Palo Alto Networks, Inc.

United States of America


1-58 of 58 for Palo Alto Networks, Inc.

1.

APPLYING SUBSCRIBER-ID BASED SECURITY, EQUIPMENT-ID BASED SECURITY, AND/OR NETWORK SLICE-ID BASED SECURITY WITH USER-ID AND SYSLOG MESSAGES IN MOBILE NETWORKS

      
Application number US2023028739
Publication number 2024/049591
Status Granted - in force
Filing date 2023-07-26
Publication date 2024-03-07
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Verma, Sachin
  • Burakovsky, Leonid
  • Perez Villegas, Hugo, Alberto

Abstract

Techniques for applying subscriber-ID based security, equipment-ID based security, and/or network slice-ID based security with user-ID and syslog messages in mobile networks are disclosed. In some embodiments, a system/process/computer program product for applying subscriber-ID based security, equipment-ID based security, and/or network slice-ID based security with user-ID and syslog messages in mobile networks includes monitoring network traffic on a mobile network at a security platform to identify a new session; extracting a plurality of parameters by parsing syslog messages with a user-ID agent at the security platform; and enforcing a security policy on the new session at the security platform based on one or more of the plurality of parameters including one or more of a subscriber-ID, equipment-ID, and network slice-ID to apply context-based security in the mobile network.

IPC classes

  • H04L 9/40 - Network security protocols
  • H04W 12/088 - Access security using filters or firewalls
  • H04W 12/121 - Wireless intrusion detection system [WIDS]; Wireless intrusion prevention system [WIPS]
  • H04W 12/69 - Identity-dependent context-dependent security
  • H04W 12/72 - Subscriber identity
  • H04W 76/00 - Connection management

2.

INLINE PACKAGE NAME BASED SUPPLY CHAIN ATTACK DETECTION AND PREVENTION

      
Application number US2023031082
Publication number 2024/049702
Status Granted - in force
Filing date 2023-08-24
Publication date 2024-03-07
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Duan, Ruian
  • Liu, Daiping
  • Wang, Jun
  • Xiao, Zihang

Abstract

Inline package name based supply chain attack detection and prevention is disclosed. An indication that a client device has made a request to a remote server for a package is received. A data appliance then performs an action responsive to the received indication. In an example implementation, the data appliance makes a determination of whether the request for the package is associated with a nonexisting package.

IPC classes

  • G06F 8/60 - Software deployment
  • G06F 21/10 - Protection of distributed programs or content, e.g. sale or licensing of copyrighted material

3.

ATTACK CHAIN IDENTIFICATION VIA MISCONFIGURATIONS IN CLOUD RESOURCES

      
Application number US2023020360
Publication number 2024/025624
Status Granted - in force
Filing date 2023-04-28
Publication date 2024-02-01
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Narayan, Krishnan Shankar
  • Herur, Praveen

Abstract

A cloud resource management system detects resource misconfiguration for resources in a cloud including cloud policy misconfigurations and resource vulnerabilities. An attack chain analyzer identifies attack chains from misconfigured resources ordered according to stages in an attack framework that models sequential behavior for malicious attacks. The attack chains are detected according to a depth-first search traversal of adjacent resources that have pairwise exposure according to characteristics indicated in the cloud policy misconfigurations and resource vulnerabilities. The attack chain analyzer generates further diagnostics that inform remediation of resource misconfigurations for malicious attack prevention.

IPC classes

  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or shutdowns, version controls, system software checks, secure updates or vulnerability assessment
  • H04L 9/40 - Network security protocols

4.

COBALT STRIKE BEACON HTTP C2 HEURISTIC DETECTION

      
Application number US2023026791
Publication number 2024/025705
Status Granted - in force
Filing date 2023-06-30
Publication date 2024-02-01
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Jia, Yanhui
  • Navarrete Discua, Christian Elihu
  • Sangvilkar, Durgesh Madhavrao
  • Neupane, Ajaya
  • Fu, Yu
  • Xu, Chengming

Abstract

Techniques for Cobalt Strike Beacon HTTP C2 heuristic detection are disclosed. In some embodiments, a system/process/computer program product for Cobalt Strike Beacon HTTP C2 heuristic detection includes monitoring HyperText Transfer Protocol (HTTP) network traffic at a firewall; prefiltering the monitored HTTP network traffic at the firewall to select a subset of the HTTP network traffic to forward to a cloud security service; determining whether the subset of the HTTP network traffic is associated with Cobalt Strike Beacon HTTP C2 traffic activity based on a plurality of heuristics; and performing an action in response to detecting the Cobalt Strike Beacon HTTP C2 traffic activity.

IPC classes

  • H04L 9/40 - Network security protocols
  • G06F 21/56 - Detection or handling of malicious programs, e.g. anti-virus arrangements

5.

NETWORK ATTACK DETECTION WITH TARGETED FEATURE EXTRACTION FROM EXPLOIT TOOLS

      
Application number US2023026430
Publication number 2024/015216
Status Granted - in force
Filing date 2023-06-28
Publication date 2024-01-18
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Zhang, Zhibin
  • Chen, Jin
  • Fu, Yu
  • Achleitner, Stefan
  • Qu, Bo
  • Xu, Lei

Abstract

The present application discloses a method, system, and computer system for detecting malicious SQL or command injection strings. The method includes obtaining an SQL or command injection string and determining whether the command injection string is malicious based at least in part on a machine learning model.

IPC classes

  • G06F 21/56 - Detection or handling of malicious programs, e.g. anti-virus arrangements
  • G06N 20/00 - Machine learning
  • H04L 9/40 - Network security protocols
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures

6.

APPLICATION TRAFFIC FLOW PREDICTION BASED ON MULTI-STAGE NETWORK TRAFFIC FLOW SCANNING

      
Application number US2023016575
Publication number 2023/249679
Status Granted - in force
Filing date 2023-03-28
Publication date 2023-12-28
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Sang, Daphne
  • Patil, Harish

Abstract

In a network control plane, a pattern matching database is built and maintained for identifying an application or application level protocol. In addition, pattern matching databases for predicting a subsequent flow for application layer/level protocols or data protocols are built and maintained. After flow differentiation in network traffic mirrored from a data plane, the network traffic flow is scanned in a first stage and then in a second stage if a signaling protocol message is detected in the first stage scan. For the second stage, one of the application/data protocol pattern databases is selected for scanning based on the signaling protocol message detected in the first stage scanning. If a match is found from the stage 2 scanning, a mapping between the signaling protocol identifier and an identifier for a predicted application traffic flow is created and communicated to the data plane for policy selection and enforcement.

IPC classes

  • H04L 9/40 - Network security protocols
  • H04L 43/028 - Capturing of monitoring data by filtering
  • H04L 45/302 - Route determination based on requested quality of service [QoS]
  • H04L 45/745 - Address table lookup; Address filtering
  • H04L 47/2408 - Traffic characterised by specific attributes, e.g. priority or QoS, for supporting different services, e.g. differentiated services [DiffServ] type services
  • H04L 69/22 - Parsing or evaluation of headers

7.

