Abstract: A method of characterization of requests using dynamic applicative signatures. The method comprises determining a plurality of different attributes of requests received during an on-going DDOS attack; clustering at least one attribute of the plurality of different attributes, wherein the clustering is based on values of the plurality of different attributes; obtaining at least one dynamic applicative signature characterizing operation of an application layer flood attack tool; matching the cluster of the at least one attribute to each of the at least one obtained dynamic applicative signature; and causing a mitigation action when there is a match to the at least one obtained dynamic applicative signature.

Abstract: The various disclosed embodiments include a method and system for generating application-layer signatures characterizing advanced application-layer attacks are provided. The method includes determining applicative baseline distributions of attributes included in transactions directed to a protected entity during peacetime; determining attack distributions of applicative attributes included in transactions directed to a protected entity during an on-going application-layer attack; determining, based on the applicative baseline distributions and the attack distributions of applicative attributes, a probability of an attacker executing the on-going application-layer attack to generate an attack using at least one attribute; and generating an application-layer signature designating applicative attributes determined to be eligible based on their respective probabilities, wherein the application-layer signature characterizes behavior of the attacker executing the on-going application-layer attack.

Abstract: A system and method for detecting cyber-attacks using quantile regression analysis are disclosed. The method includes: identifying at least one hit quantile out of a plurality of quantiles, wherein the at least one identified hit quantile falls within quantile edges of a sample of traffic directed at a protected entity, wherein each of the plurality of quantiles is characterized by a probability distribution of at least one feature of a data stream, each of the plurality of quantiles having a respective probability estimate; updating the probability estimates of the plurality of quantiles when the at least one hit quantile has been identified; and when the probability estimate of the at least one hit quantile is above a threshold, taking an action to mitigate existence of a cyber-attack.

Abstract: A system and method for identity-based access admission are provided. The method includes generating in a browser of a client device a unique identity key for the browser, wherein the identity key is generated in an internal frame (iFrame) thread, is executed in a main thread of the browser, and wherein the identity key includes a fingerprint characterizing in part the browser and the client device, an internet protocol address of the client device, and a public-encryption key; and registering the identity key with an admission controller, wherein access to a protected entity by the client device is enforced using the identity key.

Abstract: A system and method for learning attack-safe baseline are provided. The method includes receiving application-layer transactions directed to a protected entity; measuring values of a rate-based attribute and a rate-invariant attribute from the received application-layer transactions; determining, based on the measured rate-based attribute, if the received application-layer transactions represent a normal behavior; computing at least one baseline using application-layer transactions determined to represent the normal behavior; and validating the at least one computed baseline using the measured rate-invariant attribute and rate-based attribute.

Abstract: A method and system for detecting application layer flood denial-of-service (DDoS) attacks carried by attackers utilizing advanced application layer flood attack tools are provided.

Abstract: A method and system for protecting cloud-hosted applications against application-layer slow DDoS attacks are provided. The system include a processing circuitry; and a memory connected to the processor, the memory contains instructions that when executed by the processing circuitry, configure the system to: collect telemetries from a plurality of sources deployed in a plurality of public cloud computing platforms, wherein each of the plurality of public cloud computing platforms hosts an instance of a protected cloud-hosted application; provide a set of rate-based and rate-invariant features based on the collected telemetries; evaluate each feature in the set of rate-based and rate-invariant features to determine whether a behavior of each feature and a behavior of the set of rate-based and rate-invariant features indicate a potential application-layer slow DDoS attack; and cause execution of a mitigation action, when an indication of a potential application-layer slow DDoS attack is determined.

Abstract: A system and method for configuring a web application firewall (WAF) is provided. The method includes continuously receiving requests related to a first WAF, each request indicative of network traffic directed to a web application protected by the WAF; enriching each received request by associating each event with information from an enrichment source; periodically analyzing the enriched requests; generating at least one network traffic rule based on periodically generated analysis; and configuring at least a second WAF to perform the network traffic rule.

Abstract: A system and method for detecting HTTPS flood cyber-attacks. A method includes deriving traffic features from incoming traffic directed to a protected entity; determining if the derived traffic features represent at least one traffic anomaly, wherein the traffic anomaly is a deviation from at least one baseline, wherein the baseline is a normal distribution of traffic features of legitimate incoming traffic; upon determining that the derived traffic features represent at least one anomaly, determining if the anomaly characterizes an on-going HTTPS flood cyber-attack; upon determining that there is the on-going HTTPS flood cyber-attack, populating a list of suspect source internet protocol (IP) addresses of devices triggered detection of the anomaly; challenging each device in the list of suspect source IP addresses to determine if a challenged device is an attack tool; and causing execution of a mitigation action on each client device determined to be an attack tool.

Abstract: A system and method for controlling authorization to a protected entity are provided. The method includes: receiving an access request for access to the protected entity, wherein the access request is received from a client device; in response to the access request, causing the client device to perform an admission process that includes performing at least one game; monitoring a distributed database to identify at least one admission transaction designating admission criteria; determining if the admission criteria satisfy a set of conditions for accessing the protected entity; identifying, on the distributed database, completion results of the at least one game, wherein whether the admission criteria satisfies the set of conditions for accessing the protected entity is determined based on the results of the at least one game; and granting access to the protected entity by the client device when the admission criteria satisfies the set of conditions.

