Abstract: Techniques for automated identification of false positives in DNS tunneling detectors are disclosed. In some embodiments, a system, process, and/or computer program product for automated identification of false positives in DNS tunneling detectors includes receiving a set of passive DNS data, wherein the set of passive DNS data includes a DNS query and a DNS response for resolution of the DNS query for each of a plurality of DNS queries; extracting a plurality of features associated with each domain in the set of passive DNS data; and classifying DNS tunneling activities and performing false positive reduction using the plurality of features associated with each domain in the set of passive DNS data to reduce false positive detections.

Abstract: Various techniques for detecting homographs of domain names are disclosed. In some embodiments, a system, process, and/or computer program product for detecting homographs of domain names includes receiving a DNS data stream, wherein the DNS data stream includes a DNS query and a DNS response for resolution of the DNS query; applying a homograph detector for each domain in the DNS data stream; and detecting a homograph of a domain name in the DNS data stream using the homograph detector.

Abstract: A cloud based network includes a plurality of nodes, each of which include at least one containerized microservice that enables intent-driven operation of the cloud based network. One or more resource controllers, each designated to manage a custom resource, communicate with a master controller of the node to manage operational and configuration states of the node and any microservices containerized within the node. The master enables a user to monitor and automate the management of microservices and the cloud based network as a whole. The containerized microservice architecture allows user customizable rendering of microservices, reconciliation of old and new versions of microservices, and facilitated management of a plurality of nodes.

Abstract: Techniques for detection of algorithmically generated domains based on a dictionary are disclosed. In some embodiments, a system, process, and/or computer program product for detection of algorithmically generated domains based on a dictionary includes receiving a DNS data stream, wherein the DNS data stream includes a DNS query and a DNS response for resolution of the DNS query; generating a graph based on the DNS data stream; and identifying a malicious dictionary based on the graph.

Abstract: Techniques for Qprints using telemetry-based similarity for DNS are provided. In some embodiments, a system/process/computer program product for Qprints using telemetry-based similarity for DNS in accordance with some embodiments includes aggregating a set of network related event data, wherein the set of network related event data includes Domain Name System (DNS) related query data; clustering the DNS related query data; and generating similarity clusters for domains based on their DNS related query data. For example, the set of network related event data can include passive DNS (pDNS) data aggregated over a period of time to express pDNS data at-scale, and similarity of the pDNS data aggregated over the period of time is quantified, within and across networks based on telemetry-based similarity for DNS using a statistical model.

Abstract: Techniques for ranking services and top N rank lists are disclosed. In some embodiments, a system, process, and/or computer program product for ranking services and top N rank lists includes receiving a set of network related event data, wherein the set of network related event data includes Domain Name System (DNS) related event data; aggregating the DNS related event data over a period of time and rank order by popularity; and generating a top N rank list for ranking popularity over the period of time for a set of domains using the aggregated DNS related event data and rank order by popularity.

Abstract: A cloud based network includes a plurality of nodes, each of which include at least one containerized microservice that enables intent-driven operation of the cloud based network. One or more resource controllers, each designated to manage a custom resource, communicate with a master controller of the node to manage operational and configuration states of the node and any microservices containerized within the node. The master enables a user to monitor and automate the management of microservices and the cloud based network as a whole. The containerized microservice architecture allows user customizable rendering of microservices, reconciliation of old and new versions of microservices, and facilitated management of a plurality of nodes.

Abstract: Various techniques for detecting homographs of domain names are disclosed. In some embodiments, a system, process, and/or computer program product for detecting homographs of domain names includes receiving a DNS data stream, wherein the DNS data stream includes a DNS query and a DNS response for resolution of the DNS query; applying a homograph detector for each domain in the DNS data stream; and detecting a homograph of a domain name in the DNS data stream using the homograph detector.

Abstract: Techniques for smart whitelisting for Domain Name System (DNS) security are provided. In some embodiments, a system/process/computer program product for smart whitelisting for DNS security in accordance with some embodiments includes receiving a set of network related event data, wherein the set of network related event data includes Domain Name System (DNS) related event data; receiving a set of network related threat data, wherein the set of network related threat data includes DNS related threat data; and generating a whitelist using the set of network related event data and the set of network related threat data, wherein the whitelist includes a subset of network domains included in the DNS related event data based on a data driven model of the DNS related event data and the DNS related threat data.

Abstract: Techniques for an exponential moving maximum (EMM) filter for predictive analytics in network reporting are disclosed. In some embodiments, a process for predictive analytics in network reporting using an EMM filter includes pre-processing network-related data by performing exponential moving maximum (EMM) filtering on the network-related data; and determining predictive analytics based on the EMM filtered network-related data.

