Abstract: According to some embodiments of the disclosure, a method includes receiving an electronic communication directed to a data resource, determining, by a machine learning (ML) web application firewall (WAF), an attack probability of the electronic communication based on a plurality of features, wherein subsets of the plurality of features are arranged in a plurality of feature groups, adjusting the attack probability based on respective feature weights of the plurality of feature groups.

Abstract: A method is described for a proxy to mitigate attacks from web application clients based on context of web application layer requests. The method includes receiving a plurality of web application layer requests from a web application layer client; aggregating a first set of requests from the plurality of web application layer requests, wherein the first set of requests are part of a first session; determining a profile based on the first set of requests, wherein the profile describes a baseline of expected behavior for a user of the web application layer client; and determining a first threat value associated with the first set of requests based on the first set of requests and the profile, wherein the first threat value describes the likelihood that the first set of requests are part of an attack on one or more web application servers.

Abstract: A computing device is described that is coupled to a set of web application layer attack detectors (ADs), which are coupled between clients and web application servers. The ADs apply security rules to traffic between clients and servers and send alert packages to the computing device in response to triggering one or more security rules, which identify web application layer attacks. The computing device automatically generates attribute identifier-value pairs based on alert packages and uses the attribute identifier-value pairs along with collection rule templates to generate collection rules, which are used to inspect traffic for additional analysis. The ADs apply the collection rules to traffic and send collection packages to the computing device in response to triggering one or more collection rules.

Abstract: A method is described for a proxy to mitigate attacks from web application clients based on context of web application layer requests. The method includes receiving a plurality of web application layer requests from a web application layer client; aggregating a first set of requests from the plurality of web application layer requests, wherein the first set of requests are part of a first session; determining a profile based on the first set of requests, wherein the profile describes a baseline of expected behavior for a user of the web application layer client; and determining a first threat value associated with the first set of requests based on the first set of requests and the profile, wherein the first threat value describes the likelihood that the first set of requests are part of an attack on one or more web application servers.

Abstract: A computing device is described that is coupled to a set of web application layer attack detectors (ADs), which are coupled between clients and web application servers. The ADs apply security rules to traffic between clients and servers and send alert packages to the computing device in response to triggering one or more security rules, which identify web application layer attacks. The computing device automatically generates attribute identifier-value pairs based on alert packages and uses the attribute identifier-value pairs along with collection rule templates to generate collection rules, which are used to inspect traffic for additional analysis. The ADs apply the collection rules to traffic and send collection packages to the computing device in response to triggering one or more collection rules.

Abstract: Techniques related to virtual encryption patching are described. A security gateway includes multiple Transport Layer Security Implementations (TLSI) that can be used for creating secure communications channels to carry application-layer traffic between one or more clients and one or more server applications. In some embodiments, upon determining that one of the multiple TLSIs contains a security vulnerability, that TLSI can be disabled, leaving one or more others of the multiple TLSIs enabled and available to be used to carry traffic of new connections between the clients and server applications.

Abstract: Techniques related to virtual encryption patching are described. A security gateway includes multiple Transport Layer Security Implementations (TLSI) that can be used for creating secure communications channels to carry application-layer traffic between one or more clients and one or more server applications. In some embodiments, upon determining that one of the multiple TLSIs contains a security vulnerability, that TLSI can be disabled, leaving one or more others of the multiple TLSIs enabled and available to be used to carry traffic of new connections between the clients and server applications.