Sophos Limited

United Kingdom

1-100 of 616 for Sophos Limited
IP Type
        Patent 477
        Trademark 139
Jurisdiction
        United States 494
        World 62
        Europe 49
        Canada 11
Date
New (last 4 weeks) 6
2025 May (MTD) 5
2025 April 6
2025 March 5
2025 February 5
IPC Class
H04L 29/06 - Communication control; Communication processing characterised by a protocol 182
H04L 9/40 - Network security protocols 167
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements 145
G06F 21/55 - Detecting local intrusion or implementing counter-measures 90
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system 60
NICE Class
09 - Scientific and electric apparatus and instruments 94
42 - Scientific, technological and industrial services, research and design 93
41 - Education, entertainment, sporting and cultural services 37
16 - Paper, cardboard and goods made from these materials 26
25 - Clothing; footwear; headgear 18
Status
Pending 108
Registered / In Force 508

1.

DOMAIN NAME SERVICE PROTECTION FOR SECURE WEB GATEWAY

      
Application Number 18949227
Status Pending
Filing Date 2024-11-15
First Publication Date 2025-05-22
Owner Sophos Limited (United Kingdom)
Inventor
  • Gupta, Prashil Rakeshkumar
  • Dumitrean, Radu-Mihal
  • A R, Harsha
  • Baldry, Richard John
  • Chao, Chang Cheng
  • Costigan, Catherine
  • Couzins, Timothy James
  • Derbenev, Aleksander
  • Fitzgerald, Barry
  • Gale, Peter Anthony
  • O'Donovan, Robert Michael
  • Senapati, Ipsit
  • Xia, Xiaodan

Abstract

A secure web gateway for a cloud computing environment comprises a data plane component, comprising: a front-end domain name service (DNS) configured to receive an inbound DNS request and map an IP address of the DNS request to a policy identification value corresponding to a customer policy and a plurality of plugin modules utilized by the front-end DNS to process the DNS request according to the mapping of the IP address from which the DNS request originates to the policy identification value. The secure web gateway further comprises a control plane component that provides the customer policy to the front-end DNS and configures the IP address to permit access to a DNS service according to the customer policy.

IPC Classes

  • H04L 9/40 - Network security protocols
  • H04L 61/4511 - Network directories; Name-to-address mapping using standardised directories; Network directories; Name-to-address mapping using standardised directory access protocols using domain name system [DNS]

2.

SECURE FIREWALL CONFIGURATIONS

      
Application Number 18772026
Status Pending
Filing Date 2024-07-12
First Publication Date 2025-05-22
Owner Sophos Limited (United Kingdom)
Inventor Teal, Richard S.

Abstract

A kernel driver on an endpoint uses a process cache to provide a stream of events associated with processes on the endpoint to a data recorder. The process cache can usefully provide related information about processes such as a name, type or path for the process to the data recorder through the kernel driver. Where a tamper protection cache or similarly secured repository is available, this secure information may also be provided to the data recorder for use in threat detection, forensic analysis and so forth.

IPC Classes

  • G06F 21/54 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by adding security routines or objects to programs
  • G06F 12/0813 - Multiuser, multiprocessor or multiprocessing cache systems with a network or matrix configuration
  • G06F 21/44 - Program or device authentication
  • G06F 21/50 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
  • G06F 21/51 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
  • G06F 21/60 - Protecting data
  • H04L 9/08 - Key distribution
  • H04L 9/30 - Public key, i.e. encryption algorithm being computationally infeasible to invert and users' encryption keys not requiring secrecy
  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • H04L 9/40 - Network security protocols
  • H04L 43/026 - Capturing of monitoring data using flow identification
  • H04L 43/028 - Capturing of monitoring data by filtering
  • H04L 43/045 - Processing captured monitoring data, e.g. for logfile generation for graphical visualisation of monitoring data
  • H04L 43/062 - Generation of reports related to network traffic
  • H04L 43/10 - Active monitoring, e.g. heartbeat, ping or trace-route
  • H04L 47/2475 - Traffic characterised by specific attributes, e.g. priority or QoS for supporting traffic characterised by the type of applications
  • H04L 67/568 - Storing data temporarily at an intermediate stage, e.g. caching

3.

Multistage Quarantine of Emails

      
Application Number 18503920
Status Pending
Filing Date 2023-11-07
First Publication Date 2025-05-08
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Mears, John
  • Rajkumar, Balakrishnan

Abstract

A computer-implemented method includes receiving an email for processing. The method further includes prior to delivering the email, providing the email to a set of scanners, wherein one or more of the scanners are associated with a respective type of content and are configured to detect whether the email includes the respective type of content. The method further includes receiving, from the set of scanners, an identification of a plurality of types of content in the email. The method further includes for each type of content in the email providing the email to a user of a particular role, wherein users of the particular role are authorized to review the type of content and receiving, from the user, approval of the email for the type of content. The method further includes responsive to the email being approved for each type of content, delivering the email to a recipient.

IPC Classes

  • G06F 21/55 - Detecting local intrusion or implementing counter-measures

4.

COLD START USER ACTIVITY ANOMALY DETECTION IN CLOUD COMPUTING ENVIRONMENT

      
Application Number 18928494
Status Pending
Filing Date 2024-10-28
First Publication Date 2025-05-01
Owner Sophos Limited (United Kingdom)
Inventor
  • Munjal, Mohit
  • Singh, Arun

Abstract

A system and method for detecting cold start user activity anomalies in a cloud computing environment comprise an anomaly detection system collecting historical activity data of users of a plurality of endpoint computers arranged in an account. An average user baseline behavior model is trained for the account from the historical activity data of the users arranged in the account. The anomaly detection system applies the average user baseline behavior model to a cold start user activity and detects an anomaly in response to a comparison between the cold start user activity and the average user baseline behavior model. The anomaly detection system displays an alert based on a determination from the comparison that at least one anomaly of the plurality of anomalies is detected by the cold start user activity deviating from the average user baseline behavior model by a predetermined threshold.

IPC Classes

  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06N 7/01 - Probabilistic graphical models, e.g. probabilistic networks

5.

ENDPOINT COMPUTER CONFIGURATION MANAGEMENT

      
Application Number 18494953
Status Pending
Filing Date 2023-10-26
First Publication Date 2025-05-01
Owner Sophos Limited (United Kingdom)
Inventor
  • Mills, Ryan Elliot
  • Caine, Jonathan Francis

Abstract

A method comprises storing a policy type having a plurality of device settings for a plurality of endpoint computers; assigning a reference key to a device setting of the plurality of device settings, the reference key corresponding to a subset of endpoint computers of the plurality of endpoint computers; notifying the subset of the endpoint computers of the policy type; querying the database for a device setting of the plurality of device settings based on a current attribute of the endpoint computer; and fetching the device setting. Further disclosed are a computer system and computer program product configured to perform the method.

IPC Classes

  • H04L 41/0894 - Policy-based network configuration management
  • H04L 41/084 - Configuration by using pre-existing information, e.g. using templates or copying from other elements
  • H04L 41/0893 - Assignment of logical groups to network elements

6.

CRYPTOGUARD

      
Application Number 019176132
Status Pending
Filing Date 2025-04-22
Owner Sophos Limited (United Kingdom)
NICE Classes 09 - Scientific and electric apparatus and instruments

Goods & Services

Anti-malware software; anti-virus software; anti-ransomware software; intrusion detection systems (IDS); intrusion prevention systems.

7.

MALICIOUS ENUMERATION ATTACK DETECTION

      
Application Number 18485564
Status Pending
Filing Date 2023-10-12
First Publication Date 2025-04-17
Owner Sophos Limited (United Kingdom)
Inventor Mayfield, Tristan Parker

Abstract

A computer system implemented method includes receiving flow data associated with web traffic from one or more requesters for a website, analyzing the flow data associated with the web traffic for the website, determining whether the flow data associated with the web traffic for the website indicates a likelihood of a malicious enumeration attack, and alerting an administrator of the website of the likelihood of the malicious enumeration attack. Further disclosed are computer systems and computer program products configured to perform the disclosed methods.

IPC Classes

8.

ENDPOINT WITH REMOTELY PROGRAMMABLE DATA RECORDER

      
Application Number 18809816
Status Pending
Filing Date 2024-08-20
First Publication Date 2025-04-17
Owner Sophos Limited (United Kingdom)
Inventor
  • Ladnai, Beata
  • Harris, Mark D.
  • Smith, Andrew G. P.
  • Ray, Kenneth D.
  • Thomas, Andrew J.
  • Humphries, Russell

Abstract

An endpoint coupled in a communicating relationship with an enterprise network may include a data recorder configured to store an event stream of data indicating events on the endpoint including types of changes to computing objects, a filter configured to locally process the event stream into a filtered event stream including a subset of types of changes to the computing objects, and a local security agent. The local security agent may be configured to transmit the filtered event stream to a threat management facility, respond to a filter adjustment from the threat management facility by adjusting the filter to modify the subset of types of changes included in the filtered event stream, and respond to a query from the threat management facility by retrieving data stored in the data recorder over a time window before the query and excluded from the filtered event stream.

IPC Classes

  • G06Q 10/0635 - Risk analysis of enterprise or organisation activities
  • G06F 9/54 - Interprogram communication
  • G06F 11/07 - Responding to the occurrence of a fault, e.g. fault tolerance
  • G06F 16/955 - Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
  • G06F 17/18 - Complex mathematical operations for evaluating statistical data
  • G06F 18/21 - Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
  • G06F 18/214 - Generating training patterns; Bootstrap methods, e.g. bagging or boosting
  • G06F 18/23213 - Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions with fixed number of clusters, e.g. K-means clustering
  • G06F 18/2413 - Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on distances to training or reference patterns
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06N 5/01 - Dynamic search techniques; Heuristics; Dynamic trees; Branch-and-bound
  • G06N 5/022 - Knowledge engineering; Knowledge acquisition
  • G06N 5/04 - Inference or reasoning models
  • G06N 5/046 - Forward inferencing; Production systems
  • G06N 7/00 - Computing arrangements based on specific mathematical models
  • G06N 20/00 - Machine learning
  • G06N 20/20 - Ensemble learning
  • G06Q 10/0639 - Performance analysis of employees; Performance analysis of enterprise or organisation operations
  • G06Q 30/018 - Certifying business or products
  • G06Q 30/0283 - Price estimation or determination
  • G06V 20/52 - Surveillance or monitoring of activities, e.g. for recognising suspicious objects
  • H04L 9/40 - Network security protocols

9.

CRYPTOGUARD

      
Serial Number 99138359
Status Pending
Filing Date 2025-04-15
Owner Sophos Limited (United Kingdom)
NICE Classes 09 - Scientific and electric apparatus and instruments

Goods & Services

Downloadable computer anti-virus software; Downloadable computer software for anti-malware, anti-ransomware, intrusion detection, and intrusion prevention

10.

MISCONFIGURED MIRROR PORT DETECTION

      
Application Number 18982439
Status Pending
Filing Date 2024-12-16
First Publication Date 2025-04-10
Owner Sophos Limited (United Kingdom)
Inventor Terry, Neil Richard

Abstract

A method includes monitoring a plurality of packets received by a network sensor associated with a port of a network, determining a ratio of unicast, multicast or broadcast packets to a total number of packets for the plurality of packets, determining that the ratio is outside the bounds of a threshold range, detecting that a port is misconfigured based on the determination that the ratio is outside the bounds of a threshold range, and automatically notifying a network administrator that the port is misconfigured based on the determination that the ratio is outside the bounds of a threshold range. Further disclosed is a computer system and computer program product configured to perform the method.

IPC Classes

  • H04L 41/0873 - Checking configuration conflicts between network elements
  • H04L 41/0813 - Configuration setting characterised by the conditions triggering a change of settings
  • H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]

11.

METHODS AND APPARATUS FOR VISUALIZATION OF MACHINE LEARNING MALWARE DETECTION MODELS

      
Application Number 18918795
Status Pending
Filing Date 2024-10-17
First Publication Date 2025-04-10
Owner Sophos Limited (United Kingdom)
Inventor
  • Berlin, Konstantin
  • Sopan, Awalin Nabila

Abstract

Embodiments disclosed include methods and apparatus for visualization of data and models (e.g., machine learning models) used to monitor and/or detect malware to ensure data integrity and/or to prevent or detect potential attacks. Embodiments disclosed include receiving information associated with artifacts scored by one or more sources of classification (e.g., models, databases, repositories). The method includes receiving inputs indicating threshold values or criteria associated with a classification of maliciousness of an artifact and for selecting sample artifacts. The method further includes classifying and selecting the artifacts, based on the criteria, to define a sample set, and based on the sample set, generating a ground truth indication of classification of maliciousness for each sample artifact in the sample set. The method further includes using the ground truth indications to evaluate and display, via an interface, a representation of a performance of sources of classification and/or quality of data.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06N 5/022 - Knowledge engineering; Knowledge acquisition

12.

CLASSIFICATION USING NEIGHBORHOOD RESIDENT ANALYSIS

      
Application Number 18471552
Status Pending
Filing Date 2023-09-21
First Publication Date 2025-03-27
Owner Sophos Limited (United Kingdom)
Inventor
  • Roberts, Guy William
  • Mcdonald, Sean

Abstract

A computer system implemented method for detecting false positive events includes detecting an event that is potentially indicative of a digital threat, defining a neighborhood of a plurality of computer systems in operable communication with the computer system, inquiring to the neighborhood of the plurality of computer systems whether at least one computer system of the plurality of computer systems has had the event, or a related event, occur, receiving responses from one or more of the computer systems of the plurality of computer systems of the neighborhood based on the inquiring, analyzing the received responses from one or more of the computer systems of the plurality of computer systems of the neighborhood to determine a context of the event, classifying the event as a false positive event based on the analyzing and the determined context, and suppressing the event based on the classifying.

IPC Classes

13.

GUIDING CONFIGURATION OF A SWITCH STACK

      
Application Number 18373121
Status Pending
Filing Date 2023-09-26
First Publication Date 2025-03-27
Owner Sophos Limited (United Kingdom)
Inventor
  • Dhamdhere, Shilpa Sachin
  • Toews, Alan Charles

Abstract

In one embodiment, techniques are provided to guide a user to configure a switch stack. A recommendation and guidance facility may identify one or more network switches to be added to the switch stack. It may further identify any existing connections among ports. Using this information, the recommendation and guidance facility may build a set of configurations for the switch stack. The recommendation and guidance facility may calculate a resiliency score, select a configuration based on the configuration's respective resiliency score, and display one or more stack connection recommendations that are implementable by a user to achieve the selected configuration and the possible resiliency score.

IPC Classes

  • H04L 41/08 - Configuration management of networks or network elements
  • H04L 41/0823 - Configuration setting characterised by the purposes of a change of settings, e.g. optimising configuration for enhancing reliability
  • H04L 41/0893 - Assignment of logical groups to network elements

14.

ZERO TRUST NETWORK ACCESS CONNECTOR FOR CUSTOMER PREMISES

      
Application Number 18823903
Status Pending
Filing Date 2024-09-04
First Publication Date 2025-03-06
Owner Sophos Limited (United Kingdom)
Inventor
  • Obulareddy, Venkata Suresh Reddy
  • Olakengil, Joju Francis

Abstract

A zero trust network access (ZTNA) system provides secure access to applications hosted on a customer premises. The ZTNA system is modified to facilitate distributed and/or cloud-based deployments of components for a control plane and a data plane that cooperate to support a network-accessible front end for the customer's locally hosted applications. A customer-side connector can be further simplified for deployment by moving ZTNA components for, e.g., secure tunneling, authorization, and authentication into the cloud-based infrastructure, and by managing deployment and configuration of the connector through a threat management facility for the customer premises.

