Patents Assigned to Imperva, Inc.
-
Publication number: 20210203674
Abstract: A method is described for a proxy to mitigate attacks from web application clients based on context of web application layer requests. The method includes receiving a plurality of web application layer requests from a web application layer client; aggregating a first set of requests from the plurality of web application layer requests, wherein the first set of requests are part of a first session; determining a profile based on the first set of requests, wherein the profile describes a baseline of expected behavior for a user of the web application layer client; and determining a first threat value associated with the first set of requests based on the first set of requests and the profile, wherein the first threat value describes the likelihood that the first set of requests are part of an attack on one or more web application servers.
Type: Application
Filed: December 30, 2019
Publication date: July 1, 2021
Applicant: Imperva, Inc.
Inventors: Jonathan R. AZARIA, Ori OR-MEIR, Nadav AVITAL, Amir SHLADOVSKY, Ben HERZBERG
-
Publication number: 20210200741
Abstract: A method for passively classifying data in a database based on event logs stored in an event log database is described. The method includes retrieving, by a classification server, a first event log from the event log database, wherein the first event log represents a transaction involving a client device and the database; extracting, by the classification server, one or more pieces of information from the first event log to generate classification data; generating, by the classification server, a set of sensitivity scores corresponding to the one or more pieces of information, wherein each sensitivity score indicates the level of sensitivity associated with a corresponding piece of information from the one or more pieces of information; and storing, by the classification server, the set of sensitivity scores in a score database.
Type: Application
Filed: December 30, 2019
Publication date: July 1, 2021
Applicant: Imperva, Inc.
Inventors: Or FRENKEL, Reut SHANI, Itsik MANTIN, Ran GERSON, Alexei OVSEITCHIK, Joseph C. G. BULLEN, Derrick J. HANCOCK, Chadwick R. THORNE
-
Publication number: 20210200884
Abstract: A method by one or more runtime agents protecting a web application for capturing contextual information for data accesses. The method includes determining first metadata associated with a web application layer request sent by a web application firewall to the web application, determining second metadata associated with the web application layer request based on information available to the web application, serializing the first metadata and the second metadata to generate serialized metadata, and adding the serialized metadata to a database query that is to be submitted by the web application to the database server, wherein execution of the database query that includes the serialized metadata by the database server is to cause the database activity monitor to store the serialized metadata and third metadata associated with the database query determined by the database activity monitor in a data storage.
Type: Application
Filed: December 30, 2019
Publication date: July 1, 2021
Applicant: Imperva, Inc.
Inventors: Kunal ANAND, Brian ANDERSON, Joe MOORE, Ran ROSIN, Itsik MANTIN, Peter KLIMEK, Craig BURLINGAME
-
Publication number: 20210203641
Abstract: A method by a web application layer proxy for predictively activating security rules to protect one or more web application servers from attacks by one or more web application clients. The method includes applying a set of security rules to web application layer requests received from the one or more web application clients that are intended for the one or more web application servers, determining a set of recently triggered security rules, where the set of recently triggered security rules includes those security rules in the set of security rules that were triggered within a most recent period of time, applying a prediction model to the set of recently triggered security rules to determine one or more security rules that are predicted to be triggered, and activating the one or more security rules.
Type: Application
Filed: December 30, 2019
Publication date: July 1, 2021
Applicant: Imperva, Inc.
Inventors: Itsik MANTIN, Ori OR-MEIR
-
Publication number: 20210203642
Abstract: A method by one or more network devices communicatively coupled to a web application layer proxy for profiling parameters of web application layer requests received by the web application layer proxy while preserving privacy. The method includes obtaining masked parameter values associated with a parameter in the web application layer requests, where the masked parameter values associated with the parameter are generated by the web application layer proxy based on masking parameter values associated with the parameter while preserving lengths of the parameter values associated with the parameter and character types of characters in the parameter values associated with the parameter, generating the profile of the parameter based on analyzing the masked parameter values associated with the parameter, and providing the profile of the parameter to the web application layer proxy.
Type: Application
Filed: December 30, 2019
Publication date: July 1, 2021
Applicant: Imperva, Inc.
