Packet Filtering Patents (Class 726/13)
- Patent number: 12126650
  Abstract: Apparatus, systems, and methods for the detection and remediation of malicious network traffic. Network traffic is received from a network-based device and analyzed to identify the network-based device as an infected network-based device. In response to identifying the network-based device as an infected network-based device, a response message is sent to the infected network-based device, the response message triggering a tarpitting effect on the network-based device.
  Type: Grant
  Filed: December 3, 2019
  Date of Patent: October 22, 2024
  Assignee: CHARTER COMMUNICATIONS OPERATING, LLC
  Inventor: Richard A. Compton
- Patent number: 12120143
  Abstract: Aspects of the disclosure relate to monitoring virtual desktops accessed by devices at remote locations using machine-learning models to mitigate potential cyber-attacks. In some embodiments, a computing platform may monitor data associated with a series of activities from a virtual desktop accessed by a remote computing device. Subsequently, the computing platform may detect new activity data on the virtual desktop accessed by the remote computing device, and evaluate the new activity data relative to the data associated with the series of activities, wherein evaluating includes applying a machine learning model to the new activity data. Based on evaluating the new activity data, the computing platform may determine if the new activity data is indicative of a potential cyber-attack. In response to determining that the new activity data is indicative of a potential cyber-attack, the computing platform may initiate one or more security response actions.
  Type: Grant
  Filed: May 16, 2023
  Date of Patent: October 15, 2024
  Assignee: Bank of America Corporation
  Inventor: Patrick Lewis
- Patent number: 12120515
  Abstract: This disclosure provides systems, methods, and apparatuses for wireless sensing. In some aspects, a first wireless communication device may receive a first wireless transmission including a transmit (TX) parameter information element (IE). The first wireless communication device may verify the integrity of the TX parameter IE using a message integrity code (MIC) in the first wireless transmission, discarding the first wireless transmission when the MIC does not verify the integrity of the TX parameter IE. The first wireless device may obtain one or more transmission parameters for one or more second wireless communication devices associated with the TX parameter IE. The first wireless communication device may receive a second wireless transmission from one of the second wireless communication devices and obtain one or more wireless sensing measurements associated with the second wireless transmission and the one or more transmission parameters.
  Type: Grant
  Filed: March 24, 2021
  Date of Patent: October 15, 2024
  Assignee: QUALCOMM Incorporated
  Inventors: Solomon Trainin, Alecsander Eitan, Assaf Kasher
- Patent number: 12115105
  Abstract: Intraocular pressure in an eye is reduced by delivering a high resolution optical coherence tomography (OCT) beam and a high resolution laser beam through the cornea, and the anterior chamber into the irido-corneal angle along an angled beam path. The OCT beam provides OCT imaging for surgery planning and monitoring, while the laser beam is configured to modify tissue or affect ocular fluid by photo-disruptive interaction. In one implementation, a volume of ocular tissue within an outflow pathway in the irido-corneal angle is modified to create a channel opening in one or more layers of the trabecular meshwork. In another implementation, a volume of fluid in the Schlemm's canal is affected by the laser to bring about a pneumatic expansion of the canal. In either implementation, resistance to aqueous flow through the eye is reduced.
  Type: Grant
  Filed: January 10, 2023
  Date of Patent: October 15, 2024
  Assignee: ViaLase, Inc.
  Inventor: Ferenc Raksi
- Patent number: 12107761
  Abstract: A computing device may receive a first packet addressed to a destination node. The device may check a packet counter to determine if the counter exceeds a threshold, the counter recording a number of packets addressed to the destination node that have been received during a first time period. The device may, in response to the packet counter exceeding the threshold: send, by the computing device, a query to an intermediate node; generate, by the device, a query flag in response to sending the query. The query flag can indicate that a query has been sent to the intermediate node. A reply from the intermediate node can be received by the device. The reply can identify a set of processes that the intermediate node is configured to perform on the first packet. The set of processes can be applied by the device to the first packet.
  Type: Grant
  Filed: February 17, 2023
  Date of Patent: October 1, 2024
  Assignee: Oracle International Corporation
  Inventor: Dale Raymond Worley
- Patent number: 12093902
  Abstract: This disclosure describes systems, methods, and devices related to network outage management. A method may include receiving, by a cloud-based system, a first indication of a first cable system outage; instantiating, by the cloud-based system, a first computing instance associated with generating event data indicative of the first cable system outage; instantiating, by the cloud-based system, a second computing instance associated with a machine learning model; generating, by the cloud-based system, using the event data as inputs to the machine learning model, a score indicative of a probability that the first cable system outage is repairable by a technician; and refraining from sending, by the cloud-based system, based on a comparison of the score to a score threshold, the event data to a first system associated with repairing the first cable system outage.
  Type: Grant
  Filed: July 29, 2021
  Date of Patent: September 17, 2024
  Assignee: Cox Communications, Inc.
