Abstract: A device may receive data identifying malicious behavior by a compromised endpoint device associated with a network and may receive user identity data identifying a user of the compromised endpoint device associated with the network. The device may receive endpoint device data identifying the compromised endpoint device and other endpoint devices associated with the network and may receive network device data identifying network devices associated with the network. The device may utilize the data identifying malicious behavior, the user identity data, and the endpoint device data to generate, based on an identity of the user, a security policy to isolate the malicious behavior. The device may cause the security policy to be provided to the network devices and the other endpoint devices based on the network device data and the endpoint device data.

Abstract: In some implementations, a security device may receive a traffic flow. The security device may determine an amount of a padding included in the traffic flow. The security device may determine whether the amount of the padding included in the traffic flow satisfies a padding threshold. The security device may perform, based on the amount of the padding satisfying the padding threshold, offloading for the traffic flow. The security device may inspect, based on the amount of the padding failing to satisfy the padding threshold, an entire portion of the traffic flow.

Abstract: A device receives end user device information for end user devices associated with a network, and creates a data structure that includes the end user device information. The device creates a data structure that includes false account credentials, and maps the end user device information and the false account credentials to create a mapped data structure. The device provides the false account credentials to memory locations of corresponding ones of the end user devices, and provides information from the mapped data structure to one or more network devices associated with the network, wherein the information from the mapped data structure enables the one or more network devices to detect an unauthorized access attempt of the network using one or more of the false account credentials.

Abstract: A device receives information identifying malicious behavior by a compromised endpoint device associated with a network and traffic associated with the compromised endpoint device after the malicious behavior is identified. The device receives endpoint device information identifying other endpoint devices associated with the network, wherein the compromised endpoint device is not one of the other endpoint devices. The device receives network device information identifying network devices associated with the network, and processes the traffic, the endpoint device information, and the network device information, with a machine learning model, to generate a security policy to isolate the malicious behavior. The device performs one or more actions based on the security policy to isolate the malicious behavior.

Abstract: A network device may receive a packet associated with a traffic flow of a session that includes session identification information for the session. The network device may determine to offload subsequent packets associated with the traffic flow using offloading indicators and/or a data model. The network device may store, using a data structure, the session identification information with other session identification information for other sessions that have been selected for offloading, and may provide the packet to a device. The network device may receive another packet associated with the traffic flow, and may determine to offload the other packet by determining that the other packet includes the session identification information. The device may offload the other packet to permit the other packet to traverse through the network device without the network device performing security checks on the other packet, and may provide the other packet to the device.

Abstract: The disclosed apparatus may include a storage device that stores a set of security policies. In this example, the apparatus may also include a physical processor that is communicatively coupled to the storage device. This physical processor may (1) analyze an unknown flow of packets that are destined for a target node within the network, (2) identify at least one characteristic of the unknown flow of packets based at least in part on the analysis, (3) predictively select, from the set of security policies stored in the storage device, a security policy to apply to the unknown flow of packets based at least in part on the characteristic of the unknown flow of packets, and then (4) perform at least one security action defined by the predictively selected security policy on the unknown flow of packets. Various other apparatuses, systems, and methods are also disclosed.

Abstract: A device receives end user device information for end user devices associated with a network, and creates a data structure that includes the end user device information. The device creates a data structure that includes false account credentials, and maps the end user device information and the false account credentials to create a mapped data structure. The device provides the false account credentials to memory locations of corresponding ones of the end user devices, and provides information from the mapped data structure to one or more network devices associated with the network, wherein the information from the mapped data structure enables the one or more network devices to detect an unauthorized access attempt of the network using one or more of the false account credentials.

Abstract: A device may receive a first portion of network traffic associated with a flow. The device may perform a first upper layer inspection of the first portion of network traffic associated with the flow. The device may identify a set of parameters of the flow based on performing the first upper layer inspection of the first portion of network traffic associated with the flow. The device may determine, based on the set of parameters, a sampling rate at which to perform a second upper layer inspection of a second portion of network traffic associated with the flow. The device may instruct a lower layer to use the sampling rate to provide the second portion of network traffic associated with the flow for the second upper layer inspection. The device may perform the second upper layer inspection of the second portion of network traffic associated with the flow based on receiving the second portion of network traffic associated with the flow from the lower layer.

Abstract: A device may include one or more processors to receive a file that may be analyzed for malware; open the received file in a secure environment; determine that a secondary file in the secure environment may have been accessed based on the received file being opened; analyze the secondary file in the secure environment to identify malware; and/or perform an action associated with the received file based on the secondary file being analyzed.

Abstract: The disclosed apparatus may include a storage device that stores a set of routes. In this example, the apparatus may also include a processing unit that is communicatively coupled to the storage device. This processing unit may (1) analyze an unknown flow of packets that are destined for a certain node, (2) identify at least one characteristic of the unknown flow based at least in part on the analysis, (3) determine, based at least in part on the characteristic, that the unknown flow of packets likely represents traffic that corresponds to a specific application, (4) predictively select, from the set of routes, a non-default route that facilitates transfer to the certain node in connection with the specific application, and then (5) forward a first packet of the unknown flow to the certain node by way of the non-default route. Various other apparatuses, systems, and methods are also disclosed.

Abstract: A device may include one or more processors to receive a file that may be analyzed for malware; open the received file in a secure environment; determine that a secondary file in the secure environment may have been accessed based on the received file being opened; analyze the secondary file in the secure environment to identify malware; and/or perform an action associated with the received file based on the secondary file being analyzed.

Abstract: A device may receive a first portion of network traffic associated with a flow. The device may perform a first upper layer inspection of the first portion of network traffic associated with the flow. The device may identify a set of parameters of the flow based on performing the first upper layer inspection of the first portion of network traffic associated with the flow. The device may determine, based on the set of parameters, a sampling rate at which to perform a second upper layer inspection of a second portion of network traffic associated with the flow. The device may instruct a lower layer to use the sampling rate to provide the second portion of network traffic associated with the flow for the second upper layer inspection. The device may perform the second upper layer inspection of the second portion of network traffic associated with the flow based on receiving the second portion of network traffic associated with the flow from the lower layer.