Abstract: The disclosed computer-implemented method for detecting anomalous behavior within computing sessions may include (i) identifying, by the computing device, a set of execution events that correspond to a computing session, (ii) providing, by the computing device, the set of execution events as input to an autoencoder, (iii) receiving, by the computing device and from the autoencoder, a reconstruction error associated with autoencoding the set of execution events, (iv) detecting, by the computing device and based on the reconstruction error, an anomaly within the computing session, and (v) performing, by the computing device, a security action to address the anomaly within the computing session. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The present disclosure relates to using correlations between support interaction data and telemetry data to discover emerging incidents for remediation. One example method generally includes receiving a corpus of support interaction data and a corpus of telemetry data. Topics indicative of underlying problems experienced by users of an application are extracted from the corpus of support interaction data. A topic having a rate of appearance in the support interaction data above a threshold value is identified. A set of telemetry data relevant to the topic is extracted from the corpus of telemetry data, and a subset of the relevant set of telemetry data having a frequency in the relevant set of telemetry data above a second threshold value is identified. The topic and the subset of telemetry data are correlated to an incident to be remediated, and one or more actions are taken to remedy the incident.

Abstract: An autonomous controller for SDN, virtual, and/or physical networks can be used to optimize a network automatically and determine new optimizations as a network scales. The controller trains models that can determine in real-time the optimal path for the flow of data from node A to B in an arbitrary network. The controller processes a network topology to determine relative importance of nodes in the network. The controller reduces a search space for a machine learning model by selecting pivotal nodes based on the determined relative importance. When a demand to transfer traffic between two hosts is detected, the controller utilizes an AI model to determine one or more of the pivotal nodes to be used in routing the traffic between the two hosts. The controller determines a path between the two hosts which comprises the selected pivotal nodes and deploys a routing configuration for the path to the network.

Abstract: The disclosed computer-implemented method for protection of storage systems using decoy data may include identifying an original file comprising sensitive content to be protected against malicious access and protecting the sensitive content. Protecting the sensitive content may include (i) processing the original file to identify a structure of the original file and the sensitive content of the original file, (ii) generating a decoy file using the structure of the original file and using substitute content in a location corresponding to the sensitive content of the original file, and (iii) storing the decoy file with the original file. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for executing decision trees may include (i) executing a security classification decision tree that classifies an input data item, (ii) gathering, simultaneously using a gather instruction, values for both a current threshold at a parent node of the security classification decision tree and a subsequent threshold at a child node of the parent node, (iii) gathering, simultaneously using the gather instruction, values for both a current measurement at the parent node and a subsequent measurement at the child node, (iv) comparing, simultaneously using a comparison instruction, the current threshold at the parent node with the current measurement at the parent node and the subsequent threshold at the child node with the subsequent measurement at the child node, and (v) performing a security action to protect the computing device. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-executed process receives an object that characterizes a navigation capability of a website. The object includes a navigation parameter that specifies a navigation page of the web site, and a query parameter that specifies a subset of content of the navigation page. The process also executes a script to dynamically generate a navigation structure based upon the object data. The process detects selection of a navigation component of the navigation structure, and updates an address in a Uniform Resource Locator (URL) bar of the browser with a composite resource identifier to retrieve a requested subset of content of the selected navigation page. The composite resource identifier includes a subordinate resource identifier that identifies the navigation page, which is derived from the navigation parameter and at least one query derived from the query parameter, which specifies the requested subset of content of the navigation page.

Abstract: The disclosed computer-implemented method for detecting covert channels structured in Internet Protocol (IP) transactions may include (1) intercepting an IP transaction including textual data and a corresponding address, (2) evaluating the textual data against a model to determine a difference score, (3) determining that the textual data is suspicious when the difference score exceeds a threshold value associated with the model, (4) examining, upon determining that the textual data is suspicious, the address in the transaction to determine whether the address is invalid, (5) analyzing the transaction to determine a frequency of address requests that have been initiated from a source address over a predetermined period, and (6) identifying the transaction as a covert data channel for initiating a malware attack when the address is determined to be invalid and the frequency of the address requests exceeds a threshold value. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A cloud device is configured in an email transmission pathway. The cloud device receives an email attachment whose maliciousness status is determined to be unknown. The cloud device encrypts the email attachment and delivers the encrypted attachment to the recipient. When the recipient attempts to access the encrypted attachment, the cloud device re-determines the maliciousness status of the attachment. If the re-determined maliciousness status is benign, the cloud device allows the encrypted attachment to be decrypted and opened locally on the recipient's device. If the re-determined maliciousness status is still unknown, the cloud device provides a cloud-based viewing solution to the recipient using an isolation service.

Abstract: Isolating an iframe of a webpage. In one embodiment, a method may include targeting an iframe in a webpage for isolation, executing, in a server browser, iframe code, sending, from the remote isolation server to the local client, the webpage with the iframe code of the iframe replaced with isolation code, executing, in a client browser, webpage code and the isolation code, intercepting, in the client browser, webpage messages sent from the webpage code and intended to be delivered to the iframe, sending, to the remote isolation server, the intercepted webpage messages to be injected into the iframe code executing at the server browser, intercepting, at the server browser, iframe messages sent from the iframe code and intended to be delivered to the webpage, and sending, to the local client, the intercepted iframe messages to be injected into the webpage code executing at the client browser.