  Inventors: Amrit Shaswat, Brian Stublin, Sarah Lau, Brad Demerich
- Patent number: 12074875
  Abstract: Systems and methods include reception of a request for access to a target domain, the request including a source Internet Protocol (IP) address, determination of whether the source IP address is one of a plurality of IP addresses indicated within stored first data, determination, if it is determined that the source IP address is one of the plurality of stored IP addresses, of whether the target domain is one of a plurality of domains indicated within stored second data, and forwarding, if it is determined that the source IP address is one of the plurality of stored IP addresses and the target domain is one of a plurality of domains indicated within stored second data, of the request to the target domain.
  Type: Grant
  Filed: January 31, 2022
  Date of Patent: August 27, 2024
  Assignee: SAP SE
  Inventor: Stoyan Zhivkov Boshev
- Patent number: 12069102
  Abstract: Some network architectures include perimeter or edge devices which perform network address translation or otherwise modify data in a network traffic packet header, such as the source address. The modification of the source address prevents downstream devices from knowing the true or original source address from which the traffic originated. To address this issue, perimeter devices can insert the original source address in an X-Forwarded-For field of the packet header. Firewalls and related security services can be programmed to record the original source address in the XFF field in addition to the other packet information and to consider the original source address during security analysis. Using the original source address in the XFF field, services can determine additional characteristics about the traffic, such as geographic origin or associated user accounts, and use these characteristics to identify applicable rules or policies.
  Type: Grant
  Filed: January 3, 2022
  Date of Patent: August 20, 2024
  Assignee: Palo Alto Networks, Inc.
  Inventors: Thomas Arthur Warburton, Ashwath Sreenivasa Murthy, Jeffrey James Fitz-Gerald, Jr.
- Patent number: 12061693
  Abstract: Disclosed are systems and associated methods for protecting systems against software intended to damage or disable computers and computer systems, commonly called “malware”, especially encrypting malware. Both agent-based and agentless implementations allow the identification of malware and the protection of local and cloud-based data by observing changes to filesystem structure and the information content of files, with no need to scan memory or interfere with the processing of individual processes. The data permeability of the protected system can be dynamically changed, allowing user-directed changes to be committed to storage and backed up, while adverse or potentially adverse changes are quarantined.
  Type: Grant
  Filed: April 23, 2020
  Date of Patent: August 13, 2024
  Assignee: Jungle Disk, L.L.C.
  Inventor: Bret Piatt
- Patent number: 12058776
  Abstract: The disclosure provides a method performed by a wireless device for providing capability information. The method comprises: receiving a first message from a base station, the first message comprising an indication of a capability filter; utilizing the capability filter to generate a filtered set of capabilities of the wireless device; applying a hash function to the filtered set of capabilities to generate a hash value; and transmitting a second message to the base station, the second message comprising the hash value.
  Type: Grant
  Filed: February 13, 2020
  Date of Patent: August 6, 2024
  Assignee: Telefonaktiebolaget LM Ericsson (publ)
  Inventors: Christofer Lindheimer, Mikael Wass, Ylva Timner, Alessio Terzani, Malik Wahaj Arshad, Paul Schliwa-Bertling, Henning Wiemann, Mattias Bergström
- Patent number: 12058138
  Abstract: A method includes creating a secured connection between a home network and a remote corporate network via a smart home gateway; detecting that a plurality of devices are connected with the smart home gateway, wherein the plurality of devices are within the home network; determining that a first device of the plurality of devices is indicated as an authorized corporate device; determining that the first device has software updated to a threshold version of software; and based on the indication that the first device is an authorized corporate device or the first device has software updated to the threshold version of software, automatically connecting the first device to the remote corporate network.
  Type: Grant
  Filed: August 31, 2021
  Date of Patent: August 6, 2024
  Assignee: AT&T Intellectual Property I, L.P.
  Inventor: Stephen Griesmer
- Patent number: 12058177
  Abstract: A system and method for cybersecurity risk analysis and anomaly detection using active and passive external reconnaissance, that identifies critical network entities within a cyber-physical graph, identifies anomalous events within the network, determines the risk of identified anomalies based on the value of the entities involved, and determines an effectiveness score for the network based on the identified risks.
  Type: Grant
  Filed: April 1, 2021
  Date of Patent: August 6, 2024
  Assignee: QOMPLX LLC
  Inventors: Jason Crabtree, Andrew Sellers, Richard Kelley
- Patent number: 12052277
  Abstract: The innovation disclosed and claimed herein, in one aspect thereof, comprises systems and methods of autonomous asset configuration modeling and management. The innovation includes probing elements of a networked architecture to compile information about elements in the networked architecture. The innovation learns a configuration for the at least one element in the environment based on the probing and determines vulnerabilities in the learned configuration. The innovation develops a threat model based on the learned configuration. The innovation applies the threat model to the elements of the networked architecture and deploys a configuration that resolves the vulnerabilities based on the threat model to the elements in the networked architecture. The threat model can be developed over time using machine learning concepts and deep learning of data sources associated with the elements and vulnerabilities.
  Type: Grant
  Filed: October 25, 2022
  Date of Patent: July 30, 2024
  Assignee: Wells Fargo Bank, N.A.
