Abstract: Techniques for mapping policy documents to regulatory documents to check for compliance between the policies and documents are provided. In one example, a computer-implemented method determining, by a system operatively coupled to a processor, an information input, a control framework, and a document from a first group consisting of a regulatory document and a policy document, wherein the information input is a corpora from a second group consisting of a domain corpora and a global corpora. The computer-implemented method can also comprise mapping, by the system, the received regulatory document or the received policy document to the control framework using a supervised machine learning technique.

Abstract: A processing system may obtain a first sampled flow record for a first flow in a network, comprising information regarding selected packets of the first flow, derive, from the first sampled flow record, a data volume and a duration of the first flow, and determine a first flow metric for the first flow that is calculated from the data volume and the duration, where the first flow metric is one of a plurality of flow metrics for a plurality of flows, and where the plurality of flow metrics is determined from the plurality of sampled flow records associated with the plurality of flows. The processing system may then classify the first flow into one of at least two classes, based upon the first flow metric and at least a first flow metric threshold.

Abstract: A method may include a processing system having at least one processor obtaining a first plurality of domain name system traffic records, generating an input aggregate vector from the first plurality of domain name system traffic records, where the input aggregate vector comprises a plurality of features derived from the first plurality of domain name system traffic records, and applying an encoder-decoder neural network to the input aggregate vector to generate a reconstructed vector, where the encoder-decoder neural network is trained with a plurality of aggregate vectors generated from a second plurality of domain name system traffic records. In one example, the processing system may then calculate a distance between the input aggregate vector and the reconstructed vector, and apply at least one remedial action associated with the first plurality of domain name system traffic records when the distance is greater than a threshold distance.

Abstract: Domains and IPs are scored using domain resolution data to identify malicious domains and IPs. A domain and IP resolution graph for a set of domains and IPs in a system. A seed set of known malicious domains and known malicious IPs is selected from a malicious domain and malicious IP database. A graphical probabilistic propagation inference from the domain and IP resolution graph and the seed set of known malicious domains and known malicious IPs is generated. A malicious score is calculated for each domain in the set of domains and each IP in the set of IPs, and the malicious domain and malicious IP database is updated.

Abstract: Domains and IPs are scored using domain resolution data to identify malicious domains and IPs. A domain and IP resolution graph for a set of domains and IPs in a system. A seed set of known malicious domains and known malicious IPs is selected from a malicious domain and malicious IP database. A graphical probabilistic propagation inference from the domain and IP resolution graph and the seed set of known malicious domains and known malicious IPs is generated. A malicious score is calculated for each domain in the set of domains and each IP in the set of IPs, and the malicious domain and malicious IP database is updated.

Abstract: A method may include a processing system having at least one processor obtaining a first plurality of domain name system traffic records, generating an input aggregate vector from the first plurality of domain name system traffic records, where the input aggregate vector comprises a plurality of features derived from the first plurality of domain name system traffic records, and applying an encoder-decoder neural network to the input aggregate vector to generate a reconstructed vector, where the encoder-decoder neural network is trained with a plurality of aggregate vectors generated from a second plurality of domain name system traffic records. In one example, the processing system may then calculate a distance between the input aggregate vector and the reconstructed vector, and apply at least one remedial action associated with the first plurality of domain name system traffic records when the distance is greater than a threshold distance.

Abstract: A processing system may obtain a first sampled flow record for a first flow in a network, comprising information regarding selected packets of the first flow, derive, from the first sampled flow record, a data volume and a duration of the first flow, and determine a first flow metric for the first flow that is calculated from the data volume and the duration, where the first flow metric is one of a plurality of flow metrics for a plurality of flows, and where the plurality of flow metrics is determined from the plurality of sampled flow records associated with the plurality of flows. The processing system may then classify the first flow into one of at least two classes, based upon the first flow metric and at least a first flow metric threshold.

Abstract: The present disclosure describes detection and mitigation of malicious wireless devices, in a wireless communication network including a radio access network (RAN) and a core network (CN), in a manner for selectively preventing the malicious wireless devices from using the wireless communication network based on identification of the malicious wireless devices in the wireless communication network. In one example, detection and mitigation of malicious wireless devices may include detecting a malicious wireless device based on identification of malicious activity by the malicious wireless device, identifying the malicious wireless device within the RAN based on correlation of one or more CN-based identifiers of the malicious wireless device within the CN and one or more RAN-based identifiers of the malicious wireless device within the RAN, and preventing the malicious wireless device from using the wireless communication network based on the one or more RAN-based identifiers of the malicious wireless device.

