Patents by Inventor Siying Yang
Siying Yang has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20250220033
Abstract: Presented is a network security system (NSS) that reliably detects malleable C2 traffic. The NSS intercepts outgoing transactions from user devices associated with user accounts. The NSS filters out transactions to known benign servers and analyzes remaining transactions for indicators of malleable command and control (C2) including heuristic, anomalous, and pattern-based detections. The NSS lowers the user confidence score associated with the user account or the user device based on the severity and number of detected indicators for each impacted outgoing transaction. When the user confidence score decreases below a threshold, the NSS implements a restricted security protocol for future outgoing transactions. Based on the detected indications, the NSS can identify malleable C2 attacker servers and add them to a blacklist of destination servers to further identify infected user accounts and devices.
Type: Application
Filed: July 10, 2024
Publication date: July 3, 2025
Inventors: Dagmawi Mulugeta, Wu-Sheng Lin, Colin Davidson Estep, Raymond Joseph Canzanese, JR., Yong Zheng, Haoxin Hu, Yongxing Wang, Siying Yang
-
Patent number: 12326957
Abstract: Disclosed is a method of building a customized deep learning (DL) stack classifier to detect organization sensitive data in images, referred to as image-borne organization sensitive documents, and protecting against loss of the image-borne organization sensitive documents, including distributing a trained feature map extractor stack, with stored parameters, configured to allow the organization to extract from image-borne organization sensitive documents, feature maps that are used to generate updated DL stacks and to save non-invertible feature maps derived from the images, and ground truth labels for the image. Also included is receiving organization-specific examples including the non-invertible feature maps extracted from the organization-sensitive documents and the ground truth labels and using the received organization-specific examples to update a customer-specific DL stack classifier. Further included is sending the customer-specific DL stack classifier to the organization.
Type: Grant
Filed: October 17, 2022
Date of Patent: June 10, 2025
Assignee: Netskope, Inc.
Inventors: Dong Guo, Yihua Liao, Siying Yang, Krishna Narayanaswamy, Yi Zhang
-
Patent number: 12284222
Abstract: Disclosed is a cloud-based security system implemented in a reverse proxy that provides bidirectional traffic inspection to protect against privacy and security concerns related to the GenAI services. The security system intercepts requests directed to the GenAI service protected by the reverse proxy implementation of the network security system. The security system includes a GenAI request classifier trained to classify prompts submitted to the GenAI application as one of benign, prompt injection attack, or uploaded files. The security system further includes a GenAI response classifier trained to classify responses from the GenAI application as one of normal, leaked system prompt, leaked user uploaded files, or leaked training data.
Type: Grant
Filed: May 21, 2024
Date of Patent: April 22, 2025
Assignee: Netskope, Inc.
Inventors: Siying Yang, Krishna Narayanaswamy
-
Patent number: 12282545
Abstract: Disclosed is a training data generation system for generating training data used to train machine learning models to inspect GenAI traffic to identify security and privacy concerns related to GenAI use. The training data generation system is seeded with initial prompts. The initial prompts include benign prompts, prompt injection attacks, and uploaded files. Each initial prompt is submitted to multiple GenAI applications to obtain responses. The corresponding prompts and responses are stored in a training data repository. Variations of the initial prompts are generated using, for example, one of the GenAI applications. Each variation is submitted to each of the GenAI applications as well, and the corresponding prompts and responses are stored. Another machine learning model, regex patterns, a combination, or the like may be used to label the prompts and responses in the training data repository to generate a large training data set quickly and efficiently.
Type: Grant
Filed: May 21, 2024
Date of Patent: April 22, 2025
Assignee: Netskope, Inc.
Inventors: Krishna Narayanaswamy, Siying Yang
-
Patent number: 12278845
Abstract: Disclosed is a cloud-based security system implemented using API notifications provided by a GenAI service or application. The security system provides bidirectional traffic inspection to protect against privacy and security concerns related to the GenAI services. The security system receives notifications of traffic including requests directed to the GenAI service from endpoints as well as the GenAI responses. The security system includes a GenAI request classifier trained to classify prompts as benign, prompt injection attack, or uploaded files. The security system further includes a GenAI response classifier trained to classify responses as normal, leaked system prompt, leaked user uploaded files, or leaked training data. Based on the classification, and optionally other security analysis, the security system may enforce security policies based on both the requests and responses that may include triggering alerts to administrators, deleting data stored by the GenAI service, and the like.
Type: Grant
Filed: May 21, 2024
Date of Patent: April 15, 2025
Assignee: Netskope, Inc.
Inventors: Krishna Narayanaswamy, Siying Yang
-
Patent number: 12273392
Abstract: Disclosed is a cloud-based security system implemented in a forward proxy that provides generative artificial intelligence (GenAI) traffic inspection to protect against security and privacy concerns related to GenAI use for protected endpoints. The security system intercepts requests and determines whether those requests are directed to a GenAI application. The security system includes a GenAI request classifier trained to classify prompts submitted to GenAI applications as one of benign, prompt injection attack, or uploaded files. The security system further includes a GenAI response classifier trained to classify responses from GenAI applications as one of normal, leaked system prompt, leaked user uploaded files, or leaked training data.