Abstract: A method for protecting entities against bots is provided. The method includes identifying a request from a client to access a protected entity; selecting an access policy in response to the access request, wherein the access policy includes at least one challenge to be performed by the client; identifying results of the at least one challenge, wherein the results are provided by the client upon completion of the challenge; determining a bias of the client based on the completion results, wherein the determined bias is utilized for a cyber-security assessment of the client; and granting access to the protected entity by the client based on the determined bias.

Abstract: A method for characterizing application layer denial-of-service (DDoS) attacks comprises generating a plurality of dynamic applicative signatures by analyzing at the application layer application layer requests received during an on-going DDoS attack, a dynamic applicative signature characterizing each received request based on frequent application layer attributes appearing in the received requests, wherein the requests are represented as a set of paraphrases, each paraphrase representing a specific aspect of a request's structure, the frequent application layer attributes being determined based on frequency of paraphrases in the set; characterizing each of the received requests based on one of the dynamic applicative signatures, the characterization providing an indication for each request whether a request is generated by an attack tool executing the on-going DDoS attack; and causing a mitigation action on the received request generated by the attack tool based on the generated dynamic applicative signatur

Abstract: Arrangements for controlling access to a protected entity include receiving a redirected client request to access the protected entity that includes a public key of the client; granting, in response to the received redirected request, access tokens of a first type to a client using the public key of the client; identifying a conversion transaction identifying a request to convert the first type of access tokens with access tokens of a second type, the transaction designating the protected entity; determining a conversion value for converting the first-type access tokens into second-type access tokens based on at least one access parameter; converting, using the conversion value, a first sum of the first-type access tokens into a second sum of second-type access tokens; and granting the client access to the protected entity when the sum of second-type of access tokens is received as a payment from the protected entity.

Abstract: A method and system for mitigating of randomized denial-of-service (DDoS) attacks directed against a protected entity during an attack time period are provided. The method includes receiving a packet during the attack time period; selecting a cluster defining legitimacy characteristics from at least one cluster of packets that best fits the received packet, wherein legitimacy characteristics of a cluster are learned during a peacetime period; determining a legitimacy score for the received packet based on the legitimacy characteristics of the selected cluster; determining based on the legitimacy score if the received packet is not legitimate; and applying a mitigation action on the received packet upon determination that the packet is not legitimate.

Abstract: A method and system for generating dynamic applicative signatures of by application layer flood attack tools are provided. The method includes determining a plurality of different attributes of requests received during an on-going DDoS attack; clustering at least one attribute of the plurality of different attributes, wherein the clustering is based on values of the plurality of different attributes; determining clusters of attributes representing most frequent structures of the requests received during the on-going DDoS attack; and generating, based on the determined clusters of attributes, signature of an application layer flood attack tool executing the on-going DDoS attack.

Abstract: Arrangements for controlling access to a protected entity include receiving a redirected request of the client to access the protected entity that was denied by the protected entity; granting, in response to the received redirected request, access tokens of a first type to the client; identifying a conversion transaction identifying a request to convert the first type of access tokens with access tokens of a second type, wherein the transaction designates at least the protected entity; converting, based on a determined conversion value, a first sum of the first type of access tokens into a second sum of the second type of access tokens wherein the conversion value is determined based on at least one access parameter; and granting the client access to the protected entity when the sum of the second type of access tokens is received as a payment from the protected entity.

Abstract: A method and system for characterizing application layer denial-of-service (DDoS) attacks are provided. The method includes generating a dynamic applicative signature by analyzing requests received during an on-going DDoS attack, wherein the dynamic applicative signature characterizes based on frequent applicative attributes appeared from the received; characterizing each incoming request based on the generated dynamic applicative signature, wherein the characterization provides an indication for each incoming request whether an incoming request is generated by an attack tool executing the on-going DDoS attributes; and causing a mitigation action on the incoming request generated by the attack tool based on the generated dynamic applicative signature.

Abstract: The method and system for performing a completely automated public Turing test to tell computers and humans apart (CAPTCHA). The method comprises receiving by a server a request from a service server to initiate a CAPTCHA of a user node; generating an image of a path; generating at least one target to be placed upon the path; generating an object to be placed at a start point of the path; sending the generated path, the at least one generated target, and the object as a CAPTCHA challenge to the user node for display thereon; receiving, by the server, data respective of motion of the object with respect to the path and the at least one generated target; and issuing, based on analysis of the data received data, a pass indication upon determination that the user node is operative by a human.

Abstract: A device and method for configuring a web application firewall (WAF) based on characterization of web attacks are provided. The method includes receiving a plurality of hypertext transfer protocol transactions (HTTP) entities; tokenizing the received plurality of HTTP entities based on at least one delimiter; analyzing statistical distribution of each of the at least one delimiter in the tokenized HTTP entities; training a model based on an analysis of the tokenized HTTP entities, when a sufficient number of HTTP entities have been analyzed; and configuring, based on the trained model, the WAF with at least one detection rule to detect at least malicious HTTP transactions.

Abstract: A method for operating at least one log-analytics detection platform for detecting security threats associated with a client network, comprising: obtaining, via a communication network, log files from a client network, each log file comprising a log record associated with a channel and including an outbound communications log; extracting a channel feature set for said channels from said log files, said channel feature set comprises data pertaining to an associated entity, at least one channel feature being behavior of communication over a channel; aggregating said channel associated features for each of the channels into a data repository; generating a risk factor characterized by an entity score for said least one entity associated with entities of said channels; and blocking of communication for said entity when said risk factory is indicative of said entity being a security threat.