Patents by Inventor Phillip Porras

Phillip Porras has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20240089824
    Abstract: A satellite orbiting the Earth may perform orbit-aware routing by receiving a data packet, determining whether a final destination plane of the data packet is different from an orbital plane of the satellite, in response to determining that the final destination plane of the data packet is different from the orbital plane of the satellite, determining whether the satellite is able to communicate with one or more cross-plane neighboring satellites, selecting a neighboring satellite to receive the data packet based at least in part on whether the satellite is able to communicate with one or more cross-plane neighboring satellites, and forwarding the data packet to the neighboring satellite.
    Type: Application
    Filed: March 26, 2021
    Publication date: March 14, 2024
    Inventors: Patrick Denis Lincoln, Steven M. Dawson, Phillip A. Porras, Keith M. Skinner, Martin W. Fong
  • Publication number: 20230289460
    Abstract: Systems and methods for providing sensitive dataflow tracking for containerized applications are provided herein. In some embodiments, a taint tracking system for providing sensitive dataflow tracking may include an audit reporter configured to create a provenance graph; a taint tracking kernel configured to (1) create a screened provenance graph that includes data deemed sensitive, and (2) create one or more final taint sets of sensitive data to be tracked at a container level that include vertices and edges that are descended from a particular sensitive source using one or more dependency checkers; and a taint storage configured to store the taint sets of sensitive data to be tracked at the container level.
    Type: Application
    Filed: April 30, 2021
    Publication date: September 14, 2023
    Inventors: Ashish Gehani, Phillip A. Porras, Vinod Yegneswaran, Hassaan Irshad
  • Publication number: 20230179628
    Abstract: A method of determining an adversarial attack playbook includes receiving, from an adversarial actor, an electronic communication intended for a target user. The method includes engaging in a deep dialog with the adversarial actor by deploying a synthetic persona dynamically during the electronic communication. The deep dialog includes multiple rounds of communication exchanges. The method includes determining a length and type of the deep dialog to obtain attributes related to the adversarial actor. The method includes identifying a conversational pattern from the deep dialog. The conversational pattern comprises dialog interaction elements utilized by the adversarial actor. The method includes dynamically producing, based on the conversational pattern, the playbook associated with the adversarial actor. The playbook is indicative of a dialog interaction strategy implemented by the adversarial actor.
    Type: Application
    Filed: November 29, 2022
    Publication date: June 8, 2023
    Inventors: Phillip Porras, Kenneth Nitz, Keith Skinner, Dayne Freitag
  • Patent number: 11586521
    Abstract: A method, apparatus and system for providing process-level forensics for a plurality of application containers includes for each of the plurality of application containers; monitoring forensics information of the application container, encoding the monitored forensics information using an encoder of a predetermined encoder/decoder pair to determine a forensics model, decoding the forensics model to determine a reconstructed representation of the forensics information, comparing the reconstructed representation of the forensics information to the monitored forensics information to determine an error and comparing the error to a threshold to determine if an error above the threshold exists. If the error is below the threshold, the forensics model is communicated to a higher-level manager to be used for higher-level management. If the error is above the threshold, the monitored forensics information of the application container is also communicated to the higher-level manager.
    Type: Grant
    Filed: December 28, 2020
    Date of Patent: February 21, 2023
    Assignee: SRI International
    Inventors: Phillip A. Porras, Prakhar Sharma
  • Patent number: 11314614
    Abstract: A method, apparatus and system for providing security for a container network having a plurality of containers includes establishing a network stack for each of the plurality of containers of the container network, determining network and policy information from active containers, based on a set of pre-determined inter-container dependencies for the plurality of containers learned from the determined network and policy information, configuring container access in the container network to be limited to only containers of the plurality of containers that are relevant to a respective communication, and configuring inter-container traffic in the container network to be directed only from a source container into a destination container in a point-to-point manner such that exposure of the inter-container traffic to peer containers is prevented.
    Type: Grant
    Filed: December 17, 2020
    Date of Patent: April 26, 2022
    Assignee: SRI International
    Inventors: Phillip A. Porras, Vinod Yegneswaran, Jaehyun Nam, Seungwon Shin
  • Patent number: 11206276
    Abstract: A correlator that includes a number of modules cooperating with each other. A transaction correlation module correlates network flow information for one or more network packet flows corresponding to one or more host-agent network-transaction records on whom participated in a network packet flow. The host-agent network-transaction records at least contain source information. A host input module to take in the host-agent network-transaction records from each host agent on its host computing device connecting to the correlator. A merged record creator creates a merged record for corresponding matches of one or more of the host-agent network-transaction records to one or more of the network packet flows. The merged record gives the network policy enforcement module a complete picture of both the network traffic flow information along with the source information that participated in the network packet flows in order to apply network policies against the network packet flows.
