Abstract: Arrangements for controlling access to a protected entity include receiving a redirected request of the client to access the protected entity that was denied by the protected entity; granting, in response to the received redirected request, access tokens of a first type to the client; identifying a conversion transaction identifying a request to convert the first type of access tokens with access tokens of a second type, wherein the transaction designates at least the protected entity; converting, based on a determined conversion value, a first sum of the first type of access tokens into a second sum of the second type of access tokens wherein the conversion value is determined based on at least one access parameter; and granting the client access to the protected entity when the sum of the second type of access tokens is received as a payment from the protected entity.

Abstract: The method and system for performing a completely automated public Turing test to tell computers and humans apart (CAPTCHA). The method comprises receiving by a server a request from a service server to initiate a CAPTCHA of a user node; generating an image of a path; generating at least one target to be placed upon the path; generating an object to be placed at a start point of the path; sending the generated path, the at least one generated target, and the object as a CAPTCHA challenge to the user node for display thereon; receiving, by the server, data respective of motion of the object with respect to the path and the at least one generated target; and issuing, based on analysis of the data received data, a pass indication upon determination that the user node is operative by a human.

Abstract: A method for protecting entities against bots is provided. The method includes identifying a request from a client to access a protected entity; selecting an access policy in response to the access request, wherein the access policy includes at least one challenge to be performed by the client; identifying results of the at least one challenge, wherein the results are provided by the client upon completion of the challenge; determining a bias of the client based on the completion results, wherein the determined bias is utilized for a cyber-security assessment of the client; and granting access to the protected entity by the client based on the determined bias.

Abstract: Arrangement for hardening cloud security policies of a cloud computing platform includes analyzing a plurality of permission usage maps, one for each cloud entity of a plurality of cloud entities included in the computing platform to discover at least one hardening gap, wherein each hardening gap is at least a difference between permissions granted and permissions used by one of the cloud entities, wherein each of the permission usage maps represents the permissions granted to a respective one of the cloud entities and the permissions used by that respective at least one of the cloud entities; for each discovered hardening gap, computing a risk score designating a potential risk reduction achieved by addressing the hardening gap; generating at least one hardening recommendation for the at least one hardening gap and its respective computed risk score; and applying the at least one hardening recommendation, thereby hardening the cloud computing platform.

Abstract: A system and method for detecting cyber-attacks using quantile regression analysis are disclosed. The method includes: identifying at least one hit quantile out of a plurality of quantiles, wherein the at least one identified hit quantile falls within quantile edges of a sample of traffic directed at a protected entity, wherein each of the plurality of quantiles is characterized by a probability distribution of at least one feature of a data stream, each of the plurality of quantiles having a respective probability estimate; updating the probability estimates of the plurality of quantiles when the at least one hit quantile has been identified; and when the probability estimate of the at least one hit quantile is above a threshold, taking an action to mitigate existence of a cyber-attack.

Abstract: A method and system for generating dynamic applicative signatures of by application layer flood attack tools are provided. The method includes determining a plurality of different attributes of requests received during an on-going DDoS attack; clustering at least one attribute of the plurality of different attributes, wherein the clustering is based on values of the plurality of different attributes; determining clusters of attributes representing most frequent structures of the requests received during the on-going DDoS attack; and generating, based on the determined clusters of attributes, signature of an application layer flood attack tool executing the on-going DDoS attack.

Abstract: A method and system for detecting client-side cross-site scripting exploitation attacks according to an embodiment are disclosed. The method includes downloading an access list from a remote server; capturing a request to access an external resource, wherein the request is initiated by a script executed over the web browser, wherein the external web resource is external to the web browser executed on a client device; determining, based on the access list, if the requested external web resource can be accessed; and applying a mitigation action on the request to access the external web resource when it is determined that the external web resource cannot be accessed.

Abstract: A method and system for detecting and mitigation a cyber-attack scanner are provided. The method includes determining if a source network address designated in a received packet is suspicious as of a cyber-attack scanner, wherein the determination is based on a likelihood that the source address was previously frequently encountered; upon determining that the source network address is suspicious, determining diversity of destination network addresses sent by a source having the suspicious network address; and upon determining that the destination network addresses are diversified, generating an alarm indicating that a source network address is a cyber-attack scanner, wherein a cyber-attack scanner is a device to identify destination network addresses in a protected entity that be exploit for at least a cyber-attack scanner.

Abstract: A method and system for characterizing application layer denial-of-service (DDoS) attacks are provided. The method includes generating a dynamic applicative signature by analyzing requests received during an on-going DDoS attack, wherein the dynamic applicative signature characterizes based on frequent applicative attributes appeared from the received; characterizing each incoming request based on the generated dynamic applicative signature, wherein the characterization provides an indication for each incoming request whether an incoming request is generated by an attack tool executing the on-going DDoS attributes; and causing a mitigation action on the incoming request generated by the attack tool based on the generated dynamic applicative signature.

Abstract: A method and system for characterizing application layer flood denial-of-service (DDoS) attacks are provided. The method includes receiving an indication on an on-going DDoS attack directed to a protected entity; generating a dynamic applicative signature by analyzing requests received during the on-going DDoS attack, wherein the dynamic applicative signature characterizes requests generated by an attack tool executing the on-going DDoS attack; and characterizing each incoming request based on the generated dynamic applicative signature, wherein the characterization provides an indication for each incoming request whether a request is generated by the attack tool.

