Abstract: Data traffic statistics are generated for each IoT device over a training sliding window. Feature vectors and frequency can be extracted from the data traffic statistics over the training sliding window. A plurality of iTrees of an iForest. New data traffic is received for the specific IoT device. New features are continuously extracting new feature vectors from the new data traffic of the IoT device over a detection sliding window. An instance anomaly score can then be calculated for each instance of a specific IoT device by passing the new feature vectors for the IoT device through each iTree of the iForest for the specific IoT device. Each instance represents a data packet or other segment. An anomaly score is updated over the detection sliding window with the instance anomaly score. Anomaly is detected in a specific instance of the specific IoT device responsive to the anomaly score exceeding a predetermined threshold. In response, a security action can be taken.

Abstract: A first data packet can be forwarded to a virtual SDWAN interface which has multiple IPSec tunnels as members, each of which is disposed over a different uplink, wherein the multiple IPSec tunnels each connect to the remote SDWAN controller. Load balancing of the particular session is performed relative to other sessions by selecting one of the multiple uplinks for transmission to the remote SDWAN controller. Phase 2 of IPSec is set up for the particular session by updating an IPSec phase 2 table with the selected uplink associated with the particular session, to direct subsequent packets of the same session.

Abstract: Various approaches for providing network maintenance and health monitoring. In some cases, some approaches include systems, methods, and/or devices embodiments that provide for receiving and cataloging network incidents and in providing proposed solutions to mitigate the network incidents.

Abstract: A URL is detected that is potentially malicious, and is compared against one or more known legitimate URLs by calculating a similarity score between the detected URL and the known legitimate domain with respect to similarity features. The similarity score comprises a combination of a visual similarity score, a text similarity score and a Document Object Model (DOM) structure similarity score, and the similarity threshold represents a tolerance of variations from minor changes between the detected URL versus the one or more legitimate domains. Responsive to detecting a malicious URL based on the similarity score of the detected URL exceeding the similarity threshold, a security action can be taken against the detected URL as a phishing attempt according to a network security policy.

Abstract: Approaches policy set feature guided node level partitioning for policy search tree optimization are disclosed. A set of policy bins is generated by creating equal-width bins on a given dimension. An original policy set is scanned to determine a number of policies falling into each policy bin in the set of policy bins. An original policy set characteristic is measured based on the number of policies falling into each policy bin. Parameters that represent relationships between the policy set and another policy set are determined based on a number of policies falling into each policy bin and the policy set characteristic. A new policy set is generated based on the parameters. A new policy search tree is generated based on a new policy set. The new policy search tree provides improved build cost or improved search cost as compared a search tree based on the original policy set.

Abstract: Various embodiments provide systems and methods for computing risk scores for entities (e.g., hosts, users) in a network. A computer-implemented method includes determining incidents during a first time period for an entity of the network, calculating rarity for all incidents for the entity in the network using a first function, and updating severity for all incidents of the entity based on a confidence score for the incident using a second function.

Abstract: Among a great deal of other disclosure and scope, systems and methods are enclosed that enable automated labelling of a subset of vectors in a given problem space. For example, in some of many cases, a first machine learning model pre-trained on a given problem space makes predictions regarding fresh, unseen data. In addition to this prediction, the model can output a confidence metric indicating its confidence regarding the prediction made. A subset of these vectors with the highest confidence may be selected. Relevant heuristics assessing each vector in the subset may be computed. These heuristics can be fed through a second machine learning model, which identifies if the given prediction made by the first model is correct. If so, the vector is automatically annotated with the correct predicted label, the vector is appended to the labeled set of data, and the first model is retrained with the new labeled set of data.

Abstract: A bandwidth control device is disclosed. The bandwidth control device includes analysis circuitry to determine a user identifier (ID) associated with each of a plurality of data packets and determine a queue number each of the data packets based on the user IDs and bandwidth control circuitry to insert each of the plurality of data packets into one of a plurality of queues based on the queue numbers, generate weight information for each of the plurality of queues based on a weight value associated with each of the plurality of queues and schedule the plurality of packets to be transmitted based on the weight value each of the plurality of queues.

Abstract: Various embodiments provide systems and methods for enhancing the security of a ZTNA connection.

