Abstract: A method and system for mitigating of randomized denial-of-service (DDoS) attacks directed against a protected entity during an attack time period are provided. The method includes receiving a packet during the attack time period; selecting a cluster defining legitimacy characteristics from at least one cluster of packets that best fits the received packet, wherein legitimacy characteristics of a cluster are learned during a peacetime period; determining a legitimacy score for the received packet based on the legitimacy characteristics of the selected cluster; determining based on the legitimacy score if the received packet is not legitimate; and applying a mitigation action on the received packet upon determination that the packet is not legitimate.

Abstract: A device and method for configuring a web application firewall (WAF) based on characterization of web attacks are provided. The method includes receiving a plurality of hypertext transfer protocol transactions (HTTP) entities; tokenizing the received plurality of HTTP entities based on at least one delimiter; analyzing statistical distribution of each of the at least one delimiter in the tokenized HTTP entities; training a model based on an analysis of the tokenized HTTP entities, when a sufficient number of HTTP entities have been analyzed; and configuring, based on the trained model, the WAF with at least one detection rule to detect at least malicious HTTP transactions.

Abstract: A method for operating at least one log-analytics detection platform for detecting security threats associated with a client network, comprising: obtaining, via a communication network, log files from a client network, each log file comprising a log record associated with a channel and including an outbound communications log; extracting a channel feature set for said channels from said log files, said channel feature set comprises data pertaining to an associated entity, at least one channel feature being behavior of communication over a channel; aggregating said channel associated features for each of the channels into a data repository; generating a risk factor characterized by an entity score for said least one entity associated with entities of said channels; and blocking of communication for said entity when said risk factory is indicative of said entity being a security threat.

Abstract: Arrangement for hardening cloud security policies of a cloud computing platform includes analyzing a plurality of permission usage maps, one for each cloud entity of a plurality of cloud entities included in the computing platform to discover at least one hardening gap, wherein each hardening gap is at least a difference between permissions granted and permissions used by one of the cloud entities, wherein each of the permission usage maps represents the permissions granted to a respective one of the cloud entities and the permissions used by that respective at least one of the cloud entities; for each discovered hardening gap, computing a risk score designating a potential risk reduction achieved by addressing the hardening gap; generating at least one hardening recommendation for the at least one hardening gap and its respective computed risk score; and applying the at least one hardening recommendation, thereby hardening the cloud computing platform.

Abstract: A method and system for hardening cloud security policies of a cloud computing platform are presented.

Abstract: A method for operating at least one log-analytics detection platform for detecting security threats associated with a client network, comprising: obtaining, via a communication network, log files from a client network, each log file comprising a log record associated with a channel and including an outbound communications log; extracting a channel feature set for said channels from said log files, said channel feature set comprises data pertaining to an associated entity, at least one channel feature being behavior of communication over a channel; aggregating said channel associated features for each of the channels into a data repository; generating a risk factor characterized by an entity score for said least one entity associated with entities of said channels; and blocking of communication for said entity when said risk factory is indicative of said entity being a security threat.

Abstract: Log based analysis systems and methods for protecting computers and networks from malicious communications and malware attacks by analyzing log data obtained from client networks having network entities representing business units or customers. The system may further comprise a plurality of client asset machines, each operable to execute a security product associated with a security product vendor and log associated information of the network entities into at least one log file. The log files may be uploaded onto a log-analytics detection platform for analysis using learning algorithms operable to generate a risk factor attribute for at least one entity.

Abstract: A method and system for protecting a cloud computing platform against cyber-attacks are provided. The method includes gathering cloud logs from a cloud computing platform; analyzing, by a plurality of detectors, the cloud logs to detect at least one suspicious behavior, wherein each of the at least one suspicious behavior is identified by a suspect indicator; sequencing suspect indicators into attack sequences; scoring each of the attack sequences with an attack score, wherein each attack is scored using a scoring model; and alerting on each attack sequence having a score higher than a predefined threshold.

Abstract: A method and system for predicting subsequent cyber-attacks in attack campaigns are provided. The method includes receiving events data related to cyber-attacks occurring in a network during a predefined time window; extracting at least one sequence from the received events data at least one attack vector; generating a sequence signature for each of the at least one extracted sequence; comparing each sequence signature to a representation of historic sequence signatures to determine at least partially matching sequence signature; and based on the matching sequence, determining at least one subsequent cyber-attack in a respective sequence.

Abstract: A method and system for modeling and processing vehicular traffic data and information, comprising: (a) transforming a spatial representation of a road network into a network of spatially interdependent and interrelated oriented road sections, for forming an oriented road section network; (b) acquiring a variety of the vehicular traffic data and information associated with the oriented road section network, from a variety of sources; (c) prioritizing, filtering, and controlling, the vehicular traffic data and information acquired from each of the variety of sources; (d) calculating a mean normalized travel time (NTT) value for each oriented road section of said oriented road section network using the prioritized, filtered, and controlled, vehicular traffic data and information associated with each source, for forming a partial current vehicular traffic situation picture associated with each source; (e) fusing the partial current traffic situation picture associated with each source, for generating a single co

Abstract: A method and system for hardening cloud security policies of a cloud computing platform are presented.