Inventors: Itsik MANTIN, Shelly HERSHKOVITZ, Amichai SHULMAN, Nitzan NIV
-
Patent number: 11050786
Abstract: An analyzer module (AM) within a same protected network and on-premise with a server detects and distinguishes between types of Denial-of-Service (DoS) attacks. The AM tracks whether test messages, which include test request messages that a signal generation module (SGM) is configured to transmit to the server according to a predefined time schedule to allow the AM to detect and distinguish between types of DoS attacks, are timely received. The AM is aware of the predefined time schedule according to which the SGM is configured to transmit the test request messages to the server. The AM detects an occurrence of a DoS attack and identifies the type of the DoS attack based upon the result of the tracking indicating that a number of the test messages have not been timely received.
Type: Grant
Filed: July 23, 2019
Date of Patent: June 29, 2021
Assignee: Imperva, Inc.
Inventors: Tal Arieh Be'ery, Amichai Shulman
-
Publication number: 20210185083
Abstract: A method by one or more network devices implementing a scrubbing center for mitigating distributed denial of service attacks, where the scrubbing center is communicatively coupled to a plurality of clients and one or more servers. The method includes determining a set of packet fingerprints seen in a set of packets sent between the plurality of clients and the one or more servers, assigning a risk value to each packet fingerprint in the set of packet fingerprints based on analyzing previous security decisions made for packets having that packet fingerprint, and responsive to detecting an occurrence of a potential distributed denial of service attack, activating a security measure for each of one or more packet fingerprints in the set of packet fingerprints based on the risk value assigned to that packet fingerprint.
Type: Application
Filed: December 17, 2019
Publication date: June 17, 2021
Applicant: Imperva, Inc.
Inventors: Johnathan AZARIA, Avishay ZAWOZNIK
-
Patent number: 11030241
Abstract: A query server identifies data collections of interest in a cloud store, and categorizes the collections based on an intended usage. Depending on the intended usage, the categorized data may be cataloged, indexed, or undergo a full intake into a column store. In a database of large data collections, some collections may experience sparse or indefinite usage. Cataloging or indexing position the collections for subsequent query access, but defers the computational burden. The full intake performs a columnar shredding of the collection for facilitating eminent and regular query access. Upon invocation of query activity, an instantiation of virtual machines provided by the cloud store vendor implements query logic, such that the VMs launch in conjunction with the cloud store having the collections. Collections therefore incur processing based on their expected usage-full intake for high query traffic collections, and reduced cataloging for maintaining accessibility of collections of indefinite query interest.
Type: Grant
Filed: March 7, 2017
Date of Patent: June 8, 2021
Assignee: Imperva, Inc.
Inventor: Ron Ben-Natan
-
Patent number: 11023607
Abstract: A method for detecting anomalies in audit logs of database operations performed on databases. The method includes obtaining a first audit log of database operations performed on one or more databases, generating, for each of a plurality of attribute values associated with a designated attribute appearing in the first audit log, a profile of that attribute value that indicates expected attribute characteristics of one or more attributes when that attribute value is associated with the designated attribute, obtaining a second audit log of further database operations performed on the one or more databases, and detecting an anomaly responsive to a determination that a log entry in the second audit log includes an attribute value associated with the designated attribute but attributes in the log entry deviate from the expected attribute characteristics of the one or more attributes indicated by the profile of the attribute value associated with the designated attribute.
Type: Grant
Filed: April 3, 2020
Date of Patent: June 1, 2021
Assignee: Imperva, Inc.
Inventors: Itsik Mantin, Craig Burlingame, Brian Anderson, Kunal Anand, Ran Rosin, Peter Klimek, Joseph Moore
-
Patent number: 11025657
Abstract: A method by a security analysis server to generate a traffic monitoring rule. The method includes receiving, from a database agent because of a current configuration of the database agent, counts of an amount of traffic sent over a first set of one or more of the database connections being monitored by the database agent and generating a traffic monitoring rule that indicates database connections for which the database agent is to send counts of an amount of traffic, rather than all the traffic, sent over those database connections to the security analysis server because those database connections have been determined by the security analysis server to be of an application database connection type based on an analysis by the security analysis server of the counts. The method further includes applying the traffic monitoring rule by sending instructions to the database agent to alter the current configuration.
