Patents Assigned to Arbor Networks
-
Patent number: 11451563
Abstract: A computer method and system for detecting a Denial of Service (DoS) attack by detecting changes in recent cardinality of a network traffic flow. Packet traffic flows are received from external device (networks), and a cardinality estimation is then performed on a received packet traffic flow. A series of cardinalities is maintained for prior packet traffic flows. Changes in cardinalities associated with prior packet traffic flows are detected when compared to cardinalities of a current packet traffic flow. An alert condition for the network traffic flow is generated regarding a suspected DoS attack based upon the detected changes in cardinalities regarding comparison of the cardinalities associated with prior packet traffic flows compared to cardinalities of a current packet traffic flow.
Type: Grant
Filed: May 27, 2020
Date of Patent: September 20, 2022
Assignee: Arbor Networks, Inc.
Inventors: Archana A. Rajaram, Andrew David Mortensen
-
Patent number: 11444973
Abstract: A computer method and system for detecting and preventing over-mitigation of network attacks (e.g., Denial of Service (DoS) attacks) upon a protected computer network by a network security element. A determination is made as to whether captured data packets transmitting to a protected network are associated with legitimate network traffic (e.g., non-attack traffic). A matching pattern of the captured data packets determined legitimate network traffic is generated and test traffic packets utilizing the matching pattern of the captured data packets are then generated. The generated test traffic packets are then injected into the network security element/filter. A determination is then made as to whether the injected test traffic packets are treated as malicious traffic (e.g., a DoS attack), or as legitimate traffic, by the network security filter. If treated as malicious traffic (e.g.
Type: Grant
Filed: April 9, 2020
Date of Patent: September 13, 2022
Assignee: Arbor Networks, Inc.
Inventor: Brian St. Pierre
-
Patent number: 11444966
Abstract: The method and system are provided for monitoring a protected network for strain. The method includes receiving a learned model having clusters of learning requests of learning network traffic observed during non-strain operation of the protected network, observing network traffic, classifying each of the traffic requests with one of the clusters based on fields of the traffic request and fields used for clustering the learning requests, determining an analysis response time for respective traffic requests associated with the classified traffic requests, determining an analysis response time characteristic per cluster based on an analysis response time associated with the respective classified traffic requests classified with the cluster, determining a difference per cluster between the analysis response time and the learning response times associated with the cluster, and notifying a mitigation device when the difference determined for enough of the clusters exceeds a predetermined threshold.
Type: Grant
Filed: December 17, 2019
Date of Patent: September 13, 2022
Assignee: Arbor Networks, Inc.
Inventor: Sean O'Hara
-
Patent number: 11431589
Abstract: A logical expression engine and computer-implemented method for optimizing evaluation of a logical expression is provided. The method includes receiving an original logical expression to be applied by a computer program for processing input information, the original logical expression having at least one operator and a subexpression disposed on each side of a related operator of the at least one related operator. The method further includes receiving statistics accumulated about how the computer program applies the subexpressions of the original logical expression for processing the input information received by the computer program, using the accumulated statistics to optimize the order in which the subexpressions would be applied by the computer program, and outputting for application by the computer program an optimized logical expression having the subexpressions ordered in accordance with the optimized order.
Type: Grant
Filed: October 24, 2019
Date of Patent: August 30, 2022
Assignee: Arbor Networks, Inc.
Inventors: Brian St. Pierre, Peter Allen Jensen, Timothy David Dodd
-
Patent number: 11431750
Abstract: A system and method for detecting a Denial of Service (DoS) attack. A number of evaluator elements (M) is determined for DoS analysis for network connection requests wherein each evaluator element is preferably associated with a component of the analyzed connection request. A DoS evaluator element score is determined for an evaluator element of the connection request by analyzing the evaluator element. DoS mitigation actions may be performed on the connection request if the determined evaluator element score is indicative of a DoS attack. An evaluator consolidated score (which may be weighted) is then calculated preferably consisting of one or more of the respective DoS evaluator element scores. Next, a determination is made as to whether each evaluator element of the M evaluator elements has been analyzed for determining a respective DoS evaluator element score. If no, a DoS evaluator element score for a succeeding evaluator element to be analyzed is then determined.
