Abstract: Systems and methods include obtaining network communication information about hosts in a network and applications executed on the hosts; automatically generating one or more microsegments in the network based on analysis of the obtained network communication information, wherein each microsegment of the one or more microsegments is a grouping of resources including the hosts and the applications executed on the hosts that have rules for network communication; automatically generating a meaningful name for the one or more microsegments based on a plurality of techniques applied to information associated with the hosts; and displaying the automatically generated one or more microsegments and the corresponding automatically generated meaningful name.

Abstract: A distributed security system includes a plurality of content processing nodes that are located external to a network edge of an enterprise and located external from one of a computer device and a mobile device associated with a user, and a content processing node is configured to monitor a content item that is sent from or requested by the external system; classify the content item via a plurality of data inspection engines that utilize policy data and threat data; and one of distribute the content item, preclude distribution of the content item, allow distribution of the content item after a cleaning process, or perform threat detection on the content item, based on classification by the plurality of data inspection engines; and an authority node communicatively coupled to the plurality of content processing nodes and configured to provide the policy data and the threat data for threat classification.

Abstract: A system validates the establishment and/or continuation of a connection between two applications over a network. The system uses network application security rules to allow or disallow connections between the two applications. Those rules include definitions of the source and destination applications to which the rules apply. The system automatically updates the application definitions over time to encompass new versions of the applications covered by the security rules, but without encompassing other applications. The system is then capable of applying the updated rules both to the original applications and to the updated versions of those applications. This process enables the security rules to maintain security over time in a way that is consistent with the original intent of the rules even as applications on the network evolve.

Abstract: Systems and methods implemented by an application executed on a user device for service discovery and connectivity include, responsive to joining a new network, performing a Dynamic Host Configuration Protocol (DHCP) operation to obtain network configuration parameters; receiving a DHCP message in response with the network configuration parameters; via an application executed on the user device for service discovery and connectivity analyzing data in the DHCP message to determine one or more forwarding profiles on the new network, wherein the one or more forwarding profiles are based on a location or trust of the new network; and automatically installing the determined one or more forwarding profiles.

Abstract: Systems and methods include providing functionality for the user device while operating in background on the user device including providing secure connectivity with a cloud-based system over a network; continuously collecting packets intercepted by the enterprise application over a time interval, wherein the collected packets are collected over the time interval; and responsive to an issue with functionality of the enterprise application, transmitting the collected packets to a back end server for troubleshooting of the issue. The time interval is a set amount of time, and each collected packet is deleted at the expiration of the time interval.

Abstract: Systems, methods and apparatus for malware detection detect and stop the distribution of malware and other undesirable content before such content reaches computing systems. A cloud-based malware detection method includes receiving a signature from a computer, wherein the signature which identifies a file and the signature is smaller in size than the file; determining whether the file is trusted, untrusted, or unknown for malware based on the signature; and transmitting whether the file is trusted, untrusted, or unknown for malware to the computer based on the determining, wherein the computer is precluded from distribution of the file responsive to the file being untrusted.

Abstract: Disclosed is a computer implemented method for malware detection that analyses a file on a per packet basis. The method receives a packet of one or more packets associated a file, and converting a binary content associated with the packet into a digital representation and tokenizing plain text content associated with the packet. The method extracts one or more n-gram features, an entropy feature, and a domain feature from the converted content of the packet and applies a trained machine learning model to the one or more features extracted from the packet. The output of the machine learning method is a probability of maliciousness associated with the received packet. If the probability of maliciousness is above a threshold value, the method determines that the file associated with the received packet is malicious.

Abstract: Systems and methods include connecting to and authenticating a set of user devices of a plurality of user devices; determining an election of a subset of user devices of the set of user devices, wherein the election determines which user devices perform metric collection; providing any of policy and configuration to the plurality of user devices including election information; and receiving metrics based on measurements at the subset of user devices of user devices according to corresponding policy and configuration.

Abstract: Systems and methods include, in a cloud node, receiving Mobile Device Management (MDM) data from a central authority, wherein the MDM data includes policy metadata specifying MDM functions for mobile devices associated with users of an enterprise; communicating to an application on a mobile device associated with a user, via a tunnel, wherein the application is configured for service discovery and connectivity; and providing the MDM data to the mobile device associated with the user via the tunnel.

Abstract: A mobile application notification system that includes a cloud node including a subscription service and a publication service, each executed on the cloud node, wherein the subscription service is configured to manage a plurality of users associated with a tenant of multiple tenants, each of the plurality of users have a corresponding user device that executes a monitoring application thereon, wherein management via the subscription service includes subscribing each of the plurality of users and configuring the tenant and associated messages, and wherein the publication service is configured to communicate with the corresponding user device of the plurality of users and to communication to a plurality of publisher threads, for exchanging messages therebetween, based on the subscribing and the configuring, and wherein at least two corresponding user device of the plurality of users utilize a different operating system and platform from one another.

