Monitoring Or Scanning Of Software Or Data Including Attack Prevention Patents (Class 726/22)
  • Patent number: 11968222
    Abstract: Methods, storage systems and computer program products implement embodiments of the present invention that include identifying multiple host computers executing respective instances of a specific software application, each given instance on each given host computer including a set of program instructions loaded, by the host computer, from a respective storage device. Information on actions performed by the executing instances is collected from the host computers, and features are computed based on the information collected from the multiple host computers. The collected information for a given instance is compared to the features so as to classify the given instance as benign or suspicious, and an alert is generated for the given instance only upon classifying the given instance as suspicious.
    Type: Grant
    Filed: July 5, 2022
    Date of Patent: April 23, 2024
    Assignee: PALO ALTO NETWORKS (ISRAEL ANALYTICS) LTD.
    Inventors: Yuval Zan, Erez Levy, Dor Agron, Yarom Dadon, Chen Evgi
  • Patent number: 11968231
    Abstract: A processor may identify one or more predicted microservice chains for each of one or more user profiles. The one or more predicted microservice chains may be selected based on historical information. The one or more user profiles may each be associated with a respective user of a user device. The processor may analyze user specific information. The user specific information may be associated with the user device. The processor may determine, based on the user specific information, if the user device causes network intrusion. The processor may perform, based on the determination, an action for the user device.
    Type: Grant
    Filed: August 4, 2021
    Date of Patent: April 23, 2024
    Assignee: International Business Machines Corporation
    Inventors: Sudheesh S. Kairali, Sarbajit K. Rakshit
  • Patent number: 11968239
    Abstract: A system and method for the detection and mitigation of data source compromises in an adversarial information environment. The system and method feature the ability to scan for, ingest and process, and then use relational, wide column, and graph stores for capturing entity data, their relationships, and actions associated with them. Furthermore, meta-data is gathered and linked to the ingested data, which provides a broader contextual view of the environment leading up to and during an event of interest. Data quality analysis is conducted on the data as it is ingested in order to identify various data source metrics and determine if a data source may be compromised. The results of the data quality analysis, the identified metrics, the gathered data, and meta-data are used to manage the reputation of the contributing data sources. The system can make recommendations on data sources based on the data source reputation scoring.
    Type: Grant
    Filed: June 21, 2022
    Date of Patent: April 23, 2024
    Assignee: QOMPLX LLC
    Inventors: Jason Crabtree, Richard Kelley
  • Patent number: 11967214
    Abstract: A multimode system for receiving data in a retail environment includes: a secure input module for receiving high security input and low security input from a customer, the high security input to be communicated by the secure input module in cipher text, and the low security input to be communicated by the secure input module in plaintext. The multimode system is adapted to operate in a high security mode and a low security mode. The multimode system is adapted to enter the low security mode upon detection by the multimode system of a security breach condition. In the high security mode, the secure input module accepts low security input and high security input. In the low security mode, the secure input module accepts the low security input and does not accept the high security input.
    Type: Grant
    Filed: January 3, 2023
    Date of Patent: April 23, 2024
    Assignee: Wayne Fueling Systems LLC
    Inventors: Timothy M. Weston, Weiming Tang, David Spiller
  • Patent number: 11966466
    Abstract: A protection system is provided for delivering runtime security to a task including a workload container. The protection system uses a sidecar to limit access of the workload container to a standard library of the operating system running the workload container by modifying the task so that the sidecar is executed before the workload container. The sidecar places a guard loader into a shared volume and binds the workload container, such that calls to the workload container are passed to an agent binary. The agent binary compares requested calls from the workload container to a policy to approve and/or deny the requested calls. If the requested call is approved, then the requested call is passed to the standard library.
    Type: Grant
    Filed: January 10, 2022
    Date of Patent: April 23, 2024
    Assignee: Check Point Serverless Security Ltd.
    Inventors: Ohad Tanami, Itay Harush, Piyush Anand Deshpande, Devdatta Krishna Deshpande
  • Patent number: 11966382
    Abstract: Techniques facilitating hardware-based memory-error mitigation for heap-objects. In one example, a system can comprise a process that executes computer executable components stored in a non-transitory computer readable medium. The computer executable components comprise: an entry component; and a re-purpose component. The entry component can allocate an entry in a table to store bounds-information when an object is allocated in memory. The re-purpose component can re-purpose unused bits of an object address to store an index to the table entry.
    Type: Grant
    Filed: July 20, 2022
    Date of Patent: April 23, 2024
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Richard H. Boivie, Tong Chen, Alper Buyuktosunoglu, Gururaj Saileshwar
  • Patent number: 11966844
    Abstract: This application provides a method for training a neural network model and an apparatus. The method includes: obtaining annotation data that is of a service and that is generated by a terminal device in a specified period; training a second neural network model by using the annotation data that is of the service and that is generated in the specified period, to obtain a trained second neural network model; and updating a first neural network model based on the trained second neural network model. In the method, training is performed based on the annotation data generated by the terminal device, so that in an updated first neural network model compared with a universal model, an inference result has a higher confidence level, and a personalized requirement of a user can be better met.
