Patents Assigned to Arbor Networks
  • Patent number: 10469528
    Abstract: A method for detecting patterns using statistical analysis is provided. The method includes receiving a subset of structured data having a plurality of fields. A plurality of value combinations is generated for the plurality of fields using a statistical combination function. Each combination of the generated plurality of value combinations is stored as a separate entry in a results table. The entry in the results table includes a counter associated with the stored combination. A value of the counter is incremented for every occurrence of the stored combination in the generated plurality of value combinations. The results table is sorted based on the counters' values and based on a number of fields in each combination. One or more entries having highest counter values are identified in the results table.
    Type: Grant
    Filed: February 27, 2017
    Date of Patent: November 5, 2019
    Assignee: Arbor Networks, Inc.
    Inventor: Steinthor Bjarnason
  • Publication number: 20190334945
    Abstract: A system and computer-implemented method to detect a slowloris-type network attack, wherein the method includes receiving data gathered by a server of a network over time, the data received including data about timing of requests from a plurality of clients received by the server, tracking the data about timing of requests over time, determining one or more characteristics about distribution of the data tracked, tracking the one or more characteristics to determine whether there is an increase in time for reading, by the server, a larger portion of requests tracked, identifying a change in the characteristics that indicates the presence of a slowloris-type network attack, and performing an action, in response to the change, to at least one of generate an alert about the slowloris-type network attack, request mitigation of the slowloris-type network attack, and mitigate the slowloris-type network attack.
    Type: Application
    Filed: April 25, 2018
    Publication date: October 31, 2019
    Applicant: Arbor Networks, Inc.
    Inventor: Sean O'Hara
  • Patent number: 10462166
    Abstract: A method, system, and computer-implemented method to manage blacklists used for mitigating network traffic is provided. The method includes monitoring a first blacklist and a second blacklist, wherein the first blacklist is used by a first mitigation process applied to network traffic that is performed upstream along a communication path of the network traffic relative to a second mitigation process that is performed using the second blacklist. The method further includes moving at least one entry from one of the first and second blacklists to the other of the first and second blacklists based on a result of the monitoring.
    Type: Grant
    Filed: October 11, 2016
    Date of Patent: October 29, 2019
    Assignee: Arbor Networks, Inc.
    Inventor: Brian St. Pierre
  • Patent number: 10459923
    Abstract: A system and method are provided for enabling querying of a large set, including accessing a data structure associated with a metadata parameter and configured to store partial information associated with the data set in a plurality of bins. Each bin, associated with a unique time interval, is configured to store a plurality of entries associated with identified respective members of the metadata parameter that have a detection time included in the bin's time interval. Each entry has at least one of an updated maximum and minimum possible count value determined using a probabilistic algorithm.
    Type: Grant
    Filed: January 12, 2017
    Date of Patent: October 29, 2019
    Assignee: Arbor Networks, Inc.
    Inventor: Frank P. Murphy
  • Patent number: 10462179
    Abstract: A method, system, and computer-implemented method to manage threats to a network is provided. The method includes receiving volume threat data that indicates a volume of threat data that needs to be managed by a threat management system having a plurality of threat management devices, determining a volume range from a plurality of volume ranges to which the received volume threat data belongs, determining a number of threat management devices of the plurality of threat devices needed to manage threat traffic associated with the volume range determined, and determining whether the number of threat management devices needed is different than a number of threat management devices currently being used to manage threat traffic.
    Type: Grant
    Filed: November 3, 2016
    Date of Patent: October 29, 2019
    Assignee: Arbor Networks, Inc.
    Inventor: Brian St. Pierre
  • Patent number: 10313209
    Abstract: A computer-implemented method to sample a large data set of traffic records, including receiving a traffic record associated with a traffic flow from a source of a large data set of traffic records, incrementing a flow counter representing a number of traffic flows received for one address of a pair of addresses identified by a traffic record, adding a traffic size of the traffic flow associated with the received traffic record to a total traffic size of all flows received in previous iterations. If the flow counter is less than a predetermined sampling threshold, then storing a traffic record sample associated with the traffic record. If the flow counter is more than the predetermined sampling threshold, then determining whether or not to sample the received traffic record by applying an exponentially decreasing probability function. Storing the traffic record sample as sampled data associated with the traffic record only if the determination is to sample the received traffic record.
    Type: Grant
    Filed: December 30, 2016
    Date of Patent: June 4, 2019
    Assignee: Arbor Networks, Inc.
    Inventor: Ivan Bondar
  • Patent number: 10243971
    Abstract: A method is provided to monitor network traffic, including reserving a portion of a system memory for short-term storage of copied network traffic, wherein the system memory is volatile, receiving copied packets of intercepted network traffic traversing a network, wherein the packets are associated with a plurality of respective traffic streams included in the network traffic, storing the copied packets in the portion of the system memory, maintaining an ordered list per traffic stream of copied packets that are stored, removing copied packets selected, based on their positions in their respective ordered lists, from the portion of the system memory based on a storage constraint, receiving an attack alert identifying a packet that is involved in a network attack, identifying the traffic stream that includes the packet identified, and transferring stored copied packets that are included in the identified traffic stream from the portion of the system memory to a long-term storage device.
