Abstract: Systems and methods are described for scanning or monitoring of Domain Name System (DNS) records of an entity for identifying anomalous changes to the DNS records that may be indicative of possible DNS hijacking. According to one embodiment, DNS monitoring engine running on a network security appliance protecting a private network, or implemented as a cloud-based service can be used for monitoring DNS records of the entity. Any modification in the monitored DNS record(s) can be detected within a pre-defined or configurable time-frame. The detected modification can be determined to be anomalous or not, by assigning a criticality value based on current value and previous value of one or more fields of the DNS record, one or more attributes of the DNS record and one or more derived attributes based on the DNS record.

Abstract: Systems and methods for determining an efficiency score for an automation platform are provided. According to one embodiment, a first weight for each playbook of multiple playbooks of an automation framework and a second weight for each type of error of multiple types of errors that may cause execution of one of the multiple playbooks to fail are maintained. The first weight represents a relative importance of the playbook and the second weight represents an effort required to address the error. An efficiency score is calculated for execution of one or more playbooks of the multiple playbooks during a particular time period based on the first weight for each of the one or more playbooks and the second weight for each type of error observed during the particular time period. An indication of a health of the automation framework is then displayed based on the efficiency score.

Abstract: Systems and methods are provided for synergistically combining network security technologies to detect compromised devices. According to one embodiment, an endpoint detection and response (EDR) agent of multiple endpoint security agents running on an endpoint device detects an incident. A security incident alert is generated by the EDR agent by proactively collecting data regarding the incident. Identification of a device coupled to a private network as potentially being compromised by a security service of a Managed Security Service Provider (MSSP) protecting the private network is facilitated by the EDR agent transmitting the security incident alert to the security service via a security agent of the multiple endpoint security agents corresponding to the security service.

Abstract: Systems, devices, and methods are discussed that provide for discovering protected data from a code. Such detection provides an ability to discover potentially malicious code and/or datasets obfuscated within a code prior to full execution of the code.

Abstract: Systems and methods for detection and classification of malware using an AI-based approach are provided. In one embodiment, a T-node maintains a sample library including benign and malware samples. A classification model is generated by training a classifier based on features extracted from the samples. The classification model is distributed to D-nodes for use as a local malware detection model. Responsive to detection of malware in a sample processed by a D-node, the T-node receives the sample from the D-node. When the sample is not in the sample library, it is incorporated into the sample library. A feature depository is created/updated by the T-node by extracting features from the samples. Responsive to a retraining event: (i) an improved classification model is created by retraining the classifier based on the feature depository; and (ii) the D-nodes are upgraded by replacing their local malware detection models with the improved classification model.

Abstract: Systems and methods for providing an integrated or Smart NIC-based hardware accelerator for a network security device to facilitate identification and mitigation of DoS attacks is provided. According to one embodiment, a processor of a network security device receives an application layer protocol request from a client, directed to a domain hosted by various servers and protected by the network security device. The application layer protocol request is parsed to extract a domain name and a path string. The hardware acceleration sub-system updates rate-based counters based on the application layer protocol request by performing a longest prefix match on the domain name and the path string. When a rate threshold associated with the rate-based counters is exceeded, a challenge message is created and transmitted to the client, having embedded therein the application layer protocol request; otherwise the application layer protocol request is allowed to pass through the network security device.

Abstract: Systems and methods for detecting malicious behavior in a network by analyzing process interaction ratios (PIRs) are provided. According to one embodiment, information regarding historical process activity is maintained. The historical process activity includes information regarding various processes hosted by computing devices of a private network. Information regarding process activity within the private network is received for a current observation period. For each process, for each testing time period of a number of testing time periods within the current observation period, a PIR is determined based on (i) a number of unique computing devices that host the process and (ii) a number of unique users that have executed the process. A particular process is identified as potentially malicious when a measure of deviation of the PIR of the particular process from a historical PIR mean of the particular process exceeds a pre-defined or configurable threshold during a testing time period.

Abstract: Various systems and methods for surveillance using a combination of video image capture and passive wireless detection are described. In some cases, the methods include receiving a device identification information from a first wireless access point at a first location and corresponding to a first time, and receiving the device identification from a second wireless access point at a second location and corresponding to a second time. A video from a camera is received, and a travel path is assembled including a portion of the video.

