Patents Assigned to Fortinet, Inc.
  • Publication number: 20240070267
    Abstract: Systems and methods for detecting malicious behavior in a network by analyzing process interaction ratios (PIRs) are provided. According to one embodiment, information regarding historical process activity is maintained. The historical process activity includes information regarding various processes hosted by computing devices of a private network. Information regarding process activity within the private network is received for a current observation period. For each process, for each testing time period of a number of testing time periods within the current observation period, a PIR is determined based on (i) a number of unique computing devices that hosted the process and (ii) a number of unique users that executed the process. A particular process is identified as potentially malicious when a measure of deviation of the PIR of the particular process from a historical PIR mean of the particular process exceeds a pre-defined or configurable threshold during a testing time period.
    Type: Application
    Filed: October 31, 2023
    Publication date: February 29, 2024
    Applicant: Fortinet, Inc.
    Inventors: Ernest Mugambi, Partha Bhattacharya, Gun Sumlut
  • Patent number: 11916902
    Abstract: Various approaches for securing networks against access from off network devices. In some cases, embodiments discussed relate to systems and methods for identifying potential threats included in a remote network by a network access device prior to requesting access to a known secure network via the remote network.
    Type: Grant
    Filed: February 25, 2021
    Date of Patent: February 27, 2024
    Assignee: Fortinet, Inc.
    Inventor: Emilio Borbolla Galindo
  • Patent number: 11907069
    Abstract: In network devices, during manufacturing, input for designation of a region code to be a non-specific region code is stored in a BIOS memory of the network device, and a specific region code is stored off the BIOS. During boot up, the BIOS is checked for a specific region code to regulate wireless transmissions at a physical location of operation. Responsive to receiving the non-specific region code from BIOS, the specific region code is requested from a region code server based on a network device identifier. Once received, the region code is stored in flash memory, until rebooted or otherwise reset, rather than BIOS.
    Type: Grant
    Filed: December 9, 2020
    Date of Patent: February 20, 2024
    Assignee: Fortinet, Inc.
    Inventors: Yong Zhang, Peter Yongchun Liu, Koroush Akhavan-Saraf, Xin Wang, Andrew Q Ji, Ben Wilson
  • Patent number: 11909826
    Abstract: Various embodiments provide systems and methods for automatically defining and enforcing network sessions based upon at least four dimensions of segmentation.
    Type: Grant
    Filed: November 3, 2022
    Date of Patent: February 20, 2024
    Assignee: Fortinet, Inc.
    Inventor: Robert A. May
  • Patent number: 11909761
    Abstract: Systems and methods for mitigating the impact of malware by reversing malware related modifications in a computing device are provided. According to an embodiment, a sandbox service running within a network security platform protecting an enterprise network receives a file containing malware and associated contextual information from an endpoint security solution running on an endpoint device, which has been infected by the malware. The sandbox service captures information regarding a first series of actions performed by the malware and based on the first series of actions generates a remediation script specifying a second series of actions that are configured to restore the endpoint device to a pre-infected state. The network security platform causes the endpoint device to be returned to the pre-infected state by causing the endpoint security solution to execute the remediation script on the endpoint device.
    Type: Grant
    Filed: February 2, 2022
    Date of Patent: February 20, 2024
    Assignee: Fortinet, Inc.
    Inventors: Udi Yavo, Roy Katmor, Ido Kelson
  • Patent number: 11902230
    Abstract: A change on a chat client, such as one or more edits or retractions, is characterized relative to an original chat string, and uploaded to a chat server for storage. The chat server combines the message change with at least a second change to the specific chat string uploaded from a different chat client. Responsive to a regeneration of the chat string on the chat client, the chat daemon downloads the combined message change from the chat server. The edits and retractions originating from the chat client and the edits and retractions originating from the second chat client are downloaded and applied to the specific chat string for display in the chat client.
    Type: Grant
    Filed: September 30, 2022
    Date of Patent: February 13, 2024
    Assignee: Fortinet, Inc.
    Inventor: Teng Teng
  • Publication number: 20240048564
    Abstract: Systems, devices, and methods are discussed for forward testing rule sets at a granularity that is less than all activity on the network. In some cases, the granularity is that of an individual application.
