Abstract: Network traffic inspection is disclosed. An application executing on a client device as an operating system that uses a virtual private network (VPN) stack of the operating system intercepts a first IP packet. The application determines that a policy should be applied to the intercepted first IP packet. The policy is applied to the intercepted first IP packet.

Abstract: A new approach is proposed that contemplates systems and methods to support quick recovery of an appliance by adopting a multi-layered filesystem having a plurality of layers that enables recovery and restoration of the appliance to factory default settings in seconds. In some embodiments, the multi-layered filesystem adopts a copy-on-write paradigm for all I/O operations to the appliance to create and superimpose an overlay layer by copying data from a read-only bottom layer of the appliance for modification and recovery of the appliance. The plurality of layers of the multi-layered filesystem are also tied to a general-purpose reset button or a software interface for implementation of an instant factory reset feature. When a reset signal is sent via the reset button or the software interface, one or more of the plurality of layers of the multi-layered filesystem are modified accordingly to provide a clean factory-reset of the appliance.

Abstract: A new approach is proposed to support software validation and licensing management. An instance of a software component deployed to a physical computing device is configured to request a copy of license of the software component from a license server out-of-band before the software component can be installed and/or booted up on the physical computing device. Upon receiving a request for the copy of license from the instance of the software component, the license server is configured to grant or deny the request based on the current number of copies of license of the software component available. If the request is granted, the instance of the software component is booted up on the physical computing device. During its operation, the instance of the software component continues to communicate with the license server periodically to indicate whether the copy of license assigned by the server is still in use.

Abstract: A new approach is proposed that supports IP address lookup. An IP address updater creates a bitmap of an IP address space, wherein each bit in the bitmap corresponds to an IP address in the IP address space. The compressed bitmap is then populated and stored permanently on a shared memory storage that is accessible by multiple client applications at the same time. The client applications may each establish and maintain a connection to the shared memory storage through an IP address lookup agent. When a lookup request for an IP address is received, the IP address lookup agent checks the bitmap and associated information of the IP address space on the shared memory storage to determine if the IP address is malicious or not and to inform the client application making the request accordingly, while the bitmap on the shared memory storage is updated with new IP address update.

Abstract: Network traffic inspection is disclosed. An application executing on a client device as an operating system that uses a virtual private network (VPN) stack of the operating system intercepts a first IP packet. The application determines that a policy should be applied to the intercepted first IP packet. The policy is applied to the intercepted first IP packet.

Abstract: An approach is proposed to support Internet traffic inspection to detect and prevent access to blocked websites or resources. First, access requests initiated by users to websites hosted on servers over a network are intercepted by an inspection agent, which identifies and caches a pair of the domain/host name of each website and its corresponding IP address on the Internet to a localized DNS cache. When a newly intercepted access request identifies the website by its IP address only without specifying its domain/host name, the inspection agent looks up the domain name by its IP address from the DNS cache. If no domain name is found, the inspection agent redirects the access request to a proxy server instead of forwarding it to the server hosting the website for further inspection. The proxy server then inspects the IP address to determine if it is a legitimate website or not.

Abstract: A new approach is proposed to support appliance configuration identification and profiling management. An appliance scanning component running on an appliance is configured to scan, examine, and determine current configuration of the appliance including hardware components and/or software components installed on the appliance. The configuration of the appliance is then provided to an appliance profiling engine running on a server, wherein the appliance profiling engine hashes the configuration of the appliance into a unique identifier of the appliance and look up a model of the appliance from an appliance profiling database using the unique identifier as a key. If the configuration of the appliance is not found, the appliance profiling engine identifies discrepancies between the configuration of the appliance and other appliances in the appliance profiling database to determine if the appliance is a new model, a revision of an existing model, or is simply misconfigured.

Abstract: A method and apparatus are described for user protection from external e-mail attack. Some embodiments pertain to receiving a first e-mail at an e-mail client, receiving a detection of a suspicious element in the first e-mail from a detection system, flagging the first e-mail as suspicious with a first flag and a first warning level in response to receiving the detection, flagging a second e-mail with a second flag and a second warning level, displaying the first and second flags with explanatory text in a mailbox view of the e-mail client without opening the first and second e-mail for display to the user, the suspicious element not being selectable in the mailbox view, and sorting the first and the second e-mail with other e-mails of the mailbox view based on the flag warning levels.

Abstract: A new approach is proposed to support account takeover (ATO) detection based on login attempts by users. The approach relies on assessing fraudulence confidence level of login IP addresses to classify the login attempts by the users. A plurality of attributes/features in one or more user login data logs are extracted and used to build a labeled dataset for training a machine learning (ML) model that relies on statistics of the login attempts to classify and detect fraudulent logins. These attributes make it possible to ascertain if a login attempt or instance by a user is suspicious based on the ML model. In some embodiments, the ML model is trained using anonymized user login data to preserve privacy of the users and a proper level of data anonymization is determined based on the ML model's accuracy in detecting the ATO attacks when trained with different versions of the anonymized data.

Abstract: An approach is proposed to support user-specific real time anti-phishing training of email recipients using real phishing attacks. When a recipient triggers an active content such as an URL link embedded in and/or opens an attachment to an email arrived at the recipient's account, the triggered active content is synchronously intercepted and examined in real time for potential malicious intent of a phishing attack. If the triggered active content is determined to be safe, the recipient is allowed to access the content. If the active content is determined to be malicious, the active content is blocked and the recipient is redirected a safe blocking mechanism. The recipient is then provided with an anti-phishing training exercise, which is specifically customized for the recipient based on the blocked active content in the payload of the email and/or the recipient's security posture and awareness.

