Patents Assigned to Imperva, Inc.
-
Patent number: 12645516
Abstract: A method performed by one or more computing devices to discover endpoints of a web service. The method includes obtaining a plurality of web service requests, determining levels of similarities between pairs of web service requests, grouping the plurality of web service requests into a plurality of groups based on the levels of similarities, responsive to a determination that the URL paths of the web service requests included in a first group do not include a parameter, determining that each of the URL paths of the web service requests included in the first group refer to separate endpoints of the web service, and responsive to a determination that the URL paths of the web service requests included in a second group include a parameter, determining that the URL paths of the web service requests included in the second group refer to a single endpoint of the web service.
Type: Grant
Filed: April 29, 2022
Date of Patent: June 2, 2026
Assignee: Imperva, Inc.
Inventors: Jonathan R. Azaria, Ori Nakar, Matan Lion
-
Patent number: 12587560
Abstract: A method implemented by a network device is disclosed to detect and mitigate account takeover attempts. The method includes generating a site profile for a site based on analyzing historical login requests to the site, wherein the site profile for the site includes information regarding legitimate login requests to the site and information regarding attacker login requests to the site, intercepting a login request to the site, determining whether the login request is legitimate for the site based on comparing the login request to the site profile for the site, assigning a risk score to the login request based at least in part on a result of the determination of whether the login request is legitimate for the site, determining a mitigation strategy to apply to the login request based on the risk score assigned to the login request, and causing the mitigation strategy to be applied to the login request.
Type: Grant
Filed: January 31, 2024
Date of Patent: March 24, 2026
Assignee: Imperva, Inc.
Inventors: Ido Romanov, Aiah Lerner, Dmitriy Litvak, Matan Lion
-
Patent number: 12572399
Abstract: A method by one or more computing devices functioning as a ticket master for a website that has a virtual waiting room, wherein the ticket master is communicatively coupled to a plurality of proxies controlling access to the website. When the ticket master is in a relaxed mode (as opposed to a pressure mode), the method includes pre-allocating a number of tickets to the plurality of proxies for a first upcoming time period and setting a queue head for the first upcoming time period to a ticket number of a last ticket created, wherein the number of tickets that are pre-allocated for the first upcoming time period is greater than a target number of users allowed to enter the website during the first upcoming time period but less than a predefined maximum sudden spike number.
Type: Grant
Filed: December 13, 2023
Date of Patent: March 10, 2026
Assignee: Imperva, Inc.
Inventors: Oren Brezner, Nir Gabay, Ortal Hasid, Shlomit Abergel
-
Patent number: 12518001
Abstract: A method for handling of injection attacks in requests for computer services is disclosed. The method includes receiving request data that represents a service to be provided by a server computer, parsing a data element from the request data wherein the data element includes a data key and a data value, determining whether the data key is one of one or more predetermined allowed data keys, and upon a condition in which the data key is not one of the predetermined allowed data keys, disabling any injection attacks in the request data before processing the request data by performing the service.
Type: Grant
Filed: May 28, 2024
Date of Patent: January 6, 2026
Assignee: Imperva, Inc.
Inventor: Kunal Anand
-
Patent number: 12488023
Abstract: Disclosed herein is a method by a computing system to classify network entities. The method includes receiving, by a first stage classifier, database logs and enterprise directory information, attempting to classify, by the first stage classifier during a first stage, a plurality of network entities appearing in the database logs into network entity types based on analyzing the database logs and the enterprise directory information, clustering, by a clustering component, the plurality of network entities into groups based on host name, classifying, by a second stage classifier during a second stage, one or more network entities of the plurality of network entities that were not able to be classified during the first stage into network entity types based on group types of the groups that the one or more network entities were clustered into, and outputting a network entity type of each of the plurality of network entities.
Type: Grant
Filed: May 31, 2024
Date of Patent: December 2, 2025
Assignee: Imperva, Inc.
Inventors: Shiri Margel, Yury Geiler
-
Patent number: 12411964
Abstract: Embodiments of the present disclosure provide a method for detecting security incidents in an object store by aggregating log files generated by a monitoring program of the object store and monitoring the aggregated log data. A processing device may periodically execute database operations to access data stored in the object store. In response to each database operation, an access log set may be generated and stored in an access log storage. The processing device may periodically aggregate access log data from a plurality of access log sets currently stored in the access log storage to generate aggregated log data. The processing device may then monitor the aggregated log data over time to identify one or more security incidents of the object store.
Type: Grant
Filed: November 10, 2021
Date of Patent: September 9, 2025
Assignee: Imperva, Inc.
Inventor: Ori Nakar
-
Patent number: 12406053
Abstract: A method performed by a cloud computing platform of a cloud service is disclosed to assess a data security of a database deployed in a cloud environment associated with a user of the cloud service. The method includes creating a sandbox environment in the cloud environment associated with the user, loading scanner code in the sandbox environment, wherein the scanner code includes code for performing a data security assessment, loading and restoring a snapshot of the database in the sandbox environment, setting a unique password for admin access to the restored snapshot of the database, executing the scanner code in the sandbox environment to perform the data security assessment on the restored snapshot of the database, and tearing down the sandbox environment in response to a determination that the scanner code has finished execution.
