Detection of malicious JavaScript based on automated user interaction emulation is disclosed. A malware sample is executed in an instrumented virtual environment. Dynamic behavior is triggered based on emulated user interactions.
G06F 21/56 - Détection ou gestion de programmes malveillants, p.ex. dispositions anti-virus
G06F 21/53 - Contrôle des usagers, programmes ou dispositifs de préservation de l’intégrité des plates-formes, p.ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p.ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données par exécution dans un environnement restreint, p.ex. "boîte à sable" ou machine virtuelle sécurisée
Internet of Things (IoT) device application workload capture is disclosed. A target IoT device is selected. A flow associated with the target IoT device is determined and tagged. Packets from the tagged flow are admitted into a ring buffer. An indication is received that an extraction should be performed on a portion of the packets included in the ring buffer.
H04L 41/06 - Gestion des fautes, des événements, des alarmes ou des notifications
H04L 41/0816 - Réglages de configuration caractérisés par les conditions déclenchant un changement de paramètres la condition étant une adaptation, p.ex. en réponse aux événements dans le réseau
3.
DETECTING BEHAVIORAL CHANGE OF IOT DEVICES USING NOVELTY DETECTION BASED BEHAVIOR TRAFFIC MODELING
An anomalous behavior detector has been designed to detect novel behavioral changes of devices based on network traffic data that likely correlate to anomalous behaviors. The anomalous behavior detector uses the local outlier factor (LOF) algorithm with novelty detection. After initial semi-supervised training with a single class training dataset representing stable device behaviors, the obtained model continues learning frontiers that delimit subspaces of inlier observations with live network traffic data. Instead of traffic variables being used as features, the features that form feature vectors are similarities of network traffic variable values across time intervals. A feature vector for the anomalous behavior detector represents stability or similarity of network traffic variables that have been chosen as device identifiers and behavioral indicators.
An execution environment has been designed that detects likely data exfiltration by using taint tracking and abstract execution. The execution environment is instrumented to monitor for use of functions identified as having functionality for transferring data out of an execution environment. In addition, heuristics-based rules are defined to mark or “taint” objects (e.g., variables) that are likely targets for exfiltration. With taint tracking and control flow analysis, the execution environment tracks the tainted objects through multiple execution paths of a code sample. After comprehensive code coverage, logged use of the monitored functions are examined to determine whether any tainted objects were passed to the monitored functions. If so, the logged use will indicate a destination or sink for the tainted source. Each tainted source-sink association can be examined to verify whether the exfiltration was malicious.
Computer systems and methods are provided for storing a first path profile. A computing device receives a first request to access a first location of a website, transmits the first request to a server, and receives a first cookie that includes identifying information for the first location. In response to receiving the first cookie, the device stores the identifying information. The device receives a second request to access a second location of the website that is distinct from the first location. The second request includes the identifying information for the first location. The device transmits the second request to the server and receives a second cookie that includes the identifying information for the first location and for the second location. In response to receiving the second cookie, the device stores the first path profile that includes the identifying information for the first location and the second location.
Analysis of samples for maliciousness is disclosed. A sample is executed and one or more network activities associated with executing the sample are recorded. The recorded network activities are compared to a malware profile. The malware profile comprises a set of network activities taken by a known malicious application during execution of the known malicious application. A verdict of “malicious” is assigned to the sample based at least in part on a determination that the recorded network activities match the malware profile.
G06F 21/56 - Détection ou gestion de programmes malveillants, p.ex. dispositions anti-virus
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p.ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
H04W 12/128 - Dispositions anti-programmes malveillants, p.ex. protection contre la fraude par SMS ou les programmes malveillants mobiles
7.
INLINE PACKAGE NAME BASED SUPPLY CHAIN ATTACK DETECTION AND PREVENTION
Inline package name based supply chain attack detection and prevention is disclosed. An indication that a client device has made a request to a remote server for a package is received. A data appliance then performs an action responsive to the received indication. In an example implementation, the data appliance makes a determination of whether the request for the package is associated with a nonexisting package.
APPLYING SUBSCRIBER-ID BASED SECURITY, EQUIPMENT-ID BASED SECURITY, AND/OR NETWORK SLICE-ID BASED SECURITY WITH USER-ID AND SYSLOG MESSAGES IN MOBILE NETWORKS
Techniques for applying subscriber-ID based security, equipment-ID based security, and/or network slice-ID based security with user-ID and syslog messages in mobile networks are disclosed. In some embodiments, a system/process/computer program product for applying subscriber-ID based security, equipment-ID based security, and/or network slice-ID based security with user-ID and syslog messages in mobile networks includes monitoring network traffic on a mobile network at a security platform to identify a new session; extracting a plurality of parameters by parsing syslog messages with a user-ID agent at the security platform; and enforcing a security policy on the new session at the security platform based on one or more of the plurality of parameters including one or more of a subscriber-ID, equipment-ID, and network slice-ID to apply context-based security in the mobile network.
An OCR filter described herein filters non-textual files in scanned customer data from optical character recognition (OCR) and pattern analysis of text generated thereof for sensitive customer data. The OCR filter is trained on files labelled using feature values for features generated from OCR applied to the corresponding files. Moreover, the OCR filter stores internal representations of the files during training to avoid leaking potential sensitive customer data contained therein. Once trained, performance of the OCR filter in filtering files comprising image data without text is evaluated according to false positive rates and false negative rates by comparing classifications of the OCR filter to classifications according to feature values for features generated from OCR. Evaluation of the OCR filter ensures continued model performance and informs model updates.
Techniques for providing innocent until proven guilty (IUPG) solutions for building and using adversary resistant and false positive resistant deep learning models are disclosed. In some embodiments, a system, process, and/or computer program product includes storing a set comprising one or more innocent until proven guilty (IUPG) models for static analysis of a sample; performing a static analysis of content associated with the sample, wherein performing the static analysis includes using at least one stored IUPG model; and determining that the sample is malicious based at least in part on the static analysis of the content associated with the sample, and in response to determining that the sample is malicious, performing an action based on a security policy.
Techniques for supporting overlapping network addresses universally are disclosed. A system, process, and/or computer program product for supporting overlapping network addresses universally includes generating at least two virtual routers for a cloud security service, the at least two virtual routers including a first virtual router and a second virtual router, routing cloud security service packets using the first virtual router, and routing enterprise subscriber packets using the second virtual router.
Exemplary methods, apparatuses, and systems include duplicating a packet within a plurality of packets to be transmitted to a destination computing node as a sequence of packets. The plurality of packets including the duplicate of the packet are transmitted to the destination computing node. Upon receiving a first acknowledgement of the packet from the destination computing node, it is determined that the first acknowledgment is directed to a duplicated packet. In response to determining that the first acknowledgment is directed to a duplicated packet, it is determined that a second acknowledgement has yet to be received for each of one or more packets within the plurality of packets transmitted prior to the packet. In response to determining that the second acknowledgement has yet to be received, the one or more packets are retransmitted to the destination computing node.
H04L 1/1607 - Dispositions pour détecter ou empêcher les erreurs dans l'information reçue en utilisant un canal de retour dans lesquelles le canal de retour transporte des signaux de contrôle, p.ex. répétition de signaux de demande - Détails du signal de contrôle
The technology presented herein enables the use of a clustering algorithm to identify additional malicious domains based on known malicious domains. A domain identifier system identifies a first plurality of domain names associated with a malicious domain campaign and seeding a first clustering algorithm with the first plurality of domain names. After seeding the first clustering algorithm, the domain identifier system uses the first clustering algorithm to process passive domain name system (DNS) records to identify and group a second plurality of domain names associated with the malicious domain campaign.
