Activities within a network environment are monitored (e.g., using agents). At least a portion of the monitored activities are used to generate a logical graph model. The generated logical graph model is used to determine an anomaly. The detected anomaly is recorded and can be used to generate an alert.
G06F 16/9535 - Search customisation based on user profiles and personalisation
G06F 16/9537 - Spatial or temporal dependent retrieval, e.g. spatiotemporal queries
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
H04L 43/045 - Processing captured monitoring data, e.g. for logfile generation for graphical visualisation of monitoring data
Security policies over a 5G private network are integrated with security policies over other wireless channels, such as a Wi-Fi private network, on a common private network. Security policies are set up for 5G, Wi-Fi, and wireless network combinations. An authenticated private cellular device connected to the private cellular network is detected as collocated with a second device connected to the second type of network. Responsive to the indication, adjusting the second device security permissions of the private cellular device with respect to services and applications.
At a first stage, cells of a row of the index table are searched, using a portion of the unified hash value bits as index to identify the row of the index table. Also, a pointer to the content table is identified by comparing an index table tag of an entry of a cell with a calculated tag of the hash to identify a cell in the row. At a second stage, a cell is looked up in the content table, responsive to a match of calculated tag of the hash and index table tag of entry, comparing the current full key value and the full key value in the content table entry. The content table full key value is retrieved using a pointer from the cell of the index table to the content table from the cell entry.
A baseline multicast traffic is derived for an SSID from the network traffic statistics using unsupervised machine learning. Responsive to detecting a deterioration in the real-time network traffic statistics for the SSID in relation to the baseline throughput and the baseline multicast traffic, the multicast data rate can be adjusted to match the lowest unicast data rate for the SSID.
A new link request is received and the application making the request is identified. SD-WAN parameters are inferred from the protocol and network use behavior. A first parameter is a JLP loss requirement for the application, which can be a low JLP, medium JLP, or high JLP SLA level. A second parameter is a downstream/upstream bandwidth capability requirement. Links that meet the JLP requirement are determined from the pool of available links. One of the links is selected for the new link request, from the pool of available links that meet the JLP requirement, based on a downstream and an upstream bandwidth capability. The best link is automatically activated for the new link request.
H04L 41/0816 - Configuration setting characterised by the conditions triggering a change of settings the condition being an adaptation, e.g. in response to network events
H04L 12/66 - Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
H04L 41/40 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using virtualisation of network functions or resources, e.g. SDN or NFV entities
6. SYSTEMS AND METHODS FOR IDENTIFYING SECURITY REQUIREMENTS IN A ZTNA SYSTEM
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
Various embodiments provide systems and methods for performing edge processing using selectively suspended network security processing.
A plurality of fake vulnerabilities are exposed to network traffic alongside an active resource. None of the fake vulnerabilities can harm the active resource, and the deceptive proxy device and the legitimate device are reachable by a common IP address. Network traffic is monitored in real-time to detect an attack by a malicious device concerning at least one of the fake vulnerabilities exposed by the deceptive proxy resource. The malicious device is trusted by the enterprise network. Responsive to the attack detection, a security action is taken with respect to the malicious device.
A string sample is received from a file in real-time and the string sample is converted to a Tetra code and used to search a database of Tetra code samples, organized by family and then by variant. Responsive to the real-time Tetra code not matching any stored Tetra codes, (a) an internal structure of the Tetra code is generated to expose correlations of encrypted features of the file, without any access to the file, (b) machine learning is utilized to classify the internal structure of encrypted features against training data of encrypted features, and (c) a label is predicted based on the classification. The real-time Tetra code is stored in the database associated with the new family label and/or the new variant label. Any label for the file string sample is output for potential security actions.
Systems, devices, and methods are discussed for automatically determining a risk-based focus in determining zero trust network access policy on one or more network elements.
A private network is scanned to identify devices, and the identified devices are profiled for vulnerabilities. A score that characterizes severity is determined from a Common Vulnerability Scoring System (CVSS) database for each vulnerability individually. A score is also determined for the collection of vulnerabilities. Exponential tapering functions curb the influence of large numbers of low priority threats on the collection score. The collection threat score increases with the severity of the collection of vulnerabilities.
Example systems and methods monitor a cloud compute environment. An example method includes: determining, by an agent deployed in a cloud environment and based on a plurality of data packets transmitted over a plurality of network interfaces of the cloud environment, a set of data packets that are associated with a communication between a first container and a second container; determining, by the agent and based on the set of data packets, communication data associated with the communication; and providing, by the agent, the communication data to a data platform, wherein providing the communication data to the data platform uses less network resources than providing the set of data packets to the data platform.
G06F 16/9535 - Search customisation based on user profiles and personalisation
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
Leveraging generative artificial intelligence (‘AI’) for securing a monitored deployment, including: receiving natural language input associated with the monitored deployment, the monitored deployment monitored by a monitoring tool; and receiving, from a generative AI application, a response to the natural language input, wherein: the generative AI application accesses publicly available information as well as data sources associated with the monitoring tool; and the response is generated based at least in part on information contained in the data sources associated with the monitoring tool.
G06F 16/9535 - Search customisation based on user profiles and personalisation
G06F 16/9537 - Spatial or temporal dependent retrieval, e.g. spatiotemporal queries
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
Learning from other cloud deployments to combat security threats, including: identifying, for at least a portion of a first cloud deployment, one or more additional cloud deployments to utilize for cross-customer learning; receiving information describing a security threat to one or more of the additional cloud deployments; receiving information describing configuration settings used to combat the security threat; and identifying, based on the information describing configuration settings used to combat the security threat, one or more configurations to adopt for the first cloud deployment.
G06F 16/9535 - Search customisation based on user profiles and personalisation
G06F 16/9537 - Spatial or temporal dependent retrieval, e.g. spatiotemporal queries
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
Systems, methods, and apparatuses enable one or more security microservices to resolve the disparate impact of security exploits to resources within a resource group. When a resource group is determined to be impacted by a security exploit, the one or more security microservices determines whether the members of the resource group are disparately impacted. In response, the one or more security microservices splits the resource group into an impacted resource group and a non-impacted resource group and applies exploit mitigation to the resource group members in the impacted resource group. When the one or more security microservices determine that the resource group members of the split resource group are no longer disparately impacted, the one or more security microservices combine the impacted resource group and the non-impacted resource group back into a single resource group.
A web request to the web browser is intercepted by the web browser extension to determine whether information is synchronously available to evaluate the web request. Responsive to not having information for synchronous evaluation, the web request is redirected to display a gateway page while asynchronously obtaining information from an external information provider server; the request is tracked with a request identifier and the asynchronously gathered information is stored for synchronous access along with the request identifier. Responsive to an automated notification from the web browser extension, the web request is reissued to the web browser by the gateway page to replace the gateway page with response content from the web request. The reissued web request is again intercepted by the web browser extension to synchronously evaluate the gathered information. The reissued web request is then based on the fetched.
Various approaches for providing scalable network access processing are discussed. In some cases, the approaches discussed relate to systems and methods for providing scalable zero trust network access control.
An adaptive TTL model is generated from connection events, based on varying flight delay times for connecting the device manager to a plurality of managed devices. During a connection event for any of the plurality of managed devices, a TTL value is automatically chosen for the connection event from the adaptive TTL model.
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
H04L 45/00 - Routing or path finding of packets in data switching networks
29. LOCATIONING ACCURACY AND ANALYTICS OF WIRELESS DEVICES
A plurality of access points sync with a first sync event to establish a first predefined time interval for periodically sending STA reports. Responsive to detecting a new access point, each of the plurality of access points is resynced by sending a second sync event to establish a second predefined time interval for periodically sending STA reports. A real-time mapping of the station can be displayed using a first location at a first instance, as initially synced, and a second location at a second instance, as resynced.
Web requests are intercepted and it is determined whether information is synchronously available to evaluate the web request. Responsive to not having information for synchronous evaluation, the web request can be redirected to a parking service to asynchronously obtain information to evaluate the web request. A response from the redirected web request including information for evaluation is received and stored. Then, the web request is reissued for synchronous evaluation by the browser. A decision can be made to allow, redirect, or block, based on the retrieved information.
From deep packet inspection, it is determined whether each of the plurality of network devices is part of the IT segment or the OT segment by examining a physical network address, a data type and a network protocol of one or more of the network packets. A network hierarchy is dynamically generated that maps the IT segment with interconnected IT levels having IT devices relative to the OT segment with interconnected OT levels having OT devices. A plurality of security zones is set up from the IT layout and the OT layout. Each of the plurality of security zones has a corresponding one or more security zone policies. The network hierarchy is output and overlaid with the plurality of security zones for display to a user.
Various embodiments provide systems and methods for visually displaying a developing attack in a computer network based at least in part on historical information.
A downstream wired port receives network packets over the at least one or more downstream wired ports. An upstream routing table, responsive to the failure of at least one of the one or more upstream wired ports, in this embodiment, determines whether a valid route for the network packets exists over the upstream network device. The upstream routing table, responsive to determining that a valid route exists, redirects the network packets for the failed upstream wired port to the upstream Wi-Fi port.
A change of a user device from a wireless connection to the enterprise network to a wired connection to the enterprise network (or a cellular network) is detected. In response, a snapshot of network conditions relevant to the user device is taken. A health check on the network conditions can identify specific network issues negatively affecting the user device, and the issues are remediated. A remediation model is generated with AI predicting that a different user change will occur based on a later health check revealing network conditions similar to the earlier health check. In response, the specific network issues are automatically remediated based on the earlier stored remediation.
H04L 41/0663 - Performing the actions predefined by failover planning, e.g. switching to standby network elements
H04L 41/0659 - Management of faults, events, alarms or notifications using network fault recovery by isolating or reconfiguring faulty entities
H04L 41/0816 - Configuration setting characterised by the conditions triggering a change of settings the condition being an adaptation, e.g. in response to network events
H04L 41/0823 - Configuration setting characterised by the purposes of a change of settings, e.g. optimising configuration for enhancing reliability
38. FAST GAP REDUCTION IN POLICY TREE CREATION FOR POLICY SET WITH UNEVEN DENSITY
A policy tree of nodes and leaves is automatically created from a network security policy set by identifying density zones of policy subsets. Responsive to identifying an uneven density zone in a node of the policy tree, child nodes with normal density zones are generated from the uneven density zone. A policy bitmap is generated from the set of network security policies. A partition number is configured during bitmap labeling for the policy bitmap. A configurable threshold used during bitmap labeling is adjustable according to the network security policies. Further, a plurality of boundaries between low-density zones and high-density zones is identified utilizing bitmap labeling on the policy bitmap by counting leading zeros and trailing zeros.
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
Once a new session of data packets is detected, whether to proxy encrypt the data packets on behalf of a specific headless endpoint device from the plurality of headless endpoint devices for the session is determined based on analysis of payload data of a data packet from the session. Responsive to a determination to proxy encrypt data packets, encryption attributes are set up between a local data port on the network device and a remote data port on a remote network device, as parsed from a header of the data packet. OSI layers 4 to 7 of the outbound and inbound data packets of the session are encrypted according to the encryption attributes, without interference to OSI layers 1 to 3.
An example method includes accessing, by a data platform via a network, data from one or more cloud environments; identifying, by the data platform and in the data, first data associated with a first entity and a first data type and second data associated with a second entity and a second data type; mapping, by the data platform and based on the first entity and the first data type, the first data to a first data stream of a data streaming platform; mapping, by the data platform and based on the second entity and the second data type, the second data to a second data stream of the data streaming platform, the second data stream different from the first data stream of the data streaming platform; and generating, based on the first data stream, a graph representing activity associated with the first entity in the one or more cloud environments.
G06F 16/9535 - Search customisation based on user profiles and personalisation
G06F 16/9537 - Spatial or temporal dependent retrieval, e.g. spatiotemporal queries
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
Instruction-level threat assessment, including: identifying one or more probe insertion points in code of a package corresponding to one or more vulnerabilities of the package; inserting, into one or more instances of the package deployed in one or more hosts of a cloud deployment, one or more probes based on the one or more probe insertion points; and elevating a severity of a particular vulnerability in response to reaching a particular probe of the one or more probes.
G06F 16/9535 - Search customisation based on user profiles and personalisation
G06F 16/9537 - Spatial or temporal dependent retrieval, e.g. spatiotemporal queries
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
Identifying encountered and unencountered conditions in software applications, including: collecting, for an executing application, information describing the usage of the application, including: receiving, from one or more tracepoints inserted into the application, a first portion of the information describing a state of the application during execution; identifying, based on the information, one or more unencountered conditions that the application is configured to handle; and presenting information describing the unencountered conditions that the application is configured to handle.
G06F 16/9535 - Search customisation based on user profiles and personalisation
G06F 16/9537 - Spatial or temporal dependent retrieval, e.g. spatiotemporal queries
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
A string sample is received from a file in real-time and the string sample is converted to a Tetra code and used to search a database of Tetra code samples, organized by family and then by variant. It is determined whether the real-time Tetra code fits any family mask, and if not a new family mask is created. It is also determined whether real-time Tetra code fits any variant mask within the family mask, and if not, a new variant mask is created. The real-time Tetra code is stored in the database associated with the new family label and/or the new variant label. Any label for the file string sample is output for potential security actions.
A local spoke is configured with a hub that serves at least one remote spoke equipped with a plurality of IPSEC endpoint interfaces for routing traffic according to a routing table of the hub. A first routing path is received to the at least one remote spoke for dynamic VPN with a first IPSEC endpoint selected by the hub based on a Reply message without consideration of first link quality of the remote spoke relative to other available links. In another embodiment, an ADVPN shortcut is established. Data packets are then transmitted using a second routing path for dynamic VPN with a second IPSEC endpoint. A new ADVPN shortcut is established for more optimal routing, based on updated link quality metrics discovered during a health check. The existing ADVPN shortcut is then allowed to expire.
Multiple types of lines are made simultaneously available, including a Wi-Fi link, a cell link and a wired link. A list of running cloud applications is identified by monitoring. A quality of each available link for each running cloud application is periodically tested, including measurements of latency, jitter and packet loss. A first link is selected for a first application and a second link is selected for a second application. Data packets related to the first application are transmitted over the first link and data packets related to the second application over the second link.
Integrating a natural language interface into an anomaly detection framework, including: detecting, by an anomaly detection framework, an occurrence of an event associated with one or more assets that are being monitored by an anomaly detection framework; generating, based on information associated with the detected event, one or more natural language inputs; and submitting, to a natural language interface, the one or more natural language inputs.
G06F 16/9535 - Search customisation based on user profiles and personalisation
G06F 16/9537 - Spatial or temporal dependent retrieval, e.g. spatiotemporal queries
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
H04L 41/06 - Management of faults, events, alarms or notifications
H04L 43/045 - Processing captured monitoring data, e.g. for logfile generation for graphical visualisation of monitoring data
Systems, devices, and methods are disclosed in relation to a system for natural language based message categorization designed to identify text from a particular topic out of a potentially inexhaustible set of potential topics. In one of many possible implementations, a vector space model is first used to translate text into a vector representation. This vector is used to determine whether the text can be recreated by swapping words and phrases from a training corpus of documents. This is done by determining whether the vector is within the conical span of the vector representations of the text in the training corpus of documents. Span composition is evaluated by a two-vector boolean comparison, enabling great computational complexity and short-circuiting, which enables fast real-time topic determination.
G06F 40/284 - Lexical analysis, e.g. tokenisation or collocates
G06V 10/56 - Extraction of image or video features relating to colour
G06V 10/764 - Arrangements for image or video recognition or understanding using pattern recognition or machine learning using classification, e.g. of video objects
Systems, devices, and methods for correlating security policies to received packets are provided. In one example, a network device maintains information regarding multiple security policies within a dual bitmap based search tree including a first bitmap and a second bitmap formatted as information embedded in a node structure. A packet is received by the network device. A first field of the packet is compared with a first range corresponding to a first bit location in the first bitmap, in which the first bit location in the first bitmap is associated with at least a first security policy. After determining the first field is within the first range, the network device accesses a second bit location in the second bitmap, corresponding to the first bit location. Based at least in part upon a value in the second bit location, a set of one or more security policies is applied to the packet.
Various approaches for call distribution in a communication network are discussed. In some embodiments, systems and methods for enhancing call distribution efficiency are discussed that include selective encryption application.
An illustrative method includes generating a logical graph by performing a clustering operation with respect to log data associated with one or more machines, the clustering operation performed using a first clustering criteria and causing the logical graph to initially include a first set of nodes generated in accordance with relationship requirements of an underlying model and a first set of edges representing communication between nodes included in the first set of nodes; and reclustering, using a second clustering criteria, the logical graph to include, in place of the first set of nodes, a second set of nodes generated while maintaining the relationship requirements of the underlying model and a second set of edges representing communication between nodes included in the second set of nodes.
An illustrative method includes determining that a first user login session and a second user login session have a parent-child relationship that indicates that a particular user is associated with both the first and second user login sessions and linking first user login activity performed during the first user login session and second user login activity performed during the second user login session to the user.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
A size of a data packet being transmitted downlink to a specific Wi-Fi 7 client is determined from real-time data traffic. A number of small tones and large tones needed for the data packet transmission, either alone or in combination, is calculated. The combination of small RU tones and large RU tones is allocated to the specific wireless client for use in downlink. The data packet is transmitted downlink to the Wi-Fi 7 client across the combination of small and large RU tones.
BSS (basic service set) sharing is enabled on the Wi-Fi 7 access point, wherein the Wi-Fi 7 access point is wirelessly connected to a plurality of stations over the common wireless channel. A puncturing pattern is determined to share spectrum of the common wireless channel between the multiple BSSs. All shared BSSs are advertised in beacons with an EHT field comprising the puncturing pattern and broadcast over the common wireless channel. At least two stations of the plurality of stations are connected over at least two different BSSs of the multiple BSSs. Data frames are transmitted simultaneously to the at least two stations across the at least two different BSSs. A first BSS occupies a first portion of a spectrum and a second BSS occupies a second portion of the spectrum, according to the puncturing pattern.
A threshold usage of the primary channel transmission bandwidth is detected exceeding a predetermined value, triggering a second mode. Responsive to reaching the threshold usage, a puncturing pattern is activated to transmit data frames over the remaining channel transmission bandwidth while continuing to transmit management frames over the primary channel transmission bandwidth. Responsive to reaching the threshold usage, data packets are separated using RU allocations for multiple wireless clients over the remaining channel transmission bandwidth. Data packets are then transmitted according to bandwidth limitations and spectral limitations.
A dynamic radio signal strength indicator (RSSI) connection threshold is determined, with machine learning, based on previous Wi-Fi 6E connection data for the Wi-Fi 6E access point. An authentication request frame (or other type of frame) is received from a Wi-Fi 6E client that received a beacon. The authentication request or other management frame includes an RSSI measurement characterizing signal strength between the Wi-Fi 6E client and the Wi-Fi 6E access point. It is determined whether the RSSI measurement of the authentication request frame satisfies the machine learning RSSI threshold as a minimum signal strength for connections. Responsive to the RSSI measurement not satisfying the RSSI threshold, the connection with the Wi-Fi 6E client is refused.
Groups of Wi-Fi 7 stations are created including identifying Wi-Fi 7 stations accessing the channel for multimedia traffic and creating a group of stations accessing the channel for multimedia traffic. Responsive to reaching the threshold usage for channel usage, a high usage priority mode is activated to prioritize multimedia traffic. In high usage priority mode, notifying the group of Wi-Fi 7 stations of EDCA channel contention parameters using broadcast, management action frame, including notifying the group of multimedia Wi-Fi 7 stations. Values of EDCA parameters in the broadcast management action frame for the at least one multimedia group are modified during high usage to allow more aggressive contention to the at least one multimedia group with multimedia traffic.
A rogue Wi-Fi 6E access points are identified by on-wire data traffic of authorized Wi-Fi 6E access points. Data traffic is monitored across all access points for the rogue Wi-Fi 6E access points according to an SSID/BSSID scan table. In response, modified CSA values are sent from spoofed action frames that have a source BSSID of the rogue access points rather than the authenticated access point that transmits.
Responsive to receiving a probe request at a first 6 GHz access point from a first 6 GHz station, while usage is above a threshold, a Wi-Fi controller with an AI neuron finds a best serving 6 GHz access point, from the plurality of 6 GHz access points, for the first 6 GHz station to be a second 6 GHz station, based in part on resource usage. A modified reduced neighbor report (RNR) is constructed for the first 6 GHz access point including adjusting a standard RNR report to steer the first 6 GHz station to the second 6 GHz access point with lower real-time resource usage than the first 6 GHz.
A list is received from the Wi-Fi controller of rogue Wi-Fi 6E access points identified by BSSID within a vicinity of the Wi-Fi 6E access points based on RSSI measurements sent to the Wi-Fi controller. A rogue Wi-Fi 6E access point of the Wi-Fi controller list from the periodic beacon scanning. In response, prior to connection of any station to the rogue Wi-Fi 6E access point, broadcasts spoofed beacons on behalf of the rogue Wi-Fi 6E access point, using SSID and BSSID over the current operating channel of the rogue Wi-Fi 6E access point. The beacons are spoofed by modifying the MFP field value to indicate no encryption capability and also to indicate no encryption requirement for management frames.
An illustrative method includes accessing data representative of a first role associated with a set of permissions with respect to resources within the compute environment and specifying a group of identities assigned to the first role, determining that a first subgroup of one or more identities included the group of identities only uses a first subset of permissions included in the set of permissions to access the resources within the compute environment without using a second subset of permissions, and performing, based on the determining that the first subgroup of one or more identities only uses the first subset of permissions, an operation to reduce permissions usable by the one or more identities.
G06F 16/9535 - Search customisation based on user profiles and personalisation
G06F 16/9537 - Spatial or temporal dependent retrieval, e.g. spatiotemporal queries
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
H04L 43/045 - Processing captured monitoring data, e.g. for logfile generation for graphical visualisation of monitoring data
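The permission right-sizing described in the abstract above, as an added example in Python (not the patent's own code). The role, the identity names and the usage log are constructed; the grouping of identities by the exact subset of permissions they used, and the holding-out of identities with no usage, are this example's design choices.

```python
"""Right-sizing a role from observed permission usage.

Added example, not the patent's own code. Inputs are constructed: a role that
grants a set of permissions to a group of identities, and a usage log of
(identity, permission) events. Identities that exercised only a strict subset
of the role's permissions are grouped by that subset, and each group gets a
reduced role; the permissions they never used are reported for removal.
"""
from collections import defaultdict

# Constructed role definition (hypothetical names).
ROLE = {
    "name": "storage-admin",
    "identities": {"alice", "bob", "carol", "svc-backup"},
    "permissions": {
        "s3:GetObject", "s3:PutObject", "s3:DeleteObject",
        "s3:ListBucket", "iam:PassRole",
    },
}

# Constructed usage log: (identity, permission) pairs over the observation window.
# carol has no events at all; svc-backup used everything.
USAGE_LOG = [
    ("alice", "s3:GetObject"), ("alice", "s3:ListBucket"),
    ("bob", "s3:GetObject"), ("bob", "s3:PutObject"), ("bob", "s3:ListBucket"),
    ("bob", "ec2:DescribeInstances"),          # granted by another role, ignored here
    ("svc-backup", "s3:GetObject"), ("svc-backup", "s3:PutObject"),
    ("svc-backup", "s3:DeleteObject"), ("svc-backup", "s3:ListBucket"),
    ("svc-backup", "iam:PassRole"),
]


def used_permissions(role, usage_log):
    """Map each identity assigned to the role to the role permissions it used."""
    used = {ident: set() for ident in role["identities"]}
    for ident, perm in usage_log:
        if ident in used and perm in role["permissions"]:
            used[ident].add(perm)
    return used


def reducible_subgroups(role, usage_log):
    """Group identities by the strict subset of role permissions they used.

    Identities with no usage at all are held out: an empty log over the
    observation window is not evidence that nothing is needed (think of a
    quarterly batch job), so they are returned separately for review.
    """
    groups = defaultdict(set)
    held_out = set()
    for ident, perms in used_permissions(role, usage_log).items():
        if not perms:
            held_out.add(ident)
        elif perms != role["permissions"]:
            groups[frozenset(perms)].add(ident)
    return dict(groups), held_out


def reduce_permissions(role, usage_log):
    """Produce one reduced role per subgroup, listing what was removed."""
    groups, held_out = reducible_subgroups(role, usage_log)
    reduced = []
    ordered = sorted(groups.items(), key=lambda kv: sorted(kv[0]))
    for i, (subset, members) in enumerate(ordered):
        reduced.append({
            "name": f"{role['name']}-reduced-{i}",
            "identities": members,
            "permissions": set(subset),
            "removed": role["permissions"] - subset,
        })
    return {"reduced_roles": reduced, "held_out": held_out}


if __name__ == "__main__":
    out = reduce_permissions(ROLE, USAGE_LOG)
    for r in out["reduced_roles"]:
        print(r["name"], sorted(r["identities"]), "drop:", sorted(r["removed"]))
    print("held out for review:", sorted(out["held_out"]))
```

The length of the observation window is the practical caveat: a permission unused for thirty days may still be needed by a quarterly job, which is why identities with no usage at all are held out rather than stripped.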
A CRC rule is generated for each CRC parity check circuit of a bank of CRC parity check circuits, mapping a fixed-length CRC output to a signature, each CRC parity check circuit servicing a specific string length. The CRC parity check circuit selected for a specific data packet outputs fixed-length parity-check data for that packet, and a string mapper maps the fixed-length parity-check data to one of the string identifiers associated with the group of signatures. If a fixed-length parity-check match is found, the string identifier of the match is output for a security action.
A string sample is received from a file in real-time and the string sample is converted to a Tetra code and used to search a database of Tetra code samples, organized by family and then by variant. It is determined whether the real-time Tetra code fits any family mask, and if not a new family mask is created. It is also determined whether real-time Tetra code fits any variant mask within the family mask, and if not, a new variant mask is created. The real-time Tetra code is stored in the database associated with the new family label and/or the new variant label. Any label for the file string sample is output for potential security actions.
VXLAN tunnels are configured between a VXLAN tunnel server and each of the plurality of access points using a VXLAN profile. Tunnel groups are formed among the plurality of access points. Each tunnel group defines interconnections between VXLAN tunnels such that each tunnel in a group is able to exchange packets securely with the others. A data packet is switched between a first VXLAN tunnel coupled to the first access point on the first LAN and a second VXLAN tunnel coupled to the second access point on the second LAN, based on a VLAN ID stored within the data packet. The data packet is transmitted to the second station through the second access point on the second LAN over the second VXLAN tunnel.
A first data packet can be forwarded to a virtual SDWAN interface which has multiple IPSec tunnels as members, each of which is disposed over a different uplink, wherein the multiple IPSec tunnels each connect to the remote SDWAN controller. Load balancing of the particular session is performed relative to other sessions by selecting one of the multiple uplinks for transmission to the remote SDWAN controller. Phase 2 of IPSec is set up for the particular session by updating an IPSec phase 2 table with the selected uplink associated with the particular session, to direct subsequent packets of the same session.
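The session-to-uplink pinning described above, as an added Python example (not the patent's code). The virtual interface, the uplink names, the packets and the least-loaded selection rule are all constructed for illustration; the point it shows is that the uplink is chosen once per session and then read from the phase-2 table for every later packet of that session.

```python
"""Pinning a session to one IPsec tunnel member of a virtual SD-WAN interface.

Added example, not the patent's own code. The virtual interface has one IPsec
tunnel per uplink; the first packet of a session picks the uplink with the
fewest pinned sessions (a hypothetical balancing rule) and records the choice
in a phase-2 table keyed by the session 5-tuple, so every later packet of
that session leaves on the same tunnel.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "src dst sport dport proto")


class VirtualSDWANInterface:
    def __init__(self, uplinks):
        self.uplinks = list(uplinks)                    # member tunnels, one per uplink
        self.phase2_table = {}                          # session 5-tuple -> uplink
        self.active = {u: 0 for u in self.uplinks}      # pinned sessions per uplink

    @staticmethod
    def session_key(pkt):
        return (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto)

    def select_uplink(self):
        """Least-loaded member; ties resolve to the first configured uplink."""
        return min(self.uplinks, key=lambda u: self.active[u])

    def forward(self, pkt):
        """Return the uplink the packet is sent on, pinning new sessions."""
        key = self.session_key(pkt)
        if key not in self.phase2_table:
            uplink = self.select_uplink()
            self.phase2_table[key] = uplink
            self.active[uplink] += 1
        return self.phase2_table[key]

    def close_session(self, pkt):
        """Remove a finished session so its uplink's count drops."""
        uplink = self.phase2_table.pop(self.session_key(pkt), None)
        if uplink is not None:
            self.active[uplink] -= 1
        return uplink


if __name__ == "__main__":
    # Constructed packets: two sessions, then more packets of the first one.
    vi = VirtualSDWANInterface(["wan1-ipsec", "wan2-ipsec"])
    a = Packet("10.0.0.5", "10.9.0.8", 40000, 443, "tcp")
    b = Packet("10.0.0.6", "10.9.0.8", 40001, 443, "tcp")
    print(vi.forward(a), vi.forward(b), vi.forward(a), vi.active)
```

Per-session rather than per-packet balancing matters with IPsec: each tunnel is its own security association with its own sequence numbers and anti-replay window, so spraying one flow across tunnels reorders its packets and can trip anti-replay drops at the remote controller.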
Detecting anomalous behavior of a device, including: generating, using information describing historical activity associated with a user device, a trained model for detecting normal activity for the user device; gathering information describing current activity associated with the user device; and determining, by using the information describing current activity associated with the user device as input to the trained model, whether the user device has deviated from normal activity.
G06F 16/9535 - Search customisation based on user profiles and personalisation
G06F 16/9537 - Spatial or temporal dependent retrieval, e.g. spatiotemporal queries
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
Elastic privileges in a secure access service edge, including: identifying, based on one or more access policies, an application accessible to a user; determining, for the user, an access pattern of the application; and restricting, without modifying the one or more access policies, access to the application by the user based on the access pattern.
G06F 16/9535 - Search customisation based on user profiles and personalisation
G06F 16/9537 - Spatial or temporal dependent retrieval, e.g. spatiotemporal queries
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
A natural language interface for an anomaly detection framework, including: receiving a natural language input associated with a cloud deployment; generating a query corresponding to the natural language input by disambiguating at least a portion of the natural language input based on data describing activity associated with an anomaly detection framework monitoring the cloud deployment; and providing, based on a response to the query, a response to the natural language input.
G06F 16/9535 - Search customisation based on user profiles and personalisation
G06F 16/9537 - Spatial or temporal dependent retrieval, e.g. spatiotemporal queries
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
H04L 43/045 - Processing captured monitoring data, e.g. for logfile generation for graphical visualisation of monitoring data
H04L 41/5009 - Determining service level performance parameters or violations of service level contracts, e.g. violations of agreed response time or mean time between failures [MTBF]
H04L 41/5003 - Managing SLA; interaction between SLA and QoS
H04L 43/00 - Arrangements for monitoring or testing data switching networks
79.
SYSTEMS AND METHODS FOR USING A NETWORK ACCESS DEVICE TO SECURE A NETWORK PRIOR TO REQUESTING ACCESS TO THE NETWORK BY THE NETWORK ACCESS DEVICE
Various approaches for securing networks against access from off network devices. In some cases, embodiments discussed relate to systems and methods for identifying potential threats included in a remote network by a network access device prior to requesting access to a known secure network via the remote network.
Dynamic thresholds are derived for each connection phase, using machine learning (e.g., K-means clustering) for an enterprise network. A time interval can be tracked between samples of collected data packets for each phase of connections, including the association phase, the authentication phase and the DHCP phase of connecting. A specific dynamic threshold for one of the connection phases is detected as out-of-range. Responsive to the out-of-range detection, network issues corresponding to the phase of the specific dynamic threshold are checked and automatically remediated.
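The per-phase threshold derivation above, as an added Python example (not the patent's code). The inter-packet timing samples and the remediation hints are constructed; the two-cluster k-means with min/max seeding and the midpoint-between-centroids threshold are this example's choices for the machine-learning step the abstract leaves open.

```python
"""Per-phase dynamic thresholds from 1-D k-means.

Added example, not the patent's own code. Constructed samples give the interval
(in ms) between successive captured packets of each connection phase. Two
clusters separate normal from slow intervals; the phase threshold is the
midpoint between the two centroids, and a new interval above it is out of
range for that phase. The remediation hints are hypothetical placeholders.
"""

# Constructed inter-packet intervals per connection phase (ms).
PHASE_SAMPLES = {
    "association":    [12, 15, 11, 14, 13, 16, 12, 15, 14, 13, 90, 95],
    "authentication": [40, 42, 38, 45, 41, 39, 44, 43, 40, 41, 310, 330],
    "dhcp":           [200, 210, 190, 205, 215, 198, 202, 207, 1900, 2100],
}

# Hypothetical checks to run when a phase goes out of range.
REMEDIATION = {
    "association":    "check channel utilization and AP client load",
    "authentication": "check RADIUS/authentication server reachability and latency",
    "dhcp":           "check DHCP server and relay reachability, scope exhaustion",
}


def kmeans_1d(values, iterations=100):
    """Two-cluster Lloyd's k-means on a list of numbers.

    Centroids start at min and max, which is deterministic and, for timing
    data with a fast majority and a slow tail, lands on the two modes.
    Returns the centroids sorted ascending.
    """
    centroids = [float(min(values)), float(max(values))]
    for _ in range(iterations):
        fast = [v for v in values if abs(v - centroids[0]) <= abs(v - centroids[1])]
        slow = [v for v in values if abs(v - centroids[0]) > abs(v - centroids[1])]
        new = [
            sum(fast) / len(fast) if fast else centroids[0],
            sum(slow) / len(slow) if slow else centroids[1],
        ]
        if new == centroids:
            break
        centroids = new
    return centroids


def phase_threshold(values):
    """Midpoint between the fast and slow centroids of one phase's samples."""
    fast, slow = kmeans_1d(values)
    return (fast + slow) / 2


def derive_thresholds(samples):
    """Dynamic threshold per connection phase."""
    return {phase: phase_threshold(v) for phase, v in samples.items()}


def check_interval(thresholds, phase, interval_ms):
    """Return (out_of_range, remediation) for a newly observed interval."""
    if interval_ms > thresholds[phase]:
        return True, REMEDIATION[phase]
    return False, None


if __name__ == "__main__":
    th = derive_thresholds(PHASE_SAMPLES)
    for phase, limit in th.items():
        print(f"{phase:15s} threshold {limit:8.1f} ms")
    print(check_interval(th, "dhcp", 1500))
```

Thresholds should be re-derived on a rolling window, since a site whose authentication server is permanently slow will otherwise bake the slow tail into the baseline; the clustering has to see enough fast samples to separate the two modes.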
A logical graph is generated using at least a portion of log data received from a set of agents executing on one or more nodes in one or more data centers. The logical graph is augmented using data obtained from one or more agents executing in containerized environments, including by representing communications between pods within the logical graph. The augmented logical graph is used to detect an anomaly.
To activate side nodes, a traversal node is partitioned into deeper traversal nodes and leaf nodes. A limit is set on the number of policies per leaf node. Each traversal node above the limit is cut into a deeper level with a new traversal node. Each traversal node at or below the limit is converted to a leaf node populated with a list of policies within the limit. Once a leaf node is reached during policy tree searching, the policy set corresponding to the leaf node is linearly searched to select a policy, and the selected policy is applied to the data packet.
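The partitioning just described, as an added Python example (not the patent's implementation). Policies here match only a destination-port range, a simplification chosen for the example; the policy set, the port range and the leaf limit are constructed. The single-point stop is the edge case worth seeing: a catch-all policy overlaps every sub-interval, so without it a limit smaller than the number of catch-alls would never terminate.

```python
"""Policy tree with a per-leaf policy limit.

Added example, not the patent's own implementation. Policies here match on a
destination-port range (a hypothetical simplification; real policies carry
more fields). A traversal node covers a port interval. If more than `limit`
policies overlap the interval, the node is cut into two deeper traversal
nodes; otherwise it becomes a leaf holding the overlapping policies in
priority order. Lookup walks to a leaf and linear-searches its list.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Policy:
    id: int            # lower id = higher priority; first match wins
    port_lo: int
    port_hi: int
    action: str

    def matches(self, port: int) -> bool:
        return self.port_lo <= port <= self.port_hi


@dataclass
class Node:
    lo: int
    hi: int
    policies: list = field(default_factory=list)   # populated only on leaves
    left: Optional[Node] = None
    right: Optional[Node] = None

    @property
    def is_leaf(self) -> bool:
        return self.left is None


def build_tree(policies, lo, hi, limit):
    """Recursively partition [lo, hi] until each leaf holds at most `limit` policies."""
    overlapping = [p for p in policies if p.port_hi >= lo and p.port_lo <= hi]
    node = Node(lo, hi)
    # A leaf is made when within the limit, or when the interval is a single
    # point: a catch-all policy overlaps every sub-interval, so without this
    # stop a limit smaller than the number of catch-alls would recurse forever.
    if len(overlapping) <= limit or lo == hi:
        node.policies = sorted(overlapping, key=lambda p: p.id)
        return node
    mid = (lo + hi) // 2
    node.left = build_tree(overlapping, lo, mid, limit)
    node.right = build_tree(overlapping, mid + 1, hi, limit)
    return node


def lookup(root, port):
    """Descend to the leaf covering `port`, then linear-search its policies."""
    node = root
    while not node.is_leaf:
        node = node.left if port <= (node.lo + node.hi) // 2 else node.right
    for p in node.policies:
        if p.matches(port):
            return p
    return None


def leaf_stats(node):
    """(number of leaves, largest leaf policy list) for checking the limit held."""
    if node.is_leaf:
        return 1, len(node.policies)
    l_n, l_max = leaf_stats(node.left)
    r_n, r_max = leaf_stats(node.right)
    return l_n + r_n, max(l_max, r_max)


# Constructed policy set (hypothetical).
POLICIES = [
    Policy(1, 22, 22, "allow"),
    Policy(2, 80, 80, "allow"),
    Policy(3, 443, 443, "allow"),
    Policy(4, 3389, 3389, "deny"),
    Policy(5, 8080, 8080, "allow"),
    Policy(6, 1024, 65535, "deny"),
    Policy(99, 0, 65535, "deny"),      # default deny, lowest priority
]

TREE = build_tree(POLICIES, 0, 65535, limit=3)

if __name__ == "__main__":
    print("leaves, max leaf size:", leaf_stats(TREE))
    for port in (22, 443, 3389, 3390, 8080, 500):
        print(port, lookup(TREE, port))
```

The tree is built once when the policy set is committed; per-packet cost is then the descent depth plus a linear scan bounded by the leaf limit, which is the point of capping the leaf size.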
Scan mode is configured in an access point to monitor WLAN conditions. A channel list is progressively scanned using full capabilities available from MIMO transceivers. During a hop period, each MIMO transceiver is configured to a first set of channels from the channel list within an RF band. During a dwell period, an RF analysis is performed for the set of channels to identify conditions on the WLAN.
Responsive to receiving uplink traffic from a specific edge client on the edge client table, in-service monitoring for frame retries and collisions associated with the specific edge client is performed. Responsive to detecting that the rate of frame retries and collisions exceeds a threshold, a BSS color change announcement frame comprising a second color is transmitted to the specific edge client. The BSS color change announcement directs the specific edge client to contend for medium access based on preambles observed from a specific overlapping BSS associated with the second BSS color rather than its home BSS. The default color can be restored after the uplink.
During authentication of an SDWAN tunnel, ISAKMP (Internet Security Association and Key Management Protocol) packets authenticate the local SDWAN controller and the remote SDWAN controller with each other, wherein the ISAKMP packets include a notify payload. Configured link costs associated with at least two member paths at the remote SDWAN controller, which have heterogeneous physical attributes, are retrieved from the notify payload of the ISAKMP packets. The configured link cost of each of the at least two member paths reflects that link's physical attributes. One of the at least two member paths is identified based on the lowest link cost among the at least two member paths, for steering SDWAN network traffic.
Systems and methods for remote monitoring of a Security Operations Center (SOC) via a mobile application are provided. According to one embodiment, a management service retrieves information regarding multiple network elements that are associated with an enterprise network and extracts parameters of the monitored network elements from the retrieved information. The management service prioritizes the monitored network elements by determining a severity level associated with security-related issues of the network elements and generates various monitoring views that summarize in real time various categories of potential security-related issues detected by the SOC. Further, the management service assigns a priority to each monitoring view and displays a video on the display device that cycles through monitoring views in accordance with their respective assigned priorities.
Flow pair values are identified as candidates by comparing individual flows of the unknown device against the flow pairs of labeled devices and keeping those that surpass a candidate threshold, using a difference flow matrix generated from the individual flows of the unknown device and the labeled device. Known devices are identified as device candidates from the sum of flow pair values for each candidate device in relation to the unknown device. A device type is retrieved for each candidate device, and one of the device types is selected based on at least a closeness or a frequency of each device type to the unknown device.
A baseline multicast traffic is derived for an SSID from the network traffic statistics using unsupervised machine learning. Responsive to detecting a deterioration in the real-time network traffic statistics for the SSID in relation to the baseline throughput and the baseline multicast traffic, the multicast data rate can be adjusted to match the lowest unicast data rate for the SSID.
A panic button is configured and disposed outside a network gateway that manages integrated OT network devices and IT devices, for access by a user. Responsive to physical activation of the panic button, a second authentication factor (MFA) from an authorized user is required to authorize the action. Upon authorization, the OT network devices are quarantined from the IT network devices to prevent malicious actions.
Responsive to the request for a security fabric report, an upper-level node transmits a request to a lower-level node for a subtree security report. If there are additional network gateways at lower hierarchical levels, the next level down repeats the process. A root-level network gateway transmits the first request, as the highest level of the hierarchy, and a last leaf receives the last request, as the lowest level. An overall security fabric report is returned from the root node.
Systems and methods for intent-based orchestration of independent automations are provided. Examples described herein alleviate the complexities and technical challenges associated with deploying, provisioning, configuring, and managing configurable endpoints, including network devices, network security systems, cloud-based security services (e.g., provided by or representing a Secure Access Service Edge (SASE) platform), and other infrastructure, on behalf of numerous customers (or tenants). For example, customer intent may be automatically translated into concrete jobs and tasks that operate to make changes to one or more of the configurable endpoints so as to insulate the user from being required to know which configurable endpoint(s) need(s) to change, which vendor supports a given configurable endpoint, and/or vendor specific issues involved in changing the configurable endpoints.
Detecting anomalous behavior using a browser extension, including: gathering first information describing activity associated with a user and generated by a browser extension on a user device; gathering second information describing activity associated with the user and generated by an application executed on the user device; and determining, based on the first information and the second information, whether the user has deviated from normal activity.
G06F 16/9535 - Search customisation based on user profiles and personalisation
G06F 16/9537 - Spatial or temporal dependent retrieval, e.g. spatiotemporal queries
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
H04L 43/045 - Processing captured monitoring data, e.g. for logfile generation for graphical visualisation of monitoring data
Various approaches for multi-node network cluster systems and methods. In some cases systems and methods for incident detection and/or recovery in multi-node processors are discussed.
H04L 41/0668 - Management of faults, events, alarms or notifications using network fault recovery by dynamic selection of recovery network elements, e.g. replacement by the most appropriate element after failure
H04L 41/0663 - Performing the actions predefined by failover planning, e.g. switching to standby network elements
96.
Detecting malicious behavior in a network using security analytics by analyzing process interaction ratios
Systems and methods for detecting malicious behavior in a network by analyzing process interaction ratios (PIRs) are provided. According to one embodiment, information regarding historical process activity is maintained. The historical process activity includes information regarding various processes hosted by computing devices of a private network. Information regarding process activity within the private network is received for a current observation period. For each process, for each testing time period of a number of testing time periods within the current observation period, a PIR is determined based on (i) a number of unique computing devices that hosted the process and (ii) a number of unique users that executed the process. A particular process is identified as potentially malicious when a measure of deviation of the PIR of the particular process from a historical PIR mean of the particular process exceeds a pre-defined or configurable threshold during a testing time period.
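The PIR computation and deviation test described above, as an added Python example (not the patent's code). The telemetry records, host and user names, and process names are constructed; expressing the deviation as a z-score against the historical mean, and flooring the standard deviation so a perfectly flat history does not divide by zero, are this example's choices for the "measure of deviation" the abstract leaves unspecified.

```python
"""Process interaction ratio (PIR) deviation detection.

Added example, not the patent's own code. Telemetry records are constructed:
(period, process, host, user). For each process and test period,
PIR = unique hosts that ran the process / unique users that executed it.
The historical mean and standard deviation of a process's PIR form its
baseline; a current-period PIR more than `threshold` standard deviations
from the mean is reported. The z-score form and the stdev floor are this
example's choices, not the patent's.
"""
from collections import defaultdict
from itertools import cycle
from statistics import mean, pstdev


def make_records(period, process, hosts, users):
    """Constructed telemetry: one record per host, users cycled across hosts."""
    return [(period, process, h, u) for h, u in zip(hosts, cycle(users))]


HOSTS = [f"host{i:02d}" for i in range(1, 41)]
USERS = [f"user{i:02d}" for i in range(1, 11)]

# Four historical periods. svchost.exe runs on 10 hosts by 10 users (PIR 1.0);
# psexec.exe is used by two admins on their two jump hosts, once on three.
HISTORY = []
for period in ("P1", "P2", "P3", "P4"):
    HISTORY += make_records(period, "svchost.exe", HOSTS[:10], USERS[:10])
    n_hosts = 3 if period == "P2" else 2
    HISTORY += make_records(period, "psexec.exe", HOSTS[:n_hosts], USERS[:2])

# Current period: one account pushes psexec.exe to 40 hosts (lateral-movement
# shape); svchost.exe is unchanged; unknown.exe has no history at all.
CURRENT = (
    make_records("P5", "svchost.exe", HOSTS[:10], USERS[:10])
    + make_records("P5", "psexec.exe", HOSTS, USERS[:1])
    + make_records("P5", "unknown.exe", HOSTS[:3], USERS[:3])
)


def pir_by_period(records):
    """{process: {period: PIR}} from raw records."""
    hosts = defaultdict(set)
    users = defaultdict(set)
    for period, proc, host, user in records:
        hosts[(proc, period)].add(host)
        users[(proc, period)].add(user)
    out = defaultdict(dict)
    for (proc, period), hs in hosts.items():
        out[proc][period] = len(hs) / len(users[(proc, period)])
    return dict(out)


def baseline(history):
    """{process: (mean PIR, stdev PIR)} over the historical periods."""
    return {
        proc: (mean(v.values()), pstdev(v.values()))
        for proc, v in pir_by_period(history).items()
    }


def detect(history, current, threshold=3.0, stdev_floor=0.05):
    """Flag processes whose current PIR deviates from baseline by > threshold stdevs."""
    base = baseline(history)
    anomalies, no_baseline = [], []
    for proc, periods in sorted(pir_by_period(current).items()):
        if proc not in base:
            no_baseline.append(proc)      # new process: no PIR history to compare
            continue
        mu, sigma = base[proc]
        sigma = max(sigma, stdev_floor)   # avoid dividing by a flat history
        for period, pir in periods.items():
            z = (pir - mu) / sigma
            if abs(z) > threshold:
                anomalies.append({"process": proc, "period": period,
                                  "pir": pir, "mean": mu, "z": z})
    return {"anomalies": anomalies, "no_baseline": no_baseline}


if __name__ == "__main__":
    result = detect(HISTORY, CURRENT)
    for a in result["anomalies"]:
        print(f"{a['process']} {a['period']}: PIR {a['pir']:.1f} "
              f"vs mean {a['mean']:.2f} (z={a['z']:.0f})")
    print("no baseline:", result["no_baseline"])
```

Processes with no history are reported separately rather than scored: a first-seen binary is worth a look on its own terms, but there is no PIR mean to deviate from.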
Detecting deviations from typical user behavior, including: identifying a geographic location of a device that is associated with a user; determining device activity associated with the user; and detecting, based on a profile associated with the user, that the device activity associated with the user deviates from normal activity for the user.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
H04L 43/045 - Processing captured monitoring data, e.g. for logfile generation for graphical visualisation of monitoring data
Various embodiments provide systems and methods for automatically defining and enforcing network sessions based upon at least four dimensions of segmentation.
Changes on a chat client, such as one or more edits or retractions, are characterized relative to an original chat string and uploaded to a chat server for storage. The chat server combines the message change with at least a second change to the specific chat string uploaded from a different chat client. Responsive to a regeneration of the chat string on the chat client, the chat daemon downloads the combined message change from the chat server. The edits and retractions originating from the chat client and those originating from the second chat client are downloaded and applied to the specific chat string for display in the chat client.
Systems, devices, and methods are discussed for forward testing rule sets at a granularity that is less than all activity on the network. In some cases, the granularity is that of an individual application.