Abstract: The technology disclosed includes a system to perform multi-label support vector machine (SVM) classification of a document. The system creates document features representing frequencies or semantics of words in the document. Trained SVM classification parameters for a plurality of labels are applied to the document features for the document. The system determines positive and negative distances between SVM hyperplanes for the labels and the feature vector. Labels with positive distance to the feature vector are harvested. When the distribution of negative distances is characterized by a mean and standard deviation, the system further harvests the labels with a negative distance such that the harvested labels include the labels with a negative distance between the mean negative distance and zero and separated from the mean negative distance by a predetermined first number of standard deviations.

Abstract: A network security system and method provide dynamic access control for a protected resource using a client-initiated ticket generation scheme. A client application receives, from an access control manager, a limited-use access ticket and may include the limited-use access ticket within application program interface (API) calls to a service application. The service application may forward the limited-use access ticket as a service access ticket to a ticket-based access control layer. A transaction monitor monitors run-time transaction information generated by the API calls to the service application and if the limited-use access ticket is detected in the run-time transaction information, forward the limited-use access ticket to the access control manager to perform validation of the limited-use access ticket.

Abstract: The technology disclosed relates to a system. The system comprises a trained multi-label support vector machine running a one-vs-the-rest classifier. The trained multi-label support vector machine running a one-vs-the-rest classifier is configured with trained parameters. The trained parameters are learned from training the trained multi-label support vector machine running the one-vs-the-rest classifier on document features of documents belonging to a plurality of label classes, and hyperplane determinations on label classes in the plurality of label classes. The trained parameters include distributions of distances between the label classes and the hyperplanes.

Abstract: The technology disclosed relates to simulating spread of a malware in cloud applications. In particular, the technology disclosed relates to accessing sharing data for files shared between users via sync and share mechanisms of cloud applications, tracing connections between the users by traversing a directed graph constructed based on the sharing data, and simulating spread of a malware based on the traced connections to simulate user exposure to, infection by, and transmission of the malware. The connections are created as a result of syncing and sharing the files via the sync and share mechanisms. The malware is spread by syncing and sharing of infected ones of the files via the sync and share mechanisms.

Abstract: The technology disclosed works in real time, as base and subordinate HTTP URL requests are received, to attribute subordinate HTTP URL requests to base web pages. The main case uses the “referer” or “referrer” HTTP header field for attribution, directly and through a referer hierarchy to the base web page. A second case, which minimizes false generation of base web page log entries, involves small files, such as cascading style sheets (CSS) files, that often have a blank or no referer field. The technology disclosed applies equivalently to hypertext transfer protocol secure (HTTPS) data (e.g., HTTPS transactions, requests, and/or events).

Abstract: The technology disclosed relates to simulating spread of a malware in cloud applications. In particular, the technology disclosed relates to accessing sharing data for files shared between users via sync and share mechanisms of cloud applications, tracing connections between the users by traversing a directed graph constructed based on the sharing data, and simulating spread of a malware based on the traced connections to simulate user exposure to, infection by, and transmission of the malware. The connections are created as a result of syncing and sharing the files via the sync and share mechanisms. The malware is spread by syncing and sharing of infected ones of the files via the sync and share mechanisms.

Abstract: The technology disclosed works in real time, as base and subordinate HTTP URL requests are received, to attribute subordinate HTTP URL requests to base web pages. The main case uses the “referer” or “referrer” HTTP header field for attribution, directly and through a referer hierarchy to the base web page. A second case, which minimizes false generation of base web page log entries, involves small files, such as cascading style sheets (CSS) files, that often have a blank or no referer field. The technology disclosed applies equivalently to hypertext transfer protocol secure (HTTPS) data (e.g., HTTPS transactions, requests, and/or events).

Abstract: A network security system and method implements dynamic access control for a protected resource using run-time contextual information. In some embodiments, the network security system and method implements a dynamic access ticket scheme for access control where the access ticket is based on run-time application context. In other embodiments, the network security system and method implements policy enforcement actions in response to detected violations using application programming interface (API) to effectively block detected policy violations without negatively impacting the operation of the application or the user of the application. In some embodiments, the network security system uses enterprise social collaboration tools to interact with the end-user or with the system administrator in the event of detected security incidents.

Abstract: The technology disclosed relates to detecting a ransomware attack on a cloud-based file storage system. The detecting includes collecting metadata on files at they are manipulated, storing the collected metadata as historical metadata, detecting multiple artifacts of the ransomware attack resulting from ransomware manipulation of the files by (i) comparing at least one of the extension, the magic number and the size included in the historical metadata to at least one of the extension, the magic number and the size included in current metadata of the files to identify a volume of changes in the files, and (ii) detecting that the identified volume of changes exceeds a change volume to determine that the ransomware attack is in progress, and identifying a user/machine that manipulated the files and responding to the determination that the ransomware attack is in progress by restricting further manipulation of other files by the identified user/machine.

Abstract: The technology disclosed relates to detecting a data attack on a file system stored on an independent data store. The detecting includes scanning a list to identify files of the independent data store that have been updated within a timeframe, assembling current metadata for files identified by the scanning, obtaining historical metadata of the files, determining that a malicious activity is in process by analyzing the current metadata of the files and the historical metadata to identify a pattern of changes that exceeds a predetermined change velocity. Further, the detecting includes determining that the malicious activity is in process by analyzing the current metadata of the files and known patterns of malicious metadata to identify a match between the current metadata and the known patterns of malicious metadata, determining a machine/user that initiated the malicious activity, and implementing a response mechanism that restricts file modifications by the determined machine/user.