Type: Grant
Filed: May 15, 2020
Date of Patent: August 30, 2022
Assignee: Arbor Networks, Inc.
Inventors: Sean O'Hara, Steinthor Bjarnason
-
Publication number: 20220182398
Abstract: A method of monitoring a network is provided. The method includes receiving a packet of network traffic, determining a source IP address of the packet, consulting a database of source IP addresses, each source IP address having an associated probability of threat indicator (PTI) that indicates a probability of threat posed by the source IP address. The packet's source IP address' PTI is assigned to the packet as the packet's PTI, and one or more inspection checks are selected to be performed on the packet, wherein the selection of the inspection checks is a function of the packet's source IP address PTI. The method further includes performing the selected inspection checks, assigning treatment of the packet based on a result of the inspection checks performed, and adjusting the packet's source IP address' PTI or the packet's PTI based on the result of the one or more inspection checks performed.
Type: Application
Filed: December 9, 2020
Publication date: June 9, 2022
Applicant: Arbor Networks, Inc.
Inventor: Brian St. Pierre
-
Patent number: 11356415
Abstract: A method and system for detecting impersonated network traffic by a protected computing device and a network protection system. The method includes the computing device receiving installation of a browser application, the browser application configured to generate requests to communicate with other computers via the World Wide Web and receiving a configuration for the browser application. The browser application is configured to obtain a short-lived password (SLP) in coordination with generating a request and insert the short-lived password into the generated request before transmitting the request. The SLP is synchronized with an expected value generated by the network protection system. The transmitted request is passed to the network protection system and treated as legitimate network traffic by the network protection system only if the network protection system detects and verifies the SLP.
Type: Grant
Filed: April 22, 2020
Date of Patent: June 7, 2022
Assignee: Arbor Networks, Inc.
Inventor: Bhargav Pendse
-
Patent number: 11343143
Abstract: A method for configuring a network monitoring device is provided. A plurality of flow records is received. The plurality of flow records is analyzed according to user-specified criteria to identify one or more network traffic patterns. A plurality of network entities associated with the one or more identified network traffic patterns is identified. A managed object including the identified plurality of network entities is generated.
Type: Grant
Filed: December 22, 2016
Date of Patent: May 24, 2022
Assignee: Arbor Networks, Inc.
Inventors: Ronald G. Hay, James E. Winquist, Andrew D. Mortensen, William M. Northway, Jr., Lawrence B. Huston, III
-
Patent number: 11343228
Abstract: A computer method and system for determining common network security filter settings for one or more clusters of network servers. Network traffic samples are captured which are associated with a plurality of network servers. The captured network traffic samples are collated with regards to each of the plurality of network servers. The collated network traffic is analyzed for each of the plurality of network servers for determining suggested network security filter settings for each network server. One or more clusters of network servers are determined contingent upon the determined suggested network security filter settings for each of the plurality of network servers. Common network security group filter settings are determined for each determined cluster of network servers.
Type: Grant
Filed: May 13, 2020
Date of Patent: May 24, 2022
Assignee: Arbor Networks, Inc.
Inventors: Sean O'Hara, Alan Saqui
-
Patent number: 11330011
Abstract: A method of detecting patterns for automated filtering of data is provided. The method includes receiving network traffic including bad traffic and good traffic, wherein an attack is known to be applied to the bad traffic, and the good traffic is known to be free of an applied attack. Processing the good and bad traffic includes generating, for each unique packet, each potential unique combination of the packet's fields, storing each combination with associated bad match and good match counters, and incrementing a combination's respective good and bad match counters for each occurrence it matches one of the packets of the respective good and bad traffic. The combinations are sorted based on the good match counter associated with each combination, a number of fields in each combination, and the bad match counter associated with each combination. One or more combination is selected based on results of the sorting for provision to a network traffic filtering component.
Type: Grant
Filed: February 25, 2020
Date of Patent: May 10, 2022
Assignee: Arbor Networks, Inc.
