Abstract: Provided are methods and systems for cluster-based mitigation of a network attack. A method for cluster-based mitigation of a network attack may commence with detecting an unusual pattern in network data traffic associated with data sources. The method may further include extracting signature parameters associated with the network data traffic. The signature parameters may be indicative of the network attack. The method may continue with assigning importance weights to the signature parameters based on historical signature data to generate weighted signature parameters. The method may further include building a decision tree for the data sources based on the weighted signature parameters. The method may continue with creating an optimal number of clusters for the data sources based on an analysis of the decision tree. The method may further include selectively taking at least one mitigating action with regard to the data sources within the clusters.

Abstract: Integrated techniques for computer bot detection and human user based access include determining if a client device has been identified as a computer bot based upon client information extracted from a service request and a service policy. The service policy is also utilized to determine if the client device is operating under control of a human user or operating autonomously based upon matching a captcha response to an expected captcha response.

Abstract: Provided are methods and systems for a Transmission Control Protocol (TCP) state handoff of a data traffic flow. A method for a TCP state handoff of a data traffic flow comprises determining a TCP state at predetermined times by a state machine unit. The TCP state includes data concerning a session between a client and a server. The TCP state for the predetermined times is stored to a database. A request to apply a predetermined policy to the session is received by a transaction processing unit and, in response to the request, a session request associated with the session between the client and the server is sent to an access control unit. The session request is processed by the access control unit based on the TCP state and according to the predetermined policy.

Abstract: Integrated techniques for computer bot detection and human user based access include determining if a client device has been identified as a computer bot based upon client information extracted from a service request and a service policy. The service policy is also utilized to determine if the client device is operating under control of a human user or operating autonomously based upon matching a captcha response to an expected captcha response.

Abstract: Provided are methods and systems for cluster-based mitigation of a network attack. A method for cluster-based mitigation of a network attack may commence with detecting an unusual pattern in network data traffic associated with data sources. The method may further include extracting signature parameters associated with the network data traffic. The signature parameters may be indicative of the network attack. The method may continue with assigning importance weights to the signature parameters based on historical signature data to generate weighted signature parameters. The method may further include building a decision tree for the data sources based on the weighted signature parameters. The method may continue with creating an optimal number of clusters for the data sources based on an analysis of the decision tree. The method may further include selectively taking at least one mitigating action with regard to the data sources within the clusters.

Abstract: Provided are methods and systems for cluster-based determination of signatures for detection of anomalous data traffic. An example method may include capturing, by a network module, data packets routed to a destination. The method may further include grouping, by at least one processor in communication with the network module, the data packets into clusters. The method may also include detecting, by the processor, an anomaly in the data packets and, in response to the detection, determining, by the processor and based on the clusters, one or more signatures associated with the data packets. The method may further include generating, by the processor and based on the signatures, one or more rules for allowing the data packets. The method may further include providing, by the processor, the one or more rules to a policy enforcement point associated with the destination.

Abstract: A security platform running on a server includes (a) protocol stacks each configured to receive and to transmit IP data packets over a network interface, wherein the protocol stacks have predetermined performance characteristics that are different from each other and wherein each protocol stack includes one or more program interfaces to allow changes to its performance characteristics; (b) application programs each configured to receive and transmit payloads of the IP data packets, wherein at least two of the application programs are customized to handle different content types in the payloads and wherein each application program accesses the program interface of at least one protocol stack to tune performance characteristics of the protocol stack; (c) classifiers configured to inspect at a given time IP data packets then received in the network interface to select one of the protocol stack and one of the application programs to service the data packets; and (d) a control program to load and run the selected

Abstract: Provided are methods and systems for mitigating a distributed denial of service (DDoS) event. The method may commence with sending a request to a health monitor concerning a state of a network. The method may continue with attributing a lack of response to the request from the health monitor to be an indication of a collapse of a collapsible virtual data circuit associated with network data traffic. The collapsible virtual data circuit may be designed to collapse in response to the DDoS event in the network. The method may include redirecting the network data traffic associated with the collapsible virtual data circuit based on the indication of the collapse of the collapsible virtual data circuit.

Abstract: Provided are methods and systems for a Transmission Control Protocol (TCP) state handoff of a data traffic flow. A method for a TCP state handoff of a data traffic flow comprises determining a TCP state at predetermined times by a state machine unit. The TCP state includes data concerning a session between a client and a server. The TCP state for the predetermined times is stored to a database. A request to apply a predetermined policy to the session is received by a transaction processing unit and, in response to the request, a session request associated with the session between the client and the server is sent to an access control unit. The session request is processed by the access control unit based on the TCP state and according to the predetermined policy.

Abstract: Provided are methods and systems for a Transmission Control Protocol (TCP) state handoff of a data traffic flow. A method for a TCP state handoff of a data traffic flow comprises determining a TCP state at predetermined times by a state machine unit. The TCP state includes data concerning a session between a client and a server. The TCP state for the predetermined times is stored to a database. A request to apply a predetermined policy to the session is received by a transaction processing unit and, based on the request, a session request associated with the session between the client and the server is sent to an access control unit. The session request is processed by the access control unit based on the TCP state and according to the predetermined policy.

