Patents Assigned to Radware Ltd.
  • Publication number: 20190182291
    Abstract: A system and method for generating insights on distributed denial of service (DDoS) attacks are provided. The method includes receiving a plurality of data feeds from a plurality of data sources; processing the plurality of received data feeds to generate enriched data sets; and analyzing the enriched data sets to generate insights information about a DDoS attack that have been participated in at least one DDoS attack.
    Type: Application
    Filed: December 11, 2018
    Publication date: June 13, 2019
    Applicant: RADWARE, LTD.
    Inventors: Ehud DORON, Yotam BEN EZRA, David AVIV
  • Publication number: 20190182266
    Abstract: A system and method for out-of-path detection of cyber-attacks are provided. The method includes receiving, by a detector, a plurality of data feeds from a plurality of data sources, wherein the detector is communicatively connected to the plurality of data sources; processing, by the detector, the plurality of received data feeds to generate enriched Flow data sets; analyzing the enriched Flow data sets to detect a potential cyber-attack; and upon detection of a potential cyber-attack, providing indication to each network entity of the network entities that is under attack.
    Type: Application
    Filed: December 6, 2018
    Publication date: June 13, 2019
    Applicant: RADWARE, LTD.
    Inventors: Ehud DORON, Yotam BEN EZRA, David AVIV
  • Publication number: 20190182274
    Abstract: A method and system for predicting subsequent cyber-attacks in attack campaigns are provided. The method includes receiving events data related to cyber-attacks occurring in a network during a predefined time window; extracting at least one sequence from the received events data at least one attack vector; generating a sequence signature for each of the at least one extracted sequence; comparing each sequence signature to a representation of historic sequence signatures to determine at least partially matching sequence signature; and based on the matching sequence, determining at least one subsequent cyber-attack in a respective sequence.
    Type: Application
    Filed: December 11, 2018
    Publication date: June 13, 2019
    Applicant: RADWARE, LTD.
    Inventors: Ehud DORON, Amnon LOTEM, Yotam BEN-EZRA, Ami NAVON, Nadav GROSSAUG, Nissim PARIENTE
  • Publication number: 20190116103
    Abstract: A system and method for identifying botnets. The method includes determining a network event proximity based on collected network data, where the network data relates to at least one network device; determining time density of the network data; determining trend patterns of the network data; and determining, based on the network event proximity, time density, and trend patterns, when a botnet activity is present within the network data.
    Type: Application
    Filed: October 15, 2018
    Publication date: April 18, 2019
    Applicant: RADWARE, LTD.
    Inventors: Zeev RAVID, Mor KRISPIL
  • Publication number: 20190052671
    Abstract: A method and system for controlling multi-tiered mitigation of cyber-attacks.
    Type: Application
    Filed: October 18, 2018
    Publication date: February 14, 2019
    Applicant: RADWARE, LTD.
    Inventors: Ehud DORON, David AVIV, Yotam BEN EZRA, Lev MEDVEDOVSKY
  • Patent number: 10200382
    Abstract: A system and method for detecting abnormal traffic behavior. The method comprises: applying a task to an input data set to create an un-normalized cluster of traffic features, wherein the task defines a plurality of traffic features; computing a center point of the cluster of traffic features; computing a distance between the computed center point and a new sample, wherein the new sample includes traffic features defined in the task; and determining, based on the computed distance, whether the received new sample demonstrates abnormal behavior.
    Type: Grant
    Filed: November 5, 2015
    Date of Patent: February 5, 2019
    Assignee: RADWARE, LTD.
    Inventors: Lev Medvedovsky, David Aviv
  • Patent number: 10157236
    Abstract: In a client/server environment, rendering of web-based content is separated into two phases, so as to improve the applicability of HTML response caching. Static portion(s) of a web page are cached and delivered immediately in response to an HTTP request, concurrently with sending a request for a full page and extracting dynamic portion(s) therefrom. Dynamic portion(s) are filled in at the client as they become available. The system and method of the present invention enable optimization of the user experience to occur without requiring any recoding of the original page content.
    Type: Grant
    Filed: May 18, 2012
    Date of Patent: December 18, 2018
    Assignee: Radware, Ltd.
    Inventor: Kent Alstad
  • Publication number: 20180351976
    Abstract: A method and system for detecting domain name system (DNS) recursive cyber-attacks are presented. The system includes learning a plurality of baselines of at least rates and rate invariants of DNS features; monitoring DNS traffic directed to and from a DNS resolver, wherein the DNS resolver is communicatively connected between at least one client and at least one name server; analyzing the monitored DNS traffic using at least one detection function to detect an anomaly based in part on at least one baseline of the plurality of learnt baselines; and upon detection of at least one anomaly, performing at least one mitigation action to filter out incoming DNS queries to a domain name under attack.
