Abstract: Techniques for policy-based dynamic VPN profile selection using DNS protocol are provided. In some embodiments, a system/process/computer program product for policy-based dynamic VPN profile selection using DNS protocol includes receiving, at a DNS server for an enterprise network, a Domain Name System (DNS) request for a resource from an endpoint client; determining an IP address and an authentication token for the endpoint client to access the resource using a secure tunnel; and sending a DNS response, from the DNS server, including the IP address and the authentication token to the endpoint client.

Abstract: Techniques for Qprints using telemetry-based similarity for DNS are provided. In some embodiments, a system/process/computer program product for Qprints using telemetry-based similarity for DNS in accordance with some embodiments includes aggregating a set of network related event data, wherein the set of network related event data includes Domain Name System (DNS) related query data; clustering the DNS related query data; and generating similarity clusters for domains based on their DNS related query data. For example, the set of network related event data can include passive DNS (pDNS) data aggregated over a period of time to express pDNS data at-scale, and similarity of the pDNS data aggregated over the period of time is quantified, within and across networks based on telemetry-based similarity for DNS using a statistical model.

Abstract: Techniques for smart whitelisting for Domain Name System (DNS) security are provided. In some embodiments, a system/process/computer program product for smart whitelisting for DNS security in accordance with some embodiments includes receiving a set of network related event data, wherein the set of network related event data includes Domain Name System (DNS) related event data; receiving a set of network related threat data, wherein the set of network related threat data includes DNS related threat data; and generating a whitelist using the set of network related event data and the set of network related threat data, wherein the whitelist includes a subset of network domains included in the DNS related event data based on a data driven model of the DNS related event data and the DNS related threat data.

Abstract: Techniques for ranking services and top N rank lists are disclosed. In some embodiments, a system, process, and/or computer program product for ranking services and top N rank lists includes receiving a set of network related event data, wherein the set of network related event data includes Domain Name System (DNS) related event data; aggregating the DNS related event data over a period of time and rank order by popularity; and generating a top N rank list for ranking popularity over the period of time for a set of domains using the aggregated DNS related event data and rank order by popularity.

Abstract: Various techniques for detecting visual similarity between DNS fully qualified domain names (FQDNs) are disclosed. In some embodiments, a system, process, and/or computer program product for detecting visual similarity between DNS FQDNs includes receiving a DNS data stream, wherein the DNS data stream includes a DNS query and a DNS response for resolution of the DNS query; performing extended sequence alignment for each of the set of FQDNs to identify potential malware FQDNs for one or more target FQDNs based on a visual similarity for each domain in the DNS data stream; and classifying the set of domains as malware FQDNs or benign FQDNs based on results of the extended sequence alignment.

Abstract: Techniques for automated identification of false positives in DNS tunneling detectors are disclosed. In some embodiments, a system, process, and/or computer program product for automated identification of false positives in DNS tunneling detectors includes receiving a set of passive DNS data, wherein the set of passive DNS data includes a DNS query and a DNS response for resolution of the DNS query for each of a plurality of DNS queries; extracting a plurality of features associated with each domain in the set of passive DNS data; and classifying DNS tunneling activities and performing false positive reduction using the plurality of features associated with each domain in the set of passive DNS data to reduce false positive detections.

Abstract: Various techniques for detecting homographs of domain names are disclosed. In some embodiments, a system, process, and/or computer program product for detecting homographs of domain names includes receiving a DNS data stream, wherein the DNS data stream includes a DNS query and a DNS response for resolution of the DNS query; applying a homograph detector for each domain in the DNS data stream; and detecting a homograph of a domain name in the DNS data stream using the homograph detector.

Abstract: A cloud based network includes a plurality of nodes, each of which include at least one containerized microservice that enables intent-driven operation of the cloud based network. One or more resource controllers, each designated to manage a custom resource, communicate with a master controller of the node to manage operational and configuration states of the node and any microservices containerized within the node. The master enables a user to monitor and automate the management of microservices and the cloud based network as a whole. The containerized microservice architecture allows user customizable rendering of microservices, reconciliation of old and new versions of microservices, and facilitated management of a plurality of nodes.

Abstract: Techniques for detection of algorithmically generated domains based on a dictionary are disclosed. In some embodiments, a system, process, and/or computer program product for detection of algorithmically generated domains based on a dictionary includes receiving a DNS data stream, wherein the DNS data stream includes a DNS query and a DNS response for resolution of the DNS query; generating a graph based on the DNS data stream; and identifying a malicious dictionary based on the graph.

Abstract: Techniques for Qprints using telemetry-based similarity for DNS are provided. In some embodiments, a system/process/computer program product for Qprints using telemetry-based similarity for DNS in accordance with some embodiments includes aggregating a set of network related event data, wherein the set of network related event data includes Domain Name System (DNS) related query data; clustering the DNS related query data; and generating similarity clusters for domains based on their DNS related query data. For example, the set of network related event data can include passive DNS (pDNS) data aggregated over a period of time to express pDNS data at-scale, and similarity of the pDNS data aggregated over the period of time is quantified, within and across networks based on telemetry-based similarity for DNS using a statistical model.