IPC Classes

  • H04L 9/40 - Network security protocols
  • H04L 43/10 - Active monitoring, e.g. heartbeat, ping or trace-route

15.

WEBSOCKET SERVER FOR CLOUD-BASED ZERO TRUST NETWORK ACCESS DATA PLANE

      
Application Number 18823936
Status Pending
Filing Date 2024-09-04
First Publication Date 2025-03-06
Owner Sophos Limited (United Kingdom)
Inventor
  • Obulareddy, Venkata Suresh Reddy
  • Olakengil, Joju Francis

Abstract

In order to efficiently manage a secure tunnel between a zero trust network access (ZTNA) connector (on the customer premises hosting a ZTNA application) and a cloud-based ZTNA data plane, tunnel components such as a WebSocket server can be run on the cloud platform that is hosting the data plane. As a significant advantage, this can simplify customer ZTNA deployments by permitting a reduction in the size and complexity of the ZTNA connector that is deployed to the customer premises.

IPC Classes

16.

LOAD BALANCING FOR CLOUD-BASED ZERO TRUST NETWORK ACCESS DATA PLANE

      
Application Number 18823962
Status Pending
Filing Date 2024-09-04
First Publication Date 2025-03-06
Owner Sophos Limited (United Kingdom)
Inventor
  • Katyal, Amit
  • Obulareddy, Venkata Suresh Reddy
  • Sr, Shreesha

Abstract

In a cloud-based data plane for a zero trust network access system, a service proxy manages incoming user requests for access to ZTNA applications. A load balancer may be configured to retrieve connection information from the data plane such as connection counts, tunnel distributions, and so forth, and to use this information to provide load balancing information to the service proxy, so that the service proxy can specify a route to the customer premises through the data plane. Secure tunnels to a customer premises can also be scaled according to traffic using tunnel information available within the data plane. In one aspect, tunnels can be scaled up by checking for connections and only adding a new tunnel when existing tunnels are full. In another aspect, tunnels can be scaled down by removing existing connections as they are taken down by users, and timing out connections that exceed a timeout window.

IPC Classes

17.

Systems and methods for processing electronic communications

      
Application Number 18236441
Status Pending
Filing Date 2023-08-22
First Publication Date 2025-02-27
Owner Sophos Limited (United Kingdom)
Inventor
  • Shah, Narendrakumar
  • Kharpuriya, Deepak
  • Mears, John

Abstract

Systems and methods for processing an electronic communication. The method may include receiving an electronic message including a first location indicator of a network resource, wherein the first location indicator has a first length and includes an identifier of a recipient of the electronic message, wherein the identifier indicates an action allowed to be performed by the recipient, and transforming the first location indicator into a second location indicator of the network resource, wherein the second location indicator has a second length that is less than the first length. The method may further include storing the first location indicator in a network accessible storage location and forwarding the second location indicator of the resource to a recipient to allow the recipient to automatically access the network resource and perform the allowed action upon providing an input with respect to the second location indicator.

IPC Classes

  • H04L 9/40 - Network security protocols
  • H04L 51/214 - Monitoring or handling of messages using selective forwarding

18.

Systems and methods for updating a network appliance

      
Application Number 18382723
Status Pending
Filing Date 2023-10-23
First Publication Date 2025-02-20
Owner Sophos Limited (United Kingdom)
Inventor
  • Das, Dipak Kr
  • Wala, Avni Bhupendrakumar

Abstract

Systems and methods for updating a network appliance. The method includes receiving an update request from a network appliance, wherein the update request includes at least one self-signed certificate; executing an authentication procedure to authenticate the network appliance; providing the network appliance with at least one updated certificate associated with a controller device; enabling communication between the appliance and a controller device; and providing to the appliance a network resource location indicator of a firmware repository including an updated firmware version to allow the appliance to obtain the updated firmware version.

IPC Classes

  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
  • H04L 9/40 - Network security protocols

19.

SOPHOS AI

      
Application Number 019144769
Status Pending
Filing Date 2025-02-19
Owner Sophos Limited (United Kingdom)
NICE Classes
  • 09 - Scientific and electric apparatus and instruments
  • 41 - Education, entertainment, sporting and cultural services
  • 42 - Scientific, technological and industrial services, research and design

Goods & Services

Computer software; Artificial intelligence software; machine learning software; threat detection software; computer anti-adware software; computer anti-malware software; computer anti-spam software; computer anti-spyware software; computer software for encryption; downloadable computer data-security programs; computer e-commerce software for dealing with non-fungible token (NFTs); computer software for use in Internet content filtering, secure Internet content management, Internet content-checking, and data content checking; network monitoring hardware and software; computer software for use in threat-reduction scanning of data, e-mails, electronic files, instant messages, web sites, software, programs, computer systems, and endpoints; computer compliance software; computer software, computer programs, and downloadable mobile applications for use in managing, monitoring, protecting, authenticating, and securing data, endpoints, computer systems, computer networks, servers, the Internet and mobile devices; computer software, computer programs, and downloadable mobile applications for enforcing data policies; computer anti-virus software; downloadable computer software for managing, configuring, installing, and uninstalling software applications and data; downloadable computer software for managing, monitoring, protecting, authenticating, and securing data, endpoints, network security devices, computer systems, computer networks, servers, the Internet, and mobile devices; downloadable computer software for managing on-line scanning, detecting, quarantining and eliminating of viruses, worms, Trojans, spyware, adware, malware and unauthorized data and programs on computers and electronic devices; downloadable software for IT infrastructure and cybersecurity automation; AI software; augmented reality software; computer software relating to the handling of financial transactions; computer software enabling the generation of cryptographic keys for use in online virtual 
environments and the metaverse; downloadable cryptographic keys for receiving and sending crypto assets; security tokens [encryption devices]; computer software for blockchain technology; computer software for cross-blockchain transmission and blockchain solutions; computer software for managing cryptocurrency transactions using blockchain technology; computer software for metaverse services; digital file management software; cloud network monitoring software; cloud computing software; cloud server software; secure access service edge (SASE) software; virtual reality software; downloadable digital files authenticated by non-fungible tokens; downloadable digital metaverse goods, namely, computer software, computer hardware, electronic publications, recorded content, downloadable music files, downloadable movies and films, downloadable images, artistic objects, databases, information technology devices, audio-visual devices, multimedia devices, photographic devices, devices for the transmission of information, mobile phones, smartphones, smart watches, electronic wallets, journals, blogs, magazines, news articles, tokens of value, coins, books, stationery, paintings, sculptures, tickets, maps, educational supplies, cards, bags, luggage, wallets, purses, cups and glasses, digital clothing, footwear, headgear, fashion accessories, games, toys, novelty items, sporting articles, bicycle accessories, foodstuffs, drinks; downloadable virtual goods namely computer software, computer hardware, electronic publications, recorded content, downloadable music files, downloadable movies and films, downloadable images, artistic objects, databases, information technology devices, audio-visual devices, multimedia devices, photographic devices, devices for the transmission of information, mobile phones, smartphones, smart watches, electronic wallets, journals, blogs, magazines, news articles, tokens of value, coins, books, stationery, paintings, sculptures, tickets, maps, educational 
supplies, cards, bags, luggage, wallets, purses, cups and glasses, digital clothing, footwear, headgear, fashion accessories, games, toys, novelty items, sporting articles, bicycle accessories, foodstuffs, drinks; downloadable multimedia files; downloadable digital video recordings; downloadable image files; downloadable electronic publications; downloadable electronic publications, articles, documents and data in the field of data security and security of endpoints, computer systems, computer networks, servers, the Internet and mobile devices; downloadable electronic data files featuring documentation, operational data, alerts, and news updates in the field of data security and security of endpoints, network security devices, computer systems, computer networks, servers, the Internet, and mobile devices; downloadable software, namely, publications, recorded content, downloadable music files, downloadable movies and films, downloadable images, artistic objects, databases, information technology devices, audio-visual devices, multimedia devices, photographic devices, devices for the transmission of information, mobile phones, smartphones, smart watches, electronic wallets, journals, blogs, magazines, news articles, tokens of value, coins, books, stationery, paintings, sculptures, tickets, maps, educational supplies, cards, bags, luggage, wallets, purses, cups and glasses, digital clothing, footwear, headgear, fashion accessories, games, toys, novelty items, sporting articles, bicycle accessories, foodstuffs, drinks, authenticated by non-fungible tokens [NFTs]; metaverse content operating software; metaverse software; software enabling the storage of non-fungible tokens registered on a blockchain network; computer software enabling the generation of non-fungible tokens for use in online virtual environments and metaverses; utility, security and cryptography software; financial management software; currency authentication apparatus and equipment; e-commerce and
e-payment software; computer hardware; intelligent edge devices; edge computing and storage devices; SASE (Secure Access Service Edge); industrial SASE; SASE hardware and software for network security functions with wide area networking (WAN) capabilities; WAN [wide area network] hardware; WAN [wide area network] operating software; virtual reality computer hardware; WAN [wide area network] routers; virtual reality glasses; virtual reality headsets; smartglasses; 3D spectacles; 3D viewer apparatus; 3D projection equipment; mouse pads, webcam covers, USB hardware, mobile phone battery chargers, mobile phone cases; wireless access points; parts, fittings and accessories for all of the aforesaid goods. Education; providing of training; educational services; conducting educational technical demonstrations, presentations, workshops, and training seminars; entertainment services; providing goods and services in online virtual worlds; entertainment services, namely provision of non-downloadable virtual publications, recorded content, downloadable music files, downloadable movies and films, downloadable images, artistic objects, databases, information technology devices, audio-visual devices, multimedia devices, photographic devices, devices for the transmission of information, mobile phones, smartphones, smart watches, electronic wallets, journals, blogs, magazines, news articles, tokens of value, coins, books, stationery, paintings, sculptures, tickets, maps, educational supplies, cards, bags, luggage, wallets, purses, cups and glasses, digital clothing, footwear, headgear, fashion accessories, games, toys, novelty items, sporting articles, bicycle accessories, foodstuffs, drinks for use in virtual worlds; providing virtual goods, namely, computer software, computer hardware, electronic publications, recorded content, downloadable music files, downloadable movies and films, downloadable images, artistic objects, databases, information technology devices, audio-visual
devices, multimedia devices, photographic devices, devices for the transmission of information, mobile phones, smartphones, smart watches, electronic wallets, journals, blogs, magazines, news articles, tokens of value, coins, books, stationery, paintings, sculptures, tickets, maps, educational supplies, cards, bags, luggage, wallets, purses, cups and glasses, clothing, footwear, headgear, fashion accessories, games, toys, novelty items, sporting articles, bicycle accessories, foodstuffs, drinks, for entertainment services; information, consultancy and advisory services relating to all of the aforesaid services. Software authoring; computer services for the protection of software; data security services; computer software technical support services; troubleshooting of computer software problems; technical advice related to computer and network security; installation, maintenance and repair of computer software; computer security consultancy; computer and information technology consultancy services; computer consulting services; computer software, hardware, firmware, network, and computer security consulting services; providing on-line, non-downloadable software for use in managing, monitoring, protecting, authenticating, and securing data, endpoints, computer systems, computer networks, servers, the Internet, and mobile devices; providing non-downloadable software on data networks; providing on-line, non-downloadable software for enforcing data policies; design, configuration, integration and development of computer hardware, computer networks, computer systems and virtual private network (VPN) services; providing on-line, non-downloadable software for encryption; provision of security services for computer networks, using routers, routing switches, remote entry point control apparatus, access control devices, multiplexers and networking devices provided as a service provision of security services for computer networks, using SASE hardware and software for network 
security functions with wide area networking (WAN) capabilities; providing on-line, non-downloadable computer compliance software; providing on-line, non-downloadable software for use in Internet content filtering, secure Internet content management, Internet content-checking, and data content checking; Software as a service [SaaS]; software as a service (SAAS) services featuring software for use in managing, monitoring, protecting, authenticating, and securing data, endpoints, computer systems, computer networks, servers, the Internet, and mobile devices; software as a service (SAAS) services featuring software for providing security and compliance reports about users, security policies, computer systems, and computer networks; software as a service (SAAS) services featuring software for network asset inventory management; Software as a service [platforms for artificial intelligence]; anti-spamming services; artificial intelligence consultancy; research in the field of artificial intelligence technology, deep learning and machine learning technology; research relating to the development of computer programs, software and hardware; computer virus protection services and fraud detection (using AI technology); Connectivity as a Service (CaaS); Hardware as a Service (HaaS); platform as a service [PaaS]; platform as a service (PAAS) services featuring software for use in managing, monitoring, protecting, authenticating, and securing data, endpoints, computer systems, computer networks, servers, the Internet, and mobile devices; software rental; cloud computing featuring software for use in managing, monitoring, protecting, authenticating, and securing data, endpoints, computer systems, computer networks, servers, the Internet, and mobile devices; computer development services; computer programming services; computer virus protection services; computer security services by way of notification of unauthorized electronic messages and related computer attacks; computer 
security services; computer security services in the nature of enforcing, restricting and controlling access privileges of users of computing resources for cloud, mobile or network resources based on assigned credentials; providing information on data security, and computer security; technical advice related to computer and computer network security; monitoring of computer systems for security purposes; computer services, namely, hosting an interactive web site that allows businesses to design, build, manage, modify, test, run, and publish IT infrastructure and cybersecurity automation; software as a service (SAAS) services featuring software for businesses to design, build, manage, modify, test run, and publish system installation and configuration automation; technology consulting services in the field of cloud computing; technology consulting services in the field of cybersecurity; technology consulting services in the field of IT infrastructure and cybersecurity automation; providing a website featuring information in the field of data and computer security; hosting a website used to place on-line commercial orders in the field of computer hardware and computer software; tracking, monitoring, and reporting for purposes of protecting against data theft, identity theft and fraud; leasing and hiring of computer hardware and/or computer software; data authentication via blockchain; data storage via blockchain; blockchain as a Service [BaaS]; certification of data via blockchain; user authentication services using blockchain technology; electronic and cloud storage and hosting of digital files, documents, databases, audio recordings, photos and videos; non-downloadable virtual software services for the metaverse; design and development of application software for metaverse and virtual realities; monitoring of computer systems for cybersecurity; 24/7 monitoring of network systems, servers and web and database applications and notification of related events and 
alerts; 24/7 monitoring of servers and web and database applications and notification of related events and alerts; remote and on-site services for monitoring, administration and management of public and private cloud computing and application computing systems; remote and on-site infrastructure management services for monitoring, administration and management of public and private cloud computing IT and application systems; monitoring technological functions of computer network systems; providing temporary use of non-downloadable software enabling the collection of non-fungible tokens registered on a blockchain network; providing temporary use of non-downloadable software enabling the exchange, purchase, sale of non-fungible tokens on a blockchain network; providing temporary use of non-downloadable software enabling access to digital assets; design of communication systems between users; metaverse services, namely design and development of computer hardware and software, scientific and technological services and research and design relating thereto, industrial analysis, industrial research and industrial design services, quality control and authentication, software and hardware services, encryption services, cybersecurity services, data security services, network security services, provision of information, maintenance and repair of computer hardware, computer services, computer technical support services; design and development of computer software for an online virtual community enabling users to participate in a live social network on the Internet; information, consultancy and advisory services relating to all of the aforesaid services.

20.