Type: Grant
Filed: December 13, 2018
Date of Patent: June 1, 2021
Assignee: Imperva, Inc.
Inventors: Ehud Eshet, Ophir Bleiberg
-
Patent number: 11003779
Abstract: A method by a security system for selectively triggering different ones of a plurality of database assessment scans for a database and detecting when non-compliant database configurations of the database are being used. The method includes monitoring for occurrences of a first class of database operations, responsive to detecting an occurrence of one or more database operations of the first class, selecting one or more subsets of the plurality of database assessment scans to be rerun, triggering performance of only the selected one or more of the subsets, identifying one or more non-compliant database configurations of the database based on accessing results of the selected one or more of the subsets, determining one or more security rules for detecting occurrences of database operations that make use of the identified one or more non-compliant database configurations, and applying the determined one or more security rules.
Type: Grant
Filed: September 30, 2020
Date of Patent: May 11, 2021
Assignee: Imperva, Inc.
Inventors: Avidan Reich, Amichai Shulman, Michael Cherny
-
Publication number: 20210092142
Abstract: A botnet identification module identifies members of one or more botnets based upon network traffic destined to one or more servers over time, and provides sets of botnet sources to a traffic monitoring module. Each set of botnet sources includes a plurality of source identifiers of end stations acting as part of a corresponding botnet. A traffic monitoring module receives the sets of botnet sources from the botnet identification module, and upon a receipt of traffic identified as malicious that was sent by a source identified within one of the sets of botnet sources, activates a protection mechanism with regard to all traffic from all of the sources identified by the one of the sets of botnet sources for an amount of time.
Type: Application
Filed: December 8, 2020
Publication date: March 25, 2021
Applicant: Imperva, Inc.
Inventors: Nitzan NIV, Amichai SHULMAN
-
Patent number: 10956672
Abstract: A log message classifier employs machine learning for identifying a corresponding parser for interpreting the incoming log message and for retraining a classification logic model processing the incoming log messages. Voluminous log messages generate a large amount of data, typically in a text form. Data fields are parseable from the message by a parser that knows a format of the message. The classification logic is trained by a set of messages having a known format for defining groups of messages recognizable by a corresponding parser. The classification logic is defined by a random forest that outputs a corresponding group and confidence value for each incoming message. Groups may be split to define new groups based on a recurring matching tail (latter portion) of the incoming messages. A trend of decreased confidence scores triggers a periodic retraining of the random forest, and may also generate an alert to operators.
Type: Grant
Filed: December 19, 2018
Date of Patent: March 23, 2021
Assignee: Imperva, Inc.
Inventors: Ron Ben-Natan, Derek Difilippo, Uri Hershenhorn, Roman Krashanitsa, Luigi Labigalini, Ury Segal
-
Publication number: 20210067543
Abstract: A method by a web application layer proxy for dynamically creating counters during runtime based on actual web application layer requests received by the web application layer proxy. The method includes installing a counting rule in the web application layer proxy, where the counting rule specifies a set of parameters based upon which to create counters, receiving a web application layer request generated by a web application client that is intended for a web application server, determining a set of parameter values associated with the web application layer request that corresponds to the set of parameters specified by the counting rule, and creating a counter associated with the set of parameter values associated with the web application layer request in response to a determination that a counter associated with the set of parameter values associated with the web application layer request does not exist.
Type: Application
Filed: August 28, 2019
Publication date: March 4, 2021
Applicant: Imperva, Inc.
Inventor: David LEVY NAHUM
-
Patent number: 10917401
Abstract: A method by a network device for generating audit logs. The method includes obtaining a first set of application programming interface (API) responses from an endpoint of an API, generating a profile for the endpoint of the API based on analyzing the first set of API responses, where the profile of the endpoint indicates an expected structure of API responses and expected data types associated with data fields included in API responses, obtaining a second set of API responses, using the API profile to determine, for each API response in the second set of API responses, data types of data values included in that API response, and generating an audit log that logs information regarding the data types of the data values included in the second set of API responses.