Type: Grant
Filed: May 21, 2024
Date of Patent: April 8, 2025
Assignee: Netskope, Inc.
Inventors: Siying Yang, Krishna Narayanaswamy
-
Patent number: 12267335
Abstract: Systems, methods, and related technologies for classification are described. In certain aspects, a plurality of device classification methods with associated models are accessed. Each of the classification methods has an associated reliability level. The models of classification methods with a higher reliability level than other classification methods are used to at least one of train or tune the models associated with lower reliability level.
Type: Grant
Filed: February 15, 2024
Date of Patent: April 1, 2025
Assignee: Forescout Technologies, Inc.
Inventors: Siying Yang, Yang Zhang
-
Publication number: 20250071132
Abstract: Systems, methods, and related technologies for profiling an entity and classifying an entity based on a profile are described. In certain aspects, data associated with communications of a first entity on a network are accessed, behaviors are determined based on the data associated with the communications of the first entity, and sequences of the behaviors of the first entity are determined. A profile of the first entity is determined based on the sequences of the behaviors, the profile including a classification of the first entity, a state machine of the profile of the first entity is determined, the state machine being associated with the classification against which the behaviors can be matched, a second entity is detected coming onto the network, and responsive to detecting the second entity coming onto the network, the second entity is classified based on the state machine of the profile of the first entity.
Type: Application
Filed: November 14, 2024
Publication date: February 27, 2025
Inventors: Yang Zhang, Arun Raghuramu, Siying Yang
-
Patent number: 12200001
Abstract: Systems, methods, and related technologies for profiling an entity and classifying an entity based on a profile are described. In certain aspects, data associated with communications of a first entity on a network are accessed, behaviors are determined based on the data associated with the communications of the first entity, and sequences of the behaviors of the first entity are determined. A profile of the first entity is determined based on the sequences of the behaviors, the profile including a classification of the first entity, a state machine of the profile of the first entity is determined, the state machine being associated with the classification against which the behaviors can be matched, a second entity is detected coming onto the network, and responsive to detecting the second entity coming onto the network, the second entity is classified based on the state machine of the profile of the first entity.
Type: Grant
Filed: October 5, 2023
Date of Patent: January 14, 2025
Assignee: Forescout Technologies, Inc.
Inventors: Yang Zhang, Arun Raghuramu, Siying Yang
-
Patent number: 12192080
Abstract: Systems, methods, and related technologies for device classification are described. Methods include determining device information associated with a device coupled to a network, the device information including information obtained from one or more sources, classifying the device using the device information as input to a classifier, and applying a policy to the device based on the classification of the device.
Type: Grant
Filed: September 21, 2023
Date of Patent: January 7, 2025
Assignee: Forescout Technologies, Inc.
Inventors: Yang Zhang, Siying Yang
-
Publication number: 20240394544
Abstract: Disclosed are methods and systems for customizing a deep learning (“DL”) stack to detect organization sensitive data in images, referred to as image-borne organization sensitive documents, and protecting against loss of the image-borne organization sensitive documents. The methods and systems include distributing a trained master DL stack with stored parameters to a plurality of organizations. Providing at least some of the organizations with a DL stack update trainer, under the organizations' control, configured to save, during generation of updated DL stacks, non-invertible features derived from images of organization-sensitive training examples, ground truth labels for the images, and parameters of the updated DL stacks. Receiving, from at least one of the DL stack update trainers, organization-specific examples including the non-invertible features and the ground truth labels, without receiving images of the organization-specific examples.
Type: Application
Filed: August 7, 2024
Publication date: November 28, 2024
Applicant: Netskope, Inc.
Inventors: Xiaolin Wang, Siying Yang, Krishna Narayanaswamy, Yi Zhang
-
Patent number: 12069081
Abstract: Presented is a network security system (NSS) that reliably detects malleable C2 traffic. The NSS intercepts outgoing transactions from user devices associated with user accounts. The NSS filters out transactions to known benign servers and analyzes remaining transactions for indicators of malleable command and control (C2) including heuristic, anomalous, and pattern-based detections. The NSS lowers the user confidence score associated with the user account or the user device based on the severity and number of detected indicators for each impacted outgoing transaction. When the user confidence score decreases below a threshold, the NSS implements a restricted security protocol for future outgoing transactions. Based on the detected indications, the NSS can identify malleable C2 attacker servers and add them to a blacklist of destination servers to further identify infected user accounts and devices.
Type: Grant
Filed: December 28, 2023
Date of Patent: August 20, 2024
Assignee: Netskope, Inc.
Inventors: Dagmawi Mulugeta, Wu-Sheng Lin, Colin Davidson Estep, Raymond Joseph Canzanese, Jr., Yong Zheng, Haoxin Hu, Yongxing Wang, Siying Yang
-
Patent number: 12067493
Abstract: Disclosed are methods and systems for detecting screenshot images and protecting against loss of sensitive screenshot-borne data. One disclosed method includes collecting examples of the screenshot images and non-screenshot images and creating labelled ground-truth data for the examples. The method also includes applying re-rendering of at least some of the collected example screenshot images to represent different variations of screenshots that may contain sensitive information, and further includes training a deep learning stack by forward inference and back propagation using labelled ground-truth data for the screenshot images and the examples of the non-screenshot images. The method further includes using results of the back propagation to configure parameters of the trained DL stack for inference from images in production. Also disclosed is applying a screenshot robot to collect the examples of the screenshot images and non-screenshot images.
