a plurality of data feeds, each of which independently classifies a given security event and produces a classification result. In response to an event associated with a process of an endpoint device that is part of the private network, an endpoint protection platform running on the endpoint device performs an initial classification of the event and transmits the classification result to the cloud-based security service for final classification.
Recommendations are made for granular traffic thresholds for a plurality of DDoS attack mitigation appliances that act as a set of appliances. The set can be those commonly found in highly available networks: active-active or active-passive appliances, disaster recovery data centers, backup appliances, and so on.
An aggregate port selection is received from a user to bundle at least two individual data ports of the network device for single-channel data transfer. The lowest common denominators of the physical capabilities (speed and duplex) of the selected ports are determined through an operating system. Downgraded physical capabilities of at least one of the data ports are committed to match the lowest common denominators of the bundled ports. Data exchanges are then conducted over the bundled ports of the network device according to LACP.
H04L 12/709 - Route fault prevention or recovery, e.g. rerouting, route redundancy, virtual router redundancy protocol [VRRP] or hot standby router protocol [HSRP] using path redundancy using M+N parallel active paths