AGGREGATING SECURITY EVENTS

      
Application Number 18886147
Status Pending
Filing Date 2024-09-16
First Publication Date 2025-02-13
Owner Sophos Limited (United Kingdom)
Inventor
  • Wood, Michael David
  • Ajjan, Anand
  • Teal, Richard S.

Abstract

A stream of events is received at a local security agent running on an endpoint at an enterprise network. The local security agent may detect an event of a first event type and may generate an aggregate event with subsequent events of the first event type in the stream. The local security agent may then transmit the aggregate event to a security resource for detecting security threats.


21.

INCREMENTAL ENRICHMENT OF THREAT DATA

      
Application Number 18811488
Status Pending
Filing Date 2024-08-21
First Publication Date 2025-02-06
Owner Sophos Limited (United Kingdom)
Inventor
  • Thomas, Andrew J.
  • Vankadaru, Mangal Rakesh
  • Talreja, Prakash Kumar
  • Rayment, Timothy
  • Nair, Biju Balakrishnan

Abstract

A threat management facility receives data from a variety of sources such as compute instances within an enterprise network, cloud service providers supporting the enterprise network, and third-party data providers such as geolocation services. In order to facilitate prompt notification of potential risks, the threat management facility may incrementally update data for use in threat assessments as the data becomes available from these different sources, and create suitable alerts or notifications whenever the currently accumulated data provides an indication of threat meeting a predetermined threshold.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

22.

SECURITY INTEGRATION FOR CLOUD SERVICES

      
Application Number 18769267
Status Pending
Filing Date 2024-07-10
First Publication Date 2025-01-30
Owner Sophos Limited (United Kingdom)
Inventor
  • Nair, Biju Balakrishnan
  • Vysocky, Jr., Brian Steven

Abstract

A threat management facility for an enterprise network integrates native threat management capabilities with threat data from a cloud service provider used by the enterprise. By properly authenticating to the cloud service and mapping data feeds from the cloud service to a native threat management environment, the threat management facility can extend threat detection and management capabilities beyond endpoint-centric techniques.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

23.

TECHNIQUES FOR MONITORING USAGE OF A DYNAMICALLY BOUND METHOD OF A SOFTWARE OBJECT

      
Application Number 18222829
Status Pending
Filing Date 2023-07-17
First Publication Date 2025-01-23
Owner Sophos Limited (United Kingdom)
Inventor Lin, Tzu-Yi

Abstract

In example embodiments, techniques are provided to monitor usage of a dynamically bound method (e.g., COM interface) of a software object (e.g., COM object). A copy of a virtual method table for the software object is created, wherein the virtual method table includes a method pointer to the dynamically bound method. The virtual method table is then modified to change the method pointer to an address of a hook function. In response to a call to the dynamically bound method, the hook function is called using the changed method pointer in the modified virtual method table. The hook function determines an address of the software object using a reference variable, uses the address of the software object to access the saved copy of the virtual method table, and calls the dynamically bound method using the method pointer from the saved copy of the virtual method table.

IPC Classes

  • G06F 11/36 - Prevention of errors by analysis, debugging or testing of software

24.

Cloud-based resource discovery system and method

      
Application Number 18237017
Status Pending
Filing Date 2023-08-23
First Publication Date 2025-01-16
Owner Sophos Limited (United Kingdom)
Inventor
  • Aswal, Ashish
  • Toews, Alan Charles
  • Agarwal, Laxmikant

Abstract

Systems and methods for configuring a network security device. The methods include deploying a network security device on a network, wherein the network security device includes a network security device interface; accessing, via the network security device interface, a first cloud-based computing platform configured to request from a first library metadata associated with a first network resource on the first cloud-based computing platform; receiving at the network security device interface the metadata associated with the first network resource; and configuring the network security device in accord with the metadata associated with the first network resource.

IPC Classes

  • H04L 9/40 - Network security protocols
  • H04L 41/08 - Configuration management of networks or network elements
  • H04L 41/0894 - Policy-based network configuration management

25.

DATA AUGMENTATION FOR THREAT INVESTIGATION IN AN ENTERPRISE NETWORK

      
Application Number 18759530
Status Pending
Filing Date 2024-06-28
First Publication Date 2024-12-26
Owner Sophos Limited (United Kingdom)
Inventor
  • Ray, Kenneth D.
  • Thomas, Andrew J.
  • Ackerman, Karl

Abstract

An endpoint in an enterprise network is instrumented with sensors to detect security-related events occurring on the endpoint. Event data from these sensors is augmented with contextual information about, e.g., a source of each event in order to facilitate improved correlation, analysis, and visualization at a threat management facility for the enterprise network.

IPC Classes

  • G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
  • G06F 16/21 - Design, administration or maintenance of databases
  • G06F 16/215 - Improving data quality; Data cleansing, e.g. de-duplication, removing invalid entries or correcting typographical errors
  • G06F 16/2455 - Query execution
  • G06Q 10/067 - Enterprise or organisation modelling
  • H04L 9/40 - Network security protocols

26.

DETECTING MALWARE ACTIVITY USING KERNEL-BASED PROCESS DISCOVERY DETECTION

      
Application Number 18213627
Status Pending
Filing Date 2023-06-23
First Publication Date 2024-12-26
Owner Sophos Limited (United Kingdom)
Inventor Lin, Tzu-Yi

Abstract

Malware attacks seek to identify vulnerabilities that can be exploited by enumerating currently-executing processes in the operating system of a target device for injection of a malicious payload. By detecting process enumeration events occurring at the kernel level, known or suspected malware enumeration activity can be identified and mitigated.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

27.

Monitoring Process Data Acquisition and Exfiltration

      
Application Number 18334974
Status Pending
Filing Date 2023-06-14
First Publication Date 2024-12-19
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Teal, Daniel Montaque
  • Braggs, Steven
  • Thomas, Andrew James

Abstract

A computer-implemented method includes identifying one or more software processes that execute on the endpoint device and that perform at least one file operation including opening a file, reading the file, writing the file, or transmitting the file over a network. The method further includes storing for each software process of the one or more software processes identification information about the file. The method further includes responsive to determining that a triggering event has occurred, performing one or more actions including: preventing deletion of the file, determining one or more attributes of a suspicious process that accessed the file, requesting that a separate component analyze event journal records in relation to a time interval that overlaps with when the suspicious process accessed the file, or transmitting a cryptographic hash of the file to a server.

IPC Classes

  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • H04L 9/40 - Network security protocols

28.

NETWORK-LEVEL ELEVATED SECURITY EXECUTION MODES FOR NETWORK-ACCESSIBLE DEVICES

      
Application Number 18423775
Status Pending
Filing Date 2024-01-26
First Publication Date 2024-12-12
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Samosseiko, Dmitry
  • Howard, Fraser Peter
  • Wood, Michael David
  • Thomas, Andrew James
  • Humphrey, Benjamin James
  • Zhang, Xiaochuan
  • Ducklin, Paul Barrie
  • Ajjan, Anand

Abstract

Various aspects related to methods, systems, and computer readable media for detection and blocking of security threats for network-accessible devices. Methods can include monitoring network traffic on a computer network, detecting an indication of a security threat to at least one endpoint, determining that the device threat type is a threat type that requires elevated security measures, responsive to the determining that the device threat type requires elevated security measures, updating a network-access policy for the plurality of endpoints with the threat type, and after the updating, automatically remediating the security threat on the at least one endpoint within a first time period.


29.

ELEVATED SECURITY EXECUTION MODE FOR NETWORK-ACCESSIBLE DEVICES

      
Application Number 18423838
Status Pending
Filing Date 2024-01-26
First Publication Date 2024-12-12
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Samosseiko, Dmitry
  • Howard, Fraser Peter
  • Wood, Michael David
  • Thomas, Andrew James
  • Humphrey, Benjamin James
  • Zhang, Xiaochuan
  • Ducklin, Paul Barrie
  • Ajjan, Anand

Abstract

Various aspects related to methods, systems, and computer readable media for detection and blocking of security threats for network-accessible devices. Methods may include monitoring a plurality of processes executing on the user device to identify a pre-execution flag associated with at least one process of the plurality of processes, and, responsive to identifying the pre-execution flag: receiving an indication of a security threat to the user device, the indication of security threat associated with the at least one process and a device threat type, responsive to the receiving the indication of the security threat, elevating security measures associated with the user device for a first time period, and after the elevating, automatically remediating the security threat on the user device within the first time period.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 9/445 - Program loading or initiating
  • G06F 21/52 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure

30.

STREAMING AND FILTERING EVENT OBJECTS INTO A DATA LAKE

      
Application Number 18811256
Status Pending
Filing Date 2024-08-21
First Publication Date 2024-12-12
Owner Sophos Limited (United Kingdom)
Inventor
  • Thomas, Andrew J.
  • Vankadaru, Mangal Rakesh
  • Talreja, Prakash Kumar
  • Rayment, Timothy

Abstract

An asynchronous stream of security events is added to a data lake for enterprise security by identifying groups of related events related to a security threat, and creating rules to fold these related events into a single security event along with metadata. The folding rules may then be applied to security events in the event stream to compress data in the data lake and improve detection efficiency.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

31.

ELEVATED SECURITY EXECUTION MODE FOR NETWORK-ACCESSIBLE DEVICES

      
Application Number 18423801
Status Pending
Filing Date 2024-01-26
First Publication Date 2024-12-12
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Samosseiko, Dmitry
  • Howard, Fraser Peter
  • Wood, Michael David
  • Thomas, Andrew James
  • Humphrey, Benjamin James
  • Zhang, Xiaochuan
  • Ducklin, Paul Barrie
  • Ajjan, Anand

Abstract

Various aspects related to methods, systems, and computer readable media for detection and blocking of security threats for network-accessible devices. Methods may include receiving an indication of a security threat to a user device of the plurality of user devices, the indication of security threat associated with a device threat type, determining that the device threat type is a threat type that requires elevated security measures, responsive to the determining that the device threat type requires elevated security measures, elevating security measures associated with the user device for a first time period, and, after the elevating, automatically remediating the security threat on the user device within the first time period.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 21/52 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure

32.

ELEVATED SECURITY EXECUTION MODE FOR NETWORK-ACCESSIBLE DEVICES

      
Application Number 18423814
Status Pending
Filing Date 2024-01-26
First Publication Date 2024-12-12
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Samosseiko, Dmitry
  • Howard, Fraser Peter
  • Wood, Michael David
  • Thomas, Andrew James
  • Humphrey, Benjamin James
  • Zhang, Xiaochuan
  • Ducklin, Paul Barrie
  • Ajjan, Anand

Abstract

Various aspects related to methods, systems, and computer readable media for detection and blocking of security threats for network-accessible devices. Methods may include receiving an indication of a security threat to the user device, the indication of security threat associated with a device threat type, determining that the device threat type is a threat type that requires elevated security measures, responsive to the determining that the device threat type requires elevated security measures, restricting execution of a subset of software available on the user device for a first time period, and, after the elevating, automatically remediating the security threat on the user device within the first time period.


33.

SOPHOS DEFEAT CYBERATTACKS

      
Application Number 019118292
Status Pending
Filing Date 2024-12-11
Owner Sophos Limited (United Kingdom)
NICE Classes
  • 09 - Scientific and electric apparatus and instruments
  • 25 - Clothing; footwear; headgear
  • 35 - Advertising and business services
  • 38 - Telecommunications services
  • 41 - Education, entertainment, sporting and cultural services
  • 42 - Scientific, technological and industrial services, research and design

