Patents by Inventor Barry Qi Yuan

Barry Qi Yuan has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20250209171
    Abstract: Software bill of materials (SBOM) vulnerability systems do not monitor software components' behavior in real time, and rather rely on the static periodic updates. This gap leaves cloud-native software applications exposed to 0-day or supply chain attacks that exploit vulnerabilities that are not known or updated into the public vulnerability data sources. The techniques described herein provide dynamic and intelligent identification of 0-day and supply chain attacks in runtime environments, mitigate the attacks in real-time, and share intelligence to prevent a malicious workload from being deployed through the CI/CD pipeline.
    Type: Application
    Filed: December 21, 2023
    Publication date: June 26, 2025
    Inventors: Robert Edgar Barton, Bhavik Pradeep Shah, Barry Qi Yuan
  • Publication number: 20250211598
    Abstract: In one embodiment, a method includes classifying a first encrypted data flow in accordance with a classification. Classifying the first encrypted data flow is based on characteristic information associated with the first encrypted data flow. The method further includes generating an indicator that indicates a confidence in the classification of the first encrypted data flow. The method further includes generating a determination of whether the first encrypted data flow comprises malware. The method further includes classifying one or more subsequent encrypted data flows in accordance with the classification. Classifying the one or more subsequent encrypted data flows is based on the determination of whether the first encrypted data flow comprises malware.
    Type: Application
    Filed: December 20, 2023
    Publication date: June 26, 2025
    Inventors: Robert Edgar Barton, Flemming S. Andreasen, Barry Qi Yuan, Bhavik Pradeep Shah, Indermeet Singh Gandhi
  • Patent number: 12255868
    Abstract: Techniques for leveraging efficient metadata communications to improve domain name system (DNS) security are described. The DNS service uses a hash value to uniquely identify a client, and detect any change in metadata in order to keep policies up-to-date for the client. In an example method a first DNS query for a client device is intercepted. A cryptographic hash function is applied to metadata associated with the client device to generate a hash value. The hash value is added to an additional records section of the first DNS query to generate a second DNS query. The second DNS query is transmitted to a DNS service. The metadata associated with the client device is transmitted to the DNS service on an out-of-band encrypted channel. A DNS response, including the hash value, is received from the DNS service and transmitted to the client device.
    Type: Grant
    Filed: July 11, 2022
    Date of Patent: March 18, 2025
    Assignee: Cisco Technology, Inc.
    Inventors: Barry Qi Yuan, Robert Edgar Barton
  • Publication number: 20250055829
    Abstract: Techniques for leveraging efficient metadata communications to improve domain name system (DNS) security are described. The DNS service receives metadata associated with a client device on an encrypted channel. The DNS service applies a cryptographic hash function to the metadata to determine a first hash value and stores the first hash value in a metadata registry record with the corresponding client device metadata. The DNS service receives a DNS query containing a second hash value in an additional records section and determines that the second hash value corresponds to the first hash value. Based at least in part on the second hash value corresponding to the first hash value and the metadata associated with the client device, the DNS service resolves the DNS query and transmits a DNS response including the second hash value.
    Type: Application
    Filed: October 28, 2024
    Publication date: February 13, 2025
    Inventors: Barry Qi Yuan, Robert Edgar Barton
  • Publication number: 20250036559
    Abstract: In one embodiment, a device identifies an application programming interface call within new code for an application. The device conducts testing of a plurality of endpoints associated with the application programming interface call. The device selects, based on results of the testing, a particular endpoint from among the plurality of endpoints. The device steers the application programming interface call made by the application towards the particular endpoint.
    Type: Application
    Filed: July 25, 2023
    Publication date: January 30, 2025
    Inventors: Thomas Szigeti, David John Zacks, Barry Qi Yuan, Robert E. Barton
  • Publication number: 20240419841
    Abstract: Techniques for leveraging a distributed Domain Name System (DNS) infrastructure for preserving Personally Identifiable Information (PII) data by creating a hash to policy pair (HPP) database on premises at an enterprise organization. A policy engine hosted on premises at an enterprise organization applies a cryptographic hash function to metadata including PII associated with a client of the enterprise organization to generate a client hash value. The HPP is created by mapping the client hash value to a set of DNS policy instructions associated with the client and stored in the HPP database. The HPP database is published to a DNS security service, such that the DNS security service can resolve a DNS query for the client of the enterprise organization absent knowledge of the PII associated with the client by mapping the client hash value included in the DNS query to the client HPP in the HPP database.
