Abstract: A computing system is configured to perform zero-trust domain name resolution. The computing system includes applications coupled to a zero-trust client. The zero-trust client is configured to receive requests for IP addresses corresponding to endpoint identifiers for internet connected endpoints. The zero-trust client includes a synthetic DNS service configured to identify synthetic IP addresses for the endpoint identifiers. The zero-trust client provides the synthetic IP addresses for the endpoint identifiers to the applications. The zero-trust client sends data traffic from the applications to a zero-trust service with the synthetic IP addresses and sends corresponding endpoint identifiers to the zero-trust service in a fashion that allows the synthetic IP addresses to be correlated to the endpoint identifiers at the zero-trust service.

Abstract: Methods, systems and computer program products are provided for intelligent secure access to private resources. A security service (e.g., SASE ZTNA) may maintain the same or similar security posture for users who work remotely and/or locally by providing authentication, authorization, and/or ongoing conditional access via a security service (e.g., private or public SASE) while intelligently routing remote client traffic to private resources through the security service and routing local client traffic to private resources locally. A traffic routing determination may be made by a security client and/or security server. A traffic routing determination may be based on the location of a client computing device, such as a trusted network detection for a private/trusted network. Traffic routing determinations may be based on conditions alternative or in addition to location, such as the type of private resource or information being accessed by a client computing device.

Abstract: Methods, systems and computer program products are provided for granular secure user access to private resources. Increased granularity of security policies for user access may reduce security threats to resources. Security policies indicating user access to secure resources may be based on various combinations of user identities, client-side process (e.g., sub-process) identities, device identities, device types, device locations, resource access types, intelligent access (e.g., selective traffic routing), etc. For example, a security policy may indicate user A, using computing device B executing process C with process signature S (e.g., a signing signature thumbprint, etc.) may access private resource D. A process identity may be indicated by at least one of a process name, a code signing signature, a thumbprint, a process version, or a process publisher. Resource access security policy determinations and/or enforcement may be performed by security clients and/or security engines (e.g.

Abstract: A recommendation system for recommending a target feature value for a target feature for a target deployment is provided. The recommendation system, for each of a plurality of deployments, collects feature values for the features of that deployment. The recommendation system then generates a model for recommending a target feature value for the target feature based on the collected feature values of the features for the deployments. The recommendation system applies the model to the features of the target deployment to identify a target feature value for the target feature. The recommendation system then provides the identified target feature value as a recommendation for the target feature for the target deployment.

Abstract: The devices and methods relate to web categorization of web requests. The devices and methods may perform a two-step classification of the web requests. The first classification may provide potential web categories for web request based on a fully qualified domain name (FQDN) of the web request. The first classification may be used to determine whether transport layer security (TLS) termination may be performed on the web request. The second classification may provide a web category for a uniform resource locator (URL) of the web request after performing the TLS termination. The web category may be used by a firewall in filtering web traffic for the web request.

Abstract: A recommendation system for recommending a target feature value for a target feature for a target deployment is provided. The recommendation system, for each of a plurality of deployments, collects feature values for the features of that deployment. The recommendation system then generates a model for recommending a target feature value for the target feature based on the collected feature values of the features for the deployments. The recommendation system applies the model to the features of the target deployment to identify a target feature value for the target feature. The recommendation system then provides the identified target feature value as a recommendation for the target feature for the target deployment.

Abstract: The devices and methods relate to web categorization of web requests. The devices and methods may perform a two-step classification of the web requests. The first classification may provide potential web categories for web request based on a fully qualified domain name (FQDN) of the web request. The first classification may be used to determine whether transport layer security (TLS) termination may be performed on the web request. The second classification may provide a web category for a uniform resource locator (URL) of the web request after performing the TLS termination. The web category may be used by a firewall in filtering web traffic for the web request.

Abstract: Disclosed herein is a system and method that can be used with any underlying classification technique. The method receives a test dataset and determines the features in that test dataset that are present. From these features the training dataset is modified to only have those features that are present in the test dataset. This modified test dataset is then used to calibrate the classifier for the particular incoming data set. The process repeats itself for each different incoming dataset providing a just in time calibration of the classifier.

Abstract: A solution for firewall auto-learning in in zero trust environments, such as cloud environments, includes: based at least on a first trigger event, determining a first set of restricted dependencies for a cloud service firewall to learn for a first application; during a first learning phase, learning a first set of candidate rules corresponding to at least a portion of the first set of restricted dependencies; receiving an indication of verifying, blocking, or tailoring one or more candidate rules within the first set of candidate rules, to generate a first set of verified rules; and operating the firewall with the first set of verified rules for the first application. Some examples include receiving a set of constraints, such as a selection from a set of preset constraints and/or a custom constraint. Some examples include retraining based at least on a second trigger event and/or learning rules for a second application.