Goods & Services

Computer software; computer anti-adware software; computer anti-malware software; computer anti-spam software; computer anti-spyware software; computer software for encryption; downloadable computer data-security programs; computer e-commerce software for dealing with non-fungible token (NFTs); computer software for use in Internet content filtering, secure Internet content management, Internet content-checking, and data content checking; network monitoring hardware and software; computer software for use in threat-reduction scanning of data, e-mails, electronic files, instant messages, web sites, software, programs, computer systems, and endpoints; computer compliance software; computer software, computer programs, and downloadable mobile applications for use in managing, monitoring, protecting, authenticating, and securing data, endpoints, computer systems, computer networks, servers, the Internet and mobile devices; computer software, computer programs, and downloadable mobile applications for enforcing data policies; computer anti-virus software; downloadable computer software for managing, configuring, installing, and uninstalling software applications and data; downloadable computer software for managing, monitoring, protecting, authenticating, and securing data, endpoints, network security devices, computer systems, computer networks, servers, the Internet, and mobile devices; downloadable computer software for managing on-line scanning, detecting, quarantining and eliminating of viruses, worms, Trojans, spyware, adware, malware and unauthorized data and programs on computers and electronic devices; downloadable software for IT infrastructure and cybersecurity automation; AI software; augmented reality software; computer software relating to the handling of financial transactions; computer software enabling the generation of cryptographic keys for use in online virtual environments and the metaverse; downloadable cryptographic keys for receiving and sending 
crypto assets; security tokens [encryption devices]; computer software for blockchain technology; computer software for cross-blockchain transmission and blockchain solutions; computer software for managing cryptocurrency transactions using blockchain technology; computer software for metaverse services; digital file management software; cloud network monitoring software; cloud computing software; cloud server software; secure access service edge (SASE) software; virtual reality software; downloadable digital files authenticated by non-fungible tokens; downloadable digital metaverse goods, namely, computer software, computer hardware, electronic publications, recorded content, downloadable music files, downloadable movies and films, downloadable images, artistic objects, databases, information technology devices, audio-visual devices, multimedia devices, photographic devices, devices for the transmission of information, mobile phones, smartphones, smart watches, electronic wallets, journals, blogs, magazines, news articles, tokens of value, coins, books, stationery, paintings, sculptures, tickets, maps, educational supplies, cards, bags, luggage, wallets, purses, cups and glasses, digital clothing, footwear, headgear, fashion accessories, games, toys, novelty items, sporting articles, bicycle accessories, foodstuffs, drinks; downloadable virtual goods namely computer software, computer hardware, electronic publications, recorded content, downloadable music files, downloadable movies and films, downloadable images, artistic objects, databases, information technology devices, audio-visual devices, multimedia devices, photographic devices, devices for the transmission of information, mobile phones, smartphones, smart watches, electronic wallets, journals, blogs, magazines, news articles, tokens of value, coins, books, stationery, paintings, sculptures, tickets, maps, educational supplies, cards, bags, luggage, wallets, purses, cups and glasses, digital clothing, 
footwear, headgear, fashion accessories, games, toys, novelty items, sporting articles, bicycle accessories, foodstuffs, drinks; downloadable multimedia files; downloadable digital video recordings; downloadable image files; downloadable electronic publications; downloadable electronic publications, articles, documents and data in the field of data security and security of endpoints, computer systems, computer networks, servers, the Internet and mobile devices; downloadable electronic data files featuring documentation, operational data, alerts, and news updates in the field of data security and security of endpoints, network security devices, computer systems, computer networks, servers, the Internet, and mobile devices; downloadable software, namely, publications, recorded content, downloadable music files, downloadable movies and films, downloadable images, artistic objects, databases, information technology devices, audio-visual devices, multimedia devices, photographic devices, devices for the transmission of information, mobile phones, smartphones, smart watches, electronic wallets, journals, blogs, magazines, news articles, tokens of value, coins, books, stationery, paintings, sculptures, tickets, maps, educational supplies, cards, bags, luggage, wallets, purses, cups and glasses, digital clothing, footwear, headgear, fashion accessories, games, toys, novelty items, sporting articles, bicycle accessories, foodstuffs, drinks, authenticated by non-fungible tokens [NFTs]; metaverse content operating software; metaverse software; software enabling the storage of non-fungible tokens registered on a blockchain network; computer software enabling the generation of non-fungible tokens for use in online virtual environments and metaverses; utility, security and cryptography software; financial management software; currency authentication apparatus and equipment; e-commerce and e-payment software; computer hardware; intelligent edge devices; edge computing and storage 
devices; SASE (Secure Access Service Edge); industrial SASE; SASE hardware and software for network security functions with wide area networking (WAN) capabilities; WAN [wide area network] hardware; WAN [wide area network] operating software; virtual reality computer hardware; WAN [wide area network] routers; virtual reality glasses; virtual reality headsets; smartglasses; 3D spectacles; 3D viewer apparatus; 3D projection equipment; mouse pads, webcam covers, USB hardware, mobile phone battery chargers, mobile phone cases; wireless access points; parts, fittings and accessories for all of the aforesaid goods. Clothing; footwear; headgear; parts, fittings, and accessories for all of the aforesaid goods. Business management services; business information services, business advice relating to advertising and marketing; administration of a program for enabling participants to receive expedited services in the field of data security, computer security, and network security; business administration services; customer service management for others; promoting the use of the security assurance best practices of others in the field of cloud computing; value-added reseller services; Retail services connected with the sale of computer hardware and computer software via a distributorship; database management; wholesale services connected with the sale of computer hardware and computer software via a distributorship; information, consultancy and advisory services relating to all of the aforesaid services. 
Telecommunication access services; telecommunications services; providing virtual private network (VPN) services; private and secure electronic communications over a private or public computer network; secure telecommunication services; providing access to computer networks over telecommunications networks; providing access between computers and computer networks over telecommunications networks; providing access between computer networks and servers over telecommunications networks; providing access between computers and servers over telecommunications networks; communications by computer terminals; transmission of messages and images by computers; electronic transmission of data over telecommunications networks; information, consultancy and advisory services relating to all of the aforesaid services. Education; providing of training; educational services; conducting educational technical demonstrations, presentations, workshops, and training seminars, all in the fields of information technology, computers, data security, computer security, and network security and distribution of training materials in connection therewith; providing goods and services in online virtual worlds; entertainment services, namely provision of non-downloadable virtual publications, recorded content, downloadable music files, downloadable movies and films, downloadable images, artistic objects, databases, information technology devices, audio-visual devices, multimedia devices, photographic devices, devices for the transmission of information, mobile phones, smartphones, smart watches, electronic wallets, journals, blogs, magazines, news articles, tokens of value, coins, books, stationery, paintings, sculptures, tickets, maps, educational supplies, cards, bags, luggage, wallets, purses, cups and glasses, digital clothing, footwear, headgear, fashion accessories, games, toys, novelty items, sporting articles, bicycle accessories, foodstuffs, drinks for use in virtual worlds; 
information, consultancy and advisory services relating to all of the aforesaid services. Software authoring; computer services for the protection of software; data security services; troubleshooting of computer software problems; technical advice related to computer and network security; installation, maintenance and repair of computer software; computer security consultancy; computer and information technology consultancy services; computer consulting services; computer software, hardware, firmware, network, and computer security consulting services; providing on-line, non-downloadable software for use in managing, monitoring, protecting, authenticating, and securing data, endpoints, computer systems, computer networks, servers, the Internet, and mobile devices; providing non-downloadable software on data networks; providing on-line, non-downloadable software for enforcing data policies; design, configuration, integration and development of computer hardware, computer networks, computer systems and virtual private network (VPN) services; providing on-line, non-downloadable software for encryption; provision of security services for computer networks, using routers, routing switches, remote entry point control apparatus, access control devices, multiplexers and networking devices provided as a service provision of security services for computer networks, using SASE hardware and software for network security functions with wide area networking (WAN) capabilities; providing on-line, non-downloadable computer compliance software; providing on-line, non-downloadable software for use in Internet content filtering, secure Internet content management, Internet content-checking, and data content checking; Software as a service [SaaS]; software as a service (SAAS) services featuring software for use in managing, monitoring, protecting, authenticating, and securing data, endpoints, computer systems, computer networks, servers, the Internet, and mobile devices; software as a 
service (SAAS) services featuring software for providing security and compliance reports about users, security policies, computer systems, and computer networks; software as a service (SAAS) services featuring software for network asset inventory management; Connectivity as a Service (CaaS); Hardware as a Service (HaaS); platform as a service [PaaS]; platform as a service (PAAS) services featuring software for use in managing, monitoring, protecting, authenticating, and securing data, endpoints, computer systems, computer networks, servers, the Internet, and mobile devices; software rental; cloud computing featuring software for use in managing, monitoring, protecting, authenticating, and securing data, endpoints, computer systems, computer networks, servers, the Internet, and mobile devices; computer development services; computer programming services; computer virus protection services; computer security services by way of notification of unauthorized electronic messages and related computer attacks; computer security services; computer security services in the nature of enforcing, restricting and controlling access privileges of users of computing resources for cloud, mobile or network resources based on assigned credentials; providing information on data security, and computer security; technical advice related to computer and computer network security; computer software technical support services; monitoring of computer systems for security purposes; computer services, namely, hosting an interactive web site that allows businesses to design, build, manage, modify, test, run, and publish IT infrastructure and cybersecurity automation; software as a service (SAAS) services featuring software for businesses to design, build, manage, modify, test run, and publish system installation and configuration automation; technology consulting services in the field of cloud computing; technology consulting services in the field of cybersecurity; technology consulting 
services in the field of IT infrastructure and cybersecurity automation; providing a website featuring information in the field of security; providing a website used to place on-line commercial orders in the field of computer hardware and computer software; tracking, monitoring, and reporting for purposes of protecting against data theft, identity theft and fraud; leasing and hiring of computer hardware and/or computer software; data authentication via blockchain; data storage via blockchain; blockchain as a Service [BaaS]; certification of data via blockchain; user authentication services using blockchain technology; digital asset management; non-downloadable virtual software services for the metaverse; services of providing non-downloadable virtual goods; design and development of application software for metaverse and virtual realities; monitoring of computer systems for cybersecurity; 24/7 monitoring of network systems, servers and web and database applications and notification of related events and alerts; 24/7 monitoring of servers and web and database applications and notification of related events and alerts; remote and on-site services for monitoring, administration and management of public and private cloud computing and application computing systems; remote and on-site infrastructure management services for monitoring, administration and management of public and private cloud computing IT and application systems; monitoring technological functions of computer network systems; providing temporary use of non-downloadable software enabling the collection of non-fungible tokens registered on a blockchain network; providing temporary use of non-downloadable software enabling the exchange, purchase, sale of non-fungible tokens on a blockchain network; providing temporary use of non-downloadable software enabling access to digital assets; design of communication systems between users; metaverse services, namely design and development of computer hardware and 
software, scientific and technological services and research and design relating thereto, industrial analysis, industrial research and industrial design services, quality control and authentication, software and hardware services, encryption services, cybersecurity services, data security services, network security services, provision of information, maintenance and repair of computer hardware, computer services, computer technical support services; design and development of computer software for an online virtual community enabling users to participate in a live social network on the Internet; information, consultancy and advisory services relating to all of the aforesaid services.

34.

SOPHOS DEFEAT CYBERATTACKS

      
Serial Number 98897732
Status Pending
Filing Date 2024-12-11
Owner Sophos Limited (United Kingdom)
NICE Classes
  • 25 - Clothing; footwear; headgear
  • 35 - Advertising and business services
  • 38 - Telecommunications services
  • 09 - Scientific and electric apparatus and instruments
  • 41 - Education, entertainment, sporting and cultural services
  • 42 - Scientific, technological and industrial services, research and design

Goods & Services

Footwear; Gloves; Pants; Shirts; Socks; Vests; Baseball caps and hats; Cyclists' jerseys; Leg warmers; Outer jackets; Visors being headwear; Clothing, namely, arm warmers Business administration services; Business services, namely, administration of a program for enabling participants to receive expedited services in the field of data security, computer security and network security; Customer service management for others; Database management; Promoting the use of the security assurance best practices of others in the field of cloud computing; Providing a website used to place on-line commercial orders in the field of computer hardware and computer software; Value-added reseller services, namely, distributorship services featuring computer security and information technology products; Wholesale services through direct solicitation by distributors directed to end-users featuring computer hardware and computer software Communication by computer terminals; Information transmission via electronic communications networks; Providing telecommunications connections to a global computer network; Providing virtual private network (VPN) services, namely, private and secure electronic communications over a private or public computer network; Telecommunication access services Battery chargers for mobile phones; Cases for mobile phones; Computer hardware; Computer hardware, namely, wireless access point (WAP) devices; Downloadable computer anti-virus software; Downloadable computer software for encryption; Downloadable computer software for managing, configuring, installing, and uninstalling software applications and data; Downloadable electronic publications in the nature of manuals, technical documentation, brochures, and newsletters in the field of data security and security of endpoints, computer systems, computer networks, servers, the Internet and mobile devices; Downloadable software for ensuring the security of electronic mail; Downloadable software for automation of IT 
infrastructure and cybersecurity; Downloadable software for cybersecurity, namely, for scanning, detecting, blocking, quarantining and eliminating of viruses, worms, trojans, spyware, adware, spam, malware, vulnerabilities, intrusions, and unauthorized data and programs on computers and electronic devices; Downloadable software for managing, monitoring, protecting, authenticating, and securing data, endpoints, computer systems, computer networks, servers, the Internet, and mobile devices; Mouse pads; USB computer security key Computer education training; Educational services, namely, conducting educational technical demonstrations, presentations, workshops, and training seminars for others in the field of cybersecurity; Providing information relating to education services Cloud computing featuring software for use in managing, monitoring, protecting, authenticating, and securing data, endpoints, computer systems, computer networks, servers, the Internet, and mobile devices; Computer security consultancy; Computer security services, namely, enforcing, restricting and controlling access privileges of users of computing resources for cloud, mobile or network resources based on assigned credentials; Computer services, namely, hosting an interactive web site that allows businesses to design, build, manage, modify, test, run, and publish IT infrastructure and cybersecurity automation; Computer services, namely, on-line scanning, detecting, quarantining and eliminating of viruses, worms, trojans, spyware, adware, malware and unauthorized data and programs on computers and electronic devices; Computer software development; Computer virus protection services; Consultation services relating to computer software; Installation, maintenance and repair of computer software; Software as a service (SAAS) services featuring software for use in managing, monitoring, protecting, authenticating, and securing data, endpoints, computer systems, computer networks, servers, the Internet, 
and mobile devices; Software as a service (SAAS) services featuring software for businesses to design, build, manage, modify, test run, and publish software system installation and configuration automation; Software authoring; Technical support services, namely, troubleshooting of computer software problems; Technology consultation in the field of cybersecurity

35.

WEB CONTENT FILTERING

      
Application Number 18616567
Status Pending
Filing Date 2024-03-26
First Publication Date 2024-11-07
Owner Sophos Limited (United Kingdom)
Inventor
  • Vörös, Tamás
  • Berlin, Konstantin
  • Bergeron, Sean Paul

Abstract

A large language model (LLM) is trained to classify Uniform Resource Locator (URL) requests using a data that has been labeled with a domain-to-category database of corresponding, suitable categories for web content. This model can then be distilled using a student model trained to reproduce the behavior of the tuned large language model. The resulting student model can be deployed inline as a content filter for, e.g., content-based filtering of web requests from endpoints behind a firewall or other network device. While this disclosure emphasizes filtering of outbound URL's from network endpoints, it will be understood that the techniques described herein may also or instead be used to create inbound content filters using similarly derived student models that have been trained to identify content based on metadata, text content, image content, and so forth.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 16/955 - Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]

36.

AGILE POLICY MANAGEMENT SYSTEM

      
Application Number 18653769
Status Pending
Filing Date 2024-05-02
First Publication Date 2024-11-07
Owner Sophos Limited (United Kingdom)
Inventor Nikolaev, Nikolay Ivanov

Abstract

The disclosure relates to deploying policy management rules to a first managed endpoint, comprising obtaining a layered data structure with a plurality of layers, wherein each layer comprises one or more nodes. For a first node, it is determined whether a stop criterion is met, wherein the stop criterion is associated with whether the first managed endpoint satisfies conditional expressions of a node. In the event the stop criterion is met, an identifier associated with the first node is assigned to the first managed endpoint. In the event the stop criterion is not met, a subsequent node in the layered data structure is traversed to until the stop criterion is met. The identifier associated with the subsequent node is then assigned to the first managed endpoint. Deployment of executable policy instructions to the first managed endpoint is based on the assigned identifier.

IPC Classes

  • G06F 16/21 - Design, administration or maintenance of databases
  • G06F 9/48 - Program initiating; Program switching, e.g. by interrupt
  • G06Q 10/0633 - Workflow analysis

37.

Stateful Email Detection Using Schemaless Data Fragments

      
Application Number 18308560
Status Pending
Filing Date 2023-04-27
First Publication Date 2024-10-31
Owner SOPHOS LIMITED (United Kingdom)
Inventor Mears, John

Abstract

A computer-implemented method includes sending email scan requests to an email scanner. The method further includes receiving, from the email scanner, a verdict of suspicion and one or more data fragments. The method further includes storing the one or more data fragments for each email of the plurality of emails in a datastore. The method further includes receiving a new email. The method further includes deriving one or more new keys for the new email. The method further includes retrieving one or more matching data fragments from the datastore by matching the one or more new keys with the one or more keys stored in the datastore. The method further includes providing, to the email scanner, the new email and the one or more matching data fragments. The method further includes receiving a new verdict of suspicion and one or more new data fragments.

IPC Classes

  • H04L 51/212 - Monitoring or handling of messages using filtering or selective blocking
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

38.

KERNEL-BASED THREAD TERMINATION DETECTION

      
Application Number 18642058
Status Pending
Filing Date 2024-04-22
First Publication Date 2024-10-24
Owner Sophos Limited (United Kingdom)
Inventor
  • Braggs, Steven John
  • Lin, Tzu-Yi

Abstract

Malware attacks seek to exploit target computing systems and avoid detection by terminating security, antivirus, or other application process threads in the operating system. Methods and systems for detecting kernel-based thread termination activity enable the detection of thread termination events occurring at the kernel level, in order to identify and mitigate known or suspected malware activity.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 9/54 - Interprogram communication

39.

DATA PLANE FRAMEWORK FOR REDIRECTING DATA PACKETS

      
Application Number 18296000
Status Pending
Filing Date 2023-04-05
First Publication Date 2024-10-10
Owner SOPHOS LIMITED (United Kingdom)
Inventor Van Der Merwe, Dirk Jacobus

Abstract

A method for redirecting data packets includes receiving, by a first virtual ethernet device pair of a computer system having one or more computer processors, at least one data packet, intercepting, by a packet filter deployed by the first virtual ethernet device pair, the at least one data packet, redirecting, by the first virtual ethernet device pair based on the intercepting, the at least one data packet to a second virtual ethernet device pair, executing, by the second virtual ethernet device pair, an express data path data security program on the at least one data packet, and after the express data path security program has been executed on the at least one data packet, redirecting the at least one data packet back to the first virtual ethernet pair. Further disclosed is a computer system and computer program product configured to perform the method.

40.

DATA PLANE FRAMEWORK FOR REDIRECTING DATA PACKETS

      
Application Number 18296008
Status Pending
Filing Date 2023-04-05
First Publication Date 2024-10-10
Owner SOPHOS LIMITED (United Kingdom)
Inventor Van Der Merwe, Dirk Jacobus

Abstract

A method for redirecting data packets includes receiving, by a computer system, at least one data packet, attaching, by an express data path program of the one or more processors of the computer system, a metadata structure to each of the at least one data packet, populating, by the express data path program, the metadata structure with metadata information, redirecting, by the computer system based on the metadata information, the at least one data packet from a network stack path to at least one data security program, executing, by the computer system, the at least one data security program on the at least one data packet including interpreting at least a portion of the metadata information, and after the at least one data security program has been executed on the at least one data packet, redirecting the at least one data packet back to the network stack path.

