Patents Assigned to Imperva, Inc.
-
Patent number: 12250244
Abstract: A method includes identifying, from online clustering data, an internet protocol (IP) pair. The method further includes determining, by a processing device during an offline process, that the IP pair is part of a botnet. The method further includes, in response to the determining, appending data associated with the botnet to the online clustering data.
Type: Grant
Filed: December 31, 2020
Date of Patent: March 11, 2025
Assignee: Imperva, Inc.
Inventors: Ori Nakar, Amit Leibovitz
-
Patent number: 12177182
Abstract: A method by a service worker firewall middleware component is disclosed. The method includes causing a service worker firewall associated with a web site to be installed on a web browser, obtaining one or more rules in response to receiving a request from the service worker firewall for rules to be applied by the service worker firewall, sending a response to the service worker firewall, wherein the response includes the one or more rules, a digital signature for the one or more rules, and an indication of when the digital signature expires, wherein the digital signature is generated using a private key associated with the website, and receiving a rules violation report from the service worker firewall, wherein the rules violation report was generated as a result of the service worker firewall applying the one or more rules to cross-origin requests.
Type: Grant
Filed: December 30, 2021
Date of Patent: December 24, 2024
Assignee: Imperva, Inc.
Inventor: Ron Masas
-
Patent number: 12169538
Abstract: A method by one or more computing devices to detect anomalous accesses to a system. The method includes generating a technical maturity profile of a system user based on analyzing historical commands submitted by the system user to the system and determining whether an access by the system user to the system is anomalous based on determining technical maturity attributes of a command submitted by the system user to perform the access and comparing the technical maturity attributes of the command to the technical maturity profile of the system user.
Type: Grant
Filed: November 18, 2021
Date of Patent: December 17, 2024
Assignee: Imperva, Inc.
Inventor: James Arthur Burtoft
-
Patent number: 12164897
Abstract: Embodiments of the present disclosure relate to systems and methods for installing a program within a CICS region without an antecedent program. A CICS region where the program is to be installed may detect an initiating event, the CICS region executing logical units of work that each corresponds to a task of a host operating system (OS). The initiating event may generate a first logical unit of work to intercept service calls made by the CICS region. In response to the first logical unit of work intercepting a first service call, control of execution of the first service call may be transitioned from the host OS to a CICS execution API. The CICS execution API may issue one or more API calls related to installation of the program, wherein the CICS execution API executes the one or more API calls as if they are part of the first service call.
Type: Grant
Filed: December 14, 2022
Date of Patent: December 10, 2024
Assignee: Imperva, Inc.
Inventor: Scott Heronimus
-
Patent number: 12153661
Abstract: Embodiments of the present disclosure relate to utilizing an existing login process of a data repository to enable the data repository to delegate MFA functionality to an external MFA system. When a purported user attempts to log in to the data repository, a delegation module within the login process may insert a record into a table associated with the login process. A program executing on a security device external to the data repository may periodically poll the table for new records and upon detecting the new record, may call the external MFA system to verify the login attempt. The external MFA system may indicate to the program whether the login attempt was verified and the program may update the table with the indication. Upon detecting the indication, the delegation module may complete or terminate the login attempt based on the indication.
Type: Grant
Filed: February 22, 2022
Date of Patent: November 26, 2024
Assignee: Imperva, Inc.
Inventors: Ron Ben-Natan, Gabriel Beyo, Rosa Miroshnikov, Ury Segal
-
Publication number: 20240320243
Abstract: Disclosed herein is a method by a computing system to classify network entities. The method includes receiving, by a first stage classifier, database logs and enterprise directory information, attempting to classify, by the first stage classifier during a first stage, a plurality of network entities appearing in the database logs into network entity types based on analyzing the database logs and the enterprise directory information, clustering, by a clustering component, the plurality of network entities into groups based on host name, classifying, by a second stage classifier during a second stage, one or more network entities of the plurality of network entities that were not able to be classified during the first stage into network entity types based on group types of the groups that the one or more network entities were clustered into, and outputting a network entity type of each of the plurality of network entities.
Type: Application
Filed: May 31, 2024
Publication date: September 26, 2024
Applicant: Imperva, Inc.
Inventors: Shiri MARGEL, Yury GEILER
-
Publication number: 20240311470
Abstract: A method for handling of injection attacks in requests for computer services is disclosed. The method includes receiving request data that represents a service to be provided by a server computer, parsing a data element from the request data wherein the data element includes a data key and a data value, determining whether the data key is one of one or more predetermined allowed data keys, and upon a condition in which the data key is not one of the predetermined allowed data keys, disabling any injection attacks in the request data before processing the request data by performing the service.
Type: Application
Filed: May 28, 2024
Publication date: September 19, 2024
Applicant: Imperva, Inc.
