Patents Assigned to Palo Alto Networks, Inc.
  • Patent number: 11949694
    Abstract: A malware profile is received. The malware profile comprises a set of n-tuples of attributes that describe one or more activities associated with executing a copy of a known malicious application that is associated with the malware profile. A set of one or more log entries is analyzed for a set of entries that matches the malware profile. Based at least in part on identifying the set of entries matching the malware profile, a determination is made that a host was compromised. In response to determining that the host has been compromised, a remedial action is taken with respect to the host.
    Type: Grant
    Filed: September 10, 2021
    Date of Patent: April 2, 2024
    Assignee: Palo Alto Networks, Inc.
    Inventors: Jun Wang, Wei Xu
  • Patent number: 11941110
    Abstract: Techniques for process privilege escalation protection in a computing environment are disclosed. For example, the disclosure describes a system/process/computer program product for process privilege escalation protection in a computing environment that includes monitoring a process executed on a computing device, detecting an unauthorized change in a token value associated with the process, and performing an action based on a policy (e.g., a kernel protection security policy/rule(s), which can include a whitelisted set of processes and/or configured actions/responses to perform for other/non-whitelisted processes) in response to an unauthorized change in the token value associated with the process.
    Type: Grant
    Filed: April 18, 2023
    Date of Patent: March 26, 2024
    Assignee: Palo Alto Networks, Inc.
    Inventors: Yaron Lavi, Eldar Aharoni, Elad Wexler
  • Patent number: 11943094
    Abstract: A method includes allocating an identifier to each of a plurality of policies each comprising a network-isolation identifier associated with a VXWAN directive and transmitting each of the plurality of policies to one or more devices in a network.
    Type: Grant
    Filed: June 10, 2021
    Date of Patent: March 26, 2024
    Assignee: Palo Alto Networks, Inc.
    Inventors: Kumar Ramachandran, Venkataraman Anand, Navneet Yadav, Arivu Ramasamy, Aaron Edwards
  • Patent number: 11941006
    Abstract: Dynamic partitioning of a search space of queries is implemented for flexible, heuristic database querying. Search space partitioning refers to dividing the search space for a submitted query into smaller parts by augmenting the queries to append thereto an additional predicate comprising a dynamic partition key and a value(s) selected based on heuristics (e.g., recency and/or relevancy of the value(s)). A plurality of candidate augmentations of the query and corresponding query plans are generated and evaluated based on additional heuristics to determine which can be executed to yield the best results in terms of result quality and latency. This query plan is selected and executed for retrieval of results that satisfy the query, with pagination utilized for presentation of the results. The procedure of generating candidate query plans, selecting one of the candidates for execution, and paginating results is repeated until a search termination criterion is satisfied.
    Type: Grant
    Filed: July 29, 2022
    Date of Patent: March 26, 2024
    Assignee: Palo Alto Networks, Inc.
    Inventors: Chandra Biksheswaran Mouleeswaran, Amit Agarwal, Prashant Kumar Pathak, Xiaoyan Wang
  • Patent number: 11943620
    Abstract: Techniques for applying context-based security over interfaces in O-RAN environments in mobile networks are disclosed. In some embodiments, a system/process/computer program product for applying context-based security over interfaces in O-RAN environments in mobile networks includes monitoring network traffic on a mobile network at a security platform to identify a GTP-U tunnel session setup message associated with a new session; extracting a plurality of parameters from the GTP-U tunnel session setup message and from F1AP traffic to extract contextual information at the security platform; and enforcing a security policy at the security platform on the new session based on one or more of the plurality of parameters to apply context-based security to the network traffic transported between O-RAN Distributed Unit (O-DU) and O-RAN Centralized Unit Control Plane (O-CU-CP) nodes in an O-RAN environment in the mobile network.
    Type: Grant
    Filed: February 13, 2023
    Date of Patent: March 26, 2024
    Assignee: Palo Alto Networks, Inc.
    Inventors: Sachin Verma, Leonid Burakovsky
  • Patent number: 11937174
    Abstract: An access point provides a hidden wireless network that is configured with a set of SSIDs so that the hidden network is discoverable with multiple different SSIDs. Based on detection of a probe request frame which indicates an SSID from a device, the access point determines if the SSID for which network availability is requested matches one of the SSIDs in the set. If the SSID does match one of those included in the set, the SSID correctly identifies the hidden network, and the access point responds with a probe response frame. Devices connected to the hidden network may have initiated the establishment of the connection with different SSIDs despite the hidden network being a single wireless network. Scaling the number of supported SSIDs therefore does not impact the frequency with which the access point transmits beacon frames for the hidden network.
    Type: Grant
    Filed: September 21, 2021
    Date of Patent: March 19, 2024
    Assignee: Palo Alto Networks, Inc.