41.

INTRUSION DETECTION USING A HEARTBEAT

      
Application Number 18672978
Status Pending
Filing Date 2024-05-23
First Publication Date 2024-09-19
Owner Sophos Limited (United Kingdom)
Inventor Ray, Kenneth D.

Abstract

Possible Denial of Service (DOS) activity is detected and remediated based on an initial heartbeat failure from a network asset, followed by externally directed network traffic from the network asset. In general, an interruption of the heartbeat can signal the possible presence of malware on the network asset, and the externally directed network traffic, and particularly certain patterns of traffic such as a high volume of traffic toward an address with a known, good reputation, can signal the possible presence of a DoS bot on the network asset that is sourcing the network traffic.

42.

CENTRALIZED EVENT DETECTION

      
Application Number 18673015
Status Pending
Filing Date 2024-05-23
First Publication Date 2024-09-19
Owner Sophos Limited (United Kingdom)
Inventor
  • Levy, Joseph H.
  • Thomas, Andrew J.
  • Schiappa, Daniel Salvatore
  • Ray, Kenneth D.

Abstract

A threat management facility stores a number of entity models that characterize reportable events from one or more entities. A stream of events from compute instances within an enterprise network can then be analyzed using these entity models to detect behavior that is inconsistent or anomalous for one or more of the entities that are currently active within the enterprise network.

IPC Classes

  • G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
  • G06F 16/13 - File access structures, e.g. distributed indices
  • G06F 16/28 - Databases characterised by their database models, e.g. relational or object models
  • G06F 16/93 - Document management systems
  • G06F 21/64 - Protecting data integrity, e.g. using checksums, certificates or signatures
  • G06N 20/00 - Machine learning
  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • H04L 9/40 - Network security protocols
  • H04L 41/00 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
  • H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]

43.

REMOTE MANAGEMENT OF HOSTED SERVICES

      
Application Number 18517202
Status Pending
Filing Date 2023-11-22
First Publication Date 2024-08-29
Owner Sophos Limited (United Kingdom)
Inventor
  • Yagnik, Vivek Rudraduttbhai
  • Mears, John

Abstract

Remote services, such as security services, are onboarded for a tenant in a multi-tenant environment, such as a cloud-based electronic mail tenant, by configuring the tenant to permit remote access to local resources used at the tenant to facilitate the remote security services. As a significant advantage, this permits use of the remote security services with cloud-based enterprise resources hosted on the tenant, e.g., an enterprise mail server handling inbound and/or outbound electronic mail traffic, without requiring changes to the tenant's network configuration. As an additional advantage, security risks associated with the remote access may be confined to the specific tenant in the multi-tenant environment by creating a unique key for exchanging data between the tenant and the remote security services.

IPC Classes

  • H04L 51/214 - Monitoring or handling of messages using selective forwarding
  • G06Q 10/107 - Computer-aided management of electronic mailing [e-mailing]
  • H04L 9/40 - Network security protocols

44.

COMPONENT TESTING FRAMEWORK

      
Application Number 18114101
Status Pending
Filing Date 2023-02-24
First Publication Date 2024-08-29
Owner Sophos Limited (United Kingdom)
Inventor Desai, Jaydatt Jitendriya

Abstract

A mock server is configured to mimic the operation of one or more microservices used in enterprise software. When a new microservice is completed for use in the enterprise software, the new microservice and the mock server can be deployed in a pre-production environment for testing. One or more test cases are created and then executed in the pre-production environment, causing the new microservice to access various other microservices represented by the mock server with one or more predetermined requests. In this manner, the new microservice may be tested in a simulated production environment before other microservices in the enterprise software design have been fully implemented.

IPC Classes

  • G06F 11/36 - Prevention of errors by analysis, debugging or testing of software
  • G06F 8/61 - Installation

45.

DETECTING TAMPERING WITH HOSTED SERVICES

      
Application Number 18517321
Status Pending
Filing Date 2023-11-22
First Publication Date 2024-08-29
Owner Sophos Limited (United Kingdom)
Inventor
  • Yagnik, Vivek Rudraduttbhai
  • Mears, John
  • Gauswami, Rakesh Ghanshyamgiri
  • Prajapati, Vishal Revabhai

Abstract

Remote services, such as security services, are onboarded for a tenant in a multi-tenant environment, such as a cloud-based electronic mail tenant, by configuring the tenant to permit remote access to local resources used at the tenant to facilitate the remote security services. Mail flow rules associated with the multi-tenant environment govern how electronic mail is handled in the environment. For example, mail flow rules may be used to divert inbound and/or outbound electronic mail through a mail security service. Changes to the mail flow rules are monitored and analyzed to determine whether such changes are valid (e.g., not unsafe or tampered with) to support secure management of electronic mail traffic. If a change to a mail flow rule is determined to not be valid, an action may be performed, such as deleting, disabling, or reverting the change.

46.

SYSTEMS AND METHODS FOR EXECUTING A COMMAND LINE INTERFACE COMMAND ON REMOTE DEVICES FROM A CENTRAL LOCATION

      
Application Number 18169475
Status Pending
Filing Date 2023-02-15
First Publication Date 2024-08-22
Owner Sophos Limited (United Kingdom)
Inventor
  • Debnath, Anirban
  • Dey, Pramit
  • Jha, Dhiraj
  • Mishra, Amulya Kumar

Abstract

In an embodiment, an apparatus includes one or more processors configured to receive at least one command line interface command, generate a push notification associated with the at least one command line interface command, send the push notification to at least one managed device, responsive to the at least one managed device receiving the push notification, receive a pull request from the at least one managed device, responsive to receiving the pull request, send the at least one command line interface command to a device-specific adaptor of the at least one managed device such that the device-specific adaptor converts the at least one command line interface command to a device-specific command associated with the at least one managed device, and receive an execution status from the at least one managed device in response to the device-specific command being executed by the at least one managed device.

IPC Classes

  • H04L 67/55 - Push-based network services
  • G06F 9/448 - Execution paradigms, e.g. implementations of programming paradigms

47.

Signature reporting system and method

      
Application Number 18072776
Status Pending
Filing Date 2022-12-01
First Publication Date 2024-07-11
Owner Sophos Limited (United Kingdom)
Inventor
  • Subramanya, Santosh
  • Jayaraman, Shankar

Abstract

Systems and methods for monitoring network activity. The methods include causing a display of a user interface to a user, wherein the user interface configured to present to the user a classification of a signature, wherein the classification of the signature is made by a firewall, and receive an input from the user to report that the firewall misclassified the signature. The methods also include receiving a report indicating that the firewall misclassified the signature based on the input received from the user; and modifying, using one or more processors executing instructions stored on memory, at least one of the signature and the firewall so that the firewall does not subsequently misclassify the signature.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 3/0482 - Interaction with lists of selectable items, e.g. menus

48.

Malware mitigation based on runtime memory allocation

      
Application Number 18543118
Grant Number 12210617
Status In Force
Filing Date 2023-12-18
First Publication Date 2024-07-04
Grant Date 2025-01-28
Owner Sophos Limited (United Kingdom)
Inventor
  • Engels, Lute Edwin
  • Loman, Mark Willem
  • Vermaning, Alexander
  • Loman, Erik Jan
  • Van Hillo, Victor Marinus Johann Simon

Abstract

A compute instance is instrumented to detect certain kernel memory allocation functions, in particular functions that allocate heap memory and/or make allocated memory executable. Dynamic shell code exploits can then be detected when code executing from heap memory allocates additional heap memory and makes that additional heap memory executable.

IPC Classes

  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 9/50 - Allocation of resources, e.g. of the central processing unit [CPU]
  • G06F 12/02 - Addressing or allocation; Relocation
  • G06F 12/14 - Protection against unauthorised use of memory
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 21/60 - Protecting data
  • G06F 21/71 - Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information

49.

ENCRYPTED CACHE PROTECTION

      
Application Number 18600767
Status Pending
Filing Date 2024-03-10
First Publication Date 2024-07-04
Owner Sophos Limited (United Kingdom)
Inventor
  • Loman, Mark Willem
  • Engels, Lute Edwin
  • Tijink, Ronny Henk Gert
  • Van Hillo, Victor Marinus Johann Simon
  • Vermaning, Alexander
  • Harmsen, Jeroen

Abstract

Secrets such as secure session cookies for a web browser can be protected on a compute instance with multiple layers of encryption, such as by encrypting key material that in turn controls cryptographic access to the secret. A compute instance can be instrumented to detect when a process attempts to decrypt this key material so that the process requesting decryption can be compared to authorized or legitimate users of the secret.

50.

Application firewall

      
Application Number 18364902
Grant Number 12244641
Status In Force
Filing Date 2023-08-03
First Publication Date 2024-06-27
Grant Date 2025-03-04
Owner Sophos Limited (United Kingdom)
Inventor
  • Thomas, Andrew J.
  • Ackerman, Karl
  • Bean, James Douglas
  • Ray, Kenneth D.
  • Stutz, Daniel

Abstract

A firewall uses information about an application that originates a network request to determine whether and how to forward the request over a network. The firewall may more generally rely on the identity of the originating application, the security state of the originating application, the security state of the endpoint, and any other information that might provide an indication of malicious activity, to make routing and forwarding decisions for endpoint-originated network traffic.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 11/00 - Error detection; Error correction; Monitoring
  • G06F 21/40 - User authentication by quorum, i.e. whereby two or more security principals are required
  • G06F 21/43 - User authentication using separate channels for security data wireless channels
  • G06F 21/44 - Program or device authentication
  • G06F 21/45 - Structures or tools for the administration of authentication
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
  • G06F 21/64 - Protecting data integrity, e.g. using checksums, certificates or signatures
  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 41/0631 - Management of faults, events, alarms or notifications using root cause analysis; Management of faults, events, alarms or notifications using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
  • H04L 41/142 - Network analysis or design using statistical or mathematical methods
  • H04L 43/10 - Active monitoring, e.g. heartbeat, ping or trace-route
  • H04L 51/212 - Monitoring or handling of messages using filtering or selective blocking
  • H04L 67/104 - Peer-to-peer [P2P] networks

51.

Apparatus and methods for an application programming interface to detect and locate malware in memory

      
Application Number 18089474
Grant Number 12242608
Status In Force
Filing Date 2022-12-27
First Publication Date 2024-06-27
Grant Date 2025-03-04
Owner Sophos Limited (United Kingdom)
Inventor
  • Loman, Mark Willem
  • Engels, Lute Edwin
  • Tijink, Ronny Henk Gert
  • Vermaning, Alexander

Abstract

Embodiments disclosed herein include an apparatus with a processor configured to receive an indication of a function call to an identified shared library and configured to perform an identified function. The processor is configured to insert a function hook in the shared library. The function hook is configured to pause the execution of the shared library when called. In response to the function hook, the processor is configured to identify a source location in one or more memories associated with an origin of the function call to the shared library. The processor is configured to scan a range of memory addresses associated with the source location in the one or more memories, and identify, based on the scanning, a potentially malicious process within the range of memory addresses.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 12/14 - Protection against unauthorised use of memory

52.

RISK BASED REMOTE BROWSER ISOLATION

      
Application Number 18544890
Status Pending
Filing Date 2023-12-19
First Publication Date 2024-06-27
Owner Sophos Limited (United Kingdom)
Inventor
  • Kaimal, Biju Ramachandra
  • Olakengil, Joju Francis

Abstract

The present disclosure relates to a computer-implemented method for orchestration of remote browser isolation requests at a server. The method comprises receiving a first remote browser isolation (RBI) request associated with a first request to access a first network content at a first user device. A threat level associated with the first RBI request is determined and a container pool is assigned to the first RBI request based on the determined threat level. Using a first RBI container within the assigned container pool, a non-executable representation of the first network content is generated and returned for access at the first user device.

IPC Classes

  • G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

53.

Malicious application detection

      
Application Number 18078186
Status Pending
Filing Date 2022-12-09
First Publication Date 2024-06-13
Owner Sophos Limited (United Kingdom)
Inventor
  • Jayaraman, Shankar
  • Pandey, Rahul
  • Subramanya, Santosh
  • Shah, Dhwanit
  • Roberts, Guy

Abstract

Systems and methods for methods network activity. The methods include receiving at an interface connection data associated with a request from a first device to download an application from a source, downloading the application to a second device based on the request, and executing, using one or more processors executing instructions stored on memory, the downloaded application to obtain behavioral data of the application. The methods further include assigning, using the one or more processors, a risk score to the application based on the behavioral data of the application to determine whether the application is malicious before the application is downloaded by the first device, and implementing, using the one or more processors, a download decision for the first device based on the assigned risk score, wherein the download decision indicates at least whether the first device is able to download the application associated with the request.

54.

Security Against Physical Keystroke Simulation

      
Application Number 18075740
Status Pending
Filing Date 2022-12-06
First Publication Date 2024-06-06
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Vermaning, Alexander
  • Tijink, Ronny Henk Gert
  • Loman, Mark Willem
  • Engels, Lute Edwin

Abstract

A computer-implemented method includes detecting, by a computing device, a request from a macro included in a document file that is open in a software application executing on the computing device, where the macro comprises executable code and where the document file further includes non-executable document content. The method further includes determining if the request includes simulation of a physical keystroke based on detecting that the request includes a function call to a function that synthesizes keystrokes. The method further includes responsive to determining that the request includes simulation of the physical keystroke, preventing the request from being satisfied.

IPC Classes

  • G06F 21/51 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
  • G06F 21/54 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by adding security routines or objects to programs

55.

Misconfigured mirror port detection

      
Application Number 18071132
Grant Number 12199811
Status In Force
Filing Date 2022-11-29
First Publication Date 2024-05-30
Grant Date 2025-01-14
Owner Sophos Limited (United Kingdom)
Inventor Terry, Neil Richard

Abstract

A method includes monitoring a plurality of packets received by a network sensor associated with a port of a network, determining a ratio of unicast, multicast or broadcast packets to a total number of packets for the plurality of packets, determining that the ratio is outside the bounds of a threshold range, detecting that a port is misconfigured based on the determination that the ratio is outside the bounds of a threshold range, and automatically notifying a network administrator that the port is misconfigured based on the determination that the ratio is outside the bounds of a threshold range. Further disclosed is a computer system and computer program product configured to perform the method.

IPC Classes

  • H04L 41/0604 - Management of faults, events, alarms or notifications using filtering, e.g. reduction of information by using priority, element types, position or time
  • H04L 41/0659 - Management of faults, events, alarms or notifications using network fault recovery by isolating or reconfiguring faulty entities
  • H04L 43/16 - Threshold monitoring

56.

Managing and classifying computer processes

      
Application Number 17989111
Grant Number 12277218
Status In Force
Filing Date 2022-11-17
First Publication Date 2024-05-23
Grant Date 2025-04-15
Owner Sophos Limited (United Kingdom)
Inventor
  • Braggs, Steven John
  • Carpenter, James Christopher

Abstract

In a system and method for processing computer system events asynchronously for software security operations, a computer memory is configured for a read operation by a computer process. The computer process loads, based on a first event occurring during the read operation, at least one file in the computer memory. At least one thread of the computer process is generated. An execution of the at least one thread of the computer process is delayed based on a second event occurring after the first event. A security operation is performed on the process contemporaneously with the loading of the file in the computer memory and the blocking of the execution of the at least one thread of the computer process. The process is either un-delayed on completion of the previous security operation or other security operations performed on that process.