Abstract: Domains and IPs are scored using domain resolution data to identify malicious domains and IPs. A domain and IP resolution graph for a set of domains and IPs in a system. A seed set of known malicious domains and known malicious IPs is selected from a malicious domain and malicious IP database. A graphical probabilistic propagation inference from the domain and IP resolution graph and the seed set of known malicious domains and known malicious IPs is generated. A malicious score is calculated for each domain in the set of domains and each IP in the set of IPs, and the malicious domain and malicious IP database is updated.

Abstract: Techniques for mapping policy documents to regulatory documents to check for compliance between the policies and documents are provided. In one example, a computer-implemented method determining, by a system operatively coupled to a processor, an information input, a control framework, and a document from a first group consisting of a regulatory document and a policy document, wherein the information input is a corpora from a second group consisting of a domain corpora and a global corpora. The computer-implemented method can also comprise mapping, by the system, the received regulatory document or the received policy document to the control framework using a supervised machine learning technique.

Abstract: Techniques for mapping policy documents to regulatory documents to check for compliance between the policies and documents are provided. In one example, a computer-implemented method determining, by a system operatively coupled to a processor, an information input, a control framework, and a document from a first group consisting of a regulatory document and a policy document, wherein the information input is a corpora from a second group consisting of a domain corpora and a global corpora. The computer-implemented method can also comprise mapping, by the system, the received regulatory document or the received policy document to the control framework using a supervised machine learning technique.

Abstract: A method may include a processing system assigning samples of network traffic data to positions in a list, where each of the samples is assigned a cluster identifier corresponding to the respective position, and traversing the list, where for each position, the processing system: increments an order indicator, and when the cluster identifier is not less than the order indicator, computes a distance between a sample assigned to the position and other samples, records a cluster identifier of another sample when a distance between the sample and the other sample is less than a threshold distance, and assigns a minimum cluster identifier that is recorded to all of the samples with cluster identifiers that are recorded. The processing system may determine clusters from cluster identifiers in the list after the traversing and identify at least one cluster as representing anomalous network traffic data.

Abstract: A request arrival rate is obtained at a given computing node in a computing network comprising a plurality of distributed computing nodes. A topology of the computing network is determined at the given computing node so as to identify neighboring computing nodes with respect to the given computing node. A probability is computed at the given computing node based on the obtained request arrival rate and the detected network topology. The computed probability is used to select a decision from a set of decision candidates in response to a request received at the given computing node in a given time slot. The selected decision is a decision with a top average reward attributed thereto across the given computing node and the neighboring computing nodes determined based on information shared by the neighboring computing node with the given computing node.

Abstract: A method may include a processing system assigning samples of network traffic data to positions in a list, where each of the samples is assigned a cluster identifier corresponding to the respective position, and traversing the list, where for each position, the processing system: increments an order indicator, and when the cluster identifier is not less than the order indicator, computes a distance between a sample assigned to the position and other samples, records a cluster identifier of another sample when a distance between the sample and the other sample is less than a threshold distance, and assigns a minimum cluster identifier that is recorded to all of the samples with cluster identifiers that are recorded. The processing system may determine clusters from cluster identifiers in the list after the traversing and identify at least one cluster as representing anomalous network traffic data.

Abstract: A method may include a processing system having at least one processor obtaining a first plurality of domain name system traffic records, generating an input aggregate vector from the first plurality of domain name system traffic records, where the input aggregate vector comprises a plurality of features derived from the first plurality of domain name system traffic records, and applying an encoder-decoder neural network to the input aggregate vector to generate a reconstructed vector, where the encoder-decoder neural network is trained with a plurality of aggregate vectors generated from a second plurality of domain name system traffic records. In one example, the processing system may then calculate a distance between the input aggregate vector and the reconstructed vector, and apply at least one remedial action associated with the first plurality of domain name system traffic records when the distance is greater than a threshold distance.

Abstract: Techniques for mapping policy documents to regulatory documents to check for compliance between the policies and documents are provided. In one example, a computer-implemented method determining, by a system operatively coupled to a processor, an information input, a control framework, and a document from a first group consisting of a regulatory document and a policy document, wherein the information input is a corpora from a second group consisting of a domain corpora and a global corpora. The computer-implemented method can also comprise mapping, by the system, the received regulatory document or the received policy document to the control framework using a supervised machine learning technique.

Abstract: A request arrival rate is obtained at a given computing node in a computing network comprising a plurality of distributed computing nodes. A topology of the computing network is determined at the given computing node so as to identify neighboring computing nodes with respect to the given computing node. A probability is computed at the given computing node based on the obtained request arrival rate and the detected network topology. The computed probability is used to select a decision from a set of decision candidates in response to a request received at the given computing node in a given time slot. The selected decision is a decision with a top average reward attributed thereto across the given computing node and the neighboring computing nodes determined based on information shared by the neighboring computing node with the given computing node.