Inventor: Kunal Anand
-
Publication number: 20240259418
Abstract: A method implemented by a network device is disclosed to detect and mitigate account takeover attempts. The method includes generating a site profile for a site based on analyzing historical login requests to the site, wherein the site profile for the site includes information regarding legitimate login requests to the site and information regarding attacker login requests to the site, intercepting a login request to the site, determining whether the login request is legitimate for the site based on comparing the login request to the site profile for the site, assigning a risk score to the login request based at least in part on a result of the determination of whether the login request is legitimate for the site, determining a mitigation strategy to apply to the login request based on the risk score assigned to the login request, and causing the mitigation strategy to be applied to the login request.
Type: Application
Filed: January 31, 2024
Publication date: August 1, 2024
Applicant: Imperva, Inc.
Inventors: Ido ROMANOV, Aiah LERNER, Dmitriy LITVAK, Matan LION
-
Publication number: 20240241776
Abstract: A method by one or more computing devices functioning as a ticket master for a website that has a virtual waiting room, wherein the ticket master is communicatively coupled to a plurality of proxies controlling access to the website. When the ticket master is in a relaxed mode (as opposed to a pressure mode), the method includes pre-allocating a number of tickets to the plurality of proxies for a first upcoming time period and setting a queue head for the first upcoming time period to a ticket number of a last ticket created, wherein the number of tickets that are pre-allocated for the first upcoming time period is greater than a target number of users allowed to enter the website during the first upcoming time period but less than a predefined maximum sudden spike number.
Type: Application
Filed: December 13, 2023
Publication date: July 18, 2024
Applicant: Imperva, Inc.
Inventors: Oren BREZNER, Nir GABAY, Ortal HASID, Shlomit ABERGEL
-
Patent number: 12032682
Abstract: Systems and methods for analyzing SQL queries for constraint violations for injection attacks. Tokenizing a SQL query generates a token stream. A parse tree is constructed by iterating over lexical nodes of the token stream. The parse tree is compared to a SQL schema and access configuration for a database in order to analyze the SQL query for constraint violations. Evaluation flaws are also detected. A step-wise, bottom-up approach is employed to walk through the parse tree to detect types and to ascertain from those types whether the condition for SQL execution is static or dynamic. SQL request security engine logic refers to predetermined protective action data and takes the particular type of action specified by the predetermined protective action data. Security is further enhanced by limiting service of requests to requests of one or more specific, accepted data types. Each request is parsed into individual data elements, each an associated key-value pair.
Type: Grant
Filed: July 28, 2021
Date of Patent: July 9, 2024
Assignee: Imperva, Inc.
Inventor: Kunal Anand
-
Patent number: 11916941
Abstract: A method by a security analysis server to generate a traffic monitoring rule. The method includes receiving, from a database agent because of a current configuration of the database agent, counts of an amount of traffic sent over a first set of one or more of the database connections being monitored by the database agent and generating a traffic monitoring rule that indicates database connections for which the database agent is to send counts of an amount of traffic, rather than all the traffic, sent over those database connections to the security analysis server because those database connections have been determined by the security analysis server to be of an application database connection type based on an analysis by the security analysis server of the counts. The method further includes applying the traffic monitoring rule by sending instructions to the database agent to alter the current configuration.
Type: Grant
Filed: May 3, 2021
Date of Patent: February 27, 2024
Assignee: Imperva, Inc.
Inventors: Ehud Eshet, Ophir Bleiberg
-
Patent number: 11900182
Abstract: A method by one or more computing devices functioning as a ticket master for a website that has a virtual waiting room, wherein the ticket master is communicatively coupled to a plurality of proxies controlling access to the website. When the ticket master is in a relaxed mode (as opposed to a pressure mode), the method includes pre-allocating a number of tickets to the plurality of proxies for a first upcoming time period and setting a queue head for the first upcoming time period to a ticket number of a last ticket created, wherein the number of tickets that are pre-allocated for the first upcoming time period is greater than a target number of users allowed to enter the website during the first upcoming time period but less than a predefined maximum sudden spike number.
Type: Grant
Filed: October 6, 2021
Date of Patent: February 13, 2024
Assignee: Imperva, Inc.
Inventors: Oren Brezner, Nir Gabay, Ortal Hasid, Shlomit Abergel
-
Patent number: 11792209
Abstract: A method includes monitoring web traffic until a threshold of network traffic is collected. The method further includes determining a number of location characteristics corresponding to the network traffic. The method further includes monitoring traffic information corresponding to the number of location characteristics until a threshold of traffic information is collected. The method further includes determining a number of location content flags corresponding to the traffic information. The method further includes generating, by a processing device, a location profile based on the number of location characteristics and the number of content flags. The method further includes blocking impermissible web traffic from reaching a client device based on the location profile.
Type: Grant
Filed: December 31, 2020
Date of Patent: October 17, 2023
Assignee: IMPERVA, INC.
Inventor: Itsik Mantin
-
Patent number: 11763018
Abstract: Embodiments of the present disclosure relate to generating a high level security policy for a data repository without knowledge of the access control, entitlement, and other models of the data repository. A set of abstractions that define a security policy language may be generated based on data in a data repository collection. The set of abstractions may define a security policy language, which may be provided to a security administrator who can define a security policy with the security policy language. The security policy may be translated into a common physical language to generate a common physical policy. The processing device may then translate the common physical policy into a set of commands for each of one or more data repositories that the data repository collection is comprised of.