Type: Grant
Filed: July 22, 2022
Date of Patent: September 2, 2025
Assignee: Imperva, Inc.
Inventors: Gabriel Beyo, Tal Shabi, Eytan Shalom Naim, Elad Erez, James Arthur Burtoft, Paul Aiuto
-
Patent number: 12407719
Abstract: A method of providing infrastructure protection for a server of a network organization, the method including announcing, as an internet protocol (IP) address associated with a server of a plurality of servers, a first anycast IP address, the first anycast IP address being one of a plurality of anycast IP addresses that each serve as an anycast address for a scrubbing center network. Each of the plurality of anycast IP addresses is allocated to a respective server of the plurality of servers by the scrubbing center network. The scrubbing center network may receive an incoming network packet intended for the server, the incoming network packet identified using the first anycast IP address. The scrubbing center network may determine whether the incoming network packet is legitimate and if so, the incoming network packet may be routed to the server using a generic routing encapsulation (GRE) tunnel.
Type: Grant
Filed: March 14, 2022
Date of Patent: September 2, 2025
Assignee: Imperva, Inc.
Inventors: Dvir Shapira, Ehud Cohen, Tomer Bronshtein, Eyal Leshem, Alon Ludmer
-
Patent number: 12341807
Abstract: A method by one or more network devices implementing a scrubbing center for mitigating distributed denial of service attacks, where the scrubbing center is communicatively coupled to a plurality of clients and one or more servers. The method includes determining a set of packet fingerprints seen in a set of packets sent between the plurality of clients and the one or more servers, assigning a risk value to each packet fingerprint in the set of packet fingerprints based on analyzing previous security decisions made for packets having that packet fingerprint, and responsive to detecting an occurrence of a potential distributed denial of service attack, activating a security measure for each of one or more packet fingerprints in the set of packet fingerprints based on the risk value assigned to that packet fingerprint.
Type: Grant
Filed: December 17, 2019
Date of Patent: June 24, 2025
Assignee: Imperva, Inc.
Inventors: Jonathan R. Azaria, Avishay Zawoznik
-
Patent number: 12335252
Abstract: A network security system and method provide dynamic access control for a protected resource using a client-initiated ticket generation scheme. A client application receives, from an access control manager, a limited-use access ticket and may include the limited-use access ticket within application program interface (API) calls to a service application. The service application may forward the limited-use access ticket as a service access ticket to a ticket-based access control layer. A transaction monitor monitors run-time transaction information generated by the API calls to the service application and, if the limited-use access ticket is detected in the run-time transaction information, forwards the limited-use access ticket to the access control manager to perform validation of the limited-use access ticket.
Type: Grant
Filed: May 16, 2023
Date of Patent: June 17, 2025
Assignee: IMPERVA, Inc.
Inventors: Robert Dykes, Lebin Cheng, Ravindra K. Balupari
-
Patent number: 12332943
Abstract: A method by one or more computing devices to classify data values into data types. The method includes receiving a data value to be classified, determining one or more features of the data value, generating feature information associated with the data value that includes information regarding the determined one or more features of the data value, performing one or more matching operations for the data value, generating match information associated with the data value that includes information regarding results of performing the one or more matching operations for the data value, and providing the feature information associated with the data value and the match information associated with the data value to a content-based data type classifier that is to classify the data value based on analyzing the feature information associated with the data value and the match information associated with the data value.
Type: Grant
Filed: December 29, 2020
Date of Patent: June 17, 2025
Assignee: Imperva, Inc.
Inventor: Itsik Mantin
-
Patent number: 12335301
Abstract: Embodiments of the present disclosure relate to detecting new attack vectors in web application servers based on analyzing requests (e.g., HTTP/S requests) that were flagged as attacks by a machine learning web application firewall (ML WAF) but not by a rule-based WAF. Such requests may be grouped together using a clustering algorithm, and the features that are determined as being high contributors to an overall attack probability in a threshold number of such requests may be used to determine new attack vectors.
Type: Grant
Filed: November 1, 2021
Date of Patent: June 17, 2025
Assignee: Imperva, Inc.
Inventors: Ori Nakar, Jonathan Roy Azaria
-
Patent number: 12289292
Abstract: According to some embodiments of the disclosure, a method includes receiving an electronic communication directed to a data resource, determining, by a machine learning (ML) web application firewall (WAF), an attack probability of the electronic communication based on a plurality of features, wherein subsets of the plurality of features are arranged in a plurality of feature groups, and adjusting the attack probability based on respective feature weights of the plurality of feature groups.
