Abstract: Systems and methods for providing remote network security using a network embeddings model are provided. A method consistent with the present disclosure includes retrieving a corpus of network activity data associated with a first network. The network activity data may be generated from users within the first network submitting network requests for network assets to service the network requests. The method also includes creating a crafted encoded corpus by selecting a subset of the corpus of network activity data and creating a network embeddings model based on the crafted encoded corpus. Lastly, the method includes generating an alert in an event that the network security system identifies an anomaly associated with the crafted encoded corpus of network activity data.

Abstract: Systems and methods are provided for utilizing natural language process (NLP), namely sequence prediction approaches, in the realm of network security. Techniques include analyzing network transaction records to form network sentences representative of network activity. The network sentences are formulated by regularizing transactions records using words, allowing the network sentences to represent the network activity using natural language terminology. In some cases, multiple variations of the network sentences having different sequences of words are generated to form a corpus of network sentences related to a semantics of network activity. Accordingly, an NLP-based network prediction model can be created and trained using the corpus of network sentences. The network prediction model can be trained over to identify dimensions corresponding to particular sequences of words in the network sentences, and predict an expected dimension.

Abstract: Systems and methods are provided for utilizing natural language process (NLP), namely semantic learning approaches in network security. Techniques include analyzing network transaction records to form a corpus related to a semantics of network activity. The corpus includes formulated network sentences, representing sequences of network entities that are accessed in the network. A corpus of network sentences can include sequences of servers accessed by each user. A network sentence embeddings model can be trained on the corpus. The network sentence embeddings model includes an embedding space of text that captures the semantic meanings of the network sentences. In sentence embeddings, network sentences with equivalent semantic meanings are co-located in the embeddings space. Further, proximity measures in the embedding space can be used to identify whether network sentences (e.g., access sequences), are semantically equivalent.

Abstract: Systems and methods for providing remote network security using a network embeddings model are provided. A method consistent with the present disclosure includes retrieving a corpus of network activity data associated with a first network. The network activity data may be generated from users within the first network submitting network requests for network assets to service the network requests. The method also includes creating a crafted encoded corpus by selecting a subset of the corpus of network activity data and creating a network embeddings model based on the crafted encoded corpus. Lastly, the method includes generating an alert in an event that the network security system identifies an anomaly associated with the crafted encoded corpus of network activity data.

Abstract: A system may select a list of servers in a computer network to perform behavioural profiling, wherein each server is associated with a domain name, the list of servers includes domain name entries, and the list of servers is prioritized according to a popularity value for each server. The system may update the list of servers based on a popularity threshold, partition the computer network into one of: subnetworks or subdomains, and establish a hierarchy along one of: the subnetworks or the subdomains based on the domain name entries in the list of servers. The system may update the popularity value for a server associated with a resolved network address, and may update the hierarchy along one of: the subnetworks or the subdomains based on the popularity value.

Abstract: Systems and methods are provided for utilizing natural language process (NLP), namely semantic learning approaches, in the realm of network security. Techniques include analyzing network transaction records to form a crafted corpus related to a semantics of network activity. The crafted corpus can be adapted to include sequences of network entities that are deemed most appropriate for analyzing a particular category related to network activity. For example, crafted corpuses can include sequences of servers accessed by each user, in order to identify activity trends in a user's normal activity. A network embeddings model can be trained on the crafted corpus. The network embeddings model includes an embedding space of text that represents interactions between network entities and captures contextual similarities of text, which further measures similarities between the network entities in the embedding space.

Abstract: A method including correlating a network address of a user to a domain name in a domain name system of a computing network, based on a service log, is provided. The method includes identifying a user group, generating a watch list of servers that control access to a new resource, and establishing a baseline behaviour for a client device based on a first access and a last access to one server in the watch list of servers during a time to live period. The method also includes adding the true network address and a correlated domain name to the baseline behaviour, retrieving a timestamp of an access by the client device to the network address, and flagging, as a violation, the access by the client device to the network address when the access is outside of a legitimate window around the baseline behaviour.

Abstract: A system may retrieve a packet in a network edge of a computer network. The system may identify a source address of the packet and a domain name that is being resolved that is associated with the packet and determining a time to live for the domain name, based at least in part on a record associated with the domain name. The server may further determine a relevance value indicative of an importance of a server associated with the domain name based at least in part on a frequency of the domain name in a domain name system list comprising a plurality of servers associated with a plurality of domain names, wherein the frequency is normalized by the time to live for the domain name. The system may sort the domain name system list according to the relevance value.

Abstract: Systems and methods are provided for utilizing natural language process (NLP), namely semantic learning approaches in network security. Techniques include analyzing network transaction records to form a corpus related to a semantics of network activity. The corpus includes formulated network sentences, representing sequences of network entities that are accessed in the network. A corpus of network sentences can include sequences of servers accessed by each user. A network sentence embeddings model can be trained on the corpus. The network sentence embeddings model includes an embedding space of text that captures the semantic meanings of the network sentences. In sentence embeddings, network sentences with equivalent semantic meanings are co-located in the embeddings space. Further, proximity measures in the embedding space can be used to identify whether network sentences (e.g., access sequences), are semantically equivalent.