Abstract: Methods of managing an information technology (IT) infrastructure include detecting by a configuration management system an unauthorized change to one of a plurality of network elements, determining by the configuration management system that the unauthorized change to the one of the plurality of network elements creates a risk condition to an operation of one of the services provided by the IT infrastructure, and initiating an action to remedy the unauthorized change in response to determining that the unauthorized change to the one of the plurality of network elements creates the risk condition to the operation of one of the services provided by the IT infrastructure. Related systems and computer program products are disclosed.

Abstract: A computer-implemented method of generating a security policy for a microsegmented computing system is provided. The method includes generating a port service map that indicates inbound packet activity by port for a plurality of network addresses within the microsegmented computing system and a port distribution map that indicates inbound packet activity by port for a plurality of network addresses within the microsegmented computing system, and generating a list of security policy recommendations based on the port service map and/or the port distribution map.

Abstract: A method for detecting and protecting against abnormal user behavior is described. The method may include generating a tensor model based on a set of user information within a temporal period. The tensor model may include a behavioral profile associated with a user of a set of users. In some examples, the method may include determining that a behavior associated with the user of the set of users is abnormal based on the tensor model, adapting the tensor model based on feedback from an additional user of a set of additional users different from the set of users, and performing a security action on at least one computing device to protect against the abnormal user behavior based on the adapting.

Abstract: A topology-based transversal analysis service has been created that correlates topologies of different domains of a distributed application and creates cross-domain “stories” for the different types of transactions provided by the distributed application. A “story” for a transaction type associates an event(s) with a node in an execution path of the transaction type. This provides context to the event(s) with respect to the transaction type (“transaction contextualization”) and their potential business impact. The story is a journal of previously detected events and/or information based on previously detected events. The events have been detected over multiple instances of a transaction type and the journal is contextualized within an aggregate of execution paths of the multiple instances of the transaction type. The story can be considered a computed, ongoing narrative around application and infrastructure performance events, and the narrative grows as more performance-related events are detected.

Abstract: The disclosed computer-implemented method for preventing data loss from data containers may include (1) identifying, at a computing device, a process running in a data container on the computing device, (2) intercepting an attempt by the process to exfiltrate information from the computing device via at least one of a file system operation or a network operation, and (3) performing a security action to prevent the intercepted attempt. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Provided is a process of determining a future battery level of one or more battery-powered computing devices, the process including: accessing an event record in memory describing a scheduled event in which a user of a plurality of computing devices is scheduled to participate, inferring a subset of the plurality of computing devices to be used in that time period, determining present battery levels of the computing devices, the levels being values indicative of an amount of energy stored by batteries, determining present usage rates of battery energy, inferring battery outlooks corresponding to the scheduled event, a battery outlook being an estimated amount of energy consumption attributable to the scheduled event, and predicting future battery levels of computing devices based on at least a present battery level, a present usage rate, and a battery outlook corresponding to the scheduled event.

Abstract: A method of dynamic adaptive authentication includes receiving a request from a user to access a resource of a network and determining whether the resource is protected. In response to determining that the resource is protected, a dynamic authentication chain is generated. The dynamic authentication chain includes a plurality of authentication schemes that are arranged in a particular order. The method also includes challenging the user with the dynamic authentication chain and receiving a set of credentials from the user based at least in part on the particular order of the dynamic authentication chain. The method includes determining whether the set of credentials satisfies the dynamic authentication chain. In response to determining that the set of credentials satisfies the dynamic authentication chain, the user is authenticated.

Abstract: A multivariate clustering-based anomaly detector can generate an event for consumption by an APM manager that indicates detection of an anomaly based on multivariate clustering analysis after topology-based feature selection. The anomaly detector accumulates time-series data across a series of time instants to form a multivariate time-series data slice or multivariate data slice. The anomaly detector then performs multivariate clustering analysis with the multivariate data slice. The anomaly detector determines whether a multivariate data slice is within a cluster of multivariate data slices. If the multivariate data slice is within the cluster and the cluster is a known anomaly cluster, then the anomaly detector generates an anomaly detection event indicating detection of the known anomaly. The anomaly detector can also determine that a multivariate data slice is within an unknown cluster and generate an event indicating detection of an unknown anomaly.

Abstract: Detecting and protecting against computing breaches based on lateral movement of a computer file within an enterprise. A method may include obtaining data associated with an existence a computer file in a first computing device and a second computing device of an enterprise, detecting a pattern of lateral movement of the computer from the first computing device to the second computing device over a predetermined period of time, based on the data, calculating a likelihood score that the computer file is malicious based on the detected pattern, determining that the likelihood score satisfies a predetermined breach threshold, and in response to determining that the likelihood score satisfies the predetermined breach threshold, initiating remedial action on the computer file to protect the enterprise against the computer file.

Abstract: The disclosed computer-implemented method for preserving system contextual information in an encapsulated packet may include (1) receiving, at a computing device, a network packet from the network via a network adapter port, (2) encapsulating the received network packet with a tunnel header, where a network identifier field in the tunnel header comprises information identifying the network adapter port, (3) determine an outer Internet protocol (IP) address for the encapsulated network packet, where the destination IP address corresponds to a destination on the network, (4) addressing an outer header of the encapsulated network packet with the IP address, and (5) sending the encapsulated network packet toward the destination identified by the destination IP address. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for preventing electronic form data from being electronically transmitted to untrusted domains may include (i) identifying a web page that includes an electronic form with field for data entry, (ii) detecting that the web page is electronically sending first and second messages that each include data from the field of the electronic form and that are directed to first and second destinations, respectively, (iii) determining that the first destination includes an untrusted destination, and (iv) blocking the web page from electronically sending the data from the field of the electronic form to the untrusted destination by blocking the first message from being electronically sent. Various other methods, systems, and computer-readable media are also disclosed.