    Type: Application
    Filed: August 4, 2023
    Publication date: February 8, 2024
    Applicant: Fortinet, Inc.
    Inventors: Rajiv Sreedhar, Manuel Nedbal, Manoj Ahluwalia, Damodar K. Hegde, Jitendra B. Gaitonde, Suresh Rajanna, Mark Lubeck, Gary Nool
  • Patent number: 11894981
    Abstract: Various approaches are discussed for generation of SOAR playbooks using a variety of playbook sources.
    Type: Grant
    Filed: September 1, 2022
    Date of Patent: February 6, 2024
    Assignee: Fortinet, Inc.
    Inventors: BK Bharathram, Abhishek Narula, Pooja Singh
  • Patent number: 11881053
    Abstract: Various systems and methods for clustering facial images in, for example, surveillance systems.
    Type: Grant
    Filed: November 3, 2022
    Date of Patent: January 23, 2024
    Assignee: Fortinet, Inc.
    Inventor: Xihua Dong
  • Patent number: 11882467
    Abstract: Specific clients are assigned to a second access point based on balancing an Ethernet uplink load status of the specific access point relative to the uplink load status of access points across a WLAN system, wherein the RSSI strength of the specific client relative to a first access point is higher than the RSSI strength of the specific client relative to the second access point.
    Type: Grant
    Filed: March 30, 2021
    Date of Patent: January 23, 2024
    Assignee: Fortinet, Inc.
    Inventors: Srinivasa Subbarao Neeli, Sudheer Nagurla
  • Patent number: 11882135
    Abstract: Systems and methods for a machine-learning based approach for dynamically generating incident-specific playbooks for a security orchestration and automated response (SOAR) platform are provided. The SOAR platform captures information regarding execution of a sequence of actions performed by analysts responsive to a first incident of a first type. The captured information is fed into a machine-learning model. When a second incident, observed by the SOAR platform, is similar in nature to the first incident or the first type, a recommended sequence of actions is generated based on the machine-learning model for use by an analyst in connection with responding to the second incident. In response to rejection of the recommended sequence by the analyst, the recommended sequence is revised based on input provided by the analyst and the revised recommendation sequence is stored in a form of a revised playbook for response to subsequent incidents that are similar to the second incident.
    Type: Grant
    Filed: January 5, 2023
    Date of Patent: January 23, 2024
    Assignee: Fortinet, Inc.
    Inventors: Abhishek Narula, Christopher Carsey, Amit Jain, Pooja Singh
  • Patent number: 11882128
    Abstract: Systems and methods are described for synergistically combining network security technologies to improve incident classification and enrichment. According to one embodiment, an endpoint protection platform running on an endpoint device receives a request via an event management agent of the endpoint protection platform from an event management service for process information relating to an incident detected by the event management service. The request is caused to be processed by an endpoint detection and response (EDR) service by transmitting the request to an EDR agent of the endpoint protection platform corresponding to the EDR service. A response to the request is received from the EDR service via the EDR agent. The response includes the process information. Enrichment of an alert generated by the event management service based on the process information is facilitated by transmitting the response to the event management service via the event management agent.
    Type: Grant
    Filed: September 17, 2020
    Date of Patent: January 23, 2024
    Assignee: Fortinet, Inc.
    Inventors: Udi Yavo, Roy Katmor, Ido Kelson
  • Patent number: 11874845
    Abstract: Systems and methods for a cloud state engine are provided. According to one embodiment, a query pertaining to state information associated with a packet to be processed by a first packet processing device of multiple packet processing devices associated with a distributed security environment is received by a centralized state engine running on a computing device associated with the distributed security environment. The state information associated with the packet influences how the packet is to be processed by the first packet processing device. Responsive to the query, the state information is identified by the centralized state engine by processing the received query with reference to a state database containing state information for multiple packets. The identified state information is provided to the first packet processing device by generating a response to the query containing the identified state information.
    Type: Grant
    Filed: June 28, 2017
    Date of Patent: January 16, 2024
    Assignee: Fortinet, Inc.
    Inventor: Thorsten Jäger
  • Publication number: 20240015181
    Abstract: Systems, devices, and methods are discussed for mitigating security threats due to web-domain characteristic changes.