Abstract: Systems and methods are provided for utilizing natural language process (NLP), namely sequence prediction approaches, in the realm of network security. Techniques include analyzing network transaction records to form network sentences representative of network activity. The network sentences are formulated by regularizing transactions records using words, allowing the network sentences to represent the network activity using natural language terminology. In some cases, multiple variations of the network sentences having different sequences of words are generated to form a corpus of network sentences related to a semantics of network activity. Accordingly, an NLP-based network prediction model can be created and trained using the corpus of network sentences. The network prediction model can be trained over to identify dimensions corresponding to particular sequences of words in the network sentences, and predict an expected dimension.

Abstract: Systems and methods are provided for utilizing natural language process (NLP), namely semantic learning approaches, in the realm of network security. Techniques include analyzing network transaction records to form a crafted corpus related to a semantics of network activity. The crafted corpus can be adapted to include sequences of network entities that are deemed most appropriate for analyzing a particular category related to network activity. For example, crafted corpuses can include sequences of servers accessed by each user, in order to identify activity trends in a user's normal activity. A network embeddings model can be trained on the crafted corpus. The network embeddings model includes an embedding space of text that represents interactions between network entities and captures contextual similarities of text, which further measures similarities between the network entities in the embedding space.

Abstract: Systems and methods for providing remote network security using a network embeddings model are provided. A method consistent with the present disclosure includes retrieving a corpus of network activity data associated with a first network. The network activity data may be generated from users within the first network submitting network requests for network assets to service the network requests. The method also includes creating a crafted encoded corpus by selecting a subset of the corpus of network activity data and creating a network embeddings model based on the crafted encoded corpus. Lastly, the method includes generating an alert in an event that the network security system identifies an anomaly associated with the crafted encoded corpus of network activity data.

Abstract: Systems and methods are provided for interactively clustering a plurality of devices within a communication network. Techniques can include collecting intent to access messages and service advertisement messages that are communicated to a plurality of devices within the communication network. The intent to access messages and service advertisement messages can be formatted in accordance with a discovery protocol. The collected messages are analyzed to identify services, attributes, and attribute values associated with the plurality of devices using text-based analysis. Distances separating each the plurality of devices according to an associated distance value, can be determined. Distance values relate to a degree of similarity between each of the plurality devices based on the identify services, attributes, and attribute values. Clusters of devices can be generated based on the determined distances.

Abstract: Systems and methods are provided for interactively clustering a plurality of devices within a communication network. Techniques can include collecting intent to access messages and service advertisement messages that are communicated to a plurality of devices within the communication network. The intent to access messages and service advertisement messages can be formatted in accordance with a discovery protocol. The collected messages are analyzed to identify services, attributes, and attribute values associated with the plurality of devices using text-based analysis. Distances separating each the plurality of devices according to an associated distance value, can be determined. Distance values relate to a degree of similarity between each of the plurality devices based on the identify services, attributes, and attribute values. Clusters of devices can be generated based on the determined distances.

Abstract: A network sensor that features a data store and a packet processing engine. In communication with the data store, the packet processing engine comprises (1) a cache management logic and (2) deduplication logic. The cache management logic is configured to analyze packets to determine whether (a) a packet under analysis include duplicated data and (b) content of the packet is targeted for storage in a same continuous logical storage area as the duplicated data. The deduplication logic, when activated by the cache management logic, is configured to generate a deduplication reference for insertion into the packet prior to storage.

Abstract: A system may identify a resource deployed in a computer, where discovery protocol data traffic is unencrypted. The system may receive metadata associated with the discovery protocol data traffic, update the computer network based at least in part on the information included in the metadata, and provide a response to the client. The system may authenticate a request from the client to access the resource using an encrypted protocol, and provide, to the client, access to the resource upon authentication, according to a resource attribute.

Abstract: A method including correlating a network address of a user to a domain name in a domain name system of a computing network, based on a service log, is provided. The method includes identifying a user group, generating a watch list of servers that control access to a new resource, and establishing a baseline behaviour for a client device based on a first access and a last access to one server in the watch list of servers during a time to live period. The method also includes adding the true network address and a correlated domain name to the baseline behaviour, retrieving a timestamp of an access by the client device to the network address, and flagging, as a violation, the access by the client device to the network address when the access is outside of a legitimate window around the baseline behaviour.

Abstract: A system may select a list of servers in a computer network to perform behavioural profiling, wherein each server is associated with a domain name, the list of servers includes domain name entries, and the list of servers is prioritized according to a popularity value for each server. The system may update the list of servers based on a popularity threshold, partition the computer network into one of: subnetworks or subdomains, and establish a hierarchy along one of: the subnetworks or the subdomains based on the domain name entries in the list of servers. The system may update the popularity value for a server associated with a resolved network address, and may update the hierarchy along one of: the subnetworks or the subdomains based on the popularity value.

Abstract: A system may retrieve a packet in a network edge of a computer network. The system may identify a source address of the packet and a domain name that is being resolved that is associated with the packet and determining a time to live for the domain name, based at least in part on a record associated with the domain name. The server may further determine a relevance value indicative of an importance of a server associated with the domain name based at least in part on a frequency of the domain name in a domain name system list comprising a plurality of servers associated with a plurality of domain names, wherein the frequency is normalized by the time to live for the domain name. The system may sort the domain name system list according to the relevance value.

Abstract: A system may identify a resource deployed in a computer network. In response to encountering a packet that is part of a flow of packets between the resource and a server in the computer network, the system may determine whether to mirror the packet based at least in part on whether the packet carries a header of a specified protocol. In response to determining to mirror the packet, the system may mirror additional packets of the flow of packets between the resource and the server until at least one of: encountering a marker or determining that a specified amount of data in the flow of packets has been mirrored.