Abstract: Cloud-based Intrusion Prevention Systems (IPS) include receiving traffic associated with a user of a plurality of users, wherein each user is associated with a customer of a plurality of customers for a cloud-based security system, and wherein the traffic is between the user and the Internet; analyzing the traffic based on a set of signatures including stream-based signatures and security patterns; blocking the traffic responsive to a match of a signature of the set of signatures; and performing one or more of providing an alert based on the blocking and updating a log based on the blocking.

Abstract: Techniques for using traceroute with tunnels and cloud-based systems for determining measures of network performance are presented. Systems and methods include receiving a request from a client to perform a reverse trace; requesting a trace to an endpoint that is one of an egress router and a tunnel client, wherein there is a tunnel between i) the destination and ii) the one of the egress router and the tunnel client; receiving a response to the trace; and sending details associated with the response to the client so that the client aggregates these details with details from one or more additional legs to provide an overall view of a service path between the client and the destination.

Abstract: Systems and methods include determining log data for a time period at a plurality of senders, wherein each sender is a node in the cloud-based system, and the log data is associated with one or more cloud services; providing the log data to one or more storage clusters, via one or more distributors, for the time period; responsive to all of the plurality of senders performing the providing, moving to a next time period and repeating the determining and the providing; detecting a given sender is a faulty data source or a slow data source; and moving the given sender to a deferred processing list where the given sender does not hold up the moving to the next time period.

Abstract: Briefly, embodiments, such as methods and/or systems for network device identification, for example, are described.

Abstract: A computer system automatically generates a proposal for network application security policies to be applied on a telecommunications network. The system provides output representing the proposed network application security policies to a user. The user provides input either approving or disapproving of the network application security policies. If the user approves, then the system applies the of the proposed microsegmentation. This process may be repeated for a plurality of hosts and subsets thereof within the same network, and may be repeated over time to modify one or more existing network application security policies. The network application security policies govern inbound and outbound connections to the hosts in the network.

Abstract: System and methods implemented in a node in a cloud-based security system include obtaining a plurality of rules each define via a rule syntax that includes a rule header and rule options, wherein each rule header is used to for a rule database lookup, and each rule options is used to specify details about the associated rule; monitoring data associated with a user of the cloud-based security system; analyzing the data with the plurality of rules; and performing one or more security functions on the data based on triggering of a rule of the plurality of rules.

Abstract: Techniques for using traceroute with tunnels and cloud-based systems for determining measures of network performance are presented. Systems and methods include receiving a request, from a client, for one or more of a first trace of a tunnel and a second trace to a destination; checking a cache at the node for results from previous traces of the first trace and the second trace; responsive to the results not being in the cache, performing one or more of the first trace and the second trace; and providing the results to the client so that the client aggregates the results with details from one or more additional legs to provide an overall view of a service path between the client and the destination.

Abstract: Mobile device security, device management, and policy enforcement are described in a cloud-based system where the “cloud” is used to pervasively enforce security and policy and perform device management regardless of device type, platform, location, etc. A cloud-based method includes monitoring traffic between a mobile device and a network in a cloud-based system that is implemented as an overlay network relative to the mobile device and the network; analyzing the traffic from the mobile device to the network, for enforcing policy thereon, wherein the policy includes a set of use guidelines associated with the user of the mobile device; and blocking or allowing the traffic from the mobile device to the network based on the analyzing.

Abstract: Systems and methods for device identification for management and policy in the cloud, using a combination of several hardware parameters and user's identification to generate a unique identifier for a user device and associated user. IOCTL and Assembly can be used to get the different hardware parameters. All the hardware parameters can then run through a process to generate a fixed size hardware fingerprint. A base64 encoding can be performed to convert it into a string, for consumption of database. The resultant identifier is unique and it is never stored on machine. The application can simply generate it whenever needed. The resultant identifier can used by a service provider to uniquely identify the device even when the device is moving hands or locations. The resultant identifier is never stored, so moving data from one device to another will not result in the same identifier for two devices.

Abstract: Proxy Auto Config (PAC) file parser systems and methods enable file parsing on user devices without Just-in-Time (JIT) compilation in JavaScript, with a memory efficient implementation and with efficient performance. The PAC parser supports multi proxy connections, traffic rules (e.g., bypass/send to proxy, etc.) based on various PAC functions, etc. The PAC parser can be utilized on a user device with an enterprise application and with cloud-based services.