Abstract: Method for orchestrating wireless sensors, including registering each of a plurality of monitoring sensors that are attached to a respective plurality of wireless hosting equipment, with an orchestrator, generating, for each sensor, a monitoring plan including a description of wireless channels/protocols for the sensor to monitor, and amounts of time that the sensor should spend monitoring each channel/protocol prior to advancing to a next channel/protocol, wherein the monitoring plan for a sensor includes directives that instruct the sensor what to do when a monitoring period for a channel/protocol is interrupted before its intended monitoring time is finished, attempting, by the sensors, to monitor the channels/protocols specified in the sensor's monitoring plan in accordance with the time specified in the sensor's monitoring plan, and generating, by each sensor, an execution report including time spent at each channel/protocol, amount of data collected from each channel/protocol, and data captured from eac

Abstract: A method by one or more network devices communicatively coupled to a web application layer proxy for profiling parameters of web application layer requests received by the web application layer proxy while preserving privacy. The method includes obtaining masked parameter values associated with a parameter in the web application layer requests, where the masked parameter values associated with the parameter are generated by the web application layer proxy based on masking parameter values associated with the parameter while preserving lengths of the parameter values associated with the parameter and character types of characters in the parameter values associated with the parameter, generating the profile of the parameter based on analyzing the masked parameter values associated with the parameter, and providing the profile of the parameter to the web application layer proxy.

Abstract: A method by one or more electronic devices to notify an administrator when it is safe to mitigate a non-compliant database configuration of a database. The method includes responsive to identifying the non-compliant database configuration of the database, applying a security rule that detects occurrences of database operations that make use of the non-compliant database configuration and responsive to a determination that the security rule has not been invoked for at least a threshold length of time, causing a notification to be sent to the administrator that indicates that it is safe for the administrator to mitigate the non-compliant database configuration.

Abstract: A method by a computing device implementing an attack analyzer for processing malicious events. The method includes determining a first set of features describing a malicious event detected by a firewall, determining a set of distances using a non-Euclidean distance function and the first set of features, wherein the non-Euclidean distance function is used to determine geographic origin similarity between different Internet Protocol addresses included in the first and second set of features, generating a statistical distribution object using the set of distances, wherein the statistical distribution object includes information describing a cluster that includes at least the malicious event and one or more other malicious events that are determined to be similar to the malicious event in terms of geographic origin, and transmitting information describing the cluster to a management console for presentation to an administrator on a graphical user interface.

Abstract: A method in a cloud network to detect compromises within an enterprise network based on tokens tunneled outside of the enterprise network to the cloud network. The method includes receiving, at a tunnel gateway server within the cloud network, a first set of packets via a tunnel across a public network from a first server within the enterprise network, where the first set of packets were generated responsive to the first server receiving a second set of packets that originated from within the enterprise network and that included data and a source enterprise network address, where the first set of packets does not include the source enterprise network address and the data includes a token. The method further includes transmitting, by the tunnel gateway server, the data within a third set of packets to a second server that acts as if it were an enterprise server within the enterprise network.

Abstract: A wireless security method performed by a network monitoring system for a wireless station, the method maintaining continuous wireless service, the method including identifying a desired network, to which the wireless station is currently connected vis a legitimate access point, as having become an undesirable network, based on a network security policy, and based on network variables, activate the legitimate access point to create a desired network, comprising changing network variables of the undesired network, and maintaining the wireless station connection to the network, based on the security policy.