Abstract: Provided are methods and systems for cluster-based determination of signatures for detection of anomalous data traffic. An example method may include capturing, by a network module, data packets routed to a destination. The method may further include grouping, by at least one processor in communication with the network module, the data packets into clusters. The method may also include detecting, by the processor, an anomaly in the data packets and, in response to the detection, determining, by the processor and based on the clusters, one or more signatures associated with the data packets. The method may further include generating, by the processor and based on the signatures, one or more rules for allowing the data packets. The method may further include providing, by the processor, the one or more rules to a policy enforcement point associated with the destination.

Abstract: Client profile and service policy based captcha techniques. In one embodiment, a method comprises receiving a service request from a client device. A captcha is selected based upon the client information and a client policy in response to the service request. Captcha instructions and expected captcha response are generated for the selected captcha. The captcha instructions are sent to the client device for processing thereby. In response to the captcha instruction, a captcha response from the client device may be received. The captcha response is compared to the expected response to determine based on the service policy if the client device is operating under control of a user or operating autonomously.

Abstract: A security platform running on a server includes (a) protocol stacks each configured to receive and to transmit IP data packets over a network interface, wherein the protocol stacks have predetermined performance characteristics that are different from each other and wherein each protocol stack includes one or more program interfaces to allow changes to its performance characteristics; (b) application programs each configured to receive and transmit payloads of the IP data packets, wherein at least two of the application programs are customized to handle different content types in the payloads and wherein each application program accesses the program interface of at least one protocol stack to tune performance characteristics of the protocol stack; (c) classifiers configured to inspect at a given time IP data packets then received in the network interface to select one of the protocol stack and one of the application programs to service the data packets; and (d) a control program to load and run the selected

Abstract: User authentication techniques based on geographical locations associated with a client device are provided. An example method for authentication of the client device includes receiving an authentication request from the client device. The method may include establishing current geographical location of the client device. The method may further include establishing a trusted tolerance geographical area associated with the client device. After establishing the trusted tolerance geographical area, the method may proceed with determining whether the current geographical location of the client device is within the trusted tolerance geographical area. The method may further include authenticating the client device based on the determination that the current geographical location of the client device is within the trusted tolerance geographical area.

Abstract: Provided are methods and systems for mitigating a distributed denial of service (DDoS) event. The method may commence with sending a request to a health monitor concerning a state of a network. The method may continue with attributing a lack of response to the request from the health monitor to be an indication of a collapse of a collapsible virtual data circuit associated with network data traffic. The collapsible virtual data circuit may be designed to collapse in response to the DDoS event in the network. The method may include redirecting the network data traffic associated with the collapsible virtual data circuit based on the indication of the collapse of the collapsible virtual data circuit.

Abstract: User authentication techniques based on geographical locations associated with a client device are provided. An example method for authentication of the client device includes receiving an authentication request from the client device. The method may include establishing current geographical location of the client device. The method may further include establishing a trusted tolerance geographical area associated with the client device. After establishing the trusted tolerance geographical area, the method may proceed with determining whether the current geographical location of the client device is within the trusted tolerance geographical area. The method may further include authenticating the client device based on the determination that the current geographical location of the client device is within the trusted tolerance geographical area.

Abstract: Captcha risk or score technique systems and methods are presented. A method can begin with extracting client information from the service request. The extracted client information may be used to determine if the client device has been identified as a computer bot. A captcha is also selected in response to the service request. Captcha instructions and expected captcha response are generated for the selected captcha. The captcha instructions are sent to the client device for processing and a captcha response from the client device may be received, which is compared to the expected response to determine based on the service policy if the client device is operating under control of a human user or operating autonomously. Risk levels may be associated with likelihood of the client device being a bot computer and operating autonomously or operating under control of a human user.

Abstract: Provided are methods and systems for mitigating a DDoS event. The method may comprise receiving an indication of a collapse of a collapsible virtual data circuit associated with network data traffic. In response to the received indication of the collapse, the collapse may be attributed to the DDoS event. Furthermore, the method may comprise redirecting the network data traffic to one or more DDoS mitigation services. The method may further comprise mitigating the DDoS event by the one or more DDoS mitigation services.

Abstract: User authentication techniques based on geographical locations associated with a client device are provided. An example method for authentication of the client device includes receiving an authentication request from the client device. The method may include establishing current geographical location of the client device based on metadata received from the client device. The method may further include establishing a trusted tolerance geographical area based on historical location area associated with the client device. After establishing the trusted tolerance geographical area, the method may proceed with determining whether the current geographical location of the client device is within the trusted tolerance geographical area. The method may further include authenticating the client device based on the determination that the current geographical location of the client device is within the trusted tolerance geographical area.

Abstract: Provided are methods and systems for mitigating a DDoS event. The method may comprise receiving an indication of a collapse of a collapsible virtual data circuit associated with network data traffic. In response to the received indication of the collapse, the collapse may be attributed to the DDoS event. Furthermore, the method may comprise redirecting the network data traffic to one or more DDoS mitigation services. The method may further comprise mitigating the DDoS event by the one or more DDoS mitigation services.