Abstract: An intrusion prevention system includes a machine learning model for inspecting network traffic. The intrusion prevention system receives and scans the network traffic for data that match an anchor pattern. A data stream that follows the data that match the anchor pattern is extracted from the network traffic. Model features of the machine learning model are identified in the data stream. The intrusion prevention system classifies the network traffic based at least on model coefficients of the machine learning model that are identified in the data stream. The intrusion prevention system apples a network policy on the network traffic (e.g., block the network traffic) when the network traffic is classified as malicious.

Abstract: In one embodiment, local begin and end tags are detected by a network security device to determine a local context of a network traffic flow, and a local feature vector is obtained for that local context. At least one triggering machine learning model is applied by the network security device to the local feature vector, and the result determines whether or not deeper analysis is warranted. In most cases, very substantial resources are not required because deeper analysis is not indicated. If deeper analysis is indicated, one or more deeper machine learning model may then be applied to global and local feature vectors, and regular expressions may be applied to packet data, which may include the triggering data packet and one or more subsequent data packets. Other embodiments, aspects and features are also disclosed.

Abstract: Examples relate to providing hierarchical classifiers. In some examples, a superclass classifier of a hierarchy of classifiers is trained with a first type of prediction threshold, where the superclass classifier classifies data into one of a number of subclasses. At this stage, a subclass classifier is trained with a second type of prediction threshold, where the subclass classifier classifies the data into one of a number of classes. The first type of prediction threshold of the superclass classifier and the second type of prediction threshold of the subclass classifier are alternatively applied to classify data segments.

Abstract: According to an example, network traffic pattern based identification may include analyzing each packet of a plurality of packets that are outgoing from and/or incoming to an entity to respectively determine features within a sequence of outgoing packets and/or a sequence of incoming packets of the plurality of packets. Network traffic pattern based identification may further include analyzing the determined features by respectively using an outgoing packet classification model and/or an incoming packet classification model, and classifying, based on the analysis of the features.

Abstract: In one embodiment, local begin and end tags are detected by a network security device to determine a local context of a network traffic flow, and a local feature vector is obtained for that local context. At least one triggering machine learning model is applied by the network security device to the local feature vector, and the result determines whether or not deeper analysis is warranted. In most cases, very substantial resources are not required because deeper analysis is not indicated. If deeper analysis is indicated, one or more deeper machine learning model may then be applied to global and local feature vectors, and regular expressions may be applied to packet data, which may include the triggering data packet and one or more subsequent data packets. Other embodiments, aspects and features are also disclosed.

Abstract: Examples relate to identifying algorithmically generated domains. In one example, a computing device may: receive a query domain name; split the query domain name into an ordered plurality of portions of the query domain name, the ordered plurality of portions beginning with a first portion and ending with a last portion, the last portion including a top level domain of the query domain name; provide, in reverse order beginning with the last portion, the portions of the query domain name as input to a predictive model that has been trained to determine whether the query domain name is an algorithmically generated domain name, the determination being based on syntactic features of the query domain name; and receive, as output from the predictive model, data indicating whether the query domain name is algorithmically generated.

Abstract: According to an example, network traffic pattern based identification may include analyzing each packet of a plurality of packets that are outgoing from and/or incoming to an entity to respectively determine features within a sequence of outgoing packets and/or a sequence of incoming packets of the plurality of packets. Network traffic pattern based identification may further include analyzing the determined features by respectively using an outgoing packet classification model and/or an incoming packet classification model, and classifying, based on the analysis of the features.

Abstract: Examples relate to identifying algorithmically generated domains. In one example, a computing device may: receive a query domain name; provide the query domain name as input to a predictive model that has been trained to determine whether the query domain name is an algorithmically generated domain name, the determination being based on syntactic features of the query domain name, the syntactic features including a count of particular character n-grams included in at least a portion of the query domain name, where n is a positive integer greater than one; and receive, as output from the predictive model, data indicating whether the query domain name is algorithmically generated.

Abstract: Examples relate to identifying algorithmically generated domains. In one example, a computing device may: receive a query domain name; split the query domain name into an ordered plurality of portions of the query domain name, the ordered plurality of portions beginning with a first portion and ending with a last portion, the last portion including a top level domain of the query domain name; provide, in reverse order beginning with the last portion, the portions of the query domain name as input to a predictive model that has been trained to determine whether the query domain name is an algorithmically generated domain name, the determination being based on syntactic features of the query domain name; and receive, as output from the predictive model, data indicating whether the query domain name is algorithmically generated.

Abstract: Examples relate to providing hierarchical classifiers. In some examples, a superclass classifier of a hierarchy of classifiers is trained with a first type of prediction threshold, where the superclass classifier classifies data into one of a number of subclasses. At this stage, a subclass classifier is trained with a second type of prediction threshold, where the subclass classifier classifies the data into one of a number of classes. The first type of prediction threshold of the superclass classifier and the second type of prediction threshold of the subclass classifier are alternatively applied to classify data segments.

Abstract: Examples relate to identifying algorithmically generated domains. In one example, a computing device may: receive a query domain name; provide the query domain name as input to a predictive model that has been trained to determine whether the query domain name is an algorithmically generated domain name, the determination being based on syntactic features of the query domain name, the syntactic features including a count of particular character n-grams included in at least a portion of the query domain name, where n is a positive integer greater than one; and receive, as output from the predictive model, data indicating whether the query domain name is algorithmically generated.

Abstract: Examples herein disclose packet size information collected over an encrypted tunnel. The examples identify an application communicated via the encrypted tunnel based on the packet size information.

Abstract: Examples relate to generating negative classifier data based on positive classifier data. In one example, a computing device may: obtain positive classifier data for a first class, the positive classifier data including at least one correlated feature set and, for each correlated feature set, a measure of likelihood that data matching the correlated feature set belongs to the first class; determine, for each feature included in the at least one correlated feature set, a de-correlated measure of likelihood that data including the feature belongs to the first class; and generate, based on each de-correlated measure of likelihood, negative classifier data for classifying data as belonging to a second class.

Abstract: Examples relate to identifying algorithmically generated domains. In one example, a computing device may: receive a query domain name; provide the query domain name as input to a predictive model that has been trained to determine whether the query domain name is an algorithmically generated domain name, the determination being based on syntactic features of the query domain name, the syntactic features including a count of particular character n-grams included in at least a portion of the query domain name, where n is a positive integer greater than one; and receive, as output from the predictive model, data indicating whether the query domain name is algorithmically generated.