Abstract: Assigning priority values to applications in advance facilitates later precedence ordering of the application identifiers when processing network traffic. The priority values can be assigned according to defined rules that satisfy a paradigm for application precedence in policy enforcement. When multiple application identifiers are determined from inspecting network traffic of a flow, a control plane process retrieves the assigned priority values and sorts the application identifiers according to the priority values. The control plane then communicates the sorted list of application identifiers to the data plane. The data plane enforces policies set for the applications identified in the list of application identifiers on the corresponding network traffic flow according to the order of precedence conveyed by the sorted list. This allows flexible and accurate policy enforcement on network traffic.

Abstract: Techniques for deobfuscating and decloaking web-based malware with abstract execution is disclosed. In some embodiments, a system/process/computer program product for deobfuscating and decloaking web-based malware with abstract execution includes receiving a sample; performing an abstract execution of a script included in the sample; identifying the sample as malware based on the abstract execution of the script included in the sample; and generating a log of results from the abstract execution of the script included in the sample.

Abstract: Detection of squatting domains is disclosed. A set of new fully qualified domain names (FQDNs) is received. The set of new FQDNs is analyzed to detect domain squatting by identifying a subset of the new FQDNs as candidate squatting domains. The candidate squatting domains are distributed to a security device/service.

Abstract: Techniques for reduction and acceleration of a deterministic finite automaton (DFA) are disclosed. In some embodiments, a system, process, and/or computer program product for reduction and acceleration of a DFA includes receiving an input value; performing a reduced deterministic finite automaton lookup using a lookup key, wherein the lookup key comprises a current state and the input value; and determining a next state based on the lookup key.

Abstract: User reputation regarding exposure of data objects in a cloud computing environment is determined. Behavioral information, which indicates behavior of a user for a cloud computing environment corresponding to one or more data objects in the cloud computing environment that are associated with the user, is analyzed. Based on analyzing the behavior information, a plurality of characteristics for the user that indicate exposure of the data object(s) associated with the user is determined. Each of the plurality of characteristics reflects the behavior of the user pertaining to the one or more data objects. Based on compliance of the plurality of characteristics with corresponding ones of a plurality of rules, a reputation of the user for exposing data objects in the cloud computing environment is determined. The reputation of the user is indicated to an entity with which the user is associated.

Abstract: A sample is analyzed to determine a set of events that should be selected for performing by a dynamic analyzer executing the sample in an instrumented, emulated environment. The set of selected events is performed. In some cases, at least one emulator detection resistance action is performed. A maliciousness verdict is determined for the sample based at least in part on one or more responses taken by the sample in response to the set of selected events being performed by the dynamic analyzer.

Abstract: Internet of Things (IoT) device application workload capture is disclosed. A target IoT device is selected. A flow associated with the target device is determined and tagged. Packets from the tagged flow are admitted into a ring buffer. An indication is received that an extraction should be performed on a portion of the packets included in the ring buffer.

Abstract: When a transformation job of flow logs generated for a cloud environment is triggered, a security service determines a parameterized template for batch data processing operations offered by the cloud service provider (CSP) to use based on the type of transformation job. The security service communicates an indication of the template and the corresponding parameter values to a data processing service/pipeline offered by the CSP. The provisioned processing resources retrieve the flow logs from a designated location in cloud storage, complete the transformation, and store the transformed flow logs in a new storage location. If the CSP does not provide a data processing service/pipeline which can perform bulk data transformation, the security service uses a generic parameterized template specifying a transformation job to be run on a cluster. Upon completion, the security service retrieves and analyzes the transformed flow logs as part of threat detection performed for securing the cloud environment.

Abstract: Techniques for distributed offload leveraging different offload devices are disclosed. In some embodiments, a system, process, and/or computer program product for distributed offload leveraging different offload devices includes receiving a flow at a firewall of a security service (e.g., a cloud-based security service); inspecting the flow at the firewall to determine meta information associated with the flow; and offloading the flow to an offload entity (e.g., a SmartNIC, software executed on a Network Interface Card (NIC), and/or a network device, such as a network router and/or network switch) based on the meta information associated with the flow (e.g., an application identification associated with the flow determined using deep packet inspection) and based on a policy.

Abstract: Introduced here are Internet monitoring platforms configured to define, monitor, and assess the boundary of a private network associated with a client. By monitoring the entire Internet, a private network, and relationships between these networks, an Internet monitoring platform can discover changes in the boundary of the private network that is defined by those assets on the private network capable of interfacing with a public network, such as the Internet. The Internet monitoring platform may, in response to discovering the boundary of the private network has experienced a change, identify an appropriate remediation action by mapping the change to a technological issue, a relevant business relationship, etc. For example.

Abstract: Hierarchical scanning begins with communicating probes over the Internet to ports and networks addresses to determine publicly accessible devices. Based on responses to those probes, follow-up probes are determined to obtain additional information about the publicly accessible devices. The probes are transmitted from a system that is external to the networks corresponding to the network addresses. This provides an external view of the scanned networks and facilitates a probing paradigm that scales beyond a few networks.