H04L 61/4511 - Répertoires de réseau; Correspondance nom-adresse en utilisant des protocoles normalisés d'accès aux répertoires en utilisant le système de noms de domaine [DNS]
14.
Intent-based query and response routing between users and backend services
For a seamless and robust artificial intelligence-based assistant experience, an intent-based query and response router has been designed to operate as an intelligent layer between a user and multiple backend services that may respond to one or more queries over the course of a conversation with the user. The query router interacts with an intent classification service to obtain an intent classification for a prompt that is based on a user query. The query router uses the intent classification, which is used as an identifier of a backend service, to route the user query to an appropriate one (or more) of the backend services. When a response is detected, the query router determines a corresponding conversation and provides the response for the conversation.
An API response field classification service obtains API documentation published by a vendor and defined security policies and matches the response fields represented in the security policies to their descriptions in the API documentation. The service generates labelled training data that comprise the identified response field descriptions with labels indicating that their corresponding response field is security related. Additional labelled training data for security unrelated response fields comprises descriptions of response fields that are known not to be represented with any security policies. The service trains a text classifier on the labelled training data. The trained text classifier accepts inputs comprising descriptions of unknown response fields and outputs predicted classes indicating whether the corresponding response fields are predicted to be security related. Subsequent creation of security policies can be focused on these response fields predicted to be security related.
The present application discloses a method, system, and computer system for automatically detecting protocol compliance of applications. The method includes determining a URL of a webpage for a software-as-a-service (SaaS) product, extracting body text from the webpage, and using a classifier to determine whether the SaaS product is compliant with one or more protocols.
G06F 16/951 - Indexation; Techniques d’exploration du Web
G06F 16/955 - Recherche dans le Web utilisant des identifiants d’information, p.ex. des localisateurs uniformisés de ressources [uniform resource locators - URL]
G06F 16/954 - Navigation, p.ex. en utilisant la navigation par catégories
Techniques for probing for Cobalt Strike TeamServer detection are disclosed. In some embodiments, a system/process/computer program product for probing for Cobalt Strike TeamServer detection includes monitoring HyperText Transfer Protocol (HTTP), HTTPS, and/or Domain Name System (DNS) network traffic at a firewall; prefiltering the monitored HTTP, HTTPS, and/or DNS network traffic at the firewall to select a subset of the HTTP, HTTPS, and/or DNS network traffic to forward to a cloud security service; performing HTTP, HTTPS, and/or DNS probing of a target to detect whether the target is a Cobalt Strike TeamServer; and performing an action in response to detecting that the target is the Cobalt Strike TeamServer.
Techniques for beacon and threat intelligence based Advanced Persistent Threat (APT) detection are disclosed. In some embodiments, a system/process/computer program product for beacon and threat intelligence based APT detection includes collecting firewall log data from monitored network traffic; analyzing the firewall log data at a cloud security service to identify beacon traffic based on a plurality of heuristics; performing a risk evaluation of the beacon traffic to detect malicious beacon traffic; and performing an action in response to detecting the malicious beacon traffic.
A method and system for detecting shadowed domains is provided. New hostnames are collected for a predetermined period of time. Candidate shadowed domains are selected from the new hostnames. Classification of the candidate shadowed domains is performed based on a plurality of features relating to the candidate shadowed domains to output a set of identified shadowed domains. An action is performed based on the set of identified shadowed domains.
H04L 41/16 - Dispositions pour la maintenance, l’administration ou la gestion des réseaux de commutation de données, p.ex. des réseaux de commutation de paquets en utilisant l'apprentissage automatique ou l'intelligence artificielle
20.
SAMPLE TRAFFIC BASED SELF-LEARNING MALWARE DETECTION
Techniques for sample traffic based self-learning malware detection are disclosed. In some embodiments, a system/process/computer program product for sample traffic based self-learning malware detection includes receiving a plurality of samples for malware detection analysis using a sandbox; executing each of the plurality of samples in the sandbox and monitoring network traffic during execution of each of the plurality of samples in the sandbox; detecting that one or more of the plurality of samples is malware based on automated analysis of the monitored network traffic using a command and control (C2) machine learning (ML) model if there is not a prior match with an intrusion prevention system (LPS) signature; and performing an action in response to detecting that the one or more of the plurality of samples is malware based on the automated analysis of the monitored network traffic using the C2 ML model. In some embodiments, the IPS signatures and C2 ML model are automatically generated and trained.
G06F 21/56 - Détection ou gestion de programmes malveillants, p.ex. dispositions anti-virus
G06F 21/53 - Contrôle des usagers, programmes ou dispositifs de préservation de l’intégrité des plates-formes, p.ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p.ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données par exécution dans un environnement restreint, p.ex. "boîte à sable" ou machine virtuelle sécurisée
G06N 5/022 - Ingénierie de la connaissance; Acquisition de la connaissance
Techniques for Cobalt Strike Beacon HTTP C2 heuristic detection are disclosed. In some embodiments, a system/process/computer program product for Cobalt Strike Beacon HTTP C2 heuristic detection includes monitoring HyperText Transfer Protocol (HTTP) network traffic at a firewall; prefiltering the monitored HTTP network traffic at the firewall to select a subset of the HTTP network traffic to forward to a cloud security service; determining whether the subset of the HTTP network traffic is associated with Cobalt Strike Beacon HTTP C2 traffic activity based on a plurality of heuristics; and performing an action in response to detecting the Cobalt Strike Beacon HTTP C2 traffic activity.
A cloud resource management system detects resource misconfiguration for resources in a cloud including cloud policy misconfigurations and resource vulnerabilities. An attack chain analyzer identifies attack chains from misconfigured resources ordered according to stages in an attack framework that models sequential behavior for malicious attacks. The attack chains are detected according to a depth-first search traversal of adjacent resources that have pairwise exposure according to characteristics indicated in the cloud policy misconfigurations and resource vulnerabilities. The attack chain analyzer generates further diagnostics that inform remediation of resource misconfigurations for malicious attack prevention.
The present application discloses a method, system, and computer system for detecting parked domains. The method includes obtaining, by one or more processors, a set of webpages corresponding to a plurality of domains, extracting a plurality of features based on the set of webpages, detecting parked domains based on the plurality of features using a machine learning model, and periodically applying automatic signature generation to detect a new pattern of parked domains without retraining the machine learning model.
G06F 16/958 - Organisation ou gestion de contenu de sites Web, p.ex. publication, conservation de pages ou liens automatiques
G06F 16/955 - Recherche dans le Web utilisant des identifiants d’information, p.ex. des localisateurs uniformisés de ressources [uniform resource locators - URL]
G06F 16/953 - Requêtes, p.ex. en utilisant des moteurs de recherche du Web
Techniques for Cobalt Strike Beacon HTTPS C2 heuristic detection are disclosed. In some embodiments, a system/process/computer program product for Cobalt Strike Beacon HTTPS C2 heuristic detection includes monitoring HyperText Transfer Protocol Secure (HTTPS) network traffic at a firewall; prefiltering the monitored HTTPS network traffic at the firewall to select a subset of the HTTPS network traffic to forward to a cloud security service; determining whether the subset of the HTTPS network traffic is associated with Cobalt Strike Beacon HTTPS C2 traffic activity based on a plurality of heuristics; and performing an action in response to detecting the Cobalt Strike Beacon HTTPS C2 traffic activity.