    Inventor: Ta Chien Lin
  • Patent number: 11930092
    Abstract: A system and method are provided for provisioning code snippets for programming a content delivery network. The method includes receiving a first client code snippet from a first client. The first client code snippet includes identity information of origin servers, standard responses for network requests, and configuration parameters to configure programmable content delivery nodes to respond to the one or more network requests. The method also includes publishing the first client code snippet to a snippet library, and indexing the first client code snippet in the snippet library. The method also includes receiving, from a second client, a request for a second client code snippet. The method also includes selecting a subset of client code snippets stored in the snippet library. The method also includes rendering identification information for the subset of client code snippets, and outputting a selected client code snippet from the subset of client code snippets.
    Type: Grant
    Filed: December 8, 2022
    Date of Patent: March 12, 2024
    Assignee: Palo Alto Networks, Inc.
    Inventors: Subramanian Varadarajan, Rosarin Roy Antonyraj
  • Patent number: 11924165
    Abstract: Techniques for securing containerized applications are disclosed. In some embodiments, a system, process, and/or computer program product for securing containerized applications includes detecting a new application container (e.g., an application pod); deploying a security entity (e.g., a firewall) to the application container; and monitoring all traffic to and from the application container (e.g., all layer-7 ingress, egress, and east-west traffic associated with the application container) using the security entity to enforce a policy.
    Type: Grant
    Filed: August 31, 2022
    Date of Patent: March 5, 2024
    Assignee: Palo Alto Networks, Inc.
    Inventors: John Edward McDowall, Sharad Saha, Nilesh Bansal
  • Patent number: 11916967
    Abstract: Techniques for mobile user identity and/or SIM-based IoT identity and application identity based security enforcement in service provider networks (e.g., service provider networks for mobile subscribers) are disclosed. In some embodiments, a system/process/computer program product for mobile user identity and/or SIM-based IoT identity and application identity based security enforcement in service provider networks includes monitoring network traffic on a service provider network at a security platform to identify a subscriber identity for a new session; determining an application identifier for user traffic associated with the new session at the security platform; and determining a security policy to apply at the security platform to the new session based on the subscriber identity and the application identifier.
    Type: Grant
    Filed: August 17, 2022
    Date of Patent: February 27, 2024
    Assignee: Palo Alto Networks, Inc.
    Inventors: Sachin Verma, Leonid Burakovsky, Jesse C. Shu, Lei Chang
  • Patent number: 11893358
    Abstract: For a seamless and robust artificial intelligence-based assistant experience, an intent-based query and response router has been designed to operate as an intelligent layer between a user and multiple backend services that may respond to one or more queries over the course of a conversation with the user. The query router interacts with an intent classification service to obtain an intent classification for a prompt that is based on a user query. The query router uses the intent classification, which is used as an identifier of a backend service, to route the user query to an appropriate one (or more) of the backend services. When a response is detected, the query router determines a corresponding conversation and provides the response for the conversation.
    Type: Grant
    Filed: August 24, 2023
    Date of Patent: February 6, 2024
    Assignee: Palo Alto Networks, Inc.
    Inventors: Ramanathan Lakshmikanthan, Sameer Dilip Merchant, Gaurav Sharma
  • Patent number: 11888874
    Abstract: Application-initiated network traffic is intercepted and analyzed by an application firewall in order to identify streams of traffic for a target application. An application signature generator preprocesses the raw data packets from the intercepted network traffic by tokenizing the data packets and then weighting each token according to its importance for application identification. The weighted features for each data packet are clustered using an unsupervised learning model, and the resulting clusters are iteratively refined and re-clustered using a proximity score between the clusters and feature vectors for key tokens for the target application. The application signature generator generates a signature for the clusters corresponding to the target application which the application firewall implements for filtering network traffic.
    Type: Grant
    Filed: October 31, 2022
    Date of Patent: January 30, 2024
    Assignee: Palo Alto Networks, Inc.
    Inventor: Stefan Achleitner
  • Patent number: 11888881
    Abstract: Adaptive normal profiles are generated at a hierarchical scope corresponding to a set of endpoints and a process. Abnormal endpoint activity is detected by verifying whether event data tracking activity on the set of endpoints conforms to the adaptive normal profiles. False positives are reduced by verifying alarms correspond to normal endpoint activity. Abnormal event data is forwarded to a causality chain identifier that identifies abnormal chains of processes for the abnormal endpoint activity. A trained threat detection model receives abnormal causality chains from the causality chain identifier and indicates a likelihood of corresponding to a malicious attack that indicates abnormal endpoint behavior.
    Type: Grant
    Filed: September 12, 2022
    Date of Patent: January 30, 2024
    Assignee: Palo Alto Networks, Inc.
    Inventors: Shai Meir, Dany Cohen, Arkady Miasnikov, Ohad Ohayon
  • Patent number: 11888718
    Abstract: An anomalous behavior detector has been designed to detect novel behavioral changes of devices based on network traffic data that likely correlate to anomalous behaviors. The anomalous behavior detector uses the local outlier factor (LOF) algorithm with novelty detection. After initial semi-supervised training with a single class training dataset representing stable device behaviors, the obtained model continues learning frontiers that delimit subspaces of inlier observations with live network traffic data. Instead of traffic variables being used as features, the features that form feature vectors are similarities of network traffic variable values across time intervals. A feature vector for the anomalous behavior detector represents stability or similarity of network traffic variables that have been chosen as device identifiers and behavioral indicators.