Inventor: Brian St. Pierre
-
Publication number: 20220078205
Abstract: A method of automated filtering includes receiving a network traffic snapshot having packets with data stored in respective fields, generating a statistical data structure storing each potential unique combination of data stored in respective fields with an associated counter that is incremented for each occurrence that the combination matches one of the packets of the network traffic snapshot and one or more observation timestamps. Determining an observed vector from the statistical data structure, wherein the observed vector has associated attribute/value pairs and counters that satisfy a predetermined criterion. The observed vector's attribute/value pairs are compared to known attribute/value pairs associated with known DDoS attack vectors of an attack vector database.
Type: Application
Filed: September 10, 2020
Publication date: March 10, 2022
Applicant: Arbor Networks, Inc.
Inventors: Steinthor Bjarnason, Brian St. Pierre
-
Patent number: 11265237
Abstract: A method includes receiving summary messages summarizing respective aggregated traffic metadata packets output from the at least one traffic management device and an engine. Each summary message identifies an origination pair having a traffic management device and an aggregation engine and a sequence number. The method further includes tracking per subinterval of a series of sub-intervals, highest and lowest sequence numbers and a count of summary messages received for each unique origination pair from the beginning of the subinterval. The method further includes accumulating, per interval, accumulated highest and lowest sequence numbers and an accumulated count of summary messages for each unique origination pair from the beginning of the interval and for all previous subintervals for tracking dropped aggregated traffic metadata packets for the interval.
Type: Grant
Filed: May 27, 2020
Date of Patent: March 1, 2022
Assignee: Arbor Networks
Inventors: Andrew Lee Adams, Cameron T. Hanover
-
Publication number: 20220053006
Abstract: A method of monitoring network traffic for cryptojacking activity is provided. A request is received from a protected host. It is determined whether the request is a cryptocurrency request based on whether the request uses a protocol specified for requests belonging to the cryptocurrency communication. In response to a determination that the request is a cryptocurrency request for the cryptocurrency, a second request is submitted to a destination indicated by the request, wherein the second request is formatted as a cryptocurrency request for the cryptocurrency. A determination is made whether a reply to the second request from the destination is a cryptocurrency response for the cryptocurrency based on whether the response uses a protocol specified for a response that belongs to communication associated with the cryptocurrency.
Type: Application
Filed: August 11, 2020
Publication date: February 17, 2022
Applicant: Arbor Networks, Inc.
Inventor: Sean O'Hara
-
Publication number: 20210359976
Abstract: A computer method and system for determining common network security filter settings for one or more clusters of network servers. Network traffic samples are captured which are associated with a plurality of network servers. The captured network traffic samples are collated with regards to each of the plurality of network servers. The collated network traffic is analyzed for each of the plurality of network servers for determining suggested network security filter settings for each network server. One or more clusters of network servers are determined contingent upon the determined suggested network security filter settings for each of the plurality of network servers. Common network security group filter settings are determined for each determined cluster of network servers.
Type: Application
Filed: May 13, 2020
Publication date: November 18, 2021
Applicant: Arbor Networks, Inc.
Inventors: Sean O'Hara, Alan Saqui
-
Publication number: 20210360011
Abstract: A method is provided for inspecting network traffic. The method, performed in a single contained device, includes receiving network traffic inbound from an external host that is external to the protected network flowing to a protected host of the protected network, wherein the network traffic is transported by a secure protocol that implements ephemeral keys that endure for a limited time. The method further includes performing a first transmission control protocol (TCP) handshake with the external host, obtaining source and destination data during the first TCP handshake, the source and destination data including source and destination link and internet addresses obtained, caching the source and destination data, and using the cached source and destination data to obtain a Layer-7 request from the external host to the protected host and to pass a Layer-7 response from the protected host to the external host.
Type: Application
Filed: August 11, 2020
Publication date: November 18, 2021
Applicant: Arbor Networks, Inc.