Dynamic partitioning of a search space of queries is implemented for flexible, heuristic database querying. Search space partitioning refers to dividing the search space for a submitted query into smaller parts by augmenting the queries to append thereto an additional predicate comprising a dynamic partition key and a value(s) selected based on heuristics (e.g., recency and/or relevancy of the value(s)). A plurality of candidate augmentations of the query and corresponding query plans are generated and evaluated based on additional heuristics to determine which can be executed to yield the best results in terms of result quality and latency. This query plan is selected and executed for retrieval of results that satisfy the query, with pagination utilized for presentation of the results. The procedure of generating candidate query plans, selecting one of the candidates for execution, and paginating results is repeated until a search termination criterion is satisfied.
Techniques for providing consistent monitoring and analytics for security insights for network and security functions for a security service are disclosed. In some embodiments, a system/process/computer program product for providing consistent monitoring and analytics for security insights for network and security functions for a security service includes receiving a flow at a software-defined wide area network (SD-WAN) device; inspecting the flow to determine whether the flow is associated with a split tunnel; and monitoring the flow at the SD-WAN device to collect security information associated with the flow for reporting to a security service.
Techniques for generating actionable indicators of compromise (IOCs) are disclosed. A set of potential sources for IOCs are received. One or more candidate IOCs are extracted from at least one source included in the set of potential sources. An actionable IOC is automatically identified from the one or more candidate IOCs. The actionable IOC is provided to a security enforcement service.
Techniques for packet classification for network routing are disclosed. In some embodiments, packet classification for network routing includes receiving packets associated with a new flow at a security controller from a network device, in which the network device performs packet forwarding; classifying the flow; and determining an action for the flow based on a policy (e.g., a security policy). In some embodiments, the network device is a Software Defined Network (SDN) network device (e.g., a packet forwarding device that supports the OpenFlow protocol or another protocol).
H04L 47/2441 - Trafic caractérisé par des attributs spécifiques, p.ex. la priorité ou QoS en s'appuyant sur la classification des flux, p.ex. en utilisant des services intégrés [IntServ]
H04L 67/63 - Ordonnancement ou organisation du service des demandes d'application, p.ex. demandes de transmission de données d'application en utilisant l'analyse et l'optimisation des ressources réseau requises en acheminant une demande de service en fonction du contenu ou du contexte de la demande
H04L 45/00 - Routage ou recherche de routes de paquets dans les réseaux de commutation de données
H04L 45/64 - Routage ou recherche de routes de paquets dans les réseaux de commutation de données à l'aide d'une couche de routage superposée
H04L 69/22 - Analyse syntaxique ou évaluation d’en-têtes
29.
SECURITY APPLIANCE TO MONITOR NETWORKED COMPUTING ENVIRONMENT
A security appliance samples data about software defined infrastructures (SDIs) of a cloud computing environment to incrementally build models that map resource attributes indicated in fields to data types. The security appliance uses the model(s) to provide context sensitive help in policy rule constructions.
An asset attribution model attributes assets to organizations according to metadata about the assets retrieved by a network scanner and other metadata in association with the assets that is retrieved and stored in a repository. A data slice rules interface applies logical rules to query the repository to retrieve metadata for assets satisfying each logical rule to generate data slices. Each logical rule is constructed so that assets satisfying the rule have attributions to known organizations. The asset attribution model is evaluated for accuracy in predicting known attributed organizations along each data slice. Depending on the resulting accuracies, the asset attribution model either updates its architecture and is retrained or is deployed for asset attribution.
The present application discloses a method, system, and computer system for detecting malicious SQL or command injection strings. The method includes obtaining an SQL or command injection string and determining whether the command injection string is malicious based at least in part on a machine learning model.
The present application discloses a method, system, and computer system for detecting malicious files. The method includes obtaining network traffic, pre-filtering the network traffic based at least in part on a first set of features for traffic reduction, and using a detection model in connection with determining whether the filtered network traffic comprises malicious traffic, the detection model being based at least in part on a second set of features for malware detection.
H04L 41/16 - Dispositions pour la maintenance, l’administration ou la gestion des réseaux de commutation de données, p.ex. des réseaux de commutation de paquets en utilisant l'apprentissage automatique ou l'intelligence artificielle
33.
HIGH AVAILABILITY OF CLOUD-BASED SERIVCES WITH ADDRESS TRANSLATION
Described herein are systems, methods, and software to enhance failover operations in a cloud computing environment. In one implementation, a method of operating a first service instance in a cloud computing environment includes obtaining a communication from a computing asset, wherein the communication comprises a first destination address. The method further provides replacing the first destination address with a second destination address in the communication, wherein the second destination address comprises a shared address for failover from a second service instance. After replacing the address, the method determines whether the communication is permitted based on the second destination address, and if permitted, processes the communication in accordance with a service executing on the service instance.
H04L 61/2517 - Traduction d'adresses de protocole Internet [IP] en utilisant des numéros de port
G06F 9/455 - Dispositions pour exécuter des programmes spécifiques Émulation; Interprétation; Simulation de logiciel, p.ex. virtualisation ou émulation des moteurs d’exécution d’applications ou de systèmes d’exploitation
H04L 67/10 - Protocoles dans lesquels une application est distribuée parmi les nœuds du réseau
H04L 69/40 - Dispositions, protocoles ou services de réseau indépendants de la charge utile de l'application et non couverts dans un des autres groupes de la présente sous-classe pour se remettre d'une défaillance d'une instance de protocole ou d'une entité, p.ex. protocoles de redondance de service, état de redondance de protocole ou redirection de service de protocole
G06F 11/20 - Détection ou correction d'erreur dans une donnée par redondance dans le matériel en utilisant un masquage actif du défaut, p.ex. en déconnectant les éléments défaillants ou en insérant des éléments de rechange
34.
Inline package name based supply chain attack detection and prevention
Inline package name based supply chain attack detection and prevention is disclosed. An indication that a client device has made a request to a remote server for a package is received. A data appliance then performs an action responsive to the received indication. In an example implementation, the data appliance makes a determination of whether the request for the package is associated with a nonexisting package.
In a network control plane, a pattern matching database is built and maintained for identifying an application or application level protocol. In addition, pattern matching databases for predicting a subsequent flow for application layer/level protocols or data protocols are built and maintained. After flow differentiation in network traffic mirrored from a data plane, the network traffic flow is scanned in a first stage and then in a second stage if a signaling protocol message is detected in the first stage scan. For the second stage, one of the application/data protocol pattern databases is selected for scanning based on the signaling protocol message detected in the first stage scanning. If a match is found from the stage 2 scanning, a mapping between the signaling protocol identifier and an identifier for a predicted application traffic flow is created and communicated to the data plane for policy selection and enforcement.
Techniques for 5G LAN security in mobile networks are disclosed. In some embodiments, a system/process/computer program product for 5G LAN security in mobile networks includes monitoring network traffic on a mobile network at a security platform to identify a new session; extracting a plurality of 5G LAN related parameters using an application programming interface (API) at the security platform; and enforcing a security policy on the new session at the security platform based on one or more of the plurality of 5G LAN related parameters to apply 5G LAN security in the mobile network.
At least initially blocking client download of certain content and injecting a user verification step for such downloads is disclosed. In some embodiments, a notification page with an option to accept a response from a server is provided to a client, an indication of user selection of the option to accept in the notification page is received from the client, and requested content received from the server is provided to the client. Injecting a user verification step via the notification page before providing requested content facilitates protecting the client from security threats.