    Type: Grant
    Filed: November 4, 2022
    Date of Patent: April 23, 2024
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Tao Ma, Qing Su, Ying Jin
  • Patent number: 11962613
    Abstract: An internal network can include a plurality of linked internal nodes, each internal node being configured to communicate with other internal nodes or with one or more external servers over an external network. The internal network can analyze the configuration of the internal nodes and the network traffic between internal nodes of the internal network and external servers. Based on the analysis, a network vulnerability score measuring the vulnerability of the internal network to attack can be determined. If the vulnerability score is below a threshold, the internal network can be isolated from the external network, for example by preventing internal nodes from communicating with or over the external network.
    Type: Grant
    Filed: June 28, 2023
    Date of Patent: April 16, 2024
    Assignee: UPGUARD, INC.
    Inventors: Michael Franz Baukes, Alan James Sharp-Paul
  • Patent number: 11956260
    Abstract: Systems and methods are disclosed to implement a cyberattack detection system that monitors a computer network for lateral movement. In embodiments, the system uses network data from a computer network to build a baseline of connection behaviors for the network. Connection graphs are generated from new network data that indicate groups of nodes that made connections with one another during a last time interval. The graphs are analyzed for connection behavior anomalies and ranked to determine a subset of graphs with suspected lateral movement. Graphs with suspected lateral movement may be further analyzed to determine a set of possible attack paths in the lateral movements. The suspected attack paths are reported to network administrators via a notification interface. Advantageously, the disclosed system is able to detect potential lateral movements in localized portions of a network by monitoring for connection behavior anomalies in network data gathered from the network.
    Type: Grant
    Filed: May 8, 2023
    Date of Patent: April 9, 2024
    Assignee: Rapid7, Inc.
    Inventors: Vasudha Shivamoggi, Roy Donald Hodgman, Katherine Wilbur
  • Patent number: 11947669
    Abstract: One embodiment of the described invention is directed to a computerized method for improving detection of cybersecurity threats initiated by a script. Herein, the method is configured to analyze the script provided as part of a script object by at least (i) determining whether any functional code blocks forming the script include a critical code statement, (ii) determining whether any of the functional code blocks include an evasive code statement, (iii) modifying the script to control processing of a subset of the functional code blocks by avoiding an execution code path including the evasive code statement and processing functional code blocks forming a code path including the critical code statement, and (iv) executing the modified script and monitoring behaviors of a virtual environment. Thereafter, the method is configured to determine whether the script includes cybersecurity threats based on the monitored behaviors.
    Type: Grant
    Filed: September 4, 2022
    Date of Patent: April 2, 2024
    Assignee: Musarubra US LLC
    Inventors: Sai Vashisht, Sushant Paithane, Imtiyaz Yunus Pathan
  • Patent number: 11948379
    Abstract: A system including at least one processor; and at least one memory having stored thereon computer program code that, when executed by the at least one processor, controls the at least one processor to: receive an email addressed to a user; separate the email into a plurality of email components; analyze, using respective machine-learning techniques, each of the plurality of email components; feed the analysis of each of the plurality of email components into a stacked ensemble analyzer; and based on an output of the stacked ensemble analyzer, determine whether the email is malicious.
    Type: Grant
    Filed: October 12, 2020
    Date of Patent: April 2, 2024
    Assignee: CAPITAL ONE SERVICES, LLC
    Inventors: Christopher Bayan Bruss, Stephen Fletcher, Lei Yu, Jakob Kressel
  • Patent number: 11947465
    Abstract: Aspects of the invention include receiving, at an operating system executing on a processor, a write request from a program to write data to a memory. The write request includes a virtual memory address and the data. It is determined that the virtual memory address is not assigned to a physical memory address. Based on the determining, the unassigned virtual memory address is assigned to a physical memory address in an overflow memory. The data is written to the physical memory address in the overflow memory and an indication that the write data was successfully written is returned to the program. Future requests by the program to access the virtual memory address are directed to the physical memory address in the overflow memory.
