Abstract: A device launches a respective instance on each respective cloud service provider (CSP) of a plurality of CSPs. The device receives, from each respective instance, performance benchmark data for each CSP shape of the respective CSP on which the respective instance is launched. The device inputs the performance benchmark data from each respective instance into a model and receives, as output from the model, a determination of, for each CSP shape, group of a plurality of groups to which the CSP shape belongs. The device ranks each group based on a parameter, and provides for display to a user a recommended CSP shape based on the ranking.

Abstract: A device launches a respective instance on each respective cloud service provider (CSP) of a plurality of CSPs. The device receives, from each respective instance, performance benchmark data for each CSP shape of the respective CSP on which the respective instance is launched. The device inputs the performance benchmark data from each respective instance into a model and receives, as output from the model, a determination of, for each CSP shape, group of a plurality of groups to which the CSP shape belongs. The device ranks each group based on a parameter, and provides for display to a user a recommended CSP shape based on the ranking.

Abstract: A cloud-based security solution that provides a robust and secure framework for managing and enforcing security policies related to various resources managed in the cloud is disclosed. The cloud-based security solution is implemented by a security zone policy enforcement system in a cloud service provider infrastructure. The system receives a request to perform an operation on a resource and determines a compartment associated with the resource. The system determines that the compartment is associated with a security zone and determines a set of one or more security zone policies applicable to the resource. The system then determines that the operation on the resource is permitted based on the set of one or more security zone policies and responsive to determining that the operation on the resource is permitted, allows the operation to be performed on the resource.

Abstract: A cloud-based security solution that provides a robust and secure framework for managing and enforcing security policies related to various resources managed in the cloud is disclosed. The cloud-based security solution is implemented by a security zone policy enforcement system in a cloud service provider infrastructure. The system receives a request to perform an operation on a resource and determines a compartment associated with the resource. The system determines that the compartment is associated with a security zone and determines a set of one or more security zone policies applicable to the resource. The system then determines that the operation on the resource is permitted based on the set of one or more security zone policies and responsive to determining that the operation on the resource is permitted, allows the operation to be performed on the resource.

Abstract: A multi-cloud service system establishes tunnels and network overlays across multiple CSPs while meeting a criterion for a latency threshold. The system conducts a latency benchmarking evaluation across each cloud region for multiple CSPs and based on the latency bench marking evaluation results, the system may identify a group of cloud regions that satisfy a criterion such as predetermined maximum latency threshold or geographical restriction. The system may provision the group of cloud regions by provisioning a tunnel between nodes of the multiple CSPs. The system further establishes an overlay network on top of the tunnel by encapsulating packets using encapsulation end point such as VTEP (VXLAN tunnel end point) over VXLAN (Virtual Extension Local Area Network), which may help to ensure reliable transmission of packets from pod to pod. The system may inject user data into each node to initiate operations across the provisioned nodes using injected user data.

Abstract: A multi-cloud service system establishes tunnels and network overlays across multiple CSPs while meeting a criterion for a latency threshold. The system conducts a latency benchmarking evaluation across each cloud region for multiple CSPs and based on the latency bench marking evaluation results, the system may identify a group of cloud regions that satisfy a criterion such as predetermined maximum latency threshold or geographical restriction. The system may provision the group of cloud regions by provisioning a tunnel between nodes of the multiple CSPs. The system further establishes an overlay network on top of the tunnel by encapsulating packets using encapsulation end point such as VTEP (VXLAN tunnel end point) over VXLAN (Virtual Extension Local Area Network), which may help to ensure reliable transmission of packets from pod to pod. The system may inject user data into each node to initiate operations across the provisioned nodes using injected user data.

Abstract: Fully qualified domain name determination is disclosed. A queue of fully qualified domain names (FQDN) is created using a predetermined amount of network domains. Each FQDN is crawled from a plurality of collection agents of a computer network. For each FQDN, data comprising an Internet Protocol (IP) address of the FQDN, IP addresses for resources loaded for the FQDN and load times of the resources loaded for the FQDN are extracted. A correlation model is generated based on the data. An FQDN being accessed by one or more computer devices of the computer network is determined by using the correlation model.