    Type: Grant
    Filed: June 3, 2019
    Date of Patent: December 21, 2021
    Assignee: SRI International
    Inventors: Kenneth C. Nitz, Phillip Porras, Steven Cheung
  • Publication number: 20210211408
    Abstract: A method, apparatus and system for providing security for a container network having a plurality of containers includes establishing a network stack for each of the plurality of containers of the container network, determining network and policy information from active containers, based on a set of pre-determined inter-container dependencies for the plurality of containers learned from the determined network and policy information, configuring container access in the container network to be limited to only containers of the plurality of containers that are relevant to a respective communication, and configuring inter-container traffic in the container network to be directed only from a source container into a destination container in a point-to-point manner such that exposure of the inter-container traffic to peer containers is prevented.
    Type: Application
    Filed: December 17, 2020
    Publication date: July 8, 2021
    Inventors: Phillip A. Porras, Vinod Yegneswaran, Jaehyun Nam, Seungwon Shin
  • Publication number: 20210208991
    Abstract: A method, apparatus and system for providing process-level forensics for a plurality of application containers includes for each of the plurality of application containers; monitoring forensics information of the application container, encoding the monitored forensics information using an encoder of a predetermined encoder/decoder pair to determine a forensics model, decoding the forensics model to determine a reconstructed representation of the forensics information, comparing the reconstructed representation of the forensics information to the monitored forensics information to determine an error and comparing the error to a threshold to determine if an error above the threshold exists. If the error is below the threshold, the forensics model is communicated to a higher-level manager to be used for higher-level management. If the error is above the threshold, the monitored forensics information of the application container is also communicated to the higher-level manager.
    Type: Application
    Filed: December 28, 2020
    Publication date: July 8, 2021
    Inventors: Phillip A. Porras, Prakhar Sharma
  • Publication number: 20200228553
    Abstract: A correlator that includes a number of modules cooperating with each other. A transaction correlation module correlates network flow information for one or more network packet flows corresponding to one or more host-agent network-transaction records on whom participated in a network packet flow. The host-agent network-transaction records at least contain source information. A host input module to take in the host-agent network-transaction records from each host agent on its host computing device connecting to the correlator. A merged record creator creates a merged record for corresponding matches of one or more of the host-agent network-transaction records to one or more of the network packet flows. The merged record gives the network policy enforcement module a complete picture of both the network traffic flow information along with the source information that participated in the network packet flows in order to apply network policies against the network packet flows.
    Type: Application
    Filed: June 3, 2019
    Publication date: July 16, 2020
    Inventors: Kenneth C. Nitz, Phillip Porras, Steven Cheung
  • Publication number: 20190281088
    Abstract: A network security policy may be implemented at network switches as a set of active packet disposition directives. In a dynamically programmable network, the network switches can be dynamically reprogrammed with new packet disposition directives. A security mediation service permits such dynamic reprogramming as long as the new directives are consistent with the then-current network security policy. The security mediation service evaluates candidate packet disposition directives for conflicts with the currently active security policy, before instantiating the candidate packet disposition directives at the network switches.
    Type: Application
    Filed: May 20, 2019
    Publication date: September 12, 2019
    Inventors: Phillip A. Porras, Martin W. Fong, Vinod Yegneswaran
  • Patent number: 10333988
    Abstract: A network security policy may be implemented at network switches as a set of active packet disposition directives. In a dynamically programmable network, the network switches can be dynamically reprogrammed with new packet disposition directives. A security mediation service permits such dynamic reprogramming as long as the new directives are consistent with the then-current network security policy. The security mediation service evaluates candidate packet disposition directives for conflicts with the currently active security policy, before instantiating the candidate packet disposition directives at the network switches.
    Type: Grant
    Filed: June 13, 2017
    Date of Patent: June 25, 2019
    Assignee: SRI International
    Inventors: Phillip A. Porras, Martin W. Fong, Vinod Yegneswaran
  • Patent number: 10291653
    Abstract: Network security management technology as disclosed herein generates and dynamically updates an intuitive, interactive visualization of a computer network in live operation. The network security management technology interprets human user interactions, such as gestures, as network directives, and updates the interactive visualization in response to the network directives.