  Inventors: Lawrence T. Belton, Jr., Jon M. Welborn, Gary Simms, Sr., Peter Anatole Makohon, Jacob Lee
- Patent number: 12052231
  Abstract: A logic circuit for managing reception of secure data packets in an industrial controller snoops data being transferred by a Media Access Controller (MAC) between a network port and a shared memory location within the industrial controller. The logic circuit is configured to perform authentication and/or decryption on the data packet as the data packet is being transferred between the port and the shared memory location. The logic circuit performs authentication as the data is being transferred and completes authentication shortly after the MAC has completed transferring the data to the shared memory. The logic circuit coordinates operation with the MAC and signals a Software Packet Processing (SPP) module when authentication is complete. The logic circuit is further configured to decrypt the data packet, if necessary, and to similarly coordinate operation with the MAC and delay signaling the SPP module that data is ready until decryption is complete.
  Type: Grant
  Filed: March 6, 2023
  Date of Patent: July 30, 2024
  Assignee: Rockwell Automation Technologies, Inc.
  Inventor: Kenneth William Batcher
- Patent number: 12028318
  Abstract: A method of monitoring and controlling network traffic within an industrial control system including receiving one or more data packets at a smart network switching system operating software-defined networking, analyzing the one or more data packets at a protocol level within a control plane of the software-defined networking, based on the analysis, determining whether the one or more data packets are authorized data packets, and forwarding a data packet of the one or more data packets to a destination device within a data plane of the software-defined networking upon determining that the data packet is an authorized data packet. The method further includes providing information related to the analysis of the one or more data packets to an out-of-band monitoring and control system for display to a user, and receiving a response communication from the out-of-band monitoring and control system indicating whether the one or more data packets are authorized data packets.
  Type: Grant
  Filed: June 12, 2019
  Date of Patent: July 2, 2024
  Assignee: Battelle Energy Alliance, LLC
  Inventors: Briam Johnson, Michael V. McCarty, Rishi R. Chatterjee, Kristopher Watts
- Patent number: 12028445
  Abstract: Disclosed in some examples are methods, systems, and machine readable mediums for secure, low end-user effort computing device configuration. In some examples the IoT device is configured via a user's computing device over a short range wireless link of a first type. This short range wireless communication may use a connection establishment that does not require end-user input. For example, the end user will not have to enter, or confirm a PIN number or other authentication information such as usernames and/or passwords. This allows configuration to involve less user input. In some examples, to prevent man-in-the-middle attacks, the power of a transmitter in the IoT device that transmits the short range wireless link is reduced during a configuration procedure so that the range of the transmissions to and from the user's computing device are reduced to a short distance.
  Type: Grant
  Filed: June 3, 2022
  Date of Patent: July 2, 2024
  Assignee: Intel Corporation
  Inventors: Mats Agerstam, Venkata R. Vallabhu
- Patent number: 12021836
  Abstract: Systems and methods for implementing filters within computer networks include obtaining blocklist data that includes blocklist entries for a network. Each of the blocklist entries includes one or more network traffic attributes for identifying traffic to be blocked. In response to receiving the blocklist data, a filter based on a common network traffic attribute shared between at least two of the plurality of blocklist entries is generated. The filter is then deployed to a network device within the network such that the filter may be implemented at the network device to block corresponding traffic.
  Type: Grant
  Filed: June 1, 2023
  Date of Patent: June 25, 2024
  Assignee: Level 3 Communications, LLC
  Inventor: Michael Benjamin
- Patent number: 12021835
  Abstract: A packet gateway may protect TCP/IP networks by enforcing security policies on in-transit packets that are crossing network boundaries. The policies may include packet filtering rules derived from cyber threat intelligence (CTI). The rapid growth in the volume of CTI and in the size of associated CTI-derived policies, coupled with ever-increasing network link speeds and network traffic volume, may cause the costs of sufficient computational resources to be prohibitive. To efficiently process packets, a packet gateway may be provided with at least one probabilistic data structure, such as a Bloom filter, for testing packets to determine if packet data may match a packet filtering rule. Packet filtering rules may be grouped into subsets of rules, and a data structure may be provided for determining a matching subset of rules associated with a particular packet.
  Type: Grant
  Filed: April 7, 2021
  Date of Patent: June 25, 2024
  Assignee: Centripetal Networks, LLC
  Inventors: Sean Moore, Jonathan R. Rogers, Steven Rogers
- Patent number: 12010135
  Abstract: A packet-filtering system configured to filter packets in accordance with packet-filtering rules may receive data indicating network-threat indicators and may configure the packet-filtering rules to cause the packet-filtering system to identify packets comprising unencrypted data, and packets comprising encrypted data. A portion of the unencrypted data may correspond to one or more of the network-threat indicators, and the packet-filtering rules may be configured to cause the packet-filtering system to determine, based on the portion of the unencrypted data, that the packets comprising encrypted data correspond to the one or more network-threat indicators.
  Type: Grant
  Filed: September 19, 2023
  Date of Patent: June 11, 2024
  Assignee: Centripetal Networks, LLC
  Inventors: David K. Ahn, Sean Moore, Douglas M. Disabello
- Patent number: 12010152
  Abstract: A method for automatically adjusting one or more device security settings includes receiving a plurality of information feeds received over a communications network from a plurality of information sources. The method further includes accessing a particular information feed from the plurality of information feeds and accessing a predefined trigger associated with the particular information feed. The method further includes determining, by comparing the particular information feed with the predefined trigger, whether a security event is predicted to occur. When the security event is predicted to occur, the method generates an alert for display on a user device and sends, over the communications network, one or more instructions to adjust the one or more device security settings.
