Firewall Patents (Class 726/11)
  • Patent number: 12381895
    Abstract: A computing system determines that a third party system has been exposed to a digital security violation. The computing system identifies a first user account of a user registered with the computing system that has a corresponding account associated with the third party system. The computing system determines that the first user account has stored a first set of user credentials for the corresponding account associated with the third party system at a storage location accessible by the computing system. The computing system launches a series of web browsers configured to access a first website associated with the third party system. The computing system executes, via a first web browser of the series of web browsers, a first automated script specific to the first website associated with the third party system. The computing system performs at least one of a plurality of remedial operations with respect to the corresponding account.
    Type: Grant
    Filed: October 2, 2023
    Date of Patent: August 5, 2025
    Assignee: Capital One Services, LLC
    Inventors: Mykhaylo Bulgakov, Joshua Edwards, Andrea Montealegre, George Bergeron
  • Patent number: 12375441
    Abstract: In one embodiment, a global domain name system (DNS) server processes a DNS query based on an internal network policy. Upon receiving a DNS query that is associated with a source IP address, the global DNS server identifies a client subnet based on the DNS query. The client subnet is associated with an internal device on an internal network. The global DNS server selects an internal network policy from multiple predetermined policies based on the source IP address and the client subnet. The global DNS server then tailors one or more DNS resolution operations that generate a response to the DNS query based on the selected internal network policy. Advantageously, the client subnet provides the global DNS server with visibility into the internal network. Such visibility enables the global DNS server to apply policies selectively at the granularity of individual devices on the internal network.
    Type: Grant
    Filed: September 13, 2021
    Date of Patent: July 29, 2025
    Assignee: VeriSign, Inc.
    Inventors: Michael Kaczmarek, Eric Osterweil
  • Patent number: 12375389
    Abstract: In one embodiment, a device obtains data regarding routing decisions made by a machine learning-based predictive routing engine for a network. The device determines, based on the data regarding the routing decisions, a behavior of the machine learning-based predictive routing engine. The device compares the behavior of the machine learning-based predictive routing engine to a behavioral policy for the machine learning-based predictive routing engine. The device adjusts operation of the machine learning-based predictive routing engine, when the behavior of the machine learning-based predictive routing engine violates the behavioral policy.
    Type: Grant
    Filed: May 24, 2021
    Date of Patent: July 29, 2025
    Assignee: Cisco Technology, Inc.
    Inventors: Jean-Philippe Vasseur, Vinay Kumar Kolar, Grégory Mermoud, Pierre-André Savalle
  • Patent number: 12375503
    Abstract: An exploit probability value is calculated for each of the plurality of signatures learned from a history of exploits against attributes. The exploit probability value represents a likelihood of a particular signature exploiting one or more attributes of the private network. The exploit probability value is sorted or ranked to prioritize which exploit signatures have the highest probability of occurrence. Only a predetermined number of selected exploit signatures with the highest probabilities are scanned in real-time for signature matching.
    Type: Grant
    Filed: March 31, 2022
    Date of Patent: July 29, 2025
    Assignee: Fortnet, Inc.
    Inventor: Roshanak Partovi
  • Patent number: 12373580
    Abstract: Systems and methods for using an embedded controller (EC) integrated into a heterogenous computing platform as a Trusted Platform Module (TPM). In an illustrative, non-limiting embodiment, an Information Handling System (IHS) may include a heterogeneous computing platform having a Reduced Instruction Set Computer (RISC) processor and a plurality of devices coupled thereto; and an EC integrated into the heterogeneous computing platform, wherein the EC is configured to operate as a TPM.
    Type: Grant
    Filed: November 22, 2022
    Date of Patent: July 29, 2025
    Assignee: Dell Products, L.P.
    Inventor: Adolfo S. Montero
  • Patent number: 12361125
    Abstract: Techniques are described herein that are capable of detecting an algorithmic attack against a hosted artificial intelligence (AI) system based on inputs (e.g., queries) and outputs of the hosted AI system. In a first example, a feature-based classifier model is used to generate a classification score based on features that are derived from numerical representations of the queries and the outputs, and an algorithmic attack is detected based on the classification score being greater than or equal to a score threshold. In a second example, a transformer-based model is used to generate a vector by providing a multivariate time series, which is based on attribute(s) of the inputs and attribute(s) of the outputs, as an input to the transformer-based model, and an algorithmic attack is detected based on a distance between the vector and a point corresponding to a reference vector being less than or equal to a distance threshold.
    Type: Grant
    Filed: July 16, 2024
    Date of Patent: July 15, 2025
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Hyrum Spencer Anderson, Raja Sekhar Rao Dheekonda, William Pearce, Ricky Dee Loynd, James David McCaffrey, Ram Shankar Siva Kumar
  • Patent number: 12363170
    Abstract: Systems and methods for configuring a network security device. The methods include deploying a network security device on a network, wherein the network security device includes a network security device interface; accessing, via the network security device interface, a first cloud-based computing platform configured to request from a first library metadata associated with a first network resource on the first cloud-based computing platform; receiving at the network security device interface the metadata associated with the first network resource; and configuring the network security device in accord with the metadata associated with the first network resource.