    Type: Grant
    Filed: October 13, 2020
    Date of Patent: April 2, 2024
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Michael Peter Lyons, Andrew C. M. Hicks, Tynan J. Garrett, Miles C. Pedrone
  • Patent number: 11943239
    Abstract: Novel tools and techniques are provided for implementing fraud or distributed denial of service (“DDoS”) protection for session initiation protocol (“SIP”)-based communication. In various embodiments, a computing system may receive, from a first router, first SIP data indicating a request to initiate a SIP-based media communication session between a calling party at a source address and a called party at a destination address. The computing system may analyze the received first SIP data to determine whether the received first SIP data comprises any abnormalities indicative of potential fraudulent or malicious actions. If so, the computing system may reroute the first SIP data to a security deep packet inspection (“DPI”) engine, which may perform a deep scan of the received first SIP data to identify any known fraudulent or malicious attack vectors contained within the received first SIP data. If so, the security DPI engine may initiate mitigation actions.
    Type: Grant
    Filed: August 24, 2021
    Date of Patent: March 26, 2024
    Assignee: Level 3 Communications, LLC
    Inventors: Adam Uzelac, Ronnie Bailey, Craig Richter
  • Patent number: 11934521
    Abstract: A system and method for a threat monitoring device for determining, within an industrial control system over a data communication network, cross-correlated behaviors of an information technology domain, an operational technology domain, and a physical access domain and associated threats. The method includes receiving sensor data from the information technology domain, sensor data from the operational technology domain, and sensor data from the physical access domain, fusing the sensor data of each of the domains to obtain fused sensor data, determining feature sets from the fused sensor data using behavior profiles, constructing behaviors as sets of the features over time periods, classifying the behaviors to determine a degree of anomaly, classifying anomalous behaviors to determine a threat probability, generating an alert based on the degree of anomaly and the threat probability, displaying particular sensor data and particular time periods associated with the alert.
    Type: Grant
    Filed: April 21, 2021
    Date of Patent: March 19, 2024
    Assignee: SONALYSTS, INC.
    Inventors: Scott Brunza, Timothy Ouellette, William Russ, Stephen Dorton
  • Patent number: 11936622
    Abstract: A system and method for providing dynamic network traffic policies. The method includes: detecting a cybersecurity risk on a workload deployed in a cloud computing environment, the cloud computing environment having a firewall connected to an untrusted network; and configuring the firewall to filter network traffic to the workload based on the detected cybersecurity risk.
    Type: Grant
    Filed: September 18, 2023
    Date of Patent: March 19, 2024
    Assignee: WIZ, INC.
    Inventors: Lidor Gonshorowitz, Oron Noah, Ami Luttwak, Yinon Costica, Roy Reznik
  • Patent number: 11934519
    Abstract: A method and system for mitigating against side channel attacks (SCA) that exploit speculative store-to-load forwarding is described. The method comprises conditioning store-to-load forwarding on the memory dependence predictor (MDP) being trained for that load instruction. Training involves identifying situations in which store-to-load forwarding could have been performed, but wasn't, and obversely, identifying situations in which store-to-load forwarding was performed but resulted in an error.
    Type: Grant
    Filed: January 13, 2022
    Date of Patent: March 19, 2024
    Assignee: Ventana Micro Systems Inc.
    Inventors: John G. Favor, Srivatsan Srinivasan
  • Patent number: 11928906
    Abstract: A reader system for an access control system includes first and second antennas and first and second controllers. The first controller is configured to communicate with a credential device using a first communication protocol via the first antenna to exchange a credential with the credential device. The second controller is configured to communicate with the credential device using a second communication protocol via the second antenna to perform ranging for the credential device and is configured to communicate with the first controller via a communication link.
    Type: Grant
    Filed: March 24, 2020
    Date of Patent: March 12, 2024
    Assignee: ASSA ABLOY AB
    Inventors: Hans-Juergen Pirch, Fredrik Carl Stefan Einberg, Tomas Lars Jonsson, Sylvain Jacques Prevost, Jan Steffl, Hans Gunnar Frank
  • Patent number: 11928733
    Abstract: Embodiments of the present disclosure relate to a data analysis system that may automatically generate memory-efficient clustered data structures, automatically analyze those clustered data structures, automatically tag and group those clustered data structures, and provide results of the automated analysis and grouping in an optimized way to an analyst. The automated analysis of the clustered data structures (also referred to herein as data clusters) may include an automated application of various criteria, rules, indicators, or scenarios so as to generate scores, reports, alerts, or conclusions that the analyst may quickly and efficiently use to evaluate the groups of data clusters.
    Type: Grant
    Filed: October 3, 2022
    Date of Patent: March 12, 2024
    Assignee: Palantir Technologies Inc.
    Inventors: Sean Hunter, Aditya Kumar, Jacob Albertson
  • Patent number: 11929988
    Abstract: Systems and methods are provided for dynamic virtual private network concentrators (VPNC) gateway selection and on-demand VRF-ID configuration. A dynamic VPNC gateway selection component can dynamically route to a particular VPNC gateway based on multiple user-specific factors, including: a) behavior of users on the network; and b) performance of a destination service/device. A dynamic VPNC gateway selection component can rank a user based on one or more factors relating to the behavior of the user. Also, the dynamic VPNC gateway selection component can determine whether a VPNC gateway at a data center is healthy, and whether a destination service at the data center is healthy. The dynamic VPNC gateway selection component can dynamically select a VPNC gateway from a plurality of VPNC gateways at the data center for communicating forwarded traffic from the user based on the user's ranking if either the VPNC gateway or the service are unhealthy.
