Abstract: Techniques for providing identity protection are disclosed. A system, process, and/or computer program product for providing identity protection includes monitoring a plurality of sites, extracting predetermined user information for a user from the plurality of monitored sites to generate a profile of the user, analyzing, using a model, the profile of the user to detect whether one or more security vulnerabilities exist for social engineering attacks for one or more enterprise resources associated with the user, and performing an action in response to the one or more detected security vulnerabilities based on a policy.

Abstract: Techniques for probing for Cobalt Strike TeamServer detection are disclosed. In some embodiments, a system/process/computer program product for probing for Cobalt Strike TeamServer detection includes monitoring HyperText Transfer Protocol (HTTP), HTTPS, and/or Domain Name System (DNS) network traffic at a firewall; prefiltering the monitored HTTP, HTTPS, and/or DNS network traffic at the firewall to select a subset of the HTTP, HTTPS, and/or DNS network traffic to forward to a cloud security service; performing HTTP, HTTPS, and/or DNS probing of a target to detect whether the target is a Cobalt Strike TeamServer; and performing an action in response to detecting that the target is the Cobalt Strike TeamServer.

Abstract: A system and method for performing automated learning of an Internet-of-Things (IoT) application are disclosed. The automated learning is based on generation of application-agnostic events, allowing the automated learning to be performed without prior knowledge of the IoT application.

Abstract: Techniques for generating actionable indicators of compromise (IOCs) are disclosed. A set of potential sources for IOCs are received. One or more candidate IOCs are extracted from at least one source included in the set of potential sources. An actionable IOC is automatically identified from the one or more candidate IOCs. The actionable IOC is provided to a security enforcement service.

Abstract: Techniques for detecting anomalous behavior of an Internet-of-Things (IoT) device in an IoT network. IoT events of an IoT device are captured and analyzed to identify periodic activities of the IoT device. The periodic activities of the IoT device are tracked over time, and variations in the periodic activities are analyzed to assess potential threats to the IoT network.

Abstract: Data packets transmitted to and from an IoT device are obtained and at least one of the data packets are analyzed using deep packet inspection to identify transaction data from payload of the at least one of the data packets. An event log is generated for the IoT device from the transaction data, the event log, at least in part, used to generate a historical record for the IoT device. The IoT device into a device profile based on the historical record for the IoT device. The event log is updated in real-time to indicate current operation of the IoT device. Abnormal device behavior of the IoT device is determined using the event log and the device profile. The device profile is updated to indicate the abnormal device behavior of the IoT device.

Abstract: A set of software components has been created to form a path of execution outside of a kernel that triggers the authentication process based on MAC address determination for connected stations and separately managing that authentication per controlled port shared across stations. The architecture of the set of software components includes a control daemon that interacts with objects and services of the network access point OS or kernel to leverage dynamic host configuration protocol (DHCP) snooping and MAC address learning to determine MAC addresses. The control daemon instantiates an authenticator object/service for each controlled port and interacts with the authenticator object/service to cause an authenticator service of the OS to perform the authentication process for stations. The control daemon also leverages an Ethernet frames rules table of the kernel to authorize traffic of authenticated stations via the controlled port.

Abstract: A system generates vector representations of entries of traffic logs generated by a firewall. A first model learns contexts of values recorded in the logs during training, and the system extracts vector representations of the values from the trained model. For each log entry, vectors created for the corresponding values are combined to create a vector representing the entry. Cluster analysis of the vector representations can be performed to determine clusters of similar traffic and outliers indicative of potentially anomalous traffic. The system also generates a formal model representing firewall behavior which comprises formulas generated from the firewall rules. Proposed traffic scenarios not recorded in the logs can be evaluated based on the formulas to determine actions which the firewall would take in the scenarios. The combination of models which implement machine learning and formal techniques facilitates evaluation of both observed and hypothetical network traffic based on the firewall rules.

Abstract: Techniques for IoT policy recommendation LLM embeddings based on global behavior learning are disclosed. In some embodiments, a system, process, and/or computer program product for IoT policy recommendation LLM embeddings based on global behavior learning includes receiving information associated with network communications of a plurality of Internet of Things (IoT) devices; automatically learning a global common behavior for the plurality of IoT devices using a Large Language Model (LLM) classifier to generate a plurality of recommended rules; and applying a policy to at least one of the plurality of IoT devices based on one or more of the plurality of recommended rules.

Abstract: To automatically identify a sequence of recommended account/product pairs with highest likelihood of becoming a realized opportunity, an account/product sequence recommender uses an account propensity (AP) model and a reinforcement learning (RL) model and target engagement sequence generators trained on historical time series data, firmographic data, and product data. The trained AP model assigns propensity values to each product corresponding to received account characteristics. The trained RL model generates an optimal sequence of products that maximizes the reward over future realized opportunities. The target engagement sequence generators create target engagement sequences corresponding to the optimal sequence of products. The recommender prunes the optimal sequence of products based on the propensity values from the trained AP model, the completeness of these target engagement sequences, and a desired product sequence length.

