Abstract: A logical expression engine and computer-implemented method for optimizing evaluation of a logical expression is provided. The method includes receiving an original logical expression to be applied by a computer program for processing input information, the original logical expression having at least one operator and a subexpression disposed on each side of a related operator of the at least one related operator. The method further includes receiving statistics accumulated about how the computer program applies the subexpressions of the original logical expression for processing the input information received by the computer program, using the accumulated statistics to optimize the order in which the subexpressions would be applied by the computer program, and outputting for application by the computer program an optimized logical expression having the subexpressions ordered in accordance with the optimized order.

Abstract: A method of monitoring a network is provided. The method includes receiving a packet of network traffic, determining a source IP address of the packet, consulting a database of source IP addresses, each source IP address having an associated probability of threat indicator (PTI) that indicates a probability of threat posed by the source IP address. The packet's source IP address' PTI is assigned to the packet as the packet's PTI, and one or more inspection checks are selected to be performed on the packet, wherein the selection of the inspection checks is a function of the packet's source IP address PTI. The method further includes performing the selected inspection checks, assigning treatment of the packet based on a result of the inspection checks performed, and adjusting the packet's source IP address' PTI or the packet's PTI based on the result of the one or more inspection checks performed.

Abstract: A method of detecting patterns for automated filtering of data is provided. The method includes receiving network traffic including bad traffic and good traffic, wherein an attack is known to be applied to the bad traffic, and the good traffic is known to be free of an applied attack. Processing the good and bad traffic includes generating, for each unique packet, each potential unique combination of the packet's fields, storing each combination with associated bad match and good match counters, and incrementing a combination's respective good and bad match counters for each occurrence it matches one of the packets of the respective good and bad traffic. The combinations are sorted based on the good match counter associated with each combination, a number of fields in each combination, and the bad match counter associated with each combination. One or more combination is selected based on results of the sorting for provision to a network traffic filtering component.

Abstract: A method of automated filtering includes receiving a network traffic snapshot having packets with data stored in respective fields, generating a statistical data structure storing each potential unique combination of data stored in respective fields with an associated counter that is incremented for each occurrence that the combination matches one of the packets of the network traffic snapshot and one or more observation timestamps. Determining an observed vector from the statistical data structure, wherein the observed vector has associated attribute/value pairs and counters that satisfy a predetermined criterion. The observed vector's attribute/value pairs are compared to known attribute/value pairs associated with known DDoS attack vectors of an attack vector database.

Abstract: A computer method and system for detecting denial of service network attacks by analyzing intercepted data packets on a network to determine a user account associated with a preselected target host sought to be accessed via a user account login attempt. Determine if the login attempt exceeds a predetermined login value for previous failed login attempts associated with the user account sought to be accessed. Determine a geographic location associated with the login attempt if determined the login attempt exceeded the predetermined login value. Determine if a prior login attempt to the user account sought to be accessed was successful from the determined geographic location. Authenticate the login attempt to the user account sought to be accessed in the event it was determined a prior successful login attempt was made to the user account from the determined geographic location or no prior login attempts originated from the determined geographic location.

Abstract: A computer method and system for detecting and preventing over-mitigation of network attacks (e.g., Denial of Service (DoS) attacks) upon a protected computer network by a network security element. A determination is made as to whether captured data packets transmitting to a protected network are associated with legitimate network traffic (e.g., non-attack traffic). A matching pattern of the captured data packets determined legitimate network traffic is generated and test traffic packets utilizing the matching pattern of the captured data packets are then generated. The generated test traffic packets are then injected into the network security element/filter. A determination is then made as to whether if the injected test traffic packets are treated as a malicious traffic (e.g., a DoS attack), or as legitimate traffic, by the network security filter. If treated as malicious traffic (e.g.

Abstract: A method of detecting patterns for automated filtering of data is provided. The method includes receiving network traffic including bad traffic and good traffic, wherein an attack is known to be applied to the bad traffic, and the good traffic is known to be free of an applied attack. Processing the good and bad traffic includes generating, for each unique packet, each potential unique combination of the packet's fields, storing each combination with associated bad match and good match counters, and incrementing a combination's respective good and bad match counters for each occurrence it matches one of the packets of the respective good and bad traffic. The combinations are sorted based on the good match counter associated with each combination, a number of fields in each combination, and the bad match counter associated with each combination. One or more combination is selected based on results of the sorting for provision to a network traffic filtering component.

Abstract: A system and computer-implemented method of monitoring a network is provided. The method includes receiving a packet of network traffic, wherein the packet has an associated source and destination address pair, where this pair constitutes a connection pair. The method further includes comparing the packet to a plurality of patterns and/or compare a source or destination address of the packet to known malicious addresses, and upon determining that the packet matches a pattern of the plurality of patterns or the source or destination address of the packet matches a known malicious address. The method further includes deploying a honeypot in a container for the pattern matching the packet, if not yet deployed, and forwarding all network traffic for the connection pair to the honeypot.

Abstract: A logical expression engine and computer-implemented method for optimizing evaluation of a logical expression is provided. The method includes receiving an original logical expression to be applied by a computer program for processing input information, the original logical expression having at least one operator and a subexpression disposed on each side of a related operator of the at least one related operator. The method further includes receiving statistics accumulated about how the computer program applies the subexpressions of the original logical expression for processing the input information received by the computer program, using the accumulated statistics to optimize the order in which the subexpressions would be applied by the computer program, and outputting for application by the computer program an optimized logical expression having the subexpressions ordered in accordance with the optimized order.