    Type: Grant
    Filed: February 9, 2021
    Date of Patent: March 12, 2024
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Gopal Gupta, Abhinesh Mishra, Isaac Theogaraj, Aseem Sethi
  • Patent number: 11930018
    Abstract: According to some embodiments, a method performed by a classification scanner comprises receiving an electronic message and determining whether the electronic message includes an express indication from the user indicating that a classification applies to the electronic message. In response to determining that the electronic message does not include the express indication that the classification applies to the electronic message, the message further comprises sending the electronic message to a machine learning scanner. The machine learning scanner is adapted to use a machine learning policy to determine whether the classification applies to the electronic message.
    Type: Grant
    Filed: February 9, 2023
    Date of Patent: March 12, 2024
    Assignee: ZixCorp Systems, Inc.
    Inventors: Daniel Joseph Potkalesky, Mark Stephen DeMichele
  • Patent number: 11921846
    Abstract: Disclosed are systems and methods for improving interactions with and between computers in distributional similarity identification using randomized observations. In connection with an intrusion detection system monitoring a computing system, a pair of perturbed sample sets are generated using a pair of real sample sets (or real observations) and a pair of random sample sets (of randomly-selected observations), and a similarity measure representing a level of consistency in user behavior is determined. The systems improve the quality and accuracy of the similarity determination for use in intrusion detection.
    Type: Grant
    Filed: March 31, 2020
    Date of Patent: March 5, 2024
    Assignee: YAHOO ASSETS LLC
    Inventors: Stav Yanovsky Daye, Ran Wolff
  • Patent number: 11924018
    Abstract: A system executes automatic attribute inference and includes: a processor; a memory coupled to the memory; a first engine that executes automatic attribute inference; an extraction engine in communication with a managed infrastructure and the first engine, the extraction engine configured to receive managed infrastructure data; and a signaliser engine that includes one or more of an NMF engine, a k-means clustering engine and a topology proximity engine, the signaliser engine inputting a list of devices and a list of connections between components or nodes in the managed infrastructure, the signaliser engine determining one or more common characteristics and producing one or more clusters of events.
    Type: Grant
    Filed: September 24, 2021
    Date of Patent: March 5, 2024
    Assignee: Dell Products L.P.
    Inventors: Philip Tee, Robert Duncan Harper
  • Patent number: 11921749
    Abstract: A synchronization adapter is coupled to the application that does not support synchronization and generates the necessary synchronization metadata for all data in the application that is to be synchronized. The synchronization adapter then combines the metadata with the actual data to be synchronized to form a synchronization feed. The synchronization feed is stored in an internal cache (or data store) which is internal to the application, or an external cache (or data store), which is external to the application, or it can be stored in both caches. The synchronization adapter also intermittently determines whether the application data has changed, thus warranting a change in its metadata, or whether a synchronization operation is warranted to synchronize the data with data in another application. In either case, the synchronization adapter makes the changes to the data, or performs a synchronization operation.
    Type: Grant
    Filed: August 5, 2019
    Date of Patent: March 5, 2024
    Assignee: Microsoft Technology Licensing
    Inventors: Paresh Suthar, Jack Ozzie, Steven Lees
  • Patent number: 11924243
    Abstract: A search apparatus includes processing circuitry configured to extract fingerprints that are combinations of first communication data corresponding to requests and second communication data corresponding to responses to the requests, from communication data obtained by executing known malware, give degrees of priority corresponding to degrees of maliciousness of the malware, to the fingerprints, generate probes that are requests based on the first communication data included in the fingerprints and signatures based on the second communication data included in the fingerprints, decide, based on information about communication of sending-out destinations, search-target sending-out destinations from among the sending-out destinations, send out the probes generated to the search-target sending-out destinations decided in order according to the degrees of priority given, and determine whether the search-target sending-out destinations are malicious or not, based on whether responses to the probes sent out match th
    Type: Grant
    Filed: September 26, 2019
    Date of Patent: March 5, 2024
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Kazuma Shinomiya, Kazunori Kamiya
  • Patent number: 11916944
    Abstract: A security system detects and attributes anomalous activity in a network. The system logs user network activity, which can include ports used, IP addresses, commands typed, etc., and may detect anomalous activity by comparing users to find similar users, sorting similar users into cohorts, and comparing new user activity to logged behavior of the cohort. The comparison can include a divergence calculation. Origins of user activity can also be used to determine anomalous network activity. The hostname, username, IP address, and timestamp can be used to calculate aggregate scores and convoluted scores. The system extracts features from the logged anomalous network activity, and determines whether the activity is attributable to an actor profile by comparing the extracted features and attributes associated with the actor profile based upon previous activity attributed to the actor.