Abstract: A method and system for protecting a cloud computing platform against cyber-attacks are provided. The method includes gathering cloud logs from a cloud computing platform; analyzing, by a plurality of detectors, the cloud logs to detect at least one suspicious behavior, wherein each of the at least one suspicious behavior is identified by a suspect indicator; sequencing suspect indicators into attack sequences; scoring each of the attack sequences with an attack score, wherein each attack is scored using a scoring model; and alerting on each attack sequence having a score higher than a predefined threshold.

Abstract: A method for automatically translating a banner information, the method may include receiving by a computer the banner information, wherein the banner information is included in at least one banner and describes an identity of a software product; and translating by the computer the banner information into a unique software product identifier using a content of knowledgebase that comprises an attributes schema and translation rules; wherein each software product is associated with a single unique software product identifier; wherein the unique software product identifier comprises a structured set of attributes; wherein at least one translation rule is a pattern based translation rule; wherein the attributes schema specifies a set of allowable attributes and of allowable values of the attributes.

Abstract: A crowdsourcing log analysis system and methods for protecting computers and networks from malware attacks by analyzing data log information obtained from a plurality of client network. The client networks are associated with a set of network entities representing a plurality of business units or customers. The system may further comprise a plurality of server machines, each operable to execute a security product associated with a security product vendor and log associated information of at the network entities into at least one log file. The log files may be uploaded onto a breach detection platform for analysis based upon crowdsourcing principles and is operable to generate a risk factor attribute for at least one suspect entity.

Abstract: A method and system for predicting subsequent cyber-attacks in attack campaigns are provided. The method includes receiving events data related to cyber-attacks occurring in a network during a predefined time window; extracting at least one sequence from the received events data at least one attack vector; generating a sequence signature for each of the at least one extracted sequence; comparing each sequence signature to a representation of historic sequence signatures to determine at least partially matching sequence signature; and based on the matching sequence, determining at least one subsequent cyber-attack in a respective sequence.

Abstract: A method and system for modeling and processing vehicular traffic data and information, comprising: (a) transforming a spatial representation of a road network into a network of spatially interdependent and interrelated oriented road sections, for forming an oriented road section network; (b) acquiring a variety of the vehicular traffic data and information associated with the oriented road section network, from a variety of sources; (c) prioritizing, filtering, and controlling, the vehicular traffic data and information acquired from each of the variety of sources; (d) calculating a mean normalized travel time (NTT) value for each oriented road section of said oriented road section network using the prioritized, filtered, and controlled, vehicular traffic data and information associated with each source, for forming a partial current vehicular traffic situation picture associated with each source; (e) fusing the partial current traffic situation picture associated with each source, for generating a single co

Abstract: A method and system for modeling and processing vehicular traffic data and information, comprising: (a) transforming a spatial representation of a road network into a network of spatially interdependent and interrelated oriented road sections, for forming an oriented road section network; (b) acquiring a variety of the vehicular traffic data and information associated with the oriented road section network, from a variety of sources; (c) prioritizing, filtering, and controlling, the vehicular traffic data and information acquired from each of the variety of sources; (d) calculating a mean normalized travel time (NTT) value for each oriented road section of said oriented road section network using the prioritized, filtered, and controlled, vehicular traffic data and information associated with each source, for forming a partial current vehicular traffic situation picture associated with each source; (e) fusing the partial current traffic situation picture associated with each source, for generating a single co

Abstract: A method for automatically translating a banner information, the method may include receiving by a computer the banner information, wherein the banner information is included in at least one banner and describes an identity of a software product; and translating by the computer the banner information into a unique software product identifier using a content of knowledgebase that comprises an attributes schema and translation rules; wherein each software product is associated with a single unique software product identifier; wherein the unique software product identifier comprises a structured set of attributes; wherein at least one translation rule is a pattern based translation rule; wherein the attributes schema specifies a set of allowable attributes and of allowable values of the attributes.

Abstract: A method and system for modeling and processing vehicular traffic data and information, comprising: (a) transforming a spatial representation of a road network into a network of spatially interdependent and interrelated oriented road sections, for forming an oriented road section network; (b) acquiring a variety of the vehicular traffic data and information associated with the oriented road section network, from a variety of sources; (c) prioritizing, filtering, and controlling, the vehicular traffic data and information acquired from each of the variety of sources; (d) calculating a mean normalized travel time (NTT) value for each oriented road section of said oriented road section network using the prioritized, filtered, and controlled, vehicular traffic data and information associated with each source, for forming a partial current vehicular traffic situation picture associated with each source; (e) fusing the partial current traffic situation picture associated with each source, for generating a single co

Abstract: A method and system for modeling and processing vehicular traffic data and information, comprising: (a) transforming a spatial representation of a road network into a network of spatially interdependent and interrelated oriented road sections, for forming an oriented road section network; (b) acquiring a variety of the vehicular traffic data and information associated with the oriented road section network, from a variety of sources; (c) prioritizing, filtering, and controlling, the vehicular traffic data and information acquired from each of the variety of sources; (d) calculating a mean normalized travel time (NTT) value for each oriented road section of said oriented road section network using the prioritized, filtered, and controlled, vehicular traffic data and information associated with each source, for forming a partial current vehicular traffic situation picture associated with each source; (e) fusing the partial current traffic situation picture associated with each source, for generating a single co