Abstract: Network traffic inspection is disclosed. An application executing on a client device as an operating system that uses a virtual private network (VPN) stack of the operating system intercepts a first IP packet. The application determines that a policy should be applied to the intercepted first IP packet. The policy is applied to the intercepted first IP packet.

Abstract: An approach is proposed to support Internet traffic inspection to detect and prevent access to blocked websites or resources. First, access requests initiated by users to websites hosted on servers over a network are intercepted by an inspection agent, which identifies and caches a pair of the domain/host name of each website and its corresponding IP address on the Internet to a localized DNS cache. When a newly intercepted access request identifies the website by its IP address only without specifying its domain/host name, the inspection agent looks up the domain name by its IP address from the DNS cache. If no domain name is found, the inspection agent redirects the access request to a proxy server instead of forwarding it to the server hosting the website for further inspection. The proxy server then inspects the IP address to determine if it is a legitimate website or not.

Abstract: A new approach is proposed to support appliance configuration identification and profiling management. An appliance scanning component running on an appliance is configured to scan, examine, and determine current configuration of the appliance including hardware components and/or software components installed on the appliance. The configuration of the appliance is then provided to an appliance profiling engine running on a server, wherein the appliance profiling engine hashes the configuration of the appliance into a unique identifier of the appliance and look up a model of the appliance from an appliance profiling database using the unique identifier as a key. If the configuration of the appliance is not found, the appliance profiling engine identifies discrepancies between the configuration of the appliance and other appliances in the appliance profiling database to determine if the appliance is a new model, a revision of an existing model, or is simply misconfigured.

Abstract: A method and apparatus are described for user protection from external e-mail attack. Some embodiments pertain to receiving a first e-mail at an e-mail client, receiving a detection of a suspicious element in the first e-mail from a detection system, flagging the first e-mail as suspicious with a first flag and a first warning level in response to receiving the detection, flagging a second e-mail with a second flag and a second warning level, displaying the first and second flags with explanatory text in a mailbox view of the e-mail client without opening the first and second e-mail for display to the user, the suspicious element not being selectable in the mailbox view, and sorting the first and the second e-mail with other e-mails of the mailbox view based on the flag warning levels.

Abstract: A new approach is proposed to support account takeover (ATO) detection based on login attempts by users. The approach relies on assessing fraudulence confidence level of login IP addresses to classify the login attempts by the users. A plurality of attributes/features in one or more user login data logs are extracted and used to build a labeled dataset for training a machine learning (ML) model that relies on statistics of the login attempts to classify and detect fraudulent logins. These attributes make it possible to ascertain if a login attempt or instance by a user is suspicious based on the ML model. In some embodiments, the ML model is trained using anonymized user login data to preserve privacy of the users and a proper level of data anonymization is determined based on the ML model's accuracy in detecting the ATO attacks when trained with different versions of the anonymized data.

Abstract: An approach is proposed to support user-specific real time anti-phishing training of email recipients using real phishing attacks. When a recipient triggers an active content such as an URL link embedded in and/or opens an attachment to an email arrived at the recipient's account, the triggered active content is synchronously intercepted and examined in real time for potential malicious intent of a phishing attack. If the triggered active content is determined to be safe, the recipient is allowed to access the content. If the active content is determined to be malicious, the active content is blocked and the recipient is redirected a safe blocking mechanism. The recipient is then provided with an anti-phishing training exercise, which is specifically customized for the recipient based on the blocked active content in the payload of the email and/or the recipient's security posture and awareness.

Abstract: A new approach is proposed to support firewall protection of dynamically introduced routes in an internal communication network. Under the proposed approach, all routes dynamically introduced into the internal communication network via a dynamic routing service are dynamically learned and tagged by a route collection engine. A dynamic network object is created, which is a software component configured to store a plurality of single IP addresses and/or IP address ranges of the dynamically learned routes in a dynamic routing network. A firewall engine of the internal communication network is configured to create one or more firewall rules referencing the dynamic network object and apply various security measures/policies to network data packets routed on the dynamically learned routes in the dynamic routing network based on IP address matching with the dynamic network object.

