H04L 41/5009 - Determining service level performance parameters or violations of service level contracts, e.g. violations of agreed response time or mean time between failures [MTBF]
H04L 41/5003 - Managing service level agreements [SLA]; Interaction between the service level agreement and quality of service [QoS]
H04L 43/00 - Arrangements for monitoring or testing data switching networks
2. SYSTEMS AND METHODS FOR USING A NETWORK ACCESS DEVICE TO SECURE A NETWORK PRIOR TO REQUESTING ACCESS TO THE NETWORK BY THE NETWORK ACCESS DEVICE
Various approaches are described for securing networks against access from off-network devices. In some cases, the embodiments discussed relate to systems and methods by which a network access device identifies potential threats present in a remote network prior to requesting access to a known secure network via that remote network.
Dynamic thresholds are derived for each connection phase, using machine learning (e.g., K-means clustering) for an enterprise network. A time interval can be tracked between samples of collected data packets for each phase of connections, including the association phase, the authentication phase and the DHCP phase of connecting. A specific dynamic threshold for one of the connection phases is detected as out-of-range. Responsive to the out-of-range detection, network issues corresponding to the phase of the specific dynamic threshold are checked and automatically remediated.
To activate side nodes, a traversal node is partitioned into deeper traversal nodes and leaf nodes. A limit is set on the number of leaf node policies. Each traversal node above the limit is cut into a deeper level with a new traversal node. Each traversal node at or below the limit is converted to a leaf node populated with a list of policies within the limit. Once a leaf node is reached during policy tree searching mode, the policy set corresponding to the leaf node is searched linearly to select a policy, and the selected policy is applied to the data packet.
Scan mode is configured in an access point to monitor WLAN conditions. A channel list is progressively scanned using full capabilities available from MIMO transceivers. During a hop period, each MIMO transceiver is configured to a first set of channels from the channel list within an RF band. During a dwell period, an RF analysis is performed for the set of channels to identify conditions on the WLAN.
Responsive to receiving uplink traffic from a specific edge client on the edge client table, in-service monitoring for frame retries and collisions associated with the specific edge client is performed. Responsive to detecting that the rate of frame retries and collisions exceeds a threshold, a BSS color change announcement frame comprising a second BSS color is transmitted to the specific edge client. The BSS color change announcement directs the specific edge client to contend for medium access based on preambles observed from a specific overlapping BSS associated with the second BSS color rather than from its home BSS. The default color can be restored after the uplink.
During authentication of an SDWAN tunnel, Intent ISAKMP packets authenticate the local SDWAN controller and the remote SDWAN controller with each other, wherein the ISAKMP packets include a notify payload. Configured link costs, associated with at least two member paths at the remote SDWAN controller that have heterogeneous physical attributes, are retrieved from the notify payload of the ISAKMP packets. The configured link cost of each of the at least two member paths is reflective of its link physical attributes. One of the at least two member paths is identified, based on the lowest link cost between the at least two member paths, for steering SDWAN network traffic.
H04W 40/12 - Route or path selection, e.g. power-based or shortest-path routing, based on transmission quality or channel quality
H04W 40/30 - Connectivity information management, e.g. connectivity discovery or connectivity update, for proactive routing
8. REMOTE MONITORING OF A SECURITY OPERATIONS CENTER (SOC)
Systems and methods for remote monitoring of a Security Operations Center (SOC) via a mobile application are provided. According to one embodiment, a management service retrieves information regarding multiple network elements that are associated with an enterprise network and extracts parameters of the monitored network elements from the retrieved information. The management service prioritizes the monitored network elements by determining a severity level associated with security-related issues of the network elements and generates various monitoring views that summarize in real time various categories of potential security-related issues detected by the SOC. Further, the management service assigns a priority to each monitoring view and displays a video on the display device that cycles through monitoring views in accordance with their respective assigned priorities.
Flow pair values are identified from flow pairs of labeled devices as candidates by comparing individual flows of the unknown device that surpass a candidate threshold by generating a difference flow matrix from the individual flows of the unknown device and the labeled device. Known devices can be identified as device candidates from a sum of flow pair values for each candidate device in relation to the unknown device. A device type can be retrieved for each candidate device, and one of the device types can be selected based on at least a closeness or a frequency of each device type to the unknown device.
A baseline multicast traffic is derived for an SSID from the network traffic statistics using unsupervised machine learning. Responsive to detecting a deterioration in the real-time network traffic statistics for the SSID in relation to the baseline throughput and the baseline multicast traffic, the multicast data rate can be adjusted to match the lowest unicast data rate for the SSID.
A panic button is configured and disposed outside a network gateway, which manages integrated OT network devices and IT devices, for access by a user. Responsive to physical activation of the panic button, a two-factor MFA step authorizes the action with an authorized user. Upon authorization, the OT network devices are quarantined from the IT network devices to prevent malicious actions.
Responsive to the request for a security fabric report, an upper-level node transmits a request to a lower-level node for a subtree security report. If there are additional network gateways at lower hierarchical levels, the next level down repeats the process. A root-level network gateway transmits the first request, as the highest level of the hierarchy, and a last leaf receives the last request, as the lowest level. An overall security fabric report is returned from the root node.
H04L 41/08 - Configuration management of networks or network elements
H04L 12/28 - Data switching networks characterised by path configuration, e.g. local area networks [LAN] or wide area networks [WAN]
H04L 41/0806 - Configuration settings for initial configuration or provisioning, e.g. plug-and-play
15. INTENT-BASED ORCHESTRATION OF INDEPENDENT AUTOMATIONS
Systems and methods for intent-based orchestration of independent automations are provided. Examples described herein alleviate the complexities and technical challenges associated with deploying, provisioning, configuring, and managing configurable endpoints, including network devices, network security systems, cloud-based security services (e.g., provided by or representing a Secure Access Service Edge (SASE) platform), and other infrastructure, on behalf of numerous customers (or tenants). For example, customer intent may be automatically translated into concrete jobs and tasks that operate to make changes to one or more of the configurable endpoints so as to insulate the user from being required to know which configurable endpoint(s) need(s) to change, which vendor supports a given configurable endpoint, and/or vendor specific issues involved in changing the configurable endpoints.
Various approaches are described for multi-node network cluster systems and methods. In some cases, systems and methods for incident detection and/or recovery in multi-node processors are discussed.
H04L 41/0668 - Management of faults, events, alarms or notifications using network fault recovery by dynamic selection of recovery network elements, e.g. replacement by the most appropriate element after a failure
H04L 41/0663 - Management of faults, events, alarms or notifications using network fault recovery by performing predefined actions through failover planning, e.g. switching to standby network elements
17. DETECTING MALICIOUS BEHAVIOR IN A NETWORK USING SECURITY ANALYTICS BY ANALYZING PROCESS INTERACTION RATIOS
Systems and methods for detecting malicious behavior in a network by analyzing process interaction ratios (PIRs) are provided. According to one embodiment, information regarding historical process activity is maintained. The historical process activity includes information regarding various processes hosted by computing devices of a private network. Information regarding process activity within the private network is received for a current observation period. For each process, for each testing time period of a number of testing time periods within the current observation period, a PIR is determined based on (i) a number of unique computing devices that hosted the process and (ii) a number of unique users that executed the process. A particular process is identified as potentially malicious when a measure of deviation of the PIR of the particular process from a historical PIR mean of the particular process exceeds a pre-defined or configurable threshold during a testing time period.
Various embodiments provide systems and methods for automatically defining and enforcing network sessions based upon at least four dimensions of segmentation.
A change on a chat client, such as one or more edits or retractions, is characterized relative to an original chat string and uploaded to a chat server for storage. The chat server combines the message change with at least a second change to the specific chat string uploaded from a different chat client. Responsive to a regeneration of the chat string on the chat client, the chat daemon downloads the combined message change from the chat server. The edits and retractions originating from the chat client and the edits and retractions originating from the second chat client are downloaded and applied to the specific chat string for display in the chat client.
Systems, devices, and methods are discussed for forward testing rule sets at a granularity that is less than all activity on the network. In some cases, the granularity is that of an individual application.
H04L 41/12 - Discovery or management of network topologies
H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, comprising specially adapted graphical user interfaces [GUI]
A probe request sent from a Wi-Fi 6E wireless client to the legacy access point is received by a Wi-Fi controller. To process it, a Wi-Fi 6E access point proximate to the Wi-Fi 6E wireless client is selected for service from the plurality of access points. Reduced Neighbor Report (RNR) information about the Wi-Fi 6E access point is collected on behalf of the Wi-Fi 6E wireless client. The RNR information is transmitted to the legacy access point, which forwards the RNR information to the Wi-Fi 6E wireless client as part of a probe response sent responsive to the probe request. A subsequent probe request, sent from the Wi-Fi 6E wireless client to initiate association with the Wi-Fi 6E access point using the RNR information, is then detected.
A capture group of access points formed from the plurality of access points dedicates at least one radio from each of its access points to capturing data packets. Captured data packets are received by wireless transmission from each access point of the capture group. The access points of the capture group are preferably geographically dispersed to increase capture range. The captured data packets are analyzed to identify a set of multiuser data packets. To do so, the set of multiuser data packets is checked against a set of rules for multiuser data packets in order to troubleshoot wireless network issues.
A debug engine receives a capture file over the network interface and initiates playback by executing the capture file with the processor. The capture file comprises real-time local network environment video synchronized with data captured by a local browser at a local station interacting with a local network gateway device over a local network. The capture file is played back using a mock server, including transmitting HTTP requests from the capture file at the developer station to the mock gateway server. Additionally, HTTP responses from the capture file are received at the mock gateway server, in sync with actions in the real-time local network environment video. A GUI engine renders a GUI on the developer computer from real-time GUI code generated from the capture file playback as modified by processing the HTTP responses.
A firewall processing card from a plurality of firewall processing cards coupled to a chassis is selected by a load balancing engine (or other mechanism) and receives the data packet over the fabric channel. First, if a session match exists for management-type data packets, the data packet is returned to the I/O board, and if a match exists for user data packets, the data packet is sent to a firewall service of the firewall processing card. If no session match exists, the firewall processing card checks for a policy match to the data packet to create a new session, or drops the data packet. The I/O board receives the data packet returned from the processing blade over the base channel and checks for a session matching the data packet. If a session match exists and the data packet is a management data packet, the data packet is sent to a management service at the user level of the I/O board; if it is not a management data packet, the data packet is dropped. If no session match exists, the I/O board creates a new session or drops the data packet.
Systems, devices, and methods are discussed for treating a number of network security devices in a cooperative security fabric using a cloud based root.
An unauthorized access point is identified during a periodic scan of the wireless network, a MAC address for the unauthorized access point is stored, and the access point is monitored for connection attempts. The unauthorized access point, having a hidden SSID, is monitored by MAC address for data packets sent and received. At least one client associated to the unauthorized access point is identified from the data packets by MAC address. The at least one client is monitored, by MAC address, for a probe request sent to the unauthorized access point. Responsive to detecting the probe request, an SSID of the unauthorized access point is parsed. A security action is taken on the unauthorized access point using the SSID.
Systems, devices, and methods are discussed for treating a number of network security devices in a cooperative security fabric as a unified object for configuration purposes.
Failures in authentication credentials are detected for a user prior to presentation of successful credentials. Responsive to the authentication credentials failure, a geo-location check for a new geo-location of the user is performed. Responsive to detecting a new location, expiration of a verification link is detected. Responsive to failure of the link verification, a failure of a token OTP verification is detected. Access is granted responsive to successful verification. Access can be granted to a digital asset or a physical asset.
A substrate for the SoC includes one or more OTP modules within the substrate, comprising memory that can only be programmed once. A BIOS module loads a special BIOS into flash memory in place of a normal BIOS prior to a reboot of the OTP hardware module. The special BIOS is programmed to identify a status bit to burn corresponding to a revoked key. A first key register is stored in the OTP module and comprises a plurality of status bits. Each status bit maps to an individual key of the plurality of OTP keys. A key burn module burns the status bit on the key register corresponding to the special BIOS after the reboot. The BIOS module reloads the normal BIOS into the flash memory in place of the special BIOS prior to a second reboot. The normal BIOS runs after the second reboot.
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
A new container from a pool of containers is spawned in the operating system of the embedded networking device to execute a firewall separate from the operating system of a host device. Each of the containers is generated by a separate toolchain to include custom runtime libraries. The firewall uses the custom libraries rather than the host libraries, and user privileges within a container are different from user privileges on the host. The new container executes a firewall instance to inspect data packets processed by the embedded networking device.
An anomalous behavior is detected at an AI server device based on data communications managed by the wireless controller. In response to the detected behavior, a robot module can be deployed to a location of the anomalous behavior for testing. Once at the location, logs can be collected from testing or troubleshooting at the location and involving a remote access point proximate to the anomalous behavior (e.g., sniff and capture at specific channel or multiple channels in real-time). Solutions are generated from AI analysis concerning the anomalous behavior and priority level, including at least one automatically implemented solution to self-remediate the wireless network.
When a "data packet too big" frame is received from the access point, fragmentation is activated at the station. The "data packet too big" frame is sent in response to a data packet being sent from the station to the access point and then being rejected as too big when forwarded from the access point to a network device, because the data packet is too large for processing by the network device. The fragmentation is activated at the station and configured based on the maximum data packet size allowed by the network device.
In identification training, a database of known devices is used to identify unlabeled clusters from statistics concerning parameters, vendors and hostnames of the known devices. Relevant clusters of type, brand and model are identified from the unlabeled clusters using a threshold, and the relevant clusters are labeled with a key including the type, brand and model of the labeled clusters. In real-time identification, upon a real-time connection of a new device, the type, brand and model of the new device are determined using its parameters, vendors and hostnames and compared against the keys to identify the new device.
Responsive to OTP device not being enabled for an SoC, the RAMBOOT bootup authenticated by the key or key hash of an OTP is precluded and a determination is made whether the RAMBOOT bootup has been authenticated by the key or key hash on the virtual OTP. Responsive to not being authenticated, authentication of the RAMBOOT bootup is initiated. Responsive to being authenticated, enablement of the OTP device is initiated by burning an enable bit. Content of the virtual OTP is verified. The verified content can then be transferred from the virtual OTP to the OTP hardware module. Finally, authenticated RAMBOOT bootup is enabled from the OTP hardware module using the verified content prior to enablement of the OTP hardware module. ROMBOOT is read-only.
G06F 21/79 - Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure storage of data in semiconductor storage media, e.g. directly addressable memories
G06F 21/72 - Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information in cryptographic circuits
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
H04L 45/02 - Topology update or discovery
H04L 67/1008 - Server selection for load balancing based on parameters of servers, e.g. available memory or workload
40. EXPLOIT PREDICTIVE INTRUSION PROTECTION SYSTEM (EP-IPS) FOR DATA PACKET TRAFFIC ON DATA COMMUNICATION NETWORKS
An exploit probability value is calculated for each of the plurality of signatures learned from a history of exploits against attributes. The exploit probability value represents a likelihood of a particular signature exploiting one or more attributes of the private network. The exploit probability value is sorted or ranked to prioritize which exploit signatures have the highest probability of occurrence. Only a predetermined number of selected exploit signatures with the highest probabilities are scanned in real-time for signature matching.
SYSTEM & METHODS FOR REDUCING DELAY IN BSS FAST TRANSITIONS BETWEEN ACCESS POINTS ON WI-FI WIRELESS NETWORKS USING OPPORTUNISTIC KEY GENERATION TO PREVENT KEY FAILURE
A station initiates a fast BSS transition from the source access point to the target access point. The target access point detects a failure by the Wi-Fi controller to retrieve a PMK-R0 key for a requested PMKR0Name. The PMKR0Name is parsed from an authentication request of the station. The failure can result in requiring a fresh BSS connection by the station. Responsive to the failure detection, a PMK-R0 key is generated in cooperation with the Wi-Fi controller, to prevent requiring the fresh BSS connection. The PMK-R0 key further helps to support fast transition between access points.
A processing blade is assigned from the plurality of processing blades to a session of data packets. The load balancing engine manages a session table and an IPsec routing table by updating the session table with a particular security engine card assigned to the session and by updating the IPsec routing table for storing a remote IP address for a particular session. Outbound raw data packets of a particular session are parsed for matching cleartext tuple information prior to IPsec encryption, and inbound encrypted data packets of the particular session are parsed for matching cipher tuple information prior to IPsec decryption. Inbound data packets assigned to the processing blade from the session table are parsed and forwarded to the station.
Systems, devices, and methods are discussed for identifying security policies applicable to a received information packet based upon a dual bitmap scheme accounting for bit position mergers and/or policies common to multiple bit positions.
H04L 41/5009 - Determining service level performance parameters or violations of service level contracts, e.g. violations of agreed response time or mean time between failures [MTBF]
H04L 41/5003 - Managing service level agreements [SLA]; Interaction between the service level agreement and quality of service [QoS]
H04L 43/00 - Arrangements for monitoring or testing data switching networks
45. SYSTEMS AND METHODS FOR SECURITY POLICY ORGANIZATION USING A DUAL BITMAP
Systems, devices, and methods are discussed for classifying a number of security policies in relation to criteria for applying those security policies to yield a dual bitmap scheme representing a correlation between security policies and one or more criteria.
The present invention relates to a method for managing IoT devices by a security fabric. A method for managing IoT devices comprises: collecting, by an analyzing tier, data on Internet of Things (IoT) devices from a plurality of data sources; abstracting, by the analyzing tier, profiled element baselines (PEBs) of the IoT devices from the data, wherein each PEB includes characteristics of IoT devices; retrieving, by an executing tier, the PEBs from the analyzing tier, wherein the executing tier is configured to control network traffic of IoT devices of a private network; generating, by the executing tier, security policies for the IoT devices from their PEBs; and controlling, by the executing tier, network traffic of the IoT devices of the private network to comply with the security policies.
H04L 67/12 - Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
Systems, devices, and methods are discussed for leveraging SD-WAN's property of redundant independent paths to enable out of band key exchange using the collection of available paths, dynamically managing link failures to keep the separation whenever possible, and/or signaling availability of quantum-safe data transfer to SD-WAN to enable quantum-safety to be used in SD-WAN policy decisions.
During high-speed network policy searching for data packets, an upper limit and a lower limit for a policy count are predefined for a ratio of the policy count to the sum of the policy count and the range count. A policy tree builder generates a policy tree image from a set of recursive operations on the raw policy set including an on-the-fly determination of whether a specific node is a leaf based on a leaf policy count limit, wherein for a selected dimension, the specific node is converted to the leaf if the policy count does not exceed the leaf policy count limit and the range count for the selected dimension does not exceed a product of the leaf policy count limit and a range count limit coefficient, and otherwise the specific node is converted to two or more child nodes. A network processor configures at least one set of registers, at least one set of tables, and at least one sequence of instructions according to the policy tree image.
In one embodiment, a similarity index is calculated from characteristics of a suspected phishing web page against a database of known phishing web pages. The characteristics derive from both the HTML tags of the suspected phishing web page and a screenshot of the suspected phishing web page. Using machine learning with the similarity index as an input, a probability is estimated that the suspected web page corresponds to a known phishing web page from the database of known phishing web pages. A known phishing web page is selected from one or more candidate known phishing web pages based on having the highest probability.
ML (machine learning) training logs are parsed to generate a set of heterogeneous graphs having embedded nodes connected by edges determined with link prediction and denoting a hierarchical relationship between nodes. Each graph represents benign behavior from executing one of the files of a training database in the sandbox, wherein the nodes are embedded in the graph using a GCN (graph convolutional network) to calculate a real-valued vector of fixed dimension. A runtime module receives an untagged file in real time for analysis from a network component and generates a graph of the runtime behavior of the suspicious file in the sandbox for comparison against the training graphs.
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure, by executing in a restricted environment, e.g. a "sandbox" or secure virtual machine
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
An initial provisioning by a management plane of the SD-WAN is received from a centralized SD-WAN gateway, with a static path overlay between the network edge device on a local LAN and the centralized SD-WAN gateway. At runtime, intelligent decisions are made over a control plane of the SD-WAN about which overlay path to select, and when, for a new flow, based on the topology of the remote network edge and the local SDWAN policy, and the selected overlay path is built.
H04L 41/0806 - Configuration settings for initial configuration or provisioning, e.g. plug-and-play
H04L 41/12 - Discovery or management of network topologies
H04L 45/64 - Routing or path finding of packets in data switching networks using an overlay routing layer
53. FILE SHARING FRAMEWORK IN NETWORK SECURITY SYSTEMS TO SYNCHRONIZE DATA AND CONFIGURATION FILES ACROSS VIRTUAL MACHINE CLUSTERS INDEPENDENT OF FILE SHARING TECHNOLOGIES
A source node from the cluster of nodes, responsive to receiving the file sharing command from other applications on the same node (e.g., on a virtual machine in the cluster of nodes), copies the shared file to a source workspace directory, compresses it, and then copies the compressed file to the file sync database. The command comprises a configuration template with file retrieval information. A target node from the cluster of nodes listens for commands from other nodes in the cluster. Responsive to receiving the file sharing command, the compressed file is copied from the file sync database to a target workspace directory, decompressed, and then the shared file is copied to the node.
H04L 67/1095 - Replicating or mirroring data, e.g. scheduling or transport for data synchronisation between network nodes
Each of the plurality of network assets on the private network is identified and categorized according to a CPE for storage in a device inventory database, and an asset profile is generated for each of the plurality of network assets. Attacks on the plurality of assets related to each of the identified CPEs are identified and monitored according to a CVE (common vulnerabilities and exposures) format, and it is determined whether the CVE is relevant against the asset profile. Responsive to detecting a relevant CVE notification including a CVE-id, the impact on one or more network assets affected by the CVE is determined based on the asset profiles. The impact is either low impact, high impact and blocked, or high impact and unblocked.
Redundant upstream mesh links are formed with a gateway access point for each of the radio capabilities. A resource load is measured across each of the redundant upstream mesh links. During runtime, a packet is received for upstream (or downstream) transmission from a specific client from the plurality of clients. An upstream link is selected for transmission of the packet from the redundant upstream mesh links for transmission of the packet and packets of the packet session, based on a highest link quality available from the plurality of mesh links according to the resource load measurement.
H04W 28/02 - Traffic management, e.g. flow control or congestion control
H04W 72/21 - Control channels or signalling for resource management in the uplink direction of a wireless link, i.e. towards the network
H04W 72/542 - Allocation or scheduling criteria for wireless resources based on quality criteria using measured or perceived quality
56.
EMBEDDING AN ARTIFICIALLY INTELLIGENT NEURON CAPABLE OF PACKET INSPECTION AND SYSTEM OPTIMIZATION IN IPV6 ENABLED WLAN NETWORKS
Responsive to matching a site prefix to IPv6 network traffic from clients, the traffic is classified as intended, and responsive to not matching the site prefix, the corresponding traffic is classified as unintended. An initial rate of packet occurrence is calculated, and the load caused by intended traffic and the load caused by unintended traffic are predicted based on that initial rate. The predicted traffic loads are fed back by configuring the behavior of network modules according to the predictions of intended and unintended traffic load. Packet processing at the network modules is based on the traffic classification output by the AI neuron.
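The classify, measure, predict and feed-back loop above, as an added example that is not the patent's AI-neuron code: packets are classified by whether the client's source address carries the site prefix, the initial packet rate per class is measured over a window, the load per class is extrapolated, and the prediction becomes module settings. The site prefix is taken from the 2001:db8::/32 documentation range, the packet log is constructed, and the linear predictor, link capacity and policing share are assumptions.

```python
"""Added example (not the patent's AI-neuron code): classify IPv6 WLAN
traffic as intended or unintended by site prefix, measure the initial
packet rate per class, predict the load each class will cause, and turn
the prediction into module settings. The site prefix uses the
documentation range 2001:db8::/32, the packet log is constructed, and
the capacity and policy thresholds are assumptions."""
import ipaddress
from collections import defaultdict

SITE_PREFIX = ipaddress.ip_network("2001:db8:1::/48")   # assumed site prefix

# Constructed packet log: (seconds since window start, source, destination, bytes)
PACKETS = [
    (0.0, "2001:db8:1:10::5", "2001:db8:1:20::9", 1200),
    (0.2, "2001:db8:1:10::5", "2001:db8:1:20::9", 1200),
    (0.5, "2001:db8:1:11::7", "2001:db8:1:20::9", 800),
    (0.7, "fe80::1", "ff02::1", 100),                      # link-local, not site-prefixed
    (1.1, "2001:db8:1:10::5", "2001:db8:1:20::9", 1200),
    (1.4, "2001:db8:ffff::1", "2001:db8:1:20::9", 600),    # another site's prefix
    (1.9, "2001:db8:1:12::3", "2001:db8:1:20::9", 1200),
]
WINDOW_SECONDS = 2.0


def classify(src: str) -> str:
    """Intended when the client's source address carries the site prefix."""
    return "intended" if ipaddress.ip_address(src) in SITE_PREFIX else "unintended"


def measure(packets, window):
    """Initial rate of packet occurrence per class: packets/s and bits/s."""
    count, size = defaultdict(int), defaultdict(int)
    for _, src, _, length in packets:
        cls = classify(src)
        count[cls] += 1
        size[cls] += length
    return {cls: {"pps": count[cls] / window, "bps": size[cls] * 8 / window}
            for cls in ("intended", "unintended")}


def predict_load(stats, horizon_seconds):
    """Predicted bytes each class pushes through the modules over the horizon.
    A linear extrapolation of the measured rate stands in for the AI neuron."""
    return {cls: s["bps"] / 8 * horizon_seconds for cls, s in stats.items()}


def configure_modules(stats, link_capacity_bps, unintended_share=0.10):
    """Feed-back step (assumed policy): intended traffic keeps scheduler
    priority, and unintended traffic is policed to a fixed share of capacity
    as soon as its measured rate would exceed that share."""
    limit = link_capacity_bps * unintended_share
    return {
        "scheduler": {"priority_class": "intended"},
        "policer": {"unintended_limit_bps": limit,
                    "enforce": stats["unintended"]["bps"] > limit},
    }


if __name__ == "__main__":
    stats = measure(PACKETS, WINDOW_SECONDS)
    print(stats)
    print(predict_load(stats, 60))
    print(configure_modules(stats, link_capacity_bps=20_000))
```

Classifying on the source prefix alone only separates on-site from off-site or misconfigured clients; a client on the site prefix can still send unwanted traffic, so the policer should be combined with the usual per-station rate limits rather than replace them.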
Various embodiments discussed generally relate to network security, and more particularly to systems and methods for using biometric data to enhance security in network access authorization.
Systems and methods for improving security event classification by leveraging user-behavior analytics are provided. According to an embodiment, a UEBA-based security event classification service of a cloud-based security platform maintains information regarding the historical user behavior of various users of an enterprise network. An endpoint protection platform running on an endpoint device that is part of the enterprise network performs an initial classification of an event associated with a process, based on which the endpoint protection platform blocks activity by the process. The endpoint protection platform requests input from the cloud-based security platform, which causes the cloud-based security platform to perform a reclassification of the event based on contextual information, multiple data feeds and the UEBA-based security event classification service. Based on the reclassification of the event, the cloud-based security platform causes the endpoint protection platform to allow the process to proceed by providing the resulting security event classification to the endpoint protection platform.
Various embodiments discussed generally relate to securing applications that work across networks, and more particularly to systems and methods for mitigating malicious behavior integrated within an application that directly calls a separate cloud based malicious behavior mitigation system.
G06F 21/54 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by adding security routines or objects to programs
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
61.
ADJUSTING BEHAVIOR OF AN ENDPOINT SECURITY AGENT BASED ON NETWORK LOCATION
Systems and methods for adjusting the behavior of an endpoint security agent based on a network location are provided. According to an embodiment, an agent of an endpoint device identifies whether a security service of a cloud-based security service is unreachable or unresponsive. The security service is associated with a particular security function implemented by the agent. When the security service is unreachable or unresponsive, the agent further determines whether the endpoint device is within one of multiple trusted networks that have been previously registered with the cloud-based security service, by querying a trusted network determination service associated with the cloud-based security service. When the determination is affirmative, the particular security function is configured for operating inside a trusted network. When the determination is negative, the particular security function is configured for operating outside a trusted network.
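The mode selection above, as an added example that is not the agent's own code: the feature runs cloud-backed while its service answers, and otherwise takes an inside-trusted or outside-trusted profile according to the trusted network determination. One caveat a practitioner would add is handled explicitly: when the determination service cannot be reached either, the agent fails closed to the outside-trusted profile. The registry of trusted networks, the observed network attributes and the web-filter profiles are constructed assumptions.

```python
"""Added example (not the agent's own code): pick the operating mode of an
endpoint feature when its cloud service is unreachable, using a trusted
network determination, and fail closed when that determination cannot be
made either. The probe, the trusted-network registry and the feature
profiles are constructed assumptions."""
from enum import Enum


class Mode(Enum):
    CLOUD = "cloud-backed"
    INSIDE_TRUSTED = "offline, inside a registered trusted network"
    OUTSIDE_TRUSTED = "offline, outside any trusted network"


# Assumed per-mode profile for one feature (web filtering). Inside a trusted
# network the on-premises gateway is expected to filter, so unknown sites are
# allowed; off-network the agent blocks what it cannot categorise from cache.
WEB_FILTER_PROFILES = {
    Mode.CLOUD:           {"uncategorised_sites": "ask-cloud", "cache_only": False},
    Mode.INSIDE_TRUSTED:  {"uncategorised_sites": "allow", "cache_only": True},
    Mode.OUTSIDE_TRUSTED: {"uncategorised_sites": "block", "cache_only": True},
}


def select_mode(service_reachable: bool, determine_trusted) -> Mode:
    """`determine_trusted()` queries the trusted network determination service
    and returns True/False, or raises when that service is unreachable too.
    An unanswerable query is treated as untrusted (fail closed): the feature
    must not relax its policy exactly when the agent is blind."""
    if service_reachable:
        return Mode.CLOUD
    try:
        trusted = determine_trusted()
    except (ConnectionError, TimeoutError):
        return Mode.OUTSIDE_TRUSTED
    return Mode.INSIDE_TRUSTED if trusted else Mode.OUTSIDE_TRUSTED


def configure_web_filter(service_reachable: bool, determine_trusted):
    mode = select_mode(service_reachable, determine_trusted)
    return mode, dict(WEB_FILTER_PROFILES[mode])


# Constructed registry: networks an administrator registered with the cloud
# service, keyed by attributes the agent can observe locally.
TRUSTED_NETWORK_REGISTRY = {("00:11:22:33:44:55", "corp.example")}


def make_determiner(gateway_mac: str, dns_suffix: str, service_up: bool = True):
    """Simulated client of the determination service. The observed attributes
    are spoofable on a hostile LAN, which is why the decision is delegated to
    the service instead of being made from them alone on the endpoint."""
    def determine() -> bool:
        if not service_up:
            raise ConnectionError("trusted network determination service unreachable")
        return (gateway_mac.lower(), dns_suffix.lower()) in TRUSTED_NETWORK_REGISTRY
    return determine


if __name__ == "__main__":
    print(configure_web_filter(False, make_determiner("00:11:22:33:44:55", "corp.example")))
    print(configure_web_filter(False, make_determiner("aa:bb:cc:dd:ee:ff", "cafe.example")))
    print(configure_web_filter(False, make_determiner("00:11:22:33:44:55", "corp.example", service_up=False)))
```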
Systems and methods for detecting access points proximate to a mobile computing device to facilitate wireless network troubleshooting and management of the access points are provided. According to an embodiment, a mobile application, running on a mobile device that is operating within a physical environment, discovers a subset of wireless access points (APs) of various managed APs of a private network that are proximate to the mobile device by receiving short-range beacons originated by the subset of APs. The mobile application presents a list of the subset of APs within a user interface of the mobile application and bridges the physical environment and a network environment containing information regarding the private network. The mobile application facilitates management of a particular AP of the subset of APs by presenting configuration information or operating information for the particular AP within the user interface.
H04L 41/12 - Discovery or management of network topologies
H04W 4/80 - Services using short range communication, e.g. near-field communication, radio-frequency identification or low energy communication
H04B 17/27 - Monitoring; Testing of receivers for locating or positioning the transmitter
H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]
63.
Machine-learning based approach for dynamically generating incident-specific playbooks for a security orchestration, automation and response (SOAR) platform
Systems and methods for a machine-learning based approach for dynamically generating incident-specific playbooks for a security orchestration, automation and response (SOAR) platform are provided. The SOAR platform captures information regarding the execution of a sequence of actions performed by analysts responsive to a first incident of a first type. The captured information is fed into a machine-learning model. When a second incident observed by the SOAR platform is similar in nature to the first incident or to the first type, a recommended sequence of actions is generated based on the machine-learning model for use by an analyst in responding to the second incident. In response to rejection of the recommended sequence by the analyst, the recommended sequence is revised based on input provided by the analyst, and the revised sequence is stored in the form of a revised playbook for responding to subsequent incidents that are similar to the second incident.
Systems, devices, and methods are discussed that provide for discovering protected data from a code. Such detection provides an ability to discover potentially malicious code and/or datasets obfuscated within a code prior to full execution of the code.
An access point has a housing with at least one connector for at least one external antenna and at least one connector for at least one internal antenna. An RF controller detects whether the at least one external antenna is connected to its connector by detecting when an otherwise open circuit is closed. Responsive to detecting that the at least one external antenna is connected, the access point switches from a first mode in which the at least one internal antenna supports RF capabilities to a second mode in which the at least one external antenna supports RF capabilities.
Systems, devices, and methods are discussed that provide for discovering protected data from a code. Such detection provides an ability to discover potentially malicious code and/or datasets obfuscated within a code prior to full execution of the code.
Systems, devices, and methods are discussed that provide for discovering protected data from a code. Such detection provides an ability to discover potentially malicious code and/or datasets obfuscated within a code prior to full execution of the code.
A health check is generated for at least two member paths between the local SDWAN controller and a remote SDWAN controller, with a set of health check probe packets transmitted by the network interface to the remote SDWAN controller. A link cost is determined for each member path from the set of health check response packets received by the network interface. SDWAN network traffic is prioritized across the member paths between the local SDWAN controller and the remote SDWAN controller based at least in part on the link cost.
Systems and methods for adaptively provisioning a distributed event data store of a multi-tenant architecture are provided. According to one embodiment, a managed security service provider (MSSP) maintains a distributed event data store on behalf of each tenant of the MSSP. For each tenant, the MSSP periodically determines a provisioning status for the current active partition of the tenant's distributed event data store. When the determination indicates an under-provisioning condition exists, the MSSP dynamically increases the number of resource provision units (RPUs) to be used for a new partition added to the tenant's partitions by a first adjustment ratio. When the determination indicates an over-provisioning condition exists, the MSSP dynamically decreases the number of RPUs to be used for subsequent partitions added to the tenant's partitions by a second adjustment ratio.
G06F 16/27 - Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
70.
Selectively applying dynamic malware analysis to software files based on compression type in a software security system
A file is received from outside the gateway device and, prior to runtime, the received file is detected as being compressed. Also before runtime, the compression type of the received file is differentiated as packed, protected and/or archived. Identification of the specific packer, specific protector or specific archiver corresponding to the compression type is attempted. Responsive to successful identification, the received file is decompressed and a static type of malware analysis is selected for it. Responsive to unsuccessful identification, decompression of the received file is attempted with a general unpacker, general unprotector or general unarchiver, and responsive to successful decompression, the static type of malware analysis is selected for the received file. Responsive to unsuccessful decompression, a dynamic type of malware analysis is selected for the received file.
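The triage sequence above, as an added example that is not the gateway's own code: detect that a file is compressed (known marker or high byte entropy), try specific identification, unpack with the specific routine, fall back to general inflaters, and only hand the file to dynamic analysis when nothing unpacks before runtime. The signature table, the size cap and all sample blobs are constructed; the UPX entry is only a marker check, since no packer-specific unpacker is bundled, which also shows what happens when a file is identified but cannot be unpacked.

```python
"""Added example (not the gateway's own code): triage a received file by
compression type before choosing static or dynamic malware analysis.
The signature table, size limit and sample blobs are constructed; the UPX
entry is a marker check only, no packer-specific unpacker is bundled."""
import gzip
import hashlib
import io
import math
import zipfile
import zlib
from collections import Counter

MAX_OUT = 1 << 20   # assumed cap on unpacked size, guards against decompression bombs

# Constructed table: (kind, name, marker). Prefix markers identify archivers;
# the UPX marker is searched in the first 4 KiB rather than at offset 0.
SIGNATURES = [
    ("archiver", "zip", b"PK\x03\x04"),
    ("archiver", "gzip", b"\x1f\x8b"),
    ("packer", "upx", b"UPX!"),
]


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; compressed or encrypted data sits near 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def identify(data: bytes):
    """Specific identification: (kind, name) or None."""
    for kind, name, marker in SIGNATURES:
        if name == "upx":
            if marker in data[:4096]:
                return kind, name
        elif data.startswith(marker):
            return kind, name
    return None


def looks_compressed(data: bytes) -> bool:
    return identify(data) is not None or entropy(data) > 7.0


def bounded_inflate(data: bytes, wbits: int) -> bytes:
    """Inflate with an output cap; refuses truncated streams and bombs."""
    d = zlib.decompressobj(wbits)
    out = d.decompress(data, MAX_OUT + 1)
    if len(out) > MAX_OUT:
        raise ValueError("unpacked output exceeds MAX_OUT")
    if not d.eof:
        raise ValueError("stream incomplete")
    return out


def unpack_specific(name: str, data: bytes) -> bytes:
    if name == "gzip":
        return bounded_inflate(data, 16 + zlib.MAX_WBITS)
    if name == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            info = z.infolist()[0]
            if info.file_size > MAX_OUT:      # declared size can be forged, so the read is capped too
                raise ValueError("declared member size exceeds MAX_OUT")
            with z.open(info) as member:
                out = member.read(MAX_OUT + 1)
            if len(out) > MAX_OUT:
                raise ValueError("member exceeds MAX_OUT")
            return out
    raise NotImplementedError(f"no specific unpacker for {name}")


GENERAL_UNPACKERS = [   # general fallbacks: zlib-wrapped deflate, then raw deflate
    ("general-zlib", lambda d: bounded_inflate(d, zlib.MAX_WBITS)),
    ("general-deflate", lambda d: bounded_inflate(d, -zlib.MAX_WBITS)),
]


def triage(data: bytes):
    """Return (analysis_type, detail): 'static' with the unpacker that worked,
    or 'dynamic' when nothing could unpack the file before runtime."""
    if not looks_compressed(data):
        return "static", "none"
    ident = identify(data)
    if ident is not None:
        try:
            unpack_specific(ident[1], data)
            return "static", ident[1]
        except Exception:
            pass                              # identified but not unpackable: fall through
    for label, fn in GENERAL_UNPACKERS:
        try:
            fn(data)
            return "static", label
        except Exception:
            continue
    return "dynamic", ident[1] if ident else "unidentified"


# Constructed samples. RANDOMISH is incompressible filler; OPAQUE and UPX_LIKE
# start with 0x07 so neither a zlib header nor a deflate block can parse.
PAYLOAD = b"MZ" + b"\x90" * 64 + b"constructed sample program body"
RANDOMISH = b"".join(hashlib.sha256(i.to_bytes(2, "big")).digest() for i in range(32))
PLAIN = b"This is a plain text document.\n" * 20
GZ = gzip.compress(PAYLOAD)
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w", zipfile.ZIP_DEFLATED) as _z:
    _z.writestr("payload.bin", PAYLOAD)
ZIP = _buf.getvalue()
_co = zlib.compressobj(wbits=-zlib.MAX_WBITS)
RAW_DEFLATE = _co.compress(RANDOMISH) + _co.flush()
OPAQUE = b"\x07" + RANDOMISH[1:]
UPX_LIKE = b"\x07" + b"UPX!" + RANDOMISH[5:]

if __name__ == "__main__":
    for label, blob in [("plain", PLAIN), ("gzip", GZ), ("zip", ZIP),
                        ("raw deflate", RAW_DEFLATE), ("opaque", OPAQUE), ("upx-marked", UPX_LIKE)]:
        print(f"{label:12s} -> {triage(blob)}")
```

Every inflate here is capped at MAX_OUT and checked for stream completion; a triage stage that unpacks without a cap is itself a denial-of-service target, and an attacker who knows the cap can also use it to push a file toward the slower dynamic path, so the cap should be generous and the dynamic queue rate-limited.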
Systems, devices, and methods are discussed for receiving a first packet type and outputting a second packet type based upon knowledge of a source device and a recipient device.
Once a new session of data packets is detected, whether to proxy encrypt the data packets of the session on behalf of a specific headless endpoint device of the plurality of headless endpoint devices is determined based on analysis of the payload data of a data packet from the session. Responsive to a determination to proxy encrypt the data packets, encryption attributes are set up between a local data port on the network device and a remote data port on a remote network device, as parsed from a header of the data packet. Outbound and inbound data packets of the session are encrypted according to the encryption attributes so as to secure OSI layers 4 to 7 of the packets, without interference to OSI layers 1 to 3.
A low number of available IP addresses is detected in an IP pool available for lease from the DHCP server. A neighbor table is retrieved from a gateway device behind a firewall that blocks ICMP echo requests from the DHCP server. The gateway device is triggered to broadcast an ARP request to the network devices of the neighbor table behind the firewall to determine whether a specific IP address is in use. Responsive to an ARP response not being received, the control module releases the lease for the specific IP address, thereby returning it to the IP pool available for lease from the DHCP server.
A process being initiated for exposure to an operating system of the computing device is detected. A control module then checks whether the process has been whitelisted and, if not, activates an artificial virtual machine to test the process prior to direct exposure to the operating system of the real computing environment. The control module can detect when the process responds to the presumed virtual environment by preventing its own execution, a sandbox-evasion behavior. A security action can then be taken on the process, including preventing the process from being exposed to the operating system.
H04L 29/06 - Communication control; Communication processing characterised by a protocol
G06F 9/455 - Arrangements for executing specific programs; Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
New link requests are received and the application making each request is identified. SD-WAN parameters are retrieved from an application control database. A first parameter is the JLP requirement for the application, which can be a low JLP, medium JLP or high JLP SLA level. A second parameter is a downstream/upstream bandwidth capability requirement. Links that meet the JLP requirement are determined from the pool of available links. One of those links is selected for the new link request based on its downstream and upstream bandwidth capability. The best link is automatically activated for the new link request.
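One added example serving both the SDWAN health-check abstract earlier on this page and the JLP link-selection abstract directly above; it is not the controller's own code. Per-path jitter, latency and loss are derived from health-check probe replies, the paths are ranked by a link cost, and a new application session gets the link that meets its JLP SLA level and has the most bandwidth headroom. JLP is read here as jitter, latency and packet loss; the probe samples, the SLA ceilings, the cost weights and the headroom rule are constructed assumptions.

```python
"""Added example (not the SD-WAN controller's own code): derive jitter,
latency and loss per member path from health-check probe replies, rank
paths by link cost, then pick a link for a new application session by
its JLP SLA level and bandwidth needs. Probe samples, SLA thresholds and
cost weights are constructed assumptions."""
from dataclasses import dataclass
from statistics import mean
from typing import Optional


@dataclass
class Link:
    name: str
    rtts_ms: list          # one entry per probe; None = no reply before timeout
    down_mbps: float
    up_mbps: float


@dataclass
class Application:
    name: str
    jlp: str               # SLA level the app tolerates: "low", "medium" or "high" JLP
    down_mbps: float
    up_mbps: float


# Assumed SLA ceilings per JLP level: (max jitter ms, max latency ms, max loss fraction)
JLP_SLA = {"low": (5.0, 50.0, 0.005), "medium": (20.0, 150.0, 0.02), "high": (50.0, 300.0, 0.05)}
COST_WEIGHTS = {"latency": 1.0, "jitter": 2.0, "loss": 1000.0}   # assumed


def link_metrics(rtts_ms):
    """Jitter as mean absolute difference of consecutive RTTs, latency as mean
    RTT, loss as the fraction of probes that got no reply."""
    answered = [r for r in rtts_ms if r is not None]
    loss = (len(rtts_ms) - len(answered)) / len(rtts_ms)
    if not answered:
        return {"jitter": float("inf"), "latency": float("inf"), "loss": loss}
    jitter = mean(abs(a - b) for a, b in zip(answered, answered[1:])) if len(answered) > 1 else 0.0
    return {"jitter": jitter, "latency": mean(answered), "loss": loss}


def link_cost(link: Link) -> float:
    m = link_metrics(link.rtts_ms)
    return sum(COST_WEIGHTS[k] * m[k] for k in COST_WEIGHTS)


def prioritize(links):
    """Member paths in the order traffic should prefer them (lowest cost first)."""
    return [l.name for l in sorted(links, key=link_cost)]


def meets_jlp(link: Link, level: str) -> bool:
    m = link_metrics(link.rtts_ms)
    max_jitter, max_latency, max_loss = JLP_SLA[level]
    return m["jitter"] <= max_jitter and m["latency"] <= max_latency and m["loss"] <= max_loss


def select_link(links, app: Application) -> Optional[str]:
    """Links meeting the JLP level form the pool; among those with enough
    down/up capability, take the one with the most headroom in its tighter
    direction, breaking ties by link cost. None means no link qualifies."""
    pool = [l for l in links if meets_jlp(l, app.jlp)
            and l.down_mbps >= app.down_mbps and l.up_mbps >= app.up_mbps]
    if not pool:
        return None
    best = min(pool, key=lambda l: (-min(l.down_mbps - app.down_mbps,
                                         l.up_mbps - app.up_mbps), link_cost(l)))
    return best.name


# Constructed probe history (10 probes per path) and capabilities.
LINKS = [
    Link("mpls", [20, 21, 20, 22, 20, 21, 20, 21, 20, 22], 50, 50),
    Link("broadband", [30, 45, 35, 50, 40, 60, 38, 52, 44, 48], 300, 30),
    Link("lte", [80, None, 95, 120, None, 70, 110, 90, 130, 85], 40, 10),
]

if __name__ == "__main__":
    print("priority:", prioritize(LINKS))
    for app in (Application("voip", "low", 1, 1), Application("video", "medium", 5, 5),
                Application("backup", "high", 100, 20), Application("bulk", "high", 500, 100)):
        print(app.name, "->", select_link(LINKS, app))
```

Health-check replies are only as trustworthy as the path they travel; an attacker who can delay or drop probes on one member path can steer sessions onto another, so probe packets should be authenticated and the metrics smoothed over several windows before a path is demoted or promoted.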
A transmission type is determined for a specific station on a Wi-Fi network. A transmission type of OFDMA is selected responsive to the mobility value for the specific station meeting a mobility threshold. A transmission type of MU-MIMO is selected responsive to the similarity value for the specific station meeting a similarity threshold. A transmission type of SU-MIMO is selected responsive to the specific station not meeting the similarity threshold. The network interface transmits data packets to stations using OFDMA, SU-MIMO or MU-MIMO as selected.
H04L 23/02 - Apparatus or local circuits for telegraphic systems other than those covered by groups adapted for orthogonal signalling
H04B 7/0452 - Multi-user MIMO systems
H04L 5/00 - Arrangements affording multiple use of the transmission path
Systems and methods for securing link aggregation are provided. According to an embodiment, a network device in a secure domain discovers device information associated with a peer network device in an untrusted domain, connected through a first link that directly connects a first interface of the network device to a first interface of the peer network device, and authenticates the peer while allowing at least some network traffic to continue to be transmitted through the first interface. The network device establishes a secure session with the peer over the first link when the peer network device is successfully authenticated. The network device then allows the first link to operate as part of a single aggregated logical link that also includes a second link coupling a second interface of the network device to a second interface of the peer network device.
Access credentials for the user of each of the plurality of stations connecting to the Wi-Fi network are forwarded to a RADIUS server. In response to the forwarded access credentials, priority-token values derived from the access credentials of the connecting users are received from the RADIUS server and stored in association with the MAC address of each of the plurality of stations. The priority-token values are applied responsive to detecting multiple users of at least two different priorities needing to access the Wi-Fi network: available subcarriers are allocated for data transmissions based on the priority-token values.
A specific container is spawned by a Docker module responsive to a Kubernetes control instruction. Network connectivity to a data communication network is provided for the specific container through a networking bridge, and a security policy is configured. After configuration, inbound or outbound data packets concerning the specific container are received and forwarded to a security policy KVM for scanning against the security policies. Those that pass security scanning are forwarded to the containers and to external destinations.
An SSH (secure shell) public key is received from a client device on the enterprise network, and an EMS server is queried based on the SSH public key. Responsive to confirmation of registration from the EMS server, an authentication certificate based on the user and the client device is generated. An SSH session is initiated on behalf of the client device, including submitting the certificate and the SSH public key from the client device to the external server.
An e-mail is detected as being sent or received. The e-mail can be identified as a customer interaction. The e-mail is scanned to determine a sentiment value using artificial intelligence. Responsive to the sentiment value exceeding a sentiment threshold, a network security audit or other action can be performed on the user and the user device, using the sentiment value as a factor in determining the security action.
H04L 41/0853 - Retrieval of network configuration; Tracking network configuration history by actively collecting configuration information or by backing up configuration information
H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]
H04L 41/5041 - Network service management, e.g. ensuring proper service fulfilment according to agreements characterised by the time relationship between creation and deployment of a service
H04L 41/40 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using virtualisation of network functions or resources, e.g. SDN or NFV entities
H04L 41/5054 - Automatic deployment of services triggered by the service manager, e.g. service implementation by automatic configuration of network components
83.
Systems and methods for incorporating passive wireless monitoring with video surveillance
Various systems and methods for surveillance using a combination of video image capture and passive wireless detection are described. In some cases, the methods include receiving device identification information from a first wireless access point at a first location, corresponding to a first time, and receiving the same device identification from a second wireless access point at a second location, corresponding to a second time. A video from a camera is received, and a travel path is assembled that includes a portion of the video.
G08B 13/196 - Actuation by interference with heat, light, or radiation of shorter wavelength; Actuation by intruding sources of heat, light, or radiation of shorter wavelength using passive radiation detection systems using image scanning and comparing systems using television cameras
H04N 7/18 - Closed-circuit television [CCTV] systems, i.e. systems in which the video signal is not broadcast
84.
SYSTEMS AND METHODS FOR RAPID NATURAL LANGUAGE BASED MESSAGE CATEGORIZATION
Systems, devices, and methods are disclosed in relation to a system for natural language based message categorization designed to identify text on a particular topic from a potentially inexhaustible set of potential topics. In one of many possible implementations, a vector space model is first used to translate text into a vector representation. This vector is used to determine whether the text can be recreated by swapping words and phrases from a training corpus of documents. This is done by determining whether the vector is within the conical span of the vector representations of the text in the training corpus. Span membership is evaluated by a two-vector boolean comparison, which keeps the computational complexity low, and short-circuiting enables fast real-time topic determination.
H04L 41/0233 - Object-oriented techniques for representing network management data, e.g. common object request broker architecture [CORBA]
G06F 21/71 - Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
Systems, devices, and methods are discussed for automatically determining a risk-based focus in determining zero trust network access policy on one or more network elements.
Systems, devices, and methods are disclosed in relation to a vector space model that may be used to characterize a category of messages. In one of many possible implementations, the frequency of words found within a piece of text is determined. These frequencies are compared against the frequencies of words within a given corpus, such as the Oxford English Corpus, by first converting the frequencies to probabilities via the inverse cumulative distribution function, assuming a normal distribution of frequencies, and then taking the absolute difference in frequencies. A small difference reduces the weight of the given word whereas a large difference increases it, leading to excellent word ranking for automated feature selection filtering without the need for a negative corpus.
Systems, devices, and methods are disclosed for encoding behavioral information into an image format to facilitate image based behavioral identification.
G06K 9/62 - Methods or arrangements for recognition using electronic means
H04L 43/045 - Processing of captured monitoring data, e.g. for logfile generation for graphical visualisation of monitoring data
90.
SYSTEMS AND METHODS FOR DETECTING INSIDER ATTACKS ON A COMMUNICATION NETWORK
Systems, methods, devices, and apparatus are discussed for detecting relatively rare attacks in a communication network, and in some cases for detecting insider attacks on a communication network.
Systems, devices, and methods are disclosed for encoding behavioral information into an image format to facilitate image based behavioral identification.
G06V 10/764 - Arrangements for image or video recognition or understanding using pattern recognition or machine learning using classification, e.g. of video objects
G06V 10/776 - Arrangements for image or video recognition or understanding using pattern recognition or machine learning using data integration and reduction, e.g. principal component analysis [PCA] or independent component analysis [ICA] or self-organising maps [SOM]; Blind source separation; Performance evaluation
93.
SYSTEMS AND METHODS FOR QUANTIFYING FILE ACCESS RISK EXPOSURE BY AN ENDPOINT IN A NETWORK ENVIRONMENT
Systems, devices, and methods are discussed for identifying possible improper file accesses by an endpoint device. In some cases an agent is placed on each system to be surveilled that records the absolute path of each file accessed by each user. This information may be accumulated and sent to a central server or computer for analysis of all such file accesses on a per-user basis. In some cases, a file access tree is created, and in some implementations it may be pruned of branches and leaves deemed to be duplicates of, or very similar to, other branches and leaves according to a Levenshtein distance threshold. The resulting tree's edges may be scaled, in particular implementations, based on the deviation of a user's file accesses from their sphere of permissions. A variance metric may be computed from the final tree's form to capture the user's access patterns.
G06V 40/16 - Human faces, e.g. facial parts, sketches or expressions
G06V 10/75 - Matching image or video patterns; Proximity measures in feature spaces using context analysis; Selecting dictionaries
G06V 20/52 - Surveillance or monitoring of activities, e.g. for recognising suspicious objects
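The file access tree pipeline described in entry 93 above, as an added example that is not the patent's implementation: absolute paths recorded for one user are built into a tree, sibling names within a Levenshtein threshold of each other are collapsed (versioned copies of the same document, for instance), each edge is scaled by whether that directory or file lies outside the user's permission sphere, and the pruned tree is reduced to the variance of its leaf scores. The access log, the permission sphere, the threshold, the edge weights and the choice of leaf-score variance as the metric are constructed assumptions.

```python
"""Added example (not the patent's implementation): build a per-user file
access tree from recorded absolute paths, prune near-duplicate sibling
names with a Levenshtein threshold, weight edges by whether they leave the
user's permission sphere, and reduce the tree to a variance metric. The
access log, permission sphere, threshold and weights are constructed."""
from statistics import pvariance


def levenshtein(a: str, b: str) -> int:
    """Edit distance, classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def build_tree(paths):
    """Nested dict keyed by path component; a leaf is an empty dict."""
    root = {}
    for path in paths:
        node = root
        for part in path.strip("/").split("/"):
            node = node.setdefault(part, {})
    return root


def _merge(into, other):
    for name, sub in other.items():
        _merge(into.setdefault(name, {}), sub)
    return into


def prune(node, threshold):
    """Collapse sibling names within `threshold` edits of an already kept
    sibling (e.g. report_v1 / report_v2) and merge their subtrees. Names are
    visited in sorted order so the result is deterministic. Keep the threshold
    well below typical name length or unrelated short names will merge."""
    kept = {}
    for name in sorted(node):
        twin = next((k for k in kept if levenshtein(k, name) <= threshold), None)
        if twin is None:
            kept[name] = node[name]
        else:
            _merge(kept[twin], node[name])
    return {name: prune(sub, threshold) for name, sub in kept.items()}


def leaf_paths(node, prefix=""):
    if not node:
        return [prefix or "/"]
    out = []
    for name, sub in node.items():
        out.extend(leaf_paths(sub, prefix + "/" + name))
    return out


def in_sphere(path, permitted):
    """Inside the permission sphere: within a permitted prefix, or an ancestor
    directory on the way to one (traversing /srv to reach /srv/eng is normal)."""
    return any(path == p or path.startswith(p + "/") or p.startswith(path + "/")
               for p in permitted)


IN_SCOPE_WEIGHT, OUT_OF_SCOPE_WEIGHT = 1.0, 3.0   # assumed edge scaling


def path_score(path, permitted):
    """Sum of edge weights along the path; an edge is scaled up when the
    directory or file it leads to lies outside the user's sphere."""
    parts = path.strip("/").split("/")
    total = 0.0
    for i in range(len(parts)):
        sub = "/" + "/".join(parts[: i + 1])
        total += IN_SCOPE_WEIGHT if in_sphere(sub, permitted) else OUT_OF_SCOPE_WEIGHT
    return total


def access_variance(paths, permitted, threshold=2):
    """Variance of leaf scores over the pruned tree: tight, in-scope access
    patterns score low; excursions out of the sphere raise it."""
    tree = prune(build_tree(paths), threshold)
    scores = [path_score(p, permitted) for p in leaf_paths(tree)]
    return pvariance(scores) if scores else 0.0


# Constructed access log for one user and the sphere an admin granted them.
ALICE_ACCESSES = [
    "/home/alice/docs/report_v1.docx",
    "/home/alice/docs/report_v2.docx",
    "/home/alice/docs/notes.txt",
    "/srv/finance/payroll_2023.xlsx",
]
ALICE_SPHERE = ["/home/alice", "/srv/eng"]

if __name__ == "__main__":
    print(leaf_paths(prune(build_tree(ALICE_ACCESSES), 2)))
    print(access_variance(ALICE_ACCESSES, ALICE_SPHERE))
```

Pruning by name distance is a heuristic: it collapses `report_v1` and `report_v2` as intended, but with a loose threshold it would also collapse `prod.key` and `dev.key`, so the threshold should be tuned per deployment and the metric compared against the same user's own baseline rather than against a fixed cut-off.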
95.
Systems and methods for governing VPN access using a remote device in proximity to a VPN endpoint
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
H04L 29/06 - Communication control; Communication processing characterised by a protocol
97.
Machine Learning Systems and Methods for API Discovery and Protection by URL Clustering With Schema Awareness
Systems and methods for performing multi-feed classification of security events to facilitate automated IR orchestration are provided. According to one embodiment, a cloud-based security service protecting a private network provides a plurality of data feeds, wherein each data feed independently classifies a given security event and produces a classification result. In response to an event associated with a process of an endpoint device that is part of the private network, an endpoint protection platform running on the endpoint device performs an initial classification of the event and transmits the classification result to the cloud-based security service for final classification.
Recommendations are made for granular traffic thresholds for a plurality of DDoS attack mitigation appliances that act as a set of appliances. The set of appliances can be those commonly found in highly available networks: active-active or active-passive appliances, disaster recovery data centers, backup appliances, etc.
An aggregate port selection is received from a user to bundle at least two individual data ports of the network device for single-channel data transfer. The lowest common denominator of the physical capabilities (speed and duplex) of the selected ports on the network device is determined through the operating system. Downgraded physical capabilities of at least one of the at least two data ports are committed to match that lowest common denominator. Data exchanges are conducted over the at least two ports of the network device according to LACP.
H04L 12/709 - Fault prevention or recovery in routing, e.g. rerouting, route redundancy, virtual router redundancy protocol [VRRP] or hot standby router protocol [HSRP] by path redundancy using M + N parallel active paths
H04L 12/751 - Topology update or discovery
H04L 12/721 - Routing procedures, e.g. shortest path routing, source routing, link state routing or distance vector routing
H04L 12/725 - Selecting a path with suitable quality of service [QoS]