Abstract: The technology disclosed automates aggregate network traffic monitoring using an aggregation index that maps URLs, domain names, and subdomain names to roll-up families. Network usage records for family members, i.e., URLs, domain names, and subdomain names mapped to the same roll-up family in the aggregation index, are rolled up and attributed to a family root name identifying the roll-up family.

Abstract: The technology disclosed relates to a system. The system comprises a trained multi-label support vector machine running a one-vs-the-rest classifier. The trained multi-label support vector machine running a one-vs-the-rest classifier is configured with trained parameters. The trained parameters are learned from training the trained multi-label support vector machine running the one-vs-the-rest classifier on document features of documents belonging to a plurality of label classes, and hyperplane determinations on label classes in the plurality of label classes. The trained parameters include distributions of distances between the label classes and the hyperplanes.

Abstract: The technology disclosed relates to detecting a data attack on a local file system. The detecting includes scanning a list to identify files of the local file system that have been updated within a timeframe, reading payloads of files identified by the scanning, calculating current content properties from the payload of the files, obtaining historical content properties of the files, determining that a malicious activity is in process by analyzing the current content properties and the historical content properties to identify a pattern of changes that exceeds a predetermined change velocity. Further, the detecting includes determining that the malicious activity is in process by analyzing the current content properties and known patterns of malicious metadata to identify a match between the current metadata and the known patterns of malicious metadata, determining a machine/user that initiated the malicious activity, and implementing a response mechanism that restricts file modifications by the machine/user.

Abstract: A network security system and method implements dynamic access control for a protected resource using run-time contextual information. In some embodiments, the network security system and method implements a dynamic access ticket scheme for access control where the access ticket is based on run-time application context. In other embodiments, the network security system and method implements policy enforcement actions in response to detected violations using application programming interface (API) to effectively block detected policy violations without negatively impacting the operation of the application or the user of the application. In some embodiments, the network security system uses enterprise social collaboration tools to interact with the end-user or with the system administrator in the event of detected security incidents.

Abstract: The technology disclosed relates to detecting a data attack on a file system stored on an independent data store. The detecting includes scanning a list to identify files of the independent data store that have been updated within a timeframe, assembling current metadata for files identified by the scanning, obtaining historical metadata of the files, determining that a malicious activity is in process by analyzing the current metadata of the files and the historical metadata to identify a pattern of changes that exceeds a predetermined change velocity. Further, the detecting includes determining that the malicious activity is in process by analyzing the current metadata of the files and known patterns of malicious metadata to identify a match between the current metadata and the known patterns of malicious metadata, determining a machine/user that initiated the malicious activity, and implementing a response mechanism that restricts file modifications by the determined machine/user.

Abstract: The technology disclosed includes a system to perform multi-label support vector machine (SVM) classification of a document. The system creates document features representing frequencies or semantics of words in the document. Trained SVM classification parameters for a plurality of labels are applied to the document features for the document. The system determines positive and negative distances between SVM hyperplanes for the labels and the feature vector. Labels with positive distance to the feature vector are harvested. When the distribution of negative distances is characterized by a mean and standard deviation, the system further harvests the labels with a negative distance such that the harvested labels include the labels with a negative distance between the mean negative distance and zero and separated from the mean negative distance by a predetermined first number of standard deviations.

Abstract: A network security system and method implements dynamic access control for a protected resource using run-time contextual information. In some embodiments, the network security system and method implements a dynamic access ticket scheme for access control where the access ticket is based on run-time application context. In other embodiments, the network security system and method implements policy enforcement actions in response to detected violations using application programming interface (API) to effectively block detected policy violations without negatively impacting the operation of the application or the user of the application. In some embodiments, the network security system uses enterprise social collaboration tools to interact with the end-user or with the system administrator in the event of detected security incidents.

Abstract: The technology disclosed relates to simulating spread of a malware in cloud applications. In particular, the technology disclosed relates to accessing sharing data for files shared between users via sync and share mechanisms of cloud applications, tracing connections between the users by traversing a directed graph constructed based on the sharing data, and simulating spread of a malware based on the traced connections to simulate user exposure to, infection by, and transmission of the malware. The connections are created as a result of syncing and sharing the files via the sync and share mechanisms. The malware is spread by syncing and sharing of infected ones of the files via the sync and share mechanisms.

Abstract: The technology disclosed works in real time, as base and subordinate HTTP URL requests are received, to attribute subordinate HTTP URL requests to base web pages. The main case uses the “referer” or “referrer” HTTP header field for attribution, directly and through a referer hierarchy to the base web page. A second case, which minimizes false generation of base web page log entries, involves small files, such as cascading style sheets (CSS) files, that often have a blank or no referer field. The technology disclosed applies equivalently to hypertext transfer protocol secure (HTTPS) data (e.g., HTTPS transactions, requests, and/or events).

Abstract: The technology disclosed automates aggregate network traffic monitoring using an aggregation index that maps URLs, domain names, and subdomain names to roll-up families. Network usage records for family members, i.e., URLs, domain names, and subdomain names mapped to the same roll-up family in the aggregation index, are rolled up and attributed to a family root name identifying the roll-up family.