    Type: Grant
    Filed: November 22, 2021
    Date of Patent: February 27, 2024
    Assignee: Palantir Technologies Inc.
    Inventor: Daniel Bardenstein
  • Patent number: 11917711
    Abstract: Disclosed are a Radio Resource Control (RRC) state transition method, a terminal, a Centralized Unit (CU), a Distributed Unit (DU) and a computer-readable storage medium. The RRC state transition method includes: when a terminal changes from a current state to an RRC connected state, the terminal requests to resume an RRC connection by using an existing Signaling Radio Bearer (SRB) configuration; when the terminal receives a response from a Distributed Unit (DU) for request of resuming the RRC connection, if the response comprises a newly allocated SRB configuration, the terminal replaces the existing SRB configuration with the newly allocated SRB configuration to resume the RRC connection.
    Type: Grant
    Filed: October 24, 2022
    Date of Patent: February 27, 2024
    Assignee: ZTE Corporation
    Inventor: Na Liu
  • Patent number: 11917707
    Abstract: Embodiments described herein relate to methods and apparatuses for performing a re-establishment procedure. A method in a user equipment comprises: receiving a re-establishment message; upon reception of the re-establishment message, monitoring for an indication of an integrity check failure received from lower layers, wherein the indication relates to a first message or a second message received by the UE after transmitting a re-establishment request; responsive to the indication of the integrity check failure, performing actions upon going into an RRC_IDLE mode of operation; indicating a connection failure to upper layers; and based on the indication, upper layers triggering a recovery procedure.
    Type: Grant
    Filed: August 29, 2019
    Date of Patent: February 27, 2024
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Icaro Leonardo J. Da Silva, Magnus Stattin
  • Patent number: 11916950
    Abstract: The disclosure provides an approach for coordinating a distributed vulnerability network scan. Embodiments include sending, by a computing node, a check-in message to a scanning coordinator, the check-in message indicating attributes of the computing node. Embodiments include receiving, by the computing node, a scan configuration message from the scanning coordinator, the scan configuration message comprising: scan timing information for the computing node; and a list of scanning targets for the computing node. Embodiments include determining, by the computing node, a scanning time window based on the scan timing information for the computing node. Embodiments include scanning, by the computing node, one or more scanning targets in the list of scanning targets for the computing node during the scanning time window.
    Type: Grant
    Filed: April 12, 2021
    Date of Patent: February 27, 2024
    Assignee: VMware, Inc.
    Inventors: Sean Huntley, Akeem Jenkins, Marc Wayne Brotherson
  • Patent number: 11916932
    Abstract: In one embodiment, a traffic inspection service executed by an intermediary device obtains, from a monitoring agent executed by an endpoint device, keying information for an encrypted traffic session between the endpoint device and a remote entity. The traffic inspection service provides a notification to the monitoring agent that acknowledges receipt of the keying information. The traffic inspection service uses the keying information to decrypt encrypted traffic from the encrypted traffic session. The traffic inspection service applies a policy to the encrypted traffic session between the endpoint device and the remote entity, based on the decrypted traffic from the session.
    Type: Grant
    Filed: April 15, 2022
    Date of Patent: February 27, 2024
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Martin Rehak, David McGrew, Blake Harrell Anderson, Scott William Dunlop
  • Patent number: 11916948
    Abstract: Computer-implemented method of detecting potential cybersecurity threats from collected data pertaining to a monitored network, the collected data comprising network data and/or endpoint data. The method comprises structuring the collected data as at least one data matrix, each row of the data matrix being a datapoint and each column corresponding to a feature. The method also comprises identifying one or more datapoints as anomalous, thereby detecting a potential cybersecurity threat. The method also comprises extracting causal information about the anomalous datapoint based on an angular relationship between a second-pass coordinate vector of the anomalous datapoint and a second-pass coordinate vector of one or more features. The second-pass coordinate vectors are determined by applying a second-pass singular value decomposition (SVD) to a residuals matrix.
    Type: Grant
    Filed: November 17, 2022
    Date of Patent: February 27, 2024
    Assignee: Senseon Tech Ltd
    Inventor: Neil Caithness
  • Patent number: 11907319
    Abstract: The present invention is a website-based, Internet browser accessible method of behavior assessment that consists of a user within an organization accessing the website-hosted Workplace Behavior Observation Form (WBOF) through the Universal Resource Locator (URL) address for the site to answer all form items about an observed individual in the same workplace to determine when characteristics are identified indicating the presence of and predisposition to insider threat. When the WBOF is completed, the user completing the WBOF submits the form which then is automatically scored and analyzed by pattern classifiers trained using a multitude of past examples of known insider threat characteristics across all WBOF items as input which, in turn, provide outputs of threat and risk values that are embedded in a report template in designated locations to form a completed assessment of threat, organizational vulnerabilities, and risk to the organization. The completed report is forwarded to the user's email address.