Abstract: Systems, devices, and methods are discussed for leveraging SD-WAN's property of redundant independent paths to enable out of band key exchange using the collection of available paths, dynamically managing link failures to keep the separation whenever possible, and/or signaling availability of quantum-safe data transfer to SD-WAN to enable quantum-safety to be used in SD-WAN policy decisions.

Abstract: Various embodiments discussed generally relate to securing applications that work across networks, and more particularly to systems and methods for mitigating malicious behavior integrated within an application that directly calls a separate cloud based malicious behavior mitigation system.

Abstract: Various embodiments provide for governing VPN access using a device remote from a VPN endpoint.

Abstract: Restrictions to control of wireless resources shared openly on a wireless network for playing media are described. At a high-level, advertisement are broadcast for an openly shared resource service are restricted with respect to who, when and where control is permitted. A resource controller app can be implemented on a Wi-Fi controller, on an SDN controller, or as a separate server to intercept advertisements (e.g., service advertisements) being sent for broadcast by an openly shared resource. The advertisements are then transmitted over unicast according to specific parameters concerning specific users, devices, or locations, for example.

Abstract: Systems and methods are provided for error correction in network data transfers. In some cases, such systems and methods include selection of a ratio of error correction to user data based upon determined communication channel health.

Abstract: An access point has a housing with at least one connector for at least one external antenna and at least one connector for at least one internal antenna. An RF controller detects whether the at least one external antenna is connected to the at least one connector for the at least one external antenna when an open circuit is closed. Responsive to detecting that the at least one external antenna is connected, a first mode in which the at least one internal antenna supports RF capabilities switches to a second mode wherein the at least one external antenna supports RF capabilities.

Abstract: A file is received from external to the gateway device and, prior to runtime, the received file is detected as being compressed. Also before runtime, a compression type of the received file is differentiated as packed, protected, and/or archived. Identification of a specific packer, a specific protector or a specific archiver corresponding to the compression type is attempted. Responsive to successful identification, the received file is decompressed and a static type of malware analysis is selected for the received file. Responsive to unsuccessful identification, decompress the received file is attempted with a general unpacker, a general unprotector or a general unarchiver, and responsive to successful decompression, the static type of malware analysis is selected for the received file. Responsive to unsuccessful decompression, a dynamic type of malware analysis on the received file is selected.

Abstract: Systems, devices, and methods are discussed for context protected access to an unadvertised cloud-based resource.

Abstract: Systems, devices, and methods are discussed for context protected access to an air-gapped network resource via a bridge server.

Abstract: Systems and methods for a security rating framework that translates compliance requirements to corresponding desired technical configurations to facilitate generation of security ratings for network elements is provided. According to one embodiment, a host network element executes a collection of security checks on at least a first network element. The execution is performed by receiving configuration data of the first network element pertaining to each security check of the collection of security checks in response to a request by the host network element and validating each security check by comparing the received configuration data pertaining to each security check with a pre-defined or configurable network security configuration recommendation to generate a compliance result. Further, the host network element generates a compliance report by aggregating the compliance results obtained by executing each security check of the collection of security checks.

Abstract: Various embodiments are discussed that provide systems and methods for identifying possible unsecured devices on a network. In some cases, embodiments discussed relate to systems and methods for identifying possible unsecured devices; clustering the identified devices with other similar devices, and/or determining default or simplified access processes for a given cluster of the identified devices.

Abstract: Systems and methods for dynamic service-based load balancing in an SD-WAN are provided. According to one embodiment, a subnet assigned to a client device by a hub network of the SD-WAN and one or more attributes of a path or a route to a group of clients within the subnet are received by a first process of an SD-WAN controller via a dynamic routing protocol. A tagged subnet is generated by the first process by tagging the subnet with a route tag corresponding to the one or more attributes. The first process informs the SD-WAN of the tagged subnet by communicating the tagged subnet to a second process of the SD-WAN controller via an inter-process communication mechanism. Responsive to receipt of the tagged subnet, the second process translates an SD-WAN service rule defined with reference to the route tag to an SD-WAN service rule defined with reference to the subnet.