Patents Assigned to Palo Alto Networks, Inc.
  • Patent number: 11863586
    Abstract: Inline package name based supply chain attack detection and prevention is disclosed. An indication that a client device has made a request to a remote server for a package is received. A data appliance then performs an action responsive to the received indication. In an example implementation, the data appliance makes a determination of whether the request for the package is associated with a nonexisting package.
    Type: Grant
    Filed: September 30, 2022
    Date of Patent: January 2, 2024
    Assignee: Palo Alto Networks, Inc.
    Inventors: Ruian Duan, Daiping Liu, Jun Wang, Zihang Xiao
  • Patent number: 11863571
    Abstract: Analysis of samples for maliciousness is disclosed. A sample is executed and one or more network activities associated with executing the sample are recorded. The recorded network activities are compared to a malware profile. The malware profile comprises a set of network activities taken by a known malicious application during execution of the known malicious application. A verdict of “malicious” is assigned to the sample based at least in part on a determination that the recorded network activities match the malware profile.
    Type: Grant
    Filed: February 11, 2022
    Date of Patent: January 2, 2024
    Assignee: Palo Alto Networks, Inc.
    Inventors: Jun Wang, Wei Xu
  • Patent number: 11855964
    Abstract: At least initially blocking client download of certain content and injecting a user verification step for such downloads is disclosed. In some embodiments, a notification page with an option to accept a response from a server is provided to a client, an indication of user selection of the option to accept in the notification page is received from the client, and requested content received from the server is provided to the client. Injecting a user verification step via the notification page before providing requested content facilitates protecting the client from security threats.
    Type: Grant
    Filed: January 12, 2022
    Date of Patent: December 26, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventor: Huagang Xie
  • Patent number: 11856010
    Abstract: Malicious domain finding using DNS query pattern analysis is disclosed. A first DNS query signature and a second DNS query signature are generated, using a set of DNS query records. The first and second DNS query signatures are compared, and the second DNS query signature is identified as malicious based on a detected match between the first and second DNS query signatures.
    Type: Grant
    Filed: February 16, 2021
    Date of Patent: December 26, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Jun Wang, Wei Xu
  • Patent number: 11856003
    Abstract: Techniques for providing innocent until proven guilty (IUPG) solutions for building and using adversary resistant and false positive resistant deep learning models are disclosed. In some embodiments, a system, process, and/or computer program product includes storing a set comprising one or more innocent until proven guilty (IUPG) models for static analysis of a sample; performing a static analysis of content associated with the sample, wherein performing the static analysis includes using at least one stored IUPG model; and determining that the sample is malicious based at least in part on the static analysis of the content associated with the sample, and in response to determining that the sample is malicious, performing an action based on a security policy.
    Type: Grant
    Filed: May 26, 2021
    Date of Patent: December 26, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Brody James Kutt, Oleksii Starov, Yuchen Zhou, William Redington Hewlett, II
  • Patent number: 11855867
    Abstract: An initial test is executed to determine an end-to-end latency of a path between a source and a destination. Subsequent tests incrementally target each node of the path for measurement of metric values indicative of delay of the nodes (e.g., latency, jitter, and packet loss). As tests are performed incrementally for each node, the maximum observed latency is tracked and used for calculating timeout thresholds. For the first hop, the timeout threshold is determined relative to the end-to-end latency; for subsequent hops, the timeout threshold is determined relative to the maximum non-timeout latency measured for a previous hop. Each test is performed N times to obtain additional values of delay metrics for each node. Upon completion of the N passes through the path, the resulting delay metric values determined for each test set are aggregated to yield a single, comprehensive result set.
    Type: Grant
    Filed: December 28, 2021
    Date of Patent: December 26, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: John Edward Bothe, Hristos Siakou
  • Patent number: 11848913
    Abstract: To perform pattern-based detection of malicious URLs, patterns are first generated from known URLs to build a pattern repository. A URL is first normalized and parsed, and keywords are extracted and stored in an additional repository of keywords. Tokens are then determined from the parsed URL and tags are associated with the parsed substrings. Substring text may also be replaced with general identifying information. Patterns generated from known malicious and benign URLs satisfying certain criteria are published to a pattern repository which can be accessed during subsequent detection operations. During detection, upon identifying a request which indicates an unknown URL, the URL is parsed and tokenized to generate a pattern. The repository of malicious URL patterns is queried to determine if a matching malicious URL pattern can be identified. If a matching malicious URL pattern is identified, the URL is detected as malicious.