RENDERING CONTEXTUAL SECURITY INFORMATION DETERMINED IN-BROWSER WITH WEB PAGES OF CLOUD AND SAAS VENDORS

      
Application number US2023017859
Publication number 2023/239444
Status Granted - in force
Filing date 2023-04-07
Publication date 2023-12-14
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s) Narayan, Krishnan Shankar

Abstract

The browser extension matches URLs and/or HTML/XML syntactic patterns of the retrieved web pages to the fingerprints to determine the security information to obtain from backend storage. The type/granularity of information that is retrieved can vary depending on the identified fingerprint match. The browser extension retrieves security information corresponding to fingerprints for which matches are identified, generates security overviews therefrom, and integrates the security overviews into the requested web pages to generate a consolidated, multi-perspective view.

IPC classes

  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 21/56 - Detection or handling of malicious programs, e.g. anti-virus arrangements
  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or shutdowns, version controls, system software checks, secure updates or vulnerability assessment
  • H04L 9/40 - Network security protocols

8.

AUTOMATICALLY DETECTING UNKNOWN PACKERS

      
Application number US2023022284
Publication number 2023/229873
Status Granted - in force
Filing date 2023-05-15
Publication date 2023-11-30
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Lu, Chienhua
  • Hu, Wenjun

Abstract

Techniques for automatically detecting unknown packers are disclosed. In some embodiments, a system/process/computer program product for automatically detecting unknown packers includes receiving a plurality of samples for malware packer detection analysis; performing a packer filter to determine whether each of the plurality of samples is packed; emulating each of the packed samples to extract a plurality of features; and clustering the packed samples based on the extracted features.

IPC classes

  • G06F 21/56 - Detection or handling of malicious programs, e.g. anti-virus arrangements
  • H04L 9/40 - Network security protocols

9.

APPLICATION IDENTIFICATION FOR PHISHING DETECTION

      
Application number US2023017111
Publication number 2023/211629
Status Granted - in force
Filing date 2023-03-31
Publication date 2023-11-02
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Shao, Rongbo
  • Qu, Bo
  • He, Zhanglin
  • Xu, Shengming
  • Lee, Amy

Abstract

Techniques for application identification for phishing detection are disclosed. In some embodiments, a system/process/computer program product for application identification for phishing detection includes monitoring network activity associated with a session to detect a request to access a site; determining advanced application identification associated with the site; and identifying the site as a phishing site based on the advanced application identification.

IPC classes

  • H04L 9/40 - Network security protocols
  • G06F 16/955 - Retrieval from the Web using information identifiers, e.g. uniform resource locators [URL]

10.

ENFORCING A DYNAMICALLY MODIFIABLE GEOFENCE BASED ON CONDITIONS OF A CELLULAR NETWORK

      
Application number US2023063831
Publication number 2023/183707
Status Granted - in force
Filing date 2023-03-07
Publication date 2023-09-28
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Chandrasekaran, Arun Athrey
  • Kadam, Avaneesh Anandrao

Abstract

A geofencing service establishes an initial geofence for monitoring devices connected to a cellular network. Upon receipt of a notification generated and transmitted by a device that crossed the geofence, the service determines a difference in location of the device at the times of notification generation and transmission based on coordinates included in the notification. A difference in location that satisfies a criterion indicates that the geofence corresponds to a geographic location with poor cellular network connectivity. The service modifies the geofence radius based on available signal strength data and enforces the resulting modified geofence. After this first radius modification, the service determines quality of network connectivity at geographic locations corresponding to internally tracked "shadow" geofences and modifies the geofence radius if device coordinates indicate that a shadow geofence corresponds to an area with sufficient connectivity. Geofence radius modification is ongoing until the geofence is returned to its initial configuration.

IPC classes

  • H04W 4/021 - Services related to particular areas, e.g. point of interest services, venue services or geofences
  • H04B 17/318 - Received signal strength
  • H04L 67/52 - Network services specially adapted for the location of the user terminal

11.

CONTEXT-BASED SECURITY OVER INTERFACES IN NG-RAN ENVIRONMENTS AND O-RAN ENVIRONMENTS IN MOBILE NETWORKS

      
Application number US2023012014
Publication number 2023/163843
Status Granted - in force
Filing date 2023-01-31
Publication date 2023-08-31
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Verma, Sachin
  • Burakovsky, Leonid

Abstract

Techniques for applying context-based security over interfaces in O-RAN environments in mobile networks are disclosed. In some embodiments, a system/process/computer program product for applying context-based security over interfaces in O-RAN environments in mobile networks includes monitoring network traffic on a mobile network at a security platform to identify a GTP-U tunnel session setup message associated with a new session; extracting a plurality of parameters from the GTP-U tunnel session setup message and from F1AP traffic to extract contextual information at the security platform; and enforcing a security policy at the security platform on the new session based on one or more of the plurality of parameters to apply context-based security to the network traffic transported between O-RAN Distributed Unit (O-DU) and O-RAN Centralized Unit Control Plane (O-CU-CP) nodes in an O-RAN environment in the mobile network. Techniques for applying context-based security over interfaces in NG-RAN environments in mobile networks are also disclosed. In some embodiments, a system/process/computer program product for applying context-based security over interfaces in NG-RAN environments in mobile networks includes monitoring network traffic on a mobile network at a security platform to identify a GTP-U tunnel session setup message associated with a new session; extracting a plurality of parameters from the GTP-U tunnel session setup message and from XnAP traffic to extract contextual information at the security platform; and enforcing a security policy at the security platform on the new session based on one or more of the plurality of parameters to apply context-based security to the network traffic transported between NG-RAN nodes in an NG-RAN environment in the mobile network.

IPC classes

  • H04L 9/40 - Network security protocols
  • H04W 12/088 - Access security using filters or firewalls

12.

SYSTEM AND METHOD FOR DETECTING EXPLOIT INCLUDING SHELLCODE

      
Application number US2023011449
Publication number 2023/146856
Status Granted - in force
Filing date 2023-01-24
Publication date 2023-08-03
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Yan, Tao
  • Chen, Jin
  • Qu, Bo
  • Liu, Jiangxia
  • Bochin, Edouard
  • Lu, Royce

Abstract

Detection of an exploit including shellcode is disclosed. Memory blocks are monitored during dynamic analysis of a sample to identify a memory block including suspicious shellcode. The memory block is dumped in memory to identify a candidate shellcode entry point associated with the suspicious shellcode. The suspicious shellcode is executed based on the candidate shellcode entry point to determine whether the suspicious shellcode is malicious. A verdict is generated regarding the sample based on results of executing the suspicious shellcode.

IPC classes

  • G06F 21/56 - Detection or handling of malicious programs, e.g. anti-virus arrangements
  • G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure, by executing in a restricted environment, e.g. sandbox or secure virtual machine

13.

DEEP LEARNING PIPELINE TO DETECT MALICIOUS COMMAND AND CONTROL TRAFFIC

      
Application number US2023010947
Publication number 2023/141103
Status Granted - in force
Filing date 2023-01-17
Publication date 2023-07-27
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Neupane, Ajaya
  • Dai, Yuwen
  • Achleitner, Stefan
  • Fu, Yu
  • Xu, Shengming

Abstract

Detection of command and control malware is disclosed. A network traffic session is monitored. Automatic feature identification for real-time malicious command and control traffic detection based on a request header of the monitored network traffic session using a deep learning model is performed.

IPC classes

14.