Techniques for securing control and user plane separation in mobile networks (e.g., service provider networks for mobile subscribers, such as for 4G/5G networks) are disclosed. In some embodiments, a system/process/computer program product for securing control and user plane separation in mobile networks in accordance with some embodiments includes monitoring network traffic on a mobile network at a security platform to identify an Packet Forwarding Control Protocol (PFCP) message associated with a new session, in which the mobile network includes a 4G network or a 5G network; extracting a plurality of parameters from the PFCP message at the security platform; and enforcing a security policy at the security platform on the new session based on one or more of the plurality of parameters to secure control and user plane separation in the mobile network.
Techniques for fast policy matching with runtime signature update are disclosed. In some embodiments, a system/process/computer program product for fast policy matching with runtime signature update includes receiving a plurality of rules for malware signatures; compiling the plurality of rules for a fast policy matching engine that detects malware using the malware signatures; and executing the compiled plurality of rules using the fast policy matching engine to detect malware using at least one of the malware signatures.
Each tenant of a secure web gateway (SWG) is issued a secret key. A user accesses a unique secret key derived from the tenant's secret key and loads the secret key into an application which generates time-based one time passwords (TOTPs). When the SWG receives a connection request from a client and cannot decrypt the network traffic, the SWG challenges the client request and indicates an authentication scheme to be used. The client obtains user credentials, constructs a response to the challenge based on the authentication scheme, and issues a connection request to the SWG which indicates the response. The SWG determines an expected response based on a locally generated TOTP and the secret key of the corresponding tenant. If the expected response matches the provided response, the SWG authenticates the user, allows the connection request, and whitelists the client for a period longer than the lifetime of the TOTP.
H04L 9/32 - Dispositions pour les communications secrètes ou protégées; Protocoles réseaux de sécurité comprenant des moyens pour vérifier l'identité ou l'autorisation d'un utilisateur du système
H04L 67/02 - Protocoles basés sur la technologie du Web, p.ex. protocole de transfert hypertexte [HTTP]
A browser extension produces a single view comprising content of web pages of a target vendor requested by a customer and corresponding security information for the target vendor maintained for the customer. Fingerprints of the target vendor's web page URLs and web page elements corresponding to resources, respectively, are determined. As the web browser retrieves web pages and the customer selects web page elements that identify resources, the browser extension matches URLs and/or HTML/XML syntactic patterns of the retrieved web pages to the fingerprints to determine the security information to obtain from backend storage. The type/granularity of information that is retrieved can vary depending on the identified fingerprint match. The browser extension retrieves security information corresponding to fingerprints for which matches are identified, generates security overviews therefrom, and integrates the security overviews into the requested web pages to generate a consolidated, multi-perspective view.
Computer systems and methods are provided for storing a first path profile. A computing device receives a first request to access a first location of a website, transmits the first request to a server, and receives a first cookie that includes identifying information for the first location. In response to receiving the first cookie, the device stores the identifying information. The device receives a second request to access a second location of the website that is distinct from the first location. The second request includes the identifying information for the first location. The device transmits the second request to the server and receives a second cookie that includes the identifying information for the first location and for the second location. In response to receiving the second cookie, the device stores the first path profile that includes the identifying information for the first location and the second location.
A system has been designed that examines details of a security advisory against informal vulnerability records. The system generates a vulnerability match confidence value based on comparison of different details in the security advisory against the informal vulnerability records. Based on the comparisons, the system determines similarity of different details between the security advisory and the informal vulnerability records and cumulatively updates a vulnerability match confidence value with various detail similarity weights according to the determined similarities. Based on the vulnerability match confidence value, the system can classify or designate a security advisory for automatic merging or for manual examination. This reduces the burden on cybersecurity personnel and allows cybersecurity personnel to focus their limited resources on analyzing new vulnerabilities.
Embodiments of the present application relate to a method for policy enforcement, a system for policy enforcement, and a computer program product for policy enforcement. A method for policy enforcement is provided. The method includes receiving a host information profile report from a client device, and enforcing a security policy for network access based on the host information profile report. The host information profile report includes device profile information associated with the client device.
The disclosure describes various aspects of crowdsourcing traffic data for automatic and dynamic benchmarking of applications. In an aspect, an intelligence layer, communicatively coupled to a data collection layer and a visualization layer, is configured to receive traffic data from data sources (e.g., physical appliances, probes) in the data collection layer, the data sources being associated with multiple customers, and the traffic data being associated with at least one application (e.g., word processing, video streaming) used by the multiple customers. The intelligence layer is a cloud-based layer further configured to process the traffic data to determine performance thresholds for the at least one application, and may send one or more of the performance thresholds to a data source for a different customer to be used for benchmarking the at least one application for the different customer.
A resource database which stores structured data describing resources from a diverse array of origins (e.g., an application or cloud environment) is built and maintained to support querying, policy enforcement, and remediation of resources from any origin. Structured data representing resources are obtained from any origin for insertion and categorized based on their type and/or origin. Resources within a category have a shared set of potential object paths as defined by the hierarchical tree structure of their structured data. Resources may be correlated across categories based on having values at different object paths in common. Queries and rules/policies can thus reference resources of any category and also resources across different categories based on correlations between the resources, thereby extending rule/policy enforcement and incident remediation across multiple different origins of resources.
Techniques for automatically detecting unknown packers are disclosed. In some embodiments, a system/process/computer program product for automatically detecting unknown packers includes receiving a plurality of samples for malware packer detection analysis; performing a packer filter to determine whether each of the plurality of samples is packed; emulating each of the packed samples to extract a plurality of features; and clustering the packed samples based on the extracted features.
Dynamic content tags are generated as content is received by a dynamic content tagging system. A natural language processor (NLP) tokenizes the content and extracts contextual N-grams based on local or global context for the tokens in each document in the content. The contextual N-grams are used as input to a generative model that computes a weighted vector of likelihood values that each contextual N-gram corresponds to one of a set of unlabeled topics. A tag is generated for each unlabeled topic comprising the contextual N-gram having a highest likelihood to correspond to that unlabeled topic. Topic-based deep learning models having tag predictions below a threshold confidence level are retrained using the generated tags, and the retrained topic-based deep learning models dynamically tag the content.
Techniques for identifying and blocking domains used for NXNS-based distributed denial of service (DDos) attacks are disclosed. An analysis of DNS data is performed to identify a candidate attack domain associated with an NXNS attack. The candidate attack domain is confirmed as a confirmed attack domain based at least in part on a validation.
A pseudo-active/active firewall configuration handles firewall switchover events with minimized session disconnection. A passive firewall is set to an active state, and an active firewall is switched to a pseudo-active state wherein it continues to process ingress and egress traffic according to traffic handling protocols for its active state. During updating of a corresponding Network Address Translation (NAT) table to route traffic to the now-active firewall, the pseudo-active firewall enters a forwarding state wherein it forwards ingress network sessions to the now-active firewall and processes the ingress network sessions according to its active state. The now-active firewall receives the ingress network sessions and records session states prior to discarding them. After updating the NAT table, when traffic is routed to the now-active firewall, the recorded session states are used to maintain active sessions.
Techniques for providing Internet of Things (IoT) security are disclosed. An applicable system includes profiling IoT devices to limit the number of network signatures applicable to the IoT devices and performing pattern matching using a pattern that is appropriate for the profile of a given IoT device.
A pseudo-active/active firewall configuration handles firewall switchover events without traffic disruption. A passive firewall is set to an active state, and an active firewall is switched to a pseudo-active state wherein it continues to process ingress and egress traffic according to traffic handling protocols for its active state. An Internet protocol address binding linking the now pseudo-active firewall to an Internet gateway that forwards traffic to the firewalls is updated in a network address translation (NAT) table to route traffic to the newly active firewall. Once a pseudo-active timer expires and the binding is successfully updated to route traffic to the newly active firewall, the pseudo-active firewall is set to a passive state.
