Patent classifications
H04L63/0254
PRIVACY PRESERVING MALICIOUS NETWORK ACTIVITY DETECTION AND MITIGATION
A method includes accessing a first intelligence feed including a plurality of cybersecurity incidents. A second intelligence feed is generated including a plurality of technical indicators defined on one or more virtual private network internet point of presence (“VPN internet PoP”) that connects a plurality of VPN tunnels to an internet. The first and second intelligence feeds are compared, a particular incident is determined, and a time frame of the particular incident is determined. Use of a particular VPN internet PoP by a plurality of sources including a plurality of clients is monitored to determine a plurality of time-based behaviors. The plurality of time-based behaviors are compared to the particular incident and to the time frame to determine a match. A particular source is blocked at the particular VPN internet PoP based on the determination of the match.
On-box behavior-based traffic classification
In one embodiment, a networking device in a network detects a traffic flow conveyed in the network via the networking device. The networking device generates flow data for the traffic flow. The networking device performs a classification of the traffic flow using the flow data as input to a machine learning-based classifier. The networking device performs a mediation action based on the classification of the traffic flow.
SYSTEMS AND METHODS FOR FILTERING NETWORK COMMUNICATIONS WITH A DEMILITARIZED ZONE
Systems and methods for filtering data network communications using a demilitarized zone (DMZ) are provided. One embodiment includes receiving a first communication from an untrusted network for delivery to a computing device on a trusted network, where the first communication includes a payload and a header. In some embodiments, the method includes filtering the header to determine an internet protocol (IP) address of a remote computing device of the first communication and to determine whether the IP address is associated with an approved remote computing device. Some embodiments include determining whether the header identifies an approved TCP port and/or an approved UDP port. Some embodiments include terminating transmission of the first communication and examining the first communication to determine whether the first communication includes malware. Embodiments may also include maintaining legitimate session records and ensuring the first communication originated from a trusted data source.
Secure administration of a local communication network comprising at least one communicating object
A method of managing a local area communication network comprising at least one access equipment for accessing the network is disclosed. At least one communicating object is connected to the network. In one aspect, the method comprises upon detecting connection of a new communicating object to the network and/or upon detecting installation of new firmware on the at least one communicating object connected to the network, a learning phase involving observing interactions of the communicating object with at least one other equipment of the local area network and/or at least one equipment of a wide area communication network accessible via the access equipment. In addition, at least one security rule associated with the communicating object on the basis of the observed interactions is disclosed.
Regulation methods for proxy services
Systems and methods to manage and regulate the requests of multiple proxy clients are disclosed. In one aspect, the systems and methods disclosed herein aid in configuring proxy server(s) with a rate-limit functionality. Configuration of the rate-limit functionality may be realized by, but not limited to, installing configuration file(s) and/or software application(s) on the proxy server(s). The configuration provides information about the list of restricted and unrestricted domains and their respective request limit specification in a given time frame. Therefore, each time before a proxy server forwards the clients' requests to a target domain, the proxy server checks and ensures that the request count to the particular target domain is well within the limit specified in the request limit specification. Thus, the embodiments described herein aid in preventing the IP addresses of proxy service providers from being blocked or denied by the target websites.
Multi-tenant cloud-based firewall systems and methods
Multi-tenant cloud-based firewall systems and methods are described. The firewall systems and methods can operate overlaid with existing branch office firewalls or routers as well as eliminate the need for physical firewalls. The firewall systems and methods can protect users at user level control, regardless of location, device, etc., over all ports and protocols (not only ports 80/443) while providing administrators a single unified policy for Internet access and integrated reporting and visibility. The firewall systems and methods can eliminate dedicated hardware at user locations, providing a software-based cloud solution. The firewall systems and methods support application awareness to identify applications; user awareness to identify users, groups, and locations regardless of physical address; visibility and policy management providing unified administration, policy management, and reporting; threat protection and compliance to block threats and data leaks in real-time; high performance through an in-line cloud-based, scalable system; etc.
FLOWSPEC GATEWAY
FlowSpec is a mechanism for distributing rules to routers in a network. Such rules may be used, for example, to drop traffic associated with a distributed denial of service attack. However, a malformed or incorrect FlowSpec announcement may, if distributed in the network, cause legitimate traffic to be dropped, degrading the service experienced by legitimate users. As such, systems and methods for avoiding the distribution of malformed FlowSpec announcements are provided.
Unsupervised encoder-decoder neural network security event detection
A method may include a processing system having at least one processor obtaining a first plurality of domain name system traffic records, generating an input aggregate vector from the first plurality of domain name system traffic records, where the input aggregate vector comprises a plurality of features derived from the first plurality of domain name system traffic records, and applying an encoder-decoder neural network to the input aggregate vector to generate a reconstructed vector, where the encoder-decoder neural network is trained with a plurality of aggregate vectors generated from a second plurality of domain name system traffic records. In one example, the processing system may then calculate a distance between the input aggregate vector and the reconstructed vector, and apply at least one remedial action associated with the first plurality of domain name system traffic records when the distance is greater than a threshold distance.
Verifying intents in stateful networks using atomic address objects
An example method includes: receiving a plurality of intent-based network policies in a network, wherein each intent-based policy comprises at least a rule and an action to be performed by a network function on a network packet in response to the rule being matched; identifying a set of header address spaces comprising a plurality of addresses that match to a same set of rules and actions; creating an atomic address object representing the identified set of header address spaces; and verifying the plurality of intent-based network policies using the atomic address object.
Distinguishing network connection requests
A network apparatus detects connection requests and extracts related data. The data is analyzed to determine whether the host is in an active state, whether the host matches a domain referrer, and an amount of time from a last connection request. If it is detected that the host is not in an active state, the host does not match the domain referrer, and the amount of time from the last connection request exceeds a predetermined new session threshold, then the connection request is classified as a main request. If the amount of time from the last connection request is below a predetermined continuous session threshold, then any connection requests following the main request are classified as sub-requests. If the domain of the host in the active state does not match the current host for a sub-request, the sub-request is classified as a third-party request.