IDENTIFICATION OF .NET MALWARE WITH "UNMANAGED IMPHASH"

      
Application number US2022051866
Publication number 2023/121862
Status Granted - in force
Filing date 2022-12-05
Publication date 2023-06-29
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Samuel, Yaron
  • Reichel, Dominik
  • Jung, Robert
  • Che, Lauren

Abstract

The present application discloses a method, system, and computer system for detecting malicious files. The method includes receiving a sample that comprises a .NET file, obtaining imported API function names based at least in part on a .NET header of the .NET file, determining a hash of a list of unmanaged imported API function names, and determining whether the sample is malware based at least in part on the hash of the list of unmanaged imported API function names.

IPC classes

  • G06F 21/56 - Detection or handling of malicious programs, e.g. anti-virus arrangements
  • G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • H04L 9/00 - Arrangements for secret or secure communications; Network security protocols

15.

NETWORKING AND SECURITY SPLIT ARCHITECTURE

      
Application number US2022052048
Publication number 2023/121868
Status Granted - in force
Filing date 2022-12-06
Publication date 2023-06-29
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Warburton, Thomas, Arthur
  • Long, Hao
  • Lin, Shu
  • Peng, Mingfei

Abstract

Techniques for providing a networking and security split architecture are disclosed. In some embodiments, a system, process, and/or computer program product for providing a networking and security split architecture includes receiving a flow at a security service; processing the flow at a network layer of the security service to perform one or more networking functions; and offloading the flow to a security layer of the security service to perform security enforcement based on a policy.

IPC classes

  • H04L 9/40 - Network security protocols
  • H04L 47/2441 - Traffic characterised by specific attributes, e.g. priority or QoS, relying on flow classification, e.g. using integrated services [IntServ]

16.

INLINE IDENTIFY AND BLOCK DANGLING DNS RECORDS

      
Application number US2022047186
Publication number 2023/076091
Status Granted - in force
Filing date 2022-10-19
Publication date 2023-05-04
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Liu, Daiping
  • Duan, Ruian
  • Wang, Jun

Abstract

The present application discloses a method, system, and computer system for identifying dangling records. The method includes obtaining a set of domains, determining whether a record associated with a domain comprised in the set of domains is dangling, and in response to determining that the record associated with the domain is dangling, providing, to a registrant, a notification that the record is dangling.

IPC classes

  • H04L 9/40 - Network security protocols
  • H04L 61/4511 - Network directories; Name-to-address mapping using standardised directory access protocols using the domain name system [DNS]

17.

PREDICTIVE DNS CACHE TO IMPROVE SECURITY AND PERFORMANCE

      
Application number US2022047183
Publication number 2023/076090
Status Granted - in force
Filing date 2022-10-19
Publication date 2023-05-04
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Liu, Daiping
  • Wang, Jun
  • Xu, Wei

Abstract

The present application discloses a method, system, and computer system for predicting responses to DNS queries. The method includes receiving a DNS query comprising a subdomain portion and a root domain portion from a client device, determining whether to obtain target address information corresponding to the DNS from a predictive cache, in response to determining to obtain the target address information from the predictive cache, obtaining the target address information from the predictive cache, and providing the target address information to the client device.

IPC classes

  • H04L 61/4511 - Network directories; Name-to-address mapping using standardised directory access protocols using the domain name system [DNS]
  • H04L 61/58 - Caching of addresses or names
  • G06F 12/02 - Addressing or allocation; Relocation
  • G06F 12/10 - Address translation
  • H04L 67/14 - Session management
  • H04L 67/50 - Network services

18.

IOT DEVICE IDENTIFICATION WITH PACKET FLOW BEHAVIOR MACHINE LEARNING MODEL

      
Application number US2022047493
Publication number 2023/076127
Status Granted - in force
Filing date 2022-10-21
Publication date 2023-05-04
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Zhang, Jialiang
  • Tian, Ke
  • Zhang, Fan

Abstract

Identifying Internet of Things (IoT) devices with packet flow behavior including by using machine learning models is disclosed. Information associated with a network communication of an IoT device is received. A determination of whether the IoT device has previously been classified is made. In response to determining that the IoT device has not previously been classified, a determination is made that a probability match for the IoT device against a behavior signature exceeds a threshold. Based at least in part on the probability match, a classification of the IoT device is provided to a security appliance configured to apply a policy to the IoT device.

IPC classes

  • H04L 9/40 - Network security protocols

19.

IOT SECURITY POLICY ON A FIREWALL

      
Application number US2022045113
Publication number 2023/055851
Status Granted - in force
Filing date 2022-09-28
Publication date 2023-04-06
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Siddam, Kalyan
  • Du, Jun

Abstract

Techniques for enforcing policies on Internet of Things (IoT) device communications are disclosed. Information associated with a network communication of an IoT device is received. The received information is used to determine a device profile, including a device type, to associate with the IoT device. A recommended security policy to be applied to the IoT device by a security appliance is generated.

IPC classes

  • H04W 8/02 - Processing of mobility data, e.g. registration of information in a home location register [HLR] or visitor location register [VLR]; Transfer of mobility data, e.g. between HLR, VLR or external networks
  • H04W 12/12 - Detection or prevention of fraud
  • H04W 12/50 - Secure pairing of devices
  • G06F 21/35 - User authentication involving the use of external additional devices, e.g. dongles or smart cards, communicating wirelessly
  • H04L 9/08 - Key distribution

20.

SECURING CONTAINERIZED APPLICATIONS

      
Application number US2022030734
Publication number 2022/251220
Status Granted - in force
Filing date 2022-05-24
Publication date 2022-12-01
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Mcdowall, John, Edward
  • Saha, Sharad
  • Bansal, Nilesh

Abstract

Techniques for securing containerized applications are disclosed. In some embodiments, a system, process, and/or computer program product for securing containerized applications includes detecting a new application container (e.g., an application pod); deploying a security entity (e.g., a firewall) to the application container; and monitoring all traffic to and from the application container (e.g., all layer-7 ingress, egress, and east-west traffic associated with the application container) using the security entity to enforce a policy.

IPC classes

  • H04L 9/40 - Network security protocols

21.

INCREASED COVERAGE OF APPLICATION-BASED TRAFFIC CLASSIFICATION WITH LOCAL AND CLOUD CLASSIFICATION SERVICES

      
Application number US2022071543
Publication number 2022/217218
Status Granted - in force
Filing date 2022-04-05
Publication date 2022-10-13
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Jiang, Mengying
  • Xu, Shengming
  • Fang, Menglan
  • Lam, Ho Yu

Abstract

A cloud-based traffic classification engine maintains a catalog of application-based traffic classes which have been developed based on known applications, and a local traffic classification engine maintains a subset of these classes. Network traffic intercepted by the firewall which cannot be classified by the local engine is forwarded to the cloud-based engine for classification. Upon determination of a class of the traffic, the cloud-based engine forwards the determined class and corresponding signature to the local engine. The firewall maintains a cache which is updated with the signatures corresponding to the class communicated by the cloud-based engine. Subsequent network traffic sent from the application can be determined to correspond to the application and classified accordingly, locally at the firewall, based on the cached signatures. Localization of the cache to the firewall reduces latency of traffic classification operations as the catalog of classification information stored in the cloud scales.

