Abstract: Techniques for providing Internet of Things (IoT) security are disclosed. An applicable system includes profiling IoT devices to limit the number of network signatures applicable to the IoT devices and performing pattern matching using a pattern that is appropriate for the profile of a given IoT device.

Abstract: The present application discloses a method, system, and computer system for detecting malicious SQL or command injection strings. The method includes obtaining an SQL or command injection string and determining whether the command injection string is malicious based at least in part on a machine learning model.

Abstract: Techniques for selective intelligent enforcement for mobile networks using a security platform are disclosed.

Abstract: Mitigating multiple authentications for a geo-distributed security service is disclosed. A request to access a web service from a client device is received. The request is redirected to a geo-distributed authentication service including a distributed cache for storing a user's authentication authorization. An authorization token included in a distributed authentication cache cookie and uniform resource locator (URL) for the web service to facilitate secure access to the web service from the client device are returned.

Abstract: Methods, storage systems and computer program products implement embodiments of the present invention for protecting a computing device, which includes a processor and a memory and is coupled to a storage device storing a set of one or more files. In embodiments of the present invention, a call to a specified function for execution by the processor is detected, and a stack trace for the call to the specified function is generated in the memory. Upon detecting, in the stack trace, a stack frame including a return address referencing a shellcode region in the memory, wherein the shellcode region includes executable code that was not loaded from any given file on the storage device, then the referenced executable code is compared to a list of malicious shellcode. Finally, a preventive action is initiated upon detecting a match between the referenced executable code and one of malicious shellcodes in the list.

Abstract: Zero trust network security is provided without modifying the underlying network infrastructure. A first entity at a first node in a network environment obtains an entity identifier and host certificate from a second entity installed on a second node. A determination is made as to whether the host certificate is valid based on a firewall policy and an intermediate certificate that was issued to the first entity. A determination is also made as to whether the entity identifier is valid based on a known infrastructure of the network environment. If the host certificate and entity identifier are valid, communications between the first and second entities can be allowed, while communications are blocked if at least one of the host certificate and the entity identifier is not valid.

Abstract: A system has been designed that examines details of a security advisory against informal vulnerability records. The system generates a vulnerability match confidence value based on comparison of different details in the security advisory against the informal vulnerability records. Based on the comparisons, the system determines similarity of different details between the security advisory and the informal vulnerability records and cumulatively updates a vulnerability match confidence value with various detail similarity weights according to the determined similarities. Based on the vulnerability match confidence value, the system can classify or designate a security advisory for automatic merging or for manual examination. This reduces the burden on cybersecurity personnel and allows cybersecurity personnel to focus their limited resources on analyzing new vulnerabilities.

Abstract: A configuration of a cloud application exposed via a public IP address is duplicated with modifications to include a private IP address to expose the application internally. The original configuration is updated so that external network traffic sent to the application is redirected to and distributed across agents running on nodes of a cloud cluster by which web application firewalls (WAFs) are implemented. A set of agents for which the respective WAFs should inspect the redirected network traffic are selected based on cluster metrics, such as network and resource utilization metrics. The redirected network traffic targets a port allocated to the agents that is unique to the application, where ports are allocated on a per-application basis so each of the agents can support WAF protection for multiple applications. Network traffic which a WAF allows to pass is directed from the agent to the application via its private IP address.

Abstract: A system and methods for protecting a serverless application, the system including: (a) a serverless application firewall configured to inspect input of the serverless function so as to ascertain whether the input contains malicious, suspicious or abnormal data; and (b) a behavioral protection engine configured to monitor behaviors and actions of the serverless functions during execution thereof.

Abstract: Techniques for supporting overlapping network addresses universally are disclosed. A system, process, and/or computer program product for supporting overlapping network addresses universally includes generating at least two virtual routers for a cloud security service, the at least two virtual routers including a first virtual router and a second virtual router, routing cloud security service packets using the first virtual router, and routing enterprise subscriber packets using the second virtual router.