    Type: Grant
    Filed: August 23, 2023
    Date of Patent: July 15, 2025
    Assignee: Sophos Limited
    Inventors: Ashish Aswal, Alan Charles Toews, Laxmikant Agarwal
  • Patent number: 12335232
    Abstract: Systems and techniques are described for monitoring network communications using a distributed firewall. One of the techniques includes receiving, at a driver executing in a guest operating system of a virtual machine, a request to open a network connection from a process associated with a user, wherein the driver performs operations comprising: obtaining identity information for the user; providing the identity information and data identifying the network connection to an identity module external to the driver; and receiving, by a distributed firewall, data associating the identity information with the data identifying the network connection from the identity module, wherein the distributed firewall performs operations comprising: receiving an outgoing packet from the virtual machine; determining that the identity information corresponds to the outgoing packet; and evaluating one or more routing rules based at least in part on the identity information.
    Type: Grant
    Filed: July 3, 2023
    Date of Patent: June 17, 2025
    Assignee: VMWare LLC
    Inventors: Anirban Sengupta, Subrahmanyam Manuguri, Mitchell T. Christensen, Azeem Feroz, Todd Sabin
  • Patent number: 12328392
    Abstract: In the IKE or IPSec SA rekeying, whether the rekey exchange includes the cryptographic suite in the payload depends on whether the cryptographic suite used in the old SA is changed on both ends, e.g., the initiator and the responder. If the cryptographic suite is not changed, then the rekey exchange does not include the cryptographic suite. Additionally, in the IPSec SA rekey, if the flowing information is not changed in either end, the rekey exchange further does not include the Traffic Selector (TS). As such, the size of the payload is decreased, which saves bandwidth, processing time, and power in the course of the IKE SA or the IPSec SA rekey.
    Type: Grant
    Filed: December 21, 2023
    Date of Patent: June 10, 2025
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Sandeep Kampati, De Sheng, Dharmanandana Reddy Pothula, Bharath Soma Satya Meduri
  • Patent number: 12327148
    Abstract: A method for preventing a task-signal deadlock arising due to contention for a mutex in a real-time operating system (RTOS) includes detecting, by a processing unit, a signal notification sent to a task for execution of a signal handler; identifying, by the processing unit, a mutex to be acquired by the signal handler, when the signal notification is detected; determining whether the identified mutex has been acquired by the task; and utilizing, by the processing unit, an alternative stack for execution of the signal handler, in response to determining that the mutex has been acquired by the task, for preventing a task-signal deadlock during the execution.
    Type: Grant
    Filed: October 18, 2023
    Date of Patent: June 10, 2025
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Raju Udava Siddappa, Chandan Kumar, Sudharshan Rao B, Tushar Vrind, Venkata Raju Indukuri
  • Patent number: 12321397
    Abstract: Methods, computer readable media, and apparatuses are provided herein for enhancement of document metadata processing and marking capability across cloud platforms. A data streaming pipeline may be configured between a cloud document storage platform and a cloud platform. A metadata processing server may detect a document manipulation event associated with a document stored in the cloud document storage platform. The metadata processing server may determine a triggering rule associated with the document corresponding to the document manipulation event, and cause a resultant document action in the cloud document storage platform.
    Type: Grant
    Filed: August 2, 2023
    Date of Patent: June 3, 2025
    Assignee: Capital One Services, LLC
    Inventors: Paul Warner, Sam Walczak, Joel Sop, Julia Pennington, Collin Berman, Nikhil Srikanth
  • Patent number: 12316677
    Abstract: Aspects of the present disclosure provide methods, devices, and computer-readable storage media that support dynamic enforcement of access control policies in a standardized manner. An administrator console enables access control policies to be defined as classes that may be combined and leveraged to rapidly define access control policies for enforcement in a standardized manner. An interceptor operates to detect access requests and perform policy administration (e.g., determining to grant/deny access) for the access requests and where access is granted, initiate policy resolution (e.g., determine any restrictions on the granted access request). An enforcer provides functionality for enforcing policy resolution outcomes, such as restricting access to information stored in a database or disabling interactive elements of a user interface.
    Type: Grant
    Filed: July 29, 2022
    Date of Patent: May 27, 2025
    Assignee: Accenture Global Solutions Limited
    Inventors: Praveen Viswanathan, Bharath Kumar
  • Patent number: 12299591
    Abstract: In one implementation, a method for detecting a configuration of wireless sensors within a vicinity includes a method of assessing wireless sensors in the vicinity of an application computing system. The application computing system is operated in a listen mode to receive and record wireless transmissions produced by one or more wireless sensors producing wireless transmissions in the vicinity of the application computing system. The recorded wireless transmissions are evaluated using a rule set that embodies normal operating characteristics of various types of wireless sensors in an operating environment to generate a conclusion regarding at least one attribute of at least one wireless sensor that produced the recorded wireless transmissions. The generated conclusion can be used so that the at least one wireless sensor is utilized in the application computing system.
