Systems and methods for AI agent intent classification and taxonomy management include operating an Artificial Intelligence (AI) agent system that includes an agent core connected to memory, one or more tools, and a planner; providing the AI agent with a request; performing intent classification based on the request; and generating an answer to the request based on the intent classification. The intent taxonomy management can include, responsive to adding an intent, reviewing the one or more intents for ambiguity; generating one or more test cases for each of the one or more intents; running a regression test with the one or more test cases; checking for failure cases introduced by the one or more new intents; and providing one or more suggestions to edit the one or more new intents.
Systems and methods for detecting software development platform (SDP) user accounts that are associated with a company include querying an SDP for account and repository data based on a customer name; for each account of a plurality of accounts, analyzing the associated account and repository data; generating a score for each account of the plurality of accounts based on the analyzing, the score being indicative of an account belonging to the customer; and labeling one or more accounts of the plurality of accounts as belonging to the customer based on the score.
Systems and methods for a zero trust mobile network-as-a-service include generating one or more virtualized mobile networks for one or more customers of a cloud service; receiving traffic from a Subscriber Identity Module (SIM) enabled device associated with a customer of the cloud service; steering the traffic through a virtualized mobile network based on the customer associated with the SIM enabled device; and applying zero trust policy to the traffic prior to the traffic exiting the virtualized mobile network.
Systems and methods for detecting secrets in deleted software development platform (SDP) content are disclosed herein, including querying an SDP for account and repository data, the querying being based on a customer name; identifying previously existing content that is no longer present in a current version of the SDP; reconstructing the previously existing content; analyzing the reconstructed content for one or more indicators of sensitive information; and generating a report based on the analysis.
Systems and methods for intelligent network incident management, Root Cause Analysis (RCA), and automated remediation include receiving metrics, graphs, and historic logs associated with network performance of a tenant of the cloud system; identifying a network issue based on the received metrics, graphs, and historic logs; performing an automated RCA to determine a cause of the network issue; and remediating the identified network issue based on the determined cause. Various embodiments include training specialized Large Language Models (LLMs) for performing the automated incident identification, RCA, and remediation.
H04L 41/0631 - Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
6. Query System using Multiple AI Agents for Text-to-SQL and Text-to-Python
Systems and methods are provided for enabling search and query functions. A query system having a framework, executed on one or more processors, includes a plurality of Artificial Intelligence (AI) agents working to support one of text-to-Structured Query Language (SQL) or text-to-Python, wherein the plurality of AI agents include a first AI agent prompted to act as a research analyst for performing a task of interpreting a natural language query from a user, wherein the natural language query is the natural language input for the one of text-to-SQL or text-to-Python; a second AI agent prompted to act as a search data engineer for performing a task of executing a search based on the natural language query; and a third AI agent prompted to act as a code developer for performing a task of writing code based on the search, wherein the plurality of AI agents act autonomously yet collaboratively.
Systems and methods for malicious beaconing detection include extracting one or more beaconing sequences from log data associated with a network; performing feature extraction for the one or more extracted beaconing sequences; and implementing one or more Machine Learning (ML) models for classifying each of the one or more beaconing sequences as any of clean, malicious, suspicious, and unknown. The one or more ML models can be associated with an ensemble model, where a final classification of a beaconing sequence can be based on results of each of the one or more ML models.
A cloud-based private access system integrates static CMDB data with real-time access telemetry to automate Zero Trust segmentation. Administrators upload CMDB files (e.g., CSV/JSON) describing applications, FQDNs, IPs, ports, protocols, ownership, and priorities. An analytics management service stages and normalizes the data, retrieves reference domain data from an in-memory cache, and queries a telemetry engine to correlate intended configurations with observed usage. The system detects mismatches, over-permissive wildcard access, and auto-discovers non-listed elements such as subdomains, ports, or protocol combinations. It then generates prioritized recommendations to refine wildcard rules, create explicit allow policies, and merge or split application groups. Administrators review, simulate, and approve updates, enabling phased rollout, rollback, auditing, and continuous policy tuning based on evolving user and application behavior.
Disclosed are systems and methods for generating location-aware reports for enterprise application usage. Transactional data is obtained from intermediaries mediating user access via application connectors, and location data is acquired for hosted applications, including hosting platform type (public cloud or private data center), region identifiers, and geo-location attributes. Geo-location is derived via API-integrated metadata and IP-based lookup, with administrator entry for private centers. The analyzed data produces site-level residency determinations and correlates access paths with geographic attributes. Reports include a global, interactive map that geo-tags sites in real time, a bar graph view that sorts application sites and displays endpoint counts, and dynamic insights per site (application listings, user access numbers, total and per-application traffic, and data volume trends), thereby enhancing visibility for compliance and operational oversight.
Disclosed are systems and methods for continuous exposure management across multiple cloud environments. Posture control data, including configuration, vulnerability, and identity activity information, is continuously collected and aggregated into a unified exposure dataset. A machine-learning correlation model analyzes the dataset to identify combinations of seemingly unrelated low-risk events that collectively form higher-risk exposure conditions. Each exposure condition is assigned a risk score, and potential remediation actions are evaluated using a remediation priority score based on the amount of risk mitigated and the relative remediation effort. Remediation actions are then prioritized to optimize overall risk reduction efficiency. The system continuously updates exposure data and prioritization as new information is received, enabling dynamic and scalable management of cloud security posture and reducing the operational burden of manual prioritization.
Systems and methods are disclosed for data owner control in Data Loss/Leakage Prevention (DLP). A data owner system processes sensitive data from a structured data source, normalizes fields, and generates an index comprising one-way hash representations of tokens. The index, including schema and primary key information, is uploaded via a secure channel to a cloud-based monitoring system. The cloud system distributes the index to enforcement nodes and performs inline monitoring of network traffic. Content is tokenized and normalized, and tokens are compared against the hashed index using index lookup tables and token windows to detect violations. Policies specify actions such as reporting, blocking, quarantining, or allowing authenticated personally identifiable information (PII) of a data owner. Incremental updates are supported through row hash-based deltas without regenerating the entire index. This approach provides efficient, precise, and privacy-preserving DLP while reducing false positives and granting data owners control over use of their own data.
Techniques are disclosed for enforcing application-centric microsegmentation policies in a network using machine learning. A trained machine learning model classifies network communication flows between hosts and applications to generate labeled flows. Based on these classifications, a microsegmentation policy is automatically generated that is independent of underlying network topology and optimized for performance, accuracy, or interpretability. A host in the network receives the microsegmentation policy and applies it locally to flows associated with the host. Enforcement of the policy includes allowing, blocking, quarantining, or redirecting flows according to the labels. The approach enables granular east-west traffic controls, dynamic adaptation to changing flow conditions, and automatic updates based on retrained models. Additional features include hierarchical policy structures, contextual metadata for flow classification, audit logging, and user-facing visualization of microsegments. The disclosed methods improve workload security by providing scalable, data-driven, and automatically generated microsegmentation policies.
Systems and methods for generating SDLC-based application segments include defining a set of applications, the set of applications comprising a plurality of applications associated with a tenant of the cloud-based system; generating a plurality of application pairs from the set of applications; analyzing applications within each application pair of the plurality of application pairs for filtering the plurality of application pairs, the analyzing comprising a plurality of similarity checks and identification of environment key words; and generating one or more application segments each comprising one or more applications from the set of applications based on the filtering.
Systems and methods for generating SCIM-based application segment policies include obtaining log data for a plurality of users of an enterprise, where the log data relates to usage of a plurality of applications by the plurality of users, wherein the enterprise is one of a plurality of enterprises associated with the cloud-based system; determining one or more app-segments that are groupings of applications of the plurality of applications; and generating access policy for the plurality of applications based on System for Cross-domain Identity Management (SCIM) data and the one or more app-segments.
Systems and methods for inline Uniform Resource Locator (URL) categorization include training a lightweight machine learning model to score content associated with unknown Uniform Resource Locators (URLs) to determine a category of the plurality of categories for each of the unknown URLs; deploying the trained lightweight machine learning model to a node in a cloud-based system for use in production; and utilizing the trained lightweight machine learning model to monitor traffic inline to categorize unknown URLs.
H04L 47/2441 - Traffic characterised by specific attributes, e.g. priority or QoS relying on flow classification, e.g. using integrated services [IntServ]
G06F 16/955 - Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
G06F 16/958 - Organisation or management of web site content, e.g. publishing, maintaining pages or automatic linking
16. Systems and methods for cloud discovery and orchestration
Systems and methods for cloud discovery and orchestration include retrieving a plurality of out-of-band inputs related to a cloud environment; retrieving a plurality of inline inputs related to the cloud environment; determining one or more correlations between one or more destinations, sources, and networks associated with the cloud environment based on the out-of-band inputs and the inline inputs; and determining one or more relationships between the one or more destinations, sources, and networks based on the correlations.
42 - Scientific, technological and industrial services, research and design
Goods & Services
Software as a service (SAAS) services featuring software for digital security and experience management services, namely, enforcing, restricting, enhancing and controlling access to private applications and services, hosted applications and services, cloud applications and services, Software-as-a-Service (SaaS) applications and services, Anything-as-a-Service (XaaS) applications, devices and services; Platform as a service (PAAS) featuring computer software platforms for providing secure, cloud-delivered access to applications, data, artificial intelligence (AI), and services across distributed networks by enforcing security policies, including identity-based access control, secure web gateway, cloud firewall, CASB, DLP, threat detection and sandboxing, traffic inspection, and protection of users, workloads, and devices across on-premises, cloud, and hybrid environments; Computer security threat analysis for protecting data; Data security consultancy; Internet security consultancy; Computer network security consultancy; Computer services, namely, on-line scanning, detecting, quarantining and eliminating of viruses, worms, trojans, spyware, adware, malware and unauthorized data and programs on computers and electronic devices; Software as a service (SAAS) services featuring software using artificial intelligence (AI) for detecting, analyzing, and remediating cybersecurity threats; correlating network, application, and user activity to identify anomalous behavior; automating policy enforcement and access decisions based on contextual risk signals; and generating predictive insights to enhance security controls across cloud, on-premises, and hybrid computing environments
42 - Scientific, technological and industrial services, research and design
Goods & Services
Software as a service (SAAS) services featuring software for providing a cloud-based security platform for securely connecting users, workloads, and devices to applications and data over any network and for AI-powered threat detection, data loss prevention, and zero trust network access; Research in the field of artificial intelligence; Computer network security consultancy; Computer security consultancy
19. Utilizing cloud-based data for determining and recommending organization office site locations
Systems and methods for utilizing cloud-based data for determining and recommending organization office site locations include obtaining data from a cloud-based system associated with employees of an organization, wherein the cloud-based system includes a plurality of organizations with employees each assigned thereto; processing the data associated with the organization to determine a plurality of office site locations of the organization; and displaying the plurality of office site locations of the organization via a User Interface (UI) based on the processing.
Systems and methods for favicon comparison-based similar domain detection include receiving a base domain, the base domain being associated with an enterprise; receiving a domain list comprising a plurality of domains; performing a favicon comparison between the base domain and each of the plurality of domains within the domain list; and classifying each of the plurality of domains within the domain list as one of being associated with the enterprise or not being associated with the enterprise based on the favicon comparison.
The present disclosure describes systems and methods for performing adaptive network tracing using a hybrid approach. The method involves creating a valid TCP connection with a target destination and sending TCP packets with increasing TTL values to identify network hops. When a TCP handshake fails for specific packets, the system switches to sending TCP SYN packets with increasing TTLs to continue tracing. Hop and packet information are encoded into the IPv6 destination options header or the random bytes portion of a TLS Client Hello message for comprehensive tracking. Responses, including ICMP "Time Exceeded" messages, allow extraction of the encoded trace data to identify routers along the path. The hybrid approach ensures robust results by overcoming network limitations, such as firewall restrictions and rate-limiting mechanisms, while maintaining low resource consumption. These systems optimize tracing, particularly in IPv6 and TLS environments, enabling accurate mapping of network routes for diagnostics and analysis.
H04L 43/106 - Active monitoring, e.g. heartbeat, ping or trace-route using time related information in packets, e.g. by adding timestamps
H04L 45/00 - Routing or path finding of packets in data switching networks
H04L 67/145 - Termination or inactivation of sessions, e.g. event-controlled end of session avoiding end of session, e.g. keep-alive, heartbeats, resumption message or wake-up for inactive or interrupted session
H04L 69/163 - In-band adaptation of TCP data exchange; In-band control procedures
Systems and methods for similar domain detection include receiving a base domain, the base domain being associated with an enterprise; receiving a domain list comprising a plurality of domains; performing a plurality of similarity checks between the base domain and each of the plurality of domains within the domain list; and generating a directory of domains comprising one or more domains determined to be associated with the enterprise based on the one or more similarity checks.
H04L 61/4511 - Network directories; Name-to-address mapping using standardised directories; Name-to-address mapping using standardised directory access protocols; using domain name system [DNS]
H04L 61/59 - Network arrangements, protocols or services for addressing or naming using proxies for addressing
23. Client-Rooted Decryption Public Key Infrastructure (PKI) for Secure Cloud-Based Inspection of Encrypted Traffic
Techniques for implementing a client-rooted decryption Public Key Infrastructure (PKI) to securely inspect encrypted traffic in cloud-based proxy environments are disclosed. A proxy node generates an intermediate Certificate Authority (CA) certificate signing request (CSR) and sends it to a client device equipped with a locally-managed root CA. The client device cross-signs the CSR, creating a client-specific intermediate CA certificate, which it returns to the proxy node. This client-specific intermediate CA certificate is scoped uniquely to the individual client device, significantly reducing the potential blast radius in case of CA key compromise. The proxy node uses the client-specific CA certificate to dynamically generate short-lived, scoped decryption certificates for inspecting encrypted traffic. This architecture provides client-level control of trust boundaries, enhanced traceability, reduced complexity, and improved scalability of encrypted traffic inspection, minimizing the operational risks associated with conventional centralized certificate management.
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols; including means for verifying the identity or authority of a user of the system
Systems and methods for traffic inspection using payload offsets include performing inline monitoring between one or more endpoints and the internet; receiving a payload based on the inline monitoring; and performing traffic inspection of the payload based on one or more inspection offset values, wherein the one or more inspection offset values define one or more points within the payload for inspection to begin.
Systems and methods for probability-based inline rule inspection include performing inline monitoring between one or more endpoints and the internet; receiving a payload based on the inline monitoring; and performing traffic inspection of the payload based on one or more rules, wherein each of the one or more rules are inspected based on a probability assigned thereto, and wherein the probability assigned to each of the one or more rules can be a function of an execution time of each of the one or more rules and a historic effectiveness of each of the one or more rules.
Systems and methods for providing interactive visualizations of traffic characteristics within a network include determining, for one or more applications associated with a tenant of a cloud-based system, application information associated with each of the one or more applications; providing, via a Graphical User Interface (GUI), an interactive visualization of the application information associated with each of the one or more applications; and responsive to one or more selections being made via the interactive visualization, enabling one or more cloud-based security functions based on the one or more selections.
Systems and methods for an Artificial Intelligence (AI) agent adapted to support end users include performing monitoring of one or more users via a cloud-based system and logging device metrics based thereon, wherein the device metrics are associated with one or more devices of the one or more users; providing an Artificial Intelligence (AI) agent adapted to troubleshoot issues related to the one or more devices; and responsive to the AI agent being invoked by a user of the one or more users, providing one or more remediation recommendations for one or more issues based on the device metrics.
G06F 11/07 - Responding to the occurrence of a fault, e.g. fault tolerance
G06K 19/06 - Record carriers for use with machines and with at least a part designed to carry digital markings characterised by the kind of the digital marking, e.g. shape, nature, code
Systems and methods for an Artificial Intelligence (AI) agent evaluation framework include operating, in a test environment, an Artificial Intelligence (AI) agent system that includes an agent core connected to memory, one or more tools, and a planner; providing the AI agent with one or more requests; receiving a response to each of the one or more requests; and evaluating performance of the AI agent based on responses to each of the one or more requests. The one or more requests can be LLM-generated variations of a seed request either for testing the AI agent's ability to respond to queries or to test the ability of the AI agent to ignore malicious requests.
Systems and methods for Artificial Intelligence (AI) agent playbook utilization and management include receiving a request from a natural language conversational interface where the request relates to user experience associated with one or more users using a network to access services; analyzing the request to determine intent; and processing the request based on the intent, wherein the processing is performed based on a playbook of a plurality of playbooks. The steps include generating one or more playbooks based on a playbook generation lifecycle, wherein the playbook generation lifecycle includes creating a playbook, testing the playbook, reviewing the playbook, and delivering the playbook.
Systems and methods are disclosed for anomaly detection using a “detect and collect” cybersecurity monitoring approach. Initially, a cybersecurity monitoring system obtains and analyzes a baseline subset of telemetry data from computing resources to detect potential anomalies indicative of cybersecurity threats. Responsive to identifying such anomalies, the system selectively determines additional, contextually relevant telemetry data for targeted collection. This selective data collection significantly reduces telemetry volumes, enhancing efficiency and scalability. An intelligent data fabric and dynamic security knowledge graph are employed to enrich telemetry data in real-time, enabling comprehensive anomaly characterization, risk scoring, and automated security responses. The disclosed techniques support multimodal and multiresolution anomaly detection, adaptive learning, and rapid threat response within diverse distributed computing environments.
Systems and methods include receiving a customer domain from a user via a user device; parsing a plurality of candidate look-alike domains based on the customer domain; executing at least one detection technique selected from a plurality of short URL detection techniques to determine whether one or more short URLs redirect to one of the plurality of candidate look-alike domains; and in response to determining, by the at least one detection technique, that the one or more short URLs redirect to one of the plurality of candidate look-alike domains, classifying that candidate look-alike domain as a phishing attempt.
Systems and methods for a context-aware Artificial Intelligence (AI) assistant for troubleshooting network issues include operating an Artificial Intelligence (AI) agent system that includes an agent core connected to memory, one or more tools, and a planner; receiving a request from a user; and generating, via the AI agent, an answer to the request using a plurality of inputs related to user experience of one or more users associated with a tenant of a cloud-based system.
Systems and methods for Artificial Intelligence (AI) agent inputs using User Interfaces (UIs) include operating an Artificial Intelligence (AI) agent system that includes an agent core connected to memory, one or more tools, and a planner; receiving an input from a user, wherein the input includes any of a prompt from the user and a selection from a User Interface (UI); and generating, via the AI agent, an answer based on the input.
Systems and methods are disclosed for agentless monitoring of third-party applications in a software as a service (SaaS) environment. A monitoring agentless application (MAA) initiates a service instance in a cloud-based computing environment of a SaaS provider and populates the service instance with simulated resources and simulated data that emulate an authentic SaaS environment while excluding sensitive information. Access credentials are provided to a third-party application, enabling the third-party application to operate within the service instance under realistic conditions. The MAA monitors actions performed by the third-party application with respect to the simulated resources to extract behavior data, such as resource access patterns, data collection frequency, configuration changes, or network communications. The behavior data may be analyzed to detect anomalous or malicious activity, thereby enabling behavioral analysis of SaaS applications without installing agents or exposing production environments.
Systems and methods for generative User Interfaces (UIs) for Artificial Intelligence (AI) agents include operating an Artificial Intelligence (AI) agent system that includes an agent core connected to memory, one or more tools, and a planner; receiving a request from a user; and generating, via the AI agent, a response including an interactive data visualization based on the request.
Large Language Model (LLM) security includes monitoring an LLM; detecting an attack on the LLM and defining an attack type of a plurality of attack types based on the monitoring; providing a notification of the attack; and causing a defense to the attack based on the attack type. Advantageously, the security can be configured to execute between a user and the LLM, outside of the LLM. Further, the security can be configured to defend against multi-turn attacks.
Systems and methods for dynamic invocation of synthetic probes based on Real User Monitoring (RUM) agents include monitoring application performance metrics using a Real User Monitoring (RUM) agent embedded within a client application, wherein the RUM agent continuously observes and reports metrics indicative of user experience; detecting performance anomalies by analyzing application and network metrics against baseline performance thresholds established during normal operations; and initiating dynamic synthetic probes in response to the detected anomalies, wherein said synthetic probes are adaptively configured to target relevant destinations, adjust probing frequency, and utilize specific probing methods tailored to the characteristics and severity of the performance anomalies.
The present disclosure enhances domain lookalike detection by integrating a phishing risk assessment score into a multi-layered evaluation framework. The method systematically generates lookalike domains through genetic algorithms. Registered domains undergo advanced phishing analysis, incorporating domain and URL checks, technical infrastructure assessments, content inspections, and reputation-based intelligence to calculate a dynamic phishing score. A comprehensive risk score is then determined by merging phishing likelihood with business attributes, graphical/contextual similarity metrics, and domain registration patterns. Domains are categorized into predefined risk levels including phishing, registered, preventative, company-owned, or watchlist, with specific action recommendations provided for each category. The system generates prioritized alerts for high-risk domains, offering customers actionable intelligence to mitigate threats. By combining phishing-specific indicators with contextual evaluations, this solution improves detection accuracy, reduces false positives, and enables organizations to respond effectively to domain-based threats in real time, addressing evolving cybersecurity challenges.
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
39. System and method for utilizing DHCP relay to accomplish quarantining client endpoints in a ransomware protected network
A technique to stop lateral movement of ransomware between endpoints in a VLAN is disclosed. A security appliance is set as the default gateway for intra-LAN communication by overwriting the DHCP responses. Message traffic from compromised endpoints is detected. Attributes of ransomware may be detected in the message traffic, as well as attempts to circumvent the security appliance. Compromised devices may be quarantined by assigning them a default gateway of a preset blackhole IP address.
This invention provides methods and systems for seamless mobile connectivity between public and private cellular networks. The system dynamically switches user devices between networks based on location, radio signal availability, or preconfigured policies that prioritize private networks when within range. For devices with physical SIM cards, an embedded applet enables switching between operator profiles, while eSIM profiles deploy applets for selecting among multiple identities within a profile. All cellular traffic, whether on public or private networks, is routed through a cloud-based system for centralized security and policy enforcement. Network selection may be influenced by defining the private network as the Home Public Land Mobile Network (HPLMN) or by scanning available networks via applet capabilities. The system supports unified subscription, connectivity, and service management via a cloud-based portal, ensuring reliability and security across diverse network environments. This approach enhances mobility, security, and flexibility for enterprise and IoT applications.
H04W 36/14 - Reselecting a network or an air interface
H04W 8/18 - Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
H04W 48/18 - Selecting a network or a communication service
H04W 72/56 - Allocation or scheduling criteria for wireless resources based on priority criteria
H04W 76/16 - Setup of multiple wireless link connections involving different core network technologies, e.g. a packet-switched [PS] bearer in combination with a circuit-switched [CS] bearer
41.
Zero Trust Policy Engine for Controlling Access to Network Applications
Disclosed is a method for implementing a Zero Trust Architecture (ZTA) to secure network resources by eliminating lateral threat movement and minimizing attack surfaces. A zero trust policy engine, positioned inline between user devices and network resources, receives and evaluates access requests by verifying user and device identities along with context information. Based on dynamic risk scores derived from these evaluations, the engine enforces least-privileged, identity-based access policies, selectively granting access exclusively to authorized resources. Connections are terminated and re-established through secure proxy techniques, with continuous inspection of traffic for threats and data loss. Adaptive security measures, including isolation through pixel-streaming and context-aware access adjustments, further enhance protection. This architecture integrates seamlessly with cloud-based security service platforms, supporting workload-to-workload security, external entity integration, and comprehensive compliance reporting through audit trails and dashboards.
Systems and methods for implementing a service identity platform with cloud-based Public Key Infrastructure (PKI) include providing security as a service via a cloud-based system for a plurality of tenants, wherein the cloud-based system includes a plurality of components communicatively coupled and adapted to communicate with one another based on mutual Transport Layer Security (mTLS) authentication; responsive to a new component requiring deployment within the cloud-based system, performing an enrollment process for the new component; and subsequent to the enrollment process, utilizing the new component within the cloud-based system for providing security as a service.
Systems and methods for providing cloud integration usage recommendations based on real-time traffic monitoring include monitoring traffic traversing a cloud-based system, the traffic originating from one or more endpoints associated with a customer of the cloud-based system; extracting metadata from the monitored traffic; determining one or more software integration usage recommendations based on the extracted metadata; and presenting the one or more software integration usage recommendations via a portal accessible by one or more users.
G06F 15/16 - Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]
H04L 43/0876 - Network utilisation, e.g. volume of load or congestion level
44.
Divide-and-conquer prompt for LLM-based text-to-SQL conversion
Systems and methods for processing search queries are provided. A method, according to one implementation, includes a step of receiving a query from a user interface, the query including one or more questions or commands pertaining to datasets stored in a relational database. The method also includes a step of generating a prompt having instructions related to how a Large Language Model (LLM) is to handle a complex query having one or more cascading dependencies. Also, the method includes a step of providing the prompt, datasets, and query to an LLM with instructions to convert the query into Structured Query Language (SQL) code.
Systems and methods for analyzing compliance of an online service with pre-established regulations or standards are provided herein. In one example, a method includes a step of receiving a request to perform a compliance analysis on a cloud-based service to determine whether the cloud-based service complies with multiple compliance standards applicable to an environment in which the cloud-based service is intended to operate. The method further includes a step of collecting compliance controls associated with each of the multiple compliance standards. Also, the method includes a step of automatically organizing the compliance controls to reduce the number of assessment steps. The method further includes a step of enabling implementation of one or more assessment stages using the reduced number of assessment steps to determine whether the cloud-based service complies with the multiple compliance standards.
Systems and methods for anomaly detection based on endpoint and network traffic profiles include performing inline monitoring of traffic within a network of a plurality of networks via a cloud; identifying anomalous traffic within the traffic based on a network profile, wherein the network profile defines baseline network traffic parameters for the network; determining if one or more other networks of the plurality of networks exhibit traffic similar to the anomalous traffic; and performing an action based on the determining.
The disclosure presents systems and methods for hierarchical classification of input data across a plurality of categories. A machine learning model processes various data formats, starting with dimensional reduction using tokenization techniques, such as BERT-tiny tokenization, to create model-readable representations. The system predicts super-categories, sub-categories, and granular categories through selective activation of sub-layers tied to identified super-categories, optimizing computational efficiency. Label smoothing during training mitigates overconfidence in predictions, while softmax normalization refines inference outputs. Synthetic data generation using Large Language Models (LLMs) supplements training datasets, and an automated data labeling pipeline efficiently generates hierarchical labels. Modifications to the model, such as stop word removal and file size limitations, further reduce latency. Inference analyzes logits to predict hierarchical paths, providing detailed classifications with clear outputs. The method is adaptable for multimodal formats, ensuring scalable and accurate predictions across diverse data types while minimizing computational costs and improving reliability.
42 - Scientific, technological and industrial services, research and design
Goods & Services
Application service provider (ASP) featuring software for use in cybersecurity; Cloud computing featuring software for use in cybersecurity including Zero Trust Network Access for AI-driven endpoints and workflows; Computer security services, namely, restricting unauthorized access to artificial intelligence (AI)-driven endpoints and workflows; Maintenance of computer software relating to computer security and prevention of computer risks; Computer security threat analysis for protecting data; Providing temporary use of non-downloadable cloud-based software for cybersecurity including Zero Trust Network Access for AI-driven endpoints and workflows; Research in the field of artificial intelligence (AI)
49.
Detecting Phishing Websites Using Perceptual Image Hashing
Systems and methods for detecting phishing using image hashing include obtaining a plurality of images from different sources, generating a hash for each image, comparing at least one hash associated with a first image to one or more hashes associated with a second image, calculating a similarity score based on the comparing, and classifying the first image based on the similarity score.
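The hash-compare-score-classify pipeline in the abstract, as an added example that is not the patent's code: two perceptual hashes (average hash and difference hash) computed with no image library, a Hamming-distance similarity, and a classifier that labels a candidate image as a lookalike of a known brand asset when the combined score clears a threshold. The 32x32 "logo" images, the phishing copy (shifted one pixel, colour tweaked) and the unrelated gradient are constructed inline; real use would feed page screenshots or favicons scraped from the sources the abstract mentions.

```python
def to_gray(pixels):
    """Luma conversion (ITU-R BT.601 weights), rounded to an int so equal blocks hash identically."""
    return [[round(0.299 * r + 0.587 * g + 0.114 * b) for r, g, b in row] for row in pixels]


def downscale(gray, width, height):
    """Box-filter the image to width x height by averaging each block of source pixels."""
    src_h, src_w = len(gray), len(gray[0])
    out = []
    for y in range(height):
        y0, y1 = y * src_h // height, (y + 1) * src_h // height
        row = []
        for x in range(width):
            x0, x1 = x * src_w // width, (x + 1) * src_w // width
            block = [gray[yy][xx] for yy in range(y0, y1) for xx in range(x0, x1)]
            row.append(sum(block) / len(block))
        out.append(row)
    return out


def average_hash(pixels, size=8):
    """aHash: one bit per cell, set when the cell is brighter than the image mean."""
    cells = [v for row in downscale(to_gray(pixels), size, size) for v in row]
    mean = sum(cells) / len(cells)
    bits = 0
    for v in cells:
        bits = (bits << 1) | (v > mean)
    return bits


def difference_hash(pixels, size=8):
    """dHash: one bit per cell, set when the cell is brighter than its left neighbour."""
    bits = 0
    for row in downscale(to_gray(pixels), size + 1, size):
        for x in range(size):
            bits = (bits << 1) | (row[x + 1] > row[x])
    return bits


def hamming(h1, h2):
    return bin(h1 ^ h2).count("1")


def similarity(h1, h2, bits=64):
    """1.0 = identical hashes, 0.0 = every bit differs."""
    return 1 - hamming(h1, h2) / bits


def fingerprint(pixels):
    return average_hash(pixels), difference_hash(pixels)


def classify(pixels, known, threshold=0.9):
    """Return (label, score) for the most similar known brand image, or (None, score) when nothing
    reaches the threshold. The score averages the aHash and dHash similarities."""
    a, d = fingerprint(pixels)
    best_label, best_score = None, 0.0
    for label, (ka, kd) in known.items():
        score = (similarity(a, ka) + similarity(d, kd)) / 2
        if score > best_score:
            best_label, best_score = label, score
    return (best_label if best_score >= threshold else None), best_score


def make_logo(top, left, height, width, color, size=32):
    """Constructed 32x32 sample 'logo': a solid block of brand colour on white (not a real screenshot)."""
    white = (255, 255, 255)
    return [[color if top <= y < top + height and left <= x < left + width else white
             for x in range(size)] for y in range(size)]


BRAND = make_logo(8, 4, 16, 24, (30, 60, 200))       # the legitimate login-page logo
COPY = make_logo(9, 5, 16, 24, (40, 60, 190))        # phishing kit: shifted one pixel, colour tweaked
UNRELATED = [[(6 * x + 2 * y,) * 3 for x in range(32)] for y in range(32)]   # a gradient, no logo
KNOWN = {"brand": fingerprint(BRAND)}

if __name__ == "__main__":
    print("copy      ->", classify(COPY, KNOWN))
    print("unrelated ->", classify(UNRELATED, KNOWN))
```

The one-pixel shift and colour change that would defeat an exact (cryptographic) hash leave the average hash untouched and flip a single dHash bit, while the gradient matches roughly half the bits by chance, which is why the threshold sits well above 0.5.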
The present invention provides systems and methods for cellular network performance monitoring and optimization, enabling SIM-based devices to dynamically adapt to changing network conditions for improved connectivity. The invention introduces a process that includes determining baseline path performance through detailed probing of network metrics, continuously assessing current path performance via real-time monitoring, and instructing the SIM to switch from its current connected mobile network carrier to an alternate carrier when predefined performance thresholds are not met. Switching instructions are securely delivered Over-The-Air (OTA) to the SIM, ensuring seamless transitions to the most efficient and reliable network path. The system leverages both active and passive application layer observations to optimize latency, throughput, and reliability while supporting diverse applications, including IoT devices, industrial systems, and consumer devices.
H04W 36/30 - Reselection being triggered by specific parameters by measured or perceived connection quality data
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
Systems and methods for securely transferring Data Loss Prevention (DLP) incident data from a cloud-based DLP system to a tenant's cloud storage account in a multi-tenant environment include detecting a DLP incident by identifying a policy violation and generating an incident event and an associated request containing metadata and contextual information for the incident; processing the request, the processing comprising validating the tenant's configuration settings for storage access permissions and target storage details and determining routing information for the tenant's cloud storage account; and writing DLP incident data associated with the DLP incident into the tenant's public cloud storage account.
Systems and methods for providing continued access via a tenant-specific private cloud include monitoring an operation state of a cloud-based system to detect disruptions based on predefined conditions; enabling a disaster recovery mode in response to detecting a disruption in the cloud-based system; and responsive to activation of the disaster recovery mode, redirecting traffic associated with a tenant from the cloud-based system to a tenant-specific private cloud, the tenant-specific private cloud being configured to enforce tenant-specific policies and maintain access to internet, Software-as-a-Service (SaaS) applications, and private applications.
Systems and methods for generating and utilizing lookalike Uniform Resource Locators (URLs) include receiving an original target domain, the original target domain being associated with an enterprise; generating a plurality of lookalike domains via a genetic algorithm based on the original target domain and a plurality of deception methods; and utilizing the plurality of lookalike domains for performing one or more functions, wherein the one or more functions include providing a report and performing inline URL access filtering.
Systems and methods for generating and utilizing lookalike Uniform Resource Locators (URLs) include receiving an original target domain; generating a first generation of lookalike domains based on the original target domain and a plurality of deception methods; generating a penalty value for each of a plurality of lookalike domains in the first generation of lookalike domains; generating subsequent generations of lookalike domains and penalty values therefor based on penalty values associated with each of a plurality of lookalike domains in a preceding generation of lookalike domains; and repeating the steps for an N number of generations.
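The two genetic-algorithm abstracts above (deception methods, a penalty per candidate, N generations bred from the penalties of the preceding one), as one added example that is not the patent's code. The deception methods, the penalty function (a Levenshtein distance in which a homoglyph substitution costs 0.5, plus 10 for an invalid label or the original itself) and the survivor/crossover parameters are this example's own assumptions; the patent does not specify them. It works on the registrable label only, so a TLD and a registration lookup would be added downstream.

```python
import random
import re

# Single-character look-alikes used by the homoglyph deception method (assumed table).
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "g": "q", "m": "n"}
# RFC 1035 hostname label: 1-63 chars of [a-z0-9-], no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def weighted_distance(a, b):
    """Levenshtein distance where a homoglyph substitution costs 0.5 instead of 1."""
    prev = [float(j) for j in range(len(b) + 1)]
    for i, ca in enumerate(a, 1):
        cur = [float(i)]
        for j, cb in enumerate(b, 1):
            if ca == cb:
                sub = 0.0
            elif HOMOGLYPHS.get(ca) == cb or HOMOGLYPHS.get(cb) == ca:
                sub = 0.5
            else:
                sub = 1.0
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + sub))
        prev = cur
    return prev[-1]


def penalty(candidate, original):
    """Lower is more deceptive: visual edit distance, plus 10 for an unusable label or the original itself."""
    p = weighted_distance(candidate, original)
    if candidate == original:
        p += 10
    if not LABEL_RE.match(candidate):
        p += 10
    return p


# Deception methods: each takes a label and an RNG and returns one mutated label.
def homoglyph(label, rng):
    spots = [i for i, c in enumerate(label) if c in HOMOGLYPHS]
    if not spots:
        return label
    i = rng.choice(spots)
    return label[:i] + HOMOGLYPHS[label[i]] + label[i + 1:]


def omission(label, rng):
    i = rng.randrange(len(label))
    return label[:i] + label[i + 1:]


def transposition(label, rng):
    if len(label) < 2:
        return label
    i = rng.randrange(len(label) - 1)
    return label[:i] + label[i + 1] + label[i] + label[i + 2:]


def repetition(label, rng):
    i = rng.randrange(len(label))
    return label[:i + 1] + label[i] + label[i + 1:]


def hyphenation(label, rng):
    if len(label) < 2:
        return label
    i = rng.randrange(1, len(label))
    return label[:i] + "-" + label[i:]


DECEPTIONS = [homoglyph, omission, transposition, repetition, hyphenation]


def mutate(label, rng):
    return rng.choice(DECEPTIONS)(label, rng) if label else label


def crossover(a, b, rng):
    """Prefix of one parent joined to the suffix of the other."""
    shortest = min(len(a), len(b))
    cut = rng.randrange(1, shortest) if shortest > 1 else 1
    return a[:cut] + b[cut:]


def evolve(original, generations=5, population=40, survivors=10, seed=7):
    """Run the GA for N generations; return [(label, penalty)] sorted most-deceptive first."""
    rng = random.Random(seed)
    generation = [mutate(original, rng) for _ in range(population)]
    pool = set()
    for _ in range(generations):
        pool.update(generation)
        ranked = sorted(set(generation), key=lambda c: (penalty(c, original), c))
        parents = ranked[:survivors]
        generation = list(parents)                  # elitism: the best survive unchanged
        while len(generation) < population:
            if rng.random() < 0.3:
                child = crossover(rng.choice(parents), rng.choice(parents), rng)
            else:
                child = mutate(rng.choice(parents), rng)
            generation.append(child)
    pool.update(generation)
    usable = [(c, penalty(c, original)) for c in pool if c != original and LABEL_RE.match(c)]
    return sorted(usable, key=lambda t: (t[1], t[0]))


if __name__ == "__main__":
    for label, p in evolve("example")[:10]:
        print(f"{p:4.1f}  {label}.com")
```

Because the lowest-penalty candidates are bred from the lowest-penalty parents, later generations concentrate on single-edit and homoglyph variants rather than wandering further from the target, which is what an inline URL filter wants to block and a report wants to list first.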
Systems and methods for generating and utilizing lookalike Uniform Resource Locators (URLs) based on a graphical comparison include receiving an original target domain and a lookalike domain, converting the original target domain and lookalike domain into pixelated images, calculating a similarity based on the images of the original target domain and the lookalike domain, and calculating a percentage difference of the images of the original target domain and the lookalike domain.
G06V 10/75 - Organisation of the matching processes, e.g. simultaneous or sequential comparisons of image or video features; Coarse-fine approaches, e.g. multi-scale approaches; Image or video pattern matching; Proximity measures in feature spaces using context analysis; Selection of dictionaries
G06T 3/40 - Scaling of whole images or parts thereof, e.g. expanding or contracting
G06V 20/62 - Text, e.g. of license plates, overlay texts or captions on TV images
Systems and methods for determining Uniform Resource Locator (URL) similarity via Convolutional Neural Networks (CNN) include receiving an original target domain and a lookalike domain; converting the original target domain and the lookalike domain into pixelated images; calculating a similarity via a trained CNN based on the pixelated images of the original target domain and the lookalike domain; and providing a similarity score based on the similarity.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
57.
Integrating Deception-Based Attack Intelligence with External Attack Surface Management (EASM) Data
The invention provides systems and methods for integrating deception-based attack intelligence with External Attack Surface Management (EASM) vulnerability data to enhance cybersecurity threat detection and mitigation. The method collects deception data, including attack details and Common Vulnerabilities and Exposures (CVE) identifiers, or classifies attacks into Common Weakness Enumeration (CWE) categories using AI when no CVE is present. EASM tools scan external-facing assets to identify CVE-linked vulnerabilities, which are also mapped to CWE categories. A matching procedure correlates deception and EASM data by identifying CVE matches for known vulnerabilities or CWE matches for broader structural weaknesses. Alerts are generated to prioritize patching efforts and proactive defenses, ensuring actionable responses to imminent threats or systemic vulnerabilities. By automating classification, correlation, and alerting, the invention reduces manual effort, accelerates remediation, and offers a scalable solution for modern organizations to adapt to evolving cyber threats.
Anomaly detection in cloud-based systems involves predicting identity behavior using historical activity data. Historical activities and their timestamps are analyzed to determine future intervals when activity is expected. Predictions are generated using weighted historical data emphasizing recent activity, and an anomaly score quantifying risk is calculated for each future interval based on deviation from expected behavior. Inline monitoring may detect and alert administrators or trigger automated responses to unexpected identity behavior. The method includes confidence scoring based on historical validation, visualization via graphical user interfaces, and lightweight, scalable computations suitable for monitoring extensive cloud deployments, enhancing both precision and efficiency in detecting suspicious cloud activity.
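The prediction-and-scoring loop described above, as an added example that is not the patent's code: a recency-weighted hour-of-day profile (exponential half-life), the hours in which activity is expected next, an anomaly score for an observed event, and a confidence figure produced by backtesting the profile on the most recent week of history. The half-life, the 5% expectation threshold, and the six-week history of a service account running at 08:05 and 09:40 UTC on weekdays are all constructed for the illustration.

```python
from datetime import datetime, timedelta, timezone

HALF_LIFE_DAYS = 14.0     # weight of an event halves every two weeks (assumed)
MIN_PROB = 0.05           # an hour is "expected" when it carries >= 5% of the weighted activity (assumed)


def hour_profile(timestamps, now, half_life_days=HALF_LIFE_DAYS):
    """Recency-weighted share of activity per UTC hour of day (24 buckets summing to 1)."""
    weights = [0.0] * 24
    for ts in timestamps:
        age_days = (now - ts).total_seconds() / 86400
        weights[ts.hour] += 0.5 ** (age_days / half_life_days)
    total = sum(weights)
    if total == 0:
        return [1 / 24] * 24          # no history: nothing is expected, nothing is anomalous
    return [w / total for w in weights]


def expected_hours(profile, min_prob=MIN_PROB):
    """Future intervals (hours of day) in which activity is expected."""
    return [h for h, p in enumerate(profile) if p >= min_prob]


def anomaly_score(profile, ts):
    """0.0 = the identity's busiest hour, 1.0 = an hour with no history at all."""
    return 1 - profile[ts.hour] / max(profile)


def confidence(timestamps, now, holdout_days=7):
    """Backtest: profile the older history, then measure the fraction of the most recent
    `holdout_days` of events that fell inside the hours that profile predicted."""
    cutoff = now - timedelta(days=holdout_days)
    train = [t for t in timestamps if t < cutoff]
    test = [t for t in timestamps if t >= cutoff]
    if not train or not test:
        return 0.0
    predicted = set(expected_hours(hour_profile(train, cutoff)))
    return sum(1 for t in test if t.hour in predicted) / len(test)


def assess(timestamps, now, event_ts):
    """Evaluate one observed event against the identity's history."""
    profile = hour_profile(timestamps, now)
    return {
        "expected_hours": expected_hours(profile),
        "anomaly_score": round(anomaly_score(profile, event_ts), 3),
        "confidence": round(confidence(timestamps, now), 3),
    }


# Constructed history (not real telemetry): a service account that runs every weekday at
# 08:05 and 09:40 UTC for the six weeks before NOW (a Monday).
NOW = datetime(2024, 3, 18, 12, 0, tzinfo=timezone.utc)
HISTORY = []
for _day in range(1, 43):
    _d = NOW - timedelta(days=_day)
    if _d.weekday() < 5:
        HISTORY.append(_d.replace(hour=8, minute=5))
        HISTORY.append(_d.replace(hour=9, minute=40))

if __name__ == "__main__":
    print("09:30 run ->", assess(HISTORY, NOW, NOW.replace(hour=9, minute=30)))
    print("03:15 run ->", assess(HISTORY, NOW, NOW.replace(hour=3, minute=15)))
```

The computation is a handful of additions per event and 24 floats per identity, which is what makes it cheap enough to run inline across a large tenant base; the score alone says an event is unusual, the backtested confidence says how much the prediction deserves to be trusted before it triggers an automated response.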
Systems and methods for uniquely labeling egress traffic from Secure Service Edge (SSE) platforms include intercepting traffic at a cloud, wherein the traffic is associated with a tenant of one or more tenants of the cloud, and wherein the traffic is destined for an application; labeling the traffic with an egress Internet Protocol (IP) address and a unique hash value; and forwarding the traffic including the egress IP address and the unique hash value to the application. The unique hash value is unique to the tenant and identifiable by the application for determining the tenant of the one or more tenants based thereon.
Systems and methods for a cloud environment configuration Artificial Intelligence (AI) assistant include receiving a query from a user associated with an enterprise in natural language, the query being associated with one or more configurations within a cloud environment of the enterprise; processing the query via one or more Large Language Models (LLMs); and providing a response to the query, wherein the response comprises data associated with the one or more configurations based on the query and a feedback mechanism for obtaining feedback from the user based on the response.
Systems and methods for memory surge protection for application segmentation models include obtaining log data for a plurality of users of an enterprise where the log data relates to usage of a plurality of applications by the plurality of users and user metadata; determining a memory usage estimation based on the log data; determining i) app-segments that are groupings of application of the plurality of applications and ii) user-groups that are groupings of users of the plurality of users, based on the log data and the memory usage estimation; and providing access policy of the plurality of applications based on the user-groups and the app-segments.
Systems and methods for Configuration Management Database (CMDB) based application segmentation include obtaining transactional data for a plurality of users of an enterprise, wherein the transactional data relates to usage of a plurality of applications by the plurality of users; obtaining Configuration Management Database (CMDB) data of the enterprise, wherein the CMDB data includes information about hardware and software assets of the enterprise; matching application information within the transactional data and the CMDB data; and generating one or more application segments based on the matching.
Systems and methods for generating location-based application segments include obtaining transactional data for a plurality of users of an enterprise, wherein the transactional data relates to usage of a plurality of applications by the plurality of users; obtaining location data associated with the plurality of applications; and generating one or more application segments based on the transactional data and the location data. In various embodiments, the location data can be leveraged to alter various application segmentation factor thresholds for adapting the likelihood of applications to be grouped together.
Systems and methods for a Hypertext Transfer Protocol Secure (HTTPS) proxy service include monitoring traffic via a cloud, the traffic being monitored inline between one or more endpoints and one or more destinations; performing a mutual TLS (mTLS) handshake with an endpoint of the one or more endpoints based on a request to a destination of the one or more destinations; deriving endpoint information based on the mTLS handshake; and performing one or more actions on the request based on the endpoint information.
Systems and methods for detecting and fixing collisions in Artificial Intelligence (AI) agents include, responsive to obtaining a plurality of tuples in a Retrieval-Augmented Generation (RAG) system with each tuple including a first value and a second value, generating a plurality of different first values from a corresponding first value where the plurality of different first values are similar to the corresponding first value; determining top-k, k is an integer greater than or equal to one, matches for the plurality of different first values to the second values in the RAG system; determining a confusion matrix based on the top-k matches; and utilizing the confusion matrix to debug the RAG system.
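The tuple-perturbation and confusion-matrix procedure above, as an added example that is not the patent's code: each stored (question, answer) tuple's first value is rephrased by synonym swaps and token drops, each rephrasing is retrieved against the index, and the retrievals are tallied into a matrix whose off-diagonal cells are the collisions. The three help-desk tuples, the synonym table, and the use of token Jaccard overlap in place of an embedding similarity are this example's own assumptions.

```python
import re

STOPWORDS = {"how", "do", "i", "the", "my", "a", "to", "what", "is"}
# Toy paraphrase table used to generate "similar" first values (constructed for the example).
SYNONYMS = {
    "reset": ["change", "recover"],
    "password": ["passphrase", "credentials"],
    "vpn": ["remote access"],
    "wifi": ["wireless", "wi-fi"],
}

# Constructed RAG tuples: first value = question key, second value = stored answer.
INDEX = [
    ("How do I reset my password", "Use the self-service portal at /reset."),
    ("How do I reset my VPN password", "Open a ticket with the network team; VPN credentials are separate."),
    ("What is the office wifi name", "CorpNet-Secure"),
]


def tokens(text):
    return [t for t in re.findall(r"[a-z0-9-]+", text.lower()) if t not in STOPWORDS]


def variants(question):
    """Similar first values: one synonym swap or one dropped token per variant."""
    toks = tokens(question)
    out = set()
    for i, t in enumerate(toks):
        for s in SYNONYMS.get(t, []):
            out.add(" ".join(toks[:i] + [s] + toks[i + 1:]))
        if len(toks) > 1:
            out.add(" ".join(toks[:i] + toks[i + 1:]))
    return sorted(out)


def jaccard(a, b):
    a, b = set(a), set(b)
    return len(a & b) / len(a | b) if a | b else 0.0


def top_k(query, index, k):
    """Indices of the k best-matching first values (lexical Jaccard stands in for the vector search)."""
    q = tokens(query)
    ranked = sorted(range(len(index)), key=lambda j: (-jaccard(q, tokens(index[j][0])), j))
    return ranked[:k]


def confusion_matrix(index, k=1):
    """m[i][j] = how often a variant of tuple i retrieved tuple j within its top-k."""
    n = len(index)
    m = [[0] * n for _ in range(n)]
    for i, (question, _) in enumerate(index):
        for v in variants(question):
            for j in top_k(v, index, k):
                m[i][j] += 1
    return m


def collisions(m, index):
    """Off-diagonal hits: (source question, question it was confused with, count)."""
    return [(index[i][0], index[j][0], m[i][j])
            for i in range(len(m)) for j in range(len(m)) if i != j and m[i][j]]


def distinguishing_tokens(index, i, j):
    """Tokens present in exactly one of two colliding keys: the fix is to make the weaker key
    mention (or explicitly exclude) these so the two answers stop competing."""
    return set(tokens(index[i][0])) ^ set(tokens(index[j][0]))


if __name__ == "__main__":
    m = confusion_matrix(INDEX)
    for row in m:
        print(row)
    keys = [q for q, _ in INDEX]
    for src, hit, n in collisions(m, INDEX):
        i, j = keys.index(src), keys.index(hit)
        print(f"{n}x: '{src}' -> '{hit}', keys differ only by {distinguishing_tokens(INDEX, i, j)}")
```

On the constructed index, two of the eight rephrasings of the VPN question retrieve the generic password answer, and the matrix pins the cause to the single token "vpn": the generic key needs a qualifier (or the two answers need merging) before an agent can be trusted to hand out the right procedure.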
Systems and methods include obtaining application data for a plurality of applications of an enterprise, wherein the application data relates to applications present in an enterprise's network; obtaining log data for a plurality of users of the enterprise, where the log data relates to usage of the plurality of applications by the plurality of users; determining i) app-segments that are groupings of applications of the plurality of applications and ii) user-groups that are groupings of users of the plurality of users; and providing access policy of the plurality of applications based on the user-groups and the app-segments.
Systems and methods for generating and utilizing synthetic data include receiving a set of real network traffic data; generating synthetic data from the received set of real network traffic data based on patterns learned from the set of real network traffic data; and utilizing the synthetic data for any of training a machine learning model, testing a machine learning model, and configuring a customer cloud environment. The systems are adapted to generate a large amount of synthetic data from a limited set of real network traffic data. The produced synthetic data is altered in one or more ways to anonymize sensitive information present in the real data. Therefore, the systems are adapted to generate a large amount of synthetic data which accurately resembles real network traffic data while complying with data privacy practices.
Systems and methods for active directory protection in zero trust networks. In an embodiment, steps include performing inline monitoring of traffic associated with a cloud-based system; detecting one or more active directory protocols based on the inline monitoring; classifying the traffic as being associated with any of the one or more active directory protocols; inspecting the traffic associated with the one or more detected active directory protocols; and generating one or more active directory logs based on the inspecting and classifying.
H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]
69.
Active Directory Security Enforcement and Threat Insights on Zero Trust Networks
Systems and methods for active directory security enforcement and threat insights on zero trust networks include performing inline monitoring of traffic associated with a plurality of tenants of a cloud-based system; classifying the traffic as being associated with any of one or more active directory protocols; inspecting the traffic associated with the one or more detected active directory protocols; and performing one or more actions on the traffic based on the inspecting.
Systems and methods for cloud-centric biometric step-up and authentication include monitoring traffic from one or more endpoints via a cloud service; determining a requirement for authentication of a user associated with the traffic based on the monitoring; causing a computing device associated with the user and the traffic to capture a photograph of the user; and processing the photograph to confirm an identity of the user. In various embodiments, the capturing of the photograph is performed by a computing device associated with the user, wherein the processing of the photograph is performed by the cloud service for identification of the user.
A method for inspecting encrypted network traffic in a cloud-based security system is provided. A node receives a request from a user device targeting a server and obtains a domain certificate corresponding to the server. The method establishes a first encrypted tunnel between the user device and the node, and a second encrypted tunnel between the node and the server using the obtained certificate. The encrypted traffic flowing between the user device and the server is inspected at the node. The method leverages a cloud-based hardware security module (HSM) to securely generate and store intermediate certificate authority keys compliant with FIPS 140-2 Level 3 standards, facilitating secure man-in-the-middle (MITM) inspection. The method also enables caching and synchronization of domain certificates across distributed nodes, providing scalable and secure traffic monitoring.
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
Systems and methods for inline HTTP cookie encryption include, responsive to a user authenticating to a web service, intercepting a response from the web service; encrypting an HTTP cookie in the response; and forwarding the response to the user, the response comprising the encrypted HTTP cookie. Responsive to intercepting a subsequent request from the user to the web service, wherein the subsequent request includes the encrypted HTTP cookie: decrypting the encrypted HTTP cookie; and forwarding the subsequent request to the web service with the decrypted HTTP cookie.
Systems and methods for endpoint application metadata based policy enforcement include monitoring traffic via a cloud, the traffic being monitored inline between one or more endpoints and one or more destinations; identifying, within a request from an endpoint, endpoint process metadata associated with an endpoint process used to make the request; processing the endpoint process metadata; and performing one or more actions on the request based on the processing. The endpoint process metadata can be collected by a connector application executing on the one or more endpoints, and forwarded to the cloud in-band therefrom.
Systems and methods for deploying independent pipelines in a cloud-based system include providing a service to a plurality of customers via a cloud-based system, wherein the service is adapted to receive requests and provide an output to perform a function for the plurality of customers; deploying one or more Independent Pipelines (IPs), wherein each of the one or more IPs comprises an instance of the service, and wherein the one or more IPs are independent of one another; feeding real production data through the service and each of the one or more IPs; and using an output from one of the service or any of the one or more IPs to perform the function of the service for the plurality of customers.
Systems and methods are provided for quantifying and visualizing an organization's risk, the systems and methods including detecting one or more cybersecurity risk factors associated with an organization to determine a risk posture of the organization, wherein the one or more cybersecurity risk factors include vulnerabilities of Customer-Premises Equipment (CPE) devices associated with employees of the organization; quantifying a risk score of the organization based on the one or more cybersecurity risk factors, wherein the risk score contextualizes a security posture of a network associated with the organization; and communicating display information to a user device associated with the organization, the display information including at least the one or more cybersecurity risk factors, one or more remediation recommendations, and the risk score.
Systems and methods include performing inline monitoring of traffic within a network environment; requesting a Uniform Resource Identifier (URI) associated with a request within the traffic; responsive to receiving a URI in a response, identifying one or more similar URIs, the one or more similar URIs being associated with known legitimate network traffic; and determining if the request is one of benign or malicious based on a comparison between the received URI and the one or more similar URIs.
Systems and methods for hyper-customized customer defined machine learning models include providing a first set of data obtained based on monitoring a plurality of endpoints by a service provider, wherein the plurality of endpoints are associated with a customer, and wherein the first set of data includes an index; responsive to the customer wanting to create a user-defined machine learning model, receiving a second set of data that maps to a subset of the first set of data based on the index, wherein the second set of data is maintained private from the service provider; receiving a metric from the customer for accepting criteria of the user-defined machine learning model; and determining the user-defined machine learning model based on the first set of data, the second set of data, and the metric.
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
78.
Systems and methods for centralized management of a plurality of cloud services of a cloud-based system
Systems and methods for managing a plurality of cloud services of a cloud-based system include receiving a request from a client associated with a cloud-based system, wherein the request is to perform one or more actions associated with the cloud-based system; determining if the client is allowed to perform the one or more actions based on a scope associated with the client; and routing the request to one or more services of the cloud-based system based on the determining. The systems can automatically determine the one or more services of the cloud-based system associated with the request; and route the request to the one or more services of the cloud-based system based thereon.
A method for automatically generating network communication policies employs unsupervised machine learning on unlabeled network data representing communications between applications on multiple computer systems. This approach uniquely derives policy rules without predefined labels or user-defined communication categories, ensuring automated rules complement existing user-generated policies by excluding them during training. The method validates network interactions by enforcing rules that leverage application fingerprints and identified feature clusters to distinguish permitted from prohibited communications. Additional techniques include dynamically adapting policies, utilizing decision trees, frequent itemset discovery, and evolutionary algorithms. Suspicious applications are flagged, and malicious data is excluded from training. The system uses aggregated flows, MapReduce processing, and simulated annealing optimization, providing human-readable, periodically retrained rules for balanced network security management.
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
Systems and methods for enforcing tag-based policy on dynamic workloads include monitoring, via a cloud-based system, traffic associated with one or more customers of the cloud-based system; receiving a packet from a workload associated with a customer of the one or more customers; performing a tag lookup at one or more nodes of the cloud-based system based on the packet; and enforcing one or more policies based on the tag lookup. Based on no tags being found for the workload during the tag lookup at the one or more nodes, the nodes are adapted to drop the packet; query one or more cloud connectors for workload information; and receive, in a next packet, all tags and a version associated with the workload.
Inline Multimodal Data Loss Protection (DLP) includes training one or more machine learning models for classifying input data into categories of a plurality of categories; performing one or more modifications to the one or more machine learning models, wherein the one or more modifications reduce latency associated with the one or more machine learning models; receiving an input comprising data in any of a plurality of formats; processing the input to classify the input into a category of a plurality of categories; and providing an indication of the category of the plurality of categories. Advantageously, by performing the various modifications to the one or more models, the systems can accurately classify data inline with minimal latency.
Systems and methods for Data Loss Protection (DLP) utilizing distilled models include receiving a plurality of general data predictions from a teacher model; determining one or more strengths of the teacher model based on the received general data predictions; generating a synthetic dataset based on the one or more strengths of the teacher model; providing the synthetic dataset to the teacher model and receiving a plurality of synthetic data predictions from the teacher model based thereon; and performing knowledge distillation on a student model based on the synthetic data predictions received from the teacher model to produce a distilled model. The distilled model is then used in production for classifying inputs to a DLP system.
Multimodal Data Loss Protection (DLP) includes receiving an input comprising data in any of a plurality of formats; processing the input to determine whether or not the data includes sensitive data; and responsive to the input including sensitive data, performing steps of: processing the input to classify the input into a category of a plurality of categories; and providing an indication of the category of the plurality of categories. Advantageously, the trained multimodal system can detect categories of data being accessed, transferred, etc., without the requirement of up-front dictionaries from corporate Information Technology (IT).
Systems and methods for enforcing policy based on assigned user risk scores in a cloud-based system. Various methods include receiving a request to access a resource; determining whether a user associated with the request is allowed to access the resource, wherein the determining is based on a risk score of the user; and responsive to the user being permitted to access the resource, stitching together a connection between a cloud-based system, the resource, and the device to provide access to the resource.
Systems and methods for structural similarity based hash for sample identification and detection include monitoring traffic associated with a cloud-based system; identifying a unique file within the traffic and computing a Structural Similarity Hash (SSHash) for the file, wherein the SSHash is based on auxiliary information and a complexity of the file; identifying one or more similar files based on the SSHash; and defining the file as belonging to one or more groups based on the one or more similar files.
Systems and methods for next generation artificial intelligence agents include operating an Artificial Intelligence (AI) agent system that includes an agent core connected to memory, one or more tools, and a planner; receiving a request from a user; utilizing the planner to break the request down into a plurality of sub-parts that are each individually simpler than the request; and generating an answer to the request using the plurality of sub-parts with the memory and the one or more tools.
Systems and methods for browser isolation with Graphics Processing Unit (GPU) forking include initializing a plurality of virtual GPU instances within one or more servers of a cloud-based system; receiving a rendering request from a client device; analyzing the rendering request and determining a workload distribution across the plurality of virtual GPU instances based on the analyzing; executing rendering tasks across the plurality of virtual GPU instances and generating rendering instructions; and pushing the rendering instructions to the client device.
Systems and methods for detailed cloud posture remediation recommendations utilizing custom Large Language Models (LLMs). The present systems and methods are configured to perform the steps of scanning a cloud environment for posture control data; generating one or more alerts related to any of risky configurations and risky activities associated with the cloud environment; generating one or more remediation recommendations based on the one or more alerts; and providing the one or more alerts and the one or more remediation recommendations to administrators of the cloud environment.
Systems and methods for cloud security system assistance utilizing custom Large Language Models (LLMs) include providing a cloud-based security solution for an enterprise via a cloud-based system; displaying a User Interface (UI) associated with the cloud-based security solution having a chatbot, wherein the chatbot is configured to allow a user associated with the enterprise to enter a question; and responsive to receiving a question from a user via the chatbot, generating a detailed response to the question via a custom LLM, wherein the custom LLM is trained to provide assistance to users of the cloud-based security solution.
H04L 51/02 - User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail using automatic reactions or user delegation, e.g. automatic replies or chatbot-generated messages
90.
Cloud-Based Data Security Posture Management (DSPM)
Tummalapalli, Lokanadha Venkata Rama Chandra Sai Kishore
Bhallamudi, Arun
Vivekanandan, Shankar
Tangudu, Sreekanth
Paul, Narinder
Abstract
Systems and methods include discovering and classifying any of data discovered by inline cloud inspection, data stored across one or more cloud services, and data stored across one or more endpoints; continuously monitoring access to and usage of classified data, wherein the monitoring is performed in real-time and includes analyzing data access patterns, user behaviors, and application interactions; evaluating a security posture of the classified data by identifying misconfigurations, compliance violations, excessive permissions, and vulnerabilities; and enforcing one or more security policies based on the evaluated security posture.
Systems and methods for automated certificate generation and management inside zero trust private networks. Various methods include monitoring access to one or more private applications; responsive to identifying a request to access an application of the one or more private applications, generating a certificate; providing the generated certificate to a broker; and utilizing the generated certificate to provide access to the application by stitching together a connection between a user and the application.
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
92.
Systems and methods for visualizing security coverage based on MITRE ATT&CK framework
Systems and methods for visualizing security coverage based on MITRE ATT&CK framework include obtaining cybersecurity monitoring data for an organization where the cybersecurity monitoring data is from a plurality of sources including from cybersecurity monitoring of a cloud environment associated with the organization; providing an interactive User Interface (UI), wherein the UI overlays a catalog of known malicious tactics with the cybersecurity monitoring data; and responsive to one or more selections within the UI, providing information related to coverage of one or more threat techniques.
Systems and methods for operating a scanning system, implemented either on-premises or in a cloud-based service, for crawling and analyzing files stored in one or more data repositories. The scanning system includes a controller, a message broker, and a distributed pool of workers, and, in one embodiment, a method includes receiving, by the controller, policy and configuration data associated with at least one organization; generating, by the controller, job assignments corresponding to files to be analyzed according to the received policy and configuration data; publishing the job assignments to the message broker for parallel distribution among the distributed pool of workers; retrieving and scanning, by at least one worker, the files from the one or more data repositories in accordance with the assigned job; and executing, where required by the policy and configuration data, at least one policy-based action on the files within the data repositories.
Systems and methods for updating a security agent installed on a computing device without requiring a scheduled software update window include steps of receiving a digitally signed script from a remote server, wherein the security agent includes an embedded interpreter configured to execute script-based instructions; verifying a digital signature of the digitally signed script using a public key embedded in the security agent; and executing the digitally signed script via the embedded interpreter at runtime to modify functionality of the security agent without recompiling or reinstalling compiled code.
Systems and methods for utilizing small-sized Large Language Models (LLMs) for performing domain classification include, responsive to training one or more machine learning models for performing classification of domains, wherein the training includes performing one or more optimizations to the one or more machine learning models: receiving a domain; obtaining data associated with the domain, including log data from a cloud-based system that performs monitoring of a plurality of users; and analyzing the domain via the one or more trained machine learning models for classifying the domain.
Systems and methods for training a machine learning model for malware detection include steps of collecting a training dataset comprising a plurality of malicious files and a plurality of benign files from one or more sources; extracting features from each file in the training dataset, wherein the features include at least one of n-gram features, entropy features, or domain features; labeling each file in the training dataset as malicious or benign based on a predefined criterion; and applying a supervised machine learning technique to learn patterns in the extracted features and generate a trained machine learning model configured to predict whether a file is malicious or benign based on an incremental packet-based analysis.
A method of providing cloud-based security services includes receiving, at one or more distributed processing nodes in a cloud-based system, network traffic from a plurality of endpoints associated with at least one tenant; applying, by each distributed processing node, at least one cloud-based security inspection function configured to detect threats or enforce policy controls in the received network traffic; determining, via a policy engine, whether to block, allow, or further analyze the network traffic based on per-tenant security policies; logging, in a cloud-based logging repository, inspection results, policy decisions, and rule matches for subsequent reporting and analytics; and updating the security inspection function at the distributed processing nodes, in real time, with newly discovered threat signatures and policy changes to provide continuous protection across the cloud-based system.
Systems and methods for directing and enforcing zero trust control on requests to destination services. In various embodiments, steps include receiving a request from a user to access a destination service; directing the request to a control layer; enforcing one or more controls, via the control layer, on the request based on a configuration provided by an owner of the destination service; and providing access to the destination service to the user based on the one or more controls.
Systems and methods for active exposure and unwanted connection protection. In various embodiments, steps include receiving a request from a user to access a destination service; directing the request to a control layer; enforcing one or more controls, via the control layer, on the request based on a configuration provided by an owner of the destination service; and creating a connection from the destination service to the control layer based on the one or more controls, thereby providing access to the destination service without exposing the destination service to a direct connection.
Systems and methods for abnormal Classless Inter-Domain Routing (CIDR) access detection. The present systems and methods are configured to perform the steps of scanning one or more security groups associated with a cloud environment; assigning a score to one or more CIDR groups within the one or more security groups; and providing one or more suggested actions based on the score of the one or more CIDR groups.