Type: Grant
Filed: March 15, 2021
Date of Patent: August 20, 2024
Assignee: Netskope, Inc.
Inventors: Yi Zhang, Xiaolin Wang, Siying Yang, Krishna Narayanaswamy
-
Publication number: 20240249005
Abstract: The disclosed technology facilitates User and Entity Behavior Analytics (UEBA) by classifying a file being transferred as encrypted or not. The technology involves monitoring movement of files by a user over a wide area network, detecting file encryption for the files using a trained classifier, wherein the detecting includes processing by the classifier some or all of the following features extracted from each of the files: a chi-square randomness test; an arithmetic mean test; a serial correlation coefficient test; a Monte Carlo-Pi test; and a Shannon entropy test, counting a number of the encrypted files moved by the user in a predetermined period, comparing a predetermined maximum number of encrypted files allowed in the predetermined period to the count of the encrypted files moved by the user and detecting that the user has moved more encrypted files than the predetermined maximum number, and generating an alert.
Type: Application
Filed: February 23, 2024
Publication date: July 25, 2024
Inventors: Yi Zhang, Siying Yang, Yihua Liao, Dagmawi Mulugeta, Raymond Joseph Canzanese, JR., Ari Azarafrooz
-
Publication number: 20240195815
Abstract: Systems, methods, and related technologies for classification are described. In certain aspects, a plurality of device classification methods with associated models are accessed. Each of the classification methods has an associated reliability level. The models of classification methods with a higher reliability level than other classification methods are used to at least one of train or tune the models associated with lower reliability level.
Type: Application
Filed: February 15, 2024
Publication date: June 13, 2024
Inventors: Siying Yang, Yang Zhang
-
Publication number: 20240146772
Abstract: Device scanning aspects are described. In certain aspects, the method includes performing a scan of a device based on a port forwarding policy.
Type: Application
Filed: January 10, 2024
Publication date: May 2, 2024
Inventor: Siying Yang
-
Patent number: 11947682
Abstract: The disclosed technology facilitates User and Entity Behavior Analytics (UEBA) by classifying a file being transferred as encrypted or not. The technology involves monitoring movement of files by a user over a wide area network, detecting file encryption for the files using a trained classifier, wherein the detecting includes processing by the classifier some or all of the following features extracted from each of the files: a chi-square randomness test; an arithmetic mean test; a serial correlation coefficient test; a Monte Carlo-Pi test; and a Shannon entropy test, counting a number of the encrypted files moved by the user in a predetermined period, comparing a predetermined maximum number of encrypted files allowed in the predetermined period to the count of the encrypted files moved by the user and detecting that the user has moved more encrypted files than the predetermined maximum number, and generating an alert.
Type: Grant
Filed: July 7, 2022
Date of Patent: April 2, 2024
Assignee: Netskope, Inc.
Inventors: Yi Zhang, Siying Yang, Yihua Liao, Dagmawi Mulugeta, Raymond Joseph Canzanese, Jr., Ari Azarafrooz
-
Patent number: 11936660
Abstract: Systems, methods, and related technologies for self-training classification are described. In certain aspects, a plurality of device classification methods with associated models are accessed. Each of the classification methods has an associated reliability level. The models of classification methods with a higher reliability level than other classification methods are used to train the models associated with lower reliability level. The trained models and associated classification methods are thus improved.
Type: Grant
Filed: April 26, 2022
Date of Patent: March 19, 2024
Assignee: FORESCOUT TECHNOLOGIES, INC.
Inventors: Siying Yang, Yang Zhang
-
Patent number: 11909767
Abstract: Device scanning aspects are described. In certain aspects, the method includes configuring a port forwarding policy on a first device based on network session information and performing a scan of a second device based on a port forwarding policy.
Type: Grant
Filed: July 9, 2020
Date of Patent: February 20, 2024
Assignee: Forescout Technologies, Inc.
Inventor: Siying Yang
-
Publication number: 20240048578
Abstract: Systems, methods, and related technologies for profiling an entity and classifying an entity based on a profile are described. In certain aspects, data associated with communications of a first entity on a network are accessed, behaviors are determined based on the data associated with the communications of the first entity, and sequences of the behaviors of the first entity are determined. A profile of the first entity is determined based on the sequences of the behaviors, the profile including a classification of the first entity, a state machine of the profile of the first entity is determined, the state machine being associated with the classification against which the behaviors can be matched, a second entity is detected coming onto the network, and responsive to detecting the second entity coming onto the network, the second entity is classified based on the state machine of the profile of the first entity.
Type: Application
Filed: October 5, 2023
Publication date: February 8, 2024
Inventors: Yang Zhang, Arun Raghuramu, Siying Yang