Abstract: A cloud-based traffic classification engine maintains a catalog of application-based traffic classes which have been developed based on known applications, and a local traffic classification engine maintains a subset of these classes. Network traffic intercepted by the firewall which cannot be classified by the local engine is forwarded to the cloud-based engine for classification. Upon determination of a class of the traffic, the cloud-based engine forwards the determined class and corresponding signature to the local engine. The firewall maintains a cache which is updated with the signatures corresponding to the class communicated by the cloud-based engine. Subsequent network traffic sent from the application can be determined to correspond to the application and classified according locally at the firewall based on the cached signatures. Localization of the cache to the firewall reduces latency of traffic classification operations as the catalog of classification information stored in the cloud scales.

Abstract: Techniques for preventing ransomware from encrypting files on a target machine are disclosed. In some embodiments, a system/process/computer program product for preventing ransomware from encrypting files on a target machine includes monitoring file system activities on a computing device; detecting an unauthorized activity associated with a honeypot file or honeypot folder; and performing an action based on a policy in response to the unauthorized activity associated with the honeypot file or honeypot folder.

Abstract: Techniques for applying context-based security over interfaces in NG-RAN environments in mobile networks are disclosed. In some embodiments, a system/process/computer program product for applying context-based security over interfaces in NG-RAN environments in mobile networks includes monitoring network traffic on a mobile network at a security platform to identify a GTP-U tunnel session setup message associated with a new session; extracting a plurality of parameters from the GTP-U tunnel session setup message and from XnAP traffic to extract contextual information at the security platform; and enforcing a security policy at the security platform on the new session based on one or more of the plurality of parameters to apply context-based security to the network traffic transported between NG-RAN nodes in an NG-RAN environment in the mobile network.

Abstract: A malware profile is received. The malware profile comprises a set of n-tuples of attributes that describe one or more activities associated with executing a copy of a known malicious application that is associated with the malware profile. A set of one or more log entries is analyzed for a set of entries that matches the malware profile. Based at least in part on identifying the set of entries matching the malware profile, a determination is made that a host was compromised. In response to determining that the host has been compromised, a remedial action is taken with respect to the host.

Abstract: Techniques for process privilege escalation protection in a computing environment are disclosed. For example, the disclosure describes a system/process/computer program product for process privilege escalation protection in a computing environment that includes monitoring a process executed on a computing device, detecting an unauthorized change in a token value associated with the process, and performing an action based on a policy (e.g., a kernel protection security policy/rule(s), which can include a whitelisted set of processes and/or configured actions/responses to perform for other/non-whitelisted processes) in response to an unauthorized change in the token value associated with the process.

Abstract: A method includes allocating an identifier to each of a plurality of policies each comprising a network-isolation identifier associated with a VXWAN directive and transmitting each of the plurality of policies to one or more devices in a network.

Abstract: Dynamic partitioning of a search space of queries is implemented for flexible, heuristic database querying. Search space partitioning refers to dividing the search space for a submitted query into smaller parts by augmenting the queries to append thereto an additional predicate comprising a dynamic partition key and a value(s) selected based on heuristics (e.g., recency and/or relevancy of the value(s)). A plurality of candidate augmentations of the query and corresponding query plans are generated and evaluated based on additional heuristics to determine which can be executed to yield the best results in terms of result quality and latency. This query plan is selected and executed for retrieval of results that satisfy the query, with pagination utilized for presentation of the results. The procedure of generating candidate query plans, selecting one of the candidates for execution, and paginating results is repeated until a search termination criterion is satisfied.

Abstract: Techniques for applying context-based security over interfaces in O-RAN environments in mobile networks are disclosed. In some embodiments, a system/process/computer program product for applying context-based security over interfaces in O-RAN environments in mobile networks includes monitoring network traffic on a mobile network at a security platform to identify a GTP-U tunnel session setup message associated with a new session; extracting a plurality of parameters from the GTP-U tunnel session setup message and from F1AP traffic to extract contextual information at the security platform; and enforcing a security policy at the security platform on the new session based on one or more of the plurality of parameters to apply context-based security to the network traffic transported between O-RAN Distributed Unit (O-DU) and O-RAN Centralized Unit Control Plane (O-CU-CP) nodes in an O-RAN environment in the mobile network.

Abstract: An access point provides a hidden wireless network that is configured with a set of SSIDs so that the hidden network is discoverable with multiple different SSIDs. Based on detection of a probe request frame which indicates an SSID from a device, the access point determines if the SSID for which network availability is requested matches one of the SSIDs in the set. If the SSID does match one of those included in the set, the SSID correctly identifies the hidden network, and the access point responds with a probe response frame. Devices connected to the hidden network may have initiated the establishment of the connection with a different SSIDs despite the hidden network being a single wireless network. Scaling the number of supported SSIDs therefore does not impact the frequency with which the access point transmits beacon frames for the hidden network.