  Type: Grant
  Filed: December 8, 2021
  Date of Patent: June 11, 2024
  Assignee: Bank of America Corporation
  Inventors: Daniel John Nunn, Sheenagh Alice Meghen
- Patent number: 12001260
  Abstract: A speech-processing system may provide access to one or more virtual assistants via a voice-controlled device. The system may be activated by detecting a wakeword in speech received by a microphone of the device. The system may process the speech and provide a response in the form of synthetic speech. When a speaker of the device emits the synthetic speech, the microphone may detect some or all of the speech. If the synthetic speech includes a wakeword or words or phrases similar to the wakeword, a wakeword detection component of the device may detect the wakeword and activate an assistant, resulting in a self-wake or cross-wake. Self- or cross-wake may interrupt an action or response currently in progress, which may frustrate the user and result in a poor user experience. This disclosure thus proposes systems and methods for preventing cross-wake and self-wake in a voice-controlled device.
  Type: Grant
  Filed: December 11, 2020
  Date of Patent: June 4, 2024
  Assignee: Amazon Technologies, Inc.
  Inventors: Ravi Chemudugunta, John Ryan Sherritt, David Henry
- Patent number: 11983125
  Abstract: Described are techniques including a computer-implemented method that comprises defining a respective priority classification for each of a plurality of sockets used for communicating between an initiator computational system and a target computational system. The method further comprises automatically assigning a respective priority classification to each of a plurality of Input/Output (IO) requests based on a type of data associated with each IO request. The method further comprises sending the plurality of IO requests to respective sockets of the plurality of sockets with a matching priority classification.
  Type: Grant
  Filed: July 29, 2021
  Date of Patent: May 14, 2024
  Assignee: International Business Machines Corporation
  Inventors: Bharti Soni, Komal Shailendra Shah, Tej Parkash, Subhojit Roy
- Patent number: 11979381
  Abstract: A method including configuring a VPN server to determine, based on requesting data of interest from a host device, that the host device has declined to provide the data of interest; configuring the VPN server to verify, based on determining that the host device has declined to provide the data of interest, an identity of a secondary server with which the VPN server is authorized to establish a secure connection; configuring the VPN server to establish, based on verifying the identity of the secondary server, a secure connection with the secondary server to enable communication of encrypted information; and configuring the VPN server to transmit, to the secondary server, an encrypted message identifying the host device and the data of interest to be retrieved from the host device to enable the secondary server to request the data of interest from the host device is disclosed. Various other aspects are contemplated.
  Type: Grant
  Filed: October 5, 2022
  Date of Patent: May 7, 2024
  Assignee: UAB 360 IT
  Inventors: Karolis Pabijanskas, Darius Simanel
- Patent number: 11979377
  Abstract: A system for managing connection from a smartphone 1 provided to a child to specific connection destinations via the Internet, comprising: a filter server 9 for restricting packet transmission to the Internet based on a destination of the packet and a source IP of the smartphone 1; a VPN server 6 for establishing a tunnel connection 27 between the VPN server 6 and the smartphone 1, wherein the tunnel connection 27 passes all communication traffic from the smartphone 1, and also transmitting to the filter server the packet which passed through the tunnel connection 27; and an API server 8 connected to the VPN server 6 for confirming existence of the tunnel connection 27 at predetermined timing and, when lack of the existence is determined, blocking the Internet connection itself of the information communication device.
  Type: Grant
  Filed: December 10, 2019
  Date of Patent: May 7, 2024
  Assignee: Freebit Co., Ltd.
  Inventors: Hiroshi Oizumi, Akihiro Takehi, Yutaka Ishizaki, Atsuki Ishida
- Patent number: 11979275
  Abstract: Systems and methods for admitting new nodes into an existing network, for example a MoCA network. As a non-limiting example, various aspects of the present disclosure provide systems and methods for adding a new node to an existing network without requiring on-site manual configuration, for example utilizing communication between the new node and a network coordinator of the existing network prior to admission of the new node to the existing network.
  Type: Grant
  Filed: August 3, 2021
  Date of Patent: May 7, 2024
  Inventors: Yoav Hebron, Na Chen, Ronald Lee
- Patent number: 11968285
  Abstract: A network device includes one or more ports, and action-select circuitry. The ports are to exchange packets over a network. The action-select circuitry is to determine, for a given packet, a first search key based on a first header field of the given packet, and a second search key based on a second header field of the given packet, to compare the first search key to a first group of compare values, to output a multi-element vector responsively to a match between the first search key and a first compare value, to generate a composite search key by concatenating the second search key and the multi-element vector, to compare the composite search key to a second group of compare values, and, responsively to a match between the composite search key and a second compare value, to output an action indicator for applying to the given packet.
  Type: Grant
  Filed: February 24, 2022
  Date of Patent: April 23, 2024
  Assignee: MELLANOX TECHNOLOGIES, LTD.
