H04L63/0236

System and method for detecting and blocking malicious attacks on a network
11570201 · 2023-01-31

Systems and methods of detecting and blocking malicious attacks on a computer network, including: receiving, by a memory-constrained gateway in communication with the computer network, a communication request from at least one device; identifying the type of the at least one device based on the received communication request; verifying that the device is of an allowed type from a predetermined list of allowed device types; checking at least one signature of the received communication request of the allowed device to detect malicious signatures; and blocking communication requests from devices with at least one malicious signature.

Dynamic security actions for network tunnels against spoofing

An example network device receives an encapsulated network packet via a network tunnel; extracts IPv6 header information from the encapsulated network packet; extracts IPv4 header information from the encapsulated network packet; determines that the encapsulated network packet is a spoofed network packet based on the IPv6 header information and the IPv4 header information; and, in response to detecting the spoofed network packet, transmits a message to a Tunnel Entry Point (TEP) device, the message including data representing the IPv6 header information and IPv4 header information. A tunnel entry point (TEP) device may receive the message and use it to detect spoofed IPv6 traffic, e.g., when the IPv6 header and the IPv4 header of an encapsulated packet match the IPv6 header and the IPv4 header specified in the message. In this manner, the TEP device may block, rate limit, or redirect spoofed network traffic.

Network traffic monitoring or storage using a signed uniform resource locator
11716263 · 2023-08-01

A network monitoring device may receive, from a mediation device, flow-tap information that identifies a traffic flow characteristic and a signed URL associated with a signed URL platform. The network monitoring device may map the traffic flow characteristic to the signed URL in an entry of a flow-tap filter that is maintained within a data structure of the network monitoring device. The network monitoring device may analyze, using the flow-tap filter, network traffic of the network to detect a traffic flow that is associated with the traffic flow characteristic. The network monitoring device may generate, based on detecting the traffic flow in the network traffic, a traffic flow copy that is associated with the traffic flow. The network monitoring device may provide, based on the signed URL, the traffic flow copy to the signed URL platform, wherein the traffic flow copy is to be accessible to an authorized user device via the signed URL.

Automated port configuration management in a service mesh

Systems, methods and/or computer program products for managing and dynamically automating service mesh communications between microservices, eliminating unnecessary exposure of microservice ports and increasing security between microservices of the service mesh. The control plane collects data describing communications between microservices and tracks the frequency at which microservices communicate. Collected data is fed to machine learning models which output a forecast predicting future communication interactions between microservices. Using the predicted requirements for facilitating communications between microservices of the service mesh, an allowed list of communications can be generated describing the microservices allowed to send and receive communications, the duration of communications allowed, when such communications are allowed, and the ports that will be used for facilitating the communication between microservices. Administrators of the service mesh may manually override one or more approved aspects of the dynamically generated allowed list configured automatically by the service mesh.

METHODS AND SYSTEMS FOR PROVIDING DATA FROM AN INTERNAL DATA PROCESSING SYSTEM OF AN INDUSTRIAL PLANT TO AN EXTERNAL DATA PROCESSING SYSTEM
20230022849 · 2023-01-26

Data are sent from an internal data processing system of an industrial plant to an external data processing system of the industrial plant by generating, with an industrial edge device, data packets from data related to an industrial machine, and generating therefrom signed data packets signed with a first digital signature. While the signed data packets are read, a user-defined data filter is applied, which either passes or rejects the signed data packets. The data packets that passed the user-defined data filter are then sent to the external data processing system.

SERVICE DETECTION METHOD AND APPARATUS, DEVICE, AND STORAGE MEDIUM
20230023154 · 2023-01-26

Disclosed are a service detection method and apparatus, a device, and a non-transitory computer-readable storage medium. The service detection method may include: determining a service time interval between service data; determining a matching result of the service time interval according to a set period value and a set jitter value in a preset periodicity judgment parameter; and determining that the service data is periodic service data in response to determining that the matching result of the current service time interval meets a periodicity condition according to a minimum number of matching time intervals and a maximum number of matching time intervals in the periodicity judgment parameter.

Synthetic audit events in workload segmentation

Systems and methods include operating a local security agent that is configured to allow or block flows based on security policies, to implement microsegmentation; and, responsive to a block of a flow, creating a synthetic audit event that reflects what the flow would have been had it not been blocked. The steps can include creating a packet for the flow and transmitting the packet with an indicator that it represents the synthetic audit event. The steps can include receiving the security policies which include an indicator on which blocks to create the synthetic audit event.

TREE-BASED LEARNING OF APPLICATION PROGRAMMING INTERFACE SPECIFICATION
20230025896 · 2023-01-26

A cybersecurity appliance monitoring application traffic to a web application programming interface (API) dynamically updates tree structures for the web API using the application traffic. An API tree generator generates batches of API trees from paths indicated in the application traffic. An API tree merger/pruner updates the generated batches of API trees with various merging, pruning, compacting, and malicious detection operations on the generated batches of API trees. The cybersecurity appliance implements the updated API trees with an API agent that filters the application traffic prior to processing by the web API.

NETWORK MANAGEMENT SERVICES IN A SECURE ACCESS SERVICE EDGE APPLICATION

A software-defined wide area network (SD-WAN) environment that leverages network virtualization management deployment is provided. Edge security services managed by the network virtualization management deployment are made available in the SD-WAN environment. Cloud gateways forward SD-WAN traffic to managed service nodes to apply security services. Network traffic is encapsulated with corresponding metadata to ensure that services can be performed according to the desired policy. Point-to-point tunnels are established between cloud gateways and the managed service nodes to transport the metadata to the managed service nodes using an overlay logical network. Virtual network identifiers (VNIs) in the metadata are used by the managed service nodes to identify tenants/policies. A managed service node receiving a packet uses provider service routers (T0-SR) and tenant service routers (T1-SRs) based on the VNI to apply the prescribed services for the tenant, and the resulting traffic is returned to the cloud gateway that originated the traffic.

FRAMEWORK FOR VALIDATING AND TROUBLESHOOTING NETWORK POLICY CONFIGURATIONS

This document describes a network policy evaluation platform that evaluates, validates, and troubleshoots network policy configurations. In one aspect, a method includes obtaining a first network policy applied by a container orchestration platform for managing network traffic for a cluster of container workloads. First network rules are extracted from the first network policy. A canonical rule model is generated for the first network rule(s). A second network policy applied by a network provider plugin configured to run within the cluster and to manage the network traffic for the cluster of container workloads is obtained. Second network rules are extracted from the second network policy. A canonical rule model is generated for the one or more second network rules. One or more conflicts between the first network policy and the second network policy are detected based on an evaluation of each first canonical rule model and each second canonical rule model.