IPC Classes

  • G06F 21/54 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by adding security routines or objects to programs
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

57.

ENTERPRISE DOCUMENT CLASSIFICATION

      
Application Number 18481441
Status Pending
Filing Date 2023-10-05
First Publication Date 2024-05-16
Owner Sophos Limited (United Kingdom)
Inventor Thomas, Andrew J.

Abstract

A collection of documents or other files and the like within an enterprise network are labelled according to an enterprise document classification scheme, and then a recognition model such as a neural network or other machine learning model can be used to automatically label other files throughout the enterprise network. In this manner, documents and the like throughout an enterprise can be automatically identified and managed according to features such as confidentiality, sensitivity, security risk, business value, and so forth.

IPC Classes

  • G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
  • G06F 16/13 - File access structures, e.g. distributed indices
  • G06F 16/28 - Databases characterised by their database models, e.g. relational or object models
  • G06F 16/93 - Document management systems
  • G06F 21/64 - Protecting data integrity, e.g. using checksums, certificates or signatures
  • G06N 20/00 - Machine learning
  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • H04L 9/40 - Network security protocols
  • H04L 41/00 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
  • H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]

58.

VARIABLE TIMEOUTS BETWEEN OPERATING MODES OF A COMPUTER FOR DETECTING MALICIOUS SOFTWARE

      
Application Number 17986163
Status Pending
Filing Date 2022-11-14
First Publication Date 2024-05-16
Owner Sophos Limited (United Kingdom)
Inventor Braggs, Steven John

Abstract

A method for detecting malicious activity of a computing device comprises detecting, by a software driver executing within a kernel mode of an operating system being executed by the computing device, an operation performed at the computing device; intercepting the operation; receiving, by a security application executing within a user mode of the operating system, a request from the software driver for an instruction for the software driver for an action to block or allow the operation according to a first timeout value; generating a second timeout value based on an amount of time determined by the security application; transmitting a reply to the request that includes the second timeout value to the software driver; transmitting the instruction to the software driver in compliance with the second timeout value; and executing, by the software driver, the action in response to the instruction.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 21/51 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability

59.

Logging configuration system and method

      
Application Number 18083488
Status Pending
Filing Date 2022-12-17
First Publication Date 2024-05-09
Owner Sophos Limited (United Kingdom)
Inventor
  • Wala, Avni Bhupendrakumar
  • Bansal, Yogesh Kumar
  • Sen, Bhaskar
  • Bathineni, Sowri Raju
  • Jindal, Sumit

Abstract

Systems and methods for monitoring network activity. The methods include receiving at an interface a first logging parameter for a first network device, wherein the first logging parameter specifies how the first network device is to record data associated with the first network device; communicating the first logging parameter to the first network device; and indicating to the first network device a first network-accessible location to where the first network device is to transmit its recorded data, wherein the first network device is configured to record data in accord with the first logging parameter and transmit the recorded data to the first network-accessible location.

60.

SCANNING FOR MALWARE BASED ON PROCESS IDENTIFICATION

      
Application Number 17981946
Status Pending
Filing Date 2022-11-07
First Publication Date 2024-05-09
Owner SOPHOS LIMITED (United Kingdom)
Inventor Braggs, Steven J

Abstract

Systems and methods to scan for malware on devices based on process identification. In some implementations, a computer-implemented method includes intercepting an event initiated by a particular process that executes on a system, which pauses the event. It is determined whether to perform a security scan for the event based on a comparison of a type of the event with stored event classification information associated with the particular process. If performing the security scan, a scan of the intercepted event is performed (e.g., sent to a user mode service that executes on the system), and based on the scan, the intercepted event is allowed to proceed or a security operation is performed associated with the intercepted event. If not performing the security scan, the intercepted event is allowed to proceed.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

61.

Use of an application controller to monitor and control software file and application environments

      
Application Number 18359283
Grant Number 12111927
Status In Force
Filing Date 2023-07-26
First Publication Date 2024-05-02
Grant Date 2024-10-08
Owner Sophos Limited (United Kingdom)
Inventor Thomas, Andrew J.

Abstract

In embodiments, a framework for an extensible, file-based security system is described for determining an appropriate application, application environment, and/or access or security control measure based at least in part on a file's reputation.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
  • H04L 9/40 - Network security protocols

62.

SENSITIVE DATA DETECTION

      
Application Number 18359834
Status Pending
Filing Date 2023-07-26
First Publication Date 2024-05-02
Owner Sophos Limited (United Kingdom)
Inventor
  • Bryan, John Brian
  • Zhang, Xing

Abstract

A data set can be analyzed for the presence of sensitive data using type-specific validation mechanisms to test data within the data set that superficially matches a corresponding data type format. In general, a type-specific validation mechanism may be applied to data segments within the data set when they match the data type format, and used to cumulatively build a statistical inference about whether the data set contains the corresponding data type. This technique may usefully be applied in a range of security contexts, such as characterizing data at rest or detecting leakage of sensitive data during a data transmission.

IPC Classes

  • G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
  • G06F 16/28 - Databases characterised by their database models, e.g. relational or object models

63.

NETWORK ACCESS USING HARDWARE-BASED SECURITY

      
Application Number 18110051
Status Pending
Filing Date 2023-02-15
First Publication Date 2024-05-02
Owner Sophos Limited (United Kingdom)
Inventor
  • Das, Dipak Kr.
  • Wala, Avni Bhupendrakumar
  • Dawson, John Frederick
  • Nekkare Gururaj, Hariprasad
  • Debnath, Anirban

Abstract

An endpoint device uses hardware-based security to authenticate to an enterprise network. For example, an endpoint device such as network hardware or an end user device can request authentication in order to join an enterprise network that is managed by a computing platform such as a threat management facility. In one aspect, an authenticator at the computing platform sends a challenge payload in response to the request from the endpoint device. The endpoint device may then sign the challenge payload with a hardware-based security system that was bound to the endpoint device at manufacture, and return a response to the authenticator that includes the signed challenge payload. The authenticator can cryptographically validate the response and generate an authentication token for use by the endpoint device when joining the enterprise network.

IPC Classes

  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system

64.

HYBRID APPLIANCE FOR ZERO TRUST NETWORK ACCESS TO CUSTOMER APPLICATIONS

      
Application Number 18090009
Status Pending
Filing Date 2022-12-28
First Publication Date 2024-04-18
Owner Sophos Limited (United Kingdom)
Inventor
  • Andrews, Robert Paul
  • Kaimal, Biju Ramachandra
  • Gupta, Nitin
  • Katyal, Amit

Abstract

A zero trust network access appliance deployed at a customer premises can support gateway and cloud modes. In a gateway mode, the appliance operates as a zero trust network access gateway, and provides zero trust network access to applications hosted at the customer premises, using a firewall at the customer premises for network security. In the cloud mode, the appliance initiates a secure connection with a remote, cloud computing platform that provides a front end for zero trust network access. A threat management facility for the customer provides a control plane for managing zero trust network access provided through the cloud computing platform.

65.

DYNAMIC ROUTING OF APPLICATION TRAFFIC TO ZTNA CONNECTORS

      
Application Number 18090025
Status Pending
Filing Date 2022-12-28
First Publication Date 2024-04-18
Owner Sophos Limited (United Kingdom)
Inventor
  • Andrews, Robert Paul
  • Obulareddy, Venkata Suresh Reddy
  • Katyal, Amit
  • Rajendran, Thiyagu

Abstract

A cloud computing platform provides zero trust network access as a service to customers that maintain applications on-premises, and a zero trust network access appliance at the customer premises that couples the on-premises applications to the cloud computing platform. A customer may host multiple instances of the appliance in order to support scalable access, where each instance creates a separate secure tunnel to the cloud computing platform. In this context, when a new appliance authenticates a new secure tunnel, information such as a connector name, customer, and port for the tunnel may be shared on a control plane for the computing platform to facilitate programmatic load balancing within the cloud computing platform.

66.

CLOUD-BASED ZERO TRUST NETWORK ACCESS SERVICE

      
Application Number 18089930
Status Pending
Filing Date 2022-12-28
First Publication Date 2024-04-18
Owner Sophos Limited (United Kingdom)
Inventor
  • Andrews, Robert Paul
  • Kaimal, Biju Ramachandra
  • Obulareddy, Venkata Suresh Reddy

Abstract

Infrastructure for zero trust network access (ZTNA) is deployed as a cloud-based service remotely from a customer premises where user applications are hosted. By connecting an appliance on the customer premises to the cloud-based service through a secure tunnel or the like, an application hosted on the customer premises can then be accessed externally as a ZTNA application without the customer premises opening a firewall to public networks or otherwise exposing potential attack surfaces to the customer premises.

67.

VALIDATION OF ZTNA CONFIGURATION FOR A MULTI-TENANT PROXY ENVIRONMENT

      
Application Number 18089946
Status Pending
Filing Date 2022-12-28
First Publication Date 2024-04-18
Owner Sophos Limited (United Kingdom)
Inventor
  • Andrews, Robert Paul
  • Katyal, Amit
  • Rajendran, Thiyagu

Abstract

A cloud-based platform for zero trust network access (ZTNA) services provides zero trust network access as a service for multiple customers in a multi-tenant architecture. In this context, the configuration for a new ZTNA application is validated with a service proxy in a sandbox or similar environment before release by the cloud-based platform for access through a public network. As a significant advantage, this approach mitigates inadvertent conflicts or instability in a service proxy that supports other applications and customers.

IPC Classes

  • G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
  • G06F 21/64 - Protecting data integrity, e.g. using checksums, certificates or signatures

68.

DOMAIN OWNERSHIP VERIFICATION FOR A ZTNA SERVICE PLATFORM

      
Application Number 18089967
Status Pending
Filing Date 2022-12-28
First Publication Date 2024-04-18
Owner Sophos Limited (United Kingdom)
Inventor
  • Obulareddy, Venkata Suresh Reddy
  • Gupta, Prashil Rakeshkumar
  • Maheve, Sanjeev Kumar

Abstract

A cloud computing platform provides zero trust network access as a service to a customer that maintains an application on-premises. In this context, the customer may be required to demonstrate ownership of a domain before the cloud computing platform will provide access to the on-premises application via the domain.

69.

ALIAS DOMAINS FOR ACCESSING ZTNA APPLICATIONS

      
Application Number 18089997
Status Pending
Filing Date 2022-12-28
First Publication Date 2024-04-18
Owner Sophos Limited (United Kingdom)
Inventor
  • Andrews, Robert Paul
  • Obulareddy, Venkata Suresh Reddy
  • A R, Harsha
  • Patel, Neha Parshottam

Abstract

A cloud computing platform provides zero trust network access as a service to customers that maintain applications on-premises. In this context, the cloud computing platform may associate customers and/or applications with specific service proxies, and add an abstraction layer for network access that maps an alias domain for each customer and/or application to a network load balancer associated with the specific service proxies associated with the corresponding application(s). This approach advantageously simplifies the configuration of service proxies at the cloud computing platform by permitting dedicated relationships among network load balancers, specific service proxies, and specific applications, while concurrently reducing or avoiding the administrative burden on customers of updating network pointers when the clusters of service proxies are periodically reconfigured to adjust to varying user traffic.

IPC Classes

  • H04L 9/40 - Network security protocols
  • H04L 41/12 - Discovery or management of network topologies
  • H04L 67/1036 - Load balancing of requests to servers for services different from user content provisioning, e.g. load balancing across domain name servers

70.

SCALING TUNNELS FOR ZERO TRUST NETWORK ACCESS APPLIANCES

      
Application Number 18090041
Status Pending
Filing Date 2022-12-28
First Publication Date 2024-04-18
Owner Sophos Limited (United Kingdom)
Inventor
  • Obulareddy, Venkata Suresh Reddy
  • Semsu, Nabil

Abstract

A cloud computing platform provides zero trust network access as a service to customers that maintain applications on-premises, and a zero trust network access appliance at the customer premises that couples the on-premises applications to the cloud computing platform. In this context, the number of secure tunnels maintained for an application between the customer premises and the cloud computing platform may be dynamically managed to support variations in user demand for the application.

IPC Classes

  • H04L 9/40 - Network security protocols
  • H04L 67/1008 - Server selection for load balancing based on parameters of servers, e.g. available memory or workload

71.

Augmented security recognition tasks

      
Application Number 18323607
Grant Number 12271474
Status In Force
Filing Date 2023-05-25
First Publication Date 2024-04-18
Grant Date 2025-04-08
Owner Sophos Limited (United Kingdom)
Inventor
  • Harang, Richard Edward
  • Rudd, Ethan Mcavoy
  • Berlin, Konstantin
  • Wild, Cody Marie
  • Ducau, Felipe Nicolás

Abstract

A system for conducting a security recognition task, the system comprising a memory configured to store a model and training data including auxiliary information that will not be available as input to the model when the model is used as a security recognition task model for the security recognition task. The system further comprising one or more processors communicably linked to the memory and comprising a training unit and a prediction unit. The training unit is configured to receive the training data and the model from the memory and subsequently provide the training data to the model, and train the model, as the security recognition task model, using the training data to predict the auxiliary information as well as to perform the security recognition task, thereby improving performance of the security recognition task. The prediction unit is configured to use the security recognition task model output to perform the security recognition task while ignoring the auxiliary attributes in the model output.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06N 3/045 - Combinations of networks
  • G06N 3/08 - Learning methods
  • G06N 20/00 - Machine learning

72.

CLOUD-BASED ZERO TRUST NETWORK ACCESS SERVICES

      
Application Number US2022054075
Publication Number 2024/081014
Status In Force
Filing Date 2022-12-27
Publication Date 2024-04-18
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Andrews, Robert, Paul
  • Kaimal, Biju, Ramachandra
  • Obulareddy, Venkata, Suresh Reddy
  • A R, Harsha
  • Patel, Neha, Parshottam
  • Katyal, Amit
  • Rajendran, Thiyagu
  • Gupta, Nitin
  • Gupta, Prashil, Rakeshkumar
  • Maheve, Sanjeev, Kumar
  • Semsu, Nabil

Abstract

Various modifications to a zero trust network access system facilitate distributed and/or cloud-based deployments of zero trust network access applications and related services, as well as remote management of network security for an enterprise that is hosting the zero trust network access applications.

IPC Classes

  • H04L 67/2895 - Intermediate processing functionally located close to the data provider application, e.g. reverse proxies
  • H04L 9/40 - Network security protocols

73.

METHODS AND APPARATUS FOR DETECTION OF MALICIOUS DOCUMENTS USING MACHINE LEARNING

      
Application Number 18483795
Status Pending
Filing Date 2023-10-10
First Publication Date 2024-04-11
Owner Sophos Limited (United Kingdom)
Inventor
  • Saxe, Joshua Daniel
  • Rudd, Ethan M.
  • Harang, Richard

Abstract

An apparatus for detecting malicious files includes a memory and a processor communicatively coupled to the memory. The processor receives multiple potentially malicious files. A first potentially malicious file has a first file format, and a second potentially malicious file has a second file format different than the first file format. The processor extracts a first set of strings from the first potentially malicious file, and extracts a second set of strings from the second potentially malicious file. First and second feature vectors are defined based on lengths of each string from the associated set of strings. The processor provides the first feature vector as an input to a machine learning model to produce a maliciousness classification of the first potentially malicious file, and provides the second feature vector as an input to the machine learning model to produce a maliciousness classification of the second potentially malicious file.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 18/214 - Generating training patterns; Bootstrap methods, e.g. bagging or boosting
  • G06F 18/24 - Classification techniques
  • G06N 3/04 - Architecture, e.g. interconnection topology
  • G06N 3/045 - Combinations of networks
  • G06N 5/01 - Dynamic search techniques; Heuristics; Dynamic trees; Branch-and-bound
  • G06N 20/20 - Ensemble learning

74.

