Patents Assigned to Palo Alto Networks, Inc.
-
Patent number: 12212550
Abstract: Techniques for time-based network authentication challenges are disclosed. In some embodiments, a system, process, and/or computer program product for time-based network authentication challenges includes monitoring a session at a firewall to identify a user associated with the session, generating a timestamp for an authentication factor associated with the user after the user successfully authenticates for access to a resource based on an authentication profile, intercepting another request from the user for access to the resource at the firewall, and determining whether the timestamp for the authentication factor is expired based on the authentication profile.
Type: Grant
Filed: August 31, 2022
Date of Patent: January 28, 2025
Assignee: Palo Alto Networks, Inc.
Inventors: Ashwath Sreenivasa Murthy, Prabhakar M V B R Mangam, Shriram S. Jandhyala, Qiuming Li, Yongjie Yin
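The abstract above describes a firewall that ties authentication-factor timestamps to a user identified from the session and re-challenges when a factor has aged past its profile lifetime. The following is an added example, not code from the patent or from Palo Alto Networks: the profile names, factor lifetimes, session ids, users and resource names are all constructed for illustration.

```python
"""Added example, not code from the patent or from Palo Alto Networks:
a firewall-side tracker that maps sessions to users, timestamps each
authentication factor on success, and on every intercepted request reports
which factors are missing or expired under the authentication profile.
Profiles, lifetimes, users and resources below are constructed."""

# Constructed authentication profiles: factor -> validity period in seconds.
PROFILES = {
    "finance-apps": {"password": 8 * 3600, "mfa": 15 * 60},
    "wiki":         {"password": 24 * 3600},
}


class AuthChallengeTracker:
    def __init__(self, profiles):
        self.profiles = profiles
        self.session_users = {}  # session id -> user identified from the session
        self.factor_times = {}   # (user, resource) -> {factor: time of last success}

    def observe_session(self, session_id, user):
        """Monitoring step: associate a session with the user behind it."""
        self.session_users[session_id] = user

    def record_success(self, session_id, resource, factor, now):
        """Timestamp a factor after the user authenticates successfully."""
        user = self.session_users[session_id]
        self.factor_times.setdefault((user, resource), {})[factor] = now

    def expired_factors(self, session_id, resource, profile_name, now):
        """Intercepted request: factors that are missing or whose timestamp
        has aged past the profile lifetime. Empty list means no challenge."""
        user = self.session_users[session_id]
        ttl_by_factor = self.profiles[profile_name]
        seen = self.factor_times.get((user, resource), {})
        return [f for f, ttl in ttl_by_factor.items()
                if f not in seen or now - seen[f] >= ttl]


def demo():
    """One user's requests against the constructed finance profile; returns
    the challenge list at 10 minutes, ~17 minutes and ~8.3 hours."""
    t = AuthChallengeTracker(PROFILES)
    t.observe_session("sess-1", "alice")
    t.record_success("sess-1", "erp", "password", now=0)
    t.record_success("sess-1", "erp", "mfa", now=0)
    return [t.expired_factors("sess-1", "erp", "finance-apps", now)
            for now in (600, 1000, 30000)]
```

The timestamps are keyed by (user, resource) rather than by session, so a user who opens a second session to the same resource inside the MFA lifetime is not re-challenged, while a session whose user cannot be identified cannot claim another user's factors.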
-
Patent number: 12212595
Abstract: A method and system for protecting an application from unsecure network exposure. The method includes identifying an at-risk application, wherein identifying the at-risk application further comprises determining that the application is configured incorrectly; identifying at least one port through which the at-risk application is accessible when the at-risk application is determined to be configured incorrectly; and determining, based on the identified at least one port through which the at-risk application is accessible, whether an exposure vulnerability exists, wherein the exposure vulnerability is an unapproved exposure of at least one of the at least one port to external resources.
Type: Grant
Filed: October 20, 2021
Date of Patent: January 28, 2025
Assignee: Palo Alto Networks, Inc.
Inventors: Dima Stopel, Liron Levin, Daniel Shapira, Nitsan Ben Nun, John Morello
-
Patent number: 12206682
Abstract: A security appliance samples data about software defined infrastructures (SDIs) of a cloud computing environment to incrementally build models that map resource attributes indicated in fields to data types. The security appliance uses the model(s) to provide context sensitive help in policy rule constructions.
Type: Grant
Filed: September 29, 2023
Date of Patent: January 21, 2025
Assignee: Palo Alto Networks, Inc.
Inventors: Chandra Mouleeswaran, Wayne Jensen
-
Patent number: 12204480
Abstract: A service obtains traffic logs for traffic of a network that has been sent according to a Layer 7 protocol (e.g., SNMP or DNS). The service identifies from the traffic logs device names that appear to correspond to different devices/NICs as names of candidate multi-NIC devices. The service extracts features from names of the candidate multi-NIC devices and generates respective feature vectors. The service can generate “documents” representing each device name from which it extracts features by determining n-grams of each device name, where a set of n-grams of a device name is treated as a document, and each n-gram is treated as a term in the document. Exemplary features that can be extracted based on a device name document include within-document and cross-document uniqueness scores. The service clusters the feature vectors with unsupervised learning and identifies clusters of a size that satisfies a criterion as corresponding to multi-NIC devices.
Type: Grant
Filed: April 7, 2023
Date of Patent: January 21, 2025
Assignee: Palo Alto Networks, Inc.
Inventors: Rahul Devidas Rajewar, Yilin Zhao, Gong Cheng
-
Patent number: 12206683
Abstract: A system processes an API specification provided by a vendor to determine and classify the functions defined therein by CRUD operation type based on analysis of the function names. Classification of the function includes associating a bitmask corresponding to the class with the function name. The system then subscribes to an event stream including logged API function call events during a time window overlapping with a “blind spot” period of attack detection. The system analyzes incoming events to identify an associated resource and an API function call. The system classifies the function based on the determined function classes and performs a bitwise operation between bit values maintained for the identified resource that are indicative of resource state and the bitmask of the function class. If the resulting bit values indicate that the resource was both created and deleted during the time window, the system flags the resource as potentially involved in an attack.
Type: Grant
Filed: July 2, 2021
Date of Patent: January 21, 2025
Assignee: Palo Alto Networks, Inc.
Inventor: Krishnan Shankar Narayan
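The abstract above describes classifying API functions into CRUD classes, attaching a bitmask per class, and OR-ing those masks into a per-resource state word over a time window so that resources which were both created and deleted inside the window stand out. The following is an added example, not code from the patent or from Palo Alto Networks: the verb-prefix table, the spec subset and the event log are constructed, and the assumption that vendor function names lead with a CRUD verb is mine.

```python
"""Added example, not code from the patent or from Palo Alto Networks:
classify API functions into CRUD classes by name prefix, attach a bitmask
to each class, OR the masks into a per-resource state word over a time
window, and flag resources that were both created and deleted in that
window. The prefix table, function names and event log are constructed."""
from collections import defaultdict

# One bit per CRUD class; a resource's state word is the OR of every class seen.
CREATE, READ, UPDATE, DELETE = 0x1, 0x2, 0x4, 0x8

# Constructed prefix table (assumption: vendor function names lead with a verb).
_VERB_PREFIXES = {
    CREATE: ("create", "run", "launch", "put"),
    READ:   ("get", "describe", "list"),
    UPDATE: ("update", "modify", "set"),
    DELETE: ("delete", "terminate", "remove"),
}


def classify_spec(function_names):
    """Map each function name from an API spec to its class bitmask.
    Names with no recognised verb get mask 0 and are ignored later."""
    masks = {}
    for name in function_names:
        lowered = name.lower()
        masks[name] = next((bit for bit, verbs in _VERB_PREFIXES.items()
                            if lowered.startswith(verbs)), 0)
    return masks


def find_ephemeral_resources(events, masks, window_start, window_end):
    """events: iterable of (timestamp, function_name, resource_id).
    Returns resource ids whose state word has both CREATE and DELETE set
    from calls inside [window_start, window_end]."""
    state = defaultdict(int)
    for ts, fn, resource in events:
        if not window_start <= ts <= window_end:
            continue
        state[resource] |= masks.get(fn, 0)
    both = CREATE | DELETE
    return sorted(r for r, bits in state.items() if bits & both == both)


# Constructed spec subset and event stream (timestamps in seconds).
SPEC = ["RunInstances", "DescribeInstances", "ModifyInstanceAttribute",
        "TerminateInstances"]
EVENTS = [
    (50,  "RunInstances",       "i-old"),   # created before the window
    (100, "RunInstances",       "i-fast"),
    (105, "DescribeInstances",  "i-fast"),
    (110, "TerminateInstances", "i-fast"),  # created and deleted inside window
    (120, "RunInstances",       "i-live"),  # still alive at window end
    (130, "TerminateInstances", "i-old"),   # deleted only; creation was earlier
]


def demo(window=(90, 140)):
    """Run the constructed log through a window that models the blind spot."""
    return find_ephemeral_resources(EVENTS, classify_spec(SPEC), *window)
```

The window boundaries matter: a resource created just before the blind spot and deleted inside it is deliberately not flagged, because its creation was visible to normal detection. Widening the window so it also covers the earlier creation makes that resource appear as well.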
-
Patent number: 12206560
Abstract: The disclosure describes various aspects of crowdsourcing traffic data for automatic and dynamic benchmarking of applications. In an aspect, an intelligence layer, communicatively coupled to a data collection layer and a visualization layer, is configured to receive traffic data from data sources (e.g., physical appliances, probes) in the data collection layer, the data sources being associated with multiple customers, and the traffic data being associated with at least one application (e.g., word processing, video streaming) used by the multiple customers. The intelligence layer is a cloud-based layer further configured to process the traffic data to determine performance thresholds for the at least one application, and may send one or more of the performance thresholds to a data source for a different customer to be used for benchmarking the at least one application for the different customer.
Type: Grant
Filed: August 10, 2023
Date of Patent: January 21, 2025
Assignee: Palo Alto Networks, Inc.
Inventors: John Bothe, Hristos Siakou, Con Nikolouzakis
-
Patent number: 12206692
Abstract: Techniques for malware detection using watermark cookies are disclosed. In some embodiments, a system, process, and/or computer program product for malware detection using watermark cookies includes receiving a sample at a cloud security service; injecting a watermark cookie in a virtual environment to provide a modified virtual environment; detonating the sample in the modified virtual environment, wherein the modified virtual environment is instrumented for monitoring activities associated with the sample during automated malware analysis of the sample; detecting whether the watermark cookie was accessed in the modified virtual environment during the automated malware analysis of the sample; and determining whether the sample is malware based on whether the watermark cookie was accessed in the modified virtual environment.
Type: Grant
Filed: March 31, 2022
Date of Patent: January 21, 2025
Assignee: Palo Alto Networks, Inc.
Inventors: Zhaoyan Xu, Wei Xu, Kyle Sanders
-
Patent number: 12197577
Abstract: Detection of malicious JavaScript based on automated user interaction emulation is disclosed. A malware sample is executed in an instrumented virtual environment. Dynamic behavior is triggered based on emulated user interactions.
Type: Grant
Filed: December 11, 2023
Date of Patent: January 14, 2025
Assignee: Palo Alto Networks, Inc.
Inventors: Jin Chen, Tao Yan, Taojie Wang, Bo Qu
-
Patent number: 12197452
Abstract: A system, method, and device for generating data visualizations are disclosed. The method includes (i) obtaining a natural language query, (ii) determining an intent for the natural language query, (iii) generating one or more data requests to one or more selected data sources, the one or more data requests being based at least in part on the intent, (iv) abstracting result data to obtain a data abstraction, the result data being responsive to the one or more data requests, and (v) generating a visualization for the result data based at least in part on the data abstraction.
Type: Grant
Filed: June 29, 2023
Date of Patent: January 14, 2025
Assignee: Palo Alto Networks, Inc.
Inventors: Sameer D. Merchant, Zana Vosough, Rajesh Bhagwat
-
Patent number: 12197574
Abstract: The present application discloses a method, system, and computer system for detecting malicious files. The method includes receiving a sample, extracting an embedded script from the sample, applying a malicious script detector in connection with determining whether the sample is malicious, and in response to determining that the sample is malicious sending, to a security entity, an indication that the sample is malicious.
Type: Grant
Filed: December 14, 2021
Date of Patent: January 14, 2025
Assignee: Palo Alto Networks, Inc.
Inventors: Akshata Krishnamoorthy Rao, Yaron Samuel, Lauren Che, Wenjun Hu
-
Patent number: 12200016
Abstract: Techniques for a security platform with external inline processing of assembled selected traffic are disclosed. In some embodiments, a system/method/computer program product for providing a security platform with external inline processing of assembled selected traffic includes monitoring network traffic of a session at a security platform; selecting a subset of the monitored network traffic associated with the session to send to a cloud-based security service for analysis based on a security policy, wherein the selected subset of the monitored network traffic is proxied to the cloud-based security service; and receiving, from the cloud-based security service, results of the analysis based on the security policy, and performing a responsive action based on the results of the analysis based on the security policy.
Type: Grant
Filed: August 31, 2020
Date of Patent: January 14, 2025
Assignee: Palo Alto Networks, Inc.
Inventors: Suiqiang Deng, Jiangxia Liu
-
Patent number: 12199948
Abstract: Automated, intelligent selection of regions for cloud-based firewall deployment and scaling of firewalls down to as few as zero in a cloud region is described herein. Usage metrics pertaining to firewalls deployed in each region are collected and evaluated to determine whether to scale firewalls in a region up or down. Scaling down of firewalls to zero is conditioned on at least one other region having a firewall(s) available for traffic inspection such that the number of total firewalls available for inspection of network traffic is at least one at any given time. When scaling up through deployment of additional firewalls, if endpoint devices located near a region in which a firewall is not available contribute substantially to firewall usage in another region, the region nearest to those endpoint devices is determined and selected for deployment of the additional firewalls.
Type: Grant
Filed: October 4, 2021
Date of Patent: January 14, 2025
Assignee: Palo Alto Networks, Inc.
Inventors: Bhaskar Bhupalam, Gino John
-
Patent number: 12197573
Abstract: An indication of an application to be installed on a local device is received. A request is transmitted to a remote server for information associated with the application. In some cases, in response to the receipt of a report from the remote server, a set of rules restricting behaviors of the application is implemented at the local device. In some cases, in response to the receipt of a report from the remote server, the installation of the application on the local device is prevented.
Type: Grant
Filed: February 16, 2021
Date of Patent: January 14, 2025
Assignee: Palo Alto Networks, Inc.
Inventors: Zhi Xu, Elad Wexler, Asaf Weiss
-
Patent number: 12199949
Abstract: Techniques for packet classification for network routing are disclosed. In some embodiments, packet classification for network routing includes receiving packets associated with a new flow at a security controller from a network device, in which the network device performs packet forwarding; classifying the flow; and determining an action for the flow based on a policy (e.g., a security policy). In some embodiments, the network device is a Software Defined Network (SDN) network device (e.g., a packet forwarding device that supports the OpenFlow protocol or another protocol).
Type: Grant
Filed: September 29, 2023
Date of Patent: January 14, 2025
Assignee: Palo Alto Networks, Inc.
Inventors: Nir Zuk, Marc Joseph Benoit
-
Patent number: 12189459
Abstract: Power sourcing equipment (“PSE”) can temporarily suspend or indefinitely disable powered devices (“PDs”) exhibiting faults for more efficient resource utilization and preservation of the PSE hardware. The PSE maintains a first counter for each connected PD that indicates a count of fault events detected for the PD. Upon detecting a count of fault events for a PD within a designated time period that exceeds a first threshold, the PSE suspends the PD and increments a second counter maintained for the PD that indicates how many times the PD has been suspended. The PSE suspends processing of/responding to communications received from the suspended PD for the duration of the suspension. Subsequent fault detection and suspension for the PD can continue until the suspension count of the PD exceeds a second threshold, which triggers disabling of the faulty PD by discontinuing processing of/responding to communications received from the PD indefinitely.
Type: Grant
Filed: October 21, 2022
Date of Patent: January 7, 2025
Assignee: Palo Alto Networks, Inc.
Inventors: Suryakant Devangan, Jeslin Antony Puthenparambil, Sneha Srinivasan, Arun Athrey Chandrasekaran
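The abstract above describes two counters per powered device: faults within a time window, which trigger a timed suspension once they exceed a first threshold, and suspensions, which trigger an indefinite disable once they exceed a second threshold. The following is an added example, not code from the patent or from Palo Alto Networks: the thresholds, the window and suspension lengths, and the fault timeline are constructed for illustration, and a real PSE would drive this from its PoE controller's fault interrupts rather than from timestamps passed in by hand.

```python
"""Added example, not code from the patent or from Palo Alto Networks:
a PSE-side guard that keeps two counters per powered device (faults inside
a sliding window, and suspensions), suspends a PD when the fault count
exceeds the first threshold and disables it when the suspension count
exceeds the second. Thresholds, durations and timestamps are constructed."""
from collections import deque


class PoEPortGuard:
    def __init__(self, fault_threshold=2, window=10.0,
                 suspend_threshold=1, suspend_duration=30.0):
        self.fault_threshold = fault_threshold      # faults in window tolerated before suspension
        self.window = window                        # seconds the fault counter looks back
        self.suspend_threshold = suspend_threshold  # suspensions tolerated before disable
        self.suspend_duration = suspend_duration    # seconds one suspension lasts
        self.fault_times = {}      # pd -> deque of fault timestamps (first counter)
        self.suspend_count = {}    # pd -> number of suspensions so far (second counter)
        self.suspended_until = {}  # pd -> time the current suspension ends
        self.disabled = set()      # PDs disabled indefinitely

    def state(self, pd, now):
        if pd in self.disabled:
            return "disabled"
        if self.suspended_until.get(pd, float("-inf")) > now:
            return "suspended"
        return "active"

    def accepts_traffic(self, pd, now):
        """Communications from suspended or disabled PDs are not processed."""
        return self.state(pd, now) == "active"

    def on_fault(self, pd, now):
        """Record a fault event and return the PD's resulting state."""
        if not self.accepts_traffic(pd, now):
            return self.state(pd, now)   # ignored while suspended or disabled
        q = self.fault_times.setdefault(pd, deque())
        q.append(now)
        while now - q[0] > self.window:  # drop faults older than the window
            q.popleft()
        if len(q) > self.fault_threshold:
            q.clear()                    # counter restarts after the suspension
            self.suspend_count[pd] = self.suspend_count.get(pd, 0) + 1
            if self.suspend_count[pd] > self.suspend_threshold:
                self.disabled.add(pd)    # indefinite: no automatic recovery
            else:
                self.suspended_until[pd] = now + self.suspend_duration
        return self.state(pd, now)


def demo():
    """Constructed timeline: a burst of faults, a quiet period, a second
    burst. Returns the state after each fault event."""
    guard = PoEPortGuard()
    timeline = [0, 1, 20, 21, 22, 30, 60, 61, 62]
    return [guard.on_fault("pd-7", t) for t in timeline]
```

Faults that arrive while the PD is suspended are not counted, so a device that keeps faulting through its suspension is judged again only once it is powered back; the suspension counter, unlike the fault counter, is never reset, which is what turns repeated temporary suspensions into a permanent disable.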
-
Patent number: 12192171
Abstract: A virtual firewall configured with two interfaces assigned different security zones switches between Layer 3 routing and bump-in-the-wire (BITW) modes between sessions. After receiving a packet from a one-arm load balancer, an inner header is determined based on decapsulation which removes an outer header. A route lookup is performed based on the inner header to determine whether to communicate packets of the session with Layer 3 routing or according to the BITW model. The result of the route lookup indicates an egress interface. If the ingress and egress interfaces are the same, the firewall operates according to the BITW model for the session. If the egress and ingress interfaces are different, the firewall routes packets of the session with Layer 3 routing. Upon detection of subsequent packets, the firewall operates according to the determined mode for the session without performing additional inner header route lookups for operation mode determination.
Type: Grant
Filed: September 16, 2021
Date of Patent: January 7, 2025
Assignee: Palo Alto Networks, Inc.
Inventors: Charles Bransi, Steven Alsop
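The abstract above describes a per-session decision: decapsulate the first packet, route-look-up the inner destination, compare the egress interface with the ingress interface, and then reuse the result for the rest of the session. The following is an added example, not code from the patent or from Palo Alto Networks: the encapsulated packet is modelled as a dict with `outer` and `inner` parts, and the interface names, zones and route table are constructed; a real firewall would parse the load balancer's tunnel header (GENEVE, VXLAN or similar) to reach the inner header.

```python
"""Added example, not code from the patent or from Palo Alto Networks:
per-session selection between bump-in-the-wire (BITW) and Layer 3 routing
from a single inner-header route lookup. Packets, interfaces, zones and the
route table are constructed for illustration."""
import ipaddress

# Constructed two-interface firewall, one security zone per interface.
INTERFACES = {"ethernet1/1": "trust", "ethernet1/2": "untrust"}

# Constructed route table: (destination prefix, egress interface).
ROUTES = [
    (ipaddress.ip_network("10.0.0.0/8"),   "ethernet1/1"),
    (ipaddress.ip_network("10.20.0.0/16"), "ethernet1/2"),
    (ipaddress.ip_network("0.0.0.0/0"),    "ethernet1/2"),
]


def decapsulate(packet):
    """Remove the outer header added by the one-arm load balancer."""
    return packet["inner"]


def route_lookup(dst_ip):
    """Longest-prefix match on the inner destination; returns the egress interface."""
    dst = ipaddress.ip_address(dst_ip)
    _, egress = max((r for r in ROUTES if dst in r[0]),
                    key=lambda r: r[0].prefixlen)
    return egress


class ModeSelector:
    def __init__(self):
        self.sessions = {}   # 5-tuple -> "bitw" or "l3"
        self.lookups = 0     # route lookups performed: one per session, not per packet

    def mode_for(self, packet):
        if packet["ingress"] not in INTERFACES:
            raise ValueError("packet arrived on an unknown interface")
        inner = decapsulate(packet)
        key = (inner["src"], inner["dst"], inner["proto"],
               inner["sport"], inner["dport"])
        if key in self.sessions:
            return self.sessions[key]   # later packets: no further lookup
        self.lookups += 1
        egress = route_lookup(inner["dst"])
        # Same interface in and out -> BITW; different interface -> Layer 3 routing.
        mode = "bitw" if egress == packet["ingress"] else "l3"
        self.sessions[key] = mode
        return mode


def make_packet(ingress, src, dst, dport, sport=40000, proto="tcp"):
    """Constructed encapsulated packet as the firewall would receive it."""
    return {"ingress": ingress,
            "outer": {"src": "192.0.2.10", "dst": "192.0.2.20"},   # LB -> FW
            "inner": {"src": src, "dst": dst, "proto": proto,
                      "sport": sport, "dport": dport}}
```

The session key is the inner 5-tuple, not the outer one, because every packet from the load balancer shares the same outer addresses; keying on the outer header would collapse all sessions into one mode decision.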
-
Patent number: 12184552
Abstract: An auto scale monitoring service performs load balancing on a cloud firewall with minimized traffic disruption using eager and lazy load balancing protocols. The auto scale monitoring service operates through an orchestrator that initializes a new firewall and sends forwarding instructions to the new firewall for rerouting excess traffic. The auto scale monitoring service additionally operates through a software-defined wide area network controller that sends routing instructions to a local branch of network devices to reroute to the new firewall from an overloaded current firewall. The eager protocol immediately tears down a tunneling session from the local branch to the current firewall, and the lazy protocol gradually tears down this tunneling session. Both protocols properly inform firewalls how to forward ongoing traffic in each case and establish updated traffic flow through a tunneling session from the local branch to the new firewall.
Type: Grant
Filed: April 21, 2022
Date of Patent: December 31, 2024
Assignee: Palo Alto Networks, Inc.
Inventors: Avaneesh Anandrao Kadam, Bhaskar Bhupalam, Ketan Gunawant Kulkarni
-
Patent number: 12182147
Abstract: A system, method, and device for generating data visualizations are disclosed. The method includes (i) obtaining a natural language query, (ii) determining an intent for the natural language query, (iii) generating one or more data requests to one or more selected data sources, the one or more data requests being based at least in part on the intent, (iv) obtaining a predicted visualization definition based at least in part on abstracting the result data, and (v) generating a visualization for the result data based at least in part on the predicted visualization definition.
Type: Grant
Filed: June 29, 2023
Date of Patent: December 31, 2024
Assignee: Palo Alto Networks, Inc.
Inventors: Sameer D. Merchant, Zana Vosough, Rajesh Bhagwat
-
Patent number: 12177181
Abstract: Automatic generation of network signatures is disclosed. Network profiles for malware samples are generated. Network signature candidates are selected based on the network profiles. The network signature candidates are automatically evaluated to automatically generate a new set of network signatures. The new set of network signatures is distributed to a security device/service to enforce the new set of network signatures to detect malware.
Type: Grant
Filed: August 31, 2021
Date of Patent: December 24, 2024
Assignee: Palo Alto Networks, Inc.
Inventors: Zhanhao Chen, Jun Wang, Wei Xu
-
Patent number: 12174940
Abstract: Execution of an application in an application-level sandbox is disclosed. A request to launch an application is received by an operating system executing on a device. A determination is made that a stored copy of the application should be executed within an application-level sandbox. The stored copy of the application is executed in the application-level sandbox.
Type: Grant
Filed: May 12, 2023
Date of Patent: December 24, 2024
Assignee: Palo Alto Networks, Inc.
Inventors: Zhi Xu, Cong Zheng, Tongbo Luo, Wenjun Hu