    Type: Grant
    Filed: March 25, 2024
    Date of Patent: May 13, 2025
    Assignee: Resolution Products, LLC
    Inventors: Brian K. Seemann, David J. Mayne, Paul G. Saldin, Daniel Mondor
  • Patent number: 12287832
    Abstract: Methods and systems for providing a user interface and workflow for interacting with time series data, and applying portions of time series data sets for refining regression models. A system can present a user interface for receiving a first user input selecting a first model from a list of models for modeling the apparatus, generate and display a first chart depicting a first time series data set depicting data from a first sensor, generate and display a second chart depicting a second time series data set depicting a target output of the apparatus, receive a second user input of a portion of the first time series data set, and generate and display a third chart depicting a third time series data set depicting an output of the selected model and aligned with the second chart of the target output and updated in real-time in response to the second user input.
    Type: Grant
    Filed: May 12, 2023
    Date of Patent: April 29, 2025
    Assignee: Palantir Technologies Inc.
    Inventors: Christopher Martin, David Fowler
  • Patent number: 12289333
    Abstract: A method of a new energy centralized control station network based on dynamic IP can determine the occurrence frequency and the occurrence interval of the abnormal traffic, further analyze and determine the defense state of a new energy centralized control station based on this, and execute the corresponding dynamic optimization solution according to different defense states, so that the IP address and the firewall of the new energy centralized control station can be dynamically adjusted to ensure the security performance of the new energy centralized control station, reduce the risk of external intrusion, effectively resist malicious network reconnaissance such as scanning attacks and ensure the stable operation of a new energy power generation system.
    Type: Grant
    Filed: August 19, 2024
    Date of Patent: April 29, 2025
    Assignees: State Grid Jiangxi Electric Power Research Institute, State Grid Jiangxi Electric Power Co., Ltd., State Grid Corporation of China
    Inventors: Hao Yang, Jian Xu, Yongcai Xiao, Lingling Zhang, Shuhui Pan
  • Patent number: 12279109
    Abstract: Systems, methods, and devices can be utilized to verify wireless local area networks (WLANs) using fingerprints. An example method includes identifying a received fingerprint comprised in an advertisement message that is received by a user equipment (UE) at a time and within a coverage area. A source of the advertisement message is determined to be a rogue WLAN by determining that the received fingerprint is different than a verified fingerprint transmitted by an authorized WLAN at the time and in the coverage area. The UE outputs an alert indicating the rogue WLAN.
    Type: Grant
    Filed: October 22, 2020
    Date of Patent: April 15, 2025
    Assignee: T-Mobile USA, Inc.
    Inventors: Mark McDiarmid, Andrew Lee Watts
  • Patent number: 12278816
    Abstract: An access gateway may grant a requestor access to a computer resource. The requestor may receive a credential from an identity provider and calculate a zero-knowledge proof of possession of the credential. The requestor may use the proof to request access to the computer resource. The identity provider may record a policy corresponding to the credential in a distributed ledger. The access gateway may, subject to verifying the proof, retrieve the policy from the distributed ledger. The policy may indicate that the requestor is authorized to access the computer resource. The access gateway may grant the requestor access to the computer resource as indicated by the policy.
    Type: Grant
    Filed: December 10, 2024
    Date of Patent: April 15, 2025
    Assignee: Via Science, Inc.
    Inventors: Jesús Alejandro Cárdenes Cabré, Jeremy Taylor, Madjid Aoudia, John Christopher Muddle, Colin Gounden
  • Patent number: 12267351
    Abstract: Systems and methods for dynamically updating firewall rules for a vehicle network are disclosed herein. In one example, a system includes a processor and a memory in communication with the processor having a cyber health engine module. The cyber health engine module includes instructions that, when executed by the processor, cause the processor to receive health status information from one or more nodes of the vehicle network, calculate a risk factor for the one or more nodes of the vehicle network based on the health status information, and in response to determining that the risk factor for the one or more nodes of the vehicle network indicates increased risk, update the firewall rules to address the increased risk.
    Type: Grant
    Filed: October 5, 2022
    Date of Patent: April 1, 2025
    Assignee: Denso Corporation
    Inventors: Ameer Kashani, Carlos Mora-Golding
  • Patent number: 12261860
    Abstract: Disclosed techniques include integrated cybersecurity state change buffer service. A plurality of network-connected cybersecurity threat protection applications is accessed. A background synchronization service is initiated. The background synchronization service receives status from at least one of the plurality of cybersecurity threat protection applications. The status comprises high-volume incoming status data. The status is monitored, using the background synchronization service. A real-time state change in the status is identified, based on the monitoring. The identifying a real-time state change includes quantifying incoming data associated with the status. An actionable response is triggered, based on the state change that was identified. The actionable response enables self-healing of a connected security orchestration, automation, and response (SOAR) application system. The status is processed, using the background synchronization service, to provide the actionable response.