A system and method for locating DGA compromised IP addresses is provided. A domain name system (DNS) stream is received. The DNS stream is classified into DGA generated domains using a machine learning classifier to generate a classification output. User behavior profiling is performed to enhance the classification output. A verdict is generated based on the user behavior profiling of the classification output including identifying a compromised source IP address associated with a detected DGA malware attack.
An inline and offline machine learning pipeline for detection of phishing attacks with a holistic, easily upgradeable framework is presented herein. A packet analyzer records capture logs of network traffic between an endpoint device and a firewall. A parser extracts inputs from the capture logs inline that it communicates to one of an inline model and an offline model for phishing detection. The inline model and offline model are neural networks with parallelizable network architectures that do not depend on handcrafted inputs. The inline model operates inline with the packet analyzer and parser and makes fast phishing attack classifications based on inputs generated from capture logs. The offline model uses additional inputs such as inputs generated from network logs to make phishing attack classifications.
A URL categorization query is received. The URL categorization query includes at least one URL. The URL is used to determine a set of data distribution keys. A distributed key-value data store is queried using at least one data distribution key included in the determined set of data distribution keys. Categorization information is returned. The returned URL categorization information can be used to enforce policies.
G06F 16/955 - Recherche dans le Web utilisant des identifiants d’information, p.ex. des localisateurs uniformisés de ressources [uniform resource locators - URL]
G06F 16/9035 - Filtrage basé sur des données supplémentaires, p.ex. sur des profils d'utilisateurs ou de groupes
G06F 16/9038 - Présentation des résultats des requêtes
Adaptive pooling layers for compressing variably sized inputs use window sizes and stride lengths specific to variable input size and fixed output size at the pooling layer. A naïve and an optimal adaptive pooling algorithm disclosed herein determine window size and stride length for variable sized inputs while minimizing window size and ensuring no padding is used in the output representation. These adaptive pooling algorithms are implemented in a pipeline for text document classification involving a natural language processor that generates embedding vectors for variably sized text documents and at least one of the adaptive pooling algorithms at a first adaptive pooling layer of a classification neural network to process the embedding vectors.
The detection of phishing Portable Document Format (PDF) files using an image-based deep learning approach is disclosed. A PDF document that includes a Universal Resource Locator is received. A likelihood that the received PDF document represents a phishing threat is determined, at least in part, by using an image based model. A verdict for the PDF document is provided as output based at least in part on the determined likelihood.
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p.ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
58.
MALWARE DETECTION FOR DOCUMENTS WITH DEEP MUTUAL LEARNING
The detection of malicious documents using deep mutual learning is disclosed. A document is received for maliciousness determination. A likelihood that the received document represents a threat is determined. The determination is made, at least in part, using a raw bytes model that was trained, at least in part, using a mutual learning process in conjunction with training an image based model. A verdict for the document is provided as output based at least in part on the determined likelihood.
Low variance clustering models and high variance clustering models comprising low and high variance features of user Software as a Service application traffic detect anomalous user behavior and, when risk thresholds are exceeded, trigger behavioral alerts. The low and high variance clustering models are trained with feature vectors that are dimension reduced using principal component analysis and clusters therein are classified as normal, benign, or malicious. Models are trained repeatedly in a sliding time window of training data to detect recent and potentially malicious user behavior. Behavioral alerts are triggered according to criterion specific to each of the low and high variance clustering models that account for increased risk associated with anomalous changes in low variance features.
Techniques for application identification for phishing detection are disclosed. In some embodiments, a system/process/computer program product for application identification for phishing detection includes monitoring network activity associated with a session to detect a request to access a site; determining advanced application identification associated with the site; and identifying the site as a phishing site based on the advanced application identification.
The present application discloses a method, system, and computer system for detecting malicious .NET files. The method includes receiving a sample that comprises a .NET file, obtaining information pertaining to common language runtime (CLR) metadata and streams associated with the .NET file, and determining whether the sample is malware based at least in part on (i) a classifier, and (ii) the information pertaining to the CLR metadata and streams.
Execution of an application in an application-level sandbox is disclosed. A request to launch an application is received by an operating system executing on a device. A determination is made that a stored copy of the application should be executed within an application-level sandbox. The stored copy of the application is executed in the application-level sandbox.
G06F 21/53 - Contrôle des usagers, programmes ou dispositifs de préservation de l’intégrité des plates-formes, p.ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p.ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données par exécution dans un environnement restreint, p.ex. "boîte à sable" ou machine virtuelle sécurisée
G06F 21/14 - Protection des logiciels exécutables contre l’analyse de logiciel ou l'ingénierie inverse, p.ex. par masquage
G06F 21/55 - Détection d’intrusion locale ou mise en œuvre de contre-mesures
G06F 21/56 - Détection ou gestion de programmes malveillants, p.ex. dispositions anti-virus
63.
COMBINATION RULE MINING FOR MALWARE SIGNATURE GENERATION
Malware signature generation through combination rule mining is disclosed. A set of properties associated, collectively, with a plurality of data samples is received. A first data sample has a first set of properties and a second data sample has a second set of properties. A combination signature comprising at least a first property included in the first set of properties and a second property included in the second set of properties is generated.
An auto scale monitoring service performs load balancing on a cloud firewall with minimized traffic disruption using eager and lazy load balancing protocols. The auto scale monitoring service operates through an orchestrator that initializes a new firewall and sends forwarding instructions to the new firewall for rerouting excess traffic. The auto scale monitoring service additionally operates through a software defined wide area network controller that sends routing instructions to a local branch of network devices to reroute to the new firewall from an overloaded current firewall. The eager protocol immediately tears down a tunneling session from the local branch to the current firewall and the lazy protocols gradually tears down this tunneling session. Both protocols properly inform firewalls how to forward ongoing traffic in each case and establish updated traffic flow through a tunneling session from the local branch to the new firewall.
The detection of malicious documents using knowledge distillation assisted learning is disclosed. A document is received for maliciousness determination. A likelihood that the received document represents a threat is determined. The determination is made, at least in part, using a raw bytes model that was trained, at least in part, using image model prediction probabilities. A verdict for the document is provided as output based at least in part on the determined likelihood.
A system and method for detecting dictionary-based DGA traffic is provided. A domain name system (DNS) stream is received. The DNS stream is classified using a per domain dictionary domain generation algorithm (DGA) classifier to generate candidate dictionary DGA domains with cluster information. The candidate dictionary DGA domains are filtered to generate a set of dictionary DGA domains. An action is performed based on a match with a monitored domain name of a monitored DNS request and a dictionary DGA domain of the set of dictionary DGA domains.
Detection of algorithmically generated domains is disclosed. A DNS query is received. Markov Chain analysis is performed on a domain included in the received query. A determination of whether the received query implicates an algorithmically generated domain is made based at least in part on a result of the Markov Chain analysis.
H04L 61/3015 - Enregistrement, génération ou allocation de nom
H04L 61/4511 - Répertoires de réseau; Correspondance nom-adresse en utilisant des protocoles normalisés d'accès aux répertoires en utilisant le système de noms de domaine [DNS]
G06F 16/955 - Recherche dans le Web utilisant des identifiants d’information, p.ex. des localisateurs uniformisés de ressources [uniform resource locators - URL]
G06F 21/55 - Détection d’intrusion locale ou mise en œuvre de contre-mesures
Domain Name System (DNS) security using process information is provided. An application accessing an internet service using a domain name is determined. Process information associated with the application along with an associated DNS query to identify an IP address associated with the domain name are identified. The process information and the associated DNS query to a DNS security service are sent. An action based on a response from the DNS security service is performed.