IPC classes

  • H04L 9/40 - Network security protocols
  • H04L 47/2441 - Traffic characterised by specific attributes, e.g. priority or QoS, relying on flow classification, e.g. using integrated services [IntServ]

22.

IOT DEVICE APPLICATION WORKLOAD CAPTURE

      
Application number US2022021583
Publication number 2022/212150
Status Granted - in force
Filing date 2022-03-23
Publication date 2022-10-06
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s) Du, Jun

Abstract

Internet of Things (IoT) device application workload capture is disclosed. A target IoT device is selected. A flow associated with the target device is determined and tagged. Packets from the tagged flow are admitted into a ring buffer. An indication is received that an extraction should be performed on a portion of the packets included in the ring buffer.

IPC classes

  • H04L 47/10 - Flow control; Congestion control
  • G06F 13/42 - Bus transfer protocol, e.g. handshake; Synchronisation
  • G06F 11/30 - Monitoring of operation

23.

GENERATION OF A CAUSALITY TREE REPRESENTATION OF THREAT ANALYSIS REPORT DATA

      
Application number US2022071396
Publication number 2022/213060
Status Granted - in force
Filing date 2022-03-29
Publication date 2022-10-06
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Bhosale, Swati Vaibhav
  • Firstenberg, Eyal
  • Spencer, Edward Thomas
  • Jacobs, Christopher

Abstract

A report generated from analysis of a software sample is obtained and parsed. A root node of a causality tree is determined based on source-target relationships and a primary malware instance indicated in the report. Actions, behaviors, and additional malware instances are identified based on the report. Additional relationships among the data which are not explicitly represented are extracted from further parsing and processing of the report by tracing the relationships in the report data starting from the data of the entity represented by the root node, with child nodes added for processes and files discovered from the tracing. For each entity for which a node is added to the causality tree, counts of the related behaviors and actions are determined and associated with the node along with the corresponding details. A GUI depiction of the resulting causality tree is generated and displayed for visualizing and navigating the causality tree.

IPC classes

  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 21/56 - Detection or handling of malicious programs, e.g. anti-virus arrangements

24.

AUTOMATED EXTRACTION AND CLASSIFICATION OF MALICIOUS INDICATORS

      
Application number US2022016823
Publication number 2022/182568
Status Granted - in force
Filing date 2022-02-17
Publication date 2022-09-01
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Szurdi, Janos
  • Liu, Daiping
  • Wang, Jun

Abstract

Techniques for generating actionable indicators of compromise (IOCs) are disclosed. A set of potential sources for IOCs are received. One or more candidate IOCs are extracted from at least one source included in the set of potential sources. An actionable IOC is automatically identified from the one or more candidate IOCs. The actionable IOC is provided to a security enforcement service.

IPC classes

  • G06F 21/56 - Detection or handling of malicious programs, e.g. anti-virus arrangements
  • G06F 16/28 - Databases characterised by their database models, e.g. relational or object models
  • G06F 16/35 - Clustering; Classification
  • G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures

25.

JOINING JAVASCRIPT OBJECT NOTATION (JSON) QUERIES ACROSS CLOUD RESOURCES

      
Application number US2022070273
Publication number 2022/159964
Status Granted - in force
Filing date 2022-01-20
Publication date 2022-07-28
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Mouleeswaran, Chandra Biksheswaran
  • Repaka, Rama Teja
  • Wang, Xiaoyan
  • Shukla, Parul

Abstract

A cloud resource join query for join operations across cloud resources is parsed to extract join rules and queries to each cloud resource in the cloud resource join query. Results from the individual cloud queries are dynamically indexed based on pairs of cloud resources indicated in the join rules. A search engine applies first order predicates in the join rules using the dynamic indexes to generate pairwise join results corresponding to the query. A result for the cloud resource join query comprises the pairwise join results after merging.

IPC classes

26.

DYNAMICALLY SCALABLE APPLICATION FIREWALL DEPLOYMENT FOR CLOUD NATIVE APPLICATIONS

      
Application number US2021073133
Publication number 2022/147436
Status Granted - in force
Filing date 2021-12-28
Publication date 2022-07-07
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Levin, Liron
  • Schnitzer, Isaac
  • Shuster, Elad
  • Segal, Ory

Abstract

A configuration of a cloud application exposed via a public IP address is duplicated with modifications to include a private IP address to expose the application internally. The original configuration is updated so that external network traffic sent to the application is redirected to and distributed across agents running on nodes of a cloud cluster by which web application firewalls (WAFs) are implemented. A set of agents for which the respective WAFs should inspect the redirected network traffic are selected based on cluster metrics, such as network and resource utilization metrics. The redirected network traffic targets a port allocated to the agents that is unique to the application, where ports are allocated on a per-application basis so each of the agents can support WAF protection for multiple applications. Network traffic which a WAF allows to pass is directed from the agent to the application via its private IP address.

IPC classes

  • H04L 9/40 - Network security protocols
  • H04W 12/088 - Access security using filters or firewalls
  • H04L 41/0893 - Assignment of logical groups to network elements
  • H04L 41/0896 - Bandwidth or capacity management, i.e. automatically increasing or decreasing capacities
  • H04L 61/5007 - Internet protocol [IP] addresses
  • H04L 67/1001 - Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers

27.

ENHANCED SD-WAN PATH QUALITY MEASUREMENT AND SELECTION

      
Application number US2021047185
Publication number 2022/072083
Status Granted - in force
Filing date 2021-08-23
Publication date 2022-04-07
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Cai, Chunqing
  • Kwan, Philip
  • Wang, Lin
  • Chang, Lei
  • Kumar, Sameer
  • Ramanath, Pulikeshi
  • Narayankhedkar, Santosh

Abstract

Techniques for enhanced Software-Defined Wide Area Network (SD-WAN) path quality measurement and selection are disclosed. In some embodiments, a system/method/computer program product for enhanced SD-WAN path quality measurement and selection includes periodically performing a network path measurement for each of a plurality of network paths at a Software-Defined Wide Area Network (SD-WAN) interface; updating a version if the network path measurement exceeds a threshold for one or more of the plurality of network paths; and selecting one of the plurality of network paths for a session based on the version according to an application policy.

IPC classes

  • H04L 12/725 - Selecting a path with suitable quality of service [QoS]

28.

MALICIOUS TRAFFIC DETECTION WITH ANOMALY DETECTION MODELING

      
Application number US2021071244
Publication number 2022/040698
Status Granted - in force
Filing date 2021-08-20
Publication date 2022-02-24
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Achleitner, Stefan
  • Xu, Chengcheng

Abstract

An anomaly detection model is trained to detect malicious traffic sessions with a low rate of false positives. A sample feature extractor extracts tokens corresponding to human-readable substrings of incoming unstructured payloads in a traffic session. The tokens are correlated with a list of malicious traffic features and frequent malicious traffic features across the traffic session are aggregated into a feature vector of malicious traffic feature frequencies. An anomaly detection model trained on feature vectors for unstructured malicious traffic samples predicts the traffic session as malicious or unclassified. The anomaly detection model is trained and updated based on its ongoing false positive rate and malicious traffic features in the list of malicious traffic features that result in a high false positive rate are removed.

IPC classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

29.