Abstract: Techniques for application identification for phishing detection are disclosed. In some embodiments, a system/process/computer program product for application identification for phishing detection includes monitoring network activity associated with a session to detect a request to access a site; determining advanced application identification associated with the site; and identifying the site as a phishing site based on the advanced application identification.

Abstract: Techniques for distributed traffic steering and enforcement for security solutions are disclosed. In some embodiments, a system, process, and/or computer program product for distributed traffic steering and enforcement for security solutions includes encapsulating an original traffic header for a monitored flow from/to a host or a container; rerouting the flow from the host or the container to a security platform of a security service; performing security analysis at the security platform using the original traffic header; and rerouting the flow back to the host or the container for routing to an original destination based on the original traffic header.

Abstract: Techniques for providing innocent until proven guilty (IUPG) solutions for building and using adversary resistant and false positive resistant deep learning models are disclosed. In some embodiments, a system, process, and/or computer program product includes storing a set comprising one or more innocent until proven guilty (IUPG) models for static analysis of a sample; performing a static analysis of content associated with the sample, wherein performing the static analysis includes using at least one stored IUPG model; and determining that the sample is malicious based at least in part on the static analysis of the content associated with the sample, and in response to determining that the sample is malicious, performing an action based on a security policy.

Abstract: Malware signature generation through combination rule mining is disclosed. A set of properties associated, collectively, with a plurality of data samples is received. A first data sample has a first set of properties and a second data sample has a second set of properties. A combination signature comprising at least a first property included in the first set of properties and a second property included in the second set of properties is generated.

Abstract: A website misclassification report is received. A determination is made that a current classification model correctly classifies a website. The current classification model is different from a model that was previously used to classify the website. In response to a determination that the website is correctly classified by the current classification model, a reclassification operation is performed, using the current classification model, on a second website.

Abstract: Techniques for securing control and user plane separation in mobile networks (e.g., service provider networks for mobile subscribers, such as for 4G/5G networks) are disclosed. In some embodiments, a system/process/computer program product for securing control and user plane separation in mobile networks in accordance with some embodiments includes monitoring network traffic on a mobile network at a security platform to identify an Packet Forwarding Control Protocol (PFCP) message associated with a new session, in which the mobile network includes a 4G network or a 5G network; extracting a plurality of parameters from the PFCP message at the security platform; and enforcing a security policy at the security platform on the new session based on one or more of the plurality of parameters to secure control and user plane separation in the mobile network.

Abstract: Identifying Internet of Things (IoT) devices with packet flow behavior including by using machine learning models is disclosed. Information associated with a network communication of an IoT device is received. A determination of whether the IoT device has previously been classified is made. In response to determining that the IoT device has not previously been classified, a determination is made that a probability match for the IoT device against a behavior signature exceeds a threshold. Based at least in part on the probability match, a classification of the IoT device is provided to a security appliance configured to apply a policy to the IoT device.

Abstract: Comprehensive matching allows for automated conversion from runtime policy rules to build time rules that can be applied to an IaC configuration file(s). API specifications of a CSP and resource models defined in an IaC configuration file(s) are parsed and tokenized. The tokenized API specifications are evaluated to identify, for each resource model, a most appropriate API specification for mapping fields. Based on the evaluation and token matching, tokens of the API specifications are mapped to the tokens of the IaC resource models to form a mapping model. In an implementation phase, a runtime policy rule converter replaces tokens of a runtime security policy rule query with IaC tokens based on the mapping index to convert the runtime security policy rule query into a buildtime security policy rule query that can be applied against the IaC configuration files.

Abstract: A service prevents attacks carried out through container escape for silo-based containers. A callback is registered for a function(s) that may be invoked from inside a container and returns an object handle(s). The callback, when triggered by invocation of the function(s), executes for determination of whether requests for access to objects via their handles are issued by suspicious processes. Access to CExecSvc.exe is restricted for processes that request a handle for CExecSvc.exe and are determined to be associated with a container themselves. Processes that escape their container through a technique that evades detection are also blocked from accessing the host system. When a process requests access to an object via invocation of a function that returns a handle, the callback executes for determination of whether the process but not the requested object is associated with a container, in which case the service restricts the process' access to the host system.

Abstract: Management of IoT devices through a private cloud. An IoT device is coupled to a gateway. A request from the IoT device to connect to a private cloud, wherein the private cloud is used to manage IoT devices, is received at a private cloud control center agent. An identification of the IoT device is determined. The IoT device is onboarded, using the identification, for management through the private cloud. A device profile of the IoT device is generated. The flow of data to and from the IoT device is regulated through application of IoT rules according to the device profile of the IoT device.