    Type: Grant
    Filed: January 6, 2023
    Date of Patent: March 25, 2025
    Assignee: Arctic Wolf Networks, Inc.
    Inventors: Joshua McCarthy, Nicholas Graves, David B McKinley, William Wilson
  • Patent number: 12244627
    Abstract: A system and method for performing active inspection of vulnerability exploitation in a cloud computing environment. The method includes receiving at least one network path to access a first resource, wherein the first resource is a cloud object is deployed in the cloud computing environment and having a known vulnerability, wherein the first resource is potentially accessible from a network which is external to the cloud computing environment; actively inspecting the at least one network path to determine if the first resource is accessible through the at least one network path from a network external to the cloud computing environment; and triggering the known vulnerability to determine if the first resource can be exploited with the known vulnerability, in response to determining that the first resource is accessible through the external network.
    Type: Grant
    Filed: April 13, 2022
    Date of Patent: March 4, 2025
    Assignee: Wiz, Inc.
    Inventors: Matilda Lidgi, Shai Keren, Raaz Herzberg, Avi Tal Lichtenstein, Ami Luttwak, Roy Reznik
  • Patent number: 12244504
    Abstract: In some embodiments, a method stores an executable contract in a ledger. The executable contract is for a test to be performed on a network and includes terms for the test. The method receives an indication of traffic that is received at a network device. It is determined that the traffic is associated with the executable contract that is stored in the ledger based on the terms of the test. The method responds to the network device with a response indicating that the traffic is associated with the executable contract. The network device allows the traffic to be sent to a destination on the network to perform an operation for the test.
    Type: Grant
    Filed: March 16, 2022
    Date of Patent: March 4, 2025
    Assignee: Salesforce, Inc.
    Inventors: Barrett Weisshaar, Luis Campo Giralte
  • Patent number: 12244566
    Abstract: An example network system includes processing circuitry and one or more memories coupled to the processing circuitry. The one or more memories are configured to store instructions which, when executed by the processing circuitry, cause the network system to receive connection data related to an egress connection of an application service of an application. The instructions cause the network system to analyze the connection data to determine that the egress connection is an anomalous connection. The instructions cause the network system to generate a notification indicative of the egress connection being an anomalous connection and send the notification to a computing device.
    Type: Grant
    Filed: September 21, 2023
    Date of Patent: March 4, 2025
    Assignee: Juniper Networks, Inc.
    Inventors: Raja Kommula, Rahul Gupta, Ganesh Byagoti Matad Sunkada, Tarun Banka, Thayumanavan Sridhar, Raj Yavatkar
  • Patent number: 12238215
    Abstract: A method for using encryption and tokenization to protect confidential data that is stored in a public cloud database is provided. The method includes: receiving a first data set; tokenizing the first data set; obtaining a first token for at least one attribute of the first data set; encrypting an original value of the attribute and the first data set; storing each of the original value of the at least one attribute, the encrypted value of the at least one attribute, and the first token in a first memory; storing each of the first token and the encrypted first data set in a second memory; and storing the tokenized first data set in a third memory that is hosted on a public cloud server.
    Type: Grant
    Filed: December 7, 2022
    Date of Patent: February 25, 2025
    Assignee: JPMORGAN CHASE BANK, N.A.
    Inventor: Prabhu Meena
  • Patent number: 12223339
    Abstract: Techniques are described for deploying a virtualized computing environment configured in a user-specific configuration, the virtualized network function comprising a plurality of virtual machines. A solution definition file (SDF) identifies a configuration for the deployment. The SDF replaces each secret needed for the deployment with an identifier for the secret. A schema defines a format for each identifier for each secret included in the SDF and a format of the secrets. The secrets and corresponding identifiers are stored in a secure storage. The identifiers are sent to the deployed virtual machines, the identifiers being usable by the virtual machines to obtain the secrets from the secure storage.
    Type: Grant
    Filed: November 30, 2021
    Date of Patent: February 11, 2025
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: James Duncan Parsons, Peter John Whiting
  • Patent number: 12212539
    Abstract: In one embodiment, a global domain name system (DNS) server processes a DNS query based on an internal network policy. Upon receiving a DNS query that is associated with a source IP address, the global DNS server identifies a client subnet based on the DNS query. The client subnet is associated with an internal device on an internal network. The global DNS server selects an internal network policy from multiple predetermined policies based on the source IP address and the client subnet. The global DNS server then tailors one or more DNS resolution operations that generate a response to the DNS query based on the selected internal network policy. Advantageously, the client subnet provides the global DNS server with visibility into the internal network. Such visibility enables the global DNS server to apply policies selectively at the granularity of individual devices on the internal network.
    Type: Grant
    Filed: September 13, 2021
    Date of Patent: January 28, 2025
    Assignee: VeriSign, Inc.
