Patents by Inventor Shoufu Luo

Shoufu Luo has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11457034
    Abstract: The disclosed embodiments provide a system for detecting abusive requests. During operation, the system generates, based on one or more primary signals, a first set of clusters of network requests spanning a first period and a second set of clusters of requests spanning a second period. Next, the system stores, in a snapshot, a signature representing primary signal values and a first distribution of secondary signals in a first cluster in the first set of clusters. The system matches primary signal values from a second cluster in the second set of clusters to the signature and calculates a divergence score representing a deviation of a second distribution of secondary signals in the second cluster from the first distribution. When the divergence score violates a threshold, the system generates output for identifying additional network requests that contain one or more primary and secondary signal values in the second cluster.
    Type: Grant
    Filed: March 31, 2020
    Date of Patent: September 27, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Shoufu Luo, Yi-Wei Lin, Samridh Saluja, Rui Han
  • Publication number: 20210306358
    Abstract: The disclosed embodiments provide a system for detecting abusive requests. During operation, the system generates, based on one or more primary signals, a first set of clusters of network requests spanning a first period and a second set of clusters of requests spanning a second period. Next, the system stores, in a snapshot, a signature representing primary signal values and a first distribution of secondary signals in a first cluster in the first set of clusters. The system matches primary signal values from a second cluster in the second set of clusters to the signature and calculates a divergence score representing a deviation of a second distribution of secondary signals in the second cluster from the first distribution. When the divergence score violates a threshold, the system generates output for identifying additional network requests that contain one or more primary and secondary signal values in the second cluster.
    Type: Application
    Filed: March 31, 2020
    Publication date: September 30, 2021
    Inventors: Shoufu Luo, Yi-Wei Lin, Samridh Saluja, Rui Han
  • Patent number: 11108813
    Abstract: The disclosed embodiments provide a system for mitigating a distributed denial-of-service (DDoS) attack. During operation, the system analyzes application layer data in historical traffic to an online system to determine a historical volume of member traffic from an Internet Protocol (IP) address to the online system, wherein the member traffic is generated by members of the online system. Next, the system calculates a rate limit for a set of requests from the IP address to the online system based on the historical volume of member traffic from the IP address. During a DDoS attack, the system outputs the rate limit for use in blocking a subset of the requests from the IP address to the online system.
    Type: Grant
    Filed: June 28, 2019
    Date of Patent: August 31, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Shoufu Luo, Jie Zhang
  • Patent number: 11063969
    Abstract: In one embodiment, a network security device monitors network communications between a computer and another computer. A periodicity of transmissions made by one computer to the other computer is determined, with the periodicity being used to identify candidate time point pairs having intervals that match the periodicity. A graph is constructed with time points of the candidate time point pairs as nodes and with intervals of time point pairs as edges. A longest path that continuously links one time point to another time point on the graph is compared to a threshold length to verify that the transmissions are periodic, and are thus potentially indicative of malicious network communications.
    Type: Grant
    Filed: June 25, 2019
    Date of Patent: July 13, 2021
    Assignee: Trend Micro Incorporated
    Inventors: Shoufu Luo, Jonathan Edward Andersson, Josiah Dede Hagen
  • Patent number: 11044265
    Abstract: In one embodiment, local begin and end tags are detected by a network security device to determine a local context of a network traffic flow, and a local feature vector is obtained for that local context. At least one triggering machine learning model is applied by the network security device to the local feature vector, and the result determines whether or not deeper analysis is warranted. In most cases, very substantial resources are not required because deeper analysis is not indicated. If deeper analysis is indicated, one or more deeper machine learning models may then be applied to global and local feature vectors, and regular expressions may be applied to packet data, which may include the triggering data packet and one or more subsequent data packets. Other embodiments, aspects and features are also disclosed.
    Type: Grant
    Filed: June 11, 2020
    Date of Patent: June 22, 2021
    Assignee: Trend Micro Incorporated
    Inventors: Josiah Dede Hagen, Jonathan Edward Andersson, Shoufu Luo, Brandon Niemczyk, Leslie Zsohar, Craig Botkin, Peter Andriukaitis
  • Publication number: 20200412760
    Abstract: The disclosed embodiments provide a system for mitigating a distributed denial-of-service (DDoS) attack. During operation, the system analyzes application layer in historical traffic to an online system to determine historical volumes of member traffic from a set of regions to the online system, wherein the member traffic is generated by members of the online system. Next, the system calculates allocations of query rates for the set of regions based on the historical volumes of member traffic from the set of regions. During a DDoS attack, the system outputs the allocations of the query rates for use in blocking different portions of the requests from different regions in the set of regions to the online system.
    Type: Application
    Filed: June 28, 2019
    Publication date: December 31, 2020
    Inventors: Shoufu Luo, Jie Zhang
  • Publication number: 20200412761
    Abstract: The disclosed embodiments provide a system for mitigating a distributed denial-of-service (DDoS) attack. During operation, the system analyzes application layer data in historical traffic to an online system to determine a historical volume of member traffic from an Internet Protocol (IP) address to the online system, wherein the member traffic is generated by members of the online system. Next, the system calculates a rate limit for a set of requests from the IP address to the online system based on the historical volume of member traffic from the IP address. During a DDoS attack, the system outputs the rate limit for use in blocking a subset of the requests from the IP address to the online system.
    Type: Application
    Filed: June 28, 2019
    Publication date: December 31, 2020
    Inventors: Shoufu Luo, Jie Zhang
  • Patent number: 10728268
    Abstract: In one embodiment, local begin and end tags are detected by a network security device to determine a local context of a network traffic flow, and a local feature vector is obtained for that local context. At least one triggering machine learning model is applied by the network security device to the local feature vector, and the result determines whether or not deeper analysis is warranted. In most cases, very substantial resources are not required because deeper analysis is not indicated. If deeper analysis is indicated, one or more deeper machine learning models may then be applied to global and local feature vectors, and regular expressions may be applied to packet data, which may include the triggering data packet and one or more subsequent data packets. Other embodiments, aspects and features are also disclosed.
    Type: Grant
    Filed: April 10, 2018
    Date of Patent: July 28, 2020
    Assignee: Trend Micro Incorporated
    Inventors: Josiah Dede Hagen, Jonathan Edward Andersson, Shoufu Luo, Brandon Niemczyk, Leslie Zsohar, Craig Botkin, Peter Andriukaitis