Abstract: Methods, apparatuses, and products for automating remediation actions in a cloud environment, including: detecting an alert associated with a cloud deployment; selecting, based on the alert, a remediation type; and providing, to a user, one or more resources to perform a remediation corresponding to the remediation type.

Abstract: Predicting attack paths using code analysis, including: detecting a vulnerability in code by performing a static code analysis of the code; identifying an attack surface for the vulnerability in a cloud deployment; and generating an alert for the vulnerability by assigning a priority to the alert based on the attack surface.

Abstract: A data platform monitors a compute environment by performing multi-stage heuristic analysis of event data representing a plurality of events occurring within the environment. The platform utilizes multiple event analyzers, each configured according to a distinct analysis heuristic, to evaluate different subsets of the event data and generate corresponding output signals. A higher-level event analyzer applies a further heuristic to the multiple output signals to generate a composite alert signal, indicating whether the combination of analyzed events collectively represents a security intrusion or other anomalous condition of sufficient severity to warrant alerting. Based on the composite alert signal, the platform performs an alert-based operation, such as generating a user-facing alert, initiating an automated mitigation, or updating a contextual model of system behavior.

Abstract: Generating the ancestry of a deployment in a cloud environment, including: gathering information describing a deployment in a cloud environment; and generating, based on the information, an ancestry of the deployment describing one or more relationships between the deployment and one or more application development resources incorporated into the deployment.

Abstract: A build artifact to be used in an application in a development pipeline and information associated with the build artifact is identified. Metadata including the information associated with the build artifact is generated. The metadata is associated with the build artifact, wherein the metadata conveys with the build artifact in the development pipeline.

Abstract: Systems, devices, and methods are discussed for determining zero trust network access policy based upon intent defined groups of workloads.

Abstract: Systems and methods are described for providing effective hardware acceleration by performing a combination of string matching and range comparison. According to one embodiment, acceleration device of a host device associated with datacenter receives an input stream of information. The received information is matched with contents of a hash-based lookup table to identify one or more units, which satisfy at least one condition for any or a combination of a string match and a range comparison. The identified one or more units are correlated based on a set of conditions, which define at least one rule related to any of a network policy definition, a packet inspection rule, a database operation command or a format of the input stream. Any or a combination of exact string matching and exact range matching is then performed based on the at least one set of correlated units.

Abstract: An illustrative system includes a processor configured to: determine that a first user login session and a second user login session have a parent-child relationship that indicates that a particular user is associated with both the first and second user login sessions; link first user login activity performed during the first user login session and second user login activity performed during the second user login session to the user; and identify, at least in part by using an ssh lineage table, an original login session associated with a subsequent chain of login sessions; and a memory coupled to the processor and configured to provide the processor with instructions.

Abstract: Systems and methods for performing zero-trust network access (ZTNA) secure traffic forwarding are provided. In one example, as part of setting up a transmission control protocol (TCP) forward access proxy (TFAP) tunnel, between a target service and an endpoint security agent of an endpoint device through which an application running on the endpoint device can interact with the target service, a secure connection is established between the endpoint security agent and a ZTNA access proxy (AP). Based on an encryption status of traffic transmitted from the application to the target service: (i) protection against eavesdropping by a man-in-the-middle attacker is provided by using the secure connection to encrypt one or more critical messages of the traffic between the endpoint security agent and the ZTNA AP; and (ii) the endpoint security agent abstains from switching to bypassing mode through the TFAP tunnel until after the one or more critical messages of the traffic have been exchanged.

Abstract: Methods, systems, and products for leveraging user feedback for alert generation in an anomaly detection framework, including: receiving, from a user, user feedback for an alert of a cloud deployment; and initiating, based on the user feedback, a workflow for modifying one or more parameters for generating the alert.

Abstract: Secure data tunnels are established with a plurality of edge points on a plurality of local enterprise networks. At some point, request packets are received in real-time over the first secure tunnel from a first edge point that has encapsulated the request packets. The request packets originate from a malicious actor attacking a projected decoy. Response packets generated from high-fidelity processing of the request packets are encapsulated by the first decoy device and routing to the first secure data tunnel. The response packets are decapsulated and forwarded by edge points back to the malicious actor.