Abstract: A method and system for load balancing over a cluster of authentication, authorization and accounting (AAA) servers. The method performs a distribution of AAA requests among AAA servers having an active AAA connection with an AAA client. The method includes establishing TCP connections with a plurality of AAA servers, using a TCP connection request received from at least one AAA client; opening AAA connections with a plurality of AAA servers, using an AAA connection request received from at least one AAA client, and distributing AAA requests to AAA servers with an active AAA connection according to a predefined load balancing algorithm. The invention is further capable of multiplexing outbound messages and requests received from a plurality of AAA servers. The AAA protocol supported by the invention includes, but is not limited to, a Diameter protocol, a lightweight directory access protocol (LDAP), and the likes.

Abstract: A method and system for operating protection services to provide defense against cyber-attacks. The comprises generating a workflow scheme assigned to at least one protected entity, wherein the workflow scheme includes at least one operation regimen and triggering criteria associated with the at least one operation regimen; monitoring at least a plurality of protection resources to detect at least one trigger event; determining if the at least one detected trigger event satisfies the triggering criteria associated with the at least one operation regimen; and changing a state of the at least one operation regimen when the at least one detected trigger event satisfies the at least one triggering criterion, thereby causing provisioning and operating of at least one protection resource of the plurality of protection resources, wherein the provisioning is based on contents defined in the at least one operation regimen.

Abstract: A method, host machine, and a virtual network for distributing application delivery controller services in a virtual network are presented. The method includes activating a first application delivery controller (ADC) agent on at least a first host machine of a plurality of host machines included in the virtual network, wherein the first host machine is configured to host at least one client; intercepting, by the first ADC agent, a request from the at least one client, wherein the request is for a service provided by one server of a plurality of servers hosted by the plurality of host machines; selecting, by the first ADC agent, a server of the plurality of servers to serve the request; forwarding, by the first ADC agent, the intercepted request to the selected server; and relaying a response to the intercepted request received from the selected server to the at least one client.

Abstract: A method and system for an assisted live migration of virtual machines are provided. The method monitoring, by an advisory server, at least a workload of physical machines in a datacenter; determining if at least one physical machine is overloaded based on the monitored workload; for each of the at least one physical machine determined to be overloaded, selecting at least one virtual machine resides in the respective physical machine, wherein the selection is based at least on a current load of the virtual machine; and initiating a live migration of the selected virtual machine when the current load is lower than a comfort load level.

Abstract: A method and system for detecting attacks performed using a cryptographic protocol are presented. The method includes upon receiving an indication about a potential attack, establishing an encrypted connection with a client device using the cryptographic protocol; receiving an inbound traffic from the client device, wherein the inbound traffic is originally directed to a protected entity; analyzing the inbound traffic received on the encrypted connection to detect at least one encrypted attack; and causing to establish a new encrypted connection between the client device and the protected entity, when the at least one encrypted attack at the application layer has not been detected.

Abstract: A system and method for detecting abnormal traffic behavior. The method comprises: applying a task to an input data set to create an un-normalized cluster of traffic features, wherein the task defines a plurality of traffic features; computing a center point of the cluster of traffic features; computing a distance between the computed center point and a new sample, wherein the new sample includes traffic features defined in the task; and determining, based on the computed distance, whether the received new sample demonstrates abnormal behavior.

Abstract: A method for providing value added services (VAS) in a software defined network (SDN). The method comprises determining which value added services and their order should be assigned to an incoming traffic; determining for each of the one or more value added services their respective servers providing the value added services and assigning a unique diversion value to each server; instructing at least one peer network element to set a diversion field in each packet in the incoming traffic with a diversion value corresponding to a server providing a first value added service of the one or more value added services; and instructing each edge network element to set the diversion field of each packet output by the server to designate a destination node for the packet, wherein the destination node is any one of the destination server and a server providing a subsequent value added service.

Abstract: A method for spooling diameter transactions is provided. The method comprises receiving from a Diameter client a Diameter request message; determining based in part on a type of the received request message if the received request message should be spooled; determining if a current transaction rate exceeds a predefined spooling threshold, if the received request message should be spooled; and queuing the received request message if the current transaction rate exceeds the spooling threshold.

Abstract: Systems and methods for protecting at least one client from becoming part of at least one botnet by monitoring and analyzing botnet communications to and from criminal servers and identifying at least one botnet attack on at least one client. The system may comprise virtual machines deliberately infected with malicious content and operable to record botnet communications to and from criminal servers. The virtual machines are in communication with a processing unit configured to index data collected. Data related to the prevalence of cyber threats may be presented to users in response to queries.

Abstract: A method for predicative traffic steering over a software defined network (SDN). The method includes programming network elements in the SDN to forward an incoming traffic flow to an application-layer analysis device; receiving application-layer analysis results from the application-layer analysis device, wherein the application-layer analysis results provide association between at least one network-layer parameter, at least one application-layer parameter, and at least one application-layer service associated with the at least one application-layer parameter; and steering subsequent incoming traffic flows to at least one server configured to provide the at least one application-layer service based on the application-layer analysis results.