    Inventors: Michael Kaczmarek, Eric Osterweil
  • Patent number: 12192173
    Abstract: Network traffic inspection is disclosed. An application executing on a client device as an operating system that uses a virtual private network (VPN) stack of the operating system intercepts a first IP packet. The application determines that a policy should be applied to the intercepted first IP packet. The policy is applied to the intercepted first IP packet.
    Type: Grant
    Filed: March 4, 2024
    Date of Patent: January 7, 2025
    Assignee: Barracuda Networks, Inc.
    Inventors: Pablo German Sole, Jose Luis Ferras Pereira, Sinan Eren, Luisa Marina Moya Praca de Araujo Lima
  • Patent number: 12192216
    Abstract: A method for processing security events by applying a rule-based alarm scheme may be provided. The method includes generating a rule index of rules and an indicator of compromise index for each of the rules. The method includes also processing the incoming security event by applying the rules, increasing a current rule counter relating to a triggered rule, and increasing a current indicator of compromise counter pertaining to the triggered rule. Furthermore, the method includes generating a pseudo security event from received data about known attacks and related indicators of compromise, processing the pseudo security events by sequentially applying the rules, increasing a current rule counter of pseudo security events, and increasing a current indicator of compromise counter for pseudo security events, and sorting the rules and sorting within each rule the indicator of compromise values in the indicator of compromise index.
    Type: Grant
    Filed: October 25, 2022
    Date of Patent: January 7, 2025
    Assignee: Kyndryl, Inc.
    Inventors: Tim Uwe Scheideler, Ivan James Reedman, Arjun Udupi Raghavendra, Matthias Seul
  • Patent number: 12189738
    Abstract: This document describes techniques and systems that enable face authentication embedding migration and drift-compensation. The techniques and systems include a user device that is updated to include both a current version of firmware and an updated version of the firmware. Then, an indication of a face-authentication attempt is received along with image data associated with a user's face. After successful authentication, using the current version of firmware on the image data, the user device uses the updated version of the firmware on the same image data to generate a new embedding. The new embedding is stored as part of a migration profile for the user. Additional new embeddings are collected over a series of subsequent face-authentication attempts until a complete set of new embeddings is stored for the migration profile. Then, the old profile is deleted and the migration profile becomes the enrollment profile used for face authentication.
    Type: Grant
    Filed: September 9, 2019
    Date of Patent: January 7, 2025
    Assignee: Google LLC
    Inventors: Michael Moreno, Michael Williams, Ji Soo Shin, Madhi Hamzeh
  • Patent number: 12184609
    Abstract: The invention relates to method and system for enhancing computer network security. The method includes receiving a plurality of requests from client devices to avail a plurality of responses from services running on servers; determining a URL pattern for each of the plurality of requests based on URL associated with that request; determining a request data signature for each of the plurality of requests or a response data signature for each of the plurality of responses based on a set of request parameters associated with that request or based on a set of response parameters associated with that response, respectively, using a first machine learning model; and determining an authenticity of each of the plurality of requests based on the URL pattern and the data signature associated with that request, or an authenticity of each of the plurality of responses based on the data signature associated with that response.
    Type: Grant
    Filed: March 16, 2022
    Date of Patent: December 31, 2024
    Assignee: HCL Technologies Limited
    Inventors: Simy Chacko, Venkatesh Shankar, Ramesh Gurusamy, Jose Vincent
  • Patent number: 12184698
    Abstract: Some embodiments of the invention provide a novel method for specifying firewall rules. In some embodiments, the method provides the ability to specify for a particular firewall rule, a set of network nodes (also called a set of enforcement points below) at which the particular firewall should be enforced. To provide this ability, the method of some embodiments adds an extra tuple (referred to below as the AppliedTo tuple) to a firewall rule. This added AppliedTo tuple lists the set of enforcement points at which the firewall rule has to be applied (i.e., enforced).
    Type: Grant
    Filed: September 13, 2021
    Date of Patent: December 31, 2024
    Assignee: Nicira, Inc.
    Inventors: Kaushal Bansal, Uday Masurekar, Aravind Srinivasan, Shadab Shah, Serge Maskalik
  • Patent number: 12177220
    Abstract: An access gateway may grant a requestor access to a computer resource. The requestor may receive a credential from an identity provider and calculate a zero-knowledge proof of possession of the credential. The requestor may use the proof to request access to the computer resource. The identity provider may record a policy corresponding to the credential in a distributed ledger. The access gateway may, subject to verifying the proof, retrieve the policy from the distributed ledger. The policy may indicate that the requestor is authorized to access the computer resource. The access gateway may grant the requestor access to the computer resource as indicated by the policy.
    Type: Grant
    Filed: March 13, 2024
    Date of Patent: December 24, 2024
    Assignee: Via Science, Inc.