PATTERN-BASED MALICIOUS URL DETECTION

      
Application number US2021042654
Publication number 2022/026272
Status Granted - in force
Filing date 2021-07-21
Publication date 2022-02-03
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Liu, Fang
  • Zhou, Yuchen
  • Wang, Jun

Abstract

To perform pattern-based detection of malicious URLs, patterns are first generated from known URLs to build a pattern repository. A URL is first normalized and parsed, and keywords are extracted and stored in an additional repository of keywords. Tokens are then determined from the parsed URL and tags are associated with the parsed substrings. Substring text may also be replaced with general identifying information. Patterns generated from known malicious and benign URLs satisfying certain criteria are published to a pattern repository which can be accessed during subsequent detection operations. During detection, upon identifying a request which indicates an unknown URL, the URL is parsed and tokenized to generate a pattern. The repository of malicious URL patterns is queried to determine if a matching malicious URL pattern can be identified. If a matching malicious URL pattern is identified, the URL is detected as malicious.

IPC classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

30.

CONJOINING MALWARE DETECTION MODELS FOR DETECTION PERFORMANCE AGGREGATION

      
Application number US2021070981
Publication number 2022/027009
Status Granted - in force
Filing date 2021-07-27
Publication date 2022-02-03
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Rao, Akshata Krishnamoorthy
  • Tsechansky, Danny
  • Hu, Wenjun

Abstract

To leverage the higher detection rate of a supplemental model and manage the higher false positive rate of that model, an activation range is tuned for the candidate model to operate in conjunction with an incumbent model. The activation range is a range of output values for the incumbent model that activates the supplemental model. Inputs having benign output values from the incumbent model that are within the activation range are fed into the supplemental model. Thus, the lower threshold of the activation range corresponds to the malware detection threshold of the incumbent model and the upper threshold determines how many benign classified outputs from the incumbent model activate the supplemental model. This conjoining of models with a tuned activation range manages overall false positive rate of the conjoined detection models while the malware detection rate increases over the incumbent detection model alone.

IPC classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06N 20/00 - Machine learning

31.

MALWARE ANALYSIS THROUGH VIRTUAL MACHINE FORKING

      
Application number US2021071081
Publication number 2022/027072
Status Granted - in force
Filing date 2021-07-30
Publication date 2022-02-03
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Lu, Chien-Hua
  • Salsamendi, Ryan Carroll

Abstract

A set of virtual machines (VMs) with different guest operating systems installed is initially booted and prepared to facilitate rapid creation, or "forking," of a child VM(s) for malware analysis of a software sample. Because malicious code may be packaged for a specific operating system version, subsets of the VMs may have different versions of the same guest operating system installed. Upon detection of a sample indicated for malware analysis, a child VM(s) running the appropriate guest operating system is created based on a corresponding one(s) of the set of VMs. A process in which the corresponding VM(s) has been booted is forked to create a child process. A child VM which is a copy of the VM booted in the parent process is then created in the child process. The sample is then sandboxed in the child VM for analysis to determine if the sample comprises malware.

IPC classes

  • G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

32.

SECURING CONTROL AND USER PLANE SEPARATION IN MOBILE NETWORKS

      
Application number US2021037590
Publication number 2022/005748
Status Granted - in force
Filing date 2021-06-16
Publication date 2022-01-06
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Burakovsky, Leonid
  • Verma, Sachin
  • Hu, Fengliang
  • Chen, I-Chun
  • Lim, How Tung

Abstract

Techniques for securing control and user plane separation in mobile networks (e.g., service provider networks for mobile subscribers, such as for 4G/5G networks) are disclosed. In some embodiments, a system/process/computer program product for securing control and user plane separation in mobile networks in accordance with some embodiments includes monitoring network traffic on a mobile network at a security platform to identify a Packet Forwarding Control Protocol (PFCP) message associated with a new session, in which the mobile network includes a 4G network or a 5G network; extracting a plurality of parameters from the PFCP message at the security platform; and enforcing a security policy at the security platform on the new session based on one or more of the plurality of parameters to secure control and user plane separation in the mobile network.

IPC classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

33.

AUTOMATING IOT DEVICE IDENTIFICATION USING STATISTICAL PAYLOAD FINGERPRINTS

      
Application number US2021035279
Publication number 2021/247598
Status Granted - in force
Filing date 2021-06-01
Publication date 2021-12-09
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s) Wang, Feng

Abstract

Internet of Things (IoT) device classification is disclosed. A byte frequency pattern associated with network traffic of an IoT device is received. The received pattern is used to determine a classification for the IoT device. The classification is provided to a security appliance. The security appliance is configured to apply a policy to the IoT device based at least in part on the classification.

IPC classes

  • G06F 11/00 - Error detection; Error correction; Monitoring

34.

INNOCENT UNTIL PROVEN GUILTY (IUPG): ADVERSARY RESISTANT AND FALSE POSITIVE RESISTANT DEEP LEARNING MODELS

      
Application number US2021035699
Publication number 2021/247860
Status Granted - in force
Filing date 2021-06-03
Publication date 2021-12-09
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Kutt, Brody James
  • Starov, Oleksii
  • Zhou, Yuchen
  • Hewlett, William, Redington, Ii

Abstract

Techniques for providing innocent until proven guilty (IUPG) solutions for building and using adversary resistant and false positive resistant deep learning models are disclosed. In some embodiments, a system, process, and/or computer program product includes storing a set comprising one or more innocent until proven guilty (IUPG) models for static analysis of a sample; performing a static analysis of content associated with the sample, wherein performing the static analysis includes using at least one stored IUPG model; and determining that the sample is malicious based at least in part on the static analysis of the content associated with the sample, and in response to determining that the sample is malicious, performing an action based on a security policy.

IPC classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

35.

IOT DEVICE DISCOVERY AND IDENTIFICATION

      
Application number US2021035278
Publication number 2021/247597
Status Granted - in force
Filing date 2021-06-01
Publication date 2021-12-09
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Du, Jun
  • Zhao, Yilin

Abstract

Techniques for performing Internet of Things (IoT) device identification are disclosed. Information associated with a network communication of an IoT device is received. A determination of whether the IoT device has been classified is made. In response to determining that the IoT device has not been classified, a two-part classification process is performed, where a first portion includes an inline classification, and a second portion includes a subsequent verification of the inline classification. A result of the classification process is provided to a security appliance configured to apply a policy to the IoT device.

IPC classes

  • H04W 8/00 - Network data management
  • H04W 8/18 - Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data

36.

REDUCING MEMORY FOOTPRINT AFTER TLS CONNECTION ESTABLISHMENT

      
Application number US2021070604
Publication number 2021/243356
Status Granted - in force
Filing date 2021-05-25
Publication date 2021-12-02
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Sahni, Mohit
  • Tripathi, Saurabh

Abstract

For connection establishment, a system allocates memory that will be occupied by the data and handshake sub-protocol infrastructure that facilitates establishing a TLS connection. After connection establishment, the system allocates memory space for the data and record sub-protocol infrastructure that facilitates the asynchronous communication of application traffic. The memory space for the TLS session (i.e., the communication information separate from the handshake) has a substantially smaller footprint than the memory space for the TLS handshake. The TLS handshake memory space can be released and recycled for other connections while application communications use the smaller memory space allocated and populated with the TLS session data and infrastructure.

