Abstract: A system and method for generating insights on distributed denial of service (DDoS) attacks are provided. The method includes receiving a plurality of data feeds from a plurality of data sources; processing the plurality of received data feeds to generate enriched data sets; and analyzing the enriched data sets to generate insights information about a DDoS attack that have been participated in at least one DDoS attack.

Abstract: A method for detecting hypertext transfer protocol secure (HTTPS) flood denial-of-service (DDoS) attacks. The method estimating traffic telemetries of at least ingress traffic directed to a protected entity; providing at least one rate-base feature and at least one rate-invariant feature based on the estimated traffic telemetries, wherein the rate-base feature and the rate-invariant feature demonstrate a normal behavior of HTTPS traffic directed to the protected entity; evaluating the at least one rate-base feature and the at least one rate-invariant feature with respect to at least one baseline to determine whether the behavior of the at least HTTPS traffic indicates a potential HTTPS flood DDoS attack; and causing execution of a mitigation action when an indication of a potential HTTPS flood DDoS attack is determined.

Abstract: A method and system for generating an optimization instruction set based on communication between at least one server and at least one client are provided. The method includes aggregating a plurality of messages communicated from the at least one server to the at least one client; analyzing the plurality of messages to determine a plurality of resources to be consolidated; and generating an optimization instruction set for consolidating the determined plurality of resources, wherein the generated optimization instruction set comprises instructions for replacing the plurality of resources with the consolidated resources.

Abstract: A method and system for multi-layer traffic steering for enabling service chaining over a software defined network (SDN) are provided. The method is performed by a central controller of the SDN and includes receiving at least one service chaining rule defining at least one value-added service (VAS) to assign to an incoming traffic flow addressed to a destination server; analyzing each of the at least one received service chaining rule to determine if an application-layer steering is required; generating at least one application-layer steering rule, upon determining that an application-layer steering is required; generating at least one network-layer steering rule, upon determining that an application-layer steering is not required; and programming a multi-layer steering fabric with the generated at least one of network-layer steering rule and application-layer steering rule.

Abstract: A system and method for controlling authorization to a protected entity are provided. The method includes: receiving an access request for access to the protected entity, wherein the access request is received from a client device; in response to the access request, causing the client device to perform an admission process that includes performing at least one game; monitoring a distributed database to identify at least one admission transaction designating admission criteria; determining if the admission criteria satisfy a set of conditions for accessing the protected entity; identifying, on the distributed database, completion results of the at least one game, wherein whether the admission criteria satisfies the set of conditions for accessing the protected entity is determined based on the results of the at least one game; and granting access to the protected entity by the client device when the admission criteria satisfies the set of conditions.

Abstract: A method and system for configuring a web application firewall (WAF) device. The system includes continuously receiving events of an event log associated with a first web based application; generating for each event a signature using a local sensitive hash function; populating a Markov model based on signatures generated for the events, wherein each node in the Markov model corresponds to a generated signature; generating a first new signature for a first new received event, and a second new signature for a second new received event, wherein the second event is subsequent to the first event; determining a probability based on the Markov model that the second event is subsequent to the first event, by locating a first node corresponding to the first new signature and a second node corresponding to the second new signature; and authorizing a request associated with the second event, in response to determining that the determined probability exceeds a predefined threshold.

Abstract: A method and system for protecting a cloud computing platform against cyber-attacks are provided. The method includes gathering cloud logs from a cloud computing platform; analyzing, by a plurality of detectors, the cloud logs to detect at least one suspicious behavior, wherein each of the at least one suspicious behavior is identified by a suspect indicator; sequencing suspect indicators into attack sequences; scoring each of the attack sequences with an attack score, wherein each attack is scored using a scoring model; and alerting on each attack sequence having a score higher than a predefined threshold.