Type: Grant
Filed: March 24, 2020
Date of Patent: February 9, 2021
Assignee: Imperva, Inc.
Inventors: Itsik Mantin, Avidan Reich
-
Patent number: 10915648
Abstract: A method by a network device for providing contextual information for database logs. The method includes detecting that a process executing on the network device has created a database connection to a database server, determining a process ID of the process that created the database connection to the database server, determining contextual information using the process ID of the process, generating a key associated with the database connection based on information that is known to be included in a database log of the database, and providing the key and the contextual information to a correlator component, which is to correlate information included in the database log of the database with the contextual information based on the key to generate an enriched database log that correlates the information included in the database log with the contextual information.
Type: Grant
Filed: April 3, 2020
Date of Patent: February 9, 2021
Assignee: Imperva, Inc.
Inventors: Gabriel Beyo, Assaf Cohen, Eytan Naim
-
Publication number: 20210034718
Abstract: A method by one or more network devices for providing obfuscated code to web application clients. The method includes determining a configuration utilized by a web application client based on a header of a web application layer request generated by the web application client, selecting, for providing to the web application client with a web application layer response corresponding to the web application layer request, an obfuscated code from a plurality of obfuscated codes for the configuration utilized by the web application client, where the plurality of obfuscated codes for the configuration utilized by the web application client provide the same intended functionality but are obfuscated differently from each other, and providing the selected obfuscated code to the web application client with the web application response.
Type: Application
Filed: August 1, 2019
Publication date: February 4, 2021
Applicant: Imperva, Inc.
Inventor: Itsik MANTIN
-
Patent number: 10911472
Abstract: A botnet identification module identifies members of one or more botnets based upon network traffic destined to one or more servers over time, and provides sets of botnet sources to a traffic monitoring module. Each set of botnet sources includes a plurality of source identifiers of end stations acting as part of a corresponding botnet. A traffic monitoring module receives the sets of botnet sources from the botnet identification module, and upon a receipt of traffic identified as malicious that was sent by a source identified within one of the sets of botnet sources, activates a protection mechanism with regard to all traffic from all of the sources identified by the one of the sets of botnet sources for an amount of time.
Type: Grant
Filed: February 24, 2017
Date of Patent: February 2, 2021
Assignee: Imperva, Inc.
Inventors: Nitzan Niv, Amichai Shulman
-
Publication number: 20210012007
Abstract: A method by a security system for selectively triggering different ones of a plurality of database assessment scans for a database and detecting when non-compliant database configurations of the database are being used. The method includes monitoring for occurrences of a first class of database operations, responsive to detecting an occurrence of one or more database operations of the first class, selecting one or more subsets of the plurality of database assessment scans to be rerun, triggering performance of only the selected one or more of the subsets, identifying one or more non-compliant database configurations of the database based on accessing results of the selected one or more of the subsets, determining one or more security rules for detecting occurrences of database operations that make use of the identified one or more non-compliant database configurations, and applying the determined one or more security rules.
Type: Application
Filed: September 30, 2020
Publication date: January 14, 2021
Applicant: Imperva, Inc.
Inventors: Avidan REICH, Amichai SHULMAN, Michael CHERNY
-
Publication number: 20200410128
Abstract: A method by a security system implemented by one or more electronic for detecting attacks on one or more databases. The method includes analyzing database logs of one or more databases to determine transaction characteristics of each of the one or more databases, selecting, for each of a plurality of database accesses to the one or more databases, one or more security rules to apply to that database access, wherein different security rules are selected for different ones of the plurality of database accesses depending on the determined transaction characteristics of the database being accessed, and causing, for each of the plurality of database accesses, the one or more security rules selected for that database access to be applied to that database access.
Type: Application
Filed: September 10, 2020
Publication date: December 31, 2020
Applicant: Imperva, Inc.
Inventors: Shiri MARGEL, Itsik MANTIN, Guy SHTAR, Yury GEILER