Abstract: Disclosed herein is a system and method that can be used with any underlying classification technique. The method takes into account both the value of the current feature vector. It is based on evaluating the effect of perturbing each feature by bootstrapping it with the negative samples and measuring the change in the classifier output. To assess the importance of a given feature value in the classified feature vector, a random negatively labeled instance is taken out of the training set and replaces the feature at question with a corresponding feature from this set. Then, by classifying the modified feature vector and comparing its predicted label and classifier output a user is able measure and observe the effect of changing each feature.

Abstract: A recommendation system for recommending a target feature value for a target feature for a target deployment is provided. The recommendation system, for each of a plurality of deployments, collects feature values for the features of that deployment. The recommendation system then generates a model for recommending a target feature value for the target feature based on the collected feature values of the features for the deployments. The recommendation system applies the model to the features of the target deployment to identify a target feature value for the target feature. The recommendation system then provides the identified target feature value as a recommendation for the target feature for the target deployment.

Abstract: Disclosed herein is a system and method that can be used with any underlying classification technique. The method receives a test dataset and determines the features in that test dataset that are present. From these features the training dataset is modified to only have those features that are present in the test dataset. This modified test dataset is then used to calibrate the classifier for the particular incoming data set. The process repeats itself for each different incoming dataset providing a just in time calibration of the classifier.

Abstract: Disclosed herein is a system and method that can be used with any underlying classification technique. The method takes into account both the value of the current feature vector. It is based on evaluating the effect of perturbing each feature by bootstrapping it with the negative samples and measuring the change in the classifier output. To assess the importance of a given feature value in the classified feature vector, a random negatively labeled instance is taken out of the training set and replaces the feature at question with a corresponding feature from this set. Then, by classifying the modified feature vector and comparing its predicted label and classifier output a user is able measure and observe the effect of changing each feature.

Abstract: Embodiments of the invention provide techniques for basing access control decisions at the network layer at least in part on information provided in claims, which may describe attributes of a computer requesting access, one or more resources to which access is requested, the user, the circumstances surrounding the requested access, and/or other information. The information may be evaluated based on one or more access control policies, which may be pre-set or dynamically generated, and used in making a decision whether to grant or deny the computer access to the specified resource(s).

Abstract: Embodiments of the invention make the issuance of trustworthy device claims available to client devices as a service, so that a client device to which device claims are issued may use the device claims in relation to an attempt to access a network application. The service may conduct an assessment of the device's characteristics and/or state, characterize the results of this assessment in device claims, and issue the device claims to the device. The service may be accessible to a client device from outside administrative boundaries of an entity that makes a network application accessible, and thus may be useful to entities making network applications accessible in business-to-consumer (B2C) and business-to-business (B2B) topologies, such as over the publicly accessible Internet.

Abstract: Embodiments of the invention provide a trusted intermediary for use in a system in which access control decisions may be based at least in part on information provided in claims. The intermediary may request claims on behalf of a network resource to which access is requested, and submit the claims for a decision whether to grant or deny access. The decision may be based at least in part on one or more access control policies, which may be pre-set or dynamically generated. Because the intermediary requests the claims and submits the claims for an access control decision, the network resource (e.g., a server application) need not be configured to process claims information.

Abstract: Attestation by a self-regulating attestation client. The attestation client requests a credential of health from an attestation service, which includes an ordered attestation log and proof of integrity and freshness of the log. The attestation client receives the requested credential of health, which certifies the attestation client was healthy when it requested the credential of health and that the attestation service trusts the attestation client to be healthy each time the attestation client authenticates using the credential of health. The attestation client receives a request to authenticate that it is healthy using the credential of health, verifies that it is currently healthy, and performs the requested authentication.

Abstract: Architecture that provides additional data that can be obtained and employed in security models in order to provide security to services over the service lifecycle. The architecture automatically propagates security classifications throughout the lifecycle of the service, which can include initial deployment, expansion, moving servers, monitoring, and reporting, for example, and further include classification propagation from the workload (computer), classification propagation in the model, classification propagation according to the lineage of the storage location (e.g., virtual hard drive), status propagation in the model and classification based on data stored in the machine.

Abstract: Embodiments of the invention enable a client device to procure trustworthy device claims describing one or more attributes of the client device, have those device claims included in a data structure having a format suitable for processing by an application, and use the data structure which includes the device claims in connection with a request to access the application. The application may use the device claims to drive any of numerous types of application functionality, such as security-related and/or other functionality.

Abstract: Attestation by a self-regulating attestation client. The attestation client requests a credential of health from an attestation service, which includes an ordered attestation log and proof of integrity and freshness of the log. The attestation client receives the requested credential of health, which certifies the attestation client was healthy when it requested the credential of health and that the attestation service trusts the attestation client to be healthy each time the attestation client authenticates using the credential of health. The attestation client receives a request to authenticate that it is healthy using the credential of health, verifies that it is currently healthy, and performs the requested authentication.