    Type: Grant
    Filed: August 4, 2021
    Date of Patent: February 20, 2024
    Inventor: Gary Manuel Jackson
  • Patent number: 11909744
    Abstract: A network verification system obtains configuration data of a plurality of network devices, where a data model of the configuration data is described by using a general data modeling language independent of the network devices; and the network verification system verifies data links between the plurality of network devices based on the configuration data of the plurality of network devices and a topology structure between the plurality of network devices. The network verification system verifies the data links between the plurality of network devices based on the topology structure between the plurality of network devices and the configuration data described by using the general data modeling language independent of the network devices. This helps improve scalability of the network verification system and avoids relatively poor scalability of network simulation software that occurs when conventional network simulation software provides a template for configuration data of each type of network device.
    Type: Grant
    Filed: June 28, 2021
    Date of Patent: February 20, 2024
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Chao Xing, Keke Xu, Ying Chen
  • Patent number: 11909722
    Abstract: Various techniques for detecting homographs of domain names are disclosed. In some embodiments, a system, process, and/or computer program product for detecting homographs of domain names includes receiving a DNS data stream, wherein the DNS data stream includes a DNS query and a DNS response for resolution of the DNS query; applying a homograph detector for each domain in the DNS data stream; and detecting a homograph of a domain name in the DNS data stream using the homograph detector.
    Type: Grant
    Filed: May 27, 2022
    Date of Patent: February 20, 2024
    Assignee: Infoblox Inc.
    Inventor: Femi Olumofin
  • Patent number: 11909750
    Abstract: Disclosed herein is a fraud analysis data reduction technique. When reviewing a large set of data for potential fraudulent action there is often too much data for a human to reasonably analyze. A technique to reduce the overall amount of data associates entities that have duplicate values stored in corresponding data elements with one another and removes those entities that do not have at least one duplicate value. The entities with duplicate values are entered into a node graph and analyzed for connected components. The connected components analysis and a duplicate threshold analysis provide usable results to identify fraudulent activity.
    Type: Grant
    Filed: March 30, 2021
    Date of Patent: February 20, 2024
    Assignee: SPLUNK INC.
    Inventor: Andrew Morris
  • Patent number: 11909826
    Abstract: Various embodiments provide systems and methods for automatically defining and enforcing network sessions based upon at least four dimensions of segmentation.
    Type: Grant
    Filed: November 3, 2022
    Date of Patent: February 20, 2024
    Assignee: Fortinet, Inc.
    Inventor: Robert A. May
  • Patent number: 11907367
    Abstract: A dormant account identifier is disclosed. An inactive account can be determined based on whether a user activity of the account is outside a threshold amount. A determination can be made as to whether the inactive account is a dormant account based on account activity of a peer account to the inactive account.
    Type: Grant
    Filed: November 22, 2019
    Date of Patent: February 20, 2024
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Itay Argoety, Tomer Haimovich, Amir Harar
  • Patent number: 11907935
    Abstract: A system and method for reducing blockchain transaction delay are disclosed. The system consists of a trusted coin wallet framework that implements a trusted execution environment to initiate currency transactions between two clients. The trusted coin wallet framework includes an API proxy and a trusted shadow wallet. The method used by the trusted coin wallet framework involves interaction between the trusted shadow wallet and a peer trusted wallet owned by the other client, via the API proxy, from within the trusted execution environment. During these operations, the blockchain infrastructure is independently validating the transaction.
    Type: Grant
    Filed: September 1, 2021
    Date of Patent: February 20, 2024
    Assignee: Intel Corporation
    Inventors: Oleg Pogorelik, Guy Itzhaki, Rami Burstein
  • Patent number: 11899797
    Abstract: Systems and methods of detecting an exploit of a vulnerability of a computing device, including receiving an execution flow of at least one process running in a processor of the computing device, wherein the execution flow is received from a performance monitoring unit (PMU) of the processor, receiving memory pages from a memory of the computing device, reconstructing the execution flow of the process on another processor based on PMU data and the memory pages, running at least one exploit detection algorithm on the reconstructed process in order to identify an exploit attempt and issuing an alert.
    Type: Grant
    Filed: November 5, 2017
    Date of Patent: February 13, 2024
    Assignee: PERCEPTION POINT LTD
    Inventors: Shlomi Levin, Michael Aminov
  • Patent number: 11899830
    Abstract: A method may include detecting a keylogger based at least in part on an increase in power drawn by an input device, detecting the keylogger based at least in part on a driver of the input device, detecting the keylogger based at least in part on a duration of time that a signal generated by the input device takes to transmit to a computing device, or any combination thereof. The method may also include, in response to detecting the keylogger, generating an alert to indicate a presence of the keylogger.
