Abstract: Apparatus for filtering transactions transmitted from a source to a protected entity, comprising: a transaction filter enforcer which receives a layer 7 transaction destined for a protected application prior to the transaction possibly being supplied to the protected entity; and an evaluator receiving the transaction from the enforcer; the enforcer routing the transaction to the protected entity when the transaction does not receive a determination as being malicious from the evaluator; the evaluator including at least a model that determines a score indicative of the maliciousness of the transaction based on input from at least one trained model, the transaction being supplied to each of the at least one trained model, each of which is a model from a set of model types, the model types including an anomaly model and an attack model; the enforcer operating in real-time and the evaluator operating in at least near real-time.

Abstract: A system and method for detecting document object model cross-site scripting (DOM-XSS) vulnerability. The method includes identifying at least one data flow in a client-side code, wherein each of the at least one data flow is between an attacker-controllable source and a security sensitive sink, wherein the client-side code includes a DOM representation of a web page; injecting an indicator string in the attacker-controllable source of the client-side code; executing an injected client-side code, wherein the injected client-side code includes the indicator string; detecting the indicator string in the security sensitive sink of the at least one data flow; and performing mitigation action upon detecting the indicator string.

Abstract: A method and system for detecting domain name system (DNS) recursive cyber-attacks are presented. The system includes learning a plurality of baselines of at least rates and rate invariants of DNS features; monitoring DNS traffic directed to and from a DNS resolver, wherein the DNS resolver is communicatively connected between at least one client and at least one name server; analyzing the monitored DNS traffic using at least one detection function to detect an anomaly based in part on at least one baseline of the plurality of learnt baselines; and upon detection of at least one anomaly, performing at least one mitigation action to filter out incoming DNS queries to a domain name under attack.

Abstract: Arrangements for controlling access to a protected entity include receiving a redirected request of the client to access the protected entity that was denied by the protected entity; granting, in response to the received redirected request, access tokens of a first type to the client; identifying a conversion transaction identifying a request to convert the first type of access tokens with access tokens of a second type, wherein the transaction designates at least the protected entity; converting, based on a determined conversion value, a first sum of the first type of access tokens into a second sum of the second type of access tokens wherein the conversion value is determined based on at least one access parameter; and granting the client access to the protected entity when the sum of the second type of access tokens is received as a payment from the protected entity.

Abstract: Arrangement for hardening cloud security policies of a cloud computing platform includes analyzing a plurality of permission usage maps, one for each cloud entity of a plurality of cloud entities included in the computing platform to discover at least one hardening gap, wherein each hardening gap is at least a difference between permissions granted and permissions used by one of the cloud entities, wherein each of the permission usage maps represents the permissions granted to a respective one of the cloud entities and the permissions used by that respective at least one of the cloud entities; for each discovered hardening gap, computing a risk score designating a potential risk reduction achieved by addressing the hardening gap; generating at least one hardening recommendation for the at least one hardening gap and its respective computed risk score; and applying the at least one hardening recommendation, thereby hardening the cloud computing platform.

Abstract: A method for characterizing application layer denial-of-service (DDoS) attacks comprises generating a plurality of dynamic applicative signatures by analyzing at the application layer application layer requests received during an on-going DDoS attack, a dynamic applicative signature characterizing each received request based on frequent application layer attributes appearing in the received requests, wherein the requests are represented as a set of paraphrases, each paraphrase representing a specific aspect of a request's structure, the frequent application layer attributes being determined based on frequency of paraphrases in the set; characterizing each of the received requests based on one of the dynamic applicative signatures, the characterization providing an indication for each request whether a request is generated by an attack tool executing the on-going DDoS attack; and causing a mitigation action on the received request generated by the attack tool based on the generated dynamic applicative signatur

Abstract: A method and device for finetuning application-layer signatures are provided. The method includes operating a false negative (FN) feedback process to finetune the application-layer signature; and operating a false positive (FP) feedback process on the application-layer signature finetuned by the FN feedback process to generate a finetuned application-layer signature to reduce a false negative rate, wherein the finetune feedback process is performed while reducing estimated egress traffic below a predefined threshold and an imposed FP rate below a pre-defined FP rate threshold.

Abstract: A method and device for generating application-layer signatures characterizing advanced application-layer attacks are provided. The method includes computing, based on applicative peacetime baseline distributions and attack distributions of applicative attributes included in application-layer transactions directed to a protected entity, an attacker probability of an attacker executing an ongoing application-layer attack; comparing the attacker probability computed for each of the applicative attributes to a dynamic attacker probability threshold; and including in an application-layer signature eligible applicative attributes having an attacker probability higher than the dynamic attacker threshold, wherein the application-layer signature includes an inclusive section and an exclusive section, and wherein the application-layer signature is indicative of an ongoing attack based on one of the exclusive section and the inclusive section.

Abstract: A system and method for learning attack-safe baselines are provided. The method includes receiving application-layer transactions directed to a protected entity; measuring values of a rate-based attribute and a rate-invariant attribute from the received application-layer transactions; determining, based on the measured rate-based attribute, if the received application-layer transactions represent a normal behavior; computing at least one baseline using application-layer transactions determined to represent the normal behavior; validating the at least one computed baseline using the measured rate-invariant attribute and rate-based attribute; and building a set of baselines based on the at least one validated baseline, wherein the set of baselines are utilized for characterization of DDoS attacks.

Abstract: A method of characterization of requests using dynamic applicative signatures. The method comprises determining a plurality of different attributes of requests received during an on-going DDOS attack; clustering at least one attribute of the plurality of different attributes, wherein the clustering is based on values of the plurality of different attributes; obtaining at least one dynamic applicative signature characterizing operation of an application layer flood attack tool; matching the cluster of the at least one attribute to each of the at least one obtained dynamic applicative signature; and causing a mitigation action when there is a match to the at least one obtained dynamic applicative signature.