IPC classes

  • G06F 21/64 - Protecting data integrity, e.g. using checksums, certificates or signatures
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 12/02 - Addressing or allocation; Relocation
  • H04L 29/08 - Transmission control procedure, e.g. data link level control procedure

37.

AUTOMATED CONTENT TAGGING WITH LATENT DIRICHLET ALLOCATION OF CONTEXTUAL WORD EMBEDDINGS

      
Application number US2021019452
Publication number 2021/173700
Status Granted - in force
Filing date 2021-02-24
Publication date 2021-09-02
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Thor, Nandan, Gautam
  • Arvaniti, Vasiliki
  • Helenius, Jere, Armas, Michael
  • Bower, Erik, Michael

Abstract

Dynamic content tags are generated as content is received by a dynamic content tagging system. A natural language processor (NLP) tokenizes the content and extracts contextual N-grams based on local or global context for the tokens in each document in the content. The contextual N-grams are used as input to a generative model that computes a weighted vector of likelihood values that each contextual N-gram corresponds to one of a set of unlabeled topics. A tag is generated for each unlabeled topic comprising the contextual N-gram having a highest likelihood to correspond to that unlabeled topic. Topic-based deep learning models having tag predictions below a threshold confidence level are retrained using the generated tags, and the retrained topic-based deep learning models dynamically tag the content.

IPC classes

  • G06N 3/04 - Architecture, e.g. interconnection topology
  • G06N 7/00 - Computing arrangements based on specific mathematical models
  • G06F 40/00 - Handling natural language data

38.

INTELLIGENT SIGNATURE-BASED ANTI-CLOAKING WEB RECRAWLING

      
Application number US2020056730
Publication number 2021/081139
Status Granted - in force
Filing date 2020-10-21
Publication date 2021-04-29
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Starov, Oleksii
  • Chen, Zhanhao
  • Zhou, Yuchen
  • Liu, Fang

Abstract

Web sites are crawled using multiple browser profiles to avoid malicious cloaking. Based on web page content returned from HTTP requests using the multiple browser profiles, web sites returning substantively different content to HTTP requests for different browser profiles are identified. Web sites are further filtered by common cloaking behavior, and redirect scripts are extracted from web page content that performed cloaking. Signatures comprising tokenized versions of the redirect scripts are generated and compared to a database of known cloaking signatures. URLs corresponding to signatures having approximate matches with signatures in the database are flagged for recrawling. Recrawled URLs are verified for malicious cloaking again using HTTP requests from multiple browser profiles.

IPC classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 16/951 - Indexing; Web crawling techniques
  • H04L 29/08 - Transmission control procedure, e.g. data link level control procedure

39.

IN-LINE DETECTION OF ALGORITHMICALLY GENERATED DOMAINS

      
Application number US2020053530
Publication number 2021/067425
Status Granted - in force
Filing date 2020-09-30
Publication date 2021-04-08
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Liu, Daiping
  • Walter, Martin
  • Hua, Ben
  • Li, Suquan
  • Fei, Fan
  • Chung, Seokkyung
  • Wang, Jun
  • Xu, Wei

Abstract

Detection of algorithmically generated domains is disclosed. A DNS query is received. Markov Chain analysis is performed on a domain included in the received query. A determination of whether the received query implicates an algorithmically generated domain is made based at least in part on a result of the Markov Chain analysis.

IPC classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • H04L 29/08 - Transmission control procedure, e.g. data link level control procedure
  • H04L 29/12 - Arrangements, apparatus, circuits or systems, not covered by a single one of groups characterised by the data terminal

40.

CONTEXT INFORMED ABNORMAL ENDPOINT BEHAVIOR DETECTION

      
Application number US2020048531
Publication number 2021/041901
Status Granted - in force
Filing date 2020-08-28
Publication date 2021-03-04
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Meir, Shai
  • Cohen, Dany
  • Miasnikov, Arkady
  • Ohayon, Ohad

Abstract

Adaptive normal profiles are generated at a hierarchical scope corresponding to a set of endpoints and a process. Abnormal endpoint activity is detected by verifying whether event data tracking activity on the set of endpoints conforms to the adaptive normal profiles. False positives are reduced by verifying alarms correspond to normal endpoint activity. Abnormal event data is forwarded to a causality chain identifier that identifies abnormal chains of processes for the abnormal endpoint activity. A trained threat detection model receives abnormal causality chains from the causality chain identifier and indicates a likelihood of corresponding to a malicious attack that indicates abnormal endpoint behavior.

IPC classes

  • G06F 21/55 - Detecting local intrusion or implementing counter-measures

41.

MULTI-PERSPECTIVE SECURITY CONTEXT PER ACTOR

      
Application number US2020042745
Publication number 2021/016171
Status Granted - in force
Filing date 2020-07-20
Publication date 2021-01-28
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Fitz-Gerald Jr., Jeffrey James
  • Murthy, Ashwath Sreenivasa

Abstract

A flexible security system has been created that allows for fluid security operations that adapt to the dynamic nature of user behavior while also allowing the security related operations themselves to be dynamic. This flexible system includes ongoing collection and/or updating of multi-perspective "security contexts" per actor and facilitating consumption of these multi-perspective security contexts for security related operations on the users. These security related operations can include policy-based security enforcement and inspection. A security platform component or security entity uses a multi-perspective security context for a user or actor. Aggregating and maintaining behavioral information into a data structure for an actor over time from different sources allows a security platform component or entity to have historical context for an actor from one or more security perspectives. Descriptors that form a security context can originate from various sources having visibility of user behavior and/or user attributes.

IPC classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

42.

INLINE MALWARE DETECTION

      
Application number US2020040928
Publication number 2021/015941
Status Granted - in force
Filing date 2020-07-06
Publication date 2021-01-28
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Hewlett, William, Redington
  • Deng, Suiqiang
  • Yang, Sheng
  • Lam, Ho, Yu

Abstract

Detection of malicious files is disclosed. A set comprising one or more sample classification models is stored on a networked device. N-gram analysis is performed on a sequence of received packets associated with a received file. Performing the n-gram analysis includes using at least one stored sample classification model. A determination is made that the received file is malicious based at least in part on the n-gram analysis of the sequence of received packets. In response to determining that the file is malicious, propagation of the received file is prevented.

IPC classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

43.

SECURITY POLICY ENFORCEMENT AND VISIBILITY FOR NETWORK ARCHITECTURES THAT MASK EXTERNAL SOURCE ADDRESSES

      
Application number US2020030313
Publication number 2020/223262
Status Granted - in force
Filing date 2020-04-28
Publication date 2020-11-05
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Warburton, Thomas Arthur
  • Sreenivasa Murthy, Ashwath
  • Fitz-Gerald, Jr., Jeffrey James

Abstract

Some network architectures include perimeter or edge devices which perform network address translation or otherwise modify data in a network traffic packet header, such as the source address. The modification of the source address prevents downstream devices from knowing the true or original source address from which the traffic originated. To address this issue, perimeter devices can insert the original source address in an X-Forwarded-For field of the packet header. Firewalls and related security services can be programmed to record the original source address in the XFF field in addition to the other packet information and to consider the original source address during security analysis. Using the original source address in the XFF field, services can determine additional characteristics about the traffic, such as geographic origin or associated user accounts, and use these characteristics to identify applicable rules or policies.