    Type: Grant
    Filed: December 19, 2022
    Date of Patent: February 13, 2024
    Assignee: United Services Automobile Association (USAA)
    Inventors: Ashley Raine Philbrick, Ryan Thomas Russell, David Joaquin Harris
  • Patent number: 11902307
    Abstract: A system and method for assessing the identity fraud risk of an entity's (a user's, computer process's, or device's) behavior within a computer network and then to take appropriate action. The system uses real-time machine learning for its assessment. It records the entity's log-in behavior (conditions at log-in) and behavior once logged in to create an entity profile that helps identify behavior patterns. The system compares new entity behavior with the entity profile to determine a risk score and a confidence level for the behavior. If the risk score and confidence level indicate a credible identity fraud risk at log-in, the system can require more factors of authentication before log-in succeeds. If the system detects risky behavior after log-in, it can take remedial action such as ending the entity's session, curtailing the entity's privileges, or notifying a human administrator.
    Type: Grant
    Filed: December 1, 2020
    Date of Patent: February 13, 2024
    Assignee: CyberArk Software Ltd.
    Inventors: Yanlin Wang, Weizhi Li
  • Patent number: 11902293
    Abstract: A system, method, and computer-readable medium are disclosed for performing a security operation. The security operation includes: monitoring an entity, the monitoring observing at least one electronically-observable data source; identifying a security related activity of the entity, the security related activity being of analytic utility; accessing an entity behavior catalog based upon the security related activity, the entity behavior catalog providing an inventory of entity behaviors; and performing a security operation via a distributed security analytics environment, the security operation using entity behavior catalog data stored within the entity behavior catalog based upon the security related activity.
    Type: Grant
    Filed: December 22, 2020
    Date of Patent: February 13, 2024
    Assignee: Forcepoint LLC
    Inventors: Lawrence Bruce Huston, III, Nicolas Christian Fischbach, Raffael Marty
  • Patent number: 11899795
    Abstract: Disclosed is an electronic device configured to perform a secure boot. The electronic device according to an embodiment disclosed herein may include: a first memory area for storing a firmware signed with a private key; a second memory area for storing a boot loader configured to verify integrity of the firmware and execute the firmware of which integrity has been verified; and a third memory area for storing a first public key paired with the private key, wherein the second memory area may store a second public key paired with the private key. The boot loader may verify the integrity of the firmware with the first public key when there is the first public key in the third memory area and verify the integrity of the firmware with the second public key when there is no first public key in the third memory area.
    Type: Grant
    Filed: November 6, 2019
    Date of Patent: February 13, 2024
    Assignee: SECURITY PLATFORM INC.
    Inventor: Jong Ho Lee
  • Patent number: 11902232
    Abstract: A system adapted to link email conversations is disclosed. An email client identifies email conversations from email header information and presents the conversations along with other emails in a user's inbox. The user interface receives user inputs selecting first and second email conversations and specifying that the two should be linked. The email client generates an identifier and associates the identifier with emails that are comprised in the selected first and second conversations. When a recipient receives an email that is part of a conversation that has been linked by another user, the recipient's email client notifies the user of the prior linking and provides a button with which the recipient may also implement the link. A user may select to create a new email and link the new email to an existing conversation. An identifier is generated and associated with the new email and emails in the selected conversation.
    Type: Grant
    Filed: November 18, 2014
    Date of Patent: February 13, 2024
    Assignee: Amazon Technologies, Inc.
    Inventors: Ivo van Doorn, Floor Mesters
  • Patent number: 11901756
    Abstract: A charging cable has a current sensor, a charging state indicator and logic circuitry to operate the indicator based on detected levels of current flow to a chargeable device. If the sensor detects current below a low threshold, the logic circuitry operates the indicator to indicate that the cable is not connected to any chargeable device. If the sensor detects current above a higher threshold, the logic circuitry operates the indicator to provide a perceptible output indicating that the cable is connected to the chargeable device and the current is charging the battery. If the sensor detects current at or above the low threshold but below the high threshold, the logic circuitry operates the indicator to provide a perceptible output indicating that the cable is connected to a chargeable device but is not charging the battery of the device, e.g., when the battery is, or is nearly, fully charged.
    Type: Grant
    Filed: December 19, 2022
    Date of Patent: February 13, 2024
    Assignee: SNAP INC.