    Type: Application
    Filed: June 1, 2017
    Publication date: December 6, 2018
    Applicant: RADWARE, LTD.
    Inventors: Sharon SHITRIT-EFERGAN, Eyal RUNDSTEIN
  • Patent number: 10142161
    Abstract: A method, host machine, and a virtual network for distributing application delivery controller services in a virtual network are presented. The method includes activating a first application delivery controller (ADC) agent on at least a first host machine of a plurality of host machines included in the virtual network, wherein the first host machine is configured to host at least one client; intercepting, by the first ADC agent, a request from the at least one client, wherein the request is for a service provided by one server of a plurality of servers hosted by the plurality of host machines; selecting, by the first ADC agent, a server of the plurality of servers to serve the request; forwarding, by the first ADC agent, the intercepted request to the selected server; and relaying a response to the intercepted request received from the selected server to the at least one client.
    Type: Grant
    Filed: January 19, 2016
    Date of Patent: November 27, 2018
    Assignee: Radware, Ltd.
    Inventors: Shy Marom, Samuel Bercovici, Benny Rochwerger, David Aviv
  • Patent number: 10129297
    Abstract: A method and system for controlling multi-tiered mitigation of cyber-attacks.
    Type: Grant
    Filed: September 18, 2017
    Date of Patent: November 13, 2018
    Assignee: Radware, Ltd.
    Inventors: Ehud Doron, David Aviv, Yotam Ben Ezra, Lev Medvedovsky
  • Patent number: 10110485
    Abstract: A method and system for mitigating of cyber-attacks in a software defined network (SDN) are presented. The method comprises operating a central controller and the SDN in a peace mode; monitoring traffic addressed to at least one destination server to detect at least an attack performed against the at least one destination server; switching an operation of the central controller to an attack mode, upon detection of an attack against the at least one destination server; and instructing, by the central controller, network elements of the SDN to divert all suspicious incoming traffic addressed to the at least one destination server to a security server, thereby mitigating the detected attack.
    Type: Grant
    Filed: June 2, 2015
    Date of Patent: October 23, 2018
    Assignee: Radware, Ltd.
    Inventors: Avi Chesla, Ehud Doron
  • Publication number: 20180288091
    Abstract: A method, system and a platform for protecting against excessive utilization of at least one cloud service for operation of a cloud-hosted application. The method comprising receiving, at a defense platform deployed out-of-path of traffic between a plurality of end user devices and the cloud-hosted application, telemetries from a plurality of sources, wherein each source is configured to collect telemetries related to at least one of the at least one cloud service; detecting, based on the collected telemetries and a learned normal utilization behavior for the cloud-hosted application, excessive utilization of at least one of the at least one cloud service by the cloud-hosted application; and causing mitigation, at the defense platform, of the excessive utilization of each cloud service upon detection of the excessive utilization of the at least one cloud service by the cloud-hosted application.
    Type: Application
    Filed: March 29, 2018
    Publication date: October 4, 2018
    Applicant: RADWARE, LTD.
    Inventors: Ehud DORON, Nir ILANI, David AVIV, Yotam BEN EZRA, Amit BISMUT
  • Publication number: 20180255095
    Abstract: A defense platform for protecting a cloud-hosted application against distributed denial-of-service (DDoS) attacks, wherein the defense platform is deployed out-of-path of incoming traffic of the cloud-hosted application hosted in a plurality of cloud computing platforms, comprising: a detector; a mitigator; and a controller communicatively connected to the detector and the mitigator; wherein the detector is configured to: receive telemetries related to behavior of the cloud-hosted application from sources deployed in the plurality of cloud computing platforms; and detect, based on the telemetries, a potential DDoS attack; wherein, the controller, upon detection of a potential DDoS attack, is configured to: divert traffic directed to the cloud-hosted application to the mitigator; cause the mitigator to perform at least one mitigation action to remove malicious traffic from the diverted traffic; and cause injection of clean traffic to at least one of the plurality of cloud computing platforms hosting the cloud
    Type: Application
    Filed: February 28, 2018
    Publication date: September 6, 2018
    Applicant: RADWARE, LTD.
    Inventors: Ehud DORON, Nir ILANI, David AVIV, Yotam BEN EZRA, Amit BISMUT
  • Publication number: 20180255093
    Abstract: A method and system for protecting cloud-hosted applications against application-layer slow distributed denial-of-service (DDoS) attacks. The method comprises collecting telemetries from a plurality of sources deployed in at least one cloud computing platform hosting a protected cloud-hosted application; providing a set of rate-based and rate-invariant features based on the collected telemetries; evaluating each feature in the set of rate-based and rate-invariant features to determine whether a behavior of each feature and a behavior of the set of rate-based and rate-invariant features indicate a potential application-layer slow DDoS attack; and causing execution of a mitigation action, when an indication of a potential application-layer slow DDoS attack is determined.