Systems and methods for implementing policy changes in multi-tenant environments

      
Application Number 18089479
Grant Number 11956124
Status In Force
Filing Date 2022-12-27
First Publication Date 2024-04-09
Grant Date 2024-04-09
Owner Sophos Limited (United Kingdom)
Inventor
  • Gupta, Prashil Rakeshkumar
  • Katyal, Amit

Abstract

In one or more embodiments, an apparatus includes one or more memories and one or more processors operatively coupled to the one or more memories. The one or more processors is configured to receive a policy bundle associated with at least one tenant from a plurality of tenants, determine a policy change associated with a change between the policy bundle and a tenant policy, the policy change associated with a load value, subscribe an administration client to an administration layer server based on the tenant policy, transmit the policy change to the administration layer client, implement the policy change into an agent associated with the administration layer client, determine a system load status based on a plurality of administration layer clients and the load value, and responsive to determining the system load status exceeds a predetermined threshold, generate at least one agent associated with the at least one tenant.

IPC Classes

  • G06F 15/177 - Initialisation or configuration control
  • H04L 41/085 - Retrieval of network configuration; Tracking network configuration history
  • H04L 41/0894 - Policy-based network configuration management
  • H04L 67/55 - Push-based network services

75.

Pausing automatic software updates of virtual machines

      
Application Number 17959612
Grant Number 12260208
Status In Force
Filing Date 2022-10-04
First Publication Date 2024-04-04
Grant Date 2025-03-25
Owner Sophos Limited (United Kingdom)
Inventor
  • Caine, Jonathan Francis
  • Watkiss, Neil Robert Tyndale
  • Rayment, Timothy

Abstract

Adapting automatic software update behavior for virtual desktop infrastructure deployed endpoints includes detecting a request for services of a threat management facility for an enterprise network that originates from a compute instance embodied as a virtual machine instantiated from a versioned software template, and updating software on the compute instance based on a determination of availability of updated software for the compute instance and an update pause parameter indicating that updating software for virtual machines instantiated from the versioned software template is permitted for the compute instance.

IPC Classes

  • G06F 8/65 - Updates
  • G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines

76.

SECURE HASHING OF LARGE DATA FILES TO VERIFY FILE IDENTITY

      
Application Number 17958004
Status Pending
Filing Date 2022-09-30
First Publication Date 2024-04-04
Owner SOPHOS LIMITED (United Kingdom)
Inventor Carpenter, James Christopher

Abstract

Secure hashing of large files to verify file identity. In some implementations, a method includes determining a size of a particular file received by an endpoint device, and searching for a record indexed in a data structure based on the size. In response to finding the record, a sequence of multiple records is accessed in the data structure. For each record of the sequence, a particular data portion is hashed that has a location in the particular file that corresponds to a location in the record to obtain a particular hash result. In response to the particular hash result matching a corresponding previous hash result stored in the record based on an associated data portion in an associated file, the particular file is determined to be the same as the associated file, and characteristics of the particular file are determined using file information for the associated file.

IPC Classes

  • G06F 21/64 - Protecting data integrity, e.g. using checksums, certificates or signatures
  • G06F 21/60 - Protecting data
  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system

77.

ENTERPRISE NETWORK THREAT DETECTION

      
Application Number 18364938
Status Pending
Filing Date 2023-08-03
First Publication Date 2024-04-04
Owner Sophos Limited (United Kingdom)
Inventor
  • Ladnai, Beata
  • Harris, Mark D.
  • Smith, Andrew G. P.
  • Ray, Kenneth D.
  • Thomas, Andrew J.
  • Humphries, Russell

Abstract

In a threat management platform, a number of endpoints log events in an event data recorder. A local agent filters this data and feeds a filtered data stream to a central threat management facility. The central threat management facility can locally or globally tune filtering by local agents based on the current data stream, and can query local event data recorders for additional information where necessary or helpful in threat detection or forensic analysis. The central threat management facility also stores and deploys a number of security tools such as a web-based user interface supported by machine learning models to identify potential threats requiring human intervention and other models to provide human-readable context for evaluating potential threats.

IPC Classes

  • G06Q 10/0635 - Risk analysis of enterprise or organisation activities
  • G06F 9/54 - Interprogram communication
  • G06F 11/07 - Responding to the occurrence of a fault, e.g. fault tolerance
  • G06F 16/955 - Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
  • G06F 17/18 - Complex mathematical operations for evaluating statistical data
  • G06F 18/21 - Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
  • G06F 18/214 - Generating training patterns; Bootstrap methods, e.g. bagging or boosting
  • G06F 18/23213 - Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions with fixed number of clusters, e.g. K-means clustering
  • G06F 18/2413 - Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on distances to training or reference patterns
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06N 5/01 - Dynamic search techniques; Heuristics; Dynamic trees; Branch-and-bound
  • G06N 5/022 - Knowledge engineering; Knowledge acquisition
  • G06N 5/04 - Inference or reasoning models
  • G06N 5/046 - Forward inferencing; Production systems
  • G06N 7/00 - Computing arrangements based on specific mathematical models
  • G06N 20/00 - Machine learning
  • G06N 20/20 - Ensemble learning
  • G06Q 10/0639 - Performance analysis of employees; Performance analysis of enterprise or organisation operations
  • G06V 20/52 - Surveillance or monitoring of activities, e.g. for recognising suspicious objects
  • H04L 9/40 - Network security protocols

78.

Systems and methods for network security

      
Application Number 18483041
Grant Number 12192247
Status In Force
Filing Date 2023-10-09
First Publication Date 2024-03-28
Grant Date 2025-01-07
Owner Sophos Limited (United Kingdom)
Inventor
  • Thomas, Andy
  • Shah, Nishit
  • Stutz, Daniel

Abstract

Methods, systems, and computer readable media for network security are described. In some implementations, security tasks and roles can be allocated between an endpoint device and a firewall device based on tag information sent from the endpoint, the tag information including one or more characteristics of a traffic flow, information of resource availability, and/or reputation of a process associated with a traffic flow.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 9/50 - Allocation of resources, e.g. of the central processing unit [CPU]

79.

EVALUATING NETWORK FLOW RISKS

      
Application Number 17946733
Status Pending
Filing Date 2022-09-16
First Publication Date 2024-03-21
Owner Sophos Limited (United Kingdom)
Inventor
  • Limb, John Franklin
  • Terry, Neil Richard
  • Anderson, James B.

Abstract

A cluster of network flows is formed on the basis of a particular entity-to-entity relationship, and individual network flows within the cluster are further identified on an application-by-application basis to better characterize communications between two compute instances connected through a data network. By individually scoring network flows for each application with a variety of tools, and aggregating these individual scores into a composite score for the cluster of network flows, more accurate threat detections can be supported based on an increase in relevant threat data and a more complete view of risk factors.

IPC Classes

  • H04L 9/40 - Network security protocols
  • H04L 45/7453 - Address table lookup; Address filtering using hashing

80.

CATALOG FOR MANAGING MODULAR CODE

      
Application Number 17946752
Status Pending
Filing Date 2022-09-16
First Publication Date 2024-03-21
Owner Sophos Limited (United Kingdom)
Inventor
  • Rowlands, Anthony Thomas
  • Fraser, Michael Joseph

Abstract

A catalog of pipelines for modular coding integrates resources for consistent use and verification of individual pipeline components. The platform may incorporate tools and metadata for version control, verification, and licensing in order to support a user when creating and deploying applications using resources from the catalog.

IPC Classes

  • G06F 9/06 - Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
  • G06F 8/30 - Creation or generation of source code

81.

SECURITY COMPLIANCE FOR MODULAR CODE

      
Application Number 17946776
Status Pending
Filing Date 2022-09-16
First Publication Date 2024-03-21
Owner Sophos Limited (United Kingdom)
Inventor
  • Rowlands, Anthony Thomas
  • Fraser, Michael Joseph

Abstract

A catalog of pipelines for modular coding integrates resources for security compliance. The platform may incorporate tools and metadata for selecting suitable compliance standards and verifying security compliance for existing pipelines within the catalog as well as new pipelines created from existing pipelines.

IPC Classes

  • G06F 21/52 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure

82.

CYBERSECURITY CONFIGURATION IN A CLOUD ENVIRONMENT

      
Application Number 18240784
Status Pending
Filing Date 2023-08-31
First Publication Date 2024-03-07
Owner Sophos Limited (United Kingdom)
Inventor
  • Wenzel, Jean Pierre
  • Dürr, Nicolas Aleksander

Abstract

The present teachings include automatically determining the recommended security configuration of a first cloud service within a cloud computing network. This may include detecting a change in the cloud computing network relating to a second cloud service being deployed within the cloud computing network, and in response, obtaining contextual information related to the configuration and operation of the first cloud service, the contextual information including information related to the second cloud service. The contextual information may be provided to a prediction model operable to identify a security posture from input contextual information for obtaining a recommended security posture from the prediction model based on the contextual information provided thereto. Aspects may further include determining a security recommendation for the first cloud service based on a comparison of a current security posture of the first cloud service and the recommended security posture.

IPC Classes

  • H04L 9/40 - Network security protocols
  • H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence

83.

Secure firewall configurations

      
Application Number 18194790
Grant Number 12039036
Status In Force
Filing Date 2023-04-03
First Publication Date 2024-02-29
Grant Date 2024-07-16
Owner Sophos Limited (United Kingdom)
Inventor Teal, Richard S.

Abstract

A kernel driver on an endpoint uses a process cache to provide a stream of events associated with processes on the endpoint to a data recorder. The process cache can usefully provide related information about processes such as a name, type or path for the process to the data recorder through the kernel driver. Where a tamper protection cache or similarly secured repository is available, this secure information may also be provided to the data recorder for use in threat detection, forensic analysis and so forth.

IPC Classes

  • G06F 21/54 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by adding security routines or objects to programs
  • G06F 12/0813 - Multiuser, multiprocessor or multiprocessing cache systems with a network or matrix configuration
  • G06F 21/44 - Program or device authentication
  • G06F 21/50 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
  • G06F 21/51 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
  • G06F 21/60 - Protecting data
  • H04L 9/08 - Key distribution
  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • H04L 9/40 - Network security protocols
  • H04L 43/028 - Capturing of monitoring data by filtering
  • H04L 43/045 - Processing captured monitoring data, e.g. for logfile generation for graphical visualisation of monitoring data
  • H04L 43/062 - Generation of reports related to network traffic
  • H04L 47/2475 - Traffic characterised by specific attributes, e.g. priority or QoS for supporting traffic characterised by the type of applications
  • H04L 9/30 - Public key, i.e. encryption algorithm being computationally infeasible to invert and users' encryption keys not requiring secrecy
  • H04L 43/026 - Capturing of monitoring data using flow identification
  • H04L 43/10 - Active monitoring, e.g. heartbeat, ping or trace-route
  • H04L 67/568 - Storing data temporarily at an intermediate stage, e.g. caching

84.

Method and system for outbound spam mitigation

      
Application Number 17958046
Grant Number 11916858
Status In Force
Filing Date 2022-09-30
First Publication Date 2024-02-27
Grant Date 2024-02-27
Owner Sophos Limited (United Kingdom)
Inventor
  • Mears, John
  • Cove, Brett Hunter

Abstract

A method for mitigating outbound electronic message spam includes determining whether an outbound electronic message to a recipient sent from an electronic messaging account of a sender has at least a predetermined number of indicators of compromise. The outbound electronic message is sent to the recipient using an IP address from a first pool of service delivery IP addresses based on a determination that the message has less than the predetermined number of indicators of compromise. The outbound electronic message is sent to the recipient using an IP address from a second pool of service delivery IP addresses based on a determination that the message has at least the predetermined number of indicators of compromise. The method may further include providing a notification of a possible compromise of the electronic messaging account and the notification may include a request to modify a security feature of the electronic messaging account.

IPC Classes

  • H04L 51/214 - Monitoring or handling of messages using selective forwarding
  • H04L 51/212 - Monitoring or handling of messages using filtering or selective blocking
  • H04L 61/5061 - Pools of addresses
  • H04L 9/40 - Network security protocols
  • H04L 51/224 - Monitoring or handling of messages providing notification on incoming messages, e.g. pushed notifications of received messages

85.

COMPUTER AUGMENTED THREAT EVALUATION

      
Application Number 18462849
Status Pending
Filing Date 2023-09-07
First Publication Date 2024-02-22
Owner Sophos Limited (United Kingdom)
Inventor
  • Saxe, Joshua Daniel
  • Thomas, Andrew J.
  • Humphries, Russell
  • Reed, Simon Neil
  • Ray, Kenneth D.
  • Levy, Joseph H.

Abstract

An automated system attempts to characterize code as safe or unsafe. For intermediate code samples not placed with sufficient confidence in either category, human-readable analysis is automatically generated to assist a human reviewer in reaching a final disposition. For example, a random forest over human-interpretable features may be created and used to identify suspicious features in a manner that is understandable to, and actionable by, a human reviewer. Similarly, a k-nearest neighbor algorithm may be used to identify similar samples of known safe and unsafe code based on a model for, e.g., a file path, a URL, an executable, and so forth. Similar code may then be displayed (with other information) to a user for evaluation in a user interface. This comparative information can improve the speed and accuracy of human interventions by providing richer context for human review of potential threats.

IPC Classes

  • G06Q 10/0635 - Risk analysis of enterprise or organisation activities
  • H04L 9/40 - Network security protocols
  • G06N 5/046 - Forward inferencing; Production systems
  • G06N 20/00 - Machine learning
  • G06F 17/18 - Complex mathematical operations for evaluating statistical data
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06Q 10/0639 - Performance analysis of employees; Performance analysis of enterprise or organisation operations
  • G06F 16/955 - Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
  • G06F 11/07 - Responding to the occurrence of a fault, e.g. fault tolerance
  • G06N 7/00 - Computing arrangements based on specific mathematical models
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06N 5/04 - Inference or reasoning models
  • G06F 9/54 - Interprogram communication
  • G06N 5/022 - Knowledge engineering; Knowledge acquisition
  • G06N 20/20 - Ensemble learning
  • G06V 20/52 - Surveillance or monitoring of activities, e.g. for recognising suspicious objects
  • G06F 18/214 - Generating training patterns; Bootstrap methods, e.g. bagging or boosting
  • G06F 18/21 - Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
  • G06F 18/23213 - Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions with fixed number of clusters, e.g. K-means clustering
  • G06F 18/2413 - Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on distances to training or reference patterns
  • G06N 5/01 - Dynamic search techniques; Heuristics; Dynamic trees; Branch-and-bound

86.

TECHNIQUES FOR DETECTING LIVING-OFF-THE-LAND BINARY ATTACKS

      
Application Number 18144585
Status Pending
Filing Date 2023-05-08
First Publication Date 2024-02-15
Owner Sophos Limited (United Kingdom)
Inventor
  • Kyadige, Adarsh Dinesh
  • Gelman, Ben Uri
  • Berlin, Konstantin

Abstract

In example embodiments, techniques are provided to detect LOLBin attacks using a trained machine learning model that classifies command lines as benign or malicious. The machine learning model may be trained using a dataset of command line data that describes executed binary executable files, sourced from the log of events of compute instances. The dataset may be sampled using an approximate content-based logarithmic sampling algorithm (e.g., an algorithm that employs logarithmic sampling based on a locality sensitive hash, for example, a MinHash). The dataset may be labeled and featurized. The featurized labeled dataset may be used to train the machine learning model, which is then deployed to detect LOLBin attacks on a compute instance. In response to detection of a LOLBin attack, a remedial action may be performed on the compute instance.

