Abstract: A system (20) includes a network interface (32) and a processor (34). The processor is configured to (i) receive, via the network interface, a request originating from a request-origin application and directed to a request-destination application (24b) that runs on a request-destination device (24), (ii) subsequently to receiving the request, communicate the request to the request-destination device, (iii) subsequently to communicating the request to the request-destination device, receive a response, from the request-destination application, to the request, (iv) while holding the response, identify information contained in at least one log entry that was recorded by the request-destination application responsively to the request, and (v) perform a function in response to the information. Other embodiments are also described.

Abstract: Embodiments for generating appropriate data sets for learning to identify user actions. A user uses one or more applications over a suitable period of time. As the user uses the applications, a monitoring device, acting as a “man-in-the-middle,” intermediates the exchange of encrypted communication between the applications and the servers that serve the applications. The monitoring device obtains, for each action performed by the user, two corresponding (bidirectional) flows of communication: an encrypted flow, and an unencrypted flow. Since the unencrypted flow indicates the type of action that was performed by the user, the correspondence between the encrypted flow and the unencrypted flow may be used to automatically label the encrypted flow, without decrypting the encrypted flow. Features of the encrypted communication may then be stored in association with the label to automatically generate appropriately-sized learning set for each application of interest.

Abstract: Described embodiments include an apparatus, comprising a communication interface and a processor. The processor is configured to obtain an NT Local Area Network Manager (NTLM) authentication token, which authenticates a client device to a service using an NTLM authentication protocol. The processor is further configured to, subsequently to obtaining the NTLM authentication token, receive, via the communication interface, from another processor that belongs to the client device, a challenge that was sent to the client device by the service in response to a request, from the client device, to access the service. The processor is further configured to, using the NTLM authentication token, compute a response to the received challenge, and to communicate the computed response to the client device, without exposing the NTLM authentication token to the client device. Other embodiments are also described.

Abstract: Described embodiments include an apparatus (40), comprising a communication interface (42) and a processor (44). The processor is configured to obtain an NT Local Area Network Manager (NTLM) authentication token, which authenticates a client device (22) to a service using an NTLM authentication protocol. The processor is further configured to, subsequently to obtaining the NTLM authentication token, receive, via the communication interface, from another processor (30) that belongs to the client device, a challenge that was sent to the client device by the service in response to a request, from the client device, to access the service. The processor is further configured to, using the NTLM authentication token, compute a response to the received challenge, and to communicate the computed response to the client device, without exposing the NTLM authentication token to the client device. Other embodiments are also described.

Abstract: Embodiments for generating appropriate data sets for learning to identify user actions. A user uses one or more applications over a suitable period of time. As the user uses the applications, a monitoring device, acting as a “man-in-the-middle,” intermediates the exchange of encrypted communication between the applications and the servers that serve the applications. The monitoring device obtains, for each action performed by the user, two corresponding (bidirectional) flows of communication: an encrypted flow, and an unencrypted flow. Since the unencrypted flow indicates the type of action that was performed by the user, the correspondence between the encrypted flow and the unencrypted flow may be used to automatically label the encrypted flow, without decrypting the encrypted flow. Features of the encrypted communication may then be stored in association with the label to automatically generate appropriately-sized learning set for each application of interest.

Abstract: Embodiments for generating appropriate data sets for learning to identify user actions. A user uses one or more applications over a suitable period of time. As the user uses the applications, a monitoring device, acting as a “man-in-the-middle,” intermediates the exchange of encrypted communication between the applications and the servers that serve the applications. The monitoring device obtains, for each action performed by the user, two corresponding (bidirectional) flows of communication: an encrypted flow, and an unencrypted flow. Since the unencrypted flow indicates the type of action that was performed by the user, the correspondence between the encrypted flow and the unencrypted flow may be used to automatically label the encrypted flow, without decrypting the encrypted flow. Features of the encrypted communication may then be stored in association with the label to automatically generate appropriately-sized learning set for each application of interest.

Abstract: A system (20) includes a network interface (32) and a processor (34). The processor is configured to (i) receive, via the network interface, a request originating from a request-origin application and directed to a request-destination application (24b) that runs on a request-destination device (24), (ii) subsequently to receiving the request, communicate the request to the request-destination device, (iii) subsequently to communicating the request to the request-destination device, receive a response, from the request-destination application, to the request, (iv) while holding the response, identify information contained in at least one log entry that was recorded by the request-destination application responsively to the request, and (v) perform a function in response to the information. Other embodiments are also described.

Abstract: Embodiments for generating appropriate data sets for learning to identify user actions. A user uses one or more applications over a suitable period of time. As the user uses the applications, a monitoring device, acting as a “man-in-the-middle,” intermediates the exchange of encrypted communication between the applications and the servers that serve the applications. The monitoring device obtains, for each action performed by the user, two corresponding (bidirectional) flows of communication: an encrypted flow, and an unencrypted flow. Since the unencrypted flow indicates the type of action that was performed by the user, the correspondence between the encrypted flow and the unencrypted flow may be used to automatically label the encrypted flow, without decrypting the encrypted flow. Features of the encrypted communication may then be stored in association with the label to automatically generate appropriately-sized learning set for each application of interest.

Abstract: Embodiments for generating appropriate data sets for learning to identify user actions. A user uses one or more applications over a suitable period of time. As the user uses the applications, a monitoring device, acting as a “man-in-the-middle,” intermediates the exchange of encrypted communication between the applications and the servers that serve the applications. The monitoring device obtains, for each action performed by the user, two corresponding (bidirectional) flows of communication: an encrypted flow, and an unencrypted flow. Since the unencrypted flow indicates the type of action that was performed by the user, the correspondence between the encrypted flow and the unencrypted flow may be used to automatically label the encrypted flow, without decrypting the encrypted flow. Features of the encrypted communication may then be stored in association with the label to automatically generate appropriately-sized learning set for each application of interest.

Abstract: A method includes receiving a message belonging to an access request or to a response to the access request, the access request originating from a request-origin device and directed to a request-destination application. The method further includes, without using the request-destination application, subsequently to receiving the message, forwarding the message to a traffic-management server before communicating the message to a destination of the message, subsequently to forwarding the message, receiving the message from the traffic-management server, and subsequently to receiving the message from the traffic-management server, communicating the message to the destination of the message. Other embodiments are also described.

Abstract: Embodiments for generating appropriate data sets for learning to identify user actions. A user uses one or more applications over a suitable period of time. As the user uses the applications, a monitoring device, acting as a “man-in-the-middle,” intermediates the exchange of encrypted communication between the applications and the servers that serve the applications. The monitoring device obtains, for each action performed by the user, two corresponding (bidirectional) flows of communication: an encrypted flow, and an unencrypted flow. Since the unencrypted flow indicates the type of action that was performed by the user, the correspondence between the encrypted flow and the unencrypted flow may be used to automatically label the encrypted flow, without decrypting the encrypted flow. Features of the encrypted communication may then be stored in association with the label to automatically generate appropriately-sized learning set for each application of interest.