    Type: Grant
    Filed: March 25, 2016
    Date of Patent: March 26, 2019
    Assignee: Arbor Networks, Inc.
    Inventors: Aaron Campbell, Christopher R. Hand, Frank Murphy
  • Patent number: 10182071
    Abstract: A system for mitigating network attacks includes a protected network and one or more attack mitigation devices communicatively coupled to the protected network. The attack mitigation devices are configured to receive a request from a host having an IP address and determine whether the IP address is included in a first probabilistic data structure representing addresses of hosts having failed to authenticate using a first authentication procedure. The attack mitigation devices are also configured to perform the first authentication procedure, responsive to a determination that the IP address of the host is not included in the first data structure. The attack mitigation devices are yet further configured to allow the host to access the protected network, responsive to successful completion of the first authentication procedure and to update the first data structure to include the IP address of the host, responsive to unsuccessful completion of the first authentication procedure.
    Type: Grant
    Filed: July 29, 2016
    Date of Patent: January 15, 2019
    Assignee: Arbor Networks, Inc.
    Inventors: Lawrence B. Huston, III, Mathew R. Richardson
  • Patent number: 10142360
    Abstract: A system and computer-implemented method for mitigating a malicious network attack. The method includes receiving an attack alert that a network attack has been detected, saving a sample of captured network traffic in response to the attack alert, playing back the sample while applying a playback countermeasure to the captured network traffic to block sample segments from the sample, analyzing at least one of the blocked sample segments and throughput sample segments that are not blocked, and adjusting the playback countermeasure in response to a result of the analyzing.
    Type: Grant
    Filed: October 11, 2016
    Date of Patent: November 27, 2018
    Assignee: Arbor Networks, Inc.
    Inventor: Brian St. Pierre
  • Patent number: 10122571
    Abstract: A network management system is provided in which a processing device coupled to a network performs operations to identify an interface in accordance with a rule and associate the identified interface with a category in accordance with the rule. The interface is coupled between a managed device and the network. The rule is based on a name associated with the interface, wherein the name indicates semantic information about data transmitted via the interface. Upon detection of transmission of data via the interface, the processor further performs operations to determine an action associated with the category and apply the action to the data.
    Type: Grant
    Filed: June 23, 2016
    Date of Patent: November 6, 2018
    Assignee: Arbor Networks, Inc.
    Inventors: Michael Kloos, Thomas Sundstrom
  • Patent number: 10116692
    Abstract: A system for mitigating network attacks within encrypted network traffic is provided. The system includes a protected network including a plurality of devices. The system further includes attack mitigation devices communicatively coupled to the protected network and to a cloud platform. The attack mitigation devices are configured and operable to decrypt the encrypted traffic received from the cloud platform and destined to the protected network to form a plurality of decrypted network packets and analyze the plurality of decrypted network packets to detect attacks. The attack mitigation devices are further configured to generate, in response to detecting the attacks, attack signatures corresponding to the detected attacks and configured to send the generated attack signatures to attack mitigation services provided in the cloud platform. The attack mitigation services are configured and operable to drop encrypted network traffic matching the attack signatures received from the attack mitigation devices.
    Type: Grant
    Filed: September 4, 2015
    Date of Patent: October 30, 2018
    Assignee: Arbor Networks, Inc.
    Inventors: Lawrence B. Huston, III, Scott Iekel-Johnson
  • Patent number: 10110627
    Abstract: A system for mitigating network attacks includes a protected network including a plurality of devices. The system further includes attack mitigation devices communicatively coupled to the protected network. The mitigation devices are configured to receive network data packets from external devices attempting to access protected devices in the protected network. The attack mitigation devices are further configured to periodically analyze effectiveness of each of a plurality of packet analysis sections. Each of the plurality of packet analysis sections includes a plurality of packet analysis instructions and is associated with a counter configured to count the number of packets dropped by a corresponding analysis section. The attack mitigation devices are further configured to disable one or more of the plurality of packet analysis sections responsive to the performed analysis and to analyze the received network data packets by utilizing only the enabled one or more of the plurality of packet analysis sections.
    Type: Grant
    Filed: August 30, 2016
    Date of Patent: October 23, 2018
    Assignee: Arbor Networks, Inc.
    Inventor: Brian St. Pierre
  • Patent number: 10044751
    Abstract: A system for mitigating network attacks is provided. The system includes a protected network including a plurality of devices. The system further includes one or more attack mitigation devices communicatively coupled to the protected network. The attack mitigation devices are configured and operable to employ a recurrent neural network (RNN) to obtain probability information related to a request stream. The request stream may include a plurality of at least one of: HTTP, RTSP and/or DNS messages. The attack mitigation devices are further configured to analyze the obtained probability information to detect one or more atypical requests in the request stream. The attack mitigation services are also configured and operable to perform, in response to detecting one or more atypical requests, mitigation actions on the one or more atypical requests in order to block an attack.