Abstract: A method and system for protecting against quick UDP Internet connection (QUIC) based denial-of-service (DDoS) attacks. The system comprises extracting traffic features from at least traffic directed to a protected entity, wherein the traffic features demonstrate behavior of QUIC user datagram protocol (UDP) traffic directed to the protected entity, wherein the extract traffic features include at least one rate-base feature and at least one rate-invariant feature, and wherein the at least traffic includes QUIC packets; computing at least one baseline for each of the at least one rate-base feature and the at least one rate-invariant feature; and analyzing real-time samples of traffic directed to the protected entity to detect a deviation from each of the at least one computed baseline, wherein the deviation is indicative of a detected QUIC DDoS attack; and causing execution of at least one mitigation action when an indication of the detected QUIC DDoS attack is determined.

Abstract: A method and system for characterizing application layer flood denial-of-service (DDoS) attacks carried by advanced application layer flood attack tools. The method comprises receiving an indication on an on-going DDoS attack directed toward a protected entity; analyzing requests received during the on-going DDoS attack to determine a plurality of different attributes of the received requests; generating a dynamic applicative multi-paraphrase signature by clustering at least one value of the plurality of different attributes, wherein the multi-paraphrase signature characterizes requests with different attributes as generated by an advanced application layer flood attack tool executing the on-going DDoS attack; and characterizing each incoming request based on the multi-paraphrase signature, wherein the characterization provides an indication for each incoming request whether a request is generated by the attack tool.

Abstract: Arrangements for controlling access to a protected entity include receiving a redirected client request to access the protected entity that includes a public key of the client; granting, in response to the received redirected request, access tokens of a first type to a client using the public key of the client; identifying a conversion transaction identifying a request to convert the first type of access tokens with access tokens of a second type, the transaction designating the protected entity; determining a conversion value for converting the first-type access tokens into second-type access tokens based on at least one access parameter; converting, using the conversion value, a first sum of the first-type access tokens into a second sum of second-type access tokens; and granting the client access to the protected entity when the sum of second-type of access tokens is received as a payment from the protected entity.

Abstract: A system and method for detecting anomalous hypertext transfer protocol secure (HTTPS) traffic are provided. The method includes receiving samples of at least rate-based features, wherein the rate-based features demonstrate a normal behavior of at least HTTPS traffic directed to a protected entity; computing a short-term baseline and a long-term baseline based on the received samples, wherein the short-term baseline is adapted to relatively rapid changes in the HTTPS traffic and the long-term baseline is adapted to relatively slow changes in the HTTPS traffic; computing at least one short-term threshold respective of the short-term baseline and at least one long-term threshold respective of the long-term baseline; evaluating each of the at least one threshold against real-time samples of HTTPS traffic to determine whether behavior of the HTTPS traffic is anomalous; and generating alarm when anomaly is detected.

Abstract: A method and system for matching event sequences for predictive detection of cyber-attacks are discussed. The method comprises receiving a reference event sequence and a query event sequence; converting the reference event sequence to a first step-value list and the query event sequence to a second step-value list; and matching the first and second step-value lists to identify at least one optimal common pattern.

Abstract: A system and method for bot detection utilizing storage variables are presented. The storage variables generated is used to analyze user behavior and distinguish human traffic from bot traffic. The system for detecting bot traffic using storage variables includes a client application, a computer network, a bot detector, a bot computer, a storage variable generator, and a server. The client device enables a user to access information through the client application. The storage variable generator is configured to generates a plurality of storage variables including counter storage variable. The bot detector analyses the presence of bots in incoming traffic.

Abstract: A method and system for controlling access to a protected entity. The method includes receiving a redirected client request to access the protected entity that the protected entity denied; granting, in response to the received redirected request, access tokens of a first type to a client; identifying a conversion transaction identifying a request to convert the first type of access tokens with access tokens of a second type, the transaction designating the protected entity; determining a conversion value for converting first-type access tokens into second-type of access tokens, the conversion value being based on at least one access parameter; converting, using the conversion value, a first sum of the first-type access tokens into a second sum of second-type access tokens; and granting the client access to the protected entity when the sum of second-type of access tokens is received as a payment from the protected entity.

Abstract: A method and system for configuring a web application firewall (WAF) device. The system includes continuously receiving events of an event log associated with a first web based application; generating for each event a signature using a local sensitive hash function; populating a Markov model based on signatures generated for the events, wherein each node in the Markov model corresponds to a generated signature; generating a first new signature for a first new received event, and a second new signature for a second new received event, wherein the second event is subsequent to the first event; determining a probability based on the Markov model that the second event is subsequent to the first event, by locating a first node corresponding to the first new signature and a second node corresponding to the second new signature; and authorizing a request associated with the second event, in response to determining that the determined probability exceeds a predefined threshold.

Abstract: A defense platform for protecting a cloud-hosted application against distributed denial-of-services (DDoS) attacks, wherein the defense platform is deployed out-of-path of incoming traffic of the cloud-hosted application hosted in a plurality of cloud computing platforms, comprising: a detector; a mitigator; and a controller communicatively connected to the detector and the mitigator; wherein the detector is configured to: receive telemetries related to behavior of the cloud-hosted application from sources deployed in the plurality of cloud computing platforms; and detect, based on the telemetries, a potential DDoS attack; wherein, the controller, upon detection of a potential DDoS attack, is configured to: divert traffic directed to the cloud-hosted application to the mitigator; cause the mitigator to perform at least one mitigation action to remove malicious traffic from the diverted traffic; and cause injection of clean traffic to at least one of the plurality of cloud computing platforms hosting the cloud

Abstract: A method for stateless distribution of bidirectional flows with network address translation (NAT) comprises: determining an original source port for a first packet of a front-end received from a client device, wherein the original source port is associated with a processing core; selecting a new source port for a back-end flow, wherein the new source port is selected such that the back-end flow is returned to the processing core of the front-end flow; replacing the original source port with the new source port; and transmitting the incoming flow to a destination server.