  Inventors: Gil Levy, Aviv Kfir
- Patent number: 11962653
  Abstract: A device monitoring method includes: receiving a message transmitted from a first device to a second device and addressed to the second device; determining whether the message contains a device control command for controlling the second device; if the message contains the device control command, further determining whether to transmit the message to the second device based on a predetermined condition; and when the message is determined to be transmitted to the second device, transmitting the message to the second device. The predetermined condition includes a first condition that the first device is registered as a device having a predetermined function in a device list containing information about whether each of the devices is a device having the predetermined function. The message is determined to be transmitted to the second device when the predetermined condition is satisfied.
  Type: Grant
  Filed: October 27, 2021
  Date of Patent: April 16, 2024
  Assignee: PANASONIC INTELLECTUAL PROPERTY CORPORATION OF AMERICA
  Inventors: Manabu Maeda, Tomoyuki Haga, Yuji Unagami
- Patent number: 11954227
  Abstract: Mechanisms for generating documents with confidential information are provided, the systems comprising: a memory; and a first collection of at least one hardware processor coupled to the memory and configured to: receive from a user device a request for a first document with confidential information; generate a second document, that corresponds to the first document, with at least one token corresponding to the confidential information; transmit the second document to a second collection of at least one hardware processor in a computer network that is entitled to access the confidential information; receive from the second collection of at least one hardware processor in the computer network a uniform resource locator (URL) corresponding to the first document; and transmit the URL to the user device. In some of these mechanisms, the user device is in the computer network.
  Type: Grant
  Filed: January 3, 2022
  Date of Patent: April 9, 2024
  Assignee: Institutional Capital Network, Inc.
  Inventors: Michael November, Thomas M. Fortin
- Patent number: 11949604
  Abstract: A system, method, and computer program product for implementing network state processing is provided. The method includes detecting operational states for ports of a server Internet protocol (IP) data plane component of an integrated switching device. Each operational state is analyzed and matching and action rules associated with the operational states are generated with respect to data packets arriving at the ports. Data describing each operational state is stored within a port cache structure of a port. An incoming data packet is detected at a first port and the matching and action rules are distributed between port engines of the ports. The matching and action rules are executed with respect to the incoming data packet and the incoming data packet is transmitted to a destination port. Operational functionality of the integrated switching device is enabled with respect to execution of the incoming data packet at the destination port.
  Type: Grant
  Filed: October 6, 2021
  Date of Patent: April 2, 2024
  Assignee: International Business Machines Corporation
  Inventors: Renato J. Recio, Eran Gampel, Claude Basso, Gal Sagi, Guy Laden
- Patent number: 11949658
  Abstract: A cloud-based traffic classification engine maintains a catalog of application-based traffic classes which have been developed based on known applications, and a local traffic classification engine maintains a subset of these classes. Network traffic intercepted by the firewall which cannot be classified by the local engine is forwarded to the cloud-based engine for classification. Upon determination of a class of the traffic, the cloud-based engine forwards the determined class and corresponding signature to the local engine. The firewall maintains a cache which is updated with the signatures corresponding to the class communicated by the cloud-based engine. Subsequent network traffic sent from the application can be determined to correspond to the application and classified accordingly, locally at the firewall, based on the cached signatures. Localization of the cache to the firewall reduces latency of traffic classification operations as the catalog of classification information stored in the cloud scales.
  Type: Grant
  Filed: February 27, 2023
  Date of Patent: April 2, 2024
  Assignee: Palo Alto Networks, Inc.
  Inventors: Mengying Jiang, Shengming Xu, Menglan Fang, Ho Yu Lam
- Patent number: 11943618
  Abstract: Described herein are techniques for preventing a user from continuing to access an online service once access rights have been revoked. In some embodiments, the techniques comprise receiving a request to determine a current status of access rights in association with a user and an online service, determining, based on one or more conditions associated with the online service, the current status of access rights, upon determining that the current status of access rights indicates that the user is not authorized to access the online service, identifying at least one user device associated with the user, generating programmatic instructions to cause a session token associated with the online service to be removed from a memory of the at least one user device, and providing the programmatic instructions to the at least one user device.
  Type: Grant
  Filed: December 29, 2020
  Date of Patent: March 26, 2024
  Assignee: T-Mobile USA, Inc.
  Inventor: Kanakrai Chauhan
- Patent number: 11929987
  Abstract: Techniques are disclosed for a network device to preserve packet flow information across bump-in-the-wire (BITW) firewalls. For example, a method comprises receiving, by a network device, a packet. The method also comprises determining, by the network device, that the packet matches a packet flow that is associated with an action to redirect the packet to a firewall configured as a bump-in-the-wire. The method further comprises, in response to the determination: modifying, by the network device, a Media Access Control (MAC) address field of a layer 2 (L2) packet header with a flow identifier of the packet flow; sending, by the network device, the packet to the firewall; receiving, by the network device, the packet from the firewall; and recovering, by the network device, the packet flow by modifying the packet according to the flow identifier in the packet to restore the L2 packet header of the packet.
  Type: Grant
  Filed: February 25, 2020
  Date of Patent: March 12, 2024
  Assignee: Juniper Networks, Inc.