Abstract: Aspects of the present application relate to systems and methods for automated web-based filter tuning. The method can include receiving information characterizing a plurality of attributes of a web server and normalizing the received information. The method can include identifying a set of relevant tags to the web server via comparison of the normalized received information to data contained in a tag database, and forming a set of signatures relevant to the web server based at least in part on the set of relevant tags. The method can include receiving an administrator selection of at least some of the set of signatures, enabling the selected at least some of the set of signatures for filtering of received web requests.

Abstract: Techniques for auto-remediating security issues with artificial intelligence. One technique includes obtaining a problem detected within a signal from an emitter associated with a user, inferring a first response, using a global model having a global set of model parameters learned from mappings between problems and responses globally with respect to preferences of all users using a security architecture, inferring a second response, using a local model having a local set of model parameters learned from mappings between problems and responses locally with respect to preferences of the user; evaluating the first response and the second response using criteria, determining a final response for the problem based on the evaluation of the first response and the second response, and selecting a responder from a set of responders based on the final response. The responder is adapted to take one or more actions to respond to the problem.

Abstract: The behavior analysis engine can condense stored machine-learned models and transmit the condensed versions of the machine-learned models to the network traffic hub to be applied in the local networks. When the behavior analysis engine receives new data that can be used to further train a machine-learned model, the behavior analysis engine updates the machine-learned model and generates a condensed-version of the machine-learned model. The condensed-version of the machine-learned model may be more resource efficient than the machine-learned model while capable of making similar or the same decisions as the machine-learned model. The behavior analysis engine transmits the condensed version of the machine-learned model to the network traffic hub and the network traffic hub uses the condensed-version of the machine-learned model to identify malicious behavior in the local network.

Abstract: The behavior analysis engine can identify malicious entities based on connections between the entity and other entities. The behavior analysis engine receives an entity from the network traffic hub and identifies entities that are connected to the entity within a threshold degree of separation. The behavior analysis engine applies a recursive process to the entity whereby the behavior analysis engine determines whether an entity is malicious based on whether its connections within a threshold degree of separation are malicious. The behavior analysis engine uses the maliciousness of the entities' connections to determine whether the entity is malicious and, if the entity is malicious, the behavior analysis engine may instruct the network traffic hub to block network communications associated with the malicious entity.

Abstract: The behavior analysis engine can also detect malicious network addresses that are sent to networked devices in the local network. The network traffic hub identifies network communications that are transmitted through the local network that contain network addresses. The network traffic hub transmits (or sends) the network address to the behavior analysis engine and the behavior analysis engine extracts network address features from the network address. The behavior analysis engine then applies an execution model to the execution features to determine a confidence score for the network address that represents the execution model's certainty that the network address is malicious. The behavior analysis engine uses the confidence score to provide instructions to the network traffic hub as to whether to allow the networked device to receive the network address.

Abstract: A cloud-based security solution that provides a robust and secure framework for managing and enforcing security policies related to various resources managed in the cloud is disclosed. The cloud-based security solution is implemented by a security zone policy enforcement system in a cloud service provider infrastructure. The system receives a request to perform an operation on a resource and determines a compartment associated with the resource. The system determines that the compartment is associated with a security zone and determines a set of one or more security zone policies applicable to the resource. The system then determines that the operation on the resource is permitted based on the set of one or more security zone policies and responsive to determining that the operation on the resource is permitted, allows the operation to be performed on the resource.