Abstract: Method for orchestrating wireless sensors, including registering each of a plurality of monitoring sensors that are attached to a respective plurality of wireless hosting equipment, with an orchestrator, generating, for each sensor, a monitoring plan including a description of wireless channels/protocols for the sensor to monitor, and amounts of time that the sensor should spend monitoring each channel/protocol prior to advancing to a next channel/protocol, wherein the monitoring plan for a sensor includes directives that instruct the sensor what to do when a monitoring period for a channel/protocol is interrupted before its intended monitoring time is finished, attempting, by the sensors, to monitor the channels/protocols specified in the sensor's monitoring plan in accordance with the time specified in the sensor's monitoring plan, and generating, by each sensor, an execution report including time spent at each channel/protocol, amount of data collected from each channel/protocol, and data captured from eac

Abstract: A method for protecting information from databases includes a web application firewall and a database activity monitor. According to one aspect, a web gateway receives a request from a client device and provides the request to an application server to query a database. The web gateway receives sensitive data information describing requested data output by the database. The sensitive data information may include, for example, hints for detecting a type or structure of sensitive data output by the database. Additionally, the web gateway receives response data from the application server. The web gateway identifies sensitive data within the response data based on the sensitive data information. The web gateway protects the sensitive data to be provided to the client device using one or more data protection operations, which may include alerts, blocking policies, masking, or anomaly detection using machine learning algorithms.

Abstract: Orchestrating wireless monitoring sensors, including registering each sensor with an orchestrator, generating, by the orchestrator for each sensor, a monitoring plan including a description of wireless channels and protocols for the sensor to monitor, and amounts of time that the sensor should spend monitoring each channel/protocol, attempting, by each of the sensors, to monitor the channels/protocols specified in the sensor's monitoring plan in accordance with the amounts of time specified in the monitoring plan, generating, by each sensor, an execution report including, for each channel/protocol monitored by the sensor, the actual time spent at the channel/protocol, the actual amount of data collected from the channel/protocol, and data captured from the channel/protocol, generating, by the orchestrator, a current coverage map indicating coverage of each channel over space and time, and further generating, by the orchestrator, one or more respective updated monitoring plans, based on the current coverage ma

Abstract: A method by a computing device implementing an attack analyzer for processing malicious events. The method includes determining a first set of features describing a malicious event detected by a firewall, determining a set of distances using a non-Euclidean distance function and the first set of features, wherein the non-Euclidean distance function is used to determine geographic origin similarity between different Internet Protocol addresses included in the first and second set of features, generating a statistical distribution object using the set of distances, wherein the statistical distribution object includes information describing a cluster that includes at least the malicious event and one or more other malicious events that are determined to be similar to the malicious event in terms of geographic origin, and transmitting information describing the cluster to a management console for presentation to an administrator on a graphical user interface.

Abstract: A method of processing malicious events in a network infrastructure determines features of malicious events detected by a firewall of an attack analyzer. Example features may indicate an origin of an attack, a target of the attack, or a type of a malicious event. The attack analyzer determines distances, e.g., using a non-Euclidean distance function, between features of a given malicious event and features of statistical distribution objects (SDOs). The SDOs describe clusters of previously detected malicious events. The attack analyzer may select one of the SDOs that has features similar to those of the given malicious event. The attack analyzer can update the SDOs by including an alert of the given malicious event with an existing cluster or generating a new cluster including the alert. The attack analyzer may transmit information describing the clusters of the SDOs to a management console.

Abstract: A method by one or more electronic devices to notify an administrator when it is safe to mitigate a non-compliant database configuration of a database. The method includes responsive to identifying the non-compliant database configuration of the database, applying a security rule that detects occurrences of database operations that make use of the non-compliant database configuration and responsive to a determination that the security rule has not been invoked for at least a threshold length of time, causing a notification to be sent to the administrator that indicates that it is safe for the administrator to mitigate the non-compliant database configuration.

Abstract: According to one embodiment, a web application layer attack detector (AD) is coupled between an HTTP client and a web application server. Responsive to receipt of a set of packets from the HTTP client carrying a web application layer message that violates a condition of a security rule, the AD transmits an alert package to an automatic attribute value generation and rule feedback module (AVGRFM). The AVGRFM uses the alert package, and optionally other alert packages from the same AD or other ADs, to automatically generate a new set of attribute values for each of a set of attribute identifiers for use, by the AD or other ADs, in a different security rule than the violated security rule. The new set of attribute values may be used in an attack specific rule to detect a previously unknown web application layer attack.