Abstract: Techniques for applying context-based security over interfaces in NG-RAN environments in mobile networks are disclosed. In some embodiments, a system/process/computer program product for applying context-based security over interfaces in NG-RAN environments in mobile networks includes monitoring network traffic on a mobile network at a security platform to identify a GTP-U tunnel session setup message associated with a new session; extracting a plurality of parameters from the GTP-U tunnel session setup message and from XnAP traffic to extract contextual information at the security platform; and enforcing a security policy at the security platform on the new session based on one or more of the plurality of parameters to apply context-based security to the network traffic transported between NG-RAN nodes in an NG-RAN environment in the mobile network.

Abstract: Techniques for beacon and threat intelligence based Advanced Persistent Threat (APT) detection are disclosed. In some embodiments, a system/process/computer program product for beacon and threat intelligence based APT detection includes collecting firewall log data from monitored network traffic; analyzing the firewall log data at a cloud security service to identify beacon traffic based on a plurality of heuristics; performing a risk evaluation of the beacon traffic to detect malicious beacon traffic; and performing an action in response to detecting the malicious beacon traffic.

Abstract: A URL categorization query is received. The URL categorization query includes at least one URL. The URL is used to determine a set of data distribution keys. A distributed key-value data store is queried using at least one data distribution key included in the determined set of data distribution keys. Categorization information is returned. The returned URL categorization information can be used to enforce policies.

Abstract: A set of repackaging fingerprints generated independently of a particular original application is received. The set of repackaging fingerprints comprises a plurality of predetermined indicators of build-related structure that is independent of the particular original application's code structure. A mobile application is received. The received mobile application is analyzed for one or more indicators that the received mobile application is a repackaged version of the particular original application, using at least one repackaging fingerprint. In response to a result of the analysis, the received mobile application is categorized as a repackaged application.

Abstract: Embodiments of the present application relate to a method for policy enforcement, a system for policy enforcement, and a computer program product for policy enforcement. A method for policy enforcement is provided. The method includes receiving a host information profile report from a client device, and enforcing a security policy for network access based on the host information profile report. The host information profile report includes device profile information associated with the client device.

Abstract: The present application discloses a method, system, and computer system for detecting malicious .NET files. The method includes receiving a sample that comprises a .NET file, obtaining information pertaining to common language runtime (CLR) metadata and streams associated with the .NET file, and determining whether the sample is malware based at least in part on (i) a classifier, and (ii) the information pertaining to the CLR metadata and streams.

Abstract: The present application discloses a method, system, and computer system for predicting responses to DNS queries. The method includes receiving a DNS query comprising a subdomain portion and a root domain portion from a client device, determining whether to obtain target address information corresponding to the DNS from a predictive cache, in response to determining to obtain the target address information from the predictive cache, obtaining the target address information from the predictive cache, and providing the target address information to the client device.

Abstract: A hierarchical structure constructor constructs a hierarchical structure that comprises nodes associated with feature sets patterns of URLs. Nodes at each depth are labelled as malicious, benign, or mixed for corresponding to URLs that are malicious, benign, or malicious and benign that match the corresponding patterns. Malicious feature set patterns are extracted from malicious nodes in the hierarchical structure. A URL analyzer operates inline by logging traffic sessions, extracting URLs from the logs, and matching the extracted URLs with the malicious feature sets patterns extracted from the hierarchical structure. The hierarchical structure is periodically updated with known malicious/benign URLs to improve quality of malicious URL detection.

Abstract: Identifying Internet of Things (IoT) devices with packet flow behavior including by using machine learning models is disclosed. Information associated with a network communication of an IoT device is received. A determination of whether the IoT device has previously been classified is made. In response to determining that the IoT device has not previously been classified, a determination is made that a probability match for the IoT device against a behavior signature exceeds a threshold. The behavior signature includes at least one time series feature for an application used by the IoT device. Based at least in part on the probability match, a classification of the IoT device is provided to a security appliance configured to apply a policy to the IoT device.

Abstract: For a seamless and robust artificial intelligence-based assistant experience, an intent-based query and response router has been designed to operate as an intelligent layer between a user and multiple backend services that may respond to one or more queries over the course of a conversation with the user. The query router interacts with an intent classification service to obtain an intent classification for a prompt that is based on a user query. The query router uses the intent classification, which is used as an identifier of a backend service, to route the user query to an appropriate one (or more) of the backend services. When a response is detected, the query router determines a corresponding conversation and provides the response for the conversation.