Abstract: The various disclosed embodiments include a method and system for generating application-layer signatures characterizing advanced application-layer attacks are provided. The method includes determining applicative baseline distributions of attributes included in transactions directed to a protected entity during peacetime; determining attack distributions of applicative attributes included in transactions directed to a protected entity during an on-going application-layer attack; determining, based on the applicative baseline distributions and the attack distributions of applicative attributes, a probability of an attacker executing the on-going application-layer attack to generate an attack using at least one attribute; and generating an application-layer signature designating applicative attributes determined to be eligible based on their respective probabilities, wherein the application-layer signature characterizes behavior of the attacker executing the on-going application-layer attack.

Abstract: A system and method for detecting cyber-attacks using quantile regression analysis are disclosed. The method includes: identifying at least one hit quantile out of a plurality of quantiles, wherein the at least one identified hit quantile falls within quantile edges of a sample of traffic directed at a protected entity, wherein each of the plurality of quantiles is characterized by a probability distribution of at least one feature of a data stream, each of the plurality of quantiles having a respective probability estimate; updating the probability estimates of the plurality of quantiles when the at least one hit quantile has been identified; and when the probability estimate of the at least one hit quantile is above a threshold, taking an action to mitigate existence of a cyber-attack.

Abstract: A system and method for learning attack-safe baseline are provided. The method includes receiving application-layer transactions directed to a protected entity; measuring values of a rate-based attribute and a rate-invariant attribute from the received application-layer transactions; determining, based on the measured rate-based attribute, if the received application-layer transactions represent a normal behavior; computing at least one baseline using application-layer transactions determined to represent the normal behavior; and validating the at least one computed baseline using the measured rate-invariant attribute and rate-based attribute.

Abstract: A method and system for detecting application layer flood denial-of-service (DDoS) attacks carried by attackers utilizing advanced application layer flood attack tools are provided.

Abstract: A system and method for detecting HTTPS flood cyber-attacks. A method includes deriving traffic features from incoming traffic directed to a protected entity; determining if the derived traffic features represent at least one traffic anomaly, wherein the traffic anomaly is a deviation from at least one baseline, wherein the baseline is a normal distribution of traffic features of legitimate incoming traffic; upon determining that the derived traffic features represent at least one anomaly, determining if the anomaly characterizes an on-going HTTPS flood cyber-attack; upon determining that there is the on-going HTTPS flood cyber-attack, populating a list of suspect source internet protocol (IP) addresses of devices triggered detection of the anomaly; challenging each device in the list of suspect source IP addresses to determine if a challenged device is an attack tool; and causing execution of a mitigation action on each client device determined to be an attack tool.

Abstract: A method for characterizing application layer denial-of-service (DDoS) attacks comprises generating a plurality of dynamic applicative signatures by analyzing at the application layer application layer requests received during an on-going DDoS attack, a dynamic applicative signature characterizing each received request based on frequent application layer attributes appearing in the received requests, wherein the requests are represented as a set of paraphrases, each paraphrase representing a specific aspect of a request's structure, the frequent application layer attributes being determined based on frequency of paraphrases in the set; characterizing each of the received requests based on one of the dynamic applicative signatures, the characterization providing an indication for each request whether a request is generated by an attack tool executing the on-going DDoS attack; and causing a mitigation action on the received request generated by the attack tool based on the generated dynamic applicative signatur

Abstract: A method and system for mitigating of randomized denial-of-service (DDoS) attacks directed against a protected entity during an attack time period are provided. The method includes receiving a packet during the attack time period; selecting a cluster defining legitimacy characteristics from at least one cluster of packets that best fits the received packet, wherein legitimacy characteristics of a cluster are learned during a peacetime period; determining a legitimacy score for the received packet based on the legitimacy characteristics of the selected cluster; determining based on the legitimacy score if the received packet is not legitimate; and applying a mitigation action on the received packet upon determination that the packet is not legitimate.

Abstract: Arrangements for controlling access to a protected entity include receiving a redirected request of the client to access the protected entity that was denied by the protected entity; granting, in response to the received redirected request, access tokens of a first type to the client; identifying a conversion transaction identifying a request to convert the first type of access tokens with access tokens of a second type, wherein the transaction designates at least the protected entity; converting, based on a determined conversion value, a first sum of the first type of access tokens into a second sum of the second type of access tokens wherein the conversion value is determined based on at least one access parameter; and granting the client access to the protected entity when the sum of the second type of access tokens is received as a payment from the protected entity.

Abstract: The method and system for performing a completely automated public Turing test to tell computers and humans apart (CAPTCHA). The method comprises receiving by a server a request from a service server to initiate a CAPTCHA of a user node; generating an image of a path; generating at least one target to be placed upon the path; generating an object to be placed at a start point of the path; sending the generated path, the at least one generated target, and the object as a CAPTCHA challenge to the user node for display thereon; receiving, by the server, data respective of motion of the object with respect to the path and the at least one generated target; and issuing, based on analysis of the data received data, a pass indication upon determination that the user node is operative by a human.

Abstract: A method for protecting entities against bots is provided. The method includes identifying a request from a client to access a protected entity; selecting an access policy in response to the access request, wherein the access policy includes at least one challenge to be performed by the client; identifying results of the at least one challenge, wherein the results are provided by the client upon completion of the challenge; determining a bias of the client based on the completion results, wherein the determined bias is utilized for a cyber-security assessment of the client; and granting access to the protected entity by the client based on the determined bias.