Abstract: A method includes: receiving selection of a document; correlating sequences of words, in the document, with a set of language signals; generating a set of document tags representing the set of language signals; and retrieving a first data access policy: associated with a particular document tag in the set of document tags; and including a set of identities permitted to access a document associated with the particular document tag; receiving selection of a recipient account of the document; and in response to detecting the set of identities excluding the recipient account, restricting access to the document by the recipient account.

Abstract: A method includes: accessing a corpus of emails sent from a email account prior to the initial time period; correlating sequences of words, in the corpus of emails, with language signals; aggregating the language signals into a sender model that represents combinations of language signals characteristic of language in emails sent from the email account; later, accessing a email outbound from the email account and directed to a recipient; scanning the email for the set of language signals; correlating sequences of words in the email with language signals; calculating a similarity score for the email based on the subset of language signals detected in the email and the sender model; and, in response to the similarity score falling below a threshold similarity, flagging the email as suspicious and redirecting the email away from the recipient.

Abstract: A method includes: accessing a corpus of messages previously sent from a user account; correlating sequences of words, in the corpus of messages, with behavior signals; aggregating the behavior signals into a behavioral model representing combinations of behavior signals characteristic of behavior in messages sent from the user account; later, accessing a message outbound from the user account to a recipient account, the message including a document associated with a document tag; correlating sequences of words, in the message, with behavior signals; retrieving a data access policy including a threshold at which access to a document associated with the document tag is restricted; and in response to detecting a difference between the behavioral signals from the message and the behavioral model exceeding the threshold, restricting access, by the recipient account, to the document in the message.

Abstract: A method includes: accessing a corpus of messages previously sent from a user account; correlating sequences of words, in the corpus of messages, with behavior signals; aggregating the behavior signals into a behavioral model representing combinations of behavior signals characteristic of behavior in messages sent from the user account; later, accessing a message outbound from the user account to a recipient account, the message including a document associated with a document tag; correlating sequences of words, in the message, with behavior signals; retrieving a data access policy including a threshold at which access to a document associated with the document tag is restricted; and in response to detecting a difference between the behavioral signals from the message and the behavioral model exceeding the threshold, restricting access, by the recipient account, to the document in the message.

Abstract: A method includes: receiving selection of a document; correlating sequences of words, in the document, with a set of language signals; generating a set of document tags representing the set of language signals; and retrieving a first data access policy: associated with a particular document tag in the set of document tags; and including a set of identities permitted to access a document associated with the particular document tag; receiving selection of a recipient account of the document; and in response to detecting the set of identities excluding the recipient account, restricting access to the document by the recipient account.

Abstract: A method includes: accessing a corpus of emails sent from a email account prior to the initial time period; correlating sequences of words, in the corpus of emails, with language signals; aggregating the language signals into a sender model that represents combinations of language signals characteristic of language in emails sent from the email account; later, accessing a email outbound from the email account and directed to a recipient; scanning the email for the set of language signals; correlating sequences of words in the email with language signals; calculating a similarity score for the email based on the subset of language signals detected in the email and the sender model; and, in response to the similarity score falling below a threshold similarity, flagging the email as suspicious and redirecting the email away from the recipient.

Abstract: A method for detecting spoofed webpages includes: accessing an email; and scanning the email for links. The method also includes, in response to detecting a link in the email: accessing web content contained in a target webpage at the link; extracting target visual features from the web content; accessing a set of verified webpage templates, each verified webpage template in the set of verified webpage templates containing a set of verified features present in a verified webpage associated with a verified resource locator; identifying a particular verified webpage template, in the set of verified webpage templates, containing a particular set of verified features approximating the target visual features; characterizing a difference between the link and a particular verified resource locator associated with the particular verified webpage template; and, in response to the difference exceeding a threshold difference, flagging the email as malicious.

Abstract: A method for detecting spoofed webpages includes: accessing an email; and scanning the email for links. The method also includes, in response to detecting a link in the email: accessing web content contained in a target webpage at the link; extracting target visual features from the web content; accessing a set of verified webpage templates, each verified webpage template in the set of verified webpage templates containing a set of verified features present in a verified webpage associated with a verified resource locator; identifying a particular verified webpage template, in the set of verified webpage templates, containing a particular set of verified features approximating the target visual features; characterizing a difference between the link and a particular verified resource locator associated with the particular verified webpage template; and, in response to the difference exceeding a threshold difference, flagging the email as malicious.

Abstract: A method includes: receiving selection of a document; correlating sequences of words, in the document, with a set of language signals; generating a set of document tags representing the set of language signals; and retrieving a first data access policy: associated with a particular document tag in the set of document tags; and including a set of identities permitted to access a document associated with the particular document tag; receiving selection of a recipient account of the document; and in response to detecting the set of identities excluding the recipient account, restricting access to the document by the recipient account.