  Inventors: Pranavadatta D N, Aniket G. Daptari, Carlo Contavalli, Prasad Miriyala, Kiran K N, Prasannaa Vengatesan T S, Venkatesh Velpula
- Patent number: 11929895
  Abstract: A communication log aggregation device includes: a communicator that obtains flow information including one or more flow records and first statistical information for each flow from each of collection devices, the one or more flow records each including flow identification information included in a message received by at least one observer that is disposed in a control network system, the flow being classified based on the flow identification information, the collection devices each collecting the one or more flow records and the first statistical information for each flow from the message received by the observer; and a flow aggregator that generates aggregated flow information by performing at least one of the following: (i) selecting at least one of the one or more flow records, (ii) adding second statistical information, and (iii) deleting at least one of the one or more flow records, and outputs the aggregated flow information.
  Type: Grant
  Filed: June 30, 2022
  Date of Patent: March 12, 2024
  Assignee: PANASONIC INTELLECTUAL PROPERTY CORPORATION OF AMERICA
  Inventors: Takeshi Kishikawa, Ryo Hirano, Yoshihiro Ujiie
-
Patent number: 11930029
Abstract: A packet-filtering system configured to filter packets in accordance with packet-filtering rules may receive data indicating network-threat indicators and may configure the packet-filtering rules to cause the packet-filtering system to identify packets comprising unencrypted data, and packets comprising encrypted data. A portion of the unencrypted data may correspond to one or more of the network-threat indicators, and the packet-filtering rules may be configured to cause the packet-filtering system to determine, based on the portion of the unencrypted data, that the packets comprising encrypted data correspond to the one or more network-threat indicators.
Type: Grant
Filed: September 19, 2023
Date of Patent: March 12, 2024
Assignee: Centripetal Networks, LLC
Inventors: David K. Ahn, Sean Moore, Douglas M. Disabello
-
Patent number: 11916879
Abstract: Some embodiments of the invention provide a novel method for performing firewall operations on a computer. The method of some embodiments instantiates first and second firewall processes on the computer. These two processes are two separate processes, which in some embodiments have separate memory allocations in the memory system of the computer. The method uses the first firewall process to examine a data message to determine whether an encryption-based firewall policy (e.g., a TLS-based firewall policy) has to be enforced on the data message. Based on a determination that the encryption-based firewall policy has to be enforced on the data message, the method provides metadata, which is produced by the first firewall process in its examination of the data message, to the second firewall process. The second firewall process then uses the provided metadata to perform an encryption-based firewall operation based on the encryption-based firewall policy.
Type: Grant
Filed: January 3, 2022
Date of Patent: February 27, 2024
Assignee: VMware LLC
Inventors: Manish Jain, Mani Kancherla
-
Patent number: 11909721
Abstract: A firewall configuration server includes a processor in communication with a memory device. The processor is configured to: receive, from an admin computer device, group-based firewall rules, wherein the group-based firewall rules identify a plurality of groups of virtual machines (VMs) executable on a VM server system and a respective set of firewall policies to be applied to the VMs in each group; receive, from a virtual machine (VM) server system, group membership data, the group membership data identifying the plurality of groups and a respective list of VMs associated with each group; parse the group membership data according to the group-based firewall rules to generate VM-specific firewall rules; and transmit the VM-specific firewall rules to a firewall, wherein each VM-specific firewall rule is configured for application by the firewall to communication requests identifying an IP address of one of the VMs.
Type: Grant
Filed: December 29, 2020
Date of Patent: February 20, 2024
Assignee: MASTERCARD INTERNATIONAL INCORPORATED
Inventor: Michael Keiser
-
Patent number: 11902153
Abstract: A node receives an internet protocol (IP) payload packet that includes an IPv6 transport header that has been extended with a compressed routing header (CRH). The CRH includes a list of segment identifiers (SIDs) that identify nodes that the IP payload packet is to traverse. The node determines, by referencing the list of SIDs, a next segment for the IP payload packet. The node updates a destination IP address that is included in the IPv6 transport header to a particular destination IP address of a next-hop node. The node updates a remaining segments value, included in the CRH, that identifies a number of segments left in a route of the IP payload packet. The node provides the IP payload packet to the next-hop node to allow the next-hop node to route the IP payload packet to another node in the network or to a destination device.
Type: Grant
Filed: December 16, 2021
Date of Patent: February 13, 2024
Assignee: Juniper Networks, Inc.
Inventor: Ronald Bonica
-
Patent number: 11902327
Abstract: Techniques are described herein that are capable of evaluating a result of enforcement of access control policies instead of enforcing the access control policies. For instance, a result of enforcement of an access control policy with regard to sign-in processes is evaluated instead of enforcing the access control policy with regard to the sign-in processes. The evaluation includes monitoring access requests that are received during the sign-in processes. Each access request requests access to a resource. The evaluation further includes comparing attributes of each access request against the access control policy that specifies criteria that are to be satisfied as a prerequisite to granting access to the resource to which access is requested by the respective access request. Metadata associated with the sign-in processes is generated instead of enforcing the access control policy with regard to the sign-in processes.
