H04L63/16

Application monitoring prioritization

An approach for establishing a priority ranking for endpoints in a network. This can be useful when triaging endpoints after an endpoint becomes compromised. Ensuring that the most critical and vulnerable endpoints are triaged first can help maintain network stability and mitigate damage to endpoints in the network after an endpoint is compromised. The present technology involves determining a criticality ranking and a secondary value for a first endpoint in a datacenter. The criticality ranking and secondary value can be combined to form a priority ranking for the first endpoint, which can then be compared to a priority ranking for a second endpoint to determine whether the first endpoint or the second endpoint should be triaged first.

Technologies for managing compromised sensors in virtualized environments

Systems, methods, and computer-readable media for managing compromised sensors in multi-tiered virtualized environments. In some embodiments, a system can receive, from a first capturing agent deployed in a virtualization layer of a first device, data reports generated based on traffic captured by the first capturing agent. The system can also receive, from a second capturing agent deployed in a hardware layer of a second device, data reports generated based on traffic captured by the second capturing agent. Based on the data reports, the system can determine characteristics of the traffic captured by the first capturing agent and the second capturing agent. The system can then compare the characteristics to determine a multi-layer difference in traffic characteristics. Based on the multi-layer difference in traffic characteristics, the system can determine that the first capturing agent or the second capturing agent is in a faulty state.

Hierarchical sharding of flows from sensors to collectors

Systems, methods, and computer-readable media for hierarchical sharding of flows from sensors to collectors. A first collector can receive a first portion of a network flow from a first capturing agent and determine that a second portion of the network flow was not received from the first capturing agent. The first collector can then send the first portion of the network flow to a second collector. A third collector can receive the second portion of the network flow from a second capturing agent and determine that the third collector did not receive the first portion of the network flow. The third collector can then send the second portion of the network flow to the second collector. The second collector can then aggregate the first portion and the second portion to yield the entire network flow.

System and method of detecting whether a source of a packet flow transmits packets which bypass an operating system stack

A method includes capturing first data associated with a first packet flow originating from a first host, using a first capture agent deployed at the first host, to yield first flow data; capturing second data associated with a second packet flow originating from the first host, from a second capture agent deployed on a second host, to yield second flow data; and comparing the first flow data and the second flow data to yield a difference. When the difference is above a threshold value, the method includes determining that the second packet flow was transmitted by a component that bypassed the operating system stack of the first host or a packet capture agent at the device to yield a determination, detecting that hidden network traffic exists, and predicting a malware issue with the first host based on the determination.

Method and system for preventing medium access control (MAC) spoofing attacks in a communication network

A method for preventing Medium Access Control (MAC) spoofing attacks in a communication network may include obtaining, by a protection layer, a connection request for connecting a terminal to the communication network. The method may include issuing, by the protection layer, a MAC authentication request to a Network Access Control (NAC) server, the MAC authentication request being a request to determine whether a MAC address of the terminal is whitelisted. The method may include responding, by the NAC server, to the MAC authentication request of the protection layer by allowing the terminal to join the communication network based on whether the MAC address of the terminal is whitelisted. The method may include sending, by the NAC server, a log message to a log analyzer server, the log message including a result identifying whether the MAC address of the terminal is whitelisted.

Generate a communication graph using an application dependency mapping (ADM) pipeline

This disclosure generally relates to a method and system for generating a communication graph of a network using an application dependency mapping (ADM) pipeline. In one aspect of the disclosure, the method comprises receiving network data (e.g., flow data and process information at each node) from a plurality of sensors associated with a plurality of nodes of the network, determining a plurality of vectors and an initial graph of the plurality of nodes based upon the network data, determining similarities between the plurality of vectors, clustering the plurality of vectors into a plurality of clustered vectors based upon the similarities between the plurality of vectors, and generating a communication graph of the network system based upon the plurality of clustered vectors.

Method of managing a tamper-proof device comprising several software containers

The invention is a method for managing a tamper-proof device comprising a plurality of software containers and an operating system. The operating system is able to handle a set of communication protocols with external entities. The operating system accesses pairing data in which each communication protocol of said set has been associated with a single software container, and upon receipt of a message from one of the external entities, the operating system uses the pairing data to route the message to the software container associated with the communication protocol used to convey the message.

Method of managing privileges in a tamper-proof device comprising several software containers

The invention is a method for managing a tamper-proof device comprising a processor and an operating system able to handle a set of communication protocols with external entities. The operating system accesses ruling data specifying, for each communication protocol of the set, whether the Card Lock, Card Terminate and Final Application privileges as defined by the GlobalPlatform Card Specification (V2.3) are authorized or forbidden. Upon receipt of a command from one of said external entities, the operating system uses the ruling data to deny or authorize execution of the command based on the communication protocol used to convey the command.

Encryption techniques for constraining browser cookies
11381600 · 2022-07-05

Methods, systems, and apparatus, including computer programs encoded on computer storage media, for creating secure browser cookies. One of the methods includes providing an encrypted cookie request that requests encryption of a cookie of the digital component provider and includes a digital component request identifier; receiving an encrypted cookie generated by encrypting the cookie using the digital component request identifier and an encryption key, wherein the encrypted cookie is configured for inclusion in a request for digital components from the digital component provider for presentation on the webpage; generating a digital component request for digital components that includes the encrypted cookie and requests identification of a digital component selected for presentation on the webpage using the encrypted cookie; and transmitting the digital component request that includes the encrypted cookie and requests identification of a digital component selected for presentation on the webpage using the encrypted cookie.

Holistic and Verified Security of Monitoring Protocols
20220255951 · 2022-08-11

Data is received that characterizes a computing architecture including at least one web-based server and an associated cryptographic web protocol to be implemented on such computing architecture according to a desired formal specification. Thereafter, a plurality of inattentive variants complying with the web protocol are generated without associated security checks. Messages to and from each inattentive variant are then monitored while executing the associated security checks. At least one security monitor is generated based on the monitored messages that is configured to address security vulnerabilities in the computing architecture relative to the formal specification. At least one generated security monitor can be later deployed in the computing architecture. Related apparatus, systems, techniques and articles are also described.