Abstract: A new approach is proposed to support account takeover (ATO) detection based on login attempts by users. The approach relies on assessing fraudulence confidence level of login IP addresses to classify the login attempts by the users. A plurality of attributes/features in one or more user login data logs are extracted and used to build a labeled dataset for training a machine learning (ML) model that relies on statistics of the login attempts to classify and detect fraudulent logins. These attributes make it possible to ascertain if a login attempt or instance by a user is suspicious based on the ML model. In some embodiments, the ML model is trained using anonymized user login data to preserve privacy of the users and a proper level of data anonymization is determined based on the ML model's accuracy in detecting the ATO attacks when trained with different versions of the anonymized data.

Abstract: A new approach is proposed to support autonomous similar and adjacent attack identification. First, an incident is created for a detected suspicious electronic message-borne attack at one user account with one tenant on an electronic communication platform. A plurality of insight events for similar or adjacent attacks are then generated automatically based on the detected attack and inserted into an insights queue. For each of the insight events in the insights queue, a search is conducted in a repository to identify a set of un-remediated attacks against user accounts of the same or different tenants on the electronic communication platform, wherein the set of un-remediated attacks are similar or adjacent to the detected attack. Insights on the identified un-remediated attacks against the user accounts in the same or different tenants that are similar or adjacent to the detected attack are automatically generated for an administrator and are remediated accordingly.

Abstract: External messaging attacks are detected using trust relationships. A profile is built for each target within an organization using extracted header data from multiple prior messages. Trust scores are derived for each sender of a message for each target profile, each trust score is derived from a degree and a quantity of communication between the respective sender and the target in the extracted header data. Incoming messages are received and a target and a sender of each incoming message is determined. A trust score is retrieved for the sender from the profile of the target for each incoming message, labels are generated for each of incoming message based on the respective trust score, and the respective label is applied to be visible to the target in association with the message for each respective message.

Abstract: A new approach is proposed that contemplates systems and methods to support utilizing security device plugins for external device control and monitoring in a secured environment. A plugin that implements one or more functionalities to communicate with and to control operations of an external device is provided to a network security device/appliance. The plugin is then loaded to the network security appliance and integrated with a software running on the network security device, wherein the software obtains the functionalities offered by the plugin. A communication link is established between the plugin of the network security device and the external device following a communication protocol. The network security device is then configured to issue/receive one or more commands to/from the external device following the communication protocol to monitor and collect information from and/or control or be controlled by the external device remotely.

Abstract: A new network security device/appliance is proposed to not only protect, but also to control and operate an industrial IoT device. Specifically, the network security device is configured to detect and block cyber attacks such as viruses, hacking attempts, and other types of cyber threats launched from an outside network against the industrial IoT device based on a set of configurable rules. In addition, the network security device is further configured to control and operate the industrial IoT device remotely in response to the cyber attacks by issuing and communicating certain instructions/command to the industrial IoT device. Besides accepting and executing control command from the network security device, the industrial IoT device is also configured to send a request to the network security device to make certain adjustments to the rules concerning network traffic directed to the industrial IoT device.

Abstract: Techniques for inspecting network traffic are disclosed. An application executing as an operating system extension that uses a virtual private network (VPN) stack of the operating system intercepts an Internet protocol (IP) packet for delivery to a remote computer system. A determination is made of an alteration action to take in response to intercepting the packet. The determined action is taken.

Abstract: A reverse TCP/IP stack infrastructure is disclosed. In an example use, an application executing on a client device as an operating system extension that uses a virtual private network stack of the operating system intercepts a first IP packet generated by a client program. The application determines that the first IP packet comprises a Transmission Control Protocol synchronize message and opens a socket to a destination Internet Protocol address and destination port. A synchronize acknowledgement is received. A packet to transmit to the client program is synthesized that includes a synchronize acknowledgment.