Type: Grant
Filed: January 6, 2020
Date of Patent: February 13, 2024
Assignee: Microsoft Technology Licensing, LLC
Inventors: Daniel Edward Lee Wood, Caleb Geoffrey Baker, Sarat Subramaniam, Etan Micah Basseri, Carlos Adrian Lopez Castro, Sandra Jiang, Dilesh Dhokia, Jessica Tian-Hueih Lin, Pui Yin Winfred Wong, Robyn Nicole Hicock
-
Patent number: 11900923
Abstract: Systems and processes for operating an intelligent automated assistant are provided. In one example process, a speech input is received from a user. In response to determining that the speech input corresponds to a user intent of obtaining information associated with a user experience of the user, one or more parameters referencing a user experience of the user are identified. Metadata associated with the referenced user experience is obtained from an experiential data structure. Based on the metadata, one or more media items associated with the referenced user experience are retrieved. The one or more media items associated with the referenced user experience are output together.
Type: Grant
Filed: September 7, 2021
Date of Patent: February 13, 2024
Assignee: Apple Inc.
Inventors: Marcos Regis Vescovi, Eric M. G. Circlaeys, Richard Warren, Jeffrey Traer Bernstein, Matthaeus Krenn
-
Patent number: 11902250
Abstract: The attack vectors for some denial-of-service cyber attacks on the Internet's Domain Name System (DNS) are bad, bogus, or unregistered domain name DNS requests to resolve domain names that are not registered in the DNS. Some other cyber attacks steal sensitive data by encoding the data in bogus domain names, or domain names otherwise not registered in the DNS, that are transferred across networks in bogus DNS requests. A DNS gatekeeper may filter in-transit packets containing DNS requests and may efficiently determine if a request's domain name is registered in the DNS. When the domain name is not registered in the DNS, the DNS gatekeeper may take one of a plurality of protective actions. The DNS gatekeeper drops requests determined not to be legitimate, which may prevent an attack.
Type: Grant
Filed: April 1, 2021
Date of Patent: February 13, 2024
Assignee: Centripetal Networks, LLC
Inventors: Sean Moore, Jonathan R. Rogers, Steven Rogers
-
Patent number: 11902320
Abstract: Systems and methods are provided to implement a moving target defense for a server computer. The server computer can be provided both a permanent IP address and a temporary IP address. The temporary IP address can be used when communicating with client computers connected to the server computer. The temporary IP address can be dynamically changed at a predetermined interval that can be varied based on conditions at the server computer. An intrusion detection system can be used with the moving target defense systems and methods to identify attacks on the server computer based on the temporary IP address(es) provided by the server computer. When an attack is identified, the corresponding client computer is determined based on the temporary IP address and the client computer is placed on a blacklist that is not provided with new temporary IP addresses when the server computer changes temporary IP address.
Type: Grant
Filed: June 10, 2021
Date of Patent: February 13, 2024
Assignee: Board of Trustees of the University of Alabama, for and on behalf of the University of Alabama in Huntsville
Inventor: Vahid Heydari
-
Patent number: 11888897
Abstract: A system includes one or more “BotMagnet” modules that are exposed to infection by malicious code. The BotMagnets may include one or more virtual machines hosting operating systems in which malicious code may be installed and executed without exposing sensitive data or other parts of a network. In particular, outbound traffic may be transmitted to a Sinkhole module that implements a service requested by the outbound traffic and transmits responses to the malicious code executing within the BotMagnet. Credentials for services implemented by a BotSink may be planted in an active directory (AD) server. The BotSink periodically uses the credentials thereby creating log entries indicating use thereof. When an attacker accesses the services using the credentials, the BotSink engages and monitors an attacker system and may generate an alert. Decoy services may be assigned to a domain and associated with names according to a naming convention of the domain.
Type: Grant
Filed: August 24, 2022
Date of Patent: January 30, 2024
Assignee: SentinelOne, Inc.
Inventors: Venu Vissamsetty, Nitin Jyoti, Pavan Patel, Prashanth Srinivas Mysore
-
Patent number: 11888867
Abstract: A method of monitoring a network is provided. The method includes receiving a packet of network traffic, determining a source IP address of the packet, consulting a database of source IP addresses, each source IP address having an associated probability of threat indicator (PTI) that indicates a probability of threat posed by the source IP address. The packet's source IP address' PTI is assigned to the packet as the packet's PTI, and one or more inspection checks are selected to be performed on the packet, wherein the selection of the inspection checks is a function of the packet's source IP address PTI. The method further includes performing the selected inspection checks, assigning treatment of the packet based on a result of the inspection checks performed, and adjusting the packet's source IP address' PTI or the packet's PTI based on the result of the one or more inspection checks performed.
Type: Grant
Filed: December 9, 2020
Date of Patent: January 30, 2024
Assignee: ARBOR NETWORKS, INC.
Inventor: Brian St. Pierre
-
Patent number: 11889319
Abstract: An access point (AP) device for controlling spectrum usage of a hierarchical communication system, in which a spectrum reserved for an Incumbent is usable by at least one user equipment (UE) for transmission when the spectrum is not required by the Incumbent, is disclosed. The AP device includes a processor configured to receive a message from the Incumbent requesting vacating of a spectrum; generate a group of users affected by the message from the Incumbent requesting vacating of the spectrum; and perform a spectrum management operation on the group of users.