    Type: Application
    Filed: July 7, 2022
    Publication date: January 11, 2024
    Applicant: Fortinet, Inc.
    Inventor: Jochen Pretli
  • Publication number: 20240015139
    Abstract: Systems, devices, and methods are discussed for avoiding data thefts in real-time transactions.
    Type: Application
    Filed: July 7, 2022
    Publication date: January 11, 2024
    Applicant: Fortinet, Inc.
    Inventor: Jochen Pretli
  • Patent number: 11870607
    Abstract: Systems and methods for detecting physical loops in both native and non-native VLANs are provided. According to one embodiment, a processing resource of a network switch detects a physical loop in a non-native Virtual Local Area Network (VLAN) by configuring a set of one or more network chips (e.g., an ASIC) associated with an interface associated with the non-native VLAN of multiple interfaces of the network switch to provide an indication (e.g., a Media Access Control (MAC) address or a packet) regarding a MAC move event detected on the interface. Responsive to receipt of the indication, it is determined whether a number of MAC move events for the interface meets an event count threshold within each unit of time (e.g., one or more seconds) of multiple consecutive units of time. When the determination is affirmative, the existence of the physical loop is identified.
    Type: Grant
    Filed: December 31, 2020
    Date of Patent: January 9, 2024
    Assignee: Fortinet, Inc.
    Inventor: Wayming D. Tai
  • Patent number: 11870814
    Abstract: Systems and methods for a unified, cloud-managed platform for controlling enterprise network security are provided. According to one embodiment, a network of an enterprise is protected by a cloud-managed platform. An underlying architecture of the cloud-managed platform is abstracted by providing a portal through which modifications to security policies are expressed as business requirements of the enterprise. The security policies are automatically enforced regardless of location or endpoint. A policy digest, including information regarding the modifications and formatted according to a predefined format, generated and locally queued by the portal is retrieved.
    Type: Grant
    Filed: December 2, 2021
    Date of Patent: January 9, 2024
    Assignee: Fortinet, Inc.
    Inventors: Anurag Jain, Kenneth Ammon, Thomas Cross, Michael C. Starr
  • Patent number: 11870693
    Abstract: Systems and methods for efficient kernel space packet processing and IoT device classification are provided. According to an embodiment, a computer system receives a packet in kernel space and ascertains whether the packet is destined for the computer system; when the ascertaining is affirmative, the packet is forwarded to user space; otherwise, it is determined whether the packet is associated with a protocol used by IoT devices. When the determination is affirmative, header information is extracted from the packet, and subsequent IoT device detection processing is facilitated by sending the header information to the user space. The same or a separate computer system may perform the IoT device detection processing based on the header information by, for each identified TCP or UDP flow: creating a variable-length feature set; and inferring whether the TCP or UDP flow represents an IoT device or a non-IoT device communication by applying an ML model.
    Type: Grant
    Filed: December 31, 2020
    Date of Patent: January 9, 2024
    Assignee: Fortinet, Inc.
    Inventors: Sameer T. Khanna, Xiaoguang Liu, Jianwen Zhang
  • Publication number: 20240007438
    Abstract: Systems, devices, and methods are discussed for treating a number of network security devices in a cooperative security fabric using a cloud based root.
    Type: Application
    Filed: July 4, 2022
    Publication date: January 4, 2024
    Applicant: Fortinet, Inc.
    Inventor: Robert A. May
  • Patent number: 11863344
    Abstract: An orchestrator ensures the best available vehicle communication technology is selected. In the computer architecture, the orchestrator is injected on the data bus line and is also coupled to a plurality of independent silos of vehicle communication technologies for autonomous driving vehicle technologies. Real-time accurate strength signals associated with the plurality of independent silos are received. One of the independent silos of communication is selected for rerouting the data transfer, based on a type of data involved in the data transfer, and based on a best available of the plurality of independent silos for the data transfer type. The data transfer is directed over the selected independent silo that is the best available.
    Type: Grant
    Filed: December 31, 2020
    Date of Patent: January 2, 2024
    Assignee: Fortinet, Inc.
    Inventor: Hector Agustin Cozzetti