Abstract: An out-of-path defense platform protecting against excessive utilization of a cloud service providing a cloud hosted application comprising a controller communicatively coupled to a detector and a mitigator; wherein the detector receives telemetries from sources that are configured to collect telemetries related to the traffic between end user devices and an edge network that distributes traffic for the cloud hosted application, the telemetries being out-of-path information for traffic to and from the cloud-hosted application, wherein a portion of the telemetries relate to operation of a portion of a cloud computing platform hosting the cloud-hosted application, and detects, using the collected telemetries and a learned normal utilization behavior of each cloud service for the cloud-hosted application, excessive utilization of a cloud service by the cloud hosted application; and wherein the controller, upon detection of the excessive utilization, causes mitigation, by the mitigator, of the excessive utilizati

Abstract: A system and method for blockchain-based access authorization to a protected entity. The method includes: receiving, by the protected entity, an access request to a protected entity, wherein the access request is received from a client device; extracting a unique client identifier from the received access request; causing the client device to perform an admission process; monitoring a blockchain network to identify at least one admission transaction, wherein the at least one admission transaction designates admission criteria; determining if the admission criteria satisfy a set of conditions for accessing the protected entity; and granting access to the client device when the admission criteria satisfies the set of conditions, wherein the access is access to the protected entity.

Abstract: A method and system for predicting subsequent cyber-attacks in attack campaigns are provided. The method includes receiving events data related to cyber-attacks occurring in a network during a predefined time window; extracting at least one sequence from the received events data at least one attack vector; generating a sequence signature for each of the at least one extracted sequence; comparing each sequence signature to a representation of historic sequence signatures to determine at least partially matching sequence signature; and based on the matching sequence, determining at least one subsequent cyber-attack in a respective sequence.

Abstract: A system, and method therefor for disaggregated detection denial-of-service (DDoS) are provided. The system includes a plurality of detectors deployed on a plurality of network nodes, wherein each network node is connected to an edge network, wherein one detector of the plurality of detectors is deployed in each of the plurality of network nodes, wherein each of the plurality of detectors is configured to detect and characterize at least a DDoS attack by analyzing telemetries received by the respective network node in which the detector is deployed.

Abstract: A method and system for continuously configuring a web application firewall (WAF) are provided. The method includes receiving a request directed at a protected web application, wherein the request is received from a client device associated with a trusted user account, and wherein the protected web application is protected by the WAF; validating the received request based on at least a signature included in a header of the received request; when the received request is validated, generating an authorization rule based on the received request, wherein the authorization rule allows access to a resource of the protected web application designated in the received request, wherein the generated authorization rule is included in at least one whitelist the WAF is configured with; and configuring the WAF with the generated authorization rule to allow the received request and subsequent request to be directed to the resource of the protected web application.

Abstract: A system and method for detecting anomalous hypertext transfer protocol secure (HTTPS) traffic are provided. The method includes receiving samples of at least rate-base features, wherein the rate-base features demonstrate a normal behavior of at least HTTPS traffic directed to a protected entity; computing a short-term baseline and a long-term baseline based on the received samples, wherein the short-term baseline is adapted to relatively rapid changes in the HTTPS traffic and the long-term baseline is adapted to relatively slow changes in the HTTPS traffic; computing at least one short-term threshold respective of the short-term baseline and at least one long-term threshold respective of the long-term baseline; evaluating each of the at least one threshold against real-time samples of HTTPS traffic to determine whether behavior of the HTTPS traffic is anomalous; and generating alarm when anomaly is detected.

Abstract: A system and method for configuring a web application firewall (WAF) is provided. The method includes continuously receiving requests related to a first WAF, each request indicative of network traffic directed to a web application protected by the WAF; enriching each received request by associating each event with information from an enrichment source; periodically analyzing the enriched requests; generating at least one network traffic rule based on periodically generated analysis; and configuring at least a second WAF to perform the network traffic rule.

