Abstract: Systems, devices, and techniques are disclosed for network security policy management. A file including code written using a Domain Specific Language (DSL) for network security may be received. A cloud native enforcement artifact may be generated from the code written using DSL in the file. A policy domain model including hierarchical data, relational data, and graph data for a network security policy may be generated from the code written using DSL in the file and the cloud native enforcement artifact. The policy domain model may be stored in a persistent storage.

Abstract: Application servers may provide computing services to entities. A network ingress may receive application-level request messages and forward some or all of the request messages to an application server. A data aggregator may determine data buckets based on the application-level request messages. A data bucket may include information characterizing one or more features. The information may be determined based on a subset of the application-level request messages received during a respective period of time. A request analyzer may determine one or more of the data buckets and one or more of the features for analyzing an application-level request message and may determine a synthetic indicator for the request based on the one or more data buckets and the one or more features. A web application firewall may block the application-level request message upon determining that the synthetic indicator indicates that the request is illegitimate.

Abstract: A system performs security assessment of services, for example, services being migrated from first party datacenters to virtual datacenters configured on a cloud platform. The system receives information describing risk profiles of services. The system performs clustering of the services and uses the clusters of services for determining security assessment categories for new services. The system may train a machine learning model and use the trained machine learning model for predicting security assessment of new services. The system may recommend actions to be taken based on the security assessment or automatically take action, for example, configuring a firewall for a service.

Abstract: In some embodiments, a method determines a first functional domain that includes a group of security policies that have been copied from a second functional domain. Network flow data is queried to determine network traffic that is associated with a security policy in the group of security policies in the first functional domain. The method analyzes utilization of the security policy based on the network traffic. Based on the analyzing, a recommendation is generated to change the security policy in the first functional domain.

Abstract: A computer implemented method for managing and remediating security drift in a public cloud network is disclosed. A security drift event may be received at a contextual impact classification engine of a server. An impact tier for the received security drift event may be assigned at the contextual impact classification engine. A queue shaping orchestrator at the server may reorder a queue with entries that include the received security drift event based on the assigned impact tier. A remediation engine of the server may determine a remediation for the received security drift event based on the assigned impact tier, and/or one or more contextual inputs received by the server.

Abstract: A computer services environment may include web servers providing access domains and a network ingress paths receiving application-layer request messages. The application-layer request messages may each be received from a respective source via a respective ingress path and may be directed to a domain. The computing services environment may also include an orchestration engine configured to determine and implement mitigation policies corresponding with the ingress paths based on a classification of a subset of the plurality of application-layer request messages as being sent from a subset of the sources associated with a distributed denial of service attack. The mitigation policies may include rules to prevent a subset of subsequent application-layer request messages from the subset of the sources from reaching one or more components of the computing services environment.

Abstract: A computing services environment may include application gateways receiving application-layer request messages from various sources. The computing services environment may also include an autonomous agent platform configured to instantiate and execute an autonomous agent to evaluate network traffic associated with a portion of the computing services environment. The computing services environment may also include an orchestration engine configured to determine one or more mitigation policies corresponding with one or more of the application gateways based on identification of the application-layer distributed denial of service attack by the autonomous agent.

Abstract: A computing services environment may provide computing services to a plurality of recipients via the Internet. The computing services environment may include application gateways receiving application-layer request messages from various sources. The computing services environment may also include an orchestration engine determining mitigation policies corresponding with the application gateways based on a classification of a subset of the application-layer request messages as being sent from sources associated with a distributed denial of service attack. The computing services environment may also include application-layer web application firewalls corresponding to the application gateways and being configured to transition from a deactivated state to an activated state upon receipt of an instruction from the orchestration engine.

Abstract: A computing services environment may include application gateways receiving application-layer request messages from a plurality of sources. The computing services environment may also include an orchestration engine configured to identify an application-layer distributed denial of service attack based on input data characterizing network traffic received at the application gateways and to determine a mitigation plan update to address the application-layer distributed denial of service attack. The computing services environment may also include an autonomous AI agent platform configured to instantiate and execute an autonomous AI agent instance configured to determine whether to approve or reject the mitigation plan update by evaluating the mitigation plan update via a generative language model. The computing services environment may also include application-layer web application firewalls corresponding to application gateways.

Abstract: A system may receive a configuration associated with a tenant of a multi-tenant generative artificial intelligence (AI) system and tenant-specific training data, where the configuration includes a first indication of a first communication channel over which a tenant-specific conversational agent is to communicate with users and where the tenant-specific training data includes context information associated with the tenant that is expressed in natural language. The system may determine an intent of a query received from the tenant based at least in part on an analysis of the query. The system may transmit the query to a first generative AI model of a plurality of generative AI models, wherein the first generative AI model is selected based at least in part on the determined intent. The system may transmit, to the tenant over the first communication channel, a response to the query generated by the first generative AI model.