IPC Classes

87.

TECHNIQUES FOR DETECTING LIVING-OFF-THE-LAND BINARY ATTACKS

      
Application Number GB2023052021
Publication Number 2024/033608
Status In Force
Filing Date 2023-07-31
Publication Date 2024-02-15
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Kyadige, Dinesh
  • Gelman, Uri
  • Berlin, Konstantin

Abstract

In example embodiments, techniques are provided to detect LOLBin attacks using a trained machine learning model that classifies command lines as benign or malicious. The machine learning model may be trained using a dataset of command line data that describes executed binary executable files, sourced from the log of events of compute instances. The dataset may be sampled using an approximate content-based logarithmic sampling algorithm (e.g., an algorithm that employs logarithmic sampling based on a locality sensitive hash, for example, a MinHash). The dataset may be labeled and featurized. The featurized labeled dataset may be used to train the machine learning model, which is then deployed to detect LOLBin attacks on a compute instance. In response to detection of a LOLBin attack, a remedial action may be performed on the compute instance.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

88.

RAPID DEVELOPMENT OF MALICIOUS CONTENT DETECTORS

      
Application Number 18225737
Status Pending
Filing Date 2023-07-25
First Publication Date 2024-02-15
Owner Sophos Limited (United Kingdom)
Inventor
  • Lee, Younghoo
  • Saxe, Joshua

Abstract

Methods and systems are described for developing a malicious content detector to identify new malicious text content, such as phishing messages, malicious documents, and/or malicious web content. A computing device is used to generate input data which contains an instruction, examples of content, and content to be analyzed. The examples include malicious and benign content samples, designed to recognize similar malicious content. The computing device feeds this input into a generative language model, which produces text labels that indicate the maliciousness of the content to be analyzed. The methods and systems enable rapid development of security protection by leveraging a small number of malicious samples, instead of training with a large dataset of new training samples.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 40/58 - Use of machine translation, e.g. for multi-lingual retrieval, for server-side translation for client devices or for real-time translation
  • G06F 40/279 - Recognition of textual entities

89.

RAPID DEVELOPMENT OF MALICIOUS CONTENT DETECTORS

      
Application Number GB2023052020
Publication Number 2024/033607
Status In Force
Filing Date 2023-07-31
Publication Date 2024-02-15
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Lee, Younghoo
  • Saxe, Joshua Daniel

Abstract

Methods and systems are described for developing a malicious content detector to identify new malicious text content, such as phishing messages, malicious documents, and/or malicious web content. A computing device is used to generate input data which contains an instruction, examples of content, and content to be analyzed. The examples include malicious and benign content samples, designed to recognize similar malicious content. The computing device feeds this input into a generative language model, which produces text labels that indicate the maliciousness of the content to be analyzed. The methods and systems enable rapid development of security protection by leveraging a small number of malicious samples, instead of training with a large dataset of new training samples.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

90.

Digital certificate malicious activity detection

      
Application Number 17880820
Status Pending
Filing Date 2022-08-04
First Publication Date 2024-02-08
Owner Sophos Limited (United Kingdom)
Inventor
  • Shah, Hardik
  • Weyne, Felix Benoit Roger
  • Ormandy, Stephen Matthew

Abstract

Systems and methods for detecting malicious activity. The methods include receiving at an interface at least one feature of a digital certificate; detecting, using one or more processors executing instructions stored on memory, an anomaly in the at least one feature of the digital certificate; identifying, using the one or more processors, at least one process or file associated with the digital certificate upon detecting the anomaly in the at least one feature; and analyzing, using the one or more processors, at least one property associated with the at least one identified process or file. The methods further include identifying, using the one or more processors, the at least one process or file as malicious based on the analysis of the at least one property associated with the at least one process or file and the identification of the anomaly in the at least one feature of the digital certificate; and executing at least one remedial action upon identifying the at least one process or file as malicious.

IPC Classes

91.

Endpoint with remotely programmable data recorder

      
Application Number 18449315
Grant Number 12079757
Status In Force
Filing Date 2023-08-14
First Publication Date 2024-02-01
Grant Date 2024-09-03
Owner Sophos Limited (United Kingdom)
Inventor
  • Ladnai, Beata
  • Harris, Mark D.
  • Smith, Andrew G. P.
  • Ray, Kenneth D.
  • Thomas, Andrew J.
  • Humphries, Russell

Abstract

An endpoint coupled in a communicating relationship with an enterprise network may include a data recorder configured to store an event stream of data indicating events on the endpoint including types of changes to computing objects, a filter configured to locally process the event stream into a filtered event stream including a subset of types of changes to the computing objects, and a local security agent. The local security agent may be configured to transmit the filtered event stream to a threat management facility, respond to a filter adjustment from the threat management facility by adjusting the filter to modify the subset of types of changes included in the filtered event stream, and respond to a query from the threat management facility by retrieving data stored in the data recorder over a time window before the query and excluded from the filtered event stream.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 9/54 - Interprogram communication
  • G06F 11/07 - Responding to the occurrence of a fault, e.g. fault tolerance
  • G06F 16/955 - Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
  • G06F 17/18 - Complex mathematical operations for evaluating statistical data
  • G06F 18/21 - Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
  • G06F 18/214 - Generating training patterns; Bootstrap methods, e.g. bagging or boosting
  • G06F 18/23213 - Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions with fixed number of clusters, e.g. K-means clustering
  • G06F 18/2413 - Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on distances to training or reference patterns
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06N 5/01 - Dynamic search techniques; Heuristics; Dynamic trees; Branch-and-bound
  • G06N 5/022 - Knowledge engineering; Knowledge acquisition
  • G06N 5/04 - Inference or reasoning models
  • G06N 5/046 - Forward inferencing; Production systems
  • G06N 7/00 - Computing arrangements based on specific mathematical models
  • G06N 20/00 - Machine learning
  • G06N 20/20 - Ensemble learning
  • G06Q 10/0635 - Risk analysis of enterprise or organisation activities
  • G06Q 10/0639 - Performance analysis of employees; Performance analysis of enterprise or organisation operations
  • G06V 20/52 - Surveillance or monitoring of activities, e.g. for recognising suspicious objects
  • G06Q 30/018 - Certifying business or products
  • G06Q 30/0283 - Price estimation or determination

92.

Persistent IP address allocation for virtual private network (VPN) clients

      
Application Number 17886014
Status Pending
Filing Date 2022-08-11
First Publication Date 2024-01-04
Owner Sophos Limited (United Kingdom)
Inventor
  • Bhandari, Nikhil
  • Dommeti, Vamshi Krishna
  • Earikireddy, Praneeth Kumar Reddy

Abstract

Systems and methods for assigning a persistent internet protocol (IP) address to a virtual private network (VPN) client. The method includes receiving, at a first server, a request for access from a first VPN client, the request including access credentials and the first server having a routing table; sending, from the first server, the access credentials to an access server; receiving, from the access server at the first server, a first static IP address to be assigned to the first VPN client, wherein the first static IP address is selected from a plurality of available static IP addresses; assigning the first static IP address to the first VPN client; and adding the first static IP address to a static routing path in the routing table, the static routing path specifying an interface to which traffic associated with the first VPN client is to be routed. The static routing path is configured to be referenced to enable traffic associated with the first VPN client to be directed through the interface.

IPC Classes

93.

PERSISTENT IP ADDRESS ALLOCATION FOR VIRTUAL PRIVATE NETWORK (VPN) CLIENTS

      
Application Number GB2023051673
Publication Number 2024/003539
Status In Force
Filing Date 2023-06-27
Publication Date 2024-01-04
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Bhandari, Nikhil
  • Dommeti, Vamshi Krishna
  • Earikireddy, Praneeth Kumar Reddy

Abstract

Systems and methods for assigning a persistent internet protocol (IP) address to a virtual private network (VPN) client. The method includes receiving, at a first server, a request for access from a first VPN client, the request including access credentials and the first server having a routing table; sending, from the first server, the access credentials to an access server; receiving, from the access server at the first server, a first static IP address to be assigned to the first VPN client, wherein the first static IP address is selected from a plurality of available static IP addresses; assigning the first static IP address to the first VPN client; and adding the first static IP address to a static routing path in the routing table, the static routing path specifying an interface to which traffic associated with the first VPN client is to be routed. The static routing path is configured to be referenced to enable traffic associated with the first VPN client to be directed through the interface.

IPC Classes

  • H04L 61/503 - Internet protocol [IP] addresses using an authentication, authorisation and accounting [AAA] protocol, e.g. remote authentication dial-in user service [RADIUS] or Diameter
  • H04L 61/5061 - Pools of addresses
  • H04L 67/1001 - Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers

94.

Traffic scanning with context-aware threat signatures

      
Application Number 17850816
Status Pending
Filing Date 2022-06-27
First Publication Date 2023-12-28
Owner Sophos Limited (United Kingdom)
Inventor
  • Thomas, Andrew
  • Jones, Craig
  • Shannon, Michael

Abstract

Threat management devices and methods. The methods include receiving, at an interface of a threat management device, contextual data associated with a first endpoint device that is in operable connectivity with the threat management device, wherein the threat management device is configured to execute at least one subsystem to scan network traffic. The methods further include determining at least a first signature from a plurality of signatures to use in scanning the network traffic based on the received contextual data and instructing the at least one subsystem to scan network traffic using at least the first determined signature.

IPC Classes

95.

DEDUPLICATION OF ENDPOINT IMAGES

      
Application Number 17748008
Status Pending
Filing Date 2022-05-18
First Publication Date 2023-12-21
Owner Sophos Limited (United Kingdom)
Inventor
  • Watkiss, Neil Robert Tyndale
  • Caine, Jonathan Francis
  • Rayment, Timothy

Abstract

A threat management facility for an enterprise provides security services to a number of virtual compute instances executing on a remote cloud computing platform. In order to prevent or reduce an accumulation of records for abandoned compute instances, each new virtual compute instance is explicitly identified by a user (and optionally a template), and then compared to existing records to identify possible redundancies, which can be deleted or otherwise managed.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 9/451 - Execution arrangements for user interfaces
  • G06F 16/215 - Improving data quality; Data cleansing, e.g. de-duplication, removing invalid entries or correcting typographical errors
  • G06F 8/65 - Updates

96.

METHODS AND APPARATUS FOR MACHINE LEARNING TO GENERATE A DECISION TREE DATABASE TO IDENTIFY COMMANDS SIMILAR TO A COMMAND OF INTEREST

      
Application Number 17746471
Status Pending
Filing Date 2022-05-17
First Publication Date 2023-12-14
Owner Sophos Limited (United Kingdom)
Inventor Saxe, Joshua Daniel

Abstract

A potentially malicious command including a plurality of features is received. Additionally, a plurality of nodes included in a decision tree are traversed, based on the plurality of features, to identify a leaf node included in the plurality of nodes. The leaf node is associated with (1) a first set of similar commands, each similar command from the first set of similar commands including the plurality of features, and (2) a second set of similar commands from the first set of similar commands and that were previously detected. Additionally, a probability that the potentially malicious command will be escalated as potentially malicious is determined based on the first set of similar commands and the second set of similar commands. Additionally, a first indication quantifying the first set of similar commands, a second indication quantifying the second set of similar commands, and the probability are caused to be displayed.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06N 5/00 - Computing arrangements using knowledge-based models

97.

Live discovery of enterprise threats based on security query activity

      
Application Number 18449350
Grant Number 12050715
Status In Force
Filing Date 2023-08-14
First Publication Date 2023-11-30
Grant Date 2024-07-30
Owner Sophos Limited (United Kingdom)
Inventor
  • Ackerman, Karl
  • Thomas, Andrew J.
  • Ray, Kenneth D.

Abstract

A threat management system provides a collection of queries for investigating security issues within an enterprise. Useful inferences are drawn about the value of different queries, and about the security posture of the enterprise, by monitoring contextual activity such as the popularity and context of query usage, patterns of end user modification to queries, and post-query activity.

IPC Classes

  • G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
  • G06F 16/21 - Design, administration or maintenance of databases
  • G06F 16/215 - Improving data quality; Data cleansing, e.g. de-duplication, removing invalid entries or correcting typographical errors
  • G06F 16/2455 - Query execution
  • G06Q 10/067 - Enterprise or organisation modelling
  • H04L 9/40 - Network security protocols

98.

METHODS AND APPARATUS FOR MACHINE LEARNING TO GENERATE A DECISION TREE DATABASE TO IDENTIFY COMMANDS SIMILAR TO A COMMAND OF INTEREST

      
Application Number GB2023051290
Publication Number 2023/223023
Status In Force
Filing Date 2023-05-16
Publication Date 2023-11-23
Owner SOPHOS LIMITED (United Kingdom)
Inventor Saxe, Joshua Daniel

Abstract

A potentially malicious command including a plurality of features is received. Additionally, a plurality of nodes included in a decision tree are traversed, based on the plurality of features, to identify a leaf node included in the plurality of nodes. The leaf node is associated with (1) a first set of similar commands, each similar command from the first set of similar commands including the plurality of features, and (2) a second set of similar commands from the first set of similar commands and that were previously detected. Additionally, a probability that the potentially malicious command will be escalated as potentially malicious is determined based on the first set of similar commands and the second set of similar commands. Additionally, a first indication quantifying the first set of similar commands, a second indication quantifying the second set of similar commands, and the probability are caused to be displayed.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

99.

SECURITY THREAT ALERT ANALYSIS AND PRIORITIZATION

      
Application Number GB2023051192
Publication Number 2023/218167
Status In Force
Filing Date 2023-05-05
Publication Date 2023-11-16
Owner SOPHOS LIMITED (United Kingdom)
Inventor
  • Gelman, Ben Uri
  • Taoufiq, Salma
  • Berlin, Konstantin
  • Vörös, Tamás

Abstract

A method for prioritizing security events comprises receiving a security event that includes security event data having been generated by an endpoint agent based on a detected activity, wherein the security event data includes one or more features; applying a first computing model to the security event data to automatically determine which of the one or more features are one or more input features to a machine learning system; applying a second computing model to historical data related to the security event data to determine time pattern information of the security event data as an input to the machine learning system; combining the one or more input features from the first computing model and the input from the second computing model to generate a computed feature result; and generating an updated security level value of the security event from the computed feature result.


100.

Security threat alert analysis and prioritization

      
Application Number 17958147
Grant Number 12244630
Status In Force
Filing Date 2022-09-30
First Publication Date 2023-11-09
Grant Date 2025-03-04
Owner Sophos Limited (United Kingdom)
Inventor
  • Gelman, Ben Uri
  • Taoufiq, Salma
  • Berlin, Konstantin
  • Vörös, Tamás

Abstract

A method for prioritizing security events comprises receiving a security event that includes security event data having been generated by an endpoint agent based on a detected activity, wherein the security event data includes one or more features; applying a first computing model to the security event data to automatically determine which of the one or more features are one or more input features to a machine learning system; applying a second computing model to historical data related to the security event data to determine time pattern information of the security event data as an input to the machine learning system; combining the one or more input features from the first computing model and the input from the second computing model to generate a computed feature result; and generating an updated security level value of the security event from the computed feature result.