IPC classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

44.

MULTI-ACCESS DISTRIBUTED EDGE SECURITY IN MOBILE NETWORKS

      
Application number US2020024281
Publication number 2020/198157
Status Granted - in force
Filing date 2020-03-23
Publication date 2020-10-01
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Verma, Sachin
  • Burakovsky, Leonid

Abstract

Techniques for providing multi-access distributed edge security in mobile networks (e.g., service provider networks for mobile subscribers, such as for 5G networks) are disclosed. In some embodiments, a system/process/computer program product for multi-access distributed edge security in mobile networks in accordance with some embodiments includes monitoring network traffic on a service provider network at a security platform to identify a new session, wherein the service provider network includes a 5G network or a converged 5G network; extracting subscription and/or equipment identifier information for user traffic associated with the new session at the security platform; and determining a security policy to apply at the security platform to the new session based on the subscription and/or equipment identifier information.

IPC classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04W 76/11 - Allocation or use of connection identifiers
  • H04W 24/08 - Testing using real traffic
  • H04W 12/06 - Authentication
  • H04W 76/12 - Connection management Connection setup Setup of transport tunnels
  • H04W 80/12 - Application layer protocols, e.g. WAP [Wireless Application Protocol]

45.

EXPLORABLE VISUAL ANALYTICS SYSTEM HAVING REDUCED LATENCY

      
Application number US2019053866
Publication number 2020/072379
Status Granted - in force
Filing date 2019-09-30
Publication date 2020-04-09
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Yahyavi Firouz Abadi, Seyed, Amir
  • Amirpour, Amraii, Saman
  • Roosta, Pour, Laleh

Abstract

A method and system for processing datasets having a number of data points are described. A portion of the dataset is received and processed in parallel. A view on a display is updated to include a first section of the portion of the dataset after the first section completes processing but before a remainder of the portion of the dataset completes processing. In some aspects, the portion of the dataset can include up to one million or more data points. In some aspects, if a change from the view to a second view is received before processing has completed, an unusable part of the dataset is discarded and/or a reusable part of the dataset that has completed processing is reused for the second view. In some aspects, columns of different datasets may be correlated and/or processed data is provided such that the processed data may be rapidly rendered.

IPC classes

  • G06T 15/00 - 3D [Three Dimensional] image rendering

46.

NETWORK SLICE-BASED SECURITY IN MOBILE NETWORKS

      
Application number US2019051792
Publication number 2020/068521
Status Granted - in force
Filing date 2019-09-18
Publication date 2020-04-02
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Verma, Sachin
  • Burakovsky, Leonid

Abstract

Techniques for providing network slice-based security in mobile networks (e.g., service provider networks for mobile subscribers) are disclosed. In some embodiments, a system/process/computer program product for network slice-based security in mobile networks in accordance with some embodiments includes monitoring network traffic on a service provider network at a security platform to identify a new session, wherein the service provider network includes a 5G network or a converged 5G network; extracting network slice information for user traffic associated with the new session at the security platform; and determining a security policy to apply at the security platform to the new session based on the network slice information.

IPC classes

  • H04W 4/50 - Service provisioning or reconfiguring
  • H04W 76/10 - Connection management Connection setup
  • H04W 12/08 - Access security

47.

TRANSPORT LAYER SIGNALING SECURITY WITH NEXT GENERATION FIREWALL

      
Application number US2019017361
Publication number 2019/160776
Status Granted - in force
Filing date 2019-02-08
Publication date 2019-08-22
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Verma, Sachin
  • Burakovsky, Leonid
  • Huo, Mingxu
  • Hu, Fengliang

Abstract

Techniques for transport layer signaling security with next generation firewall are disclosed. In some embodiments, a system/process/computer program product for transport layer signaling with next generation firewall includes monitoring transport layer signaling traffic on a service provider network at a security platform; and filtering the transport layer signaling traffic at the security platform based on a security policy. Techniques for application layer signaling security with next generation firewall are also disclosed. In some embodiments, a system/process/computer program product for application layer signaling security with next generation firewall includes monitoring application layer signaling traffic on a service provider network at a security platform; and filtering the application layer signaling traffic at the security platform based on a security policy. Techniques for network layer signaling security with next generation firewall are also disclosed. In some embodiments, a system/process/computer program product for network layer signaling security with next generation firewall includes monitoring a network layer signaling protocol traffic on a service provider network at a security platform; and filtering the network layer signaling protocol traffic at the security platform based on a security policy. Techniques for Diameter security with next generation firewall are also disclosed. In some embodiments, a system/process/computer program product for Diameter security with next generation firewall includes monitoring Diameter protocol traffic on a service provider network at a security platform; and filtering the Diameter protocol traffic at the security platform based on a security policy.

IPC classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 12/26 - Monitoring arrangements; Testing arrangements
  • H04L 12/56 - Packet switching systems
  • H04W 12/08 - Access security

48.

CONTEXT PROFILING FOR MALWARE DETECTION

      
Application number US2019015684
Publication number 2019/152421
Status Granted - in force
Filing date 2019-01-29
Publication date 2019-08-08
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Wang, Jun
  • Xu, Wei

Abstract

Analysis of samples for maliciousness is disclosed. A sample is executed and one or more network activities associated with executing the sample are recorded. The recorded network activities are compared to a malware profile. The malware profile comprises a set of network activities associated with executing a copy of a known malicious application. A verdict of "malicious" is assigned to the sample based at least in part on a determination that the recorded network activities match the malware profile. Also disclosed is use of a malware profile to determine whether a host has been compromised. For example, a set of log entries can be analyzed to locate entries that correspond to the malware profile. Based at least in part on identifying the set of entries matching the malware profile, a determination is made that a host was compromised.

IPC classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

49.

FINE-GRAINED FIREWALL POLICY ENFORCEMENT USING SESSION APP ID AND ENDPOINT PROCESS ID CORRELATION

      
Application number US2018051152
Publication number 2019/055830
Status Granted - in force
Filing date 2018-09-14
Publication date 2019-03-21
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Ashley, Robert, Earle
  • Lam, Ho, Yu
  • Tesh, Robert
  • Jin, Xuanyu
  • Mathison, Paul, Theodore
  • Li, Qiuming
  • Ettema, Taylor

Abstract

Techniques for fine-grained firewall policy enforcement using session APP ID and endpoint process ID correlation are disclosed. In some embodiments, a system/process/computer program product for fine-grained firewall policy enforcement using session APP ID and endpoint process ID correlation includes receiving, at a network device on an enterprise network, process identification (ID) information from an endpoint (EP) agent executed on an EP device, in which the process identification information identifies a process that is initiating a network session from the EP device on the enterprise network; monitoring network communications associated with the network session at the network device to identify an application identification (APP ID) for the network session; and performing an action based on a security policy using the process ID information and the APP ID.

IPC classes

  • G06F 9/00 - Arrangements for program control, e.g. control units

50.