    Type: Grant
    Filed: January 28, 2022
    Date of Patent: January 30, 2024
    Assignee: Palo Alto Networks, Inc.
    Inventors: Ke Tian, Yilin Zhao, Xiaoyi Duan, Jun Du
  • Patent number: 11888816
    Abstract: Techniques for providing localization at scale for a cloud-based security service are disclosed. In some embodiments, a system/method/computer program product for providing localization at scale for a cloud-based security service includes receiving a connection request at a network gateway of a cloud-based security service; performing a source Network Address Translation (NAT) from a registered set of public IP addresses associated with a tenant; and providing secure access to a Software as a Service (SaaS) using the cloud-based security service.
    Type: Grant
    Filed: December 14, 2022
    Date of Patent: January 30, 2024
    Assignee: Palo Alto Networks, Inc.
    Inventors: Thomas Arthur Warburton, Shu Lin, Devendra Raut, Jialiang Li, Hao Long
  • Patent number: 11880363
    Abstract: A cloud resource join query for join operations across cloud resources is parsed to extract join rules and queries to each cloud resource in the cloud resource join query. Results from the individual cloud queries are dynamically indexed based on pairs of cloud resources indicated in the join rules. A search engine applies first order predicates in the join rules using the dynamic indexes to generate pairwise join results corresponding to the query. A result for the cloud resource join query comprises the pairwise join results after merging.
    Type: Grant
    Filed: January 20, 2021
    Date of Patent: January 23, 2024
    Assignee: Palo Alto Networks, Inc.
    Inventors: Chandra Biksheswaran Mouleeswaran, Rama Teja Repaka, Xiaoyan Wang, Parul Shukla
  • Patent number: 11880465
    Abstract: A sample is received for analysis. A determination is made that the sample was compiled for a CPU architecture that is different from a host CPU architecture. The sample is executed in an emulated user space corresponding to the CPU architecture for which the sample was compiled. The emulated user space is provided by executing a user space emulation utility in a virtual machine that shares the host CPU architecture.
    Type: Grant
    Filed: June 10, 2022
    Date of Patent: January 23, 2024
    Assignee: Palo Alto Networks, Inc.
    Inventors: Zihang Xiao, Cong Zheng, ChienHua Lu
  • Patent number: 11882130
    Abstract: Techniques for generating actionable indicators of compromise (IOCs) are disclosed. A set of potential sources for IOCs are received. One or more candidate IOCs are extracted from at least one source included in the set of potential sources. An actionable IOC is automatically identified from the one or more candidate IOCs. The actionable IOC is provided to a security enforcement service.
    Type: Grant
    Filed: February 25, 2021
    Date of Patent: January 23, 2024
    Assignee: Palo Alto Networks, Inc.
    Inventors: Janos Szurdi, Daiping Liu, Jun Wang
  • Patent number: 11874924
    Abstract: Detection of malicious JavaScript based on automated user interaction emulation is disclosed. A malware sample is executed in an instrumented virtual environment. Dynamic behavior is triggered based on emulated user interactions.
    Type: Grant
    Filed: November 2, 2021
    Date of Patent: January 16, 2024
    Assignee: Palo Alto Networks, Inc.
    Inventors: Jin Chen, Tao Yan, Taojie Wang, Bo Qu
  • Patent number: 11870639
    Abstract: Various techniques for dynamic path selection and data flow forwarding are disclosed. For example, various systems, processes, and computer program products for dynamic path selection and data flow forwarding are disclosed for providing dynamic path selection and data flow forwarding that can facilitate preserving/enforcing symmetry in data flows as disclosed with respect to various embodiments.
    Type: Grant
    Filed: October 6, 2022
    Date of Patent: January 9, 2024
    Assignee: Palo Alto Networks, Inc.
    Inventors: Kumar Ramachandran, Venkataraman Anand, Navneet Yadav, Arivu Ramasamy, Aaron Edwards, Gopal Reddy
  • Patent number: 11861008
    Abstract: The use of browser context in detecting malware is disclosed. A client device requests content from a remote server. Data received by the client device from the remote server is transmitted to an external scanner for analysis by the external scanner. The external scanner is configured to use a browser executed in an instrumented virtual machine environment to analyze the data provided by the client device. The client device is configured to request the content from the remote server using a browser extension configured to retrieve data and provide the retrieved data to the external scanner without rendering the retrieved data.
    Type: Grant
    Filed: July 21, 2022
    Date of Patent: January 2, 2024
    Assignee: Palo Alto Networks, Inc.
    Inventors: Tongbo Luo, Xin Ouyang, Zhaoyan Xu, Xing Jin