    Type: Grant
    Filed: December 28, 2015
    Date of Patent: August 7, 2018
    Assignee: Arbor Networks, Inc.
    Inventor: Lawrence B. Huston, III
  • Publication number: 20180205756
    Abstract: A system and method are provided to select mitigation parameters. The method includes receiving selection of at least one mitigation parameter, accessing a selected portion of stored network traffic or associated summaries that corresponds to a selectable time window, applying a mitigation to the selected portion of the stored network traffic or associated summaries using the selected at least one mitigation parameter, and outputting results of the applied mitigation.
    Type: Application
    Filed: January 19, 2017
    Publication date: July 19, 2018
    Applicant: Arbor Networks, Inc.
    Inventors: William M. Northway, JR., Andrew D. Mortensen, James E. Winquist, Ronald G. Hay, Nicholas Scott
  • Publication number: 20180196852
    Abstract: A system and method are provided for enabling querying of a large set, including accessing a data structure associated with a metadata parameter and configured to store partial information associated with the data set in a plurality of bins. Each bin, associated with a unique time interval, is configured to store a plurality of entries associated with identified respective members of the metadata parameter that have a detection time included in the bin's time interval. Each entry has at least one of an updated maximum and minimum possible count value determined using a probabilistic algorithm.
    Type: Application
    Filed: January 12, 2017
    Publication date: July 12, 2018
    Applicant: Arbor Networks, Inc.
    Inventor: Frank P. Murphy
  • Publication number: 20180191744
    Abstract: An on-premises network protection system and method for providing on-premises network protection are provided. The system includes a memory configured to store instructions and a processor disposed in communication with the memory, wherein the processor upon execution of the instructions is configured to receive notification that a characteristic of premises-based network traffic associated with at least one identified target of a network attack exceeds a predetermined threshold, and submit, based on the notification, a request, that identifies the at least one identified target, to a cloud-based protection system to provide cloud-based threat mitigation for a portion of network traffic associated with the at least one identified target.
    Type: Application
    Filed: January 5, 2017
    Publication date: July 5, 2018
    Applicant: Arbor Networks, Inc.
    Inventors: Carlos E. Morales, Scott Iekel-Johnson
  • Publication number: 20180191584
    Abstract: A computer-implemented method to sample a large data set of traffic records, including receiving a traffic record associated with a traffic flow from a source of a large data set of traffic records, incrementing a flow counter representing a number of traffic flows received for one address of a pair of addresses identified by a traffic record, adding a traffic size of the traffic flow associated with the received traffic record to a total traffic size of all flows received in previous iterations. If the flow counter is less than a predetermined sampling threshold, then storing a traffic record sample associated with the traffic record. If the flow counter is more than the predetermined sampling threshold, then determining whether or not to sample the received traffic record by applying an exponentially decreasing probability function. Storing the traffic record sample as sampled data associated with the traffic record only if the determination is to sample the received traffic record.
    Type: Application
    Filed: December 30, 2016
    Publication date: July 5, 2018
    Applicant: Arbor Networks, Inc.
    Inventor: Ivan Bondar
  • Publication number: 20180124099
    Abstract: A method, system, and computer-implemented method to manage threats to a network is provided. The method includes receiving volume threat data that indicates a volume of threat data that needs to be managed by a threat management system having a plurality of threat management devices, determining a volume range from a plurality of volume ranges to which the received volume threat data belongs, determining a number of threat management devices of the plurality of threat devices needed to manage threat traffic associated with the volume range determined, and determining whether the number of threat management devices needed is different than a number of threat management devices currently being used to manage threat traffic.
    Type: Application
    Filed: November 3, 2016
    Publication date: May 3, 2018
    Applicant: Arbor Networks, Inc.
    Inventor: Brian St. Pierre
  • Patent number: 9961106
    Abstract: A method for monitoring traffic flow in a network is provided. A network monitoring probe monitors one or more network traffic flow parameters to detect a denial of service attack. In response to detecting the denial of service attack, a first set of data representing the denial of service attack alert is displayed. Filtering criteria are received from a user. The filtering criteria include at least one of the network flow parameters identified as legitimate network traffic. A second set of data is generated and displayed based on the filtering criteria.
    Type: Grant
    Filed: September 24, 2014
    Date of Patent: May 1, 2018
    Assignee: Arbor Networks, Inc.
    Inventors: David Watson, Anthony Danducci, Joanna Markel, Willie Northway, Steven Lyskawa, James E. Winquist
  • Patent number: 9954761
    Abstract: A method for automatically detecting and configuring Virtual Private Network (VPN) sites is provided. A Border Gateway Protocol (BGP) message is received from a Provider Edge (PE) router. The BGP message includes one or more attributes. The VPN site is identified based on the one or more attributes. Such attributes may include extended community attributes.
    Type: Grant
    Filed: June 11, 2015
    Date of Patent: April 24, 2018
    Assignee: Arbor Networks, Inc.
    Inventor: Matthew Bregger