Intrusion Detection Patents (Class 726/23)
  • Patent number: 11303666
    Abstract: A cybersecurity system and method for handling a cybersecurity event includes identifying a cybersecurity alert; selectively initializing automated threat intelligence workflows based on computing a cybersecurity alert type, wherein the automated threat intelligence workflows include a plurality of automated investigative tasks that, when executed by one or more computers, derive cybersecurity alert intelligence data; and executing the plurality of automated investigative tasks includes automatically sourcing a corpus of investigative data; deriving the cybersecurity alert intelligence data based on extracting selective pieces of data from the corpus of investigative data, wherein the cybersecurity alert intelligence data informs an inference of a cybersecurity alert severity of the cybersecurity alert; and automatically routing the cybersecurity alert to one of a plurality of distinct threat mitigation or threat disposal routes based on the cybersecurity alert severity of the cybersecurity alert.
    Type: Grant
    Filed: September 29, 2021
    Date of Patent: April 12, 2022
    Assignee: Expel, Inc.
    Inventors: Matt Peters, Peter Silberman, Dan Whalen, Elisabeth Weber, Jon Hencinski, John Begeman
  • Patent number: 11295022
    Abstract: A system, method, and computer-readable medium are disclosed for performing an entity behavior cataloging operation. The entity behavior cataloging operation includes: identifying a security related activity, the security related activity being based upon an observable from an electronic data source; analyzing the security related activity, the analyzing identifying an event of analytic utility associated with the security related activity; generating entity behavior catalog data based upon the event of analytic utility associated with the security related activity; and, storing the entity behavior catalog data within an entity behavior catalog, the entity behavior catalog providing an inventory of entity behaviors for use when performing a security operation.
    Type: Grant
    Filed: February 14, 2020
    Date of Patent: April 5, 2022
    Assignee: Forcepoint, LLC
    Inventors: Raffael Marty, Alan Ross, Nicolas Christian Fischbach, Matthew P. Moynahan, Chad Anson
  • Patent number: 11297098
    Abstract: A method, network system and computer storage medium for DDoS defence in a packet-switched network are provided. The method is performed by a network system and includes: measuring a plurality of network parameters in incoming network traffic; ranking the plurality of measured network parameters based on machine learning; measuring a subset of the plurality of network parameters in incoming network traffic; determining an incoming network packet to be part of a DDoS attack or not by machine learning of the subset of the plurality of network parameters; and blocking an incoming network packet when the incoming network packet is determined to be part of a DDoS attack.
    Type: Grant
    Filed: March 10, 2016
    Date of Patent: April 5, 2022
    Assignee: Telefonaktiebolaget LM Ericsson (Publ)
    Inventors: Arindam Banerjee, Shivashankar Subramanian
  • Patent number: 11295023
    Abstract: A system, method, and computer-readable medium are disclosed for performing an entity behavior cataloging operation. The entity behavior cataloging operation includes: identifying a plurality of security related activities, the plurality of security related activities being based upon an observable from an electronic data source; analyzing the plurality of security related activities, the analyzing identifying a plurality of events of analytic utility associated with the plurality of security related activities; generating a set of entity behavior catalog data based upon the event of analytic utility associated with the security related activity, the set of entity behavior catalog data comprising an associated group of behaviors; and, storing the set of entity behavior data and the associated group of behaviors within an entity behavior catalog, the entity behavior catalog providing an inventory of entity behaviors for use when performing a security operation.
    Type: Grant
    Filed: February 14, 2020
    Date of Patent: April 5, 2022
    Assignee: Forcepoint, LLC
    Inventors: Alan Ross, Raffael Marty, Margaret Cunningham, Ruchika Pandey
  • Patent number: 11290484
    Abstract: A bot characteristic detection method and apparatus, where the apparatus obtains a first dynamic behavior file and a second dynamic behavior file, where the first dynamic behavior file is a behavior file resulting from dynamic behavior detection performed on a malicious file in a first sandbox, and the second dynamic behavior file is a behavior file resulting from dynamic behavior detection performed on the malicious file in a second sandbox. The apparatus determines a bot characteristic of the malicious file based on a common characteristic of the first dynamic behavior file and the second dynamic behavior file.
    Type: Grant
    Filed: June 10, 2020
    Date of Patent: March 29, 2022
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventor: Wu Jiang
  • Patent number: 11290495
    Abstract: Solution management systems and methods are presently disclosed that enable receiving, compiling, and analyzing vendor solutions, determining the vendor solutions that address a target vulnerability of a client network and/or client devices, determining additional vulnerabilities of the client network and/or client devices that the vendor solutions address, and selecting a vendor solution to remediate the target vulnerability. The presently disclosed systems and methods also enable scoring, risk evaluation, and additional metrics to facilitate determining the vendor solution(s) that have the largest impact and/or benefit to the various vulnerabilities of the client network and/or client devices.
    Type: Grant
    Filed: August 29, 2019
    Date of Patent: March 29, 2022
    Assignee: ServiceNow, Inc.
    Inventors: Brian James Waplington, David Victor Barkovic
  • Patent number: 11290494
    Abstract: Methods and systems for reliability prediction of security policies in a cloud computing environment are provided. An example method includes providing a graph database representing workloads of the cloud computing environment as nodes and relationships between the workloads as edges, the relationships being associated with points in time, receiving a security policy including rules for the relationships between the workloads, generating a plurality of earliest points in time based on the rules and the graph database, wherein generating the plurality of earliest points in time includes: determining, for each rule of the rules, a subset of the relationships in the graph database such that each of the subset of the relationships matches the rule, and selecting an earliest point in time from points in time associated with relationships from the subset, and analyzing the plurality of earliest points in time to determine a reliability score for the security policy.
    Type: Grant
    Filed: May 31, 2019
    Date of Patent: March 29, 2022
    Assignee: vArmour Networks, Inc.
    Inventors: Xiaodan Li, Marc Woolward
  • Patent number: 11290880
    Abstract: Disclosed is an electronic device including: an input unit provided with buttons; a plurality of sensors; and a controller configured to activate at least some of the plurality of sensors based on a received activation signal, generate authentication information based on at least one of the activated sensors, calculate a final security level score based on a security level score corresponding to the at least one authentication information, and determine whether a target service or a target external device is accessible, based on the calculated final security level score.
    Type: Grant
    Filed: February 28, 2019
    Date of Patent: March 29, 2022
    Assignee: LG ELECTRONICS INC.
    Inventors: Sungjin Kim, Shinjae Kang, Jungsu Lee, Jiin Jeon
  • Patent number: 11288348
    Abstract: The application provides a method for attack detection in biometric authentication. The method may be implemented by a mobile terminal device, and comprises: obtaining sensor data of the mobile terminal device, wherein the sensor data is collected when the mobile terminal device performs biometric authentication, and the sensor data comprises acceleration sensor data of the mobile terminal device indicating accelerations of the mobile terminal device in x, y, and z axes of a three-dimensional space, and/or gyroscope data of the mobile terminal device indicating angular velocities in the x, y, and z axes of the three-dimensional space; and inputting the sensor data into an attack determination model to determine whether an attack occurs in the biometric authentication, wherein the attack determination model is trained by using sensor training data obtained based on sensor data of the mobile terminal device collected when the mobile terminal device performed biometric authentication historically.
    Type: Grant
    Filed: March 6, 2020
    Date of Patent: March 29, 2022
    Assignee: ADVANCED NEW TECHNOLOGIES CO., LTD.
    Inventors: Xinyi Fu, Zhe Li
  • Patent number: 11290329
    Abstract: Examples described herein configure a network based on a centroid configuration of a group of network entities. Examples herein include classifying a plurality of network entities into a classification, wherein the network entities are configured on a plurality of network devices that are connected to the network. Examples herein include, based on the classification of the network entities, grouping the network entities into a plurality of groups. Examples herein include determining, for each of the groups, a centroid configuration of the network entities in the group. Examples herein include sending instructions to configure the network according to the centroid configuration of a selected one of the groups, wherein at least one network entity is configured according to the centroid configuration of the selected group in response to receiving the instructions.
    Type: Grant
    Filed: April 30, 2020
    Date of Patent: March 29, 2022
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Shaun Wackerly, Charles F. Clark
  • Patent number: 11282017
    Abstract: Systems and methods for automatically assessing and monitoring information security effectiveness using collected indicia of sensitive content and indicia of security measure information for a plurality of networked organizational assets/systems to provide respective asset/system value at risk ratings. Elements of the system include automated asset discovery, automated hosting provider and location discovery, collection of information harvested from public sources and, optionally non-public sources, analysis of the collected information against public, non-public, and proprietary sources, and/or mathematical models used to infer broader security program conclusions and to rank asset/system values at risk. Estimates of values at risk are used to prioritize allocation of security measures.
    Type: Grant
    Filed: February 18, 2019
    Date of Patent: March 22, 2022
    Assignee: RiskRecon Inc.
    Inventors: Kelly Thomas White, Michael Vance Fowkes, Jesse Duane Card, Andrew James Menzel
  • Patent number: 11281767
    Abstract: A sandbox component, operatively coupled to a host and a guest container, securely extends systems data collection software with potentially untrusted third-party code. A secure environment is enabled where plugins will run inside a sidecar container that is separate from a guest container. A container consists of an entire runtime environment: an application, plus its dependencies, libraries and other binaries, and configuration files needed to run it, bundled into one package. A sidecar service is not necessarily part of the application but is connected to the guest container and follows the parent application. A sidecar is independent from its primary application in terms of runtime environment and programming language. The sidecar plugin will be given a sparse/limited set of privileges required to simply perform its intended function and the Linux kernel constructs will control data access and transfer.
    Type: Grant
    Filed: March 23, 2018
    Date of Patent: March 22, 2022
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Sahil Suneja, Shripad Nadgowda, Canturk Isci
  • Patent number: 11283813
    Abstract: Systems and methods of managing fraudulent devices are provided. The system detects a request for a connection to communicatively couple a technician computing device with a receiver computing device. The system identifies connection data for the connection. The system requests, based on the connection data, a plurality of account values. Each of the plurality of account values is associated with an account that the technician computing device used to establish the connection. The system generates a score indicating a fraudulent level of the account based on the plurality of account values. The system terminates, responsive to a comparison of the score with a fraud threshold, the connection. The system transmits, to a ticketing system, a support ticket generated responsive to the comparison of the score with the fraud threshold.
    Type: Grant
    Filed: April 2, 2019
    Date of Patent: March 22, 2022
    Assignee: CONNECTWISE, LLC
    Inventors: Jacob Morgan, Benjamin Burner
  • Patent number: 11283824
    Abstract: A cybersecurity assessment system is provided for monitoring, assessing, and addressing the cybersecurity status of a target network. The cybersecurity assessment system can analyze the scan data and determine a degree to which the current status of the target network satisfies a particular cybersecurity readiness standard, and how the status changes over time. The cybersecurity assessment system can also transform large amounts of vulnerability scan data into efficient representations for use in providing interactive presentations of the vulnerabilities detected on the target network. The cybersecurity assessment system can also provide information regarding cybersecurity events in substantially real time.
    Type: Grant
    Filed: February 5, 2019
    Date of Patent: March 22, 2022
    Assignee: Cytellix Corporation
    Inventors: Brian Douglas Berger, Howard Chen Lin, Andrew Michael Fabrizio
  • Patent number: 11277392
    Abstract: In a wireless communication system, a secure communication link is provided by producing a set of reference symbols selected from a modulation symbol constellation; generating a data-bearing pre-coding transform from information to be transmitted to a receiver; applying the data-bearing pre-coding transform to the set of reference symbols, thereby distorting the reference symbols with respect to the information, to produce a linear transformation signal; and transmitting the linear transformation signal to the receiver. The reference symbols are known at the receiver. The receiver removes the reference symbols from the linear transformation signal and decodes the data-bearing pre-coding transform.
    Type: Grant
    Filed: November 24, 2020
    Date of Patent: March 15, 2022
    Assignee: Department 13, Inc.
    Inventors: Steve J Shattil, Robi Sen
  • Patent number: 11277446
    Abstract: Disclosed herein are representative embodiments of methods, apparatus, and systems for processing and managing information from a compliance and configuration control (“CCC”) tool and generating information for a security information and event management (“SIEM”) tool based on the information from the CCC tool. For example, in one exemplary embodiment, information from a CCC tool is transferred to a SIEM tool or logging tool by receiving the information from the CCC tool in a format that is not recognized by the SIEM tool or logging tool, and generating an output message in a message format that is recognized by the SIEM tool or logging tool. In particular embodiments, the message format is a customizable message format that is adaptable to multiple different SIEM tools or logging tools. In further embodiments, the data transferred to the SIEM tool comprises data indicative of compliance policy changes.
    Type: Grant
    Filed: August 12, 2019
    Date of Patent: March 15, 2022
    Assignee: Tripwire, Inc.
    Inventor: Stephen Rivers
  • Patent number: 11277425
    Abstract: Methods, systems, and computer program products for anomaly and mode inference from time series data are provided herein. A computer-implemented method includes receiving time-series sensor data for each one of a group of devices; extracting a set of states for each device in the group from the time-series sensor data; constructing a state-transition graph for each of the devices, wherein each of the state-transition graphs comprises nodes corresponding to each state in the set and edges corresponding to a probability of transition between the extracted states over time; identifying, for each set, a given state as one of: a mode, a normal state and an anomalous state based on the state-transition graph; and detecting one or more anomalous devices in the group by computing similarities between different devices in the group, based at least in part on the determined state-transition graphs.
    Type: Grant
    Filed: April 16, 2019
    Date of Patent: March 15, 2022
    Assignee: International Business Machines Corporation
    Inventors: Kedar Kulkarni, Padmanabha V. Seshadri, Satyam Dwivedi, Amith Singhee, Pankaj S. Dayama, Nitin Singh
  • Patent number: 11277418
    Abstract: This application discloses a network attack determination method, a secure network data transmission method, and a corresponding apparatus. In this application, a browser client terminal obtains attack rules formulated by a rule configuration server, and after obtaining feedback information that is returned by a network according to a webpage browsing request, determines, according to a comparison result between the attack rules and the feedback information, whether the webpage browsing request encounters a network attack, thereby resolving a problem in the prior art that a network attack cannot be identified. In addition, after determining that a network attack is encountered, the browser client terminal performs network data transmission in a secure manner, which can avoid impact from the network attack, and improve security of network data transmission.
    Type: Grant
    Filed: January 27, 2020
    Date of Patent: March 15, 2022
    Assignee: Alibaba Group Holding Limited
    Inventor: Yufei Lin
  • Patent number: 11275840
    Abstract: Disclosed herein are system, method, and computer program product embodiments for propagating taint information for strings using metadata. Taint information for a string is encoded using taint ranges. When an operation is performed on the string, the operation and any additional taint information corresponding to the operation is encoded into a delta layer of the metadata. Rather than immediately obtaining taint information for a result string when the operation is performed on the string, the delta layer stores the taint information for the operation, and any subsequent operation, until it is needed. Once the taint information is needed, then the delta layers are collapsed into base layer taint information in order to resolve taint information for a result string.
    Type: Grant
    Filed: July 29, 2019
    Date of Patent: March 15, 2022
    Assignee: SAP SE
    Inventor: Florian Loch
  • Patent number: 11276284
    Abstract: A plurality of sensors are operably coupled to a system controller. Each sensor includes a detection mode in which the sensor applies one or more detection algorithms to sensor data generated by the corresponding sensor to detect a possible event and to report the possible event to the system controller, but does not report the sensor data to the system controller. Each sensor also includes a sensor data mode in which the sensor data is reported to the system controller. When one of the plurality of sensors reports a possible event to the system controller, the system controller instructs one or more of the plurality of sensors to switch from the detection mode to the sensor data mode. The system controller is configured to receive the sensor data and to process the received sensor data to confirm or otherwise provide a measure of confidence in the reported possible event.
    Type: Grant
    Filed: April 13, 2021
    Date of Patent: March 15, 2022
    Assignee: Honeywell International Inc.
    Inventor: Manjunatha Divakara
  • Patent number: 11275824
    Abstract: The disclosed computer-implemented method may include initializing a server instance using a specified network address and an associated set of credentials, logging the network address of the initialized server instance as well as the associated set of credentials in a data log, analyzing network service requests to determine that a different server instance with a different network address is requesting a network service using the same set of credentials, accessing the data log to determine whether the second server instance is using a network address that is known to be valid within the network and, upon determining that the second server instance is not using a known network address, preventing the second server instance from performing specified tasks within the network. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: May 2, 2019
    Date of Patent: March 15, 2022
    Assignee: Netflix, Inc.
    Inventors: William Bengtson, Scott Behrens, Travis McPeak
  • Patent number: 11269978
    Abstract: Methods, systems and computer program products are provided for detection of slow brute force attacks based on user-level time series analysis. A slow brute force attack may be detected based on one or more anomalous failed login events associated with a user, alone or in combination with one or more post-login anomalous activities associated with the user, security alerts associated with the user, investigation priority determined for the user and/or successful logon events associated with the user. An alert may indicate a user is the target of a successful or unsuccessful slow brute force attack. Time-series data (e.g., accounted for in configurable time intervals) may be analyzed on a user-by-user basis to identify localized anomalies and global anomalies, which may be scored and evaluated (e.g., alone or combined with other information) to determine an investigation priority and whether and what alert to issue for a user.
    Type: Grant
    Filed: May 7, 2020
    Date of Patent: March 8, 2022
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Dror Cohen, Jonatan Zukerman, Noa Esther Aviv Hamamy, Yossef Basha
  • Patent number: 11271906
    Abstract: Disclosed is a system for forwarding traffic of an endpoint. The system includes the endpoint configured to transmit traffic generated by an application to a server and a security gateway configured to receive the traffic from the endpoint and analyze data related to information security of secure sockets layer (SSL) traffic among the traffic. Here, the endpoint includes a local redirection module configured to store redirection information including server connection information for transmitting the traffic to the server and to perform redirection related to transmission of the traffic, and a local proxy module configured to decode the data with respect to the SSL traffic among the traffic received from the local redirection module and then to forward the decoded SSL traffic to the security gateway according to the redirection of the local redirection module.
    Type: Grant
    Filed: October 29, 2019
    Date of Patent: March 8, 2022
    Assignee: SOMANSA CO., LTD.
    Inventors: Tae Wan Kim, Il Hoon Choi
  • Patent number: 11271967
    Abstract: Methods and systems for cyber-hacking detection are provided. One method includes generating, by a processor, one or more artificial accounts for a type of actual account, learning one or more hacking behaviors for the type of actual account, and detecting cyber-hacks in activity in the one or more artificial accounts based on the one or more hacking behaviors. Systems and computer program products for performing the above method are also provided.
    Type: Grant
    Filed: May 2, 2017
    Date of Patent: March 8, 2022
    Assignee: International Business Machines Corporation
    Inventors: Matthew G. Borlick, Lokesh M. Gupta
  • Patent number: 11270029
    Abstract: Examples in this application disclose data check computer-implemented methods, media, and systems. One example computer-implemented method includes retrieving, by a trusted execution environment (TEE), a check-triggering instruction from a server, where the check-triggering instruction is configured to trigger the TEE to perform a consistency check on basic data of a user to be identified, in response to the check-triggering instruction, retrieving, by the TEE, encrypted standard basic data of the user from a trusted institution, retrieving, by the TEE, encrypted basic data of the user from a first institution, retrieving, by the TEE, the basic data of the user by decrypting the encrypted basic data, performing, by the TEE, the consistency check on the basic data of the user based on the encrypted standard basic data to obtain a check result, and sending, from the TEE, the check result to a second institution.
    Type: Grant
    Filed: June 30, 2021
    Date of Patent: March 8, 2022
    Assignee: Alipay (Hangzhou) Information Technology Co., Ltd.
    Inventors: Renhui Yang, Xinmin Wang, Yuan Chen, Wenyu Yang, Feng Qian, Qianting Guo, Shubo Li
  • Patent number: 11271959
    Abstract: Methods and systems for detecting and preventing malicious software activity are presented. In one embodiment, a method is presented that includes monitoring network communications on a network. The method may also include detecting a suspect network communication associated with a suspect network activity and, in response, determining an originating machine based on the suspect network activity. The method may further include suspending network communications for the originating machine. A forensics software agent may then be selected based on the suspect network activity. Then, the forensics software agent may be deployed on the originating machine. After deployment, the forensics software agent may fetch computer forensics data from the originating machine. Once the computer forensics data is fetched, a response action may be selected and executed based on said computer forensics data.
    Type: Grant
    Filed: November 20, 2019
    Date of Patent: March 8, 2022
    Assignee: CrowdStrike, Inc.
    Inventors: Karni Eyal, Sagi Sheinfeld, Zinar Yaron
  • Patent number: 11269991
    Abstract: Providing an isolation system that allows analysts to analyze suspicious information in a way that aids in preventing harmful information from spreading to other applications and systems on a network. A plurality of virtual containers may be used by analysts to analyze suspicious information. The suspicious information may first be hashed before being analyzed by the analyst. The hash for the suspicious information may be compared to stored hashes. When the hash meets a stored harmful hash, the suspicious information may be determined to include harmful information without having to be further analyzed. When the hash meets a stored acceptable hash, the suspicious information may be determined to be acceptable information without having to be further analyzed. Should the hash for the suspicious information fail to meet any stored hashes, then the suspicious information may be analyzed for harmful information within the virtual container.
    Type: Grant
    Filed: June 22, 2020
    Date of Patent: March 8, 2022
    Assignee: BANK OF AMERICA CORPORATION
    Inventors: Dustin Paul Stocks, George Albero, Jinna Zevulun Kim
  • Patent number: 11272075
    Abstract: An information processing apparatus includes a request reception unit configured to receive a request for executing an execution module, a first alteration detection unit configured to detect an alteration of a white list upon reception of the execution request, a second alteration detection unit configured to detect an alteration of an execution module which has issued the execution request, by using a white list determined to have no alteration by the first alteration detection unit, and an error control unit configured to, upon detection of an alteration by the second alteration detection unit, select and control whether to deactivate a system of the information processing apparatus or to inhibit only execution of the execution module which has issued the execution request, depending on a current activation mode of the information processing apparatus and an activation mode using the execution module which has issued the execution request.
    Type: Grant
    Filed: June 23, 2020
    Date of Patent: March 8, 2022
    Assignee: Canon Kabushiki Kaisha
    Inventor: Ayuta Kawazu
  • Patent number: 11265718
    Abstract: Methods, systems and computer readable media for protecting networks and devices from network security attack using physical communication layer characteristics are described.
    Type: Grant
    Filed: May 10, 2018
    Date of Patent: March 1, 2022
    Assignee: Sophos Limited
    Inventors: Anil Kaushik, Stutz Daniel
  • Patent number: 11265334
    Abstract: An Active Intelligence method and system are provided for detecting malicious servers using an automated machine-learning active intelligence manager. The Active Intelligence method and system automatically and covertly extract forensic data and intelligence related to a selected server in real time to determine whether the server is part of a cybercrime infrastructure. An automated machine-learning active intelligence manager is provided that collects or gathers one or more types of forensic intelligence related to the operation of the server under investigation. The active intelligence manager combines the collected one or more types of forensic intelligence, extracts features from the combined forensic intelligence, and classifies the server as malicious or benign based on the extracted features.
    Type: Grant
    Filed: May 18, 2020
    Date of Patent: March 1, 2022
    Assignee: SLASHNEXT, INC.
    Inventor: Atif Mushtaq
  • Patent number: 11263295
    Abstract: A variety of methods are provided for an application or operating system (OS) kernel intrusion detection and prevention, based on usage of existing vulnerability fixes and their transformation into honeypot detectors. A honeypot patch may be generated for a computing system associated with a software vulnerability in software installed on the computing system. The honeypot patch, when used to modify the installed software, can convert the computing system into a honeypot system configured to detect attempts to exploit the software vulnerability of the software, and in response, generate a security event associated with the software vulnerability.
    Type: Grant
    Filed: July 8, 2019
    Date of Patent: March 1, 2022
    Assignee: Cloud Linux Software Inc.
    Inventor: Kirill Korotaev
  • Patent number: 11263062
    Abstract: A method may include collecting a plurality of computer-readable source code from an application programming interface (API) repository. The method may also include performing API call code slicing on the computer-readable source code. The method may also include extracting an API host and an endpoint for each of the API call codes identified in the API call code slicing. The method may also include compiling an API mashup database based on the extracted API host and endpoints. Furthermore, the method may also include providing a recommended API mashup of the API mashup database in a user interface.
    Type: Grant
    Filed: February 6, 2019
    Date of Patent: March 1, 2022
    Assignee: FUJITSU LIMITED
    Inventors: Qiyu Zhi, Lei Liu, Wei-Peng Chen
  • Patent number: 11265206
    Abstract: Described herein are systems, methods, and software to enhance the management of responses to incidents in an information technology (IT) environment. In one example, a management system identifies an incident in an IT environment, identifies an initial status for the incident for an analyst of the IT environment, and provides the initial status for display to the analyst. The management system further monitors state information for the incident in the IT environment, identifies a second status of the incident based on the monitored state, and provides the second status for display to the analyst.
    Type: Grant
    Filed: July 31, 2018
    Date of Patent: March 1, 2022
    Assignee: Splunk Inc.
    Inventor: Sourabh Satish
  • Patent number: 11265336
    Abstract: Anomalies can be identified within a network. For example, a system can automatically detect anomalous network activity using a machine-learning model that analyzes how network configurations change over time. The machine-learning model may detect anomalies by comparing current and anticipated rates of change and/or types of topological changes in the network.
    Type: Grant
    Filed: March 28, 2019
    Date of Patent: March 1, 2022
    Assignee: Red Hat, Inc.
    Inventor: Marcel Hild
  • Patent number: 11263309
    Abstract: Integrity verification of a containerized application using a block device signature is described. For example, a container deployed to a host system is signed with a single block device signature. The operating system of the host system implements an integrity policy to verify the integrity of the container when the container is loaded into memory and when its program code executes. During such events, the operating system verifies whether the block device signature is valid. If the block device signature is determined to be valid, the operating system enables the program code to successfully execute. Otherwise, the program code is prevented from being executed. By doing so, certain program code or processes that are not properly signed are prevented from executing, thereby protecting the host system from such processes. Moreover, by using a single block device signature for a container, the enforcement of the integrity policy is greatly simplified.
    Type: Grant
    Filed: October 31, 2019
    Date of Patent: March 1, 2022
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Md Nazmus Sakib, Jeffrey A. Sutherland, Deven Robert Desai, Jaskaran Singh Khurana, Scott Randall Shell, Jessica M. Krynitsky
  • Patent number: 11256818
    Abstract: To determine whether an IoT system connected with a network environment (e.g., the internet) is compromised, a networked Trust as a Service (TaaS) server receives system data indicative of various characteristics of the IoT system, wherein the system data is harvested by a software agent installed on the IoT system. The TaaS server initially establishes a baseline characteristics profile for the IoT system, such that subsequently received system data from the software agent may be compared against the baseline characteristics profile to quickly identify discrepancies between the originally established baseline characteristics profile and current operating characteristics of the system. Such discrepancies may be caused by desirable software updates, in which case the discrepancies may be integrated into the baseline characteristics profile, or the discrepancies may result from the IoT system being undesirably compromised.
    Type: Grant
    Filed: August 31, 2018
    Date of Patent: February 22, 2022
    Assignee: Corlina, Inc.
    Inventors: Antonio J. Espinosa, Shashi Sastry, Vincent Bemmel, Sameer Merchant
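    The baseline-and-discrepancy scheme in 11256818 comes down to digesting each reported characteristic, diffing later reports against those digests, and then deciding per discrepancy whether it is explained by an approved change. The following is an added example, not Corlina's code: the shape of the agent report, the profile fields and the "approved update manifest" lookup are assumptions made for illustration. Discrepancies that match the manifest are folded into the baseline; anything else is left out of the baseline and reported.

```python
"""Baseline characteristics profile with drift classification (added example).

The agent report format and the approved-update manifest are assumptions.
"""
import hashlib
import json


def fingerprint(value) -> str:
    """Stable digest of any JSON-serialisable characteristic."""
    return hashlib.sha256(json.dumps(value, sort_keys=True).encode()).hexdigest()


def build_profile(system_data: dict) -> dict:
    """Baseline = one digest per characteristic, from the first agent report."""
    return {key: fingerprint(val) for key, val in system_data.items()}


def diff_profile(baseline: dict, current: dict) -> dict:
    """Characteristics whose digest no longer matches the baseline."""
    now = build_profile(current)
    return {key: current[key] for key in now if baseline.get(key) != now[key]}


def evaluate_report(baseline: dict, report: dict, approved_updates: dict) -> dict:
    """Classify each discrepancy: integrate it if an approved update manifest
    says this exact value was expected, otherwise flag it. The baseline is
    mutated only for integrated keys, so an unexplained change keeps
    showing up on every subsequent report until someone acts on it."""
    integrated, suspicious = [], []
    for key, value in diff_profile(baseline, report).items():
        if approved_updates.get(key) == value:
            baseline[key] = fingerprint(value)
            integrated.append(key)
        else:
            suspicious.append(key)
    return {"integrated": integrated, "suspicious": suspicious}


def run_demo():
    """Constructed reports from one device over three check-ins."""
    first = {
        "firmware": "1.0.3",
        "listening_ports": [22, 8883],
        "binaries": {"/usr/bin/agent": "sha256:aaa", "/usr/bin/sensord": "sha256:bbb"},
    }
    baseline = build_profile(first)

    # Check-in 2: firmware changed, and the change is on the approved manifest.
    second = dict(first, firmware="1.0.4")
    result_update = evaluate_report(baseline, second, {"firmware": "1.0.4"})

    # Check-in 3: new listener and a modified binary, nothing approved.
    third = dict(second,
                 listening_ports=[22, 4444, 8883],
                 binaries={"/usr/bin/agent": "sha256:aaa", "/usr/bin/sensord": "sha256:ccc"})
    result_compromise = evaluate_report(baseline, third, {})
    return baseline, result_update, result_compromise


if __name__ == "__main__":
    print(run_demo()[1:])
```

Note that the manifest has to name the expected value, not just the key: accepting "firmware changed, and a firmware update was scheduled" without comparing the version would let an attacker time a malicious change to a maintenance window.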
  • Patent number: 11258655
    Abstract: A method for managing alarms in a virtual machine environment includes receiving alarm data related to a process and storing the alarm data in a database, where the alarm data comprises one or more features. The method further includes retrieving intended state information for the process and comparing the one or more features of the alarm data to the intended state information to determine whether the alarm is an outlier. The method also includes computing a normal score for the alarm if the alarm is not an outlier, and computing an abnormal score for the alarm if the alarm is an outlier. The method also includes sending a notification for the alarm and the computed score.
    Type: Grant
    Filed: December 6, 2018
    Date of Patent: February 22, 2022
    Assignee: VMware, Inc.
    Inventors: Zhen Mo, Dexiang Wang, Bin Zan, Vijay Ganti, Amit Chopra, Ruimin Sun
  • Patent number: 11258789
    Abstract: A system for optimization of data transmission, comprising a content protection extraction system configured to operate on a remote processor and to extract content protection data associated with a data file and to transmit the content protection data to a central processor and a content protection confirmation system configured to operate on the central processor and to receive the content protection data and to verify whether the content protection data is associated with an authenticated data file.
    Type: Grant
    Filed: December 4, 2018
    Date of Patent: February 22, 2022
    Assignee: FORCEPOINT LLC
    Inventors: Gal Itach, Ayval Ron
  • Patent number: 11256607
    Abstract: Disclosed herein is a system for providing a test environment, composed of one or more virtual machines, to a developer instantly in response to a checkout request from the developer. To do this, a sandbox service implements a smart, tiered approach to creating and provisioning virtual machines that compose the test environments. The approach is flexible and elastic in nature, so that the developers do not have to wait an extended period of time for a test environment, yet the costs associated with configuring the virtual machines (e.g., storage and compute costs) are minimized. For example, the sandbox service can use historical data to predict a number of checkout requests expected for a first time interval (e.g., one day), a second time interval (e.g., thirty minutes), and a third time interval (e.g., five minutes). The sandbox service can then configure virtual machines into different states based on the predicted numbers.
    Type: Grant
    Filed: January 18, 2021
    Date of Patent: February 22, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Raj Moizbhai Dhrolia, Jianfeng Cai, Nir Zvi Yurman, Sophie Dasinger, Peter Kenneth Harwood, Jeffrey Earl Steinbok, Peter Erling Hauge, Nicola Greene Alfeo, Sandeep Kumar
  • Patent number: 11256577
    Abstract: Techniques are provided for selective snapshot creation using source tagging of input-output (I/O) operations. One method comprises receiving an I/O operation; obtaining an I/O tag associated with the I/O operation indicating a source of the I/O operation (e.g., a source application or a source virtual machine); updating a cumulative I/O tag value associated with the I/O tag that indicates an amount of activity associated with the I/O tag; and initiating a snapshot of at least a portion of a storage system that stores data associated with the I/O operation in response to the cumulative I/O tag value satisfying a corresponding threshold value. A source device associated with the I/O operation may associate the I/O tag with the I/O operation and send the I/O operation with the I/O tag to the storage system.
    Type: Grant
    Filed: May 30, 2020
    Date of Patent: February 22, 2022
    Assignee: EMC IP Holding Company LLC
    Inventors: Kundan Kumar, Md Haris Iqbal, Govindaraja Nayaka B, Kurumurthy Gokam
  • Patent number: 11258813
    Abstract: Apparatus, systems, methods, and articles of manufacture for fingerprinting and classifying application behaviors using telemetry are disclosed. An example apparatus includes a trace processor to process events in a processor trace to capture application execution behavior; a fingerprint extractor to extract a first fingerprint from the captured application execution behavior and performance monitor information; a fingerprint clusterer to, in a training mode, cluster the first fingerprint and a second fingerprint into a cluster of fingerprints to be stored in a fingerprint database with a classification; and a fingerprint classifier to, in a deployed mode, classify a third fingerprint, the fingerprint classifier to trigger a remedial action when the classification is malicious.
    Type: Grant
    Filed: June 27, 2019
    Date of Patent: February 22, 2022
    Assignee: Intel Corporation
    Inventors: Justin Gottschlich, Rachit Mathur, Zheng Zhang
  • Patent number: 11258825
    Abstract: A cybersecurity system includes sensors that detect and report computer security events. Collected reports of computer security events are formed into state sequences, which are used as training data to train and build a prediction model. A current computer security event is detected and used as an input to the prediction model, which provides a prediction of a next computer security event. A monitoring level of a cybersecurity sensor is adjusted in accordance with the predicted next computer security event.
    Type: Grant
    Filed: July 18, 2019
    Date of Patent: February 22, 2022
    Assignee: Trend Micro Incorporated
    Inventors: Chin-En Yang, Wen-Kwang Tsao, Yi-De Wu, Yu-Hsuan Chou, Jaime Yaneza, Jr.
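    11258825 leaves the prediction model unspecified. As an added example (not Trend Micro's code), the smallest model that exhibits the described behaviour is a first-order transition table learned from past event sequences: given the current event, predict the most likely next one and turn up the sensor that would observe it. The training sequences, event names, sensor mapping and the probability thresholds are all constructed for illustration.

```python
"""Next-event prediction from sensor state sequences (added example).

First-order Markov model; the data and thresholds are constructed.
"""
from collections import Counter, defaultdict

# Constructed state sequences assembled from past sensor reports.
TRAINING = [
    ["phish_open", "macro_exec", "powershell_spawn", "c2_beacon"],
    ["phish_open", "macro_exec", "powershell_spawn", "cred_dump"],
    ["phish_open", "attachment_quarantined"],
    ["brute_force", "login_success", "cred_dump", "lateral_smb"],
    ["brute_force", "login_fail"],
    ["brute_force", "login_fail"],
    ["macro_exec", "powershell_spawn", "c2_beacon"],
]

# Which sensor would observe each event (assumption).
SENSOR_FOR = {
    "c2_beacon": "network", "lateral_smb": "network",
    "powershell_spawn": "endpoint", "cred_dump": "endpoint",
    "login_success": "auth", "login_fail": "auth",
}


def train(sequences):
    """P(next | current) estimated from adjacent pairs in the sequences."""
    counts = defaultdict(Counter)
    for seq in sequences:
        for cur, nxt in zip(seq, seq[1:]):
            counts[cur][nxt] += 1
    return {cur: {nxt: n / sum(c.values()) for nxt, n in c.items()}
            for cur, c in counts.items()}


def predict_next(model, event):
    """Most probable next event and its probability; (None, 0.0) if unseen."""
    candidates = model.get(event)
    if not candidates:
        return None, 0.0
    return max(candidates.items(), key=lambda kv: kv[1])


def adjust_monitoring(model, event):
    """Map the prediction to a monitoring level for the sensor that would
    see the predicted event. Thresholds are assumptions."""
    predicted, p = predict_next(model, event)
    if predicted is None:
        return {"sensor": None, "level": "normal", "predicted": None, "p": 0.0}
    level = "verbose" if p >= 0.6 else "elevated" if p >= 0.3 else "normal"
    return {"sensor": SENSOR_FOR.get(predicted, "endpoint"),
            "level": level, "predicted": predicted, "p": round(p, 2)}


MODEL = train(TRAINING)

if __name__ == "__main__":
    for ev in ("macro_exec", "powershell_spawn", "brute_force", "lateral_smb"):
        print(ev, "->", adjust_monitoring(MODEL, ev))
```

A first-order model cannot distinguish "powershell_spawn after a phish" from "powershell_spawn after an admin logon"; a deployment would condition on a longer window or on the sequence as a whole, which is what the patent's state sequences imply.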
  • Patent number: 11256803
    Abstract: A selection apparatus includes a macro analysis unit that acquires a macro feature amount from a macro in a document file to which the macro is added, a text analysis unit that acquires a text feature amount from text in the document file, a cluster analysis unit that performs clustering using the macro feature amount and the text feature amount, and a selection unit that selects an analysis target document file based on a cluster analysis result, and is able to efficiently and accurately select the macro-added document file to be analyzed.
    Type: Grant
    Filed: October 16, 2017
    Date of Patent: February 22, 2022
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Toshinori Usui, Makoto Iwamura, Takeshi Yada
  • Patent number: 11258809
    Abstract: Systems and methods for targeted attack detection. A protection system intercepts traffic destined for a protected system and only traffic identified as non-malicious is allowed to pass thereto. Data collection agents (DCAs) instantiated at protected systems report information concerning protected system resources to the protection system, which creates from that information a set of threat attack detection metrics (TADMs) by which it evaluates payloads of the intercepted traffic. In particular, the intercepted traffic is assessed using conventional threat detection approaches to identify suspect payloads. The suspect payloads are additionally evaluated against the TADMs to determine if they contain any references to specific resources of the protected system. For those of the suspect payloads for which the TADM evaluation reveals positive results, the protection system provides an alert that a targeted attack has been recognized.
    Type: Grant
    Filed: July 18, 2019
    Date of Patent: February 22, 2022
    Assignee: Wallarm, Inc.
    Inventors: Ivan Novikov, Alexander Golovko
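    The two-stage check in 11258809 is easy to show end to end: a data collection agent reports the protected system's concrete resources, those become the targeted-attack detection metrics, a conventional signature pass selects suspect payloads, and only suspect payloads that also name one of the reported resources are classed as targeted. The code below is an added example, not Wallarm's implementation; the DCA report, the two "conventional" signatures, and the HTTP request lines are constructed.

```python
"""Targeted attack detection metrics built from a DCA report (added example).

The report, the generic signatures and the sample requests are constructed.
"""
import re
from urllib.parse import unquote_plus

# Constructed DCA report: resources that exist on one protected system.
DCA_REPORT = {
    "files": ["/var/www/app/config/secrets.yml", "/etc/app/ldap.conf"],
    "db_tables": ["acct_customers", "acct_card_tokens"],
    "hosts": ["db-prod-03.internal"],
    "users": ["svc_billing"],
}

# Stand-in for "conventional threat detection" (assumption: two signatures).
GENERIC_PATTERNS = [
    re.compile(r"\bunion\b.+\bselect\b", re.I),
    re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.I),
    re.compile(r"(\.\./){2,}"),
]


def build_tadms(report: dict) -> set:
    """Lower-cased resource names, plus the basename of any path so a
    payload that only mentions 'secrets.yml' still matches."""
    tadms = set()
    for values in report.values():
        for value in values:
            tadms.add(value.lower())
            if "/" in value:
                tadms.add(value.rsplit("/", 1)[-1].lower())
    return tadms


def is_suspect(payload: str) -> bool:
    text = unquote_plus(payload)
    return any(p.search(text) for p in GENERIC_PATTERNS)


def tadm_hits(payload: str, tadms: set) -> list:
    """Resources of the protected system referenced in the decoded payload."""
    text = unquote_plus(payload).lower()
    return sorted(t for t in tadms if t in text)


def classify(payload: str, tadms: set):
    """pass / generic-attack / targeted-attack, with the matched resources."""
    if not is_suspect(payload):
        return ("pass", [])
    hits = tadm_hits(payload, tadms)
    return ("targeted-attack", hits) if hits else ("generic-attack", [])


TADMS = build_tadms(DCA_REPORT)

if __name__ == "__main__":
    for req in ("GET /search?q=shoes",
                "GET /search?q=%27+OR+%271%27%3D%271",
                "GET /api?id=1 UNION SELECT pan FROM acct_card_tokens--",
                "GET /dl?f=..%2F..%2F..%2F..%2Fvar%2Fwww%2Fapp%2Fconfig%2Fsecrets.yml"):
        print(classify(req, TADMS), req)
```

The decoding step matters: the TADM comparison runs on the same decoded form the application would see, otherwise percent-encoding a table name is enough to demote a targeted probe to "generic". The DCA report is itself sensitive (it is a map of what is worth attacking), so the channel from agent to protection system needs the same care as the alerts it produces.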
  • Patent number: 11252168
    Abstract: A transfer of master data is executed in a backend computing system. The master data includes user data and system data. The transfer of master data includes receiving user data associated with a particular user identifier in the backend computing system, transferring the received user data to an event stream processor, receiving system data associated with a particular log-providing computing system in the backend computing system, transferring the received system data to the event stream processor, and executing a transfer of log data associated with logs of computing systems connected to the backend computing system.
    Type: Grant
    Filed: September 7, 2018
    Date of Patent: February 15, 2022
    Assignee: SAP SE
    Inventors: Harish Mehta, Hartwig Seifert, Thomas Kunz, Anne Jacobi, Marco Rodeck, Florian Kraemer, Bjoern Brencher, Nan Zhang
  • Patent number: 11250131
    Abstract: Methods, apparatuses, and storage media storing instructions for scanning electronically-stored files are provided. A file stored in a computer-readable storage medium is scanned. Based on the scanning, a common analysis is performed on the file for two or more software functions. Based on the scanning, a software function-specific analysis is performed on the file for a respective software function. Two or more decisions on the file are made for the two or more software functions based on the common analysis and the software function-specific analysis.
    Type: Grant
    Filed: December 19, 2019
    Date of Patent: February 15, 2022
    Assignee: Beijing DiDi Infinity Technology and Development Co., Ltd.
    Inventors: Liwei Ren, Jing Chen
  • Patent number: 11247696
    Abstract: An information processing device collects information used for analyzing communication performed in an in-vehicle network by ECUs, including an ECU which performs predetermined control related to a function of an ADAS. The information processing device includes a receiver, a determiner, and a processor. The receiver receives a plurality of items of communication data sequentially transmitted over the in-vehicle network. The determiner detects a control end time, which is a time at which the predetermined control ends, and determines an analysis target period including the control end time. The processor classifies the plurality of items of communication data received by the receiver into analysis target communication data received within the analysis target period and non-analysis target communication data received outside the analysis target period. The processor further performs predetermined processing for analysis of the analysis target communication data based on the classification result.
    Type: Grant
    Filed: June 3, 2019
    Date of Patent: February 15, 2022
    Assignee: PANASONIC INTELLECTUAL PROPERTY MANAGEMENT CO., LTD.
    Inventors: Toshihisa Nakano, Kouji Kobayashi, Tohru Wakabayashi, Kazuya Fujimura, Masato Tanabe
  • Patent number: 11245713
    Abstract: Techniques are disclosed which can provide an orchestrated response to a cybersecurity threat. This orchestrated response may be based upon, at least in part, a reputation score. Threat model(s) may be received that identify cybersecurity threat(s). An indication of observations, false positives, and/or page views for the threat may be obtained. Data feeds may be received including known good data feeds, known bad data feeds, and enrichment data feeds. The data feeds may provide information about one or more indicators of compromise (IOC). For each IOC, a weighted criticality score may be determined. The weighted criticality score may be mapped to a corresponding point value. An aggregated score may be determined based upon at least the corresponding point value. A reputation score may be computed, and in some configurations, provided to a user.
    Type: Grant
    Filed: April 24, 2020
    Date of Patent: February 8, 2022
    Assignee: THREATCONNECT, INC.
    Inventors: Andrew Pendergast, Andrew Gidwani, Daniel Cole, Jason Spies, Bhaskar Karambelkar, Christopher Johnson, Danny Tineo
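    11245713 describes a scoring chain (feed-weighted criticality per IOC, mapping to points, aggregation, then a reputation score that also reflects observations and false positives) without fixing the weights or bands. The following added example, not ThreatConnect's code, carries one threat model through that chain with constructed feeds and explicitly assumed weights, point bands and normalisation; the numbers are there to make the arithmetic checkable, not to suggest real values.

```python
"""IOC criticality to reputation score (added example).

FEED_WEIGHTS, POINT_BANDS, the feeds and the threat model are assumptions.
"""

# Assumed feed weights: a known-good listing subtracts from criticality.
FEED_WEIGHTS = {"known_bad": 1.0, "enrichment": 0.6, "known_good": -1.0}

# Assumed bands: criticality >= threshold maps to the given point value.
POINT_BANDS = [(8.0, 10), (5.0, 6), (2.0, 3), (0.0, 1)]

# Constructed feeds: IOC -> per-feed score.
FEEDS = {
    "known_bad": {"203.0.113.7": 9.0, "hash:0123abcd": 8.0},
    "enrichment": {"evil.example": 5.0, "203.0.113.7": 3.0},
    "known_good": {"evil.example": 2.0},
}

# Constructed threat model with its observation and false-positive counts.
THREAT = {
    "name": "constructed-campaign",
    "iocs": ["203.0.113.7", "evil.example", "hash:0123abcd"],
    "observations": 12,
    "false_positives": 3,
}


def weighted_criticality(ioc: str, feeds: dict = FEEDS) -> float:
    """Sum of feed weight x feed score over every feed that lists the IOC,
    floored at zero so a strong known-good hit cannot go negative."""
    score = sum(FEED_WEIGHTS[name] * entries[ioc]
                for name, entries in feeds.items() if ioc in entries)
    return max(score, 0.0)


def to_points(criticality: float) -> int:
    for threshold, points in POINT_BANDS:
        if criticality >= threshold:
            return points
    return 0


def aggregate_points(threat: dict, feeds: dict = FEEDS) -> int:
    return sum(to_points(weighted_criticality(ioc, feeds)) for ioc in threat["iocs"])


def reputation_score(threat: dict, feeds: dict = FEEDS) -> int:
    """0..100: aggregated points scaled by the observed true-positive ratio
    and normalised against the maximum points the IOC set could earn."""
    obs, fp = threat["observations"], threat["false_positives"]
    confidence = obs / (obs + fp) if obs + fp else 0.5
    ceiling = 10 * len(threat["iocs"])
    return min(100, round(aggregate_points(threat, feeds) * confidence * 100 / ceiling))


if __name__ == "__main__":
    for ioc in THREAT["iocs"]:
        c = weighted_criticality(ioc)
        print(ioc, round(c, 2), "->", to_points(c), "points")
    print("reputation:", reputation_score(THREAT))
```

With these inputs the IP earns 10 points (9.0 from the bad feed plus 0.6 x 3.0 enrichment), the domain earns 1 (its enrichment score is mostly cancelled by a known-good listing), the hash earns 10, and 21 of a possible 30 points scaled by a 0.8 true-positive ratio gives a reputation of 56.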
  • Patent number: 11245666
    Abstract: A method including collecting and aligning raw data from a plurality of network nodes, wherein dissimilar data types are aligned as input events; filtering the input events by discarding events and/or parts of events that are detected to be equal or similar to previously observed events or events and/or parts of events found to be redundant by using predetermined criteria; separating processing of the input events into event aggregation and event enrichment processes, wherein the event aggregation process includes processing all the input events for generating aggregated events, and the event enrichment process includes processing only events passed by the filtering and the aggregated events from the event aggregation process; and analysing the data received from the event enrichment process for generating a security related decision.
    Type: Grant
    Filed: June 26, 2019
    Date of Patent: February 8, 2022
    Assignee: F-Secure Corporation
    Inventors: Dmitriy Komashinskiy, Paolo Palumbo
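    The pipeline in 11245666 has a specific split worth showing in code: aggregation sees every aligned input event, while enrichment (the expensive step) sees only the events that survived the similarity filter plus the aggregates. The following is an added example, not F-Secure's code. The three record types, the similarity key, the aggregation threshold, the asset and reputation lookups and the decision rule are all constructed for illustration.

```python
"""Align, filter, aggregate, enrich, decide (added example).

Raw records, lookups, threshold and decision rule are constructed.
"""
import re
from collections import Counter

# Constructed raw data from three node types.
RAW = [
    ("syslog", "Jun 1 10:00:01 host1 sshd[1]: Failed password for root from 198.51.100.9 port 4000"),
    ("syslog", "Jun 1 10:00:02 host1 sshd[1]: Failed password for root from 198.51.100.9 port 4001"),
    ("syslog", "Jun 1 10:00:03 host1 sshd[1]: Failed password for root from 198.51.100.9 port 4002"),
    ("edr", {"host": "host1", "proc": "bash", "parent": "sshd", "user": "root", "ts": 1000}),
    ("netflow", {"src": "10.0.0.5", "dst": "198.51.100.9", "dport": 443, "bytes": 120000}),
    ("netflow", {"src": "10.0.0.5", "dst": "198.51.100.9", "dport": 443, "bytes": 121000}),
]

SSH_FAIL = re.compile(r"Failed password for (\S+) from (\S+) port (\d+)")

# Constructed enrichment sources.
ASSET_TAGS = {"host1": "domain_controller"}
IP_REPUTATION = {"198.51.100.9": "known_scanner"}


def align(record):
    """Map a raw record of any type onto one event schema."""
    kind, data = record
    if kind == "syslog":
        m = SSH_FAIL.search(data)
        if not m:
            return None
        return {"type": "auth_fail", "host": data.split()[3], "actor": m.group(2),
                "target": m.group(1), "port": int(m.group(3))}
    if kind == "edr":
        return {"type": "process", "host": data["host"], "actor": data["user"],
                "target": f'{data["parent"]}>{data["proc"]}', "ts": data["ts"]}
    if kind == "netflow":
        return {"type": "flow", "host": data["src"], "actor": data["src"],
                "target": f'{data["dst"]}:{data["dport"]}', "bytes": data["bytes"]}
    return None


def similarity_key(ev):
    """Fields that define 'similar'; port, bytes and timestamps are ignored."""
    return (ev["type"], ev["host"], ev["actor"], ev["target"])


def filter_events(events):
    """Keep the first event per similarity key, discard the rest."""
    seen, passed = set(), []
    for ev in events:
        key = similarity_key(ev)
        if key not in seen:
            seen.add(key)
            passed.append(ev)
    return passed


def aggregate(events, threshold=3):
    """Runs over ALL input events, including the ones the filter dropped."""
    counts = Counter(similarity_key(ev) for ev in events)
    return [{"type": "aggregate", "of": k[0], "host": k[1], "actor": k[2],
             "target": k[3], "count": n} for k, n in counts.items() if n >= threshold]


def enrich(ev):
    ev = dict(ev)
    ev["asset"] = ASSET_TAGS.get(ev["host"])
    ev["actor_rep"] = IP_REPUTATION.get(ev["actor"])
    ev["target_rep"] = IP_REPUTATION.get(ev["target"].split(":")[0])
    return ev


def decide(enriched):
    """Escalate when a bad-reputation actor touches a tagged asset and there
    is follow-on process or network activity involving that asset or actor."""
    bad_actor_on_asset = any(e["actor_rep"] and e["asset"] for e in enriched)
    follow_on = any(e["type"] in ("process", "flow") and (e["target_rep"] or e["asset"])
                    for e in enriched)
    return "escalate" if bad_actor_on_asset and follow_on else "monitor"


def run_pipeline(raw):
    events = [e for e in map(align, raw) if e]
    passed = filter_events(events)
    aggregated = aggregate(events)
    enriched = [enrich(e) for e in passed + aggregated]
    return {"input": len(events), "passed": len(passed),
            "aggregated": aggregated, "decision": decide(enriched)}


if __name__ == "__main__":
    print(run_pipeline(RAW))
```

Six raw records become six aligned events; the filter passes three, the aggregator still counts all three failed logins and emits one burst event, and enrichment runs on four events instead of six.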
  • Patent number: 11245722
    Abstract: A server interacts with a bot detection service to provide bot detection as a requesting client interacts with the server. In an asynchronous mode, the server injects into a page a data collection script configured to record interactions at the requesting client, to collect sensor data about the interactions, and to send the collected sensor data to the server. After the client receives the page, the sensor data is collected and forwarded to the server through a series of posts. The server forwards the posts to the detection service. During this data collection, the server also may receive a request from the client for a protected endpoint. When this occurs, and in a synchronous mode, the server issues a query to the detection service to obtain a threat score based in part on the collected sensor data that has been received and forwarded by the server. Based on the threat score returned, the server then determines whether the request for the endpoint should be forwarded onward for handling.
    Type: Grant
    Filed: February 12, 2019
    Date of Patent: February 8, 2022
    Assignee: Akamai Technologies, Inc.
    Inventors: David Senecal, Prajakta Bhurke, Tu Vuong
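    The asynchronous and synchronous halves of 11245722 can be modelled in a few dozen lines: the server injects a sensor script into served pages, relays the script's posts to the detection service as they arrive, and queries the service synchronously only when a protected endpoint is requested. The code below is an added example, not Akamai's implementation. The script path, the sensor fields, the scoring heuristics inside the stand-in detection service and the blocking threshold are all assumptions; a real service would score far richer telemetry.

```python
"""Async sensor collection plus sync threat-score query (added example).

Script path, sensor fields, scoring and threshold are assumptions.
"""


class DetectionService:
    """Stand-in for the external bot detection service."""

    def __init__(self):
        self.sessions = {}

    def ingest(self, session_id: str, sensor: dict) -> None:
        self.sessions.setdefault(session_id, []).append(sensor)

    def threat_score(self, session_id: str) -> float:
        posts = self.sessions.get(session_id, [])
        if not posts:
            # No sensor posts at all: the script never ran, which is what a
            # non-browser client looks like (assumed default score).
            return 0.9
        mouse = sum(p.get("mouse_moves", 0) for p in posts)
        keys = sum(p.get("key_events", 0) for p in posts)
        fastest = min(p.get("ms_since_load", 10**9) for p in posts)
        score = 0.0
        if mouse == 0:
            score += 0.4
        if keys == 0:
            score += 0.2
        if fastest < 500:
            score += 0.4
        return round(min(score, 1.0), 2)


class OriginServer:
    SENSOR_SCRIPT = '<script src="/_bm/sensor.js"></script>'  # hypothetical path

    def __init__(self, service: DetectionService, block_threshold: float = 0.7):
        self.service = service
        self.block_threshold = block_threshold
        self.forwarded = []

    def serve_page(self, html: str) -> str:
        """Async mode: inject the data collection script into the page."""
        return html.replace("</body>", self.SENSOR_SCRIPT + "</body>", 1)

    def receive_sensor_post(self, session_id: str, sensor: dict) -> int:
        """Async mode: forward each sensor post to the detection service."""
        self.service.ingest(session_id, sensor)
        return 204

    def request_protected(self, session_id: str, path: str) -> dict:
        """Sync mode: query the service before forwarding to the endpoint."""
        score = self.service.threat_score(session_id)
        if score >= self.block_threshold:
            return {"status": 403, "score": score}
        self.forwarded.append((session_id, path))
        return {"status": 200, "score": score}


def run_demo() -> dict:
    """Three constructed sessions: a human, a script, and a client that
    fetched the page but never executed the sensor."""
    service = DetectionService()
    server = OriginServer(service)
    page = server.serve_page("<html><body><form action='/checkout'></form></body></html>")
    server.receive_sensor_post("human", {"mouse_moves": 37, "key_events": 14, "ms_since_load": 6200})
    server.receive_sensor_post("human", {"mouse_moves": 12, "key_events": 3, "ms_since_load": 9800})
    server.receive_sensor_post("script", {"mouse_moves": 0, "key_events": 0, "ms_since_load": 120})
    return {
        "injected": server.SENSOR_SCRIPT in page,
        "human": server.request_protected("human", "/checkout"),
        "script": server.request_protected("script", "/checkout"),
        "headless": server.request_protected("headless", "/checkout"),
        "forwarded": server.forwarded,
    }


if __name__ == "__main__":
    print(run_demo())
```

The session with no posts at all is the case to get right: a client that fetches the page and immediately requests the protected endpoint has produced no sensor data, and the default the server applies to that gap determines whether simple scripted clients are caught.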