Abstract: A method by one or more electronic devices for identifying and classifying community attacks. The method includes determining, for each of a plurality of enterprise networks, one or more incidents occurring in that enterprise network based on analyzing security alerts generated by a web application layer attack detector used to protect a web application hosted in that enterprise network, where each incident represents a group of security alerts that have been determined as being associated with the same security event, grouping incidents occurring across the plurality of enterprise networks into groups of incidents, where incidents that are determined as having similar features are grouped into the same group of incidents, and classifying each of one or more of the groups of incidents as being an industry-based attack or a spray-and-pray attack based on industry classifications of incidents within that group of incidents.

Abstract: A method includes identifying, from online clustering data, an internet protocol (IP) pair. The method further includes determining, by a processing device during an offline process, that the IP pair is part of a botnet. The method further includes, in response to the determining, appending data associated with the botnet to the online clustering data.

Abstract: A method by one or more electronic devices for identifying and classifying community attacks. The method includes determining, for each of a plurality of enterprise networks, one or more incidents occurring in that enterprise network based on analyzing security alerts generated by a web application layer attack detector used to protect a web application hosted in that enterprise network, where each incident represents a group of security alerts that have been determined as being associated with the same security event, grouping incidents occurring across the plurality of enterprise networks into groups of incidents, where incidents that are determined as having similar features are grouped into the same group of incidents, and classifying each of one or more of the groups of incidents as being an industry-based attack or a spray-and-pray attack based on industry classifications of incidents within that group of incidents.