Abstract: A method by one or more network devices communicatively coupled to a web application layer proxy for profiling parameters of web application layer requests received by the web application layer proxy while preserving privacy. The method includes obtaining masked parameter values associated with a parameter in the web application layer requests, where the masked parameter values associated with the parameter are generated by the web application layer proxy based on masking parameter values associated with the parameter while preserving lengths of the parameter values associated with the parameter and character types of characters in the parameter values associated with the parameter, generating the profile of the parameter based on analyzing the masked parameter values associated with the parameter, and providing the profile of the parameter to the web application layer proxy.

Abstract: An analyzer module (AM) within a same protected network and on-premise with a server detects and distinguishes between types of Denial-of-Service (DoS) attacks. The AM tracks whether test messages, which include test request messages that a signal generation module (SGM) is configured to transmit to the server according to a predefined time schedule to allow the AM to detect and distinguish between types of DoS attacks, are timely received. The AM is aware of the predefined time schedule according to which the SGM is configured to transmit the test request messages to the server. The AM detects an occurrence of a DoS attack and identifies the type of the DoS attack based upon the result of the tracking indicating that a number of the test messages have not been timely received.

Abstract: A method by a security system for selectively triggering different ones of a plurality of database assessment scans for a database and detecting when non-compliant database configurations of the database are being used. The method includes monitoring for occurrences of a first class of database operations, responsive to detecting an occurrence of one or more database operations of the first class, selecting one or more subsets of the plurality of database assessment scans to be rerun, triggering performance of only the selected one or more of the subsets, identifying one or more non-compliant database configurations of the database based on accessing results of the selected one or more of the subsets, determining one or more security rules for detecting occurrences of database operations that make use of the identified one or more non-compliant database configurations, and applying the determined one or more security rules.

Abstract: A botnet identification module identifies members of one or more botnets based upon network traffic destined to one or more servers over time, and provides sets of botnet sources to a traffic monitoring module. Each set of botnet sources includes a plurality of source identifiers of end stations acting as part of a corresponding botnet. A traffic monitoring module receives the sets of botnet sources from the botnet identification module, and upon a receipt of traffic identified as malicious that was sent by a source identified within one of the sets of botnet sources, activates a protection mechanism with regard to all traffic from all of the sources identified by the one of the sets of botnet sources for an amount of time.

Abstract: A botnet identification module identifies members of one or more botnets based upon network traffic destined to one or more servers over time, and provides sets of botnet sources to a traffic monitoring module. Each set of botnet sources includes a plurality of source identifiers of end stations acting as part of a corresponding botnet. A traffic monitoring module receives the sets of botnet sources from the botnet identification module, and upon a receipt of traffic identified as malicious that was sent by a source identified within one of the sets of botnet sources, activates a protection mechanism with regard to all traffic from all of the sources identified by the one of the sets of botnet sources for an amount of time.

Abstract: A method by a security system for selectively triggering different ones of a plurality of database assessment scans for a database and detecting when non-compliant database configurations of the database are being used. The method includes monitoring for occurrences of a first class of database operations, responsive to detecting an occurrence of one or more database operations of the first class, selecting one or more subsets of the plurality of database assessment scans to be rerun, triggering performance of only the selected one or more of the subsets, identifying one or more non-compliant database configurations of the database based on accessing results of the selected one or more of the subsets, determining one or more security rules for detecting occurrences of database operations that make use of the identified one or more non-compliant database configurations, and applying the determined one or more security rules.

Abstract: A method by a security system for detecting malicious attempts to access a decoy database object in a database. The database includes database objects accessible by clients of the database called database clients. The method includes detecting access to a decoy database object of the database is being attempted by a database client over a connection to the database, where the decoy database object is a database object that is created for the purpose of deceiving an attacker as opposed to being a legitimate database object, determining that the connection is of an application connection type, where the application connection type is a type of connection over which queries generated by a database client are submitted, and responsive to the determination that the connection is of the application connection type, causing an alert to be generated.