    Inventors: Jesús Alejandro Cárdenes Cabré, Jeremy Taylor, Madjid Aoudia, John Christopher Muddle, Colin Gounden
  • Patent number: 12160824
    Abstract: Systems and methods for managing use of power of a wireless communication device configured to communicate over a plurality of radio links. A criterion is detected, and one of the plurality of radio links is selected as a selected radio link based on detecting the criterion. Operation of the selected radio link is switched from a first operating mode to a second operating mode, and operation of one or more remaining radio links of the plurality of radio links is disabled. In response to switching operation of the selected radio link to the second operating mode, the selected radio link oscillates between an awake state and an asleep state. Radio traffic information for the plurality of radio links is received, via the selected radio link, during the awake state.
    Type: Grant
    Filed: May 18, 2023
    Date of Patent: December 3, 2024
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Sharan Naribole, Srinivas Kandala, Wook Bong Lee, Ashok Ranganath
  • Patent number: 12113768
    Abstract: A system may identify a resource deployed in a computer, where discovery protocol data traffic is unencrypted. The system may receive metadata associated with the discovery protocol data traffic, update the computer network based at least in part on the information included in the metadata, and provide a response to the client. The system may authenticate a request from the client to access the resource using an encrypted protocol, and provide, to the client, access to the resource upon authentication, according to a resource attribute.
    Type: Grant
    Filed: October 31, 2018
    Date of Patent: October 8, 2024
    Assignee: Hewlett Packard Enterprise Development LP
    Inventor: Ramsundar Janakiraman
  • Patent number: 12111650
    Abstract: The present invention relates to a system for coordinating operation control and operation maintenance for an urban rail transit and a method using the same, where the system includes: an intelligent operation maintenance subsystem and an intelligent operation control subsystem, the intelligent operation maintenance subsystem and the intelligent operation control subsystem include coordination linkage engine modules respectively, and the intelligent operation maintenance subsystem synchronizes, by using the coordination linkage engine modules, a fault handling plan to the intelligent operation control subsystem. Compared with the prior art, the present invention has the advantages of scientific and reasonable dispatching decision-making, high efficiency and high intelligence.
    Type: Grant
    Filed: October 19, 2020
    Date of Patent: October 8, 2024
    Assignee: CASCO SIGNAL LTD.
    Inventors: Jiafu Pei, Enhua Hu, Li Lin, Bingfeng Zhang, Xiangping Zhu, Ning Zheng, Shuanglei Yang, Jiafeng Guo
  • Patent number: 12105610
    Abstract: Systems and methods provide techniques for more effective and efficient predictive monitoring of a software application framework. In response, embodiments of the present invention provide methods, apparatuses, systems, computing devices, and/or the like that are configured to enable effective and efficient predictive monitoring of a software application framework using incident signatures for the software application that are generated by using a natural language processing machine learning framework, a structured data processing machine learning model, and an incident severity level detection machine learning model.
    Type: Grant
    Filed: September 27, 2021
    Date of Patent: October 1, 2024
    Assignees: ATLASSIAN PTY LTD., ATLASSIAN US, INC.
    Inventors: Karthik Muralidharan, Sri Vardhamanan A, Aneesh Kundu
  • Patent number: 12107834
    Abstract: Some embodiments provide a method that collects metrics for one or more paths of a first tunnel implementing a first security association (SA) and for one or more paths of a second tunnel implementing a second SA. The method selects a path based on the collected metrics of the paths of the first and second tunnels. When the selected path belongs to the first tunnel, the method encrypts data transmitted as encrypted payload of the first SA and transmits the encrypted payload in the first tunnel. When the selected path belongs to the second tunnel, the method encrypts data to be transmitted as encrypted payload of the second SA and transmits the encrypted payload in the second tunnel.
    Type: Grant
    Filed: January 6, 2022
    Date of Patent: October 1, 2024
    Assignee: VMware LLC
    Inventors: Yong Wang, Awan Kumar Sharma, Sourabh Bhattacharya, Deepika Solanki, Sarthak Ray
  • Patent number: 12081438
    Abstract: One aspect of the instant application facilitates automatic policy engine selection. During operation, a system can monitor a network including a set of network devices. The system can receive, based on the monitoring, a set of attributes associated with the network. At least two network devices are equipped with a different policy enforcement engine for enforcing one or more given policy rules. The system can apply a unified policy model to determine, based on the set of attributes, an assignment of the one or more given policy rules to the first policy enforcement engine and the second policy enforcement engine for providing an optimized policy enforcement. The system may then select based on the assignment, one or both of the first policy enforcement engine and the second policy enforcement engine. The system may activate the selected one or both policy enforcement engines for enforcing the given policy rules.
    Type: Grant
    Filed: October 11, 2021
    Date of Patent: September 3, 2024
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Mark A. Parenti, Timothy M. Ireland, Mathieu Riverin, Rajaseelan Manavalan, Marek Tomasz Telus
  • Patent number: 12081565
    Abstract: A method may include receiving, via a secure deployment management (SDM) system, configuration data associated with an industrial device, identifying, via the SDM system, a presence of a secure deployment management (SDM) node associated with the industrial device, and establishing, via the SDM system, a secure communication channel between the SDM system and the SDM node using one or more security protocols. The method may also involve sending, via the SDM system, the configuration data to the industrial device via the secure communication channel. The industrial device may receive the configuration data without performing one or more security operations on the configuration data.