Abstract: A method includes: accessing a corpus of messages previously sent from a user account; correlating sequences of words, in the corpus of messages, with behavior signals; aggregating the behavior signals into a behavioral model representing combinations of behavior signals characteristic of behavior in messages sent from the user account; later, accessing a message outbound from the user account to a recipient account, the message including a document associated with a document tag; correlating sequences of words, in the message, with behavior signals; retrieving a data access policy including a threshold at which access to a document associated with the document tag is restricted; and in response to detecting a difference between the behavioral signals from the message and the behavioral model exceeding the threshold, restricting access, by the recipient account, to the document in the message.

Abstract: A method includes: accessing a corpus of emails sent from a email account prior to the initial time period; correlating sequences of words, in the corpus of emails, with language signals; aggregating the language signals into a sender model that represents combinations of language signals characteristic of language in emails sent from the email account; later, accessing a email outbound from the email account and directed to a recipient; scanning the email for the set of language signals; correlating sequences of words in the email with language signals; calculating a similarity score for the email based on the subset of language signals detected in the email and the sender model; and, in response to the similarity score falling below a threshold similarity, flagging the email as suspicious and redirecting the email away from the recipient.

Abstract: A method for detecting spoofed webpages includes: accessing an email; and scanning the email for links. The method also includes, in response to detecting a link in the email: accessing web content contained in a target webpage at the link; extracting target visual features from the web content; accessing a set of verified webpage templates, each verified webpage template in the set of verified webpage templates containing a set of verified features present in a verified webpage associated with a verified resource locator; identifying a particular verified webpage template, in the set of verified webpage templates, containing a particular set of verified features approximating the target visual features; characterizing a difference between the link and a particular verified resource locator associated with the particular verified webpage template; and, in response to the difference exceeding a threshold difference, flagging the email as malicious.

Abstract: A method for detecting financial attacks in emails includes: accessing an email inbound to a recipient address; scanning a body of the email for language signals; correlating a first sequence of words, in the email, with a financial signal; correlating a second sequence of words, in the email, with an action request signal; calculating a risk for the email representing a financial attack based on the financial signal and the action request signal detected in the email; and, in response to the risk exceeding a threshold risk, annotating the first sequence of words in the email according to a first visual highlighting scheme associated with the financial signal, annotating the second sequence of words in the email according to a second visual highlighting scheme—different from the first visual highlighting scheme—associated with the action request signal, and redirecting the email to a quarantine folder.

Abstract: A computer-implemented method is described to monitor and control enterprise information stored on a cloud computing service (CCS). The method includes using a cross-application monitor to detect a cloud computing service (CCS) application programming interface (API) in use and a function or an activity being performed via the CCS API. The method also includes determining the function or the activity being performed via the CCS API by parsing a data stream based on the CCS API and identifying content being transmitted to the CCS. The method further includes applying a content inspection rule to find strings and interrelated strings in the content that are subject to content control and triggering a security action responsive to finding the strings and interrelated strings subject to content control in the parsed stream.

Abstract: A computer-implemented method is described to monitor and control enterprise information stored on a cloud computing service (CCS). The method includes using a cross-application monitor to detect a cloud computing service (CCS) application programming interface (API) in use and a function or an activity being performed via the CCS API. The method also includes determining the function or the activity being performed via the CCS API by parsing a data stream based on the CCS API and identifying content being transmitted to the CCS. The method further includes applying a content inspection rule to find strings and interrelated strings in the content that are subject to content control and triggering a security action responsive to finding the strings and interrelated strings subject to content control in the parsed stream.

Abstract: A computer-implemented method is described to monitor and control enterprise information stored on a cloud computing service (CCS). The method includes using a cross-application monitor to detect a cloud computing service (CCS) application programming interface (API) in use and a function or an activity being performed via the CCS API. The method also includes determining the function or the activity being performed via the CCS API by parsing a data stream based on the CCS API and identifying content being transmitted to the CCS. The method further includes applying a content inspection rule to find strings and interrelated strings in the content that are subject to content control and triggering a security action responsive to finding the strings and interrelated strings subject to content control in the parsed stream.

Abstract: The invention is directed to techniques for dynamic policy provisioning. A network security device may comprise a memory that stores a first policy that identifies a first set of patterns that correspond to a first set of network attacks and a second policy, and a control unit that applies the first policy to the network traffic to detect the first set of network attacks. The control unit, while applying the first policy, monitors parameters corresponding to one or more resources and dynamically determines whether to apply a second policy to the network traffic based on the parameters. The control unit, based on the dynamic determination, applies the second policy to the network traffic to detect a second set of network attacks and forwards the network traffic based on the application of the second policy. In this manner, the network security device may implement the dynamic policy provisioning techniques.