    Type: Grant
    Filed: July 7, 2022
    Date of Patent: December 19, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Fang Liu, Yuchen Zhou, Jun Wang
  • Patent number: 11836213
    Abstract: A client device requests a web page via a clientless VPN. In response to the request, web page content comprising at least one script element is received at the clientless VPN. The clientless VPN inserts a wrapper function around at least a portion of the script element, forming modified web content. The client device is provided with the modified web content.
    Type: Grant
    Filed: October 21, 2022
    Date of Patent: December 5, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Jiangxia Liu, Qi Zhang, Bin Zhao
  • Patent number: 11838326
    Abstract: Techniques for mobile equipment identity and/or IoT equipment identity and application identity based security enforcement in service provider networks (e.g., service provider networks for mobile subscribers) are disclosed. In some embodiments, a system/process/computer program product for mobile equipment identity and/or IoT equipment identity and application identity based security enforcement in service provider networks includes monitoring network traffic on a service provider network at a security platform to identify a device identifier for a new session; determining an application identifier for user traffic associated with the new session at the security platform; and determining a security policy to apply at the security platform to the new session based on the device identifier and the application identifier.
    Type: Grant
    Filed: March 7, 2022
    Date of Patent: December 5, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Sachin Verma, Leonid Burakovsky, Jesse C. Shu, Chang Li
  • Patent number: 11838316
    Abstract: Computer systems and methods are provided for storing a first path profile. A computing device receives a first request to access a first location of a website, transmits the first request to a server, and receives a first cookie that includes identifying information for the first location. In response to receiving the first cookie, the device stores the identifying information. The device receives a second request to access a second location of the website that is distinct from the first location. The second request includes the identifying information for the first location. The device transmits the second request to the server and receives a second cookie that includes the identifying information for the first location and for the second location. In response to receiving the second cookie, the device stores the first path profile that includes the identifying information for the first location and the second location.
    Type: Grant
    Filed: November 12, 2020
    Date of Patent: December 5, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Subramanian Varadarajan, Rosarin Roy Antonyraj
  • Patent number: 11838214
    Abstract: Stateful inspection and classification of packets is disclosed. A first differentiated services header value (DSHV) to associate with a first packet type and a corresponding first quality of service treatment is received from a configuration interface for a first packet type associated with a network traffic flow originating from a first application type. A second DSHV is received from the configuration interface to associate with a second packet type. A first packet having the first packet type is received and the first quality of service treatment is applied to the first packet. A second packet having the second packet type is received and the second quality of service treatment is applied to the second packet.
    Type: Grant
    Filed: January 14, 2022
    Date of Patent: December 5, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Philip Kwan, Shu Lin
  • Patent number: 11824897
    Abstract: An indication that a change associated with adjusting capacity to provide security services to network traffic in a network environment is received. In response to receiving the indication, a set of instructions for configuring at least one of: a network device and a security appliance is determined. As a result of applying the instructions, at least one of: an amount of network traffic provided by the network device to the security appliance will increase, or at least a portion of network traffic that would otherwise be provided by the network device to the security appliance will instead be provided to another security appliance. The set of instructions is transmitted.
    Type: Grant
    Filed: December 22, 2021
    Date of Patent: November 21, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Philip Kwan, Sudeep Padiyar
  • Patent number: 11822658
    Abstract: A sample is analyzed to determine a set of events that should be selected for performing by a dynamic analyzer executing the sample in an instrumented, emulated environment. The set of selected events is performed. In some cases, at least one emulator detection resistance action is performed. A maliciousness verdict is determined for the sample based at least in part on one or more responses taken by the sample in response to the set of selected events being performed by the dynamic analyzer.
