Abstract: A policy-controlled access system comprising a client device running a local application, A mid-link server monitors network traffic from the client device. The network traffic includes third-party content accessed by a user on the client device. A request for data from the end-user is received using the local application, a category associated with the request for the data is determined, and multiple administrator accounts of the end-user is identified based on the category. The multiple administrator accounts are associated with multiple policies to access the data. A correspondence is identified between multiple policies of the multiple administrator accounts. A set of policy conflicts are identified among the policies based on the correspondence and a notification is generated to administrator having the policy conflicts. The policy conflicts are resolved based on suggestions from machine learning (ML) models or the administrators. The request is authorized to access the data.

Abstract: Disclosed is a cloud-based security system implemented in a forward proxy that provides generative artificial intelligence (GenAI) traffic inspection to protect against security and privacy concerns related to GenAI use for protected endpoints. The security system intercepts requests and determines whether those requests are directed to a GenAI application. The security system includes a GenAI request classifier trained to classify prompts submitted to GenAI applications as one of benign, prompt injection attack, or uploaded files. The security system further includes a GenAI response classifier trained to classify responses from GenAI applications as one of normal, leaked system prompt, leaked user uploaded files, or leaked training data.

Abstract: The technology discloses training a classifier to label webpages with categories, extracting from a training database with thousands of webpages tentatively labeled with ground truth categories, dataset A and dataset B; training a classifier using A; and applying it to webpages in B to assign a webpage a label and a classification score. Also disclosed is cleaning B, removing webpages based on evaluation of a decision confidence metric derived from the score assigned for the webpage; and training a second classifier using cleaned B, with second classifier weights initialized independent of trained first classifier weights; and applying the second classifier to webpages in A to assign a webpage the label, score, and decision confidence matrix, and cleaning A, removing webpages from A based on the decision confidence metric. Then combining cleaned A and cleaned B into a combined clean dataset, and training the third classifier using the combined clean dataset.

Abstract: Disclosed technology of training a third classifier to select between sensitive or non-sensitive categories for a webpage including both sensitive and non-sensitive content. The technology involves collecting webpages as a tentatively labeled dataset A and a dataset B, training a first classifier including at least a first sensitive category classifier and a first non-sensitive category classifier using the tentatively labeled dataset A, referring some dual labelled webpages generated by the first classifier to a curator to curate and resolve label conflict, receiving curated labels from the curator and updating dataset B with the curated labels, training a second classifier using the updated dataset B, referring some dual labelled webpages generated by the second classifier to a curator to curate and resolve label conflict, receiving curated labels from the curator and updating dataset A with the curated labels, and training the third classifier with updated dataset A and updated dataset B.

Abstract: A system to generate an image classifier and test it nearly instantaneously is described herein. Image embeddings generated by an image fingerprinting model are indexed and an associated approximate nearest neighbors (ANN) model is generated. The embeddings in the index are clustered and the clusters are labeled. Users can provide just a few images to add to the index as a labeled cluster. The ANN model is trained to receive an image embedding as input and return a score and label of the most similar identified embedding. The label may be applied if the score exceeds a threshold value. The image classifier can be tested efficiently using Leave One Out Cross Validation (“LOOCV”) to provide near-instantaneous quality indications of the image classifier to the user. Near-instantaneous indications of outliers in the provided images can also be provided to the user using a distance to the centroid calculation.

Abstract: The technology disclosed relates to detecting a data attack on a file system stored on an independent data store. The detecting includes scanning a list to identify files of the independent data store that have been updated within a timeframe, assembling current metadata for files identified by the scanning, obtaining historical metadata of the files, determining that a malicious activity is in process by analyzing the current metadata of the files and the historical metadata to identify a pattern of changes that exceeds a predetermined change velocity. Further, the detecting includes determining that the malicious activity is in process by analyzing the current metadata of the files and known patterns of malicious metadata to identify a match between the current metadata and the known patterns of malicious metadata, determining a machine/user that initiated the malicious activity, and implementing a response mechanism that restricts file modifications by the determined machine/user.

Abstract: A cloud network for delivering local content to a user at a user location. The cloud network includes a client device comprising a local application, a mid link server and a cloud provider. The mid link server receives from the client device a request for local data from the user at the user location. The user has provided the request for the local data from the user location without a data center. A sub data center for the user location is identified and assigned an Internet Protocol (IP) address for the user location. The sub-data center is a data center nearest to the user location. Each data center has IP addresses for different locations to deliver the local content to the respective IP address for the location. The request is routed to the sub data center which is used to provide the local data to the user by the cloud provider. A cloud network for delivering local content to user locations. The cloud network includes a client device, a mid-link server, and a cloud provider.