    Inventor: Shaheen Moubedi
  • Patent number: 11899798
    Abstract: Disclosed is a method and system for verifying a regex sanitizer and a validator. The method comprises verifying of at least one of a regex sanitizer and a validator by applying the regex sanitizer and a validator over multiple predefined tainted inputs. An output obtained after applying at least one of the regex sanitizer is checked for one of a tainted output or a non-tainted output. The at least one of the regex sanitizer and validator may be qualified as a valid regex sanitizer and validator based upon the checking. The valid regex sanitizer may be tagged with a validation signature. The valid regex sanitizer is used for checking the tainted input in the user's input.
    Type: Grant
    Filed: May 8, 2020
    Date of Patent: February 13, 2024
    Assignee: HCL TECHNOLOGIES LIMITED
    Inventors: Jonathan Afek, Gal Ben-Yair
  • Patent number: 11893117
    Abstract: A system facilitates detection of malicious properties of software packages. A generic application which comprises known functionality into which a software package has been included is analyzed through a static analysis and/or dynamic analysis, which is performed based on executing the generic application in a controlled environment. The static analysis and/or dynamic analysis are performed to determine whether one or more properties associated with the software package comprise deviations from the known behavior of the generic application. Behavior deviations identified based on the static and/or dynamic analysis are associated with a score. An aggregate score is calculated for the software package based on the scores which have been assigned to the identified behavior deviations and may be adjusted based on a reputation multiplier determined based on metadata of the software package. If the aggregate score of the software package exceeds a score threshold, the software package is flagged as malicious.
    Type: Grant
    Filed: May 20, 2022
    Date of Patent: February 6, 2024
    Assignee: Twistlock Ltd.
    Inventors: Ory Segal, Yuri Shapira, Avraham Shulman, Benny Nissimov, Shaked Yosef Zin
  • Patent number: 11895133
    Abstract: Embodiments of the present invention provide an innovative system, method, and computer program product for automated device activity analysis in both a forward and reverse fashion. A collaborative system for receiving data and continuously analyzing the data to determine emerging patterns associated with particular user devices is provided. The system is also designed to generate a historical query of user device touch points or interaction points with entity systems across multiple data vectors, and generate system alerts as patterns or potential issues are identified. Common characteristics of data may be used to detect patterns that are broadened in scope and used in a generative neural network approach.
    Type: Grant
    Filed: April 5, 2021
    Date of Patent: February 6, 2024
    Assignee: BANK OF AMERICA CORPORATION
    Inventors: Scott Anderson Sims, Jeffrey Brian Bashore, Michael Joseph Carroll, Christopher J. Cooley, Andrew DongHo Kim, Pavan Kumar Reddy Kotlo, Randy J. Nelson, Jennifer Quillen, Lizabeth Rosenberg, Dharmender Kumar Satija, James F. Stevens, Craig Douglas Widmann
  • Patent number: 11895116
    Abstract: A network device obtains information, associated with blacklisted domains, that includes blacklisted domain identifiers, and sinkhole server identifiers associated with the blacklisted domain identifiers. The network device obtains a set of rules that specify match criteria, associated with the blacklisted domains, that include source network addresses and/or destination network addresses for comparison to packet source network addresses and/or packet destination network addresses associated with incoming packets. The set of rules specify actions to perform based on a result of comparing the match criteria and the packet source network addresses and/or the packet destination network addresses for the incoming packets.
    Type: Grant
    Filed: January 13, 2021
    Date of Patent: February 6, 2024
    Assignee: Juniper Networks, Inc.
    Inventors: Dilip H. Sanghavi, Rishi K. Mutnuru
  • Patent number: 11893125
    Abstract: One or more event logs are received. The one or more event logs are analyzed using a plurality of models to detect one or more anomalous events. A graphical representation of risk entities associated with at least one of the one or more detected anomalous events is provided. A visual representation of automatically detected relationships between the risk entities associated with the at least one of the one or more detected anomalous events is provided in the graphical representation. Indications of measures of anomaly associated with detected anomalous events are provided for the associated risk entities.
    Type: Grant
    Filed: October 14, 2021
    Date of Patent: February 6, 2024
    Assignee: Cohesity, Inc.
    Inventors: Colin Scott Johnson, Mingran Li
  • Patent number: 11888874
    Abstract: Application-initiated network traffic is intercepted and analyzed by an application firewall in order to identify streams of traffic for a target application. An application signature generator preprocesses the raw data packets from the intercepted network traffic by tokenizing the data packets and then weighting each token according to its importance for application identification. The weighted features for each data packet are clustered using an unsupervised learning model, and the resulting clusters are iteratively refined and re-clustered using a proximity score between the clusters and feature vectors for key tokens for the target application. The application signature generator generates a signature for the clusters corresponding to the target application which the application firewall implements for filtering network traffic.
    Type: Grant
    Filed: October 31, 2022
    Date of Patent: January 30, 2024
    Assignee: Palo Alto Networks, Inc.
    Inventor: Stefan Achleitner