Abstract: Methods, non-transitory computer readable media, and network traffic manager apparatus that assists with protecting a CPU during a DDOS attack includes monitoring network traffic data from plurality of client devices. Each of the plurality of client devices are classified as a valid device or a potential attacker device based on the monitoring. Next a determination of when CPU utilization of a network traffic manager apparatus is greater than a stored threshold value is made. The CPU utilization of the network traffic manager increases as a number of the plurality of client devices classified as the potential attacker device increases. One or more network actions are performed on the plurality of client devices classified as the potential attacker device to protect the CPU when the determination indicates the CPU utilization is greater than the stored threshold value.

Abstract: Methods, non-transitory computer readable media, network traffic manager apparatuses, and systems that assist with managing hypertext transfer protocol (HTTP) requests using extended SYN cookie includes establishing a network connection with a client without allocating a plurality of computing resources to the established network connection, in response to aa request to establish a connection from a client. Presence of a digital signature in a first data packet comprising a request for a webpage is determined. The digital signature is compared to a plurality of stored signatures to determine when the client is a nefarious computing device when the determination indicates that the received request includes the signature. The established network connection is terminated with the client without allocating the plurality of computing resources when the comparison indicates the client is the nefarious computing device.

Abstract: Network traffic management apparatuses, systems, methods, and computer-readable media for automatically detecting attack signatures and generating attack signature identifications, involving: collecting a stable dataset during a stable time; determining whether a cyber-attack is detected; when a cyber-attack is detected, periodically generating attack signatures and updating an enforcer with the attack signatures, the attack signatures representing dynamic rules to be enforced; validating the dynamic rules via a long-time validation mechanism, validating involving considering behavior of each dynamic rule after the cyber-attack and during a new cyber-attack and ranking each dynamic rule using the stable dataset, thereby generating persistent rules having a dynamic rule; exporting the persistent rules to a security enforcer; introducing the persistent rules to a persistent rule revocater; determining whether export of an unrevoked persistent rule is requested; and if requested, exporting the unrevoked persiste

Abstract: A method, non-transitory computer readable medium, security management apparatus, and network traffic management system that monitors received HTTP requests associated with a source IP address to obtain data for one or more signals. A value for one or more bins corresponding to one or more of the signals for individual behavioral histograms and a global behavioral histogram is updated based on the signal data. The individual behavioral histograms each correspond to one of the source IP addresses. A determination is made when a DDoS attack condition is detected. When the determining indicates that the DDoS attack condition is detected, an attack pattern is identified in the global behavioral histogram and a mitigation action is initiated for one of the source IP addresses based on a correlation of one of the individual behavioral histograms, which corresponds to the one of the source IP addresses, to the attack pattern.

Abstract: A method, non-transitory computer readable medium, and health analysis apparatus that monitors network traffic exchanged with a plurality of server devices in a server pool to obtain signal data regarding a plurality of signals associated with the network traffic. A determination is made when there is a sever health anomaly for one or more of the server devices based on an application of a server health prediction model to the signal data. The server health prediction model includes a plurality of predictive health targets each based at least in part on historical signal data for one or more of the signals and having an associated threshold value. A mitigation action is initiated when the determining indicates there is a sever health anomaly for one or more of the server devices.

Abstract: A method, non-transitory computer readable medium and device that assist with configuring adaptive rate limit based on server health and statistics includes obtaining server health data and a current response transmission rate associated with one of the plurality of servers. An adaptive rate limit is determined based on the obtained server health data and the current response transmission rate. An actual rate and the determined adaptive rate limit is compared to determine when the actual rate of transmission is greater than the determined adaptive rate limit. A plurality of network data packets is transmitted at the determined adaptive rate limit when the actual rate of transmission is determined to be greater than the determined adaptive rate limit.

Abstract: Network traffic management apparatuses, systems, methods, and computer-readable media for automatically detecting attack signatures and generating attack signature identifications, involving: collecting a stable dataset during a stable time; determining whether a cyber-attack is detected; when a cyber-attack is detected, periodically generating attack signatures and updating an enforcer with the attack signatures, the attack signatures representing dynamic rules to be enforced; validating the dynamic rules via a long-time validation mechanism, validating involving considering behavior of each dynamic rule after the cyber-attack and during a new cyber-attack and ranking each dynamic rule using the stable dataset, thereby generating persistent rules having a dynamic rule; exporting the persistent rules to a security enforcer; introducing the persistent rules to a persistent rule revocater; determining whether export of an unrevoked persistent rule is requested; and if requested, exporting the unrevoked persiste

Abstract: A method, non-transitory computer readable medium, and network security apparatus that monitors received network traffic to obtain signal data for signals associated with the network traffic in accordance with a stored configuration. A model and configuration update(s) are generated and the stored configuration is updated based on the configuration update(s). The model includes a threshold for at least one of the signals. A determination is made when there is an anomaly in the network traffic based on the application of the model to the signal data or a match of at least a portion of the signal data to an anomalous traffic pattern received from a centralized analytic server computing device. A mitigation action is initiated, when the determining indicates that there is an anomaly in the network traffic. Accordingly, this technology facilitates dynamic and adaptive network traffic analysis and anomaly detection including improvements thereto independent of human intervention.

Abstract: Methods, non-transitory computer readable media, application security management apparatuses, and network traffic management systems that obtain a reputation score for a client. A server is selected based on the reputation score and a session is established with the server. Interaction(s) with an application hosted by the server are monitored. The reputation score for the client is updated based on the interaction(s). A remote fingerprint database and client-side scripts and cookies can be used to obtain reputation scores generated in different domain(s). With this technology, reputations scores are used to direct sessions for relatively benign clients and relatively malicious clients to different server devices so that if the relatively malicious clients conduct a successful attack, only a subset of the servers will be unavailable, and the relatively benign clients will still have access to application(s) hosted by another subset of servers unaffected by the attack.

Abstract: A method, non-transitory computer readable medium and an multi-blade network traffic manager device that assists with aggregating per-session statistics on a clustered system includes receiving a request for a HTTP transaction. Presence of a cookie within the received request is determined. One or more actions is performed based on the determination of the presence of the cookie to prepare for aggregating session statistics within a clustered system. Session statistics information is aggregated upon performing the one or more actions and completing the request for the HTTP transaction.