    Type: Grant
    Filed: February 7, 2023
    Date of Patent: September 3, 2024
    Assignee: Rockwell Automation Technologies, Inc.
    Inventors: David C. Mazur, Todd A. Wiese, Jonathan Alan Mills, Nathaniel S. Sandler, Rob A. Entzminger
  • Patent number: 12074793
    Abstract: A level 2 (L2) switch receives a packet of upstream communication and a packet of downstream communication that are transmitted from a network device. Further, in a case where it is determined whether or not the received packet is a packet of upstream communication, and when it is determined that the packet is of session upstream communication and is a packet at a session start time, the L2 switch acquires session information and destination information included in the packet of the upstream communication, and stores in a session table. Further, when it is determined that the packet is of upstream communication and is not a packet at a session start time, and destination information of the packet is different from destination information stored in the session table, the L2 switch updates the destination information of the packet to the destination information stored in the session table.
    Type: Grant
    Filed: July 1, 2020
    Date of Patent: August 27, 2024
    Assignee: Nippon Telegraph and Telephone Corporation
    Inventors: Yuki Takei, Masayuki Nishiki, Masato Nishiguchi
  • Patent number: 12063580
    Abstract: A communication system provides secure communication between two nodes in a self-organizing network without the need for a centralized security or control device. A first node of the two nodes is provisioned with one or more security profiles, auto-discovers a second node of the two nodes, authenticates the second node based on a security profile of the one or more security profiles, selects a security profile of the one or more security profiles to encrypt a communication session between the two nodes, and encrypts the communication session between the two nodes based on the selected security profile. The second node also is provisioned with the same one or more security profiles, authenticates the first node based on a same security profile as is used to authenticate the second node, and encrypts the communication session based on the same security profile as is used for encryption by the first node.
    Type: Grant
    Filed: January 24, 2023
    Date of Patent: August 13, 2024
    Assignee: Google Technology Holdings LLC
    Inventors: Shravan Mahidhara, Vasanthi Raghuram
  • Patent number: 12045264
    Abstract: A connected device at a client network implements a local data classification service for classifying data based on a data classification service of a remote provider network. The local data classification service receives a request to classify data at one or more data sources of the client network. The request is initiated from a client device of the client network according to a management interface for a data classification service of a remote provider network (e.g., using the same API request used by the remote classification service). The local data classification service obtains at least some of the data from the one or more data sources of the client network. The local data classification service classifies the obtained data according to different types of sensitivity using the data classification engine in the execution environment without the data being exposed outside of a data isolation boundary of the client network.
    Type: Grant
    Filed: November 14, 2022
    Date of Patent: July 23, 2024
    Assignee: Amazon Technologies, Inc.
    Inventors: Eric Jason Brandwine, Calvin Yue-Ren Kuo
  • Patent number: 12041085
    Abstract: Obtaining one or more metrics associated with a network location. Determining, based on the one or more metrics and one or more prefatory check conditions, a prefatory status of the network location, the prefatory status indicating a benign status, malicious status, or a suspicious status. If the prefatory status of the network location indicates the benign status or the malicious status, providing a notification of the prefatory status in response to the prefatory status being determined. If the prefatory status of the network location indicates a suspicious status, obtaining a document object model of the network location. Obtaining a screenshot of an entire page of content at the network location. Generating a null hypothesis based on the document object model, the null hypothesis including a potential brand list, the potential brand list including one or more potential brands. Obtaining a set of reference images for each of the one or more potential brands of the potential brand list.
    Type: Grant
    Filed: June 25, 2021
    Date of Patent: July 16, 2024
    Assignee: Zoho Corporation Private Limited
    Inventors: Gouttham Nambirajan, Sita Lakshmi Sangameswaran, Ramprakash Ramamoorthy, Shailesh Kumar Davey
  • Patent number: 12041089
    Abstract: Systems and methods include, responsive to a scan by the CASB system of a plurality of users associated with a tenant in a Software-as-a-Service (SaaS) application where the scan includes identifying malware in content in the SaaS application and performing Data Loss Prevention (DLP) in the content in the SaaS application, maintaining records associated with a plurality of incidents for the malware and the DLP; providing a User Interface (UI) for the tenant including an analytics view with a plurality of summary tiles including visualizations of the plurality of incidents for the malware and the DLP for the tenant; and providing the UI for the tenant including a table listing any of the plurality of incidents for the malware and the DLP for the tenant, including any of unique data objects, unique users internal to the tenant, and unique external entities, associated with the plurality of incidents.
    Type: Grant
    Filed: November 17, 2020
    Date of Patent: July 16, 2024
    Assignee: Zscaler, Inc.
