Patents Assigned to Cujo LLC
  • Patent number: 12261856
    Abstract: A network apparatus maintains a database of a plurality of virtual private network (VPN) protocols and respective VPN providers. A VPN protocol detection process is performed for determining a VPN protocol used by a computing device based on analyzing network traffic data and the database. In response to detecting the VPN protocol detection process failing or detecting a need to identify a respective VPN provider, an endpoint detection process for determining the VPN usage of the computing device is performed. In response to detecting the endpoint detection process failing or detecting a need to identify VPN usage time information, a traffic pattern search process for determining the VPN usage of the computing device is performed. Further action is taken to protect the computing device in response to detecting the VPN usage on the basis of the VPN protocol detection process, the endpoint detection process, and/or the traffic pattern search process.
    Type: Grant
    Filed: June 9, 2022
    Date of Patent: March 25, 2025
    Assignee: Cujo LLC
    Inventors: Filip Savin, Leonardas Marozas
  • Patent number: 12192164
    Abstract: After a data packet containing an active medium access control (MAC) address of a connected device enters a customer-premises equipment (CPE), the active MAC address of the connected device is replaced with an earlier MAC address of the connected device. Before the data packet with the earlier MAC address exits the CPE, the earlier MAC address of the connected device is replaced with the active MAC address of the connected device.
    Type: Grant
    Filed: May 12, 2023
    Date of Patent: January 7, 2025
    Assignee: Cujo LLC
    Inventors: James Mathews, Matti Niemenmaa
  • Patent number: 12107890
    Abstract: A computing device receives an IP address and a port number related to a transport protocol and an application protocol version and other attributes related to an application protocol extracted from an encrypted client hello (ECH) enabled transport layer security (TLS) connection request from a client computing device and extracts, from the database, a set of all known hostnames matching the IP address. The device generates a reduced list of the set of all hostnames matching the IP address, and assigns a confidence score to each hostname of the reduced list based on an alias count and/or a popularity ranking of the hostname. Finally, a prioritized list of one or more hostnames is generated based on the confidence score, the prioritized list indicating the one or more hostnames in the order of descending probability of being requested in the ECH enabled TLS connection request.
    Type: Grant
    Filed: April 12, 2022
    Date of Patent: October 1, 2024
    Assignee: Cujo LLC
    Inventors: Filip Savin, Leonardas Marozas, Kimmo Kasslin
  • Patent number: 11979374
    Abstract: There is provided a method comprising receiving a domain name system (DNS) query from a client computing device, decrypting the DNS query by a DNS resolver device, and requesting reputation information related to the FQDN from an agent device of the router apparatus. If a matching FQDN is not found in a local database, the DNS query is allowed to proceed from the DNS resolver device to a cloud DNS resolver, the IP and MAC address of the client computing device are logged and mapped to the local database, the reputation information related to the FQDN is requested from a cloud FQDN server, and if the reputation information indicates that the FQDN should be blocked, the local database is updated with the reputation information and further queries to the FQDN are blocked.
    Type: Grant
    Filed: April 17, 2023
    Date of Patent: May 7, 2024
    Assignee: Cujo LLC
    Inventors: Syed Alam, Chris Griffiths, Santeri Kangas
  • Patent number: 11843946
    Abstract: There is provided a method that comprises receiving one or more unique passwords for identifying respective one or more user devices of the wireless local area network; associating the one or more unique passwords with the respective one or more user devices and storing the one or more unique passwords to a database; in response to receiving, at an access point of the wireless local area network, a connection request from a user device, requesting, from the user device, a unique password of the user device; and identifying the user device based on the unique password.
    Type: Grant
    Filed: April 1, 2021
    Date of Patent: December 12, 2023
    Assignee: Cujo LLC
    Inventors: Matteo Cafasso, Leonardas Marozas
  • Patent number: 11838262
    Abstract: A first data communication of a first connected device related to a first target website is intercepted. The first data communication identifies the first target website by a first fully qualified domain name (FQDN), and the first FQDN is mapped to a first Internet protocol (IP) address. A pair of the first FQDN and the first IP address is determined. A second data communication of a second connected device related to a second target website is intercepted. The second data communication comprises a second encrypted FQDN and a second IP address of the second target website. The second IP address is determined to be equal to the first IP address. A cybersecurity reputation of the second target website is retrieved based on the first FQDN. In response to determining that the reputation matches a predetermined alarm condition, a cybersecurity operation is enforced for the second data communication.
    Type: Grant
    Filed: November 30, 2022
    Date of Patent: December 5, 2023
    Assignee: Cujo LLC
    Inventors: Santeri Kangas, Kimmo Kasslin, Leonardas Marozas, Filip Savin
  • Patent number: 11824891
    Abstract: A network apparatus maintains a data repository comprising network traffic data related to a plurality of user devices, the network traffic data being collected from a plurality of Network Service Providers (NSPs). A subset of the plurality of user devices are detected to be communicating with one or more same endpoint devices based on analysing the network traffic data. A number of historical connections between each user device of the subset of the plurality of user devices and the one or more endpoint devices is determined based on analysing historical connection data maintained in the data repository, and in response to detecting that the number of historical connections between the subset of the plurality of user devices and the one or more endpoint devices exceeds a predetermined threshold, the one or more endpoint devices are identified as a suspected botnet.