Type: Grant
Filed: June 1, 2022
Date of Patent: January 30, 2024
Assignee: Intel Corporation
Inventors: Markus Dominik Mueck, Christian Drewes, Kostas Tsagkaris, Panagiotis Demestichas, Michalis Michaloliakos, Stavroula Vassaki
-
Patent number: 11888865
Abstract: Systems and methods of the disclosure can implement intrusion radiation protection (IRP) to prevent malicious IP traffic in a secure network. The IRP system can receive an IP packet, determine that a protocol of the IP packet matches a predetermined policy of a plurality of predetermined policies, classify the IP packet based on the predetermined policy and a size of the IP packet, inspect a payload of the IP packet responsive to the classification to determine features of the IP packet, determine that one of the features of the IP packet is improper based on the classification, and flag the IP packet as suspect based on the determination. The IRP system can log and/or drop the flagged IP packet. The IRP system can additionally replace a payload of the IP packet with a second payload, and transmit the IP packet with the second payload to its destination.
Type: Grant
Filed: November 25, 2019
Date of Patent: January 30, 2024
Assignee: Belden, Inc.
Inventors: Jeffrey Caldwell, Divij Agarwal, Ashish Mathur, Raja Chhabra, Gourav Rastogi
-
Patent number: 11888878
Abstract: Various example embodiments relate generally to providing security for a communication network based on detection and mitigation of an attack in the communication network. Various example embodiments supporting attack detection and mitigation may be configured to support detection and mitigation of an attack in a communication network based on distributed collection of network traffic information at network elements and analysis of aggregated network traffic information at a network controller for determining whether a traffic anomaly indicative of an attack on the communication network is detected. Various example embodiments supporting attack detection and mitigation may be configured to support detection and mitigation of an attack in a communication network based on use of traffic records for supporting the collection, aggregation, and analysis of network traffic information.
Type: Grant
Filed: February 23, 2018
Date of Patent: January 30, 2024
Assignee: NOKIA TECHNOLOGIES OY
Inventors: Xuyang Jing, Zheng Yan
-
Patent number: 11882131
Abstract: A URL velocity monitor is integrated with a message-hold decision maker of an electronic mail processing system that processes electronic messages for a protected computer network. The URL velocity monitor receives or obtains a URL, decomposes the URL into URL features based on logical boundaries, and determines features of interest from the URL features for velocity tracking. Examples of URL features can include a randomized URL segment. The velocity of each feature of interest is tracked over a period of time using a counting algorithm that employs a slow counter or a fast counter. The two different counters track two types of velocities which represent different domain behaviors targeting the protected computer network. The URL velocity monitor determines whether the velocity of a feature of interest is accelerating within the time period. If so, the URL is placed in a queue or a sandbox.
Type: Grant
Filed: March 26, 2021
Date of Patent: January 23, 2024
Assignee: Proofpoint, Inc.
Inventors: Gregory Lee Wittel, Edward Pavlov
-
Patent number: 11876782
Abstract: In various examples, a first network interface duplicates received network traffic and forwards a first set of network traffic data to a central processing unit (CPU) and a second set of identical network traffic to one or more parallel processing units (PPUs). In an embodiment, the one or more PPUs analyze the second set of network traffic to identify whether the second set of network traffic is malicious. First, the one or more PPUs filter and classify the second set of network traffic into flows, or logical groupings or subsets of the second set of network traffic. Second, the one or more PPUs sort the network packets within each flow and extract features of interest specific to each flow. Using the extracted features of interest, one or more deep learning techniques infer a status indicating whether each flow is malicious (mal) or good.
Type: Grant
Filed: February 8, 2021
Date of Patent: January 16, 2024
Assignee: NVIDIA Corporation
Inventors: Andrea Miele, Gaurav Dadwal
-
Patent number: 11861463
Abstract: Using a natural language analysis, a current message is classified into a current message class, the current message being a portion of an interaction in narrative text form. Using a trained message class prediction model, a probability of a previous message class having resulted in the current message class is determined. A previous message is extracted from the interaction using the probability, the previous message being a portion of the interaction occurring prior to the current message, the previous message being classified into the previous message class.
Type: Grant
Filed: September 6, 2019
Date of Patent: January 2, 2024
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Jonathan F. Brunn, Rachael Marie Huston Dickens, Rui Zhang
-
Patent number: 11856260
Abstract: A system to monitor image input of a computing device having a control circuit with a programmable processor, and configured to receive images and to output the images to an image output device coupled to the computing device. The computing device can be configured to monitor the received images via the processor of the computing device being programmed using a Machine Learning Image Classification (MLIC) algorithm configured to determine a score of at least one received image within a predetermined criteria for classifying said at least one received image as a restricted subject image. Based on the determination of the score, a modify or non-modify command is generated, and in response to said at least one received image being scored by said processor within the modify criteria, the processor is programmed to generate a command to output the modified image.
Type: Grant
Filed: March 30, 2017
Date of Patent: December 26, 2023
Assignee: COVENANT EYES, INC.
Inventors: Michael Holm, Matt Ribiero, Scott Hammersley, Ronald Dehaas