A network monitoring, reporting and risk mitigation system collects events at a computing device within the local network to provide improved network security. The events are aggregated into alerts, which may be processed according to triggering definitions in order to create ARO (action, recommendations and observations) reports providing required or recommended actions to take or observations to a network administrator. The ARO reports may be processed by a remote server in order to generate contextual feedback for updating the triggering definitions.

A method for training a machine learning model using information pertaining to characteristics of upload activity performed at one or more client devices includes generating first training input including (i) information identifying first amounts of data uploaded during a specified time interval for one or more of multiple application categories, and (ii) information identifying first locations external to a client device to which the first amounts of data are uploaded. The method includes generating a first target output that indicates whether the first amounts of data uploaded to the first locations correspond to malicious or non-malicious upload activity. The method includes providing the training data to train the machine learning model on (i) a set of training inputs including the first training input, and (ii) a set of target outputs including the first target output.

According to an embodiment, a method receives one or more messages associated with connecting a client and a first host. At least one of the messages comprises an encrypted portion indicating the first host and at least one of the messages comprises a cleartext portion indicating a second host. The method determines first and second sets of links associated with the first and second host, respectively. The first set is determined based on monitoring a result of connecting the client and the first host. The second set is determined based on observing behavior associated with connecting to the second host. The method detects domain fronting in response to determining, based on comparing the first set of links and the second set of links, that the first host differs from the second host.

A method and apparatus for providing IP address filtering. The method identifies one or more suspicious Uniform Resource Locators (URLs) and resolves the one or more suspicious URLs to one or more suspicious IP addresses. A suspicious IP address list is created containing the one or more suspicious IP addresses. The suspicious IP address list may be used to facilitate a security response to filter one or more of the IP addresses in the suspicious IP address list.

A system, device and method for secure message thread communication is provided. The device comprises a communication interface; a display device; and, a controller configured to: generate, at the display device, a plurality of message threads, the plurality of message threads associated with different incident reports; receive multimedia data for transmission in a first message thread of the plurality of message threads; compare the multimedia data with data from the different incident reports; and when an association is determined between the multimedia data and respective data from an incident report associated with a second message thread, of the plurality of message threads: transmit, using the communication interface, the multimedia data in the second message thread, and not the first message thread.

System and methods are described for efficient monitoring of network traffic in a public cloud computing environment. In one implementation, a method comprises: generating flow log records of network traffic in the public cloud computing environment; identifying a data packet that presents a potential security risk; identifying a captured data packet (PCAP) record corresponding to the identified data packet; and transmitting the PCAP record to a computing device for network traffic analysis.

Requests are received for handling by a cloud computing environment which are then executed by the cloud computing environment. While each request is executing, performance metrics associated with the request are monitored. A vector is subsequently generated that encapsulates information associated with the request including the text within the request and the corresponding monitored performance metrics. Each request is then assigned (after it has been executed) to either a normal request cluster or an abnormal request cluster based on which cluster has a nearest mean relative to the corresponding vector. In addition, data can be provided that characterizes requests assigned to the abnormal request cluster. Related apparatus, systems, techniques and articles are also described.

A system, a method, and a computer program are provided for securely connecting a main network to one or more subnetworks in an enterprise network through a group of enterprise routers has all data traffic routed between the main network and the subnetwork through an encrypted virtual private network (VPN) tunnel. The data traffic is monitored for a cyberthreat indication in the enterprise network, and any cyberthreat indication is has the cyberthreat remediated by modifying a policy in a firewall or one of the group of enterprise routers to stop routing exchange or cease encryption or transmission of data between the main network and the one or more subnetworks. In part, a key server and each router and the group of enterprise routers is configured with an Internet Protocol address, a group security association value, and a group profile which are employed by the technological solution for secure enterprise connectivity.

A computer device may include a memory storing instructions and processor configured to execute the instructions to host a network function container that implements a microservice for a network function in a wireless communications network, wherein the network function container is deployed by a container orchestration platform; host a service proxy container associated with the network function container, wherein the service proxy container is deployed by the container orchestration platform; and configure the hosted service proxy container to apply a wireless network policy to the microservice for the network function. The processor may be further configured to intercept messages associated with the microservice for the network function using the configured service proxy container; and apply the wireless network policy to the intercepted messages using the configured service proxy container.

Techniques and systems to provide a more intuitive user overview of events data by mapping unbounded incident scores to a fixed range and aggregating incident scores by different schemes. The system may detect possible malicious incidents associated with events processing on a host device. The events data may be gathered from events detected on the host device. The incident scores for incidents may be determined from the events data. The incident scores may be mapped to bins of a fixed range to highlight the significance of the incident scores. For instance, a first score mapped to a first bin may be insignificant while a second score mapped to a last bin may require urgent review. The incident scores may also be aggregated at different levels (e.g., host device, organization, industry, global, etc.) and at different time intervals to provide insights to the data.