The present application discloses a method, system, and computer system for detecting malicious files. The method includes executing a sample in a virtual environment, and determining whether the sample is malware based at least in part on memory-use artifacts obtained in connection with execution of the sample in the virtual environment.
G06F 21/56 - Détection ou gestion de programmes malveillants, p.ex. dispositions anti-virus
G06F 21/53 - Contrôle des usagers, programmes ou dispositifs de préservation de l’intégrité des plates-formes, p.ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p.ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données par exécution dans un environnement restreint, p.ex. "boîte à sable" ou machine virtuelle sécurisée
70.
PREVENTING RANSOMWARE FROM ENCRYPTING FILES ON A TARGET MACHINE
Techniques for preventing ransomware from encrypting files on a target machine are disclosed. In some embodiments, a system/process/computer program product for preventing ransomware from encrypting files on a target machine includes monitoring file system activities on a computing device; detecting an unauthorized activity associated with a honeypot file or honeypot folder; and performing an action based on a policy in response to the unauthorized activity associated with the honeypot file or honeypot folder.
Automatic generation of a malware signature is disclosed. Code of a sample including packages and function names is parsed. Standard type packages and vendor type packages are filtered from the code of the sample to obtain main type packages. A signature using a fuzzy hash for the sample is generated based on the main type packages. A determination of whether the sample is malware is performed using the signature and a similarity score threshold.
G06F 21/56 - Détection ou gestion de programmes malveillants, p.ex. dispositions anti-virus
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p.ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
Techniques for Cobalt Strike Beacon HTTP C2 heuristic detection are disclosed. In some embodiments, a system/process/computer program product for Cobalt Strike Beacon HTTP C2 heuristic detection includes monitoring HyperText Transfer Protocol (HTTP) network traffic at a firewall; prefiltering the monitored HTTP network traffic at the firewall to select a subset of the HTTP network traffic to forward to a cloud security service; determining whether the subset of the HTTP network traffic is associated with Cobalt Strike Beacon HTTP C2 traffic activity based on a plurality of heuristics; and performing an action in response to detecting the Cobalt Strike Beacon HTTP C2 traffic activity.
G06F 9/00 - Dispositions pour la commande par programme, p.ex. unités de commande
G06F 15/16 - Associations de plusieurs calculateurs numériques comportant chacun au moins une unité arithmétique, une unité programme et un registre, p.ex. pour le traitement simultané de plusieurs programmes
G06F 17/00 - TRAITEMENT ÉLECTRIQUE DE DONNÉES NUMÉRIQUES Équipement ou méthodes de traitement de données ou de calcul numérique, spécialement adaptés à des fonctions spécifiques
A geofencing service establishes an initial geofence for monitoring devices connected to a cellular network. Upon receipt of a notification generated and transmitted by a device that crossed the geofence, the service determines a difference in location of the device at the times of notification generation and transmission based on coordinates included in the notification. A difference in location that satisfies a criterion indicates that the geofence corresponds to a geographic location with poor cellular network connectivity. The service modifies the geofence radius based on available signal strength data and enforces the resulting modified geofence. After this first radius modification, the service determines quality of network connectivity at geographic locations corresponding to internally tracked “shadow” geofences and modifies the geofence radius if device coordinates indicate that a shadow geofence corresponds to an area with sufficient connectivity. Geofence radius modification is ongoing until the geofence is returned to its initial configuration.
G01S 5/00 - Localisation par coordination de plusieurs déterminations de direction ou de ligne de position; Localisation par coordination de plusieurs déterminations de distance
74.
Securely publishing applications from private networks
A controller can securely publish an application of a tenant by securely extending a network fabric into the networks of the tenant with virtual private networks and NAT. After a tenant deploys an application into one or more networks of the tenant, the tenant can indicate select applications to publish. The network controller assigns a network address from the routable address space of the network fabric to the application and a network address aggregate to each application connector that will front an instance of the application, which securely extends the network fabric into the tenant network. The network controller configures NAT rules in the network fabric and on the application connector to create a route for traffic of the application through the network fabric to the application instance using a fully qualified domain name assigned to the application without exposing a private network address of the application instance and preserving security of other resource on the tenant network.
H04L 61/2592 - Traduction d'adresses de protocole Internet [IP] en utilisant la tunnelisation ou l'encapsulation
H04L 61/4511 - Répertoires de réseau; Correspondance nom-adresse en utilisant des protocoles normalisés d'accès aux répertoires en utilisant le système de noms de domaine [DNS]
H04L 101/618 - Types d'adresses de réseau - Détails d’adresses de réseau
75.
DETECTING MALICIOUS ACTIVITY ON AN ENDPOINT BASED ON REAL-TIME SYSTEM EVENTS
Techniques for detecting malicious activity on an endpoint based on real-time system events are disclosed. In some embodiments, a system/process/computer program product for detecting malicious activity on an endpoint based on real-time system events includes monitoring an endpoint for malicious activity using an endpoint agent, in which the endpoint comprises a local device; detecting malicious activity associated with an application on the endpoint based on real-time system events using the endpoint agent based on a set of rules; and in response to detecting malicious activity on the endpoint based on real-time system events using the endpoint agent, performing a security response based on a security policy.
Techniques for enforcing policy on multiple levels are disclosed. A multi-level policy includes at least one policy at a low level of abstraction and at least one policy at a high level of abstraction. An Internet of Things (IoT) device is discovered on a network. The IoT device is classified. The set of multi-level policies is applied to the IoT device based on the classification of the IoT device.
H04L 41/0631 - Gestion des fautes, des événements, des alarmes ou des notifications en utilisant l’analyse de la corrélation entre les notifications, les alarmes ou les événements en fonction de critères de décision, p.ex. la hiérarchie ou l’analyse temporelle ou arborescente
H04L 41/22 - Dispositions pour la maintenance, l’administration ou la gestion des réseaux de commutation de données, p.ex. des réseaux de commutation de paquets comprenant des interfaces utilisateur graphiques spécialement adaptées [GUI]
77.
Context-based security over interfaces in O-RAN environments in mobile networks
Techniques for applying context-based security over interfaces in O-RAN environments in mobile networks are disclosed. In some embodiments, a system/process/computer program product for applying context-based security over interfaces in O-RAN environments in mobile networks includes monitoring network traffic on a mobile network at a security platform to identify a GTP-U tunnel session setup message associated with a new session; extracting a plurality of parameters from the GTP-U tunnel session setup message and from F1AP traffic to extract contextual information at the security platform; and enforcing a security policy at the security platform on the new session based on one or more of the plurality of parameters to apply context-based security to the network traffic transported between O-RAN Distributed Unit (O-DU) and O-RAN Centralized Unit Control Plane (O-CU-CP) nodes in an O-RAN environment in the mobile network.
Techniques for applying context-based security over interfaces in NG-RAN environments in mobile networks are disclosed. In some embodiments, a system/process/computer program product for applying context-based security over interfaces in NG-RAN environments in mobile networks includes monitoring network traffic on a mobile network at a security platform to identify a GTP-U tunnel session setup message associated with a new session; extracting a plurality of parameters from the GTP-U tunnel session setup message and from XnAP traffic to extract contextual information at the security platform; and enforcing a security policy at the security platform on the new session based on one or more of the plurality of parameters to apply context-based security to the network traffic transported between NG-RAN nodes in an NG-RAN environment in the mobile network.
A set of metadata associated with a plurality of samples is received. The samples are clustered. For members of a first cluster, a set of similarities shared among at least a portion of the members of the first cluster is determined. A cluster member is identified within the first cluster, and in response, additional analysis is caused to be performed on the outlier cluster member.