Abstract: A cloud-based network security system that includes a packet tap and exposes a synthetic packet stream representing the bidirectional data between enterprise client devices and cloud hosted services is disclosed. The security system intercepts packets of communication sessions and uploads a copy of the packets to cloud storage. A proxy of the security system derives session keys for the communication session and uploads the session keys to the cloud storage. An enterprise stitcher obtains the packets from the cloud storage, stitches the packets together in sequential order, and modifies the Layer 3 and Layer 4 headers to generate synthetic packet streams representing the communication sessions. The stitcher may decrypt the packets or provide the session key with the synthetic packet stream. The stitcher provides the synthetic packet streams to enterprise packet analysis systems for storage, auditing, analysis, and the like.

Abstract: The technology disclosed includes a system to perform multi-label support vector machine (SVM) classification of a document. The system creates document features representing frequencies or semantics of words in the document. Trained SVM classification parameters for a plurality of labels are applied to the document features for the document. The system determines positive and negative distances between SVM hyperplanes for the labels and the feature vector. Labels with positive distance to the feature vector are harvested. When the distribution of negative distances is characterized by a mean and standard deviation, the system further harvests the labels with a negative distance such that the harvested labels include the labels with a negative distance between the mean negative distance and zero and separated from the mean negative distance by a predetermined first number of standard deviations.

Abstract: Systems and methods to continuously classify temporal communication data associated with a computing device are described. In one embodiment, temporal communication data associated with the computing device is accessed and processed to create a plurality of preprocessing models. The preprocessing models are used to train a neural network. The neural network derives one or more properties associated with the computing device from the temporal communication data. A device fingerprint is defined from the one or more properties. Subsequent to defining the device fingerprint, additional temporal communication data associated with the computing device is accessed. The neural network derives one or more additional properties associated with the computing device from the additional temporal communication data. The one or more additional properties are aggregated into the defined device fingerprint, refining the defined device fingerprint.

Abstract: The technology relates to machine responses to anomalies detected using machine learning based anomaly detection. In particular, to receiving evaluations of production events, prepared using activity models constructed on per-tenant and per-user basis using an online streaming machine learner that transforms an unsupervised learning problem into a supervised learning problem by fixing a target label and learning a regressor without a constant or intercept. Further, to responding to detected anomalies in near real-time streams of security-related events of tenants, the anomalies detected by transforming the events in categorized features and requiring a loss function analyzer to correlate, essentially through an origin, the categorized features with a target feature artificially labeled as a constant.

Abstract: Image fingerprints (embeddings) are generated by an image fingerprinting model and indexed with an approximate nearest neighbors (ANN) model trained to identify the most similar fingerprint based on a subject embedding. For image matching, a score is provided that indicates a similarity between the input embedding and the most similar identified embedding, which allows for matching even when an image has been distorted, rotated, cropped, or otherwise modified. For image classification, the embeddings in the index are clustered and the clusters are labeled. Users can provide just a few images to add to the index as a labeled cluster. The ANN model returns a score and label of the most similar identified embedding for labeling the subject image if the score exceeds a threshold. As improvements are made to the image fingerprinting model, a converter model is trained to convert the original embeddings to be compatible with the new embeddings.

Abstract: A clientless security system to secure cellular devices across a network in a cloud-based environment. The clientless security system includes a tenant with multiple cellular devices, tunnels for transmitting traffic, and a traffic steering module for directing traffic toward a gateway. The clientless security system further includes gateways to apply policies based on a device profile and an alert generator. The traffic steering module provides a SIM with network identifiers, configures the SIM with a custom network identifier, creates a device-to-IP mapping, and distributes the device-to-IP mapping to gateways in real-time. The gateways apply multiple policies based on a device profile, receive traffic from the traffic steering module, and perform a reverse lookup. The gateways further determine a device identity, apply policies, and forward traffic to a destination. The alert generator is also used to notify the tenant of further remediation in case of policy violations.

