Patent classifications
H04L43/028
IoT device identification with packet flow behavior machine learning model
Identifying Internet of Things (IoT) devices with packet flow behavior including by using machine learning models is disclosed. Information associated with a network communication of an IoT device is received. A determination of whether the IoT device has previously been classified is made. In response to determining that the IoT device has not previously been classified, a determination is made that a probability match for the IoT device against a behavior signature exceeds a threshold. Based at least in part on the probability match, a classification of the IoT device is provided to a security appliance configured to apply a policy to the IoT device.
Spam detection
A method of determining that a client is likely engaged in the sending of spam emails via a network node. The method comprises, at the network node, defining a message size threshold and a message sending rate threshold, detecting the opening of Simple Mail Transfer Protocol (SMTP) connections between a client device and an email server, identifying messages sent from the client over the SMTP connections which exceed said message size threshold, and counting the identified messages to determine a client email message sending rate. The method further comprises making an assumption that the client is engaged in the sending of spam emails if the client message sending rate exceeds said message sending rate threshold.
Data-determinant query terms
Systems and methods are disclosed for flexibly applying a query term to heterogeneous data. A query system can receive a query that includes a data-determinant query term. As the system executes the query, it can generate interim search results. As the system processes the interim search results based on the query, it can apply the data-determinant query term to records of the interim search results based on the structure of the records.
Server-side operations for edge analytics
Disclosed is a technique that can be performed by a server computer system. The technique can include obtaining data from each of multiple endpoint devices to form global data. The global data can be generated by the endpoint devices in accordance with local instructions in each of the endpoint devices. The technique further includes generating global instructions based on the global data and sending the global instructions to a particular endpoint device. The global instructions configure the particular endpoint device to perform a data analytic operation that analyzes events. The events can include raw data generated by a sensor of the particular endpoint device.
Dynamic service chaining and late binding
A visibility platform can be used to monitor traffic traversing private cloud infrastructures and/or public cloud infrastructures. In some instances, the traffic is provided to a set of network services that are accessible to the visibility platform. These network services can be provisioned in a serial or parallel fashion. Network service chaining can be used to ensure that traffic streams skip unnecessary network services and receive only those network services that are needed. For example, an email service chain can include virus, spam, and phishing detection, while a video streaming service chain can include traffic shaping policies to satisfy quality of service (QoS) guarantees. When the visibility platform is represented as a graph that makes use of action sets, network service chains can be readily created or destroyed on demand.
Methods and apparatus to determine main pages from network traffic
Methods and apparatus to determine main pages from network traffic are disclosed. A disclosed example non-transitory computer readable medium includes instructions which, when executed, cause at least one processor to determine patterns of uniform resource identifiers (URIs) with corresponding main pages, parse data from network traffic, identify at least one of the main pages from the data based on the patterns, and provide the identified at least one of the main pages for crediting thereof.
Data leakage protection in cloud applications
A computer-implemented method for data leakage protection is disclosed. A monitoring template corresponding to the cloud application is selected based upon communication between a user and a cloud application and from a plurality of monitoring templates. A monitor is generated using the selected monitoring template. Identifying information of content shared between the user and the cloud application is obtained using the generated monitor. Data about the shared content for security analysis is obtained according to the identifying information of the shared content.