    Type: Grant
    Filed: February 15, 2021
    Date of Patent: November 21, 2023
    Assignee: Cujo LLC
    Inventors: Leonardas Marozas, Filip Savin, Matteo Cafasso, Santeri Kangas, Sean Tiernan
  • Patent number: 11805044
    Abstract: An application detection method includes running one or more applications in various application scenarios on one or more user devices for a predetermined time period, capturing network traffic data generated by the one or more applications, labelling the network traffic data according to an application scenario of the one or more applications and with respect to a user device of the one or more user devices, determining an active application usage time in relation to the application scenario during the predetermined time period based on the labelling, training a machine learning model to estimate the active application usage time based on the determining, and using the machine learning model to estimate the active application usage time on the one or more user devices.
    Type: Grant
    Filed: May 7, 2021
    Date of Patent: October 31, 2023
    Assignee: Cujo LLC
    Inventor: Kazimieras Vaina
  • Patent number: 11799910
    Abstract: A network apparatus receives a first message relating to a transport layer security (TLS) handshake process for an initialization phase of a Quic user datagram protocol (UDP) Internet Connection (QUIC) connection from a client computing device toward a target computing device, wherein the first message of the TLS handshake process comprises at least a connection identifier. The network apparatus generates a second message relating to the TLS handshake process in response to the first message, wherein a cipher suite value of the second message is set to an invalid cipher suite value for the client computing device and wherein the invalid cipher suite value is unsupported by the client computing device, and sends the second message to the client computing device to cause the client computer device to close the QUIC connection.
    Type: Grant
    Filed: July 9, 2021
    Date of Patent: October 24, 2023
    Assignee: Cujo LLC
    Inventors: Evgeny Kornev, Matti Niemenmaa
  • Patent number: 11722488
    Abstract: Maintaining a database of a plurality of time series data sets, wherein each time series data set is associated to a previously known computer device of a computer network; detecting a connection request from a second computer device of the computer network; collecting one or more new data sets related to the second computer device; comparing the one or more new data sets with one or more time series data sets; calculating one or more value scores related to the plurality of time series data sets based on the comparison; and determining a device association score based on the calculated one or more value scores related to the plurality of time series data sets, wherein the device association score determines an association level between the previously known computer device and the second computer device of the computer network.
    Type: Grant
    Filed: July 29, 2020
    Date of Patent: August 8, 2023
    Assignee: Cujo LLC
    Inventors: Victor Kuarsingh, Leonardas Marozas, Filip Savin, Jovaldas Januskevicius, Justinas Bisikirskas
  • Patent number: 11700235
    Abstract: There is provided a method comprising receiving a domain name system (DNS) query from a client computing device, decrypting the DNS query by a DNS resolver device, and requesting reputation information related to the FQDN from an agent device of the router apparatus. If a matching FQDN is not found in a local database, the DNS query is allowed to proceed from the DNS resolver device to a cloud DNS resolver, the IP and MAC address of the client computing device are logged and mapped to the local database, the reputation information related to the FQDN is requested from a cloud FQDN server, and if the reputation information indicates that the FQDN should be blocked, the local database is updated with the reputation information and further queries to the FQDN are blocked.
    Type: Grant
    Filed: October 13, 2021
    Date of Patent: July 11, 2023
    Assignee: Cujo LLC
    Inventors: Syed Alam, Chris Griffiths, Santeri Kangas
  • Patent number: 11683167
    Abstract: A network gateway apparatus monitors Quic user datagram protocol (UDP) Internet Connection (QUIC) packets between a first device and a second device, extracts a version of the QUIC protocol and a connection identification from an unprotected portion of the protected header in response to detecting a QUIC packet having a protected header in use, determines a salt used in encryption of the protected header based on the version of the QUIC protocol, calculates a client initial secret based on the salt and the connection identification, determines an unprotected payload of the QUIC packet based on the client initial secret, a protected payload of the QUIC packet and the unprotected portion of the protected header, and extracts a server name indication (SNI) from the unprotected payload.
    Type: Grant
    Filed: July 13, 2021
    Date of Patent: June 20, 2023
    Assignee: Cujo LLC
    Inventors: Evgeny Kornev, Matti Niemenmaa
  • Patent number: 11677647
    Abstract: A device identification method where a device application usage profile is generated and maintained for each one or more known computing devices of a local network based on network traffic data. In response to detecting an unknown computing device in the local network, network traffic data related to the unknown computing device is collected, and a device application usage profile for the unknown computing device is generated based on the network traffic data related to the unknown computing device. The device application usage profile of the unknown computing device is compared with the device application usage profile of the one or more known computing devices of the local network.