Abstract: A cloud-based network security system (NSS) is described. The NSS uses a sandbox to safely detonate and extract information about a document and uses machine learning algorithms to analyze the information to predict whether the document contains malicious software. Specifically, during the detonation, static and dynamic information about the document is captured in the sandbox as well as character strings from images in the document. The dynamic information (and sometimes the static information) is input to an AI or machine learning model trained to provide an output indicating a prediction of whether the document contains malware. The character strings are compared with a batch of phishing keywords to generate a heuristic score. A validation engine combines the output from the AI or machine learning model and the heuristic score to classify the document as malicious or clean. Security policies can then be applied based on the classification.

Abstract: The present disclosure provides an electronic inspection method and system comprising user endpoints, end-link servers belonging to a tenant, and a mid-link server. The mid-link server connects the user endpoints with an end-link server through tunnels. The mid-link server models an interaction in the tunnels using a model of an application layer. The mid-link server receives communication from the user endpoints through the tunnels, differentiates between a data object, and stores the data object based on a plurality of policies and context developed. The mid-link analyzes the model and the data object in the tunnels and determines the context according to a policy. The mid-link server performs the electronic inspection between a plurality of end-link servers and a plurality of user endpoints by inspecting the data object from the plurality of tunnels.

Abstract: Disclosed is phishing classifier that classifies a URL and content page accessed via the URL as phishing or not is disclosed, with URL feature hasher that parses and hashes the URL to produce feature hashes, and headless browser to access and internally render a content page at the URL, extract HTML tokens, and capture an image of the rendering. Also disclosed are an HTML encoder, trained on HTML tokens extracted from pages at URLs, encoded, then decoded to reproduce images captured from rendering, that produces an HTML encoding of the tokens extracted, and an image embedder, pretrained on images, that produces an image embedding of the image captured. Further, phishing classifier layers, trained on the feature hashes, the HTML encoding, and the image embedding, process the URL feature hashes, HTML encoding and image embeddings to produce a likelihood score that the URL and the page accessed presents a phishing risk.

Abstract: A policy-based security system for establishing a secure session from client devices to a web server includes a policy component with policies, a client device with a local application to select a cloud service, and a mid-link server. A set of policies is determined based on parameters and a tag of a shared content between the client device and the web server for the cloud service. The set of policies selectively direct traffic to the mid-link server based on the tag, and the set of policies specify a direct link between the client device and the web server if the client device satisfies security standards or a secure tunnel between the client device and the mid-link server for the secure session based on the client device does not satisfy the security standards. The secure session establishes the secure session for the cloud service and for providing the shared content.

Abstract: A method and system for mediating non-compliance of residency policies associated with multiple routes within a cloud-based multi-tenant system. The system includes several routes for delivering services to various end user devices, with each route connecting to different cloud services across the Internet. A telemetry beacon is deployed to monitor compliance with pre-configured residency, routing, and performance settings, which link to multiple residency policies of the routes. An application running on an end user device requests a residency policy from the available residency policies, where residency policies control residency requirements for cloud services and routes. The telemetry beacon transmits compliance data related to the selected residency policy to an Application Resource Server (ARS). The ARS detects non-compliance with the residency policy based on this telemetry data and updates the route to resolve the issue.

Abstract: A system for policy based vulnerability management of a network equipment of an enterprise is disclosed. A plurality of vulnerabilities associated with an end user device and a plurality of policies associated with the plurality of vulnerabilities is identified. Security risks associated with the plurality of vulnerabilities based on a type of the plurality of vulnerabilities are identified. Remediation for the plurality of vulnerabilities is determined based on the plurality of policies and prioritized based on the vulnerabilities, the security risks, and the policies. The plurality of policies is based on a cloud service selected from the end user device, a tenant, and a role associated with the end user device. A route corresponding to the plurality of policies and the cloud service is identified. The route specifies the end user device or a mid-link server. The cloud service is provided to the end user device via the route.

Abstract: A cellular security system that uses multiple policies to protect a cellular network against various threats in a cloud-based environment. The cellular security system includes a tenant with multiple cellular devices, multiple tunnels that receive and route traffic, monitor traffic, capture real-time traffic attributes, and detect anomalies. The cellular security system further includes an anomaly detection model, an alert generator, and an anomaly reporter. The anomaly detection model retrieves baseline profiles from a threat database, loads policies related to a threat, and compares real-time traffic features with baseline profiles. The anomaly detection model further applies an anomaly detection algorithm to a traffic instance, assigns an anomaly score, and raises a flag for anomaly detection. The alert generator sends an alert to the tenant in the cloud-based environment, and the anomaly reporter notifies a management plane for further remediation of the anomaly.