Abstract: Disclosed are examples of systems, apparatus, methods and computer program products for automation of network security policy analysis and deployment. A server system can obtain a system input comprising two versions of a policy output. The system can generate a severity characteristic that indicates a severity of deploying the second version of the policy output. The system can then determine whether to deploy the second version of the policy output based on the severity characteristic. The system can then, in response to determining that the second version of the policy output is to be deployed, deploy the second version of the policy output to one of a plurality of clouds.

Abstract: First and second dashboards that provide a visual representation of respective intelligence information for a firewall may be generated. An indicator of correspondence between a first data element of the respective intelligence information for the first dashboard and a second data element of the respective intelligence information for the second dashboard may be displayed as an overlay of the first and second dashboards. Additionally, a guidance indicator that indicates an order to access respective values of the first dashboard, the second dashboard, and a third dashboard may be displayed based on an identifier of the first data element mapped to an identifier of the second data element and an identifier of the second data element mapped to an identifier of a third data element for the third dashboard. A summary window that provides a summary of intelligence dashboards of a user interface may be displayed.

Abstract: Implementation(s) for multi-factor network segmentation are described. A plurality of packets at a higher layer of a network stack is processed, where at least one packet of the plurality of packets was previously determined, as part of processing the at least one packet at lower layers of the network stack, to be authorized to be processed by the higher layer. Specifically, responsive to successful authentication of a cryptographic certificate received during the handshake process, a second service is identified from the cryptographic certificate. It is determined, based on a security policy, that the second service is authorized to access the first service. Responsive to the determination, a configuration is caused such that packets sent using the source address are now authorized to be processed by the higher layer.

Abstract: Methods and systems for data processing and troubleshooting at a query management service are described. The query management service may receive, via a proxy between the query management service and a communication service, an indication of a query from a user of the communication service. The query management service may determine an intent of the query based on using a third-party natural language processing (NLP) model and customized logic to analyze the query. The query management service may obtain query results based on executing, within a distributed computing environment that includes the query management service and a set of multi-substrate network security services, a sequence of actions, that correspond to the intent of the query. The query management service may transmit an indication of the query results to the communication service, where the query results are rendered according to feedback information received from the user.

Abstract: A computer-implemented method for monitoring and remediating security drift in a public cloud network is disclosed. The security drift event includes an unintended change to existing security controls effected through an unauthorized deployment channel, performed by an unauthorized user. The method includes providing a cloud server application including a number of cloud client accounts, and deploying the cloud client accounts in client account clusters. The client account clusters include a master account that includes a drift detection component and a number of service accounts including serverless application components. The method further includes instantiating cloud infrastructure resources in the service accounts, and detecting a security drift event in the client account cluster, by the drift detection components.

Abstract: Systems and methods are provided for requesting, at a service configured on a server, a public key infrastructure (PKI) generated certificate using a PKI agent, where the PKI agent stores a private key and the generated certificate in a key management service (KMS). An application layer security controller communicatively coupled to the server registers the service to enable the application layer to inspect packets. The PKI agent transmits version information for the certificates to the application layer security controller, and the PKI agent updates the certificates and keys in the KMS. The service and an application layer datapath component change the routing of packets using an overlay network and inspect at least one of the packets. The application layer datapath component decapsulates at least one packet by using the private keys and certificates retrieved from the KMS, and performs application inspection of the decapsulated packet.

Abstract: Implementation(s) for multi-factor network segmentation are described. A plurality of packets at a higher layer of a network stack is processed, where at least one packet of the plurality of packets was previously determined, as part of processing the at least one packet at lower layers of the network stack, to be authorized to be processed by the higher layer. Specifically, responsive to successful authentication of a cryptographic certificate received during the handshake process, a second service is identified from the cryptographic certificate. It is determined, based on a security policy, that the second service is authorized to access the first service. Responsive to the determination, a configuration is caused such that packets sent using the source address are now authorized to be processed by the higher layer.

Abstract: A method for testing connectivity comprises receiving, by one or more computing devices, a request for a connectivity test, and determining, by the one or more computing devices, whether a point-to-point connectivity test or a service-to-service connectivity test is to be performed. The method further comprises initiating, by the one or more computing devices, the connectivity test in response to the request and based on the determining, where initiating the connectivity test comprises invoking a connectivity testing mechanism. The method further comprises displaying, by the one or more computing devices, a location of a connectivity issue based on the connectivity test, and displaying, by the one or more computing devices, a next step to solve the connectivity issue based on the connectivity test.