Type: Grant
Filed: November 9, 2021
Date of Patent: April 29, 2025
Assignee: Imperva, Inc.
Inventors: Ori Nakar, Nadav Avital, Aiah Lerner
-
Patent number: 12250244
Abstract: A method includes identifying, from online clustering data, an internet protocol (IP) pair. The method further includes determining, by a processing device during an offline process, that the IP pair is part of a botnet. The method further includes, in response to the determining, appending data associated with the botnet to the online clustering data.
Type: Grant
Filed: December 31, 2020
Date of Patent: March 11, 2025
Assignee: Imperva, Inc.
Inventors: Ori Nakar, Amit Leibovitz
-
Patent number: 12177182
Abstract: A method by a service worker firewall middleware component is disclosed. The method includes causing a service worker firewall associated with a web site to be installed on a web browser, obtaining one or more rules in response to receiving a request from the service worker firewall for rules to be applied by the service worker firewall, sending a response to the service worker firewall, wherein the response includes the one or more rules, a digital signature for the one or more rules, and an indication of when the digital signature expires, wherein the digital signature is generated using a private key associated with the website, and receiving a rules violation report from the service worker firewall, wherein the rules violation report was generated as a result of the service worker firewall applying the one or more rules to cross-origin requests.
Type: Grant
Filed: December 30, 2021
Date of Patent: December 24, 2024
Assignee: Imperva, Inc.
Inventor: Ron Masas
-
Patent number: 12169538
Abstract: A method by one or more computing devices to detect anomalous accesses to a system. The method includes generating a technical maturity profile of a system user based on analyzing historical commands submitted by the system user to the system and determining whether an access by the system user to the system is anomalous based on determining technical maturity attributes of a command submitted by the system user to perform the access and comparing the technical maturity attributes of the command to the technical maturity profile of the system user.
Type: Grant
Filed: November 18, 2021
Date of Patent: December 17, 2024
Assignee: Imperva, Inc.
Inventor: James Arthur Burtoft
-
Patent number: 12164897
Abstract: Embodiments of the present disclosure relate to systems and methods for installing a program within a CICS region without an antecedent program. A CICS region where the program is to be installed may detect an initiating event, the CICS region executing logical units of work that each corresponds to a task of a host operating system (OS). The initiating event may generate a first logical unit of work to intercept service calls made by the CICS region. In response to the first logical unit of work intercepting a first service call, control of execution of the first service call may be transitioned from the host OS to a CICS execution API. The CICS execution API may issue one or more API calls related to installation of the program, wherein the CICS execution API executes the one or more API calls as if they are part of the first service call.
Type: Grant
Filed: December 14, 2022
Date of Patent: December 10, 2024
Assignee: Imperva, Inc.
Inventor: Scott Heronimus
-
Patent number: 12153661
Abstract: Embodiments of the present disclosure relate to utilizing an existing login process of a data repository to enable the data repository to delegate MFA functionality to an external MFA system. When a purported user attempts to log in to the data repository, a delegation module within the login process may insert a record into a table associated with the login process. A program executing on a security device external to the data repository may periodically poll the table for new records and upon detecting the new record, may call the external MFA system to verify the login attempt. The external MFA system may indicate to the program whether the login attempt was verified and the program may update the table with the indication. Upon detecting the indication, the delegation module may complete or terminate the login attempt based on the indication.
Type: Grant
Filed: February 22, 2022
Date of Patent: November 26, 2024
Assignee: Imperva, Inc.
Inventors: Ron Ben-Natan, Gabriel Beyo, Rosa Miroshnikov, Ury Segal
-
Publication number: 20240320243
Abstract: Disclosed herein is a method by a computing system to classify network entities. The method includes receiving, by a first stage classifier, database logs and enterprise directory information, attempting to classify, by the first stage classifier during a first stage, a plurality of network entities appearing in the database logs into network entity types based on analyzing the database logs and the enterprise directory information, clustering, by a clustering component, the plurality of network entities into groups based on host name, classifying, by a second stage classifier during a second stage, one or more network entities of the plurality of network entities that were not able to be classified during the first stage into network entity types based on group types of the groups that the one or more network entities were clustered into, and outputting a network entity type of each of the plurality of network entities.
Type: Application
Filed: May 31, 2024
Publication date: September 26, 2024
Applicant: Imperva, Inc.
Inventors: Shiri MARGEL, Yury GEILER
-
Publication number: 20240311470
Abstract: A method for handling of injection attacks in requests for computer services is disclosed. The method includes receiving request data that represents a service to be provided by a server computer, parsing a data element from the request data wherein the data element includes a data key and a data value, determining whether the data key is one of one or more predetermined allowed data keys, and upon a condition in which the data key is not one of the predetermined allowed data keys, disabling any injection attacks in the request data before processing the request data by performing the service.
Type: Application
Filed: May 28, 2024
Publication date: September 19, 2024
Applicant: Imperva, Inc.
Inventor: Kunal Anand