    Type: Grant
    Filed: June 8, 2015
    Date of Patent: May 14, 2019
    Assignee: SRI International
    Inventors: Rukman Senanayake, Phillip A. Porras, Patrick D. Lincoln
  • Publication number: 20190132214
    Abstract: Network management technology as disclosed herein performs an impact analysis of actual or hypothetical network commands, and presents the impact analysis results to facilitate the user's understanding of the predicted consequences of the actual or hypothetical commands on network operations, management, or security.
    Type: Application
    Filed: December 27, 2018
    Publication date: May 2, 2019
    Inventors: Phillip A. Porras, Jeffrey Klaben, Patrick D. Lincoln, Martin W. Fong, Nicholas Chapin
  • Patent number: 10270803
    Abstract: In one embodiment, the present invention is a method and apparatus for detecting malware infection. One embodiment of a method for detecting a malware infection at a local host in a network includes monitoring communications between the local host and one or more entities external to the network, generating a dialog warning if the communications include a transaction indicative of a malware infection, declaring a malware infection if, within a predefined period of time, the dialog warnings include at least one dialog warning indicating a transaction initiated at the local host and at least one dialog warning indicating an additional transaction indicative of a malware infection, and outputting an infection profile for the local host.
    Type: Grant
    Filed: January 21, 2015
    Date of Patent: April 23, 2019
    Assignee: SRI International
    Inventors: Guofei Gu, Phillip A. Porras, Martin W. Fong
  • Patent number: 10250641
    Abstract: Network management technology as disclosed herein conducts conversational natural language dialog with a user to facilitate the user's analysis of network activity and the implementation of network security measures and other actions in furtherance of network operations, management, or security.
    Type: Grant
    Filed: July 23, 2015
    Date of Patent: April 2, 2019
    Assignee: SRI International
    Inventors: Phillip A. Porras, Jeffrey Klaben, Patrick D. Lincoln, Nicholas Chapin
  • Patent number: 10205637
    Abstract: Network management technology as disclosed herein performs an impact analysis of actual or hypothetical network commands, and presents the impact analysis results to facilitate the user's understanding of the predicted consequences of the actual or hypothetical commands on network operations, management, or security.
    Type: Grant
    Filed: August 12, 2015
    Date of Patent: February 12, 2019
    Assignee: SRI International
    Inventors: Phillip A. Porras, Jeffrey Klaben, Patrick D. Lincoln, Martin W. Fong, Nicholas Chapin
  • Publication number: 20190020689
    Abstract: A network security policy may be implemented at network switches as a set of active packet disposition directives. In a dynamically programmable network, the network switches can be dynamically reprogrammed with new packet disposition directives. An event auditor passively monitors network traffic and provides network activity data indicative of network flows to a network privilege manager. The network privilege manager determines a current network context based on the network activity data. In response to the current network context, the network privilege manager selects a security policy and generates one or more flow policy directives in accordance with the selected policy.
    Type: Application
    Filed: September 7, 2018
    Publication date: January 17, 2019
    Inventors: Phillip A. Porras, Kenneth C. Nitz
  • Patent number: 10116696
    Abstract: A network security policy may be implemented at network switches as a set of active packet disposition directives. In a dynamically programmable network, the network switches can be dynamically reprogrammed with new packet disposition directives. An event auditor passively monitors network traffic and provides network activity data indicative of network flows to a network privilege manager. The network privilege manager determines a current network context based on the network activity data. In response to the current network context, the network privilege manager selects a security policy and generates one or more flow policy directives in accordance with the selected policy.
    Type: Grant
    Filed: July 2, 2014
    Date of Patent: October 30, 2018
    Assignee: SRI International
    Inventors: Phillip A. Porras, Kenneth C. Nitz
  • Patent number: 10050868
    Abstract: Network management technology as disclosed herein generates and dynamically updates an intuitive, interactive visualization of a computer network in live operation. The network management technology interprets human user interactions, such as gestures, conversational natural language dialog, and combinations of gestures and natural language dialog, as network directives. The technology can implement the network directives to, for example, facilitate analysis of network activity or to respond to network security events.
    Type: Grant
    Filed: July 23, 2015
    Date of Patent: August 14, 2018
    Assignee: SRI International
    Inventors: Phillip A. Porras, Jeffrey Klaben, Patrick D. Lincoln, Nicholas Chapin
  • Patent number: 9917860
    Abstract: Network security management technology as disclosed herein generates and dynamically updates an intuitive, interactive visualization of a computer network in live operation. The network security management technology interprets human user interactions, such as gestures, as network directives. The network directives may be implemented by the network in response to security events.
    Type: Grant
    Filed: June 8, 2015
    Date of Patent: March 13, 2018
    Assignee: SRI International
    Inventors: Rukman Senanayake, Phillip A. Porras, Patrick D. Lincoln