Abstract: A computer method and system for detecting denial of service network attacks by analyzing intercepted data packets on a network to determine a user account associated with a preselected target host sought to be accessed via a user account login attempt. Determine if the login attempt exceeds a predetermined login value for previous failed login attempts associated with the user account sought to be accessed. Determine a geographic location associated with the login attempt if determined the login attempt exceeded the predetermined login value. Determine if a prior login attempt to the user account sought to be accessed was successful from the determined geographic location. Authenticate the login attempt to the user account sought to be accessed in the event it was determined a prior successful login attempt was made to the user account from the determined geographic location or no prior login attempts originated from the determined geographic location.

Abstract: Detecting a Denial of Service (DoS) attack in a network by a network edge router device whereby network traffic flows from the edge router to a core router in the network. Storing DoS attack traffic information in storage associated with the edge router which receives network traffic. Determining in the edge router if a portion of the received network traffic matches at least a portion of the stored DoS attack information. Determining in the edge router an alert condition exists if a portion of the received network traffic is determined to match at least a portion of the stored DoS attack information. Send an alert signal from the edge router to an attack mitigation device if it is determined an alert condition exists causing the attack mitigation device to transition to a mitigation state for mitigating effects of a DoS attack upon the network.

Abstract: A system and computer-implemented method of managing botnet attacks to a computer network is provided. The system and method includes receiving a DNS request included in network traffic, each DNS request included in the network traffic and including a domain name of a target host and identifying a source address of a source host, wherein the translation of the domain name, if translated, provides an IP address to the source host that requested the translation. The domain name of the DNS request is compared to a botnet domain repository, wherein the botnet domain repository includes one or more entries, each entry having a confirmation indicator that indicates whether the entry corresponds to a confirmed botnet.

Abstract: A system and computer-implemented method to monitor network traffic for a protected network using a block of IP addresses including an IP address for a server. The method includes selecting one or more green addresses, each being a different IP address from the block of IP addresses, associating the green addresses with the IP address of the server, and receiving a packet of the internet traffic from a client directed to an IP address of the block of IP addresses prior to any performance of DPI on the packet. It is determined whether the destination address matches the one or more green addresses or is a yellow address (which belongs to the block of IP addresses, but is not a green address). When determined that the destination address matches the one or more green addresses, the method the packet is sent to the IP address associated with the matching green address, bypassing any DPI.

Abstract: A method, system, and computer-implemented method to manage threats to a network is provided. The method includes receiving volume threat data that indicates a volume of threat data that needs to be managed by a threat management system having a plurality of threat management devices, determining a volume range from a plurality of volume ranges to which the received volume threat data belongs, determining a number of threat management devices of the plurality of threat devices needed to manage threat traffic associated with the volume range determined, and determining whether the number of threat management devices needed is different than a number of threat management devices currently being used to manage threat traffic.

Abstract: A method, system, and computer-implemented method to manage blacklists used for mitigating network traffic is provided. The method includes monitoring a first blacklist and a second blacklist, wherein the first blacklist is used by a first mitigation process applied to network traffic that is performed upstream along a communication path of the network traffic relative to a second mitigation process that is performed using the second blacklist. The method further includes moving at least one entry from one of the first and second blacklists to the other of the first and second blacklist based on a result of the monitoring.

Abstract: A system and computer-implemented method for mitigating a malicious network attack. The method includes receiving an attack alert that a network attack has been detected, saving a sample of captured network traffic in response to the attack alert, playing back the sample while applying a playback countermeasure to the captured network traffic to block sample segments from the sample, analyzing at least one of the blocked sample segments and throughput sample segments that are not blocked, and adjusting the playback countermeasure in response to a result of the analyzing.

Abstract: A system for mitigating network attacks includes a protected network including a plurality of devices. The system further includes attack mitigation devices communicatively coupled to the protected network. The mitigation devices are configured to receive network data packets from external devices attempting to access protected devices in the protected network. The attack mitigation devices are further configured to periodically analyze effectiveness of each of a plurality of packet analysis sections. Each of the plurality of packet analysis sections includes a plurality of packet analysis instructions and is associated with a counter configured to count number of packets dropped by a corresponding analysis section. The attack mitigation devices are further configured to disable one or more of the plurality of packet analysis sections responsive to the performed analysis and to analyze the received network data packets by utilizing only enabled one or more of the plurality of the packet analysis sections.

Abstract: A method, system, and computer-implemented method to manage threats to a network is provided. The method includes receiving volume threat data that indicates a volume of threat data that needs to be managed by a threat management system having a plurality of threat management devices, determining a volume range from a plurality of volume ranges to which the received volume threat data belongs, determining a number of threat management devices of the plurality of threat devices needed to manage threat traffic associated with the volume range determined, and determining whether the number of threat management devices needed is different than a number of threat management devices currently being used to manage threat traffic.

Abstract: A system and computer-implemented method for mitigating a malicious network attack. The method includes receiving an attack alert that a network attack has been detected, saving a sample of captured network traffic in response to the attack alert, playing back the sample while applying a playback countermeasure to the captured network traffic to block sample segments from the sample, analyzing at least one of the blocked sample segments and throughput sample segments that are not blocked, and adjusting the playback countermeasure in response to a result of the analyzing.

Abstract: A method, system, and computer-implemented method to manage blacklists used for mitigating network traffic is provided. The method includes monitoring a first blacklist and a second blacklist, wherein the first blacklist is used by a first mitigation process applied to network traffic that is performed upstream along a communication path of the network traffic relative to a second mitigation process that is performed using the second blacklist. The method further includes moving at least one entry from one of the first and second blacklists to the other of the first and second blacklist based on a result of the monitoring.