Inventors: Sean O'Hara, Archana A. Rajaram
-
Publication number: 20210360025
Abstract: A computer method and system for mitigating a Session Level Attack (SLA) upon one or more internet hosted sought user accounts. A login request for a sought user account is received and Layer 3 information regarding the login request is utilized to determine existence of a SLA threat. One or more mitigations actions is performed on the login request to determine if a SLA threat exists based upon the utilization of Layer 3 information. Next, Layer 7 information regarding the login request is utilized to determine existence of a SLA threat wherein the Layer 7 information is only utilized to determine the existence of a SLA threat when no SLA threat was determined through utilization of the Layer 3 information. One or more mitigations actions is performed on the HTTP login request if the existence of a SLA threat exists based upon the utilization of the Layer 7 information.
Type: Application
Filed: May 15, 2020
Publication date: November 18, 2021
Applicant: Arbor Networks, Inc.
Inventors: Sean O'Hara, Conner Jones
-
Publication number: 20210360023
Abstract: A system and method for detecting a Denial of Service (DoS) attack. A number of evaluator elements (M) is determined for DoS analysis for network connection requests wherein each evaluator element is preferably associated with a component of the analyzed connection request. A DoS evaluator element score is determined for an evaluator element of the connection request by analyzing the evaluator element. DoS mitigation actions may be performed on the connection request if the determined evaluator element score is indicative of a DoS attack. An evaluator consolidated score (which may be weighted) is then calculated preferably consisting of one or more of the respective DoS evaluator element scores. Next, a determination is made as to whether each evaluator element of the M evaluator elements has been analyzed for determining a respective DoS evaluator element score. If no, a DoS evaluator element score for a succeeding evaluator element to be analyzed is then determined.
Type: Application
Filed: May 15, 2020
Publication date: November 18, 2021
Applicant: Arbor Networks, Inc.
Inventors: Sean O'Hara, Steinthor Bjarnason
-
Publication number: 20210359977
Abstract: A computer implemented method and system for determining malicious activity in a monitored network using clustering algorithmic techniques in which a source of known malicious network entities and known legitimate network entities associated with network traffic flow are provided. A dataset is generated consisting of a plurality of known malicious network entities and a plurality of known legitimate network entities. Network related attributes are identified associated with each of the plurality of malicious network entities and the plurality of legitimate network entities contained in the generated dataset. A predetermined number (X) of clusters is generated based upon the plurality of malicious (bad) and legitimate (good) network entities. A generated cluster is tagged with a bad, good or an unknown tag.
Type: Application
Filed: July 13, 2020
Publication date: November 18, 2021
Applicant: Arbor Networks, Inc.
Inventors: Prateek R. Paranjpe, Amol B. Patil, Bhargav M. Pendse
-
Patent number: 11178177
Abstract: A computer method and system for mitigating a Session Level Attack (SLA) upon one or more internet hosted sought user accounts. A login request for a sought user account is received and Layer 3 information regarding the login request is utilized to determine existence of a SLA threat. One or more mitigations actions is performed on the login request to determine if a SLA threat exists based upon the utilization of Layer 3 information. Next, Layer 7 information regarding the login request is utilized to determine existence of a SLA threat wherein the Layer 7 information is only utilized to determine the existence of a SLA threat when no SLA threat was determined through utilization of the Layer 3 information. One or more mitigations actions is performed on the HTTP login request if the existence of a SLA threat exists based upon the utilization of the Layer 7 information.
Type: Grant
Filed: May 15, 2020
Date of Patent: November 16, 2021
Assignee: Arbor Networks, Inc.
Inventors: Sean O'Hara, Conner Jones
-
Patent number: 11165817
Abstract: A computer method and system for detecting denial of service network attacks by analyzing intercepted data packets on a network to determine a user account associated with a preselected target host sought to be accessed via a user account login attempt. Determine if the login attempt exceeds a predetermined login value for previous failed login attempts associated with the user account sought to be accessed. Determine a geographic location associated with the login attempt if determined the login attempt exceeded the predetermined login value. Determine if a prior login attempt to the user account sought to be accessed was successful from the determined geographic location. Authenticate the login attempt to the user account sought to be accessed in the event it was determined a prior successful login attempt was made to the user account from the determined geographic location or no prior login attempts originated from the determined geographic location.
Type: Grant
Filed: November 26, 2019
Date of Patent: November 2, 2021
Assignee: Arbor Networks, Inc.
Inventors: Sean O'Hara, Andrew David Mortensen, Brian St. Pierre