A service prevents attacks carried out through container escape for silo-based containers. A callback is registered for a function(s) that may be invoked from inside a container and returns an object handle(s). The callback, when triggered by invocation of the function(s), executes for determination of whether requests for access to objects via their handles are issued by suspicious processes. Access to CExecSvc.exe is restricted for processes that request a handle for CExecSvc.exe and are determined to be associated with a container themselves. Processes that escape their container through a technique that evades detection are also blocked from accessing the host system. When a process requests access to an object via invocation of a function that returns a handle, the callback executes for determination of whether the process but not the requested object is associated with a container, in which case the service restricts the process' access to the host system.
G06F 21/55 - Détection d’intrusion locale ou mise en œuvre de contre-mesures
G06F 21/52 - Contrôle des usagers, programmes ou dispositifs de préservation de l’intégrité des plates-formes, p.ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p.ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données
81.
AUTOMATED GENERATION OF BEHAVIORAL SIGNATURES FOR MALICIOUS WEB CAMPAIGNS
Techniques for automated generation of behavioral signatures for malicious web campaigns are disclosed. In some embodiments, a system/process/computer program product for automated generation of behavioral signatures for malicious web campaigns includes crawling a plurality of web sites associated with a malware campaign; determining discriminating repeating attributes (e.g., behavior related attributes, which can be determined using dynamic analysis, and static related attributes, which can be determined using static analysis) as malware campaign related footprint patterns, wherein the discriminating repeating attributes are not associated with benign web sites; and automatically generating a human-interpretable malware campaign signature based on the malware campaign related footprint patterns.
Techniques for process privilege escalation protection in a computing environment are disclosed. For example, the disclosure describes a system/process/computer program product for process privilege escalation protection in a computing environment that includes monitoring a process executed on a computing device, detecting an unauthorized change in a token value associated with the process, and performing an action based on a policy (e.g., a kernel protection security policy/rule(s), which can include a whitelisted set of processes and/or configured actions/responses to perform for other/non-whitelisted processes) in response to an unauthorized change in the token value associated with the process.
G06F 21/54 - Contrôle des usagers, programmes ou dispositifs de préservation de l’intégrité des plates-formes, p.ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p.ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données par ajout de routines ou d’objets de sécurité aux programmes
G06F 21/44 - Authentification de programme ou de dispositif
An access point service configures and manages a multi-enterprise wireless network in public settings. During network profile setup for a client connecting to an enterprise-issued access point (e.g., in a home environment), the service determines network information unique to the client and an authentication server associated with the enterprise to which the client is to authenticate for 802.1X authentication and stores the client network information and an indication of the authentication server in a cloud database. For access points in a public setting, upon detection of an association request by a client, the service determines network information that identifies the client and performs a lookup of the cloud database with the network information to determine to which of the recognized authentication servers to forward authentication messages transmitted by the client. If the result of the lookup does not indicate an authentication server, the connection is terminated.
Techniques for distributed offload leveraging different offload devices are disclosed. In some embodiments, a system, process, and/or computer program product for distributed offload leveraging different offload devices includes receiving a flow at a firewall of a security service (e.g., a cloud-based security service); inspecting the flow at the firewall to determine meta information associated with the flow; and offloading the flow to an offload entity (e.g., a SmartNIC, software executed on a Network Interface Card (NIC), and/or a network device, such as a network router and/or network switch) based on the meta information associated with the flow (e.g., an application identification associated with the flow determined using deep packet inspection) and based on a policy.
Detection of an exploit including shellcode is disclosed. Memory blocks are monitored during dynamic analysis of a sample to identify a memory block including suspicious shellcode. The memory block is dumped in memory to identify a candidate shellcode entry point associated with the suspicious shellcode. The suspicious shellcode is executed based on the candidate shellcode entry point to determine whether the suspicious shellcode is malicious. A verdict is generated regarding the sample based on results of executing the suspicious shellcode.
G06F 21/56 - Détection ou gestion de programmes malveillants, p.ex. dispositions anti-virus
G06F 21/53 - Contrôle des usagers, programmes ou dispositifs de préservation de l’intégrité des plates-formes, p.ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p.ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données par exécution dans un environnement restreint, p.ex. "boîte à sable" ou machine virtuelle sécurisée
86.
Detecting behavioral change of IoT devices using novelty detection based behavior traffic modeling
An anomalous behavior detector has been designed to detect novel behavioral changes of devices based on network traffic data that likely correlate to anomalous behaviors. The anomalous behavior detector uses the local outlier factor (LOF) algorithm with novelty detection. After initial semi-supervised training with a single class training dataset representing stable device behaviors, the obtained model continues learning frontiers that delimit subspaces of inlier observations with live network traffic data. Instead of traffic variables being used as features, the features that form feature vectors are similarities of network traffic variable values across time intervals. A feature vector for the anomalous behavior detector represents stability or similarity of network traffic variables that have been chosen as device identifiers and behavioral indicators.
Techniques for sample traffic based self-learning malware detection are disclosed. In some embodiments, a system/process/computer program product for sample traffic based self-learning malware detection includes receiving a plurality of samples for malware detection analysis using a sandbox; executing each of the plurality of samples in the sandbox and monitoring network traffic during execution of each of the plurality of samples in the sandbox; detecting that one or more of the plurality of samples is malware based on automated analysis of the monitored network traffic using a command and control (C2) machine learning (ML) model if there is not a prior match with an intrusion prevention system (IPS) signature; and performing an action in response to detecting that the one or more of the plurality of samples is malware based on the automated analysis of the monitored network traffic using the C2 ML model. In some embodiments, the IPS signatures and C2 ML model are automatically generated and trained.
G06F 21/56 - Détection ou gestion de programmes malveillants, p.ex. dispositions anti-virus
G06F 21/53 - Contrôle des usagers, programmes ou dispositifs de préservation de l’intégrité des plates-formes, p.ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p.ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données par exécution dans un environnement restreint, p.ex. "boîte à sable" ou machine virtuelle sécurisée
G06N 5/022 - Ingénierie de la connaissance; Acquisition de la connaissance
88.
PROACTIVE CONDITIONED PREFETCHING AND ORIGIN FLOODING MITIGATION FOR CONTENT DELIVERY
A method of delivering content includes, at a node in a network, receiving a first file, from a server, for rendering a first webpage. The method also includes transmitting the first file to a client computer system. The method also includes extracting a first hyperlink to a second webpage from the first file. The method also includes prefetching a second file for rendering the second webpage. The method also includes receiving a request to access a third webpage from the client computer system. The method also includes, in accordance with a determination that the second file can be used for rendering the third webpage, transmitting the second file to the client computer system.
A cloud-based traffic classification engine maintains a catalog of application-based traffic classes which have been developed based on known applications, and a local traffic classification engine maintains a subset of these classes. Network traffic intercepted by the firewall which cannot be classified by the local engine is forwarded to the cloud-based engine for classification. Upon determination of a class of the traffic, the cloud-based engine forwards the determined class and corresponding signature to the local engine. The firewall maintains a cache which is updated with the signatures corresponding to the class communicated by the cloud-based engine. Subsequent network traffic sent from the application can be determined to correspond to the application and classified according locally at the firewall based on the cached signatures. Localization of the cache to the firewall reduces latency of traffic classification operations as the catalog of classification information stored in the cloud scales.