    Type: Application
    Filed: July 24, 2017
    Publication date: September 6, 2018
    Applicant: RADWARE, LTD.
    Inventors: Ehud DORON, Nir Ilani, David AVIV, Yotam BEN EZRA, Amit BISMUT, Yuriy ARBITMAN
  • Publication number: 20180255094
    Abstract: A system and method for protecting cloud-hosted applications against hypertext transfer protocol (HTTP) flood distributed denial-of-service (DDoS) attacks are provided. The method includes collecting telemetries from a plurality of sources deployed in at least one cloud computing platform hosting a protected cloud-hosted application; providing at least one rate-based feature and at least one rate-invariant feature based on the collected telemetries, wherein the rate-based feature and the rate-invariant feature demonstrate behavior of at least HTTP traffic directed to the protected cloud-hosted application; evaluating the at least one rate-based feature and the at least one rate-invariant feature to determine whether the behavior of the at least HTTP traffic indicates a potential HTTP flood DDoS attack; and causing execution of a mitigation action when an indication of a potential HTTP flood DDoS attack is determined.
    Type: Application
    Filed: August 24, 2017
    Publication date: September 6, 2018
    Applicant: RADWARE, LTD.
    Inventors: Ehud DORON, Nir Ilani, David AVIV, Yotam BEN EZRA, Amit BISMUT, Yuriy ARBITMAN
  • Patent number: 10033758
    Abstract: A method and system for operating protection services to provide defense against cyber-attacks. The method comprises generating a workflow scheme assigned to at least one protected entity, wherein the workflow scheme includes at least one operation regimen and triggering criteria associated with the at least one operation regimen; monitoring at least a plurality of protection resources to detect at least one trigger event; determining if the at least one detected trigger event satisfies the triggering criteria associated with the at least one operation regimen; and changing a state of the at least one operation regimen when the at least one detected trigger event satisfies the at least one triggering criterion, thereby causing provisioning and operating of at least one protection resource of the plurality of protection resources, wherein the provisioning is based on contents defined in the at least one operation regimen.
    Type: Grant
    Filed: April 10, 2017
    Date of Patent: July 24, 2018
    Assignee: Radware, Ltd.
    Inventors: Ehud Doron, Alon Tamir, Gershon Sokolsky, Asaf Oron, Yotam Ben-Ezra, David Aviv
  • Publication number: 20180124203
    Abstract: A method and system for generating an optimization instruction set based on communication between at least one server and at least one client are provided. The method includes aggregating a plurality of messages communicated from the at least one server to the at least one client; analyzing the plurality of messages to determine a plurality of resources to be consolidated; and generating an optimization instruction set for consolidating the determined plurality of resources, wherein the generated optimization instruction set comprises instructions for replacing the plurality of resources with the consolidated resources.
    Type: Application
    Filed: December 28, 2017
    Publication date: May 3, 2018
    Applicant: RADWARE, LTD.
    Inventor: Kent Douglas ALSTAD
  • Publication number: 20180124090
    Abstract: A method and system for perimeter defense of a network are provided. The method comprises receiving, at a system deployed in a perimeter of the network, traffic to or from the network, wherein the network includes a plurality of protection resources; determining, based on the received traffic, at least one potential cyber-attack; and upon determining the at least one potential cyber-attack, causing a mitigation reconfiguration of at least one protection resource of the plurality of protection resources, wherein the mitigation reconfiguration includes reconfiguring each of the at least one protection resource to mitigate the at least one potential cyber-attack.
    Type: Application
    Filed: October 27, 2016
    Publication date: May 3, 2018
    Applicant: RADWARE, LTD.
    Inventors: Yaron KOREN, Oren BEN YOAV
  • Publication number: 20180069875
    Abstract: A method and system for matching event sequences for predictive detection of cyber-attacks are discussed. The method comprises receiving a reference event sequence and a query event sequence; converting the reference event sequence to a first step-value list and the query event sequence to a second step-value list; and matching the first and second step-value lists to identify at least one optimal common pattern.
    Type: Application
    Filed: August 31, 2017
    Publication date: March 8, 2018
    Applicant: RADWARE, LTD.
    Inventors: Yotam BEN EZRA, Mor KRISPIL
  • Publication number: 20180069876
    Abstract: A method for predictive detection of cyber-attacks is provided. In an embodiment, the method includes receiving security events; matching each received security event to a plurality of previously generated event sequences to result in at least one matched event sequence; comparing each of the at least one matched event sequence to a plurality of previously identified attack patterns to result in at least one matched attack pattern; for each matched attack pattern, computing a risk score potentially indicating a cyber-attack; and causing execution of a mitigation action based on the risk score.
    Type: Application
    Filed: August 31, 2017
    Publication date: March 8, 2018
    Applicant: RADWARE, LTD.
    Inventors: Yotam BEN EZRA, Mor KRISPIL