Abstract: A method and system for blockchain-based access to a protected entity are provided. The method includes granting access tokens of a first-type to a client; identifying, in a blockchain network, a conversion transaction identifying a request to convert the first-type of access tokens with access tokens of a second-type, wherein the transaction designates at least the protected entity; determining a conversion value for converting the first-type of access tokens into the second-type of access tokens, wherein the conversion value is determined based on at least one access parameter; converting, based on the determined conversion value, a first sum of the first-type of access tokens into a second sum of the second-type of access-tokens; and granting the client access to the protected entity when the sum of the second-type of access tokens is received as a payment from the protected entity.

Abstract: A method and system for protecting cloud-hosted applications against application-layer slow DDoS attacks are provided. The system include a processing circuitry; and a memory connected to the processor, the memory contains instructions that when executed by the processing circuitry, configure the system to: collect telemetries from a plurality of sources deployed in a plurality of public cloud computing platforms, wherein each of the plurality of public cloud computing platforms hosts an instance of a protected cloud-hosted application; provide a set of rate-based and rate-invariant features based on the collected telemetries; evaluate each feature in the set of rate-based and rate-invariant features to determine whether a behavior of each feature and a behavior of the set of rate-based and rate-invariant features indicate a potential application-layer slow DDoS attack; and cause execution of a mitigation action, when an indication of a potential application-layer slow DDoS attack is determined.

Abstract: A method and system for controlling access to a protected entity. The method includes receiving a redirected client request to access the protected entity that the protected entity denied; granting, in response to the received redirected request, access tokens of a first type to a client; identifying a conversion transaction identifying a request to convert the first type of access tokens with access tokens of a second type, the transaction designating the protected entity; determining a conversion value for converting first-type access tokens into second-type of access tokens, the conversion value being based on at least one access parameter; converting, using the conversion value, a first sum of the first-type access tokens into a second sum of second-type access tokens; and granting the client access to the protected entity when the sum of second-type of access tokens is received as a payment from the protected entity.

Abstract: A method and system for protecting against quick UDP Internet connection (QUIC) based denial-of-service (DDoS) attacks. The system comprises extracting traffic features from at least traffic directed to a protected entity, wherein the traffic features demonstrate behavior of QUIC user datagram protocol (UDP) traffic directed to the protected entity, wherein the extract traffic features include at least one rate-base feature and at least one rate-invariant feature, and wherein the at least traffic includes QUIC packets; computing at least one baseline for each of the at least one rate-base feature and the at least one rate-invariant feature; and analyzing real-time samples of traffic directed to the protected entity to detect a deviation from each of the at least one computed baseline, wherein the deviation is indicative of a detected QUIC DDoS attack; and causing execution of at least one mitigation action when an indication of the detected QUIC DDoS attack is determined.

Abstract: A method, system and a platform for protecting against excessive utilization of at least one cloud service for operation of a cloud-hosted application. The method comprising receiving, at a defense platform deployed out-of-path of traffic between a plurality of end user devices and the cloud-hosted application, telemetries from a plurality of sources, wherein each source is configured to collect telemetries related to at least one of the at least one cloud service; detecting, based on the collected telemetries and a learned normal utilization behavior for the cloud-hosted application, excessive utilization of at least one of the at least one cloud service by the cloud-hosted application; and causing mitigation, at the defense platform, of the excessive utilization of each cloud service upon detection of the excessive utilization of the at least one cloud service by the cloud-hosted application.

Abstract: A method and system for detecting and mitigation recursive domain name system (DNS) cyber-attacks are disclosed. The method includes receiving DNS queries directed to a DNS resolver, wherein the DNS resolver is communicatively connected between at least one client and at least one name server; parsing each received DNS query to extract a hostname identified therein; updating at least one array of Bloom filters using the extracted hostname; computing a ratio of an unrecognized hostnames per sample (UPS) based on the contents of the at least one array; and determining if the UPS ratio is abnormal, wherein an abnormal UPS ratio is an indication of an attack.