Abstract: A multi-cloud service system establishes tunnels and network overlays across multiple CSPs while meeting a criterion for a latency threshold. The system conducts a latency benchmarking evaluation across each cloud region for multiple CSPs and based on the latency bench marking evaluation results, the system may identify a group of cloud regions that satisfy a criterion such as predetermined maximum latency threshold or geographical restriction. The system may provision the group of cloud regions by provisioning a tunnel between nodes of the multiple CSPs. The system further establishes an overlay network on top of the tunnel by encapsulating packets using encapsulation end point such as VTEP (VXLAN tunnel end point) over VXLAN (Virtual Extension Local Area Network), which may help to ensure reliable transmission of packets from pod to pod. The system may inject user data into each node to initiate operations across the provisioned nodes using injected user data.

Abstract: A multi-cloud service system establishes tunnels and network overlays across multiple CSPs while meeting a criterion for a latency threshold. The system conducts a latency benchmarking evaluation across each cloud region for multiple CSPs and based on the latency bench marking evaluation results, the system may identify a group of cloud regions that satisfy a criterion such as predetermined maximum latency threshold or geographical restriction. The system may provision the group of cloud regions by provisioning a tunnel between nodes of the multiple CSPs. The system further establishes an overlay network on top of the tunnel by encapsulating packets using encapsulation end point such as VTEP (VXLAN tunnel end point) over VXLAN (Virtual Extension Local Area Network), which may help to ensure reliable transmission of packets from pod to pod. The system may inject user data into each node to initiate operations across the provisioned nodes using injected user data.

Abstract: A device launches a respective instance on each respective cloud service provider (CSP) of a plurality of CSPs. The device receives, from each respective instance, performance benchmark data for each CSP shape of the respective CSP on which the respective instance is launched. The device inputs the performance benchmark data from each respective instance into a model and receives, as output from the model, a determination of, for each CSP shape, group of a plurality of groups to which the CSP shape belongs. The device ranks each group based on a parameter, and provides for display to a user a recommended CSP shape based on the ranking.

Abstract: A network traffic hub extracts encryption metadata from messages establishing an encrypted connection between a smart appliance and a remote server and determines whether malicious behavior is present in the messages. For example, the network traffic hub can extract an encryption cipher suite, identified encryption algorithms, or a public certificate. The network traffic hub detects malicious behavior or security threats based on the encryption metadata. These security threats may include a man-in-the-middle attacker or a Padding Oracle On Downgraded Legacy Encryption attack. Upon detecting malicious behavior or security threats, the network traffic hub blocks the encrypted traffic or notifies a user.

Abstract: The behavior analysis engine can also detect malicious network addresses that are sent to networked devices in the local network. The network traffic hub identifies network communications that are transmitted through the local network that contain network addresses. The network traffic hub transmits (or sends) the network address to the behavior analysis engine and the behavior analysis engine extracts network address features from the network address. The behavior analysis engine then applies an execution model to the execution features to determine a confidence score for the network address that represents the execution model's certainty that the network address is malicious. The behavior analysis engine uses the confidence score to provide instructions to the network traffic hub as to whether to allow the networked device to receive the network address.

Abstract: Fully qualified domain name determination is disclosed. A queue of fully qualified domain names (FQDN) is created using a predetermined amount of network domains. Each FQDN is crawled from a plurality of collection agents of a computer network. For each FQDN, data comprising an Internet Protocol (IP) address of the FQDN, IP addresses for resources loaded for the FQDN and load times of the resources loaded for the FQDN are extracted. A correlation model is generated based on the data. An FQDN being accessed by one or more computer devices of the computer network is determined by using the correlation model.

Abstract: A network traffic hub receives network traffic from a user device running an application. The network traffic hub aggregates the network traffic into augmented netflows. Based on netflow parameters extracted by the network traffic hub, one or more augmented netflows are associated with the application. The network traffic hub determines whether an augmented netflow is a result of the application being in an active state or a passive state based on, for example, the quantity of data within the netflow. If the quantity of data within the augmented netflow is larger than a data threshold, the augmented netflow can be classified as an active usage, and if the data is less than the data threshold, the augmented netflow can be classified as a passive usage. Thus, by classifying network traffic of an application as active or passive, a record of a user's active usage of the application can be recorded.