H04L63/16

METHODS AND SYSTEMS OF DUAL-LAYER COMPUTER-SYSTEM SECURITY
20170302679 · 2017-10-19 ·

In one aspect, a computerized method for implementing dual-layer computer-system security in a private enterprise computer network includes the step of generating a user profile, wherein the user has access to the private enterprise computer network, and wherein the user profile comprises information specifying a user usage of the private enterprise computer network. The computerized method includes the step of setting a specified trigger value with respect to the specified user usage of the private enterprise computer network. The computerized method includes the step of detecting that the user usage exceeds the trigger value. The computerized method includes the step of modifying an access privilege of the user to the private enterprise computer network.

System and method providing automatic pushdown hierarchical filters

Systems, methods, and other embodiments are disclosed that are configured to generate a hierarchy of access rules in a protocol stack. Access rules corresponding to a first layer in a protocol stack are analyzed. The access rules determine, at the first layer, whether network sources are permitted access to a computing device. Dependent access rules are generated based at least in part on a combination of the access rules from the first layer. The dependent access rules are pushed down to a second layer in the protocol stack by implementing the dependent access rules at the second layer to determine, at the second layer, whether the network sources are permitted access to the computing device.
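
One way to compute the pushdown the abstract describes, as an added example that is not the patent's own code: the script below takes a constructed set of first-layer (HTTP path) rules, derives the strictest per-source rules a packet filter can enforce without seeing paths, renders them as iptables commands, and evaluates a few source addresses against them. The rule schema, the rule set, the port and the helper names are assumptions; the combination logic (admit any source that is allowed somewhere, drop a source only when its denies cover everything an enclosing allow opens) is one reasonable instance of the "dependent access rules" idea, not the patent's specific method.

```python
from ipaddress import ip_network, ip_address

# Constructed first-layer (application/HTTP) rules. Hypothetical schema:
# each entry decides whether a source prefix may reach one URL path.
APP_RULES = [
    {"src": "10.0.1.0/24",    "path": "/api/",   "action": "allow"},
    {"src": "10.0.2.0/24",    "path": "/admin/", "action": "allow"},
    {"src": "10.0.2.0/24",    "path": "/api/",   "action": "allow"},
    {"src": "10.0.2.77/32",   "path": "/admin/", "action": "deny"},   # partial deny
    {"src": "10.0.2.78/32",   "path": "/admin/", "action": "deny"},   # full deny
    {"src": "10.0.2.78/32",   "path": "/api/",   "action": "deny"},
    {"src": "192.168.5.0/24", "path": "/api/",   "action": "deny"},
]


def derive_network_rules(app_rules):
    """Combine path-level verdicts into per-prefix verdicts for the
    transport/network layer, which cannot see paths.

    - A prefix with at least one allow must be admitted below (the
      application still enforces the per-path denies).
    - A prefix with only denies may be dropped below, but only if its
      denies cover every path that an enclosing allowed prefix opens;
      otherwise dropping it would block requests the application would
      have accepted, so no network rule is emitted for it.
    """
    allowed, denied = {}, {}
    for r in app_rules:
        net = ip_network(r["src"])
        bucket = allowed if r["action"] == "allow" else denied
        bucket.setdefault(net, set()).add(r["path"])

    rules = []
    for net in set(allowed) | set(denied):
        if net in allowed:
            rules.append((net, "allow"))
            continue
        parents = [p for p in allowed if net != p and net.subnet_of(p)]
        if all(allowed[p] <= denied[net] for p in parents):
            rules.append((net, "deny"))
    # Most specific prefix first, so a /32 deny shadows its enclosing /24 allow.
    rules.sort(key=lambda r: (-r[0].prefixlen, int(r[0].network_address)))
    return rules


def permitted_at_network_layer(ip, rules):
    """Evaluate the pushed-down rules the way a first-match packet filter would."""
    addr = ip_address(ip)
    for net, action in rules:
        if addr in net:
            return action == "allow"
    return False  # default deny: the application never sees the packet


def to_iptables(rules, port=443):
    """Render as iptables commands for a host firewall (assumed INPUT chain)."""
    lines = []
    for net, action in rules:
        target = "ACCEPT" if action == "allow" else "DROP"
        lines.append(f"iptables -A INPUT -s {net} -p tcp --dport {port} -j {target}")
    lines.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return lines


if __name__ == "__main__":
    derived = derive_network_rules(APP_RULES)
    print("\n".join(to_iptables(derived)))
    for ip in ("10.0.1.5", "10.0.2.77", "10.0.2.78", "192.168.5.9", "8.8.8.8"):
        print(ip, "admitted" if permitted_at_network_layer(ip, derived) else "dropped")
```

Note the asymmetry that makes this safe: 10.0.2.77 is denied only for /admin/ while its /24 is allowed for /api/, so it must still be admitted at the lower layer and refused by the application; 10.0.2.78 is denied for every path its /24 opens, so it can be dropped before the request is ever parsed.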

PLATFORM FOR COMPUTING AT THE MOBILE EDGE
20170251368 · 2017-08-31 ·

Disclosed is a platform for providing computational resources at and/or near a mobile network perimeter. The platform may be used to provide computational resources adjacent to a small-cell radio via at least one Mobile Edge Compute (“MEC”) Appliance and at least one MEC Controller. The MEC Appliance can serve as the data plane to support data flow traffic. The MEC Controller can provide a micro-services architecture designed for resiliency, scalability, and extensibility. The platform can be used to de-centralize the mobile network operator's core network and/or associated macro-cell network topologies, generating a platform with enhanced flexibility, reliability, and performance. The platform can include a security architecture for effective privacy and access within a distributed topology of the network at and/or near the edge of the mobile network perimeter.

TECHNOLOGIES FOR ANNOTATING PROCESS AND USER INFORMATION FOR NETWORK FLOWS

Systems, methods, and computer-readable media for annotating process and user information for network flows. In some embodiments, a capturing agent, executing on a first device in a network, can monitor a network flow associated with the first device. The first device can be, for example, a virtual machine, a hypervisor, a server, or a network device. Next, the capturing agent can generate a control flow based on the network flow. The control flow may include metadata that describes the network flow. The capturing agent can then determine which process executing on the first device is associated with the network flow and label the control flow with this information. Finally, the capturing agent can transmit the labeled control flow to a second device, such as a collector, in the network.
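
How a capturing agent on a Linux host can attach process and user identity to a flow, as an added example that is not the patent's code: the kernel exposes every TCP socket with its owning uid and inode in /proc/net/tcp, and each process's open sockets appear as "socket:[inode]" links under /proc/<pid>/fd, so a flow 4-tuple can be joined to a pid through the inode. The /proc/net/tcp excerpt and the inode-to-process map below are constructed so the example runs offline; live_inode_map() shows how the map is built on a real host. The record layout returned by annotate_flow() is an assumption.

```python
import os
import socket
import struct

# Constructed /proc/net/tcp excerpt (Linux format): addresses are hex in
# host byte order, ports are hex in network order, column 10 is the socket inode.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   999        0 20481 1 0000000000000000 100 0 0 10 0
   1: 0A02000A:B6F2 1F0D0D0A:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 31337 1 0000000000000000 20 4 30 10 -1
   2: 0A02000A:0016 0B02000A:D431 01 00000000:00000000 00:00000000 00000000     0        0 40960 1 0000000000000000 20 4 30 10 -1
"""

# Constructed inode -> (pid, comm) map. On a live host build it with
# live_inode_map() below.
SAMPLE_INODE_MAP = {20481: (1234, "mysqld"), 31337: (4242, "curl"), 40960: (777, "sshd")}

TCP_STATES = {"01": "ESTABLISHED", "06": "TIME_WAIT", "0A": "LISTEN"}


def _decode_endpoint(field):
    """'0100007F:0CEA' -> ('127.0.0.1', 3306). The '<I' unpack assumes a
    little-endian host, which is how x86/arm64 kernels print the address."""
    hex_addr, hex_port = field.split(":")
    addr = socket.inet_ntoa(struct.pack("<I", int(hex_addr, 16)))
    return addr, int(hex_port, 16)


def parse_proc_net_tcp(text):
    sockets = []
    for line in text.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) < 10:
            continue
        laddr, lport = _decode_endpoint(f[1])
        raddr, rport = _decode_endpoint(f[2])
        sockets.append({
            "laddr": laddr, "lport": lport, "raddr": raddr, "rport": rport,
            "state": TCP_STATES.get(f[3], f[3]), "uid": int(f[7]), "inode": int(f[9]),
        })
    return sockets


def live_inode_map():
    """Walk /proc/<pid>/fd and map socket inodes to their owning process (Linux only)."""
    inodes = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            for fd in os.listdir(f"/proc/{pid}/fd"):
                target = os.readlink(f"/proc/{pid}/fd/{fd}")
                if target.startswith("socket:["):
                    inodes[int(target[8:-1])] = (int(pid), comm)
        except OSError:
            continue  # process exited, or not ours to inspect
    return inodes


def annotate_flow(flow, sockets, inode_map):
    """Return a control-flow record: the flow's 4-tuple plus the process that owns it.

    `flow` is seen from this host: (local_ip, local_port, remote_ip, remote_port).
    Matching order: exact established socket first, then a LISTEN socket on the
    local port (server side of a flow observed before the accept()).
    """
    lip, lport, _rip, _rport = flow
    match = next((s for s in sockets
                  if (s["laddr"], s["lport"], s["raddr"], s["rport"]) == flow), None)
    if match is None:
        match = next((s for s in sockets if s["state"] == "LISTEN" and s["lport"] == lport
                      and s["laddr"] in ("0.0.0.0", lip)), None)
    record = {"flow": flow, "pid": None, "process": None, "uid": None}
    if match is not None:
        record["uid"] = match["uid"]
        record["pid"], record["process"] = inode_map.get(match["inode"], (None, None))
    return record


if __name__ == "__main__":
    socks = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    for flow in [("10.0.2.10", 46834, "10.13.13.31", 443),
                 ("10.0.2.10", 22, "10.0.2.11", 54321),
                 ("10.0.2.10", 8080, "10.0.2.50", 40000)]:
        print(annotate_flow(flow, socks, SAMPLE_INODE_MAP))
```

A flow with no matching socket (the third one above) is still emitted, just unlabeled; the collector can then tell "short-lived connection the agent missed" apart from "connection with no owning process", which is itself a signal worth keeping.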

SYSTEM AND METHOD FOR DETERMINING KEYSTROKES IN SECURE SHELL (SSH) SESSIONS
20220311802 · 2022-09-29 · ·

A system and method for determining human keystrokes in a secure shell (SSH) session from SSH session data traffic provides insight and evidence of an intrusion into a computer network. In one embodiment, the presence of human keystroke(s) in an SSH session may be inferred using a sensor appliance. In one embodiment, the SSH data traffic is encoded in a vector, one or more communication patterns are identified in the vector and the presence of human keystrokes may be inferred from the one or more communication patterns.
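
The inference described above works on what is still visible through the encryption: direction, size and timing. The example below is added here and is not the patent's code or its specific vector encoding. It quantises each packet of a session into (time, direction, small/large), pairs small client packets with a small server packet arriving shortly afterwards (keystroke and echo), and then checks that the inter-keystroke gaps look human rather than machine-regular. The three traces are constructed; the size threshold, echo window and timing bounds are assumptions to tune against your own captures, since the per-keystroke packet size depends on the negotiated cipher and MAC.

```python
from statistics import mean, median, pstdev

# Constructed SSH session traces: (seconds, direction, tcp_payload_bytes), with
# "c" = client -> server and "s" = server -> client. Sizes mimic OpenSSH, where a
# single encrypted keystroke and its echo are small, equal-sized packets.
INTERACTIVE = [
    (0.000, "c", 36), (0.012, "s", 36),
    (0.180, "c", 36), (0.192, "s", 36),
    (0.410, "c", 36), (0.421, "s", 36),
    (0.520, "c", 36), (0.533, "s", 36),
    (0.905, "c", 36), (0.917, "s", 36),
    (1.100, "c", 36), (1.115, "s", 36), (1.140, "s", 820),  # Enter, then command output
]
BULK = [(i * 0.001, "c", 1448) for i in range(40)] + [(0.041, "s", 36)]  # scp-like upload
SCRIPTED = [(i * 0.010 + d, k, 36) for i in range(8) for d, k in ((0.0, "c"), (0.002, "s"))]

SMALL = 64                # bytes: upper bound for a one-keystroke SSH packet (assumed)
ECHO_WINDOW = 0.100       # seconds: the echo must follow the keystroke within this
MIN_KEYS = 4              # fewer pairs than this is not enough evidence
HUMAN_GAP = (0.030, 2.0)  # plausible median inter-keystroke interval, seconds
MIN_CV = 0.15             # human timing is irregular; automation is near-constant


def encode(packets):
    """Vector form of the session: (time, direction, size_class). Sizes are
    quantised so the pattern matcher does not depend on one cipher's framing."""
    return [(t, d, "small" if n <= SMALL else "large") for t, d, n in sorted(packets)]


def keystroke_pairs(vec):
    """Times of small client packets answered by a small server packet within the window."""
    times = []
    for i, (t, d, cls) in enumerate(vec):
        if d != "c" or cls != "small":
            continue
        for t2, d2, cls2 in vec[i + 1:]:
            if t2 - t > ECHO_WINDOW:
                break
            if d2 == "s" and cls2 == "small":
                times.append(t)
                break
    return times


def infer_human_keystrokes(packets):
    """Decide whether the session contains interactive typing, with the evidence."""
    times = keystroke_pairs(encode(packets))
    verdict = {"pairs": len(times), "median_gap": None, "cv": None, "human": False}
    if len(times) < MIN_KEYS:
        return verdict
    gaps = [b - a for a, b in zip(times, times[1:])]
    med = median(gaps)
    cv = pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else 0.0
    verdict.update(median_gap=round(med, 3), cv=round(cv, 3))
    verdict["human"] = HUMAN_GAP[0] <= med <= HUMAN_GAP[1] and cv >= MIN_CV
    return verdict


if __name__ == "__main__":
    for name, trace in (("interactive", INTERACTIVE), ("bulk", BULK), ("scripted", SCRIPTED)):
        print(name, infer_human_keystrokes(trace))
```

The scripted trace is the case to watch: it produces as many keystroke/echo pairs as a human session, so counting pairs alone would flag every automated login. The coefficient-of-variation check is what separates a person at a keyboard from a tool replaying commands at a fixed cadence.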

SYSTEM AND METHOD FOR DETECTING COMPUTER ATTACKS
20170279820 · 2017-09-28 ·

One embodiment of the invention is a system that stores a characteristic “modus operandi” for each type of computer attack that has historically been encountered or that could potentially be encountered on a computer network. In this embodiment, the system uses criteria derived from a modus operandi to query an event data store, identifying entities (host computers, user credentials, or malicious software objects) on the network that meet those criteria. The system also queries a flow data store to identify network connections among the identified entities that meet the criteria for the modus operandi. The identified entities and network connections are then analyzed to determine whether an attack matching the modus operandi is underway. If so, the system transmits a notification to permit the attack to be thwarted before it is completed (i.e., before exfiltration of sensitive stolen data occurs).

SECURITY IN SOFTWARE DEFINED NETWORK
20170324781 · 2017-11-09 · ·

At least one security policy is obtained from a policy creator at a controller in an SDN network. The security policy is implemented in the SDN network, via the controller, based on one or more attributes specifying a characteristic of the security policy, a role of the creator of the security policy, and a security privilege level of that role.

Automatic generation of attribute values for rules of a web application layer attack detector

According to one embodiment, a web application layer attack detector (AD) is coupled between an HTTP client and a web application server. Responsive to receipt of a set of packets from the HTTP client carrying a web application layer message that violates a condition of a security rule, the AD transmits an alert package to an automatic attribute value generation and rule feedback module (AVGRFM). The AVGRFM uses the alert package, and optionally other alert packages from the same AD or other ADs, to automatically generate a new set of attribute values for each of a set of attribute identifiers for use, by the AD or other ADs, in a different security rule than the violated security rule. The new set of attribute values may be used in an attack-specific rule to detect a previously unknown web application layer attack.

Scaling IPsec processing on a virtual machine
11196727 · 2021-12-07 · ·

Certain embodiments described herein are generally directed to performing receive side scaling at a virtual network interface card for encapsulated encrypted data packets based on the Security Parameter Index (SPI) value of the encapsulated encrypted data packets.
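
Why hashing on the SPI matters, as an added example that is not the patent's code: conventional RSS hashes the outer (src, dst) addresses, and every IPsec tunnel between the same two gateways shares those, so all SAs land on one queue and one core. The script below parses native ESP (IP protocol 50) and UDP-encapsulated ESP (port 4500), extracts the SPI, and runs the standard Toeplitz hash over it instead. The packets are constructed; the SPIs are chosen so the hash can be checked by hand (a single set bit selects one 32-bit window of the key); the queue count and the helper names are assumptions.

```python
import struct

# Standard 40-byte Toeplitz key published with the Microsoft RSS verification suite.
RSS_KEY = bytes.fromhex(
    "6d5a56da255b0ec24167253d43a38fb0d0ca2bcbae7b30b477cb2da38030f20c6a42b73bbeac01fa"
)
IPPROTO_ESP, IPPROTO_UDP, NATT_PORT = 50, 17, 4500


def toeplitz_hash(data, key=RSS_KEY):
    """Toeplitz hash as used by RSS: XOR the 32-bit key window at every set input bit."""
    key_int, key_bits, result = int.from_bytes(key, "big"), len(key) * 8, 0
    for i, byte in enumerate(data):
        for b in range(8):
            if byte & (0x80 >> b):
                bit = i * 8 + b
                result ^= (key_int >> (key_bits - 32 - bit)) & 0xFFFFFFFF
    return result


def extract_spi(frame):
    """Return the ESP SPI of a raw IPv4 packet, for native ESP (proto 50) or
    UDP-encapsulated ESP on port 4500 (RFC 3948). None for anything else,
    including the IKE non-ESP marker (four zero bytes) in the NAT-T stream."""
    if len(frame) < 20 or (frame[0] >> 4) != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    if len(frame) < ihl + 8:
        return None
    proto = frame[9]
    if proto == IPPROTO_ESP:
        esp = frame[ihl:]
    elif proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", frame[ihl:ihl + 4])
        if NATT_PORT not in (sport, dport):
            return None
        esp = frame[ihl + 8:]
    else:
        return None
    if len(esp) < 8:  # SPI + sequence number
        return None
    spi = struct.unpack("!I", esp[:4])[0]
    return spi or None  # SPI 0 is reserved; in NAT-T it marks IKE, not ESP


def queue_for_esp(frame, nqueues):
    """RSS on the SPI: each SA gets its own hash input, so tunnels between the
    same two gateways can fan out across queues instead of piling onto one."""
    spi = extract_spi(frame)
    if spi is None:
        return None
    return toeplitz_hash(spi.to_bytes(4, "big")) % nqueues


def queue_for_ip_pair(frame, nqueues):
    """Conventional RSS over the outer (src, dst) addresses, for comparison."""
    return toeplitz_hash(frame[12:20]) % nqueues


def build_esp_packet(src, dst, spi, natt=False, payload=b"\x00" * 32):
    """Constructed outer IPv4 + optional UDP/4500 + ESP header; checksums left zero."""
    esp = struct.pack("!II", spi, 1) + payload
    if natt:
        esp = struct.pack("!HHHH", NATT_PORT, NATT_PORT, 8 + len(esp), 0) + esp
    proto = IPPROTO_UDP if natt else IPPROTO_ESP
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(esp), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + esp


if __name__ == "__main__":
    # Three SAs between the same gateways; one of them NAT-T encapsulated.
    for spi in (0x80000000, 0x40000000, 0x00000001):
        pkt = build_esp_packet("203.0.113.1", "198.51.100.1", spi, natt=bool(spi & 1))
        print(f"spi={spi:08x} ip-pair queue={queue_for_ip_pair(pkt, 8)} "
              f"spi queue={queue_for_esp(pkt, 8)}")
```

Two caveats a practitioner would add. First, the queue is still chosen per SA, not per inner flow, so a single busy tunnel remains pinned to one core; the gain is spreading many SAs, which is exactly the virtual-gateway case. Second, the selector must not trust a zero SPI or a short packet: the NAT-T port carries IKE and keepalives on the same 5-tuple, and a selector that indexes a queue from garbage is a crash in the datapath.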

SYSTEM AND METHOD OF ASSIGNING REPUTATION SCORES TO HOSTS

A method provides for receiving network traffic from a host having a host IP address and operating in a data center, and analyzing a malware tracker for IP addresses of hosts having been infected by a malware to yield an analysis. When the analysis indicates that the host IP address has been used to communicate with an external host infected by the malware, the method assigns a reputation score to the host based on that indication. The method can further include applying a conditional policy associated with using the host based on the reputation score. The reputation score can be a reduced reputation score relative to a previous reputation score for the host.
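
The scoring loop in working form, as an added example that is not the patent's code: flow records from a data-center sensor are joined against a malware-tracker feed keyed by external IP, each internal host's previous score is reduced per distinct infected peer (with a dedupe window so a beaconing host is penalised once per hour rather than once per beacon), and a conditional policy band is applied to the result. The tracker feed, the flow records, the penalty weights and the policy bands are all constructed or assumed.

```python
from datetime import datetime, timedelta

# Constructed malware-tracker feed: external IPs observed serving or controlled
# by a malware family, as a public blocklist would publish them.
MALWARE_TRACKER = {
    "185.220.101.4": "cobaltstrike",
    "45.142.212.61": "emotet",
}
FAMILY_PENALTY = {"cobaltstrike": 40, "emotet": 25}  # assumed severity weights
DEFAULT_PENALTY = 15
INITIAL_SCORE = 100

# Constructed flow records from a data-center sensor: (time, src, dst, dport, bytes)
FLOWS = [
    ("2024-05-01T10:00:00", "10.20.0.5", "142.250.80.14", 443, 5120),
    ("2024-05-01T10:01:10", "10.20.0.5", "185.220.101.4", 443, 912),
    ("2024-05-01T10:02:30", "10.20.0.5", "185.220.101.4", 443, 1088),  # same C2, same hour
    ("2024-05-01T10:05:00", "10.20.0.9", "45.142.212.61", 8080, 2048),
    ("2024-05-01T10:06:00", "10.20.0.7", "142.250.80.14", 443, 7000),
]


def analyze_tracker(flows, tracker):
    """Join flows against the tracker: {host_ip: [(time, infected_ip, family), ...]}."""
    hits = {}
    for ts, src, dst, _port, _n in flows:
        if dst in tracker:
            hits.setdefault(src, []).append((ts, dst, tracker[dst]))
    return hits


def assign_reputation(previous, host_hits, dedupe_window=timedelta(hours=1)):
    """Reduce the previous score once per (infected peer, family) within the
    window, so repeated identical beacons do not drive a host straight to zero."""
    score, seen = previous, {}
    for ts, infected, family in sorted(host_hits):
        t = datetime.fromisoformat(ts)
        last = seen.get((infected, family))
        if last is not None and t - last < dedupe_window:
            continue
        seen[(infected, family)] = t
        score -= FAMILY_PENALTY.get(family, DEFAULT_PENALTY)
    return max(score, 0)


def conditional_policy(score):
    """Assumed policy bands: what the host may still do given its reputation."""
    if score >= 70:
        return "allow"
    if score >= 40:
        return "restrict-egress"  # outbound only via the proxy, with full logging
    return "quarantine"           # isolate the host and open an incident


def score_hosts(flows, tracker, previous_scores=None):
    """Score every internal host seen in the flows, carrying forward prior scores."""
    previous_scores = previous_scores or {}
    hits = analyze_tracker(flows, tracker)
    hosts = {src for _t, src, *_rest in flows}
    result = {}
    for h in sorted(hosts):
        prev = previous_scores.get(h, INITIAL_SCORE)
        score = assign_reputation(prev, hits.get(h, []))
        result[h] = {"score": score, "policy": conditional_policy(score),
                     "hits": len(hits.get(h, []))}
    return result


if __name__ == "__main__":
    for host, r in score_hosts(FLOWS, MALWARE_TRACKER).items():
        print(host, r)
    # A host that already had a reduced score from an earlier run drops further.
    print(score_hosts(FLOWS, MALWARE_TRACKER, {"10.20.0.5": 70})["10.20.0.5"])
```

The carried-forward score is the part that makes this more than a blocklist lookup: the same two contacts that only restrict a clean host will quarantine one that was already under suspicion, which is the "reduced from a previous reputation score" behaviour the abstract calls out.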