Techniques for access point name and application identity based security enforcement in service provider networks (e.g., service provider networks for mobile subscribers) are disclosed. In some embodiments, a system/process/computer program product for access point name (e.g., APN) and application identity (e.g., application identifier) based security enforcement in service provider networks includes monitoring network traffic on a service provider network at a security platform to identify an access point name for a new session; determining an application identifier for user traffic associated with the new session at the security platform; and determining a security policy to apply at the security platform to the new session based on the access point name and the application identifier.

A system and methods of cybersecurity are provided, implementing: receiving multiple TCP/IP packets destined for a target host; determining from among the multiple TCP/IP packets, a subset of suspicious TCP/IP packets characterized by one or more suspicious traits; for each of the TCP/IP packets characterized by the one or more suspicious traits, extracting a TCP/IP timestamp header value and calculating a normalized timestamp value by subtracting a local system time from the TCP/IP timestamp header value; identifying a subgroup of the TCP/IP packets having a common normalized timestamp value indicative of generation by a common source host; receiving a subsequent TCP/IP packet destined for the target host; determining that the subsequent TCP/IP packet’s normalized timestamp value is the common normalized timestamp value; and responsively blocking the subsequent TCP/IP packet from reaching the target host.

A computer network security manager device connects to a first wireless router and then connects to a plurality of devices (e.g., a plurality of IoT devices). The computer network security manager device then performs device agnostic activation of the plurality of devices to enable the plurality of devices to perform respective functions of each device. The security manager device prevents the plurality of devices from connecting directly to the first wireless router and only allows other devices on the Internet to communicate with the plurality of devices according to specific firewall rules. In response to receiving an indication that the first wireless router to which the network security manager device is connected is out of service or no longer exists, the network security manager device prevents other devices on the Internet from being able to communicate with the plurality of devices.

At least one of a measure of trust or a measure of spoofing risk associated with a sender of a message is determined. A measure of similarity between an identifier of the sender of the message and an identifier of at least one trusted contact of a recipient of the message is determined. The measure of similarity is combined with at least one of the measure of trust or the measure of spoofing risk to at least in part determine a combined measure of risk associated with the message. Based at least in part on the combined measure of risk associated with the message, a verification action is performed including by automatically providing an inquiry message that requests a response to be provided.

Disclosed herein is a technique for detecting potential phishing attacks by monitoring outbound web traffic from an endpoint, along with inbound electronic mail traffic addressed to a user of the endpoint. With this information, a search can be performed for possible sources in the web traffic of a request for a hyperlink located in the inbound mail traffic, and when no source is located, phishing remediation can be performed, including restrictions on access to the hyperlink at an endpoint operated by the user.

Example methods and systems for a computer system to perform context-aware service query filtering are described. One example may involve a computer system intercepting a service query from a virtualized computing instance to pause forwarding of the service query towards a destination; and obtaining context information associated with an application running on the virtualized computing instance. In response to determination that the service query is a potential security threat based on the context information, service query filtering may be performed to inspect the service query for malicious activity. Otherwise, in response to determination that the service query is not a potential security threat based on the context information, the service query filtering may be skipped and the service query forwarded towards the destination.

Methods and systems are provided for facilitating access to a cloud-based logging service. According to one embodiment, access to a cloud-based logging service is integrated within a network security appliance by automatically configuring access settings for the logging service and creating an account for the security appliance with the logging service. A log is created within the logging service by making use of the automatically configured access settings and the account. A request is received by the security appliance to access data associated with the log. Responsive thereto and without requiring separate registration of a network administrator with the cloud-based logging service, the data is retrieved by the security appliance from the logging service and is presented via a graphical user interface of the security appliance.

Embodiments of the present disclosure relate to a method and apparatus for processing data. The method can include: receiving a SYN message with a destination address being a target IP; establishing a session based on a quadruple of the SYN message; and forwarding the SYN message to a server corresponding to the target IP.

A threat intelligence gateway (TIG) may protect TCP/IP networks from network (e.g., Internet) threats by enforcing certain policies on in-transit packets that are crossing network boundaries. The policies may be composed of packet filtering rules with packet-matching criteria derived from cyber threat intelligence (CTI) associated with Internet threats. These CTI-derived packet-filtering rules may be created offline by policy creation and management servers, which may distribute the policies to subscribing TIGs that subsequently enforce the policies on in-transit packets. Each packet filtering rule may specify a disposition that may be applied to a matching in-transit packet, such as deny/block/drop the in-transit packet or pass/allow/forward the in-transit packet, and also may specify directives that may be applied to a matching in-transit packet, such as log, capture, spoof-tcp-rst, etc. Often, however, the selection of a rule's disposition and directives that best protect the associated network may not be optimally determined before a matching in-transit packet is observed by the associated TIG. In such cases, threat context information that may only be available (e.g., computable) at in-transit packet observation and/or filtering time, such as current time-of-day, current TIG/network location, current TIG/network administrator, the in-transit packet being determined to be part of an active attack on the network, etc., may be helpful to determine the disposition and directives that may best protect the network from the threat associated with the in-transit packet. The present disclosure describes examples of methods, systems, and apparatuses that may be used for efficiently determining (e.g., accessing and/or computing), in response to the in-transit packet, threat context information associated with an in-transit packet. The threat context information may be used to efficiently determine the disposition and/or one or more directives to apply to the in-transit packet. This may result in dispositions and/or directives being applied to in-transit packets that better protect the network as compared with solely using dispositions and directives that were predetermined prior to receiving the in-transit packet.

A measure of similarity between an identifier of a sender of the message and each identifier of one or more identifiers of each trusted contact of a plurality of trusted contacts of a recipient of the message is determined. In the event the sender of the message is not any of the trusted contacts but at least one of the measure of similarity between the identifier of the sender of the message and a selected identifier of a selected trusted contact of the plurality of trusted contacts meets a threshold, the message is modified, if applicable, to alter content of a data field that includes an identification of the sender of the message. The data field is one of a plurality of data fields included in a header of the message.