    Inventors: Pooja Deshmukh, Iris Gao, Jasbir S. Kaushal, Sarthak Saxena
  • Patent number: 12032655
    Abstract: Provided are asynchronous data ingestion and enrichment systems and methods. The systems comprise a plurality of components (e.g., ingestion components, enrichment components, and/or publishing components). Instead of passing data from one component to another, the data is sent to a messaging queue that formats and holds the data until the subsequent component is ready to receive it. Additionally, each component comprises a central microservice and a plurality of instances, the central microservice configured to communicate with each instance of the plurality of instances.
    Type: Grant
    Filed: August 27, 2020
    Date of Patent: July 9, 2024
    Assignee: NOBLIS, INC.
    Inventors: Nathan Dellinger, David Peters
  • Patent number: 12021833
    Abstract: A network interface has an input port, which is designed to accept messages from a first device or first network, and an output port, which is designed to forward the messages to a second device or second network. A memory is provided for a timetable. The network interface is designed to forward messages arriving at the input port during open times defined by the timetable to the output port and to discard messages arriving at the input port during closed times defined by the timetable. A configuration unit is designed to accept and store in the memory a timetable defined by a monitoring unit as a shared secret for the network interface and at least one sender of messages, and/or to negotiate a timetable with at least one sender of messages as a shared secret.
    Type: Grant
    Filed: August 16, 2019
    Date of Patent: June 25, 2024
    Assignee: Continental Automotive GmbH
    Inventor: Helge Zinner
  • Patent number: 12015745
    Abstract: An image processing apparatus includes: a first hardware processor that sets cooperative processing including first processing and second processing that cooperate with each other in a server that provides a service that determines the cooperative processing; a second hardware processor that receives a command to execute the first processing; a third hardware processor that generates alternative processing in place of the first processing in a case where it is detected that the command cannot be received after the cooperative processing has been set; and a fourth hardware processor that executes the alternative processing.
    Type: Grant
    Filed: October 21, 2022
    Date of Patent: June 18, 2024
    Assignee: KONICA MINOLTA, INC.
    Inventor: Megumi Miura
  • Patent number: 12010020
    Abstract: A system for storing data includes a controller, an Ethernet switch and a storage device. The controller is configured to receive data routing instructions, and manage forwarding rules of a switch forwarding table to implement the data routing instructions. The Ethernet switch is configured to receive data, access the switch forwarding table, and route the data to the storage device using the switch forwarding table.
    Type: Grant
    Filed: August 31, 2020
    Date of Patent: June 11, 2024
    Assignee: KIOXIA CORPORATION
    Inventor: Yaron Klein
  • Patent number: 12010098
    Abstract: A segmentation firewall executing on a host enforces a segmentation policy. In a co-existence mode, the segmentation firewall operates in co-existence with a system firewall that enforces a security policy. The segmentation firewall is configured to either drop packets that do not match any permissive rule or pass packets that match a permissive rule to the system firewall to enable the system firewall to determine whether to drop or accept the passed packets. To enable efficient operation of the segmentation firewall when operating in co-existence with the system firewall, the segmentation firewall may include a plurality of rule chains and may be configured to exit a chain and bypass remaining rule chains upon an input packet matching a permissive rule of the segmentation policy.
    Type: Grant
    Filed: July 6, 2023
    Date of Patent: June 11, 2024
    Assignee: ILLUMIO, INC.
    Inventors: Daniel Richard Cook, Anish Vinodkumar Desai, Thomas Michael McCormick
  • Patent number: 12010096
    Abstract: Disclosed are systems and methods for firewall configuration. A request can be transmitted to a DNS server. A response to the DNS request can include an Internet Protocol (IP) address. A firewall rule can be generated permitting access to the IP address. The firewall rule can be configured to be valid until expiration of a time-to-live value in the response to the DNS request. Thus, firewall rules can be automatically created as needed by executed processes, eliminating the need for manual firewall rule creation. As the firewall rule is invalid after the expiration of the time-to-live value, risks associated with maintaining out-of-date firewall rules are eliminated, as is the requirement to manually remove or modify out-of-date firewall rules.
    Type: Grant
    Filed: April 6, 2023
    Date of Patent: June 11, 2024
    Assignee: Comcast Cable Communications, LLC
    Inventor: Alexander Gurney
  • Patent number: 12003485
    Abstract: Techniques for outbound/inbound lateral traffic punting based upon process risk are disclosed. In some embodiments, a system/process/computer program product for outbound/inbound lateral traffic punting based upon process risk includes receiving, at a network device on an enterprise network, process identification (ID) information from an endpoint (EP) agent executed on an EP device, in which the process ID information identifies a process that is associated with an outbound or inbound network session on the EP device on the enterprise network, and the EP agent selected the network session for punting to the network device for inspection; monitoring network communications associated with the network session at the network device to identify an application identification (APP ID) for the network session; and performing an action based on a security policy using the process ID information and the APP ID.
    Type: Grant
    Filed: February 23, 2023
    Date of Patent: June 4, 2024
    Assignee: Palo Alto Networks, Inc.
    Inventors: Ho Yu Lam, Robert Earle Ashley, Paul Theodore Mathison, Qiuming Li, Taylor Ettema