Abstract: A new approach is proposed to support generating and presenting to a user cyber attack monetary impact estimation of a current or future cyber attack, which is used to stop monetary losses or to mitigate monetary impacts. First, both historic data and real time data on monetary impact of current and/or potential cyber attacks is continuously collected from a plurality of data pools. The collected data is then synchronized, correlated and filtered/cleansed once the data is available to create fidelity among the data from the plurality of data pools. The cyber attack monetary impact is calculated based on the correlated and cleansed data, and is presented to the user along with one or more suggested applications by the user in response to the cyber attack monetary impact, to mitigate the monetary impact of the current or future cyber attack.

Abstract: A new approach is proposed to support data filtering in machine learning (ML) to detect impersonation attacks. First, filters are applied to filter data or information collected from a user in order to extract features that are specific and/or unique for the identification of the user. The features extracted from the set of data are then used to train ML models configured to identify a set of key characteristics of electronic messages or web-based resources originated by the user. When a new electronic message or web-based resource purported to be from the user is intercepted, one or more of the trained ML models that are applicable are utilized to determine or predict if the newly intercepted electronic message or web-based resource is indeed originated by the user or is impersonated by an attacker under the same filtering criteria as training of the corresponding ML models.

Abstract: An approach is proposed to support Internet traffic inspection to detect and prevent access to blocked websites or resources. First, access requests initiated by users to websites hosted on servers over a network are intercepted by an inspection agent, which identifies and caches a pair of the domain/host name of each website and its corresponding IP address on the Internet to a localized DNS cache. When a newly intercepted access request identifies the website by its IP address only without specifying its domain/host name, the inspection agent looks up the domain name by its IP address from the DNS cache. If no domain name is found, the inspection agent redirects the access request to a proxy server instead of forwarding it to the server hosting the website for further inspection. The proxy server then inspects the IP address to determine if it is a legitimate website or not.

Abstract: A new approach is proposed that contemplates systems and methods to support scanning through a file of large size without having to load the entire file into memory of single file parser or scanner. The proposed approach is configured to divide a ginormous file to be parsed and scanned into a plurality of sections following a divide and conquer scheme. The plurality sections of the file are then parsed and loaded to a plurality of file scanners each configured to scan its allocated file section of a certain file type. Each of the plurality of file scanners is then configured to extract and evaluate from its allocated section file parts that can be harmful to a user of the file and/or expose sensitive/protected information of the user. The scan results are then collected, analyzed, and report to a user with a final determination on the malicious content and sensitive data.

Abstract: A new approach is proposed that contemplates systems and methods to support email account takeover detection and remediation by utilizing an artificial intelligence (AI) engine/classifier that detects and remediates such attacks in real time. The AI engine is configured to continuously monitor and identify communication patterns of a user on an electronic messaging system of an entity via application programming interface (API) calls. The AI engine is then configured to collect and utilize a variety of features and/or signals from an email sent from an internal email account of the entity. The AI engine combines these signals to automatically detect whether the email account has been compromised by an external attacker and alert the individual user of the account and/or a system administrator accordingly in real time. The AI engine further enables the parties to remediate the effects of the compromised email account by performing one or more remediating actions.

Abstract: An approach is proposed to support neutralizing real cyber threats to training materials by intercepting, modifying and redistributing active content(s) of an email arrived at a recipient's email account. Specifically, when the recipient triggers an active content such as an URL link embedded in and/or opens an attachment to the email, the triggered active content is synchronously intercepted and examined in real time for potential malicious intent of a phishing attack. If the active content is determined to be malicious, the malicious active content in the email is then disassembled and deactivated while the payload is reconstructed with links and markings for training purposes. The recipient is then provided with an anti-phishing training exercise, wherein content of the training exercise is specifically customized for the recipient based on the reconstructed payload of the received email and/or the recipient's security posture and awareness.