The disclosed system determines a CVE identifier based on match confidence against entries in a database of indicators of vulnerability exploits that are mapped to corresponding CVE identifiers. The system builds and maintains the database by generating these exploit indicators from various cybersecurity data having associated vulnerability identifiers. The system extracts elements from the cybersecurity data to construct different exploit indicators and then stores them in the database mapped to corresponding CVE identifiers. Depending upon the cybersecurity data from which elements are extracted, different types of exploit indicators may be generated for the same vulnerability.
A knowledge base is built, maintained, and utilized for responding to user queries. The knowledge base is populated with queries and corresponding answers that have been generated based on prompting a foundation model with documents included in a datastore used for RAG. Embeddings of the queries are generated and stored in the knowledge base with their corresponding query-answer pairs. To manage changes to the documents in the datastore, updates, deletions, and/or additions to documents in the datastore are periodically identified, and the query-answer pairs that are associated with changes to documentation can be updated accordingly. As a support service receives user queries, the support service searches the knowledge base for queries that are sufficiently similar to the user query based on comparing the associated embeddings. The support service generates a response to the user query based on the answer that corresponds to the most similar query in the knowledge base.
A stable verdict recrawling policy maintains stable stored verdicts for uniform resource locators (URLs) with intelligent recrawling. Based on a malicious stored verdict for a URL, a web crawler initiates the recrawling policy. In a first observation window, the web crawler recrawls the URL at successively more infrequent times to obtain verdicts for the URL. If there are enough benign verdicts after the first observation window, a URL verdict flipping model receives the recrawling data as input and outputs a flipping verdict indicating whether to flip the stored verdict from malicious to benign. If the stored verdict is flipped, in a second observation window the web crawler again recrawls the URL at successively more infrequent times to obtain verdicts. If there is a malicious verdict in the second observation window, the stored verdict is flipped back from benign to malicious.
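The two-window policy above is easiest to reason about as a small state machine. The following is an added example written for this page, not code from the patent or its assignee: the backoff schedule, the thresholds (two benign verdicts before the model is consulted, four recrawls per window) and the `flip_model` rule are assumptions standing in for the trained model the abstract mentions, and the crawler is a scripted replay of constructed verdict sequences rather than a real fetcher.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterator, List

BENIGN, MALICIOUS = "benign", "malicious"


def backoff_schedule(first_delay_h: float, steps: int, factor: float = 2.0) -> List[float]:
    """Recrawl times (hours after a window opens) that become successively more infrequent:
    with a 1h first delay and factor 2 this is 1, 3, 7, 15."""
    times, delay, t = [], first_delay_h, 0.0
    for _ in range(steps):
        t += delay
        times.append(t)
        delay *= factor
    return times


def flip_model(recrawl_data: List[Dict]) -> bool:
    """Stand-in for the URL verdict flipping model (assumption: the page does not describe the
    model's features). A transparent rule: flip to benign only when at least three quarters of the
    window's verdicts are benign and the most recent one is benign."""
    verdicts = [d["verdict"] for d in recrawl_data]
    return verdicts.count(BENIGN) / len(verdicts) >= 0.75 and verdicts[-1] == BENIGN


@dataclass
class StableVerdictStore:
    crawl: Callable[[str], str]                      # returns BENIGN or MALICIOUS for a URL
    stored: Dict[str, str] = field(default_factory=dict)
    min_benign: int = 2                              # benign verdicts needed before consulting the model
    steps: int = 4                                   # recrawls per observation window
    events: List[str] = field(default_factory=list)  # audit trail of crawls and flips

    def observe(self, url: str, window: int) -> Iterator[Dict]:
        """Lazily recrawl on the backoff schedule so a caller can stop early."""
        for t in backoff_schedule(1.0, self.steps):
            verdict = self.crawl(url)
            self.events.append(f"w{window} t+{t:g}h {url} -> {verdict}")
            yield {"window": window, "t_hours": t, "verdict": verdict}

    def apply_policy(self, url: str) -> str:
        """Run the recrawling policy for a URL and return its final stored verdict.
        The policy is only triggered by a malicious stored verdict."""
        if self.stored.get(url) != MALICIOUS:
            return self.stored.get(url, "unknown")
        first = list(self.observe(url, window=1))
        benign_seen = sum(d["verdict"] == BENIGN for d in first)
        if benign_seen < self.min_benign or not flip_model(first):
            return MALICIOUS  # not enough evidence: the stored verdict stays stable
        self.stored[url] = BENIGN
        self.events.append(f"flip {url} malicious -> benign")
        for d in self.observe(url, window=2):
            if d["verdict"] == MALICIOUS:  # a single malicious verdict re-arms the block at once
                self.stored[url] = MALICIOUS
                self.events.append(f"flip {url} benign -> malicious at t+{d['t_hours']:g}h")
                break
        return self.stored[url]


def scripted_crawler(script: Dict[str, List[str]]) -> Callable[[str], str]:
    """Constructed sample: replay a per-URL verdict sequence, repeating the last verdict once exhausted."""
    position: Dict[str, int] = {}

    def crawl(url: str) -> str:
        seq, i = script[url], position.get(url, 0)
        position[url] = i + 1
        return seq[min(i, len(seq) - 1)]

    return crawl


SCRIPT = {  # constructed verdict sequences, not real crawler telemetry
    "http://cleaned-up.example/": [MALICIOUS, BENIGN, BENIGN, BENIGN],                # flips and stays benign
    "http://flapping.example/": [BENIGN, BENIGN, BENIGN, BENIGN, BENIGN, MALICIOUS],  # flips, then is re-armed
    "http://still-bad.example/": [MALICIOUS, BENIGN, MALICIOUS, BENIGN],              # never flips
}


def demo() -> Dict[str, str]:
    store = StableVerdictStore(crawl=scripted_crawler(SCRIPT), stored={u: MALICIOUS for u in SCRIPT})
    return {url: store.apply_policy(url) for url in SCRIPT}


if __name__ == "__main__":
    for url, verdict in demo().items():
        print(f"{url:32} stored verdict: {verdict}")
```

The asymmetry is the point: flipping to benign needs a quorum of benign observations and a model decision, while flipping back needs one malicious observation. That keeps a short-lived cleanup from unblocking a domain an attacker can re-arm.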
A malicious instructions detection model (“detector”) intercepts augmented prompts destined for a large language model (“LLM”). Each augmented prompt was augmented with data from potentially compromised data sources susceptible to indirect prompt injection attacks. The detector tokenizes/preprocesses sentences in the augmented prompts and is invoked on the tokenized/preprocessed sentences to obtain confidence scores that each sentence comprises malicious instructions. If one or more of the confidence scores is above a threshold, the detector blocks the augmented prompt and generates an alert indicating the blocking and the malicious instructions. Otherwise, the detector communicates the augmented prompt to its intended LLM.
Strategically aged domains are detected. A set of initially benign aged dormant domains is determined as a list of candidate strategically aged domains. The list of candidate strategically aged domains is monitored for a change by a particular domain from a dormant status to an active status. In response to determining the change of the particular domain to active status, an action is taken with respect to that aged dormant domain.
Techniques for visual deep learning for inline phishing detection are disclosed. In some embodiments, a system/process/computer program product for visual deep learning for inline phishing detection includes extracting a logo from a screenshot of a web page; detecting phishing based on a match to at least one of a plurality of reference logos using a visual deep learning model and that a domain associated with the web page is not associated with an entity that matches the logo extracted from the web page; and performing a remedial action in response to determining that the web page is associated with phishing.
The detection of malicious documents using knowledge distillation assisted learning is disclosed. A document is received for maliciousness determination. A likelihood that the received document represents a threat is determined. The determination is made, at least in part, using a raw bytes model that was trained, at least in part, using image model prediction probabilities. A verdict for the document is provided as output based at least in part on the determined likelihood.
Various techniques for deep learning in a data plane are disclosed. In some embodiments, a system/process/computer program product for deep learning in a data plane includes monitoring a session at a security platform, wherein the session includes network traffic; executing a local deep learning model on the network traffic, wherein the local deep learning model is executed on the security platform; and performing an action in response to determining that the monitored session is associated with malware based at least in part on a verdict from the deep learning model.
Noise is added to data obtained from customers for differential privacy without reducing utility of the data for downstream use and/or analysis, such as data obtained from data loss prevention (DLP) services that are used for ongoing learning of DLP models. Noise is added to an N-dimensional text embedding(s) based on scaling values contained in the text embeddings on a per-dimension basis. For each dimension of the embedding(s), the corresponding value at that dimension is scaled based on minimum and maximum values that are localized to that dimension and were previously selected based on experimental data for which embeddings were generated. Noise is added to the resulting embeddings that have been scaled per dimension, such as with the Laplace mechanism.
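The per-dimension scaling in the abstract is what makes the Laplace mechanism's privacy guarantee hold: once every coordinate is clipped to [0, 1], a change of one input can move each coordinate by at most 1, so the sensitivity is known and the noise scale follows from it. The code below is an added example written for this page, not the patent's implementation. The calibration bounds are taken as the observed min/max of a constructed calibration set (the page says they were selected experimentally but not how), the embeddings are small constructed vectors rather than model output, and the choice to spend one epsilon on the whole vector (scale N/epsilon per coordinate) is this example's decision.

```python
import math
import random
from typing import List, Sequence, Tuple

Vector = List[float]
Bounds = List[Tuple[float, float]]


def per_dimension_bounds(calibration: Sequence[Vector]) -> Bounds:
    """Pick (min, max) for every dimension from a calibration set of embeddings. Assumption: plain
    observed min/max stands in for the experimentally selected bounds; a deployment would fix
    them once, offline, and never recompute them from customer data."""
    dims = len(calibration[0])
    return [(min(v[d] for v in calibration), max(v[d] for v in calibration)) for d in range(dims)]


def scale_and_clip(vec: Vector, bounds: Bounds) -> Vector:
    """Map each dimension into [0, 1] using that dimension's own (min, max). Clipping is what
    bounds the sensitivity: afterwards no coordinate can move by more than 1."""
    out = []
    for x, (lo, hi) in zip(vec, bounds):
        s = (x - lo) / (hi - lo) if hi > lo else 0.0
        out.append(min(1.0, max(0.0, s)))
    return out


def sample_laplace(b: float, rng: random.Random) -> float:
    """Inverse-CDF sample from Laplace(0, b): X = -b * sign(u) * ln(1 - 2|u|), u ~ U(-1/2, 1/2)."""
    u = rng.random() - 0.5
    return -b * math.copysign(1.0, u) * math.log(max(1e-300, 1.0 - 2.0 * abs(u)))


def laplace_mechanism(scaled: Vector, epsilon: float, rng: random.Random) -> Vector:
    """Add Laplace(0, sensitivity / epsilon) noise. Each of the N coordinates has sensitivity 1, so
    the L1 sensitivity of the whole vector is N and the per-coordinate scale is N / epsilon.
    That yields epsilon-DP for the embedding as a unit; spending epsilon per coordinate instead
    would cost N * epsilon in total by basic composition."""
    b = len(scaled) / epsilon
    return [x + sample_laplace(b, rng) for x in scaled]


def privatize(vec: Vector, bounds: Bounds, epsilon: float, rng: random.Random) -> Vector:
    return laplace_mechanism(scale_and_clip(vec, bounds), epsilon, rng)


def cosine(a: Vector, b: Vector) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))


# Constructed 4-dimensional "embeddings" standing in for DLP text embeddings (not real model output).
CALIBRATION = [[0.1, -2.0, 5.0, 0.0], [0.9, 2.0, 7.0, 0.0], [0.5, 0.0, 6.0, 0.0]]


def demo(epsilon: float = 8.0, seed: int = 7) -> Tuple[Vector, Vector, float]:
    bounds = per_dimension_bounds(CALIBRATION)
    raw = [0.5, 1.0, 9.0, 0.0]                      # third coordinate is out of range and gets clipped
    clean = scale_and_clip(raw, bounds)
    noisy = privatize(raw, bounds, epsilon, random.Random(seed))
    return clean, noisy, cosine(clean, noisy)


if __name__ == "__main__":
    clean, noisy, sim = demo()
    print("scaled :", [round(x, 3) for x in clean])
    print("noisy  :", [round(x, 3) for x in noisy])
    print("cosine :", round(sim, 3))
```

Two caveats a practitioner should carry over. First, the "without reducing utility" claim is not free: with N = 768 and epsilon = 1 the per-coordinate scale is 768 on values that live in [0, 1], so the usable operating point depends on N, epsilon and what the downstream DLP model needs; measure it on held-out data before shipping. Second, the bounds themselves leak if they are recomputed from the customer data they protect, which is why the abstract fixes them in advance from experimental data.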
An unstructured data query-response pair generation system (generation system) populates a knowledge base of query-response pairs for queries of natural language content in unstructured data by prompting a first large language model (LLM) with text extracted from the unstructured data. An unstructured data chatbot (chatbot) leverages the knowledge base by augmenting prompts to a second LLM, which responds to user queries for natural language content in the unstructured data, with query-response pairs whose queries are semantically similar to the user queries. The knowledge base and LLMs are updated based on user feedback correcting responses, continually improving the quality of the generation system and chatbot.
A system generates reliable bandwidth predictions which account for the dynamic behavior of cellular circuits. The system performs ongoing data collection of cellular parameters indicative of channel conditions of cellular circuits, cellular circuit performance and/or usage, bandwidth measurements of network paths that include the cellular circuits, and locations of edge devices with interfaces that have cellular circuits attached. The collected data is stored as time series data to allow repeating patterns to be detected and/or accounted for. When a bandwidth prediction is triggered for a cellular circuit, the system retrieves the most recent and historical data corresponding to cyclical/seasonal behavior and runs a trained model to generate a value representing the likely current channel conditions of the cellular circuit. The system then uses the predicted current channel conditions value, which accounts for repeating usage/performance patterns, to calculate an estimated/predicted bandwidth of the cellular circuit.
A data path root cause analysis application (“application”) identifies a node in a computing fabric as a root cause of failure in a data path. Based on detecting a failure in the data path, the application performs a reverse traversal starting at the last node in the data path. At each node in the reverse traversal, the application sends modified packets through the data path with custom headers comprising flags to exit the data path at the current node. When modified packets successfully exit the data path at a current node in the reverse traversal, the application identifies a previous node as the root cause of failure. The node identified as a root cause of failure is then remediated to allow further communication of packets through the data path.
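The reverse traversal is worth seeing end to end, because the inference step ("the probe exited here, so the node after this one is broken") is easy to get off by one. Below is an added example written for this page, not the application's code: the fabric is a constructed in-memory chain of nodes, the "custom header" is an `exit_at` field that every node is assumed to honour, a failed node is modelled as one that silently drops packets, and `remediate` is a stand-in that simply marks the node healthy again.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Packet:
    payload: str
    exit_at: Optional[str] = None            # custom header: leave the data path at this node
    trace: List[str] = field(default_factory=list)


@dataclass
class Node:
    name: str
    healthy: bool = True

    def handle(self, pkt: Packet) -> bool:
        """Forward a packet through this node; a failed node silently drops it."""
        if not self.healthy:
            return False
        pkt.trace.append(self.name)
        return True


class DataPath:
    def __init__(self, nodes: List[Node]):
        self.nodes = nodes
        self.by_name = {n.name: n for n in nodes}

    def send(self, pkt: Packet) -> bool:
        """True when the packet reaches the end of the path, or the node named in its exit header,
        and is handed back to the analyzer (assumption: every node honours the header)."""
        for node in self.nodes:
            if not node.handle(pkt):
                return False
            if pkt.exit_at == node.name:
                return True
        return True


def find_root_cause(path: DataPath) -> Optional[str]:
    """Reverse traversal. Probe with exit headers starting at the last node and moving toward the
    head. The first probe that exits successfully proves every node up to and including the exit
    node forwards traffic, so the node right after it in path order is the root cause."""
    names = [n.name for n in path.nodes]
    if path.send(Packet("probe")):
        return None                          # no failure on the path, nothing to analyze
    for i in range(len(names) - 1, -1, -1):
        if path.send(Packet("probe", exit_at=names[i])):
            return names[i + 1]              # i is never the last index here: that probe fails too
    return names[0]                          # not even the first node forwarded the probe


def remediate(path: DataPath, name: str) -> bool:
    """Stand-in remediation (assumption): bring the node back and confirm end-to-end forwarding."""
    path.by_name[name].healthy = True
    return path.send(Packet("verify"))


def demo() -> Optional[str]:
    # Constructed four-hop fabric with a failed spine.
    fabric = DataPath([Node("leaf-1"), Node("spine-1", healthy=False), Node("border-1"), Node("egress-1")])
    cause = find_root_cause(fabric)
    if cause is not None:
        remediate(fabric, cause)
    return cause


if __name__ == "__main__":
    print("root cause:", demo())
```

Probes share fate only with traffic that looks like them. A node that drops just certain flows (an ACL, an MTU mismatch, a policy route) will pass a generic probe, so in practice the modified packets should copy the headers of the failing traffic and change nothing but the exit flag, which is what "modified packets" in the abstract implies.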
H04L 41/0631 - Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
H04L 41/0668 - Management of faults, events, alarms or notifications using network fault recovery by dynamic selection of recovery network elements, e.g. replacement by the most appropriate element after failure
Various techniques for providing deep learning for inline detection of malicious command and control (C2) traffic from unstructured payloads are disclosed. In some embodiments, a system/process/computer program product for providing deep learning for inline detection of malicious C2 traffic from unstructured payloads includes monitoring a session at a security platform, wherein the session includes network traffic; executing a local deep learning model on the network traffic, wherein the local deep learning model is a machine learning implemented C2 (MLC2) model executed on the security platform; and performing an action in response to determining that the monitored session is associated with malware based at least in part on a verdict from the deep learning model.
Increasing use of web-based applications or Software-as-a-Service and IoT devices within enterprise networks increases the variety of network traffic and variables for consideration in managing security posture, which includes policy management. A security posture management system as disclosed herein leverages application identification and device discovery from ongoing collection and analysis of network traffic data to manage policies at device granularity allowing tailored security posture management. The system can tailor policies to handle network traffic depending on identified application and device type inputs obtained from the ongoing collection and analysis. The security posture management system can configure SD-WAN construct based parameters of a policy to tailor policies for different application traffic from different types of devices.
09 - Scientific and electrical apparatus and instruments
42 - Scientific, technological and industrial services, research and design
Goods and services
Computer hardware; Downloadable security software for sharing and storing sensitive information over an enterprise network and over the Internet; Downloadable security software for protecting, monitoring and detecting privileged accounts; Downloadable computer manuals for software for sharing and storing sensitive information, distributed integrally therewith; recorded and downloadable computer software for management of human and non-human digital identities; recorded and downloadable software for management, optimization and integration of computer systems and networks, software applications, users, and network resources; recorded and downloadable computer software for access control management of human and non-human digital identities; recorded and downloadable computer software for securing, auditing, monitoring, reporting and analysis of computer systems, computer networks, cloud computing environments and enterprise software applications; recorded and downloadable computer software for detection, analysis and remediation of cyber threats; downloadable software for securing software development and operation pipelines; downloadable electronic instruction computer program manuals distributed with all of the foregoing software
Design and development of computer hardware and software; software as a service (SAAS) services featuring software for managing digital identities; software as a service (SAAS) services featuring software for management, optimization and integration of computer systems and networks, software applications, users, and network resources; software as a service (SAAS) services featuring software for managing access control of human and non-human digital identities; software as a service (SAAS) featuring software for securing, auditing, monitoring and analysis of computer systems, computer networks, cloud computing environments and enterprise software applications; software as a service (SAAS) services featuring software for detection, analysis and remediation of cyber threats; software as a service (SAAS) services featuring software for securing software development and operations pipelines
18.
MACHINE LEARNING-BASED CONTENT DISARM AND RECONSTRUCTION WITH WEB BROWSER PREFETCHING
A web page content disarm and reconstruction (“CDR”) service (“service”) intercepts user requests for a web page via a web browser and prefetches source code for the web page and any web pages hyperlinked therein. The service generates features from sections of source code of the web page and hyperlinked web pages. Classifiers then classify the features to obtain malicious/benign verdicts of corresponding sections of source code as output. The service applies criteria to malicious verdicts to determine whether to disable hyperlinks in the web page, remove malicious code for the web page, and/or block the web page. Once a corresponding action has been taken for source code of the web page, the service reconstructs the source code and communicates the reconstructed code to the web browser for rendering.
Techniques for prevention of man-in-the-middle phishing are disclosed. In some embodiments, a system/process/computer program product for prevention of man-in-the-middle (MitM) phishing includes monitoring a session, wherein the session includes a request to access a website; evaluating a payload associated with the request to access the website using a MitM phishing profile to determine that the request to access the website matches at least in part the MitM phishing profile; and performing a remedial action in response to determining that the payload is associated with MitM phishing activity.
Techniques for providing security for providing Secure Access Service Edge (SASE) for mobile networks (e.g., service provider networks for mobile subscribers) are disclosed. In some embodiments, a system/process/computer program product for providing SASE for mobile networks in accordance with some embodiments includes receiving traffic associated with a User Equipment (UE) from a mobile core network at a SASE cloud network; enforcing a security policy on data plane traffic associated with the UE based on contextual information associated with the UE to provide secured data plane traffic; and forwarding the secured data plane traffic from the SASE cloud network to the mobile core network, wherein the secured data plane traffic egresses the mobile core network for its original destination (e.g., or in other embodiments, forwarding the secured data plane traffic from the SASE cloud network to its original destination).
Techniques for providing security for providing a Secure Access Service Edge (SASE) solution for enhanced security for unmanaged devices for mobile networks (e.g., service provider networks for mobile subscribers) are disclosed. In some embodiments, various techniques to apply per network slice security for unmanaged devices in mobile networks with SASE are disclosed. In some embodiments, various techniques to apply per subscriber identity and/or equipment identity and/or subscriber number security for unmanaged devices in mobile networks with SASE are disclosed. In some embodiments, various techniques to apply per access point name/ data network name (APN/DNN) security for unmanaged devices in mobile networks with SASE are disclosed. In some embodiments, various techniques to apply per location security for unmanaged devices in mobile networks with SASE are disclosed. In some embodiments, various techniques to apply per Radio Access Technology (RAT) security for unmanaged devices in mobile networks with SASE are disclosed.
Anycast IP addressing and policy-based forwarding are implemented so that resources deployed in association with different accounts of a tenant, but that have overlapping IP addresses, appear distinct to the tenant. A service that executes on a network controller configures a DHCP address pool for an account for which associated resources are indicated for deployment. The service also orchestrates instantiation of one or more connectors configured to front the resource(s) and allocates an anycast IP address to the connector(s) that is unique with respect to other connectors that front resources associated with the same account or different accounts. The service then creates a policy-based forwarding rule to forward network traffic originating from an IP address within the account's DHCP address pool and with a destination address that matches the resource(s) IP address to the anycast IP address allocated to the connector(s) that fronts the resources.
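The control-plane bookkeeping above reduces to three tables: a DHCP pool per account, an anycast address per connector, and a policy-based forwarding rule keyed on (source pool, destination). The following is an added example written for this page, not the controller's code. The supernets from which pools and anycast addresses are carved (`100.64.0.0/16` and `198.18.0.0/24`) are assumptions, as is the choice of a /24 per account; the two accounts and the shared `10.0.0.5` resource address are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Resource:
    account: str
    name: str
    ip: str                 # may overlap with a resource in another account of the same tenant


@dataclass(frozen=True)
class PbfRule:
    src_pool: str           # the account's DHCP address pool
    dst_ip: str             # the resource's (possibly overlapping) IP address
    next_hop: str           # anycast IP of the connector fronting the resource


class NetworkControllerService:
    """Assumed supernets (not from the page): per-account DHCP pools are carved as /24s from
    pool_supernet; connector anycast addresses are handed out from anycast_supernet."""

    def __init__(self, pool_supernet: str, anycast_supernet: str):
        self._pools = ipaddress.ip_network(pool_supernet).subnets(new_prefix=24)
        self._anycast = ipaddress.ip_network(anycast_supernet).hosts()
        self.dhcp_pool: Dict[str, str] = {}
        self.connectors: Dict[Tuple[str, str], str] = {}
        self.rules: List[PbfRule] = []

    def configure_pool(self, account: str) -> str:
        """One DHCP pool per account; the pool is what later disambiguates overlapping destinations."""
        if account not in self.dhcp_pool:
            self.dhcp_pool[account] = str(next(self._pools))
        return self.dhcp_pool[account]

    def deploy(self, res: Resource) -> PbfRule:
        pool = self.configure_pool(res.account)
        anycast_ip = str(next(self._anycast))         # unique across every connector of every account
        self.connectors[(res.account, res.name)] = anycast_ip
        rule = PbfRule(src_pool=pool, dst_ip=res.ip, next_hop=anycast_ip)
        self.rules.append(rule)
        return rule

    def forward(self, src_ip: str, dst_ip: str) -> Optional[str]:
        """Data-plane lookup: the (source pool, destination) pair, not the destination alone,
        selects the next hop, which is how two resources sharing 10.0.0.5 stay distinct."""
        src = ipaddress.ip_address(src_ip)
        for rule in self.rules:
            if src in ipaddress.ip_network(rule.src_pool) and dst_ip == rule.dst_ip:
                return rule.next_hop
        return None


def demo() -> Dict[str, Optional[str]]:
    svc = NetworkControllerService("100.64.0.0/16", "198.18.0.0/24")
    svc.deploy(Resource("prod", "db", "10.0.0.5"))   # constructed: both accounts use 10.0.0.5
    svc.deploy(Resource("dev", "db", "10.0.0.5"))
    return {
        "prod-client": svc.forward("100.64.0.10", "10.0.0.5"),
        "dev-client": svc.forward("100.64.1.10", "10.0.0.5"),
        "unknown-client": svc.forward("100.64.9.10", "10.0.0.5"),
    }


if __name__ == "__main__":
    for client, hop in demo().items():
        print(f"{client:15} -> {hop}")
```

The rule's only discriminator is the client's source address, so the scheme is exactly as strong as the enforcement of pool assignment: a client in the dev account that sources a packet from the prod pool would be steered to the prod connector. DHCP snooping or IP source guard at the access layer, or an equivalent check on the connector, belongs next to these rules.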
H04L 61/5014 - Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]
Described herein are systems, methods, and software to enhance failover operations in a cloud computing environment. In one implementation, a method of operating a first service instance in a cloud computing environment includes obtaining a communication from a computing asset, wherein the communication comprises a first destination address. The method further provides replacing the first destination address with a second destination address in the communication, wherein the second destination address comprises a shared address for failover from a second service instance. After replacing the address, the method determines whether the communication is permitted based on the second destination address, and if permitted, processes the communication in accordance with a service executing on the service instance.
H04L 61/2517 - Translating internet protocol [IP] addresses using port numbers
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
G06F 11/20 - Error detection or correction of the data by redundancy in hardware using active fault-masking, e.g. by switching out faulty elements or by switching in spare elements
H04L 67/10 - Protocols in which an application is distributed across nodes in the network
H04L 69/40 - Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass for recovering from a failure of a protocol instance or entity, e.g. service redundancy protocols, protocol state redundancy or protocol service redirection
24.
SERVICE ACCESS SERVICE EDGE SOLUTION FOR PROVIDING ENHANCED SECURITY FOR MOBILE NETWORKS
Techniques for providing security for providing a Secure Access Service Edge (SASE) solution for enhanced security for mobile networks (e.g., service provider networks for mobile subscribers) are disclosed. In some embodiments, various techniques to apply per network slice security in mobile networks with SASE are disclosed. In some embodiments, various techniques to apply per subscriber identity and/or equipment identity and/or subscriber number security in mobile networks with SASE are disclosed. In some embodiments, various techniques to apply per access point name/ data network name (APN/DNN) security in mobile networks with SASE are disclosed. In some embodiments, various techniques to apply per location security in mobile networks with SASE are disclosed. In some embodiments, various techniques to apply per Radio Access Technology (RAT) security in mobile networks with SASE are disclosed.
In some embodiments, a system, a process, and/or a computer program product for providing explicit proxy solutions for 5G SASE with service provider network attach includes receiving data plane traffic associated with a User Equipment (UE) from a mobile core network at a Secure Access Service Edge (SASE) cloud network via a service provider network attach using an interconnect between the mobile core network and the SASE cloud network; enforcing a security policy on data plane traffic associated with the UE based on contextual information associated with the UE to provide secured data plane traffic using the security policy configured per user group and/or per user; and forwarding the secured data plane traffic from the SASE cloud network to its original destination if allowed by the security policy, and blocking or dropping the data plane traffic from the SASE cloud network if not allowed by the security policy.
In some embodiments, a system, process, and/or computer program product includes processing a Radius start message and populating 5G synchronized (sync) data with a 5G user identity and IP mapping using a 5G Secure Access Service Edge (SASE) service, wherein a service provider (SP) configures IMSI, IMEI, and APN information to identify UEs from each SP 5G network, and configures a security policy per user group and/or individual users for a 5G SASE service; extracting contextual information associated with monitored 5G SP data plane traffic to determine a security policy to apply to the 5G SP data plane traffic; enforcing the security policy on the 5G SP data plane traffic associated with a UE based on contextual information associated with the UE to provide secured 5G SP data plane traffic; and egressing the secured 5G SP data plane traffic back to an SP backbone or to an external network.
H04L 41/50 - Network service management, e.g. ensuring proper service fulfilment according to agreements
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
Methods, storage systems and computer program products implement embodiments of the present invention for identifying a vulnerability in a software application. In these embodiments, a specification is received that includes a plurality of application programming interface (API) endpoints in the software application, and a first API endpoint of the software application that exposes user information is identified. An execution path in the software application is identified that includes an ordered sequence of two or more of the API endpoints, the ordered sequence starting with a second API endpoint and ending with the first API endpoint. An attack on the software application that exploits the identified execution path is simulated, and finally, an alert is issued when the simulated attack is found to have been successful.
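The chain in that abstract (spec in, execution path out, simulated attack, alert) maps onto a short static-plus-dynamic check. What follows is an added example written for this page, not the applicant's product. The specification format is a constructed simplification (each endpoint lists the parameters it consumes, the fields it produces and the credential it requires) rather than a real OpenAPI document; the mock handlers and their responses are constructed; and the set of fields counted as "user information" is an assumption.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

USER_INFO_FIELDS = {"email", "address", "phone"}   # fields treated as user information (assumption)


@dataclass
class Endpoint:
    path: str
    consumes: Set[str] = field(default_factory=set)   # parameters the call requires
    produces: Set[str] = field(default_factory=set)   # fields its response reveals
    auth: Optional[str] = None                        # credential needed; None = anonymous


def exposes_user_info(ep: Endpoint) -> bool:
    return bool(ep.produces & USER_INFO_FIELDS)


def execution_paths(spec: List[Endpoint], attacker_params: Set[str], max_len: int = 4) -> List[List[str]]:
    """Ordered sequences of two or more endpoints in which each response feeds a parameter of the
    next call, starting from a call an attacker can make with only attacker-known input and
    ending at an endpoint that exposes user information."""
    found: List[List[str]] = []

    def dfs(seq: List[Endpoint], known: Set[str]) -> None:
        if len(seq) >= 2 and exposes_user_info(seq[-1]):
            found.append([e.path for e in seq])
            return
        if len(seq) == max_len:
            return
        for ep in spec:
            if ep in seq:
                continue
            # the first hop needs only attacker input; later hops must consume the previous output
            feeds = ep.consumes <= known if not seq else bool(ep.consumes & seq[-1].produces)
            if feeds and ep.consumes <= known:
                dfs(seq + [ep], known | ep.produces)

    dfs([], set(attacker_params))
    return found


Handler = Callable[[Dict[str, str]], Dict[str, str]]


def simulate_attack(spec: List[Endpoint], handlers: Dict[str, Handler], path: List[str],
                    attacker_params: Dict[str, str], attacker_auth: Optional[str] = None) -> Dict[str, str]:
    """Drive the sequence against a mock application as an attacker holding only attacker_params
    and attacker_auth. Returns the user-information fields the final response leaked, or {} when
    the chain is blocked at some step."""
    by_path = {e.path: e for e in spec}
    ctx = dict(attacker_params)
    leaked: Dict[str, str] = {}
    for p in path:
        ep = by_path[p]
        if ep.auth is not None and ep.auth != attacker_auth:
            return {}                       # a credential the attacker lacks: chain broken here
        response = handlers[p]({k: ctx[k] for k in ep.consumes})
        ctx.update(response)                # outputs become inputs for the next call
        leaked = {k: v for k, v in response.items() if k in USER_INFO_FIELDS}
    return leaked


def scan(spec: List[Endpoint], handlers: Dict[str, Handler], attacker_params: Set[str],
         attacker_auth: Optional[str] = None) -> List[str]:
    """Alert text for every execution path whose simulated attack succeeded."""
    alerts = []
    for path in execution_paths(spec, attacker_params):
        leaked = simulate_attack(spec, handlers, path, {k: "attacker-chosen" for k in attacker_params}, attacker_auth)
        if leaked:
            alerts.append(f"{' -> '.join(path)} leaks {sorted(leaked)}")
    return alerts


# Constructed specification and mock handlers; no real service is contacted.
SPEC = [
    Endpoint("/search", consumes={"q"}, produces={"user_id"}),
    Endpoint("/users/{user_id}/orders", consumes={"user_id"}, produces={"order_id"}),  # no ownership check
    Endpoint("/orders/{order_id}", consumes={"order_id"}, produces={"email", "address"}),
    Endpoint("/me", produces={"email"}, auth="bearer"),
]
HANDLERS: Dict[str, Handler] = {
    "/search": lambda p: {"user_id": "u-1001"},
    "/users/{user_id}/orders": lambda p: {"order_id": f"o-{p['user_id']}-7"},
    "/orders/{order_id}": lambda p: {"email": "owner@example.invalid", "address": "1 Sample St"},
    "/me": lambda p: {"email": "caller@example.invalid"},
}
HARDENED = [Endpoint(e.path, e.consumes, e.produces, auth="bearer") for e in SPEC]  # every call needs a token


if __name__ == "__main__":
    for line in scan(SPEC, HANDLERS, {"q"}):
        print("ALERT", line)
```

Run the simulation twice: once anonymously and once with the lowest-privilege valid credential. Requiring a bearer token on every endpoint silences the anonymous alert for the constructed spec, but an authenticated attacker still walks `/search -> /users/{user_id}/orders -> /orders/{order_id}` to another user's data, because the missing control is an ownership check on the middle hop, not authentication.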
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
28.
SERVICE ACCESS SERVICE EDGE SOLUTION FOR PROVIDING ENHANCED SECURITY FOR MOBILE NETWORKS
Techniques for providing security for providing a Secure Access Service Edge (SASE) solution for enhanced security for mobile networks (e.g., service provider networks for mobile subscribers) are disclosed. In some embodiments, various techniques to apply per network slice security in mobile networks with SASE are disclosed. In some embodiments, various techniques to apply per subscriber identity and/or equipment identity and/or subscriber number security in mobile networks with SASE are disclosed. In some embodiments, various techniques to apply per access point name/data network name (APN/DNN) security in mobile networks with SASE are disclosed. In some embodiments, various techniques to apply per location security in mobile networks with SASE are disclosed. In some embodiments, various techniques to apply per Radio Access Technology (RAT) security in mobile networks with SASE are disclosed.
Techniques for providing security for providing a Secure Access Service Edge (SASE) solution for enhanced security for unmanaged devices for mobile networks (e.g., service provider networks for mobile subscribers) are disclosed. In some embodiments, various techniques to apply per network slice security for unmanaged devices in mobile networks with SASE are disclosed. In some embodiments, various techniques to apply per subscriber identity and/or equipment identity and/or subscriber number security for unmanaged devices in mobile networks with SASE are disclosed. In some embodiments, various techniques to apply per access point name/data network name (APN/DNN) security for unmanaged devices in mobile networks with SASE are disclosed. In some embodiments, various techniques to apply per location security for unmanaged devices in mobile networks with SASE are disclosed. In some embodiments, various techniques to apply per Radio Access Technology (RAT) security for unmanaged devices in mobile networks with SASE are disclosed.
Techniques for providing security for providing Secure Access Service Edge (SASE) for mobile networks (e.g., service provider networks for mobile subscribers) are disclosed. In some embodiments, a system/process/computer program product for providing SASE for mobile networks in accordance with some embodiments includes receiving traffic associated with a User Equipment (UE) from a mobile core network at a SASE cloud network; enforcing a security policy on data plane traffic associated with the UE based on contextual information associated with the UE to provide secured data plane traffic; and forwarding the secured data plane traffic from the SASE cloud network to the mobile core network, wherein the secured data plane traffic egresses the mobile core network for its original destination.
Techniques for providing security for providing Secure Access Service Edge (SASE) for mobile networks (e.g., service provider networks for mobile subscribers) are disclosed. In some embodiments, a system/process/computer program product for providing SASE for mobile networks in accordance with some embodiments includes receiving traffic associated with a User Equipment (UE) from a mobile core network at a SASE cloud network; enforcing a security policy on data plane traffic associated with the UE based on contextual information associated with the UE to provide secured data plane traffic; and forwarding the secured data plane traffic from the SASE cloud network to its original destination.
Techniques for providing explicit proxy solutions for 5G Service Access Service Edge (SASE) with service provider network attach are disclosed. In some embodiments, a system, a process, and/or a computer program product for providing explicit proxy solutions for 5G SASE with service provider network attach includes receiving data plane traffic associated with a User Equipment (UE) from a mobile core network at a Secure Access Service Edge (SASE) cloud network via a service provider network attach using an interconnect between the mobile core network and the SASE cloud network; enforcing a security policy on data plane traffic associated with the UE based on contextual information associated with the UE to provide secured data plane traffic using the security policy configured per user group and/or per user; and forwarding the secured data plane traffic from the SASE cloud network to its original destination if allowed by the security policy, and blocking or dropping the data plane traffic from the SASE cloud network if not allowed by the security policy.
Techniques for providing security for providing a Secure Access Service Edge (SASE) Interconnect Platform are disclosed. In some embodiments, a system, process, and/or computer program product for a SASE Interconnect Platform includes receiving ingress Service Provider (SP) data plane traffic for a tenant from an SP backbone to a SASE cloud network for security processing via an Interconnect that is configured for a compute region and an IP block and an Autonomous System Number (ASN) to advertise the IP block in Border Gateway Protocol (BGP); extracting contextual information associated with the SP data plane traffic to determine a security policy to apply to the SP data plane traffic; enforcing the security policy on the SP data plane traffic to provide secured SP data plane traffic using a Security Processing Node (SPN); and egressing the secured SP data plane traffic back to the SP backbone or to an external network.
The present application discloses a method, system, and computer system for detecting malicious SQL or command injection strings. The method includes obtaining an SQL or command injection string and determining whether the string is malicious based at least in part on a machine learning model.
In some embodiments, a system/process/computer program product for selective intelligent enforcement for mobile networks using a security platform includes monitoring network traffic in a core mobile network using a security platform executed on a network element in the core mobile network to identify a new session that attached to the core mobile network for mobile network communications; extracting meta information associated with the new session using the security platform executed on the network element in the core mobile network by performing inspection of PFCP messages over an N4 interface; applying selective intelligent enforcement using the security platform if the extracted meta information associated with the new session matches a selective intelligent enforcement policy, wherein the meta information includes RAT information; and offloading the session to bypass inspection by the security platform if the extracted meta information associated with the new session does not match the selective intelligent enforcement policy.
A network controller communicates a wildcard domain name defined by a tenant and IP addresses of data centers for which a tenant has configured that wildcard to network elements of a network fabric through which the data centers are accessible. Each network element creates a rule to forward DNS requests with FQDNs that match the wildcard to each data center IP address. When a network element receives a DNS request indicating a FQDN that matches the wildcard, the network element forwards the DNS request to each data center IP address. Each data center element associated with one of the IP addresses receives the DNS request and determines if the FQDN can be resolved to an IP address in that data center. Data center elements for which domain name resolution is successful notify the network controller, which onboards the resource corresponding to the FQDN in that data center.
H04L 61/4511 - Network directories; name-to-address mapping using standardised directories; using standardised directory access protocols using the domain name system [DNS]
H04L 61/5007 - Internet protocol [IP] addresses
09 - Scientific and electrical apparatus and instruments
42 - Scientific, technological and industrial services, research and design
Goods and services
Downloadable computer software for an enterprise browser for secure web browsing, internet access, and network security; downloadable software for cybersecurity, namely threat detection, malware prevention, data loss prevention, and secure remote access. Software as a service (SaaS) featuring software for an enterprise browser for secure web browsing, internet access, and network security; providing temporary use of non-downloadable software for cybersecurity, namely threat detection, malware prevention, data loss prevention, and secure remote access.
39.
COMBINED STRUCTURE AND IMPORT BEHAVIOR SIGNATURES BASED MALWARE LEARNING AND DETECTION
A system has been created that represents a binary file with a combination of signatures that account for both structure as expressed by control flow and an abstraction of functionality as expressed by import behavior. The system analyses intra-subroutine control flow and calls to import code units. The system generates structure signatures for the subroutines based on the intra-subroutine control flows. The system also generates an import behavior signature based on calls to import code units and caller-callee relationships between the subroutines and the import code units. The system uses the structure signatures to identify the caller subroutines in generating the import behavior signature. The combination of structure signatures and import behavior signature allows for accurate determination of code similarity without the noise of superficial variations in code organization and other mutations or alterations that facilitate avoiding malware detection.
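The abstract above describes the two signature kinds but not how they are computed. The following is an added example, not code from the patent or any product: a toy binary model in which each subroutine is a set of basic-block edges plus the imports it calls. The structure signature is a Weisfeiler-Lehman style hash of the control-flow graph (one possible isomorphism-invariant choice; the patent does not prescribe it), the import behavior signature is the set of (caller structure signature, import) pairs, and similarity is the equal-weighted Jaccard of both sets. The three sample binaries are constructed: the second is the first with blocks renumbered and subroutines renamed, the third is unrelated code sharing one subroutine shape.

```python
import hashlib
from typing import Dict, FrozenSet, List, Tuple

Edge = Tuple[int, int]
# A binary is modelled as {subroutine name: (intra-subroutine CFG edges, imports it calls)}.
Binary = Dict[str, Tuple[List[Edge], List[str]]]


def _h(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()[:16]


def structure_signature(edges: List[Edge], rounds: int = 3) -> str:
    """Hash of a subroutine's control flow that is invariant to block numbering and ordering.

    Weisfeiler-Lehman style refinement: each block starts from its (in, out) degree and is
    repeatedly relabelled with the sorted labels of its successors and predecessors, so
    renumbered or reordered blocks (the "superficial variations") produce the same hash.
    """
    blocks = sorted({b for edge in edges for b in edge})
    succ = {b: [] for b in blocks}
    pred = {b: [] for b in blocks}
    for src, dst in edges:
        succ[src].append(dst)
        pred[dst].append(src)
    label = {b: _h(f"{len(pred[b])}:{len(succ[b])}") for b in blocks}
    for _ in range(rounds):
        label = {
            b: _h(label[b]
                  + "|" + ",".join(sorted(label[s] for s in succ[b]))
                  + "|" + ",".join(sorted(label[p] for p in pred[b])))
            for b in blocks
        }
    return _h(",".join(sorted(label.values())) + f"#{len(edges)}")


def structure_set(binary: Binary) -> FrozenSet[str]:
    return frozenset(structure_signature(edges) for edges, _ in binary.values())


def import_behavior_signature(binary: Binary) -> FrozenSet[Tuple[str, str]]:
    """Caller-callee pairs where the caller is identified by its structure signature, not its name."""
    return frozenset(
        (structure_signature(edges), imp)
        for edges, imports in binary.values()
        for imp in imports
    )


def jaccard(a: FrozenSet, b: FrozenSet) -> float:
    return len(a & b) / len(a | b) if a | b else 1.0


def similarity(x: Binary, y: Binary) -> float:
    """Equal-weight combination of structure similarity and import-behavior similarity."""
    return 0.5 * (jaccard(structure_set(x), structure_set(y))
                  + jaccard(import_behavior_signature(x), import_behavior_signature(y)))


# Constructed samples (hypothetical names; not real malware).
ORIGINAL: Binary = {
    "sub_401000": ([(0, 1), (0, 2), (1, 3), (2, 3)], ["CreateFileA", "WriteFile"]),   # if/else diamond
    "sub_402000": ([(0, 1), (1, 1), (1, 2)], ["InternetOpenA", "InternetReadFile"]),  # loop
}
MUTATED: Binary = {  # same program: blocks renumbered, subroutines renamed and reordered
    "f2": ([(5, 9), (9, 9), (9, 7)], ["InternetOpenA", "InternetReadFile"]),
    "f1": ([(10, 12), (10, 11), (12, 13), (11, 13)], ["CreateFileA", "WriteFile"]),
}
UNRELATED: Binary = {
    "main": ([(0, 1), (1, 2)], ["printf"]),
    "helper": ([(0, 1), (0, 2), (1, 3), (2, 3)], ["CreateFileA", "ReadFile"]),
}
```

Renaming and renumbering leave both signatures unchanged, so ORIGINAL and MUTATED score 1.0, while UNRELATED shares only the diamond shape and one (diamond, CreateFileA) pair. A production version would build edges from a disassembler's basic blocks rather than from hand-written tuples.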
Techniques for securing control and user plane separation in mobile networks (e.g., service provider networks for mobile subscribers, such as 4G/5G networks) are disclosed. In some embodiments, a system/process/computer program product for securing control and user plane separation in mobile networks includes monitoring network traffic on a mobile network at a security platform to identify a Packet Forwarding Control Protocol (PFCP) message associated with a new session, in which the mobile network includes a 4G network or a 5G network; extracting a plurality of parameters from the PFCP message at the security platform; and enforcing a security policy at the security platform on the new session based on one or more of the plurality of parameters to secure control and user plane separation in the mobile network.
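Both this abstract and the selective-enforcement abstract above turn on the same step: parsing a PFCP message on the N4 interface, pulling out session parameters, and deciding per session whether to inspect or offload. The following is an added example, not code from either patent: a minimal parser for the PFCP header and a few information elements (Node ID, F-SEID, and the UE IP Address nested inside Create PDR > PDI), with header layout and IE type codes taken from 3GPP TS 29.244, followed by a selective policy that is an assumption of this example (inspect sessions whose UE address falls in configured prefixes or whose control-plane node is listed, offload the rest). RAT type, which the selective-enforcement abstract also names, is not modelled. The messages are constructed by the builder, not captured.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple

# PFCP message types (3GPP TS 29.244, Table 7.3-1).
SESSION_ESTABLISHMENT_REQ = 50
# PFCP IE type codes (3GPP TS 29.244, Table 8.1.2-1); Create PDR and PDI are grouped IEs.
IE_CREATE_PDR, IE_PDI, IE_FSEID, IE_NODE_ID, IE_UE_IP_ADDRESS = 1, 2, 57, 60, 93
GROUPED_IES = {IE_CREATE_PDR, IE_PDI}


@dataclass
class SessionMeta:
    msg_type: int
    seq: int
    node_id: Optional[str] = None   # CP function that set up the session
    cp_seid: Optional[int] = None   # control-plane SEID from the F-SEID IE
    ue_ip: Optional[str] = None     # subscriber address from Create PDR > PDI > UE IP Address


def walk_ies(payload: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, value) for every leaf IE, descending into grouped IEs."""
    off = 0
    while off + 4 <= len(payload):
        ie_type, ie_len = struct.unpack_from("!HH", payload, off)
        value = payload[off + 4:off + 4 + ie_len]
        if len(value) != ie_len:
            raise ValueError("truncated IE")
        if ie_type in GROUPED_IES:
            yield from walk_ies(value)
        else:
            yield ie_type, value
        off += 4 + ie_len


def parse_pfcp(msg: bytes) -> SessionMeta:
    """Parse the PFCP header and the IEs a security platform keys its policy on."""
    flags, msg_type, length = struct.unpack_from("!BBH", msg, 0)
    if flags >> 5 != 1:
        raise ValueError("unsupported PFCP version")
    if len(msg) != 4 + length:
        raise ValueError("length field does not match message size")
    off = 4
    if flags & 0x01:          # S flag: an 8-byte SEID precedes the sequence number
        off += 8
    seq = int.from_bytes(msg[off:off + 3], "big")
    off += 4                  # 3-byte sequence number + 1 spare byte
    meta = SessionMeta(msg_type=msg_type, seq=seq)
    for ie_type, value in walk_ies(msg[off:]):
        if ie_type == IE_NODE_ID and value[0] == 0:            # Node ID type 0 = IPv4
            meta.node_id = str(ipaddress.IPv4Address(value[1:5]))
        elif ie_type == IE_FSEID:                               # flags byte, then 8-byte SEID
            meta.cp_seid = struct.unpack_from("!Q", value, 1)[0]
        elif ie_type == IE_UE_IP_ADDRESS and value[0] & 0x02:  # V4 flag set
            meta.ue_ip = str(ipaddress.IPv4Address(value[1:5]))
    return meta


@dataclass
class SelectivePolicy:
    """Assumed policy shape for this example: inspect matching sessions, offload the rest."""
    ue_prefixes: Tuple[str, ...] = ()
    cp_nodes: Tuple[str, ...] = ()


def decide(meta: SessionMeta, policy: SelectivePolicy) -> str:
    if meta.msg_type != SESSION_ESTABLISHMENT_REQ:
        return "ignore"                     # only new sessions are classified here
    if meta.node_id in policy.cp_nodes:
        return "inspect"
    if meta.ue_ip is not None:
        ue = ipaddress.IPv4Address(meta.ue_ip)
        if any(ue in ipaddress.IPv4Network(p) for p in policy.ue_prefixes):
            return "inspect"
    return "offload"


def ie(ie_type: int, value: bytes) -> bytes:
    return struct.pack("!HH", ie_type, len(value)) + value


def build_establishment_req(seq: int, cp_ip: str, cp_seid: int, ue_ip: str) -> bytes:
    """Constructed Session Establishment Request (not a capture) carrying the IEs above."""
    cp = ipaddress.IPv4Address(cp_ip).packed
    body = (
        ie(IE_NODE_ID, b"\x00" + cp)
        + ie(IE_FSEID, b"\x02" + struct.pack("!Q", cp_seid) + cp)    # V4 flag, SEID, IPv4
        + ie(IE_CREATE_PDR, ie(IE_PDI, ie(IE_UE_IP_ADDRESS,
                                          b"\x02" + ipaddress.IPv4Address(ue_ip).packed)))
    )
    rest = struct.pack("!Q", 0) + seq.to_bytes(3, "big") + b"\x00"   # header SEID is 0 here
    return struct.pack("!BBH", 0x21, SESSION_ESTABLISHMENT_REQ, len(rest) + len(body)) + rest + body


POLICY = SelectivePolicy(ue_prefixes=("10.20.0.0/16",), cp_nodes=("192.0.2.10",))

if __name__ == "__main__":
    for ue in ("10.20.5.7", "10.99.1.1"):
        m = parse_pfcp(build_establishment_req(1, "192.0.2.50", 0x1234, ue))
        print(m.ue_ip, hex(m.cp_seid), decide(m, POLICY))
```

The length check and the truncated-IE check matter on a platform sitting in the N4 path: a malformed PFCP message must fail parsing rather than silently yield a session with no UE address that then gets offloaded by default.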
A system has been created to automatically expand CSPM coverage for an organization based on CSP offerings and organization usage of cloud resources. The system crawls API specifications of each CSP used by an organization to extract cloud resource metadata including attributes and attribute descriptions. The system classifies each discovered attribute as related to security or not related to security. The system then filters out those security related attributes that already have CSPM coverage. The system collects information across different data sources corresponding to CSPM for the organization, such as audit logs and ingestion requests. The system then prioritizes resource attributes for metadata ingestion based on configurable parameters that consider newly discovered CSP offerings represented by discovered security related attributes. According to the prioritization, the system generates templates to execute for ingestion.
A system, method, and device for domain-level sinkholing of network traffic. The method includes (i) obtaining network traffic, (ii) determining a client system or user associated with the network traffic, (iii) determining a domain for which the client system is attempting to access in connection with the network traffic, (iv) performing a sinkholing of the network traffic and/or traffic handling for automated analysis of vulnerable and/or malicious network traffic using one or more of a name-based virtual hosting or an IP-based virtual hosting.
A cloud misconfiguration remediation application (“remediation application”) has been created that generates a remediation action for a resource misconfiguration detected with a CSPM policy. The remediation application includes a conversation agent that interacts with the foundation model according to a chain of prompts/input sequences. The conversation agent constructs the chain of prompts based on a template, the CSPM policy, metadata about the CSPM policy and the misconfigured cloud resource, and responses from the foundation model. The foundation model is implemented with retrieval augmented generation (RAG) that uses an embedding database built with remediation documentation of the CSP. Prompts from the conversation agent are augmented based on the implemented RAG. The remediation application aggregates the responses into a remediation action that can either be automatically performed or presented for consideration by a user.
An offline collection system comprises a pipeline for storing metadata of user interface (UI) elements at web pages of a web application. The pipeline comprises crawling uniform resource locators (URLs) of web pages of the web application for content and rendering screenshots of the web pages. The pipeline then prompts a multimodal large language model (LLM) to generate database entries for the web pages comprising UI element metadata derived from the crawled content and rendered screenshots. A response system receives user queries to navigate the web application and augments prompts to an LLM to respond to the user queries with metadata of UI elements relevant to the user queries stored by the offline collection system.
Techniques for grammar powered retrieval augmented generation for domain specific languages are disclosed. In some embodiments, a system, a process, and/or a computer program product for grammar powered retrieval augmented generation for domain specific languages includes automatically generating a seed dataset for a domain specific language (DSL) (e.g., a resource query language (RQL), and wherein the RQL is generated for RQL for multi-domain security applications); expanding the seed dataset for the DSL using a Large Language Model (LLM); and validating the seed dataset for the DSL, wherein the seed dataset for the DSL is input to the LLM for fine tune training of the LLM (e.g., fine-tuned for a cloud security application).
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
46.
AI-POWERED MACROS TO PROCESS COMPLEX NLP QUERIES ACROSS DOMAINS
Techniques for AI-powered macros to process complex natural language processing (NLP) across domains are disclosed. In some embodiments, a system, a process, and/or a computer program product for AI-powered macros to process complex NLP across domains includes processing a natural language query; performing a cross-domain search to generate a search result using a plurality of data source domains using a resource query language (RQL) and a Large Language Model (LLM); and outputting the search result.
A method for cybersecurity includes receiving a corpus of cyber incidents, each including (i) one or more alerts indicative of suspicious activities in one or more computer systems, and (ii) one or more features characterizing the cyber incident. Binary labels respectively assigned to the cyber incidents of the corpus are further received, each of the binary labels having a first value indicating the cyber incident is benign, or a second value indicating the cyber incident is malicious. Predefined labeling rules that map the binary labels to respective soft labels that are indicative of suspiciousness levels of the cyber incidents are held. The binary labels are mapped to respective soft labels, based at least on the predefined labeling rules. The cyber incidents of the corpus and the respective soft labels are provided for training a machine learning model that, when trained, predicts risk scores for cyber incidents outside the corpus.
A data packet is received. It is determined whether the data packet is encapsulated. One or more security policies are applied to the data packet based on whether the data packet is encapsulated.
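The abstract is three sentences; what they imply in practice is that a policy engine must look past the outer header of a tunnelled packet, otherwise a VXLAN or GRE wrapper turns a denied inner flow into an allowed UDP/4789 or GRE flow. The following is an added example, not code from the patent: a small decapsulation step for GRE (RFC 2784/2890 header) and VXLAN (RFC 7348 header) that bounds the nesting depth, and a rule set, assumed for this example, in which rules can apply regardless of encapsulation or only to encapsulated traffic. All packets are constructed in the block; checksums are left zero.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE = 6, 17, 47
VXLAN_PORT, ETHERTYPE_IPV4 = 4789, 0x0800


@dataclass
class Flow:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


def parse_ipv4(pkt: bytes) -> Tuple[Flow, bytes]:
    """Flow of an IPv4 packet plus its L4 payload (checksums are not verified here)."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack_from("!BBHHHBBH4s4s", pkt, 0)
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    payload = pkt[(ver_ihl & 0x0F) * 4:total_len]
    flow = Flow(proto, str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)))
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        flow.sport, flow.dport = struct.unpack_from("!HH", payload, 0)
    return flow, payload


def inner_ipv4(flow: Flow, payload: bytes) -> Optional[Tuple[str, bytes]]:
    """If the packet is GRE- or VXLAN-encapsulated, return (kind, inner IPv4 packet)."""
    if flow.proto == IPPROTO_GRE:
        gre_flags, ethertype = struct.unpack_from("!HH", payload, 0)
        if ethertype != ETHERTYPE_IPV4:
            return None
        # optional checksum (C), key (K) and sequence (S) fields are 4 bytes each
        hdr = 4 + 4 * bool(gre_flags & 0x8000) + 4 * bool(gre_flags & 0x2000) + 4 * bool(gre_flags & 0x1000)
        return "gre", payload[hdr:]
    if flow.proto == IPPROTO_UDP and flow.dport == VXLAN_PORT:
        # 8-byte UDP header, 8-byte VXLAN header (I flag 0x08), 14-byte inner Ethernet header
        if len(payload) < 30 or not payload[8] & 0x08:
            return None
        if struct.unpack_from("!H", payload, 28)[0] != ETHERTYPE_IPV4:
            return None
        return "vxlan", payload[30:]
    return None


def decapsulate(pkt: bytes, max_depth: int = 2) -> Tuple[List[str], Flow]:
    """Peel at most max_depth encapsulation layers; return (layers peeled, innermost flow)."""
    layers: List[str] = []
    for _ in range(max_depth + 1):
        flow, payload = parse_ipv4(pkt)
        inner = inner_ipv4(flow, payload)
        if inner is None:
            return layers, flow
        layers.append(inner[0])
        pkt = inner[1]
    raise ValueError("encapsulation deeper than allowed")  # bounded so nested tunnels cannot stall the engine


@dataclass
class Rule:
    action: str
    proto: Optional[int] = None
    dst_net: Optional[str] = None
    dport: Optional[int] = None
    encapsulated: Optional[bool] = None  # None: applies whether or not the packet is encapsulated

    def matches(self, flow: Flow, encapsulated: bool) -> bool:
        return ((self.encapsulated is None or self.encapsulated == encapsulated)
                and (self.proto is None or flow.proto == self.proto)
                and (self.dport is None or flow.dport == self.dport)
                and (self.dst_net is None
                     or ipaddress.IPv4Address(flow.dst) in ipaddress.IPv4Network(self.dst_net)))


def evaluate(pkt: bytes, rules: List[Rule], default: str = "allow") -> Tuple[str, List[str]]:
    """First matching rule wins; the policy is applied to the innermost flow."""
    layers, flow = decapsulate(pkt)
    for rule in rules:
        if rule.matches(flow, bool(layers)):
            return rule.action, layers
    return default, layers


# Constructed packets (not captures).
def ipv4(src, dst, proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + payload

def tcp_syn(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)

def gre(inner):
    return struct.pack("!HH", 0, ETHERTYPE_IPV4) + inner

def vxlan(vni, inner):
    udp = struct.pack("!HHHH", 40000, VXLAN_PORT, 8 + 8 + 14 + len(inner), 0)
    return udp + bytes([0x08, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00" + bytes(range(12)) + b"\x08\x00" + inner

RULES = [
    Rule("deny", proto=IPPROTO_TCP, dst_net="10.0.0.0/24", dport=22),  # SSH to the segment, tunnelled or not
    Rule("deny", encapsulated=True, proto=IPPROTO_UDP, dport=53),      # no DNS inside tunnels
]
INNER_SSH = ipv4("10.0.0.9", "10.0.0.5", IPPROTO_TCP, tcp_syn(51000, 22))
INNER_HTTPS = ipv4("10.0.0.9", "10.0.0.5", IPPROTO_TCP, tcp_syn(51001, 443))
VXLAN_SSH = ipv4("192.0.2.1", "192.0.2.2", IPPROTO_UDP, vxlan(100, INNER_SSH))
GRE_SSH = ipv4("192.0.2.1", "192.0.2.2", IPPROTO_GRE, gre(INNER_SSH))
VXLAN_HTTPS = ipv4("192.0.2.1", "192.0.2.2", IPPROTO_UDP, vxlan(100, INNER_HTTPS))
```

An engine that only reads the outer header sees VXLAN_SSH as UDP to 192.0.2.2:4789 and lets it through; evaluating the innermost flow denies it exactly as it denies the plain packet. The depth bound is the caveat: without it, an attacker can nest tunnels to make the decapsulation loop arbitrarily expensive.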
A code sample rewrite pipeline has been created that augments training data for training malicious code detection models to learn functionality/execution behavior of malicious code and increase detection capability despite evasion techniques. The code sample rewrite pipeline ingests a set of malicious code samples. For each of the malicious code samples, the code sample rewrite pipeline prompts a language model to rewrite the malicious code sample with obfuscating transformations. The code sample rewrite pipeline evaluates output of the language model to determine whether the output is valid program code and whether it maintains functionality of the original malicious code sample. If the rewritten malicious code sample is valid and maintains functionality of the original malicious code sample, then the rewritten malicious code sample can be incorporated into training data for malicious code detection models.
A configuration of a cloud application exposed via a public IP address is duplicated with modifications to include a private IP address to expose the application internally. The original configuration is updated so that external network traffic sent to the application is redirected to and distributed across agents running on nodes of a cloud cluster by which web application firewalls (WAFs) are implemented. A set of agents for which the respective WAFs should inspect the redirected network traffic are selected based on cluster metrics, such as network and resource utilization metrics. The redirected network traffic targets a port allocated to the agents that is unique to the application, where ports are allocated on a per-application basis so each of the agents can support WAF protection for multiple applications. Network traffic which a WAF allows to pass is directed from the agent to the application via its private IP address.
The detection of phishing Portable Document Format (PDF) files using an image-based deep learning approach is disclosed. A PDF document is received. A likelihood that the received PDF document represents a threat is determined, at least in part, by using an image based model that was previously trained, at least in part, using a plurality of images that were generated using one or more tools that collectively convert a set of given PDF document files to the respective plurality of images. A verdict for the PDF document is provided as output based at least in part on the determined likelihood.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
09 - Scientific and electrical apparatus and instruments
42 - Scientific, technological and industrial services, research and design
Goods and services
Downloadable computer software for computer network security protection; downloadable computer software for comprehensive security platform protection; downloadable computer software for cybersecurity protection. Software as a service (SAAS) services featuring software for use in computer network security protection; software as a service (SAAS) services featuring software for comprehensive AI security platform protection; software as a service (SAAS) services featuring software for a comprehensive AI security platform featuring software for AI model scanning, posture management, AI red teaming, runtime security, and AI agent security; software as a service (SAAS) services featuring software for comprehensive AI security platform protection featuring software for monitoring of computer systems for security purposes in the nature of cybersecurity, unauthorized access, data breach, cloud detection and response
53.
NATURAL LANGUAGE QUERY TO DOMAIN-SPECIFIC DATABASE QUERY CONVERSION WITH LANGUAGE MODELS
A natural language to database query converter (converter) receives a natural language query from a user (i.e., a user utterance) and identifies a cybersecurity domain related to intent of the natural language query. The converter then generates a database query for a query language of the cybersecurity domain corresponding to the natural language query with a large language model (LLM). An initial prompt to the LLM generated by the converter specifies a grammar of the query language and instructs the LLM to generate an initial database query that functions like the natural language query and satisfies the grammar. If a lint program determines that the initial database query is not valid for the query language, the converter generates a follow-up prompt to the LLM that indicates valid database queries from which to generate a follow-up database query. A query parser retrieves data that satisfy the initial or follow-up database query and a visualization/summarization module generates graph visualizations and summaries of the retrieved data.
A communications system for providing secure access to a digital resource of a group of digital resources accessible via the internet, the system comprising: a data processing hub accessible via an IP (internet protocol) address; and a plurality of user equipment (UEs) useable to communicate via the internet, each configured to have a cyber secure isolated environment (CISE) isolated from ambient software in the UE, and comprising a secure web browser (SWB); wherein the hub and CISE are configured so that digital resources in motion and at rest in CISE are visible to the hub.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
G06F 16/955 - Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
G06F 21/44 - Program or device authentication
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, during program execution, e.g. stack integrity or buffer overflow or preventing unwanted data erasure, by executing in a restricted environment, e.g. sandbox or secure virtual machine
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, using machine learning or artificial intelligence
H04L 67/125 - Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks, involving control of end-device applications over a network
An indication of an application to be installed on a local device is received. A request is transmitted to a remote server for information associated with the application. In some cases, in response to the receipt of a report from the remote server, a set of rules restricting behaviors of the application is implemented at the local device. In some cases, in response to the receipt of a report from the remote server, the installation of the application on the local device is prevented.
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
G06F 21/50 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
G06F 21/55 - Detecting local intrusion or implementing counter-measures
57.
BROWSER ACTIVITY MANAGEMENT WITH ACTIONS BASED ON CONTEXT OF TRIGGERING EVENTS
A method for providing secure access to digital resources, the method comprising: monitoring communications between a website and a user using a web browser comprised in a user equipment (UE) that is useable to access the digital resources; processing the monitored communications to determine: a set of website vulnerability features (WVF) comprising features which, as a result of the user connecting to the website, render a digital resource of the digital resources with which the user communicates vulnerable to cyber damage; and a set of user browsing behaviour features (BHF) comprising features that characterize the user's browsing behaviour and internet use pattern which render the digital resource vulnerable to cyber damage; determining, based on the WVF and the BHF, a security risk indicator (SRI) having a value that provides an estimate of the cyber damage risk to the digital resource resulting from the user connecting to the website and the digital resource; and, based on the SRI value, determining whether or not to permit the user to access the website.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
G06F 16/955 - Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
G06F 21/44 - Program or device authentication
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, during program execution, e.g. stack integrity or buffer overflow or preventing unwanted data erasure, by executing in a restricted environment, e.g. sandbox or secure virtual machine
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, using machine learning or artificial intelligence
H04L 67/125 - Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks, involving control of end-device applications over a network
A method, system, and device for identifying network incident risk. The method includes (i) determining a set of incident scores for a set of incidents on a network, (ii) generating a security rating for an attack surface for the network, wherein the security rating is an aggregation of the incident risk scores associated with a subset of risks on the network, and (iii) providing the security rating.
A service detects bot activity or malicious C2 activity based on data known to be associated with bot and C2 activity for supported web applications and that can be identified from network traffic corresponding to the web application for multiple communication protocols. Such data can include API endpoints known to be associated with C2 activity, malicious users/accounts associated with the web application, and malicious activity patterns. Whether the detection service can detect bot activity that may potentially correspond to C2 activity or malicious C2 activity itself is dependent on whether the obtained network traffic data are decrypted. When network traffic data are encrypted, detection service can detect bot activity by analyzing DNS and SSL/TLS traffic. When network traffic data are decrypted, the detection service can obtain the decrypted network traffic data comprising HTTP traffic and perform further analysis for detection of C2 activity reflected in HTTP traffic.
Techniques for supporting overlapping network addresses universally are disclosed. A system, process, and/or computer program product for supporting overlapping network addresses universally includes generating at least two virtual routers for a cloud security service, the at least two virtual routers including a first virtual router and a second virtual router, routing cloud security service packets using the first virtual router, and routing enterprise subscriber packets using the second virtual router.
A system and methods for protecting a serverless application, the system including: (a) a serverless application firewall configured to inspect input of the serverless function so as to ascertain whether the input contains malicious, suspicious or abnormal data; and (b) a behavioral protection engine configured to monitor behaviors and actions of the serverless functions during execution thereof.
A method, system, and device for managing just-in-time access to a protected resource(s). The method includes (i) receiving from a user a request for access permission for the protected resource, (ii) prompting an administrator of the protected resource to process the request for access permission, (iii) receiving from the administrator an instruction for processing the request for access permission, and (iv) in response to determining that the instruction for processing the request is to grant access, granting the user access to the protected resource.
42 - Scientific, technological and industrial services, research and design
Goods and services
Platform as a service (PAAS) featuring computer software platforms for managing unified data in the field of cybersecurity; electronic data lake storage; cloud storage services for electronic data lakes; all excluding licensing of intellectual property relating to integrated circuits, microprocessors, and microprocessor cores.
42 - Scientific, technological and industrial services, research and design
Goods and services
Platform as a service (PAAS) featuring computer software platforms for managing unified data in the field of cybersecurity; Electronic data lake storage; Cloud storage services for electronic data lakes; all excluding licensing of intellectual property relating to integrated circuits, microprocessors, and microprocessor cores.
65.
CYBERSECURITY ALERT RESPONSE CHATBOT VIA LARGE LANGUAGE MODELS AND NATURAL LANGUAGE ALERT DESCRIPTORS
As cybersecurity alerts are detected and logged as formatted descriptors across an organization, a text converter converts the formatted descriptors into natural language descriptors by extracting and inserting metadata fields into natural language templates corresponding to user personas for the organization. In response to an alert-based query from a user, a persona classifier predicts a persona of the user from historical chat logs and retrieves natural language descriptors for alerts related to the user and predicted persona. A prompt generator receives the retrieved natural language descriptors and generates a prompt that instructs a large language model (LLM) to respond to the user with data from the natural language descriptors. Once prompted, the LLM establishes a conversation with the user via an interface for alert resolution.
42 - Scientific, technological and industrial services, research and design
Goods and services
Providing temporary use of online non-downloadable cloud native software application protection platform for early unauthorized access and early threat detection and prevention system to ensure security, visibility, and control of software applications throughout the entire application life cycle process, including securing code, infrastructure, workloads, data, networks, cloud identities, web applications, and application programming interfaces across cloud-native environments, under a single unified user interface.
67.
CLIENT ORIGINATED CACHE KEY MODIFIERS IN EDGE CACHING SYSTEMS
Cache keys are modified according to a criterion specified by a requestor that communicates with an edge cache. The requestor determines a cache key modifier based on the criterion and incorporates the cache key modifier into a request for a resource. Determining the cache key modifier based on the criterion can include determining the cache key modifier based on a current time or a “fingerprint” of a previously obtained response. After receiving a request for a resource that indicates the cache key modifier, the edge cache determines a cache key for a lookup in cache memory for the resource and modifies the cache key with the cache key modifier. Modification of a cache key computed for a resource can be achieved with a cache key prefix, infix, or suffix.
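The abstract names the two modifier sources (current time, fingerprint of a prior response) and the three placements (prefix, infix, suffix) but shows neither side's logic. The following is an added example, not code from the patent: a requestor-side helper for each modifier source and an edge cache that derives the base key from the URL, splices in the modifier at the requested position, and fills the cache per resulting key. The modifier charset and length limit are an assumption of this example, added because the modifier is client-controlled and an unbounded one lets a requestor mint unlimited cache entries. The origin, URL and timestamps in the scenario are constructed.

```python
import hashlib
import re
from typing import Callable, Dict, List, Optional, Tuple

# Assumed limit on client-supplied modifiers: untrusted input that otherwise partitions the
# cache without bound (one origin fetch per unique modifier).
MODIFIER_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def fingerprint(body: bytes) -> str:
    """Requestor-side 'fingerprint' of a previously obtained response."""
    return "fp" + hashlib.sha256(body).hexdigest()[:12]


def time_bucket(now: float, window_s: int) -> str:
    """Requestor-side modifier derived from the current time: one value per window."""
    return f"t{int(now // window_s)}"


class EdgeCache:
    def __init__(self, origin: Callable[[str], bytes]):
        self.origin = origin
        self.store: Dict[str, bytes] = {}
        self.origin_fetches = 0

    @staticmethod
    def base_key(url: str) -> str:
        return hashlib.sha256(url.encode()).hexdigest()

    def cache_key(self, url: str, modifier: Optional[str], position: str) -> str:
        """Base key computed for the resource, modified with the requestor's modifier."""
        base = self.base_key(url)
        if modifier is None:
            return base
        if not MODIFIER_RE.fullmatch(modifier):
            raise ValueError("rejected cache key modifier")
        if position == "prefix":
            return f"{modifier}:{base}"
        if position == "suffix":
            return f"{base}:{modifier}"
        if position == "infix":
            mid = len(base) // 2
            return f"{base[:mid]}:{modifier}:{base[mid:]}"
        raise ValueError("unknown modifier position")

    def get(self, url: str, modifier: Optional[str] = None, position: str = "suffix") -> bytes:
        key = self.cache_key(url, modifier, position)
        if key not in self.store:           # miss: fetch from origin and fill this key only
            self.store[key] = self.origin(url)
            self.origin_fetches += 1
        return self.store[key]


def run_scenario() -> Tuple[int, List[bytes]]:
    """Constructed origin that serves a new version on every fetch; returns (fetches, responses)."""
    versions: List[str] = []

    def origin(url: str) -> bytes:
        versions.append(url)
        return f"{url}#v{len(versions)}".encode()

    cache = EdgeCache(origin)
    url = "https://edge.example.test/api/config"     # hypothetical resource
    r1 = cache.get(url, time_bucket(960, 60))        # window 16: miss, origin fetch
    r2 = cache.get(url, time_bucket(1000, 60))       # window 16: hit, shares r1
    r3 = cache.get(url, time_bucket(1020, 60))       # window 17: miss, fresh copy
    r4 = cache.get(url, fingerprint(r3), "prefix")   # keyed on what the requestor holds: miss
    r5 = cache.get(url, fingerprint(r3), "prefix")   # same fingerprint: hit
    return cache.origin_fetches, [r1, r2, r3, r4, r5]
```

The time-bucket modifier gives every requestor in the same window the same key, so they share one origin fetch and the next window forces a refresh without any explicit purge; the fingerprint modifier keys the entry on the version the requestor already holds, so requestors holding the same version share an entry. Both are computed entirely by the requestor, which is why the edge must validate the modifier before splicing it into the key.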
G06F 12/0891 - Addressing of a memory level in which the access to the desired data or data block requires associative addressing means, e.g. caches, using clearing, invalidating or resetting means
An anomalous device detection service performs two-stage detection of anomalous devices in a network with verification of detected anomalies to reduce the incidence of false positive detections. The detection service generates a dual embedding for each device profile. The dual embedding comprises a sentence embedding and a character-based embedding that have been concatenated. The detection service clusters the dual embeddings and, from the resulting cluster(s), identifies outliers that correspond to candidate anomalous device profiles. The outliers are referred to as candidates at this stage because the detection service then verifies the verdicts of anomalousness resulting from clustering using an LLM that was adapted to predict whether a device profile is actually anomalous, based on examples of anomalous and non-anomalous device profiles provided to the LLM with few-shot prompting. Devices corresponding to profiles that the LLM predicts are anomalous are flagged for further investigation and/or remediation.
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, using machine learning or artificial intelligence
69.
IDENTIFYING VULNERABILITIES IN BINARY FILES USING A CODE SIGNATURE
Techniques for identifying vulnerabilities in binary files using a code signature are disclosed. In some embodiments, a system, a process, and/or a computer program product for identifying vulnerabilities in binary files using a code signature includes collecting a plurality of binary files associated with a vulnerability (e.g., a known vulnerability); determining a function in the plurality of binary files that includes the vulnerability; and automatically generating a code signature (e.g., including wildcarding one or more instructions of the function) for detecting the vulnerability in the plurality of binary files.
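The abstract's third step, generating a signature that wildcards parts of the vulnerable function, is the one with a concrete algorithm behind it. The following is an added example, not code from the patent: a byte-level version that takes several copies of the function collected from different builds, keeps the bytes that agree across all of them, wildcards the positions that differ (relocated call targets, immediates), renders the result in YARA hex-string syntax, and scans a blob for matches. It assumes the copies are aligned byte streams of equal length (the same instructions with differing operand bytes); real builds that insert or drop instructions would need alignment first. The minimum fixed-byte ratio is an assumption of this example. The sample bytes are constructed, not taken from any real binary or CVE.

```python
from typing import List

WILDCARD = 0x100          # out-of-range marker for a wildcarded byte position
MIN_FIXED_RATIO = 0.5     # assumed sanity floor: reject signatures that are mostly wildcards


def fixed_ratio(pattern: List[int]) -> float:
    return sum(b != WILDCARD for b in pattern) / len(pattern)


def generate_signature(samples: List[bytes]) -> List[int]:
    """Masked byte pattern from several builds of the same vulnerable function.

    Positions where every sample agrees stay fixed; positions that differ become wildcards.
    The samples are assumed aligned: the same instruction stream, differing only in operands.
    """
    if not samples or any(len(s) != len(samples[0]) for s in samples):
        raise ValueError("samples must be non-empty and aligned to one length")
    pattern = [col[0] if all(b == col[0] for b in col) else WILDCARD for col in zip(*samples)]
    if fixed_ratio(pattern) < MIN_FIXED_RATIO:
        raise ValueError("signature too weak: would match unrelated code")
    return pattern


def to_yara_hex(pattern: List[int]) -> str:
    """Render the pattern in YARA hex-string syntax, wildcards as ??."""
    return " ".join("??" if b == WILDCARD else f"{b:02X}" for b in pattern)


def scan(blob: bytes, pattern: List[int]) -> List[int]:
    """Every offset in blob where the masked pattern matches."""
    n = len(pattern)
    return [
        off for off in range(len(blob) - n + 1)
        if all(p == WILDCARD or blob[off + i] == p for i, p in enumerate(pattern))
    ]


# Constructed x86 byte strings standing in for one function taken from three builds; only
# the rel32 operand of the E8 (call) differs because the callee sits at a different address.
SAMPLES = [
    bytes.fromhex("558bec83ec10e8102000008b45085dc3"),
    bytes.fromhex("558bec83ec10e8904100008b45085dc3"),
    bytes.fromhex("558bec83ec10e8003001008b45085dc3"),
]
# A fourth build containing the same function (expected hit at offset 5), and a build where
# the stack frame size changed (no hit: a fixed byte differs).
TARGET = b"\x90" * 5 + bytes.fromhex("558bec83ec10e8aabbcc008b45085dc3") + b"\xcc" * 3
PATCHED = b"\x90" * 5 + bytes.fromhex("558bec83ec20e8aabbcc008b45085dc3") + b"\xcc" * 3

if __name__ == "__main__":
    sig = generate_signature(SAMPLES)
    print(to_yara_hex(sig), scan(TARGET, sig), scan(PATCHED, sig))
```

Two practitioner checks are built in: the ratio floor stops a signature from degenerating into mostly wildcards when the collected samples are too diverse, and the aligned-length check fails loudly rather than silently producing a pattern from misaligned copies.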
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
A communications system for providing secure access to a digital resource of a group of digital resources accessible via the internet, the system comprising: a data processing hub accessible via an IP (internet protocol) address; and a plurality of user equipment (UEs) useable to communicate via the internet, each configured to have a cyber secure isolated environment (CISE) isolated from ambient software in the UE, and comprising a secure web browser (SWB); wherein the hub and CISE are configured so that digital resources in motion and at rest in CISE are visible to the hub.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
G06F 16/955 - Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
G06F 21/44 - Program or device authentication
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, during program execution, e.g. stack integrity or buffer overflow or preventing unwanted data erasure, by executing in a restricted environment, e.g. sandbox or secure virtual machine
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, using machine learning or artificial intelligence
H04L 67/125 - Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks, involving control of end-device applications over a network
A method and system for detecting shadowed domains is provided. New hostnames are collected for a predetermined period of time. Candidate shadowed domains are selected from the new hostnames. Classification of the candidate shadowed domains is performed based on a plurality of features relating to the candidate shadowed domains to output a set of identified shadowed domains. An action is performed based on the set of identified shadowed domains.
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, using machine learning or artificial intelligence
72.
MALWARE ANALYSIS OF DATA/FILES PRIOR TO STORAGE IN ISOLATED SECURE ENVIRONMENT
A communications system for providing secure access to a digital resource of a group of digital resources accessible via the internet, the system comprising: a data processing hub accessible via an IP (internet protocol) address; and a plurality of user equipment (UEs) useable to communicate via the internet, each configured to have a cyber secure isolated environment (CISE) isolated from ambient software in the UE, and comprising a secure web browser (SWB); wherein the hub and CISE are configured so that digital resources in motion and at rest in CISE are visible to the hub.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
G06F 16/955 - Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
G06F 21/44 - Program or device authentication
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure, by executing in a restricted environment, e.g. sandbox or secure virtual machine
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, using machine learning or artificial intelligence
H04L 67/125 - Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks, involving control of end-device applications over a network
A shift left security policy translator “translates” runtime security policies into build-time security policies. The translating involves constructing build-time security policies based on runtime security policies at rule granularity. Natural language processing (NLP) is leveraged for the system to learn fields of build-time security policies and natural language descriptions of the fields. With a runtime security rule, the shift left security policy translator extracts fields of the runtime security rule and retrieves descriptions of the extracted fields from specifications. The shift left security policy translator then determines descriptions of build-time fields most similar to the descriptions of the extracted runtime fields. The shift left security policy translator constructs a build-time rule with build-time fields corresponding to the build-time field descriptions most similar to the extracted runtime field descriptions. The shift left security policy translator then predicts values for the build-time fields and evaluates validity of the predicted values.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
74.
ENABLING DEVICE CONTEXT AWARENESS, DATA INGESTION AND REAL-TIME ACTIONS IN MOBILE NETWORKS
Techniques for data ingestion enabling context awareness and real-time actions in mobile networks are disclosed. In some embodiments, a system, a process, and/or a computer program product for data ingestion enabling context awareness and real-time actions in mobile networks includes extracting a plurality of parameters from a mobile core network entity using an application programming interface (API) call, messages over a message broker, and/or logs from the mobile core network entity; determining a context for a session using one or more of the plurality of parameters associated with a mobile device communicating over the mobile core network; and applying a security policy using a security platform to the session based on the context.
H04L 61/503 - Internet protocol [IP] addresses using an authentication, authorisation and accounting [AAA] protocol, e.g. remote authentication dial-in user service [RADIUS] or Diameter
Techniques for applying a quantum ready intelligent security gateway are disclosed. In some embodiments, a system/process/computer program product for applying a quantum ready intelligent security gateway (e.g., a quantum ready intelligent security gateway that supports quantum key distribution (QKD) and/or post-quantum cryptography (PQC) for providing a secure tunnel to the mobile network) includes monitoring network traffic on a mobile network at a security gateway to identify a new session; determining meta information associated with the new session by extracting the meta information from the network traffic via one or more interfaces; and enforcing a security policy on the new session at the security gateway based on the meta information to apply context-based security in the mobile network.
Techniques for interworking of STUN and application-layer gateway (ALG) technologies are disclosed. In some embodiments, a system, a process, and/or a computer program product for interworking of STUN and ALG technologies includes monitoring network traffic at an application-layer gateway (ALG) entity (e.g., a firewall, such as a next generation firewall (NGFW)); processing a Layer 7 payload at the ALG entity to extract an IP address to be translated using network address translation (NAT); performing a lookup in a NAT table to determine if the IP address has been previously translated through a Session Traversal Utilities for NAT (STUN); and automatically generating a pinhole based on the original non-NATed address and the NATed address if the IP address was previously translated through STUN.
H04L 61/2575 - NAT traversal using address mapping retrieval, e.g. simple traversal of user datagram protocol through session traversal utilities for NAT [STUN]
Identifying Internet of Things (IoT) devices with packet flow behavior including by using machine learning models is disclosed. A set of training data associated with a plurality of IoT devices is received. The set of training data includes, for at least some of the exemplary IoT devices, a set of time series features for applications used by the IoT devices. A model is generated, using at least a portion of the received training data. The model is usable to classify a given device.
A policy mapping module maintains and distributes policy maps indicating recommended security categories/category attributes for endpoint devices managed by a server device. Based on detecting a login event at an endpoint device, the policy mapping module communicates parameters of the updated policy map to the server device. The server device communicates the policy map to the endpoint device that deploys the policy map on a corresponding probing agent. The probing agent communicates reports of changes to categories/category attributes from the policy map to the server device, and the server device enforces its security policy based on evaluating the changes against security policies at the server device.
Techniques for enforcing policies on Internet of Things (IoT) device communications are disclosed. Information associated with a network communication of an IoT device is received. The received information is used to determine a device profile, including a device type, to associate with the IoT device. A recommended security policy to be applied to the IoT device by a security appliance is generated.
H04W 8/18 - Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
09 - Scientific and electrical apparatus and instruments
42 - Scientific, technological and industrial services, research and design
Goods and services
Downloadable computer software for computer network security; Downloadable computer software for comprehensive security platform; Downloadable computer software for cybersecurity; Software as a service (SAAS) services featuring software for use in computer network security; Software as a service (SAAS) services featuring software for comprehensive AI security platform; Software as a service (SAAS) services featuring software for comprehensive AI security platform featuring software for AI model scanning, posture management, AI red teaming, runtime security, and AI agent security; Software as a service (SAAS) services featuring software for comprehensive AI security platform featuring software for monitoring of computer systems for security purposes in the nature of cybersecurity, unauthorized access, data breach, cloud detection and response
84.
AUTHENTICATION TOKEN WITH PROOF OF POSSESSION FOR GP PROXY SUPPORT
A method, system, and device for authenticating traffic for a web service. The method includes (i) generating a request for a first token for a user based at least in part on providing to a security portal to authenticate the user, (ii) obtaining a context structure comprising user information, a nonce, and a timestamp, (iii) intercepting a connection request on a local proxy listener, and (iv) generating an updated authentication token based at least in part on adding the first token and a proof of possession token to the connection request, wherein the proof of possession token is validated by a cloud service based at least in part on information comprised in the first token.
A signature generator has been designed that can create a malicious campaign signature with substantial coverage of malicious campaign behavior without impeding benign traffic. The malicious campaign signature generator uses data of multiple, known malicious campaigns to identify abused, benign network entities. The signature generator builds a graph data structure for each malicious campaign that represents the abused network entities. The relationships encoded in the graph data structure indicate the use of the combination of abused network entities in the campaign. The signature generator aggregates the graph data structures and identifies a combination of the benign network entities that were highly abused across the multiple malicious campaigns with respect to all of the abused network entities represented in the graph data structures. A signature is then created from the identifiers of this combination of highly abused network entities.
A cache manager tracks activity of cached resources and evicts those that are deemed inactive. The cache manager maintains a timestamp in cache memory for each cached resource and maintains an update threshold that indicates how often the last access time of a resource should be updated in storage. Upon receiving a request for a cached resource, the cache manager determines if a difference between the current time and the timestamp maintained for the resource in memory exceeds the threshold. If so, the cache manager updates the last access time of the resource in storage and updates the corresponding timestamp in cache memory. Additionally, a background process periodically iterates through cached resources maintained in storage and evaluates their last access times based on an inactivity threshold. Cached resources that have not been accessed within the inactivity threshold as determined based on the last access times are evicted from storage.
G06F 12/0891 - Addressing of a memory level in which the access to the desired data or data block requires associative addressing means, e.g. caches, using clearing, invalidating or resetting means
87.
ADAPTIVE RATE LIMITER BASED ON TRANSACTIONAL HEURISTICS AND ARTIFICIAL INTELLIGENCE
A system, method, and device for adaptively limiting web requests is disclosed. The method includes (i) receiving a request at a proxy for an authentication service, (ii) determining whether the request is trusted based at least in part on a classification obtained from a classifier, and (iii) handling the request according to a determination of whether the request is trusted.
Techniques for beacon and threat intelligence based Advanced Persistent Threat (APT) detection are disclosed. In some embodiments, a system/process/computer program product for beacon and threat intelligence based APT detection includes collecting firewall log data from monitored network traffic; analyzing the firewall log data at a cloud security service to identify beacon traffic based on a plurality of heuristics; performing a risk evaluation of the beacon traffic to detect malicious beacon traffic; and performing an action in response to detecting the malicious beacon traffic.
Various techniques for LLM powered detection reasoning solutions are disclosed. In some embodiments, a system, a process, and/or a computer program product for an LLM powered detection reasoning solution includes monitoring network traffic at a security platform, wherein the security platform generates a sample based on the monitored network traffic; sending the sample to a security service to generate a Large Language Model (LLM) powered detection and reason, wherein the LLM is prompted to automatically generate a malware or benign verdict and a reason for explaining the verdict; and reporting the LLM powered detection and reason.
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, using machine learning or artificial intelligence
90.
COMBINED INLINE CACHE PURGING AND PERIODIC HARD PURGING IN A CACHE SERVER
A cache server maintains and updates purge request counters per resource to be purged and a captured counter value per cached resource initialized with a default value. The cache server tracks resources to be purged in a purge request table, where each entry indicates a resource(s) and a purge request counter that is updated on receiving a purge request indicating the resource(s). Upon receipt of a fetch request for a resource, the cache server determines how to fulfill the request by comparing the captured counter value and the current value of the counter (if any) corresponding to the resource to determine if the resource was cached before a purge request for the resource was received. If so, the cache server refreshes the cached resource and updates the captured counter value with the value of the counter from the table. The cache server also periodically performs hard purges as a background process to remove stale cached resources.
A system generates vector representations of entries of traffic logs generated by a firewall. A first model learns contexts of values recorded in the logs during training, and the system extracts vector representations of the values from the trained model. For each log entry, vectors created for the corresponding values are combined to create a vector representing the entry. Cluster analysis of the vector representations can be performed to determine clusters of similar traffic and outliers indicative of potentially anomalous traffic. The system also generates a formal model representing firewall behavior which comprises formulas generated from the firewall rules. Proposed traffic scenarios not recorded in the logs can be evaluated based on the formulas to determine actions which the firewall would take in the scenarios. The combination of models which implement machine learning and formal techniques facilitates evaluation of both observed and hypothetical network traffic based on the firewall rules.
42 - Scientific, technological and industrial services, research and design
Goods and services
(1) Providing temporary use of online non-downloadable cloud native software application protection platform for early unauthorized access and early threat detection and prevention system to ensure security, visibility, and control of software applications throughout the entire application life cycle process, including securing code, infrastructure, workloads, data, networks, cloud identities, web applications, and application programming interfaces across cloud-native environments, under a single unified user interface.
94.
Automated service worker installation for client-initiated user identification and DLP scanning
A cybersecurity appliance orchestrates registration and installation of a service worker by a web browser. The service worker intercepts and modifies requests sent by the web browser for a SaaS application with tenant/user information and/or DLP scanning results. The cybersecurity appliance orchestrates the service worker registration and installation by modifying responses to requests sent by the web browser. Once installed, the service worker determines the logged in user for the session and modifies outbound requests to attach the user information (e.g., account name/email address) thereto. The service worker can also or alternatively monitor for input of data into web pages, designate the data for data loss prevention (DLP) scanning, and modify outbound requests to attach the DLP scanning result. The cybersecurity appliance receives the user information and/or DLP scanning results with requests sent by the web browser since the user information and/or results were attached to the requests client-side.
In some embodiments, a system, process, and/or computer program product includes encapsulating an original traffic header for a monitored flow from/to an entity in a virtualized environment; rerouting the flow from the entity in the virtualized environment to a security platform of a security service, wherein the security platform includes a virtualized firewall; performing security analysis at the security platform using the original traffic header; and rerouting the flow back to the entity in the virtualized environment for routing to an original destination based on the original traffic header, wherein the flow is rerouted over a network tunneling protocol to the security platform of the security service to isolate and protect workloads, application stacks, and/or services, and wherein an enforcement point is remote from a decision point using distributed traffic steering and enforcement via a distributed set of virtualized firewalls provided by the security service to facilitate application level segmentation.
G06F 11/14 - Error detection or correction of the data by redundancy in operation, e.g. by using different operation sequences leading to the same result
A system and method for performing automated learning of an Internet-of-Things (IoT) application are disclosed. The automated learning is based on generation of application-agnostic events, allowing the automated learning to be performed without prior knowledge of the IoT application.
H04L 41/0604 - Management of faults, events, alarms or notifications using filtering, e.g. reduction of information by using priority, element types, position or time
H04L 41/0631 - Management of faults, events, alarms or notifications using root cause analysis; Management of faults, events, alarms or notifications using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
H04L 41/069 - Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, using machine learning or artificial intelligence
H04L 41/5022 - Ensuring fulfilment of service level agreements by giving priorities, e.g. assigning classes of service
H04L 43/028 - Capturing of monitoring data by filtering
A host with a firewall and an offload device can be configured/programmed to balance security and cost. Services are instantiated on the firewall and on the offload device. The service on the firewall maintains data for offloaded flows that indicate the next-hops for the offloaded flows when offloaded. The service on the offload device periodically copies samples from offloaded flows and communicates the samples to the service on the firewall. The service on the firewall determines a next-hop for the copied samples according to the firewall's routing information. If the determined next-hop has changed from what is indicated in the offloaded flows data, then the service on the firewall updates the offloaded flows data and communicates the next-hop change to the service on the offload device which causes an update to the flow table on the offload device for relevant offloaded flows.
Techniques for an enhanced internal host detection protocol are disclosed. In some embodiments, a system, a process, and/or a computer program product for an enhanced internal host detection protocol includes sending a response to a get configuration query from a portal for a cloud security service to an endpoint agent; routing a DNS reverse lookup query to a predetermined IP address associated with a DNS proxy associated with the cloud security service; sending a response to the DNS reverse lookup query from the DNS proxy associated with the cloud security service; and verifying that the response to the DNS reverse lookup query is not spoofed based on a match with the response to the get configuration query.
A system, method, and device for classifying traffic is disclosed. The method includes (i) correlating a plurality of network traffic sessions with same source indicators to obtain correlated network traffic, (ii) classifying the plurality of network traffic sessions based at least in part on a plurality of first-layer classifiers to obtain a set of first-layer classifications, wherein the plurality of first-layer classifiers are respectively associated with a plurality of protocols, and (iii) determining a second-layer classification for the correlated network traffic based at least in part on the set of first-layer classifications.
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, using machine learning or artificial intelligence
H04L 69/18 - Multi-protocol handlers, e.g. single devices capable of handling multiple protocols
H04L 41/00 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
G06N 5/025 - Extracting rules from data
A context-based chat message data loss prevention system (“DLP system”) detects sensitive chat messages communicated via Software-as-a-Service (“SaaS”) applications. The DLP system receives chat messages via SaaS connectors and buffers the chat messages in sliding windows that correspond to context of chat messages within UIs of the SaaS application. The DLP system then filters messages in the sliding windows and classifies the filtered messages with a language model. The resulting sensitive/non-sensitive classifications by the language model thus incorporate chat context for corresponding SaaS applications.