    Type: Grant
    Filed: November 21, 2022
    Date of Patent: November 21, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Cong Zheng, Wenjun Hu, Zhi Xu
  • Patent number: 11824757
    Abstract: A pseudo-active/active firewall configuration handles firewall switchover events without traffic disruption. A passive firewall is set to an active state, and an active firewall is switched to a pseudo-active state wherein it continues to process ingress and egress traffic according to traffic handling protocols for its active state. An Internet protocol address binding linking the now pseudo-active firewall to an Internet gateway that forwards traffic to the firewalls is updated in a network address translation (NAT) table to route traffic to the newly active firewall. Once a pseudo-active timer expires and the binding is successfully updated to route traffic to the newly active firewall, the pseudo-active firewall is set to a passive state.
    Type: Grant
    Filed: May 13, 2022
    Date of Patent: November 21, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Tapraj Singh, Nazanin Magharei, Rimu Bhardwaj, Harshavardhan Parandekar, Vikram Guleria
  • Patent number: 11818151
    Abstract: The technology presented herein enables the use of a clustering algorithm to identify additional malicious domains based on known malicious domains. A domain identifier system identifies a first plurality of domain names associated with a malicious domain campaign and seeds a first clustering algorithm with the first plurality of domain names. After seeding the first clustering algorithm, the domain identifier system uses the first clustering algorithm to process passive domain name system (DNS) records to identify and group a second plurality of domain names associated with the malicious domain campaign.
    Type: Grant
    Filed: July 12, 2018
    Date of Patent: November 14, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Michael Edward Weber, Jun Wang, Yuchen Zhou, Wei Xu
  • Patent number: 11818144
    Abstract: A security appliance monitors streams of events and detects anomalous behavior by users with respect to software defined infrastructure. The security appliance creates baselines of activities for each user. After generating baselines, the security appliance compares events to the activity baselines of users to detect deviations. If a deviation is detected, then a violation report is generated.
    Type: Grant
    Filed: April 11, 2022
    Date of Patent: November 14, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Chandra Mouleeswaran, Wayne Jensen
  • Patent number: 11816214
    Abstract: A system/process/computer program product for building multi-representational learning models for static analysis of source code includes receiving training data, wherein the training data includes a set of source code files for training a multi-representational learning (MRL) model for classifying malicious source code and benign source code based on a static analysis; generating a first feature vector based on a set of characters extracted from the set of source code files; generating a second feature vector based on a set of tokens extracted from the set of source code files; and performing an ensemble of the first feature vector and the second feature vector to form a target feature vector for classifying malicious source code and benign source code based on the static analysis.
    Type: Grant
    Filed: February 2, 2023
    Date of Patent: November 14, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Brody James Kutt, William Redington Hewlett, Oleksii Starov, Yuchen Zhou, Fang Liu
  • Patent number: 11818173
    Abstract: For connection establishment, a system allocates memory that will be occupied by the data and handshake sub-protocol infrastructure that facilitates establishing a TLS connection. After connection establishment, the system allocates memory space for the data and record sub-protocol infrastructure that facilitates the asynchronous communication of application traffic. The memory space for the TLS session (i.e., the communication information separate from the handshake) has a substantially smaller footprint than the memory space for the TLS handshake. The TLS handshake memory space can be released and recycled for other connections while application communications use the smaller memory space allocated and populated with the TLS session data and infrastructure.
    Type: Grant
    Filed: May 29, 2020
    Date of Patent: November 14, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Mohit Sahni, Saurabh Tripathi
  • Patent number: 11811731
    Abstract: Techniques for packet classification for network routing are disclosed. In some embodiments, packet classification for network routing includes receiving packets associated with a new flow at a security controller from a network device, in which the network device performs packet forwarding; classifying the flow; and determining an action for the flow based on a policy (e.g., a security policy). In some embodiments, the network device is a Software Defined Network (SDN) network device (e.g., a packet forwarding device that supports the OpenFlow protocol or another protocol).
    Type: Grant
    Filed: June 14, 2022
    Date of Patent: November 7, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Nir Zuk, Marc Joseph Benoit
  • Patent number: 11810008
    Abstract: A copy of a model comprising a plurality of trees is received, as is a copy of training set data comprising a plurality of training set examples. For each tree included in the plurality of trees, the training set data is used to determine which training set examples are classified as a given leaf. A blame forest is generated at least in part by mapping each training set item to the respective leaves at which it arrives.
    Type: Grant
    Filed: August 6, 2022
    Date of Patent: November 7, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: William Redington Hewlett, II, Seokkyung Chung, Lin Xu