Abstract: Techniques for community detection based on DNS querying patterns are disclosed. For example, techniques for community detection based on DNS querying patterns for anomaly detection and monitoring efficiencies are disclosed. In some embodiments, a system, process, and/or computer program product for community detection based on DNS querying patterns includes receiving DNS log files, wherein the DNS log files include a DNS query and a DNS response for resolution of the DNS query; generating a graph based on the DNS log files; identifying a plurality of communities using the graph based on DNS querying patterns; and detecting an anomaly in DNS activity associated with one or more of the communities based on a DNS querying rule.

Abstract: Techniques for monitoring and analysis of interactions between network endpoints are disclosed. In some embodiments, a process for monitoring and analysis of interactions between network endpoints includes collecting Domain Name System (DNS) response data from a network device; determining network endpoint interactions based on an analysis of the DNS response data (e.g., using a processor); and generating a graph corresponding to the network endpoint interactions. For example, the network device can include a DNS device and/or a software-defined networking (SDN) device (e.g., an SDN switch, such as an OpenFlow switch).

Abstract: A cloud based network includes a plurality of nodes, each of which include at least one containerized microservice that enables intent-driven operation of the cloud based network. One or more resource controllers, each designated to manage a custom resource, communicate with a master controller of the node to manage operational and configuration states of the node and any microservices containerized within the node. The master enables a user to monitor and automate the management of microservices and the cloud based network as a whole. The containerized microservice architecture allows user customizable rendering of microservices, reconciliation of old and new versions of microservices, and facilitated management of a plurality of nodes.

Abstract: Techniques for detection of algorithmically generated domains based on a dictionary are disclosed. In some embodiments, a system, process, and/or computer program product for detection of algorithmically generated domains based on a dictionary includes receiving a DNS data stream, wherein the DNS data stream includes a DNS query and a DNS response for resolution of the DNS query; generating a graph based on the DNS data stream; and identifying a malicious dictionary based on the graph.

Abstract: Techniques for cloud network automation for IP address and DNS record management are disclosed. In some embodiments, a system, process, and/or computer program product for cloud network automation for IP address and DNS record management includes receiving at a cloud platform appliance (e.g., a virtual or physical IP address and/or DNS management appliance) a cloud request related to a resource (e.g., a virtual or physical resource) in a cloud environment from a global cloud manager; and processing the cloud request at the cloud platform appliance to determine whether to proxy the cloud request to another cloud platform appliance or a grid master or to locally process the cloud request, wherein a storage of infrastructure metadata information for IP address and/or DNS record management is updated based on the cloud request.

Abstract: Techniques for monitoring and analysis of interactions between network endpoints are disclosed. In some embodiments, a process for monitoring and analysis of interactions between network endpoints includes collecting Domain Name System (DNS) response data from a network device; determining network endpoint interactions based on an analysis of the DNS response data (e.g., using a processor); and generating a graph corresponding to the network endpoint interactions. For example, the network device can include a DNS device and/or a software-defined networking (SDN) device (e.g., an SDN switch, such as an OpenFlow switch).

Abstract: Various techniques for providing inline DGA detection with deep networks are disclosed. In some embodiments, a system, process, and/or computer program product for inline DGA detection with deep networks includes receiving a DNS data stream, in which the DNS data stream includes a DNS query and a DNS response for resolution of the DNS query; determining whether the DNS query is associated with a potentially malicious network domain based on the inline DGA detection model; and performing a mitigation action if it is determined that the DNS query is associated with a potentially malicious network domain based on the inline DGA detection model.

Abstract: Techniques for providing an API gateway for network policy and configuration management with public cloud are disclosed. In some embodiments, a system, process, and/or computer program product for an API gateway for network policy and configuration management with public cloud includes receiving a native or extended public cloud application programming interface (API) request at the API gateway; processing the public cloud API request; extracting data from the request for use in other API calls; and, in some cases, translating the public cloud API request into a native public cloud API request with or without adding parameters or properties to and/or substituting new values for parameters in the public cloud API request (e.g., in some cases modifying the public cloud API request can include inserting additional parameters/properties, such as instance IP address that was not present in the initial API request); and sending the native public cloud API request to the public cloud environment.

Abstract: Flux domain is generally an active threat vector, and flux domain behaviors are continually changing in an attempt to evade existing detection measures. Accordingly, new and improved techniques are disclosed for flux domain detection. In some embodiments, an online platform implementing an analytics framework for DNS security is provided for facilitating flux domain detection. For example, the online platform can implement an analytics framework for DNS security based on passive DNS traffic analysis, disclosed herein with respect to various embodiments.

Abstract: New and improved techniques for a behavior analysis based DNS tunneling detection and classification framework for network security are disclosed. In some embodiments, a platform implementing an analytics framework for DNS security is provided for facilitating DNS tunneling detection. For example, an online platform can implement an analytics framework for DNS security based on passive DNS traffic analysis.