Abstract: A new approach is proposed to support firewall protection of dynamically introduced routes in an internal communication network. Under the proposed approach, all routes dynamically introduced into the internal communication network via a dynamic routing service are dynamically learned and tagged by a route collection engine. A dynamic network object is created, which is a software component configured to store a plurality of single IP addresses and/or IP address ranges of the dynamically learned routes in a dynamic routing network. A firewall engine of the internal communication network is configured to create one or more firewall rules referencing the dynamic network object and apply various security measures/policies to network data packets routed on the dynamically learned routes in the dynamic routing network based on IP address matching with the dynamic network object.

Abstract: A new approach is proposed to support account takeover (ATO) detection based on login attempts by users. The approach relies on assessing fraudulence confidence level of login IP addresses to classify the login attempts by the users. A plurality of attributes/features in one or more user login data logs are extracted and used to build a labeled dataset for training a machine learning (ML) model that relies on statistics of the login attempts to classify and detect fraudulent logins. These attributes make it possible to ascertain if a login attempt or instance by a user is suspicious based on the ML model. In some embodiments, the ML model is trained using anonymized user login data to preserve privacy of the users and a proper level of data anonymization is determined based on the ML model's accuracy in detecting the ATO attacks when trained with different versions of the anonymized data.

Abstract: A new approach is proposed to support autonomous similar and adjacent attack identification. First, an incident is created for a detected suspicious electronic message-borne attack at one user account with one tenant on an electronic communication platform. A plurality of insight events for similar or adjacent attacks are then generated automatically based on the detected attack and inserted into an insights queue. For each of the insight events in the insights queue, a search is conducted in a repository to identify a set of un-remediated attacks against user accounts of the same or different tenants on the electronic communication platform, wherein the set of un-remediated attacks are similar or adjacent to the detected attack. Insights on the identified un-remediated attacks against the user accounts in the same or different tenants that are similar or adjacent to the detected attack are automatically generated for an administrator and are remediated accordingly.

Abstract: External messaging attacks are detected using trust relationships. A profile is built for each target within an organization using extracted header data from multiple prior messages. Trust scores are derived for each sender of a message for each target profile, each trust score is derived from a degree and a quantity of communication between the respective sender and the target in the extracted header data. Incoming messages are received and a target and a sender of each incoming message is determined. A trust score is retrieved for the sender from the profile of the target for each incoming message, labels are generated for each of incoming message based on the respective trust score, and the respective label is applied to be visible to the target in association with the message for each respective message.

Abstract: A new approach is proposed that contemplates systems and methods to support utilizing security device plugins for external device control and monitoring in a secured environment. A plugin that implements one or more functionalities to communicate with and to control operations of an external device is provided to a network security device/appliance. The plugin is then loaded to the network security appliance and integrated with a software running on the network security device, wherein the software obtains the functionalities offered by the plugin. A communication link is established between the plugin of the network security device and the external device following a communication protocol. The network security device is then configured to issue/receive one or more commands to/from the external device following the communication protocol to monitor and collect information from and/or control or be controlled by the external device remotely.

Abstract: A new network security device/appliance is proposed to not only protect, but also to control and operate an industrial IoT device. Specifically, the network security device is configured to detect and block cyber attacks such as viruses, hacking attempts, and other types of cyber threats launched from an outside network against the industrial IoT device based on a set of configurable rules. In addition, the network security device is further configured to control and operate the industrial IoT device remotely in response to the cyber attacks by issuing and communicating certain instructions/command to the industrial IoT device. Besides accepting and executing control command from the network security device, the industrial IoT device is also configured to send a request to the network security device to make certain adjustments to the rules concerning network traffic directed to the industrial IoT device.

Abstract: Techniques for inspecting network traffic are disclosed. An application executing as an operating system extension that uses a virtual private network (VPN) stack of the operating system intercepts an Internet protocol (IP) packet for delivery to a remote computer system. A determination is made of an alteration action to take in response to intercepting the packet. The determined action is taken.

Abstract: A reverse TCP/IP stack infrastructure is disclosed. In an example use, an application executing on a client device as an operating system extension that uses a virtual private network stack of the operating system intercepts a first IP packet generated by a client program. The application determines that the first IP packet comprises a Transmission Control Protocol synchronize message and opens a socket to a destination Internet Protocol address and destination port. A synchronize acknowledgement is received. A packet to transmit to the client program is synthesized that includes a synchronize acknowledgment.

Abstract: A new approach is proposed to support generating and presenting to a user cyber attack monetary impact estimation of a current or future cyber attack, which is used to stop monetary losses or to mitigate monetary impacts. First, both historic data and real time data on monetary impact of current and/or potential cyber attacks is continuously collected from a plurality of data pools. The collected data is then synchronized, correlated and filtered/cleansed once the data is available to create fidelity among the data from the plurality of data pools. The cyber attack monetary impact is calculated based on the correlated and cleansed data, and is presented to the user along with one or more suggested applications by the user in response to the cyber attack monetary impact, to mitigate the monetary impact of the current or future cyber attack.

Abstract: A new approach is proposed to support data filtering in machine learning (ML) to detect impersonation attacks. First, filters are applied to filter data or information collected from a user in order to extract features that are specific and/or unique for the identification of the user. The features extracted from the set of data are then used to train ML models configured to identify a set of key characteristics of electronic messages or web-based resources originated by the user. When a new electronic message or web-based resource purported to be from the user is intercepted, one or more of the trained ML models that are applicable are utilized to determine or predict if the newly intercepted electronic message or web-based resource is indeed originated by the user or is impersonated by an attacker under the same filtering criteria as training of the corresponding ML models.