    Type: Application
    Filed: August 28, 2024
    Publication date: December 19, 2024
    Inventors: Barry Qi Yuan, Robert Edgar Barton
  • Publication number: 20240414045
    Abstract: Techniques for mitigating network failures (e.g., SLA violations, service degradations, network outages, etc.) based on output(s) from a predictive network system. The techniques may include determining that a failure is predicted to occur in a network and determining a correlation between the failure and a previous failure that occurred in the network. In examples, the correlation may be determined using a machine-learned model. The techniques may also include determining, based at least in part on the correlation, a condition contributing to the failure. In this way, prior to occurrence of the failure, a parameter associated with the network may be altered based at least in part on the condition to mitigate or otherwise prevent the failure.
    Type: Application
    Filed: June 12, 2023
    Publication date: December 12, 2024
    Inventors: David John Zacks, Thomas Szigeti, Barry Qi Yuan, Robert Edgar Barton
  • Publication number: 20240414083
    Abstract: Techniques for, among other things, embedding metadata in network traffic without having to implement an overlay network. By way of example, and not limitation, the techniques described herein may include receiving an Ethernet packet at a network node and determining that a preamble of the Ethernet packet includes metadata. The metadata may, in some examples, be associated with the Ethernet packet itself, a flow that the Ethernet packet belongs to, etc. Based at least in part on the metadata, a policy decision may be made for handling the Ethernet packet, and the Ethernet packet may be handled in accordance with the policy decision.
    Type: Application
    Filed: June 7, 2023
    Publication date: December 12, 2024
    Inventors: David John Zacks, Thomas Szigeti, Barry Qi Yuan, Robert Edgar Barton
  • Patent number: 12105840
    Abstract: Techniques for leveraging a distributed Domain Name System (DNS) infrastructure for preserving Personally Identifiable Information (PII) data for distributed resolvers using a hash to policy pair (HPP) database are described. A DNS security service receives metadata including PII associated with a client. A cryptographic hash function is applied to the metadata including PII associated with the client to generate a client hash value. A client HPP is created by mapping the client hash value to a set of DNS policy instructions associated with the client. The client HPP is stored in a HPP database. A distributed resolver is authorized to provide DNS services to the client. Finally, the HPP database is published to the distributed resolver.
    Type: Grant
    Filed: November 21, 2022
    Date of Patent: October 1, 2024
    Assignee: Cisco Technology, Inc.
    Inventors: Barry Qi Yuan, Robert Edgar Barton
  • Publication number: 20240169089
    Abstract: Techniques for leveraging a distributed Domain Name System (DNS) infrastructure for preserving Personally Identifiable Information (PII) data for distributed resolvers using a hash to policy pair (HPP) database are described. A DNS security service receives metadata including PII associated with a client. A cryptographic hash function is applied to the metadata including PII associated with the client to generate a client hash value. A client HPP is created by mapping the client hash value to a set of DNS policy instructions associated with the client. The client HPP is stored in a HPP database. A distributed resolver is authorized to provide DNS services to the client. Finally, the HPP database is published to the distributed resolver.
    Type: Application
    Filed: November 21, 2022
    Publication date: May 23, 2024
    Inventors: Barry Qi Yuan, Robert Edgar Barton
  • Publication number: 20240015132
    Abstract: Techniques for leveraging efficient metadata communications to improve domain name system (DNS) security are described. The DNS service uses a hash value to uniquely identify a client, and detect any change in metadata in order to keep policies up-to-date for the client. In an example method a first DNS query for a client device is intercepted. A cryptographic hash function is applied to metadata associated with the client device to generate a hash value. The hash value is added to an additional records section of the first DNS query to generate a second DNS query. The second DNS query is transmitted to a DNS service. The metadata associated with the client device is transmitted to the DNS service on an out-of-band encrypted channel. A DNS response, including the hash value, is received from the DNS service and transmitted to the client device.
    Type: Application
    Filed: July 11, 2022
    Publication date: January 11, 2024
    Inventors: Barry Qi Yuan, Robert Edgar Barton