Type: Grant
Filed: February 22, 2021
Date of Patent: September 19, 2023
Assignee: IMPERVA, INC.
Inventors: Ron Ben-Natan, Gabriel Beyo, Rosa Miroshnikov, Ury Segal
-
Patent number: 11750627
Abstract: Techniques for detecting suspicious data object access requests indicative of potential insider threats are described. A suspicious access detection module (SADM) determines, based on access data describing access requests issued on behalf of multiple users, groups of the users having similar patterns of accesses to resource groups, a set of the resource groups accessed by each of the user groups, and ones of the user groups that are to be considered nearby others of the user groups based on having a threshold amount of resource group access similarities. The SADM causes an alert to be generated responsive to a determination that a subsequent access request is suspicious because it accesses a data object of a resource group that is not within the set of accessed resource groups of the issuing user's user group, and because the resource group is not within the sets of accessed resource groups of any nearby user groups.
Type: Grant
Filed: September 8, 2021
Date of Patent: September 5, 2023
Assignee: Imperva, Inc.
Inventors: Guy Shtar, Shiri Margel
-
Patent number: 11748460
Abstract: A method by one or more computing devices for obfuscating challenge code. The method includes obtaining challenge code for interrogating a client, inserting, into the challenge code, code for obfuscating outputs that are to be generated by the client, where the code for obfuscating the outputs includes code for applying a first chain of reversible transformations to the outputs using client-generated random values, interning strings appearing in the challenge code with obfuscated strings, inserting code for deobfuscating the obfuscated strings into the challenge code, inlining function calls in the challenge code, removing function definitions that are unused in the challenge code due to the inlining, reordering the challenge code without changing the functionality of the challenge code, and providing the challenge code for execution by the client.
Type: Grant
Filed: October 30, 2020
Date of Patent: September 5, 2023
Assignee: Imperva, Inc.
Inventors: Emil Hernvall, Daniel Spång
-
Patent number: 11750718
Abstract: A technique for accelerating dynamic content delivery in a content delivery network. In some embodiments of the invention, responsive to a request that is sent by a client and that is for dynamic content, a client-proxy hosted in a datacenter of a CDN sends the request to a “forwarder-proxy” hosted in another datacenter of the same CDN. The forwarder-proxy, responsive to the request for dynamic content, forwards the request to an origin server and does not cache the dynamic content. The datacenter selected for the forwarder-proxy is one that is “close” to the origin server in terms of round-trip time (RTT) to improve network performance for requests for dynamic content.
Type: Grant
Filed: January 20, 2022
Date of Patent: September 5, 2023
Assignee: Imperva, Inc.
Inventor: David Levy Nahum
-
Patent number: 11729176
Abstract: A runtime application self protection (RASP) plug-in logic monitors for, and prevents, outbound network connections that are initiated by server application logic and that are not intended by the application logic. The RASP plug-in has access to information generally available only to the application logic and identifies specific vulnerabilities within the application logic that can be patched. The vulnerabilities are identified by (i) data identifying the portion(s) of the application logic that is the source of the vulnerability and (ii) data identifying the authenticated user, if any, that is the source of the attack. The RASP plug-in catches and identifies specific attacks on the application logic in real-world, production operation.
Type: Grant
Filed: October 17, 2019
Date of Patent: August 15, 2023
Assignee: Imperva Inc.
Inventors: Kunal Anand, Richard Meester, Joseph Rozner, Martin Ryan
-
Patent number: 11728929
Abstract: A method by a network device for detecting data in a data stream. The method includes receiving the data stream, where the data stream includes a sequence of original characters, generating a sequence of type-mapped characters corresponding to the sequence of original characters, converging each of two or more consecutive occurrences of a first character in the sequence of type-mapped characters into a single occurrence of the first character, searching for occurrences of one or more predefined sequences of characters in the sequence of type-mapped characters, and responsive to finding an occurrence of any of the one or more predefined sequences of characters, extracting a sequence of characters in the sequence of original characters corresponding to the occurrence of the predefined sequence of characters found in the sequence of type-mapped characters.
Type: Grant
Filed: January 20, 2022
Date of Patent: August 15, 2023
Assignee: Imperva, Inc.
Inventor: Itsik Mantin
-
Patent number: 11716374
Abstract: A method by a web application layer proxy communicatively coupled between a client and an origin server for performing automated POST resubmission. The method includes intercepting a request by the client for a resource provided by the origin server, obtaining an interstitial page in response to receiving an indication from a bot detector component that the client needs to be identified, where the interstitial page includes challenge code for interrogating the client and code for automatically submitting a form included in the interstitial page if the client successfully acquires a token, encrypting a payload of the request, adding the encrypted payload to a hidden input field of the form included in the interstitial page, and sending the interstitial page with the encrypted payload added to the hidden input field of the form to the client as a response to the request.
Type: Grant
Filed: March 8, 2022
Date of Patent: August 1, 2023
Assignee: Imperva, Inc.
Inventor: Daniel Spång