    Type: Grant
    Filed: November 10, 2021
    Date of Patent: June 13, 2023
    Assignee: Cujo LLC
    Inventors: Zoltan Balazs, Kimmo Kasslin
  • Patent number: 11671437
    Abstract: A network apparatus is configured to detect a network connection request on a platform having a hardware accelerator to process network traffic, wherein the hardware accelerator implements computing tasks related to data packets of at least part of the network traffic. The network apparatus is further configured to intercept the network traffic related to the network connection request before the start of the hardware accelerator process, to extract network connection data required by a network traffic analysis function from the network traffic, to allow the hardware accelerator to start acceleration process after the network connection data extraction has finished, and to analyse the network connection based on the extracted network connection data.
    Type: Grant
    Filed: October 13, 2020
    Date of Patent: June 6, 2023
    Assignee: Cujo LLC
    Inventors: Matti Niemenmaa, James Mathews
  • Patent number: 11627050
    Abstract: A network apparatus detects connection requests and extracts related data. The data is analyzed to determine whether the host is in an active state, whether the host matches a domain referrer and an amount of time from a last connection request. If it is detected that the host is not in an active state, the host is not matching the domain referrer and the amount of time from the last connection request exceeds a predetermined new session threshold, then a connection request is classified as a main request. If the amount of time from the last connection request is below a predetermined continuous session threshold, then any connection requests following the main request are classified as sub-requests. If the domain of host in the active state does not match current host for a sub-request, the sub-request is classified as a third-party request.
    Type: Grant
    Filed: June 26, 2020
    Date of Patent: April 11, 2023
    Assignee: Cujo LLC
    Inventors: Leonardas Marozas, Filip Savin
  • Patent number: 11611556
    Abstract: A network apparatus receives a connection request from a client computing device toward a target computing device. Next a target identifier that identifies the target computing device is extracted from the connection request. The connection request is sent to the target computing device and a reputation request with the target identifier is sent to a web resource analyser engine. In response to detecting that a response from the target computing device is received before a response from the web resource analyser engine, the response to the connection request from the target computing device is held by performing a rewrite in a target section of a user-space utility program rule and by using operating system kernel module in user-space memory area of the network apparatus. In response to a receipt of the response from the web resource analyser engine, the response to the connection request is released.
    Type: Grant
    Filed: September 21, 2020
    Date of Patent: March 21, 2023
    Assignee: Cujo LLC
    Inventors: Marius Gaubas, Matti Niemenmaa
  • Patent number: 11605009
    Abstract: Network device identification. A method includes extracting, from network traffic data of a plurality of user devices in a computer network, one or more data fragments relating to a device model of each user device, associating the one or more data fragments with device identification data assigned to each user device, determining a device model for a specific data fragment based on analyzing one or more data fields associated with the specific data fragment, and generating one or more device model identification rules based on the specific data fragment.
    Type: Grant
    Filed: August 17, 2020
    Date of Patent: March 14, 2023
    Assignee: Cujo LLC
    Inventors: Evaldas Kazlauskis, Jovaldas Januskevicius
  • Patent number: 11528189
    Abstract: Network device identification is disclosed. A set of data attributes relating to at least two different data types is extracted from network traffic data associated with each user device of a set of user devices. A cluster data set of one or more known device clusters is expanded with the set of data attributes for generating an expanded cluster data set. One or more new device clusters is identified from the expanded cluster data set of the one or more known device clusters by using similarity-based metrics and a weighting factor selected based on the data types of the set of data attributes, and one or more device identification rules is generated based on the one or more new device clusters.
    Type: Grant
    Filed: March 8, 2022
    Date of Patent: December 13, 2022
    Assignee: Cujo LLC
    Inventors: Attila Egri, Christian Kiss-Toth, Matteo Cafasso
  • Patent number: 11411842
    Abstract: A method includes receiving network traffic data relating to one or more devices of a plurality of home networks, wherein each home network of the plurality of home networks relates to a respective household. The method further includes determining one or more household related features by feature engineering the network traffic data, wherein the one or more household related features are related to one or more of: a device property, a security threat event, and an application usage, associating, in a database, the one or more household related features with identification data assigned to each household, identifying household clusters that represent groups of households comprising a predetermined number of common household related features, and providing a targeted service to a customer based on a household cluster associated with a household of the customer.
    Type: Grant
    Filed: June 1, 2021
    Date of Patent: August 9, 2022
    Assignee: Cujo LLC
    Inventors: Barry Delahunt, Gabor Takacs
  • Patent number: 11394687
    Abstract: Fully qualified domain name determination is disclosed. A queue of fully qualified domain names (FQDN) is created using a predetermined amount of network domains. Each FQDN is crawled from a plurality of collection agents of a computer network. For each FQDN, data comprising an Internet Protocol (IP) address of the FQDN, IP addresses for resources loaded for the FQDN and load times of the resources loaded for the FQDN are extracted. A correlation model is generated based on the data. An FQDN being accessed by one or more computer devices of the computer network is determined by using the correlation model.
    Type: Grant
    Filed: September 2, 2020
    Date of Patent: July 19, 2022
    Assignee: Cujo LLC
    Inventors: Leonid Kuperman, Santeri Kangas