Abstract: A method and system for generating optimization instructions for accelerating traffic between a client and a server. The method includes receiving intercepted responses, wherein each intercepted response is sent by the server in response to a request for content from the client; analyzing the received responses to determine at least a context of each response; compiling at least one optimization instruction based on the determined contexts of the responses; and saving the compiled at least one optimization instruction in a storage device.

Abstract: A system and method for stateless distribution of bidirectional flows with network address translation (NAT). The method comprises: determining an original source port for a first packet of a front-end received from a client device, wherein the original source port is associated with a processing core; selecting a new source port for a back-end flow, wherein the new source port is selected such that the back-end flow is returned to the processing core of the front-end flow; replacing the original source port with the new source port; and transmitting the incoming flow to a destination server.

Abstract: A central controller and a method for separation of traffic processing in a software defined network (SDN). The method comprises: identifying, based on at least one zoning trigger parameter, a potential cyber-attack; triggering a zoning mode for mitigating the potential cyber-attack; dynamically allocating, based on a load profile, a first group of computing resources of a computing farm to a trusted zone and a second group of computing resources to an un-trusted zone; assigning the computing resources in the first group with a first address and the computing resources in the second group with a second address, wherein only the second address is advertised; and causing at least one network element in the SDN to divert incoming traffic to the first group and to the second group of computing resources based on a plurality of zoning rules implemented by the at least one network element.

Abstract: HTTP responses are accelerated to optimize performance and response time when presenting content in a client/server environment. An optimization technique allows a client to begin requesting additional resources and/or rendering content before the entire response is completed on the server. When a request is received at a proxy device, the proxy device transmits, to the client, links to external resources that will be needed to render the page. This allows the client to begin obtaining external resources before the remaining content is sent to the client, and even before the content has been fully composed by the server, thus improving response time and overall performance.

Abstract: Viewing of web pages is improved by prioritizing image rendering based on positioning of images within a web page. For example, for images that are likely to be initially viewable upon presentation of the web page (i.e., prior to scrolling), compressed proxy versions are made available so that the images can be transferred and rendered more quickly. These compressed proxy images are later replaced with better quality renderings of the same images. Fetching of images that are not initially visible can be deferred until after other, more important page resources are loaded. Prioritization of page loading in this manner helps to ensure that the page becomes operational earlier, resulting in improved perceived speed and responsiveness, and greater ease of navigation.

Abstract: A system and method for managing an application delivery controller (ADC) cluster including a plurality of ADCs are provided. The method includes creating a hash table including a plurality of buckets, wherein a number of the plurality of buckets is a multiple of a maximum number of active ADCs that can be supported by the ADC cluster; allocating, to each active ADC of the ADC cluster, one of the plurality of buckets; and instructing at least one network element to distribute traffic to and from the active ADCs based on the hash table.

Abstract: A method and system for mitigating of cyber-attacks in a software defined network (SDN) are presented. The method comprises operating a central controller and the SDN in a peace mode; monitoring traffic addressed to at least one destination server to detect at least an attack performed against the at least one destination server; switching an operation of the central controller to an attack mode, upon detection of an attack against the at least one destination server; and instructing, by the central controller, network elements of the SDN to divert all suspicious incoming traffic addressed to the at least one destination server to a security server, thereby mitigating the detected attack.

Abstract: A method and system for detecting an access to a protected resource by headless browser bots are provided. The method includes receiving a request from a client machine; generating an anti-headless browser bot (AHBB) challenge, wherein the AHBB challenge comprises at least a headless browser identifying characteristic; receiving a response to the AHBB challenge; comparing the response to the AHBB challenge to at least a challenge requirement to determine any one of: a pass result, and a fail result; and upon determining a pass result, granting the client machine access to the protected resource.

Abstract: A virtualized application delivery controller (ADC) device operable in a communication network comprises a hardware infrastructure including at least a memory, a plurality of core processors, and a network interface; a plurality of instances of virtual ADCs (vADCs), the plurality of vADCs are executed over the hardware infrastructure, each of the plurality of vADCs utilizes a portion of hardware resources of the hardware infrastructure, the portion of hardware resources are determined by at least one ADC capacity unit allocated for each of the plurality of the vADCs; a management module for at least creating the plurality of instances of the vADCs; and a traffic distributor for distributing incoming traffic to one of the plurality of vADCs and scheduling execution of the plurality of vADCs on the plurality of core processors, wherein each of the plurality of vADCs is independently executed on at least one of the plurality of core processors.

Abstract: A system and method for accelerating content deliver over a content delivery network (CDN) are provided. In an embodiment, the method includes determining, based on a received hypertext transfer protocol (HTTP) request, a PUSH list, wherein the PUSH list includes at least one resource that can be immediately provided to a web browser without requesting the at least one resource from an origin server; and issuing, based on the PUSH list, at least one PUSH resource designator to an edge proxy, wherein each PUSH resource designator indicates one of the at least one resource, wherein the edge proxy is commutatively connected in geographic proximity to a client running the web browser, wherein the origin server and the edge proxy communicate over the CDN.