Abstract: Techniques for ranking services and top N rank lists are disclosed. In some embodiments, a system, process, and/or computer program product for ranking services and top N rank lists includes receiving a set of network related event data, wherein the set of network related event data includes Domain Name System (DNS) related event data; aggregating the DNS related event data over a period of time and rank order by popularity; and generating a top N rank list for ranking popularity over the period of time for a set of domains using the aggregated DNS related event data and rank order by popularity.

Abstract: A cloud based network includes a plurality of nodes, each of which include at least one containerized microservice that enables intent-driven operation of the cloud based network. One or more resource controllers, each designated to manage a custom resource, communicate with a master controller of the node to manage operational and configuration states of the node and any microservices containerized within the node. The master enables a user to monitor and automate the management of microservices and the cloud based network as a whole. The containerized microservice architecture allows user customizable rendering of microservices, reconciliation of old and new versions of microservices, and facilitated management of a plurality of nodes.

Abstract: Various techniques for detecting homographs of domain names are disclosed. In some embodiments, a system, process, and/or computer program product for detecting homographs of domain names includes receiving a DNS data stream, wherein the DNS data stream includes a DNS query and a DNS response for resolution of the DNS query; applying a homograph detector for each domain in the DNS data stream; and detecting a homograph of a domain name in the DNS data stream using the homograph detector.

Abstract: Techniques for smart whitelisting for Domain Name System (DNS) security are provided. In some embodiments, a system/process/computer program product for smart whitelisting for DNS security in accordance with some embodiments includes receiving a set of network related event data, wherein the set of network related event data includes Domain Name System (DNS) related event data; receiving a set of network related threat data, wherein the set of network related threat data includes DNS related threat data; and generating a whitelist using the set of network related event data and the set of network related threat data, wherein the whitelist includes a subset of network domains included in the DNS related event data based on a data driven model of the DNS related event data and the DNS related threat data.

Abstract: Techniques for an exponential moving maximum (EMM) filter for predictive analytics in network reporting are disclosed. In some embodiments, a process for predictive analytics in network reporting using an EMM filter includes pre-processing network-related data by performing exponential moving maximum (EMM) filtering on the network-related data; and determining predictive analytics based on the EMM filtered network-related data.

Abstract: Techniques for community detection based on DNS querying patterns are disclosed. For example, techniques for community detection based on DNS querying patterns for anomaly detection and monitoring efficiencies are disclosed. In some embodiments, a system, process, and/or computer program product for community detection based on DNS querying patterns includes receiving DNS log files, wherein the DNS log files include a DNS query and a DNS response for resolution of the DNS query; generating a graph based on the DNS log files; identifying a plurality of communities using the graph based on DNS querying patterns; and detecting an anomaly in DNS activity associated with one or more of the communities based on a DNS querying rule.

Abstract: Techniques for monitoring and analysis of interactions between network endpoints are disclosed. In some embodiments, a process for monitoring and analysis of interactions between network endpoints includes collecting Domain Name System (DNS) response data from a network device; determining network endpoint interactions based on an analysis of the DNS response data (e.g., using a processor); and generating a graph corresponding to the network endpoint interactions. For example, the network device can include a DNS device and/or a software-defined networking (SDN) device (e.g., an SDN switch, such as an OpenFlow switch).

Abstract: A cloud based network includes a plurality of nodes, each of which include at least one containerized microservice that enables intent-driven operation of the cloud based network. One or more resource controllers, each designated to manage a custom resource, communicate with a master controller of the node to manage operational and configuration states of the node and any microservices containerized within the node. The master enables a user to monitor and automate the management of microservices and the cloud based network as a whole. The containerized microservice architecture allows user customizable rendering of microservices, reconciliation of old and new versions of microservices, and facilitated management of a plurality of nodes.

Abstract: Techniques for detection of algorithmically generated domains based on a dictionary are disclosed. In some embodiments, a system, process, and/or computer program product for detection of algorithmically generated domains based on a dictionary includes receiving a DNS data stream, wherein the DNS data stream includes a DNS query and a DNS response for resolution of the DNS query; generating a graph based on the DNS data stream; and identifying a malicious dictionary based on the graph.

Abstract: Techniques for cloud network automation for IP address and DNS record management are disclosed. In some embodiments, a system, process, and/or computer program product for cloud network automation for IP address and DNS record management includes receiving at a cloud platform appliance (e.g., a virtual or physical IP address and/or DNS management appliance) a cloud request related to a resource (e.g., a virtual or physical resource) in a cloud environment from a global cloud manager; and processing the cloud request at the cloud platform appliance to determine whether to proxy the cloud request to another cloud platform appliance or a grid master or to locally process the cloud request, wherein a storage of infrastructure metadata information for IP address and/or DNS record management is updated based on the cloud request.