H04L 47/2441 - Trafic caractérisé par des attributs spécifiques, p.ex. la priorité ou QoS en s'appuyant sur la classification des flux, p.ex. en utilisant des services intégrés [IntServ]
A flexible security system has been created that allows for fluid security operations that adapt to the dynamic nature of user behavior while also allowing the security related operations themselves to be dynamic. This flexible system includes ongoing collection and/or updating of multi-perspective “security contexts” per actor and facilitating consumption of these multi-perspective security contexts for security related operations on the users. These security related operations can include policy-based security enforcement and inspection. A security platform component or security entity uses a multi-perspective security context for a user or actor. Aggregating and maintaining behavioral information into a data structure for an actor over time from different sources allows a security platform component or entity to have historical context for an actor from one or more security perspectives. Descriptors that form a security context can originate from various sources having visibility of user behavior and/or user attributes.
Detection of command and control malware is disclosed. A network traffic session is monitored. Automatic feature identification for real-time malicious command and control traffic detection based on a request header of the monitored network traffic session using a deep learning model is performed.
Identifying Internet of Things (IoT) devices with packet flow behavior including by using machine learning models is disclosed. Information associated with a network communication of an IoT device is received. A determination of whether the IoT device has previously been classified is made. In response to determining that the IoT device has not previously been classified, a determination is made that a probability match for the IoT device against a behavior signature exceeds a threshold. The behavior signature includes at least one time series feature for an application used by the IoT device. Based at least in part on the probability match, a classification of the IoT device is provided to a security appliance configured to apply a policy to the IoT device.
A system and method are provided for provisioning code snippets for programming a content delivery network. The method includes receiving a first client code snippet from a first client. The first client code snippet includes identity information of origin servers, standard responses for network requests, and configuration parameters to configure programmable content delivery nodes to respond to the one or more network requests. The method also includes publishing the first client code snippet to a snippet library, and indexing the first client code snippet in the snippet library. The method also includes receiving, from a second client, a request for a second client code snippet. The method also includes selecting a subset of client code snippets stored in the snippet library. The method also includes rendering identification information for the subset of client code snippets, and outputting a selected client code snippet from the subset of client code snippets.
H04L 67/1001 - Protocoles dans lesquels une application est distribuée parmi les nœuds du réseau pour accéder à un serveur parmi une pluralité de serveurs répliqués
H04L 67/63 - Ordonnancement ou organisation du service des demandes d'application, p.ex. demandes de transmission de données d'application en utilisant l'analyse et l'optimisation des ressources réseau requises en acheminant une demande de service en fonction du contenu ou du contexte de la demande
94.
AUTO GENERATING BUILD TIME POLICIES FROM RUN TIME POLICIES FOR SHIFT LEFT SECURITY
Comprehensive matching allows for automated conversion from runtime policy rules to build time rules that can be applied to an IaC configuration file(s). API specifications of a CSP and resource models defined in an IaC configuration file(s) are parsed and tokenized. The tokenized API specifications are evaluated to identify, for each resource model, a most appropriate API specification for mapping fields. Based on the evaluation and token matching, tokens of the API specifications are mapped to the tokens of the IaC resource models to form a mapping model. In an implementation phase, a runtime policy rule converter replaces tokens of a runtime security policy rule query with IaC tokens based on the mapping index to convert the runtime security policy rule query into a buildtime security policy rule query that can be applied against the IaC configuration files.
A customer analytics ecosystem has been created that identifies factors in customer/account data that have correlations with customer churn based on statistical analysis, uses those factors to then predict likelihood of customer churn for customers, and generates recommendations to retain those customers identified as likely to attrite. Statistical analysis performed on customer data to yield correlation coefficients that provide insight into which variables/factors in customer data have correlations with customer churn. The identified churn factors are used as features to train a churn prediction model. The churn prediction model is trained to predict churn outcome for a customer based on at least some of the churn factors. Causal inference models are run for customer retention solutions (“treatments”) to obtain an estimated effect of each treatment on the churn outcome. The set of treatments can be ranked and presented as recommendations to retain the identified customer.
G06Q 10/06 - Ressources, gestion de tâches, des ressources humaines ou de projets; Planification d’entreprise ou d’organisation; Modélisation d’entreprise ou d’organisation
G06Q 30/02 - Marketing; Estimation ou détermination des prix; Collecte de fonds
G06N 5/04 - Modèles d’inférence ou de raisonnement
96.
OUTBOUND/INBOUND LATERAL TRAFFIC PUNTING BASED ON PROCESS RISK
Techniques for outbound/inbound lateral traffic punting based upon process risk are disclosed. In some embodiments, a system/process/computer program product for outbound/inbound lateral traffic punting based upon process risk includes receiving, at a network device on an enterprise network, process identification (ID) information from an endpoint (EP) agent executed on an EP device, in which the process ID information identifies a process that is associated with an outbound or inbound network session on the EP device on the enterprise network, and the EP agent selected the network session for punting to the network device for inspection; monitoring network communications associated with the network session at the network device to identify an application identification (APP ID) for the network session; and performing an action based on a security policy using the process ID information and the APP ID.
An initial test is executed to determine an end-to-end latency of a path between a source and a destination. Subsequent tests incrementally target each node of the path for measurement of metric values indicative of delay of the nodes (e.g., latency, jitter, and packet loss). As tests are performed incrementally for each node, the maximum observed latency is tracked and used for calculating timeout thresholds. For the first hop, the timeout threshold is determined relative to the end-to-end latency; for subsequent hops, the timeout threshold is determined relative to the maximum non-timeout latency measured for a previous hop. Each test is performed N times to obtain additional values of delay metrics for each node. Upon completion of the N passes through the path, the resulting delay metric values determined for each test set are aggregated to yield a single, comprehensive result set.
H04L 43/10 - Surveillance active, p.ex. battement de cœur, utilitaire Ping ou trace-route
H04L 43/106 - Surveillance active, p.ex. battement de cœur, utilitaire Ping ou trace-route en utilisant des informations liées au temps dans des paquets, p.ex. en ajoutant des horodatages
The present application discloses a method, system, and computer system for detecting malicious files. The method includes receiving a sample that comprises a .NET file, obtaining imported API function names based at least in part on a .NET header of the .NET file, determining a hash of a list of unmanaged imported API function names, and determining whether the sample is malware based at least in part on the hash of the list of unmanaged imported API function names.
G06F 21/55 - Détection d’intrusion locale ou mise en œuvre de contre-mesures
G06F 21/53 - Contrôle des usagers, programmes ou dispositifs de préservation de l’intégrité des plates-formes, p.ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p.ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données par exécution dans un environnement restreint, p.ex. "boîte à sable" ou machine virtuelle sécurisée
99.
TRAFFIC PATTERN-BASED PREDICTION OF CLOUD FIREWALL COSTS FOR OPTIMAL CLOUD FIREWALL DEPLOYMENT
Traffic log data generated by cloud firewalls executing in a cloud environment during a time period that indicate classes and corresponding amounts of network traffic detected across sessions as well as usage cost data recorded for the cloud firewalls during the time period are obtained. The traffic log data are preprocessed to generate training data comprising feature vectors indicating the aggregate amount of network traffic detected for each traffic class during a corresponding time interval within the time period and are labeled with the associated usage cost. A machine learning model is trained on the labeled traffic log data to learn the impact each traffic class has on the accumulated usage costs. The trained model generates predicted usage costs based on distributions of detected network traffic across traffic classes that are analyzed to correlate traffic patterns with usage costs to determine the optimal size(s) of cloud firewalls to deploy.
Techniques for providing a networking and security split architecture are disclosed. In some embodiments, a system, process, and/or computer program product for providing a networking and security split architecture includes receiving a flow at a security service; processing the flow at a network layer of the security service to perform one or more networking functions; and offloading the flow to a security layer of the security service to perform security enforcement based on a policy.