LOCATION BASED SECURITY IN SERVICE PROVIDER NETWORKS

      
Application number US2018037142
Publication number 2018/231855
Status Granted - in force
Filing date 2018-06-12
Publication date 2018-12-20
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Verma, Sachin
  • Burakovsky, Leonid
  • Shu, Jesse
  • Li, Chang
  • Chang, Lei
  • Chen, I-Chun

Abstract

Techniques for location based security in service provider networks (e.g., service provider networks for mobile subscribers) are disclosed. In some embodiments, a system/process/computer program product for location based security in service provider networks includes monitoring network traffic on a service provider network at a security platform to identify a location for a new session; associating the location with the new session at the security platform; and determining a security policy to apply at the security platform to the new session based on the location.

IPC classes

  • G06F 17/30 - Information retrieval; Database structures therefor
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

51.

MULTIFACTOR AUTHENTICATION AS A NETWORK SERVICE

      
Application number US2017047815
Publication number 2018/063583
Status Granted - in force
Filing date 2017-08-21
Publication date 2018-04-05
Owner PALO ALTO NETWORKS, INC (USA)
Inventor(s)
  • Murthy, Ashwath, Sreenivasa
  • Ganesan, Karthik
  • Mangam, Prabhakar, M V B R
  • Jandhyala, Shriram, S.
  • Walter, Martin

Abstract

Techniques for multifactor authentication as a network service are disclosed. In some embodiments, a system, process, and/or computer program product for multifactor authentication as a network service includes monitoring a session at a firewall, applying an authentication profile based on the new session, and performing an action based on the authentication profile.

IPC classes

  • G06F 1/00 - ELECTRIC DIGITAL DATA PROCESSING - Details not covered by groups and
  • G06F 15/16 - Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
  • G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 29/08 - Transmission control procedure, e.g. data link level control procedure

52.

AUTOMATICALLY GROUPING MALWARE BASED ON ARTIFACTS

      
Application number US2017019731
Publication number 2017/151515
Status Granted - in force
Filing date 2017-02-27
Publication date 2017-09-08
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Rostami-Hesarsorkh, Shadi
  • Vasudevan, Sudarshan
  • Hewlett, Redington, William
  • Rostamabadi, Farshad
  • Malik, Bilal

Abstract

Techniques for automatically grouping malware based on artifacts are disclosed. In some embodiments, a system, process, and/or computer program product for automatically grouping malware based on artifacts includes receiving a plurality of samples for performing automated malware analysis to generate log files based on the automated malware analysis; processing the log files to extract features associated with malware; clustering the plurality of samples based on the extracted features; and performing an action based on the clustering output.

IPC classes

  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

53.

PACKET CLASSIFICATION FOR NETWORK ROUTING

      
Application number US2014043367
Publication number 2015/009404
Status Granted - in force
Filing date 2014-06-20
Publication date 2015-01-22
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Zuk, Nir
  • Benoit, Marc, Joseph

Abstract

Techniques for packet classification for network routing are disclosed. In some embodiments, packet classification for network routing includes receiving packets associated with a new flow at a security controller from a network device, in which the network device performs packet forwarding; classifying the flow; and determining an action for the flow based on a policy (e.g., a security policy). In some embodiments, the network device is a Software Defined Network (SDN) network device (e.g., a packet forwarding device that supports the OpenFlow protocol or another protocol).

IPC classes

  • H04L 1/00 - Arrangements for detecting or preventing errors in the information received

54.

SECURITY DEVICE IMPLEMENTING NETWORK FLOW PREDICTION, AND FLOW OWNERSHIP ASSIGNMENT AND EVENT AGGREGATION IN A DISTRIBUTED PROCESSOR SYSTEM

      
Application number US2014013689
Publication number 2014/120838
Status Granted - in force
Filing date 2014-01-29
Publication date 2014-08-07
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Roberson, William, A.
  • Xu, Wilson

Abstract

A security device for processing network flows includes a predict flow table containing predict flow entries mapping predicted network flows to packet processor ownership assignments. The predict key includes multiple data fields identifying a predicted network flow where one or more of the data fields have a wildcard value. In another embodiment, a security device for processing network flows includes a packet processing manager configured to assign ownership of network flows to the one or more packet processors where the packet processing manager includes a global flow table containing entries mapping network flows to packet processor ownership assignments. In another embodiment, a security device for processing network flows includes packet processing cards with packet processors formed thereon where each packet processing card stores local counter values for one or more events and a packet processing manager including global event counters to maintain event statistics for events in the security device.

IPC classes

  • H04L 12/56 - Packet switching systems

55.

USING DNS COMMUNICATIONS TO FILTER DOMAIN NAMES

      
Application number US2012038420
Publication number 2012/162099
Status Granted - in force
Filing date 2012-05-17
Publication date 2012-11-29
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s) Xie, Huagang

Abstract

Using DNS communications to filter domain names is disclosed. A domain name is extracted from a received DNS request. The received DNS request is blocked in response to determining based on a policy that access to the domain name of the DNS request is not permitted. In some cases, such a DNS request is responded to with a spoofed DNS response.

IPC classes

  • G06F 7/04 - Identity comparison, i.e. for like or unlike values

56.

MALWARE ANALYSIS SYSTEM

      
Application number US2012038439
Publication number 2012/162102
Status Granted - in force
Filing date 2012-05-17
Publication date 2012-11-29
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Xie, Huagang
  • Wang, Xinran
  • Liu, Jiangxia

Abstract

In some embodiments, a malware analysis system includes receiving a potential malware sample from a firewall; analyzing the potential malware sample using a virtual machine to determine if the potential malware sample is malware; and automatically generating a signature if the potential malware sample is determined to be malware. In some embodiments, the potential malware sample does not match a preexisting signature, and the malware is a zero-day attack.

IPC classes

  • G06F 11/00 - Error detection; Error correction; Monitoring
  • G06F 12/14 - Protection against unauthorised use of memory
  • G06F 12/16 - Protection against loss of memory contents

57.

L2/L3 MULTI-MODE SWITCH INCLUDING POLICY PROCESSING

      
Application number US2008060089
Publication number 2008/128085
Status Granted - in force
Filing date 2008-04-11
Publication date 2008-10-23
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Zuk, Nir
  • Mao, Yuming
  • Xu, Haoying
  • Green, Arnit

Abstract

Methods and apparatus for processing data packets in a computer network are described. One general method includes receiving a data packet; examining the data packet to classify the data packet including classifying the data packet as a L2 or L3 packet and including determining at least one zone associated with the packet; processing the packet in accordance with one or more policies associated with the zone; determining forwarding information associated with the data packet; and if one or more policies permit, forwarding the data packet toward an intended destination using the forwarding information.

IPC classes

  • H04L 12/28 - Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
  • H04L 12/26 - Monitoring arrangements; Testing arrangements

58.

PACKET CLASSIFICATION IN A NETWORK SECURITY DEVICE

      
Application number US2007072148
Publication number 2008/002930
Status Granted - in force
Filing date 2007-06-26
Publication date 2008-01-03
Owner PALO ALTO NETWORKS, INC. (USA)
Inventor(s)
  • Zuk, Nir
  • Wang, Song
  • Leung, Siu-Wang
  • Gong, Fengmin

Abstract

Methods and apparatuses are described for inspecting data packets in a computer network. One or more data packets through the network have associated header data and content. One method includes receiving a data packet, examining the data packet to classify the data packet including classifying the data packet using information included in the header and content, determining flow instructions for processing the packet based on both the header information and the content and processing of the packet using the flow instructions.

IPC classes