Patent classifications
H04L9/40
Detecting domain fronting through correlated connections
According to an embodiment, a method receives one or more messages associated with connecting a client and a first host. At least one of the messages comprises an encrypted portion indicating the first host and at least one of the messages comprises a cleartext portion indicating a second host. The method determines first and second sets of links associated with the first and second host, respectively. The first set is determined based on monitoring a result of connecting the client and the first host. The second set is determined based on observing behavior associated with connecting to the second host. The method detects domain fronting in response to determining, based on comparing the first set of links and the second set of links, that the first host differs from the second host.
Configuration of a virtual private network server
A method including retrieving, by a processor associated with a virtual private network (VPN) server, an initial operating system stored in a non-volatile memory, the initial operating system being associated with the VPN server providing VPN services; storing, by the processor, the initial operating system in a volatile memory; executing, by the processor, the initial operating system from the volatile memory to obtain a VPN operating system; storing, by the processor, the VPN operating system in the volatile memory; and executing, by the processor, the VPN operating system from the volatile memory to provide the VPN services. Various other aspects are contemplated.
Distributed messaging communication system integrated with a cross-entity collaboration platform
A communication/collaboration system enables a first user at a first entity to define a collaboration object, and to invite a second entity to collaborate on the collaboration object in accordance with a hierarchy with corresponding permissions. A second user at a second entity is enabled to collaborate on the collaboration object. A communications log regarding the collaboration between the first user and the second user is maintained. A communications log between the first user and other users at the first entity is maintained. A communication interface is displayed on the first user computer system that displays the log of communications between the first user and the second user on the collaboration object, together with the log of communications regarding the collaboration object between the first user and other users at the first entity, and excluding communications regarding the collaboration object between the second user and other users at the second entity.
Method and apparatus for providing IP address filtering
A method and apparatus for providing IP address filtering. The method identifies one or more suspicious Uniform Resource Locators (URLs) and resolves the one or more suspicious URLs to one or more suspicious IP addresses. A suspicious IP address list is created containing the one or more suspicious IP addresses. The suspicious IP address list may be used to facilitate a security response to filter one or more of the IP addresses in the suspicious IP address list.
Method and system for providing DNS security using process information
Domain Name System (DNS) security using process information is provided. An application accessing an internet service using a domain name is determined. Process information associated with the application, along with an associated DNS query to identify an IP address associated with the domain name, is identified. The process information and the associated DNS query are sent to a DNS security service. An action based on a response from the DNS security service is performed.
Web page spectroscopy
Facilitating web page spectroscopy in a communications network is provided herein. A system can comprise a processor and a memory that stores executable instructions that, when executed by the processor, facilitate performance of operations. The operations can comprise receiving first data that describes a first communication packet flow and second data that describes a second communication packet flow. The operations can also comprise training a model based on the first data and the second data, as a result of which the model is trained to detect respective behaviors represented by the first data and the second data. Further, the operations can comprise extracting a common parameter from third data that describes a third communication packet flow and fourth data that describes a fourth communication packet flow based on the model.
Distributed identity system with local identification
A distributed identity system with local identification includes an identity system device and at least one local electronic device. The local electronic device locally stores at least a portion of identity information and the biometric identification information stored by the identity system device. The local electronic device determines identities by comparing received digital representations of biometrics with locally stored biometric identification information, performs actions using locally stored identity information included in the local copy, and uploads data related to the actions to the identity system device upon occurrence of an upload condition.
Systems and methods for protecting against exposure to content violating a content policy
A method for protecting against exposure to content violating a content policy, the method including receiving a number of content items including a first set of content items associated with a content group, determining a measurement associated with an amount of the first set of content items belonging to a specific content category, assigning one or more of the number of content items to be categorized by at least one of the machine learning algorithm or a manual review process, automatically applying the specific content category to one or more other content items of the content group such that the one or more other content items are not reviewed by the manual review process, and transmitting at least one of the number of content items, wherein the content category of each of the number of content items indicates whether the specific content item violates any content policies.
Scanning of content in weblink
An illustrative computing system for a weblink content scanning system scans an electronic message for the presence of one or more weblinks. The computing system accesses, in a sandbox computing environment, content linked to the one or more weblinks. The computing system generates a hash of the accessed content and/or content linked to weblinks accessible via the accessed content. The computing system scans the content accessed via the one or more weblinks for a presence of malicious content and categorizes the scanned content accessed via the one or more weblinks (e.g., safe, malicious, and the like), associates the categorization with each corresponding hash, and saves such information to a data store for future analysis. Based on a result of this analysis, the computing system allows delivery of the original electronic message or generates a modified electronic message for delivery to a recipient device.
Data breach protection
A computer-implemented method to detect a data breach in a network-connected computing system, including: generating, at a trusted secure computing device, a copy of data distributed across a network; the computing device accessing sensitive information for the network-connected computer system and searching for at least part of the sensitive information in the copy of the data; and, in response to an identification of sensitive information in the copy of the data, identifying the sensitive information as compromised sensitive information.