Abstract: Described embodiments provide systems and methods for detecting autonomous programs is provided. A device, intermediary to a plurality of clients and a plurality of servers, can receive a first request from a first client of the plurality of clients to a server of the plurality of servers via a connection between the device and the first client. The device can include, into a response from the server to the first client, a uniform resource locator (URL) comprising one or more randomly generated characters within a predetermined character space. The device can determine that the first client has an autonomous program responsive to receiving a second request from the first client using the URL. The device can terminate, responsive to the determination, the connection to the first client.

Abstract: Described embodiments provide systems and methods for validating connections while mitigating cookie hijack attacks. A device intermediary between a client and a server can receive a request from the client to establish a connection. The device may send a cookie to the client, the cookie generated according to a connection identifier and a shared counter. The device may receive a response from the client that includes a client validation cookie for validating the request. The client validation cookie may be generated according to the cookie. The device may determine a candidate validation cookie according to a value of a counter range of the shared counter, that matches the client validation cookie. The device may validate the request responsive to the determination.

Abstract: A computer system is provided. The computer system includes a memory, a network interface, and a processor coupled to the memory and the network interface. The processor is configured to receive a response to a request to verify whether an ostensible client of a service is actually a client or a bot, the response including an indicator of whether the ostensible client is a client or a bot; receive information descriptive of interoperations between the ostensible client and the service that are indicative of whether the ostensible client is a client or a bot; and train a plurality of machine learning classifiers using the information and the indicator to generate a next generation of the plurality of machine learning classifiers.

Abstract: Described embodiments provide systems and methods for validating a request to access a resource. A device can receive a first request from a client that includes a first uniform resource locator (URL) of the server. The device may receive a response from the server that includes a second URL. The device may update the response by including the client identifier in a set-cookie field, and adding to the second URL a first value of a query parameter determined according to: a client identifier assigned by the device, a key, and the second URL. The device may receive a second request that includes the client identifier, and a third URL having the first value. The device may determine to allow the server to receive the second request when the first value matches a second value determined according to the client identifier from the second request, the third URL and the key.

Abstract: Reducing vulnerability to a server is provided. A device intermediary to a client and a server can receive a RPC message from the RPC based client to the RPC based server, the RPC message having a plurality of fields to execute one or more routines on the server. The device can detect that one or more fields of the plurality of fields exploits a vulnerability of the RPC based server. The device can modify the RPC message to remove the one or more fields from the RPC message. The device can forward the modified RPC message to the RPC server.

Abstract: Described embodiments provide systems and methods for validating connections while mitigating cookie hijack attacks. A device intermediary between a client and a server can receive a request from the client to establish a connection. The device may send a cookie to the client, the cookie generated according to a connection identifier and a shared counter. The device may receive a response from the client that includes a client validation cookie for validating the request. The client validation cookie may be generated according to the cookie. The device may determine a candidate validation cookie according to a value of a counter range of the shared counter, that matches the client validation cookie. The device may validate the request responsive to the determination.

Abstract: Described embodiments provide systems and methods for learning across multiple application delivery controllers and updating settings across the application delivery controllers. A profile can be generated based on selection of a set of intermediary devices managed by a device. The set of intermediary devices configured to load balance data of an application hosted in different computing environments. Activity can be identified at the intermediary devices with use of a firewall. The activity having an appearance of a malicious attack on at least one intermediary device of the set. The device can determine if the activity is permissible or a violation based on a comparison of an aggregation of data records for the identified activity and a threshold. The device can provide a notification to at least one intermediary device of the set to configure the at least one intermediary device to allow the activity or prevent the activity.

Abstract: Described embodiments provide systems and methods for morphing or regenerating validation information. A client can receive, via a device, an authentication cookie for access to a server. The device may maintain a sequence number and a cryptographic secret. The client may use the cryptographic secret and a cookie engine to generate validation cookie information with an updated sequence number. The client may send the authentication cookie to the device via a hypertext transfer protocol (HTTP) message to validate the authentication cookie.

Abstract: Described embodiments provide systems and methods for learning across multiple application delivery controllers and updating settings across the application delivery controllers. A profile can be generated based on selection of a set of intermediary devices managed by a device. The set of intermediary devices configured to load balance data of an application hosted in different computing environments. Activity can be identified at the intermediary devices with use of a firewall. The activity having an appearance of a malicious attack on at least one intermediary device of the set. The device can determine if the activity is permissible or a violation based on a comparison of an aggregation of data records for the identified activity and a threshold. The device can provide a notification to at least one intermediary device of the set to configure the at least one intermediary device to allow the activity or prevent the activity.

Abstract: Systems and methods for autonomous program management include a device which may receive a first request from a client for a server. The device may transmit one or more data packets to the client. The data packet(s) may include a response to the request from the server and an attribute collector script which executes on the client to automatically transmit one or more attributes corresponding to at least one of the client or a browser of the client to the device. The device may receive a second request from the client which includes one or more attributes collected using the attribute collector script. The device may determine whether the client is associated with an autonomous program using the attribute(s). The device may block one or more subsequent requests from the client to the server responsive to determining that the client is associated with an autonomous program.

Abstract: A computer system is provided. The computer system includes a memory, a network interface, and a processor coupled to the memory and the network interface. The processor is configured to receive a response to a request to verify whether an ostensible client of a service is actually a client or a bot, the response including an indicator of whether the ostensible client is a client or a bot; receive information descriptive of interoperations between the ostensible client and the service that are indicative of whether the ostensible client is a client or a bot; and train a plurality of machine learning classifiers using the information and the indicator to generate a next generation of the plurality of machine learning classifiers.

Abstract: Described embodiments provide systems and methods for detecting autonomous programs is provided. A device, intermediary to a plurality of clients and a plurality of servers, can receive a first request from a first client of the plurality of clients to a server of the plurality of servers via a connection between the device and the first client. The device can include, into a response from the server to the first client, a uniform resource locator (URL) comprising one or more randomly generated characters within a predetermined character space. The device can determine that the first client has an autonomous program responsive to receiving a second request from the first client using the URL. The device can terminate, responsive to the determination, the connection to the first client.

Abstract: The present disclosure is directed towards systems and methods for detecting anomalous network traffic. Network traffic corresponding to an application executed by a server can be received. Application characteristics of the application can be identified to select an anomaly detection profile. The anomaly detection profile can be selected based on the identified application characteristics. The anomaly detection profile can include a set of detection features for the anomaly and one or more predetermined threshold values of the detection features. One or more feature values of the set of one or more detection features can be determined. An anomaly in the network traffic can be detected responsive to comparing the feature values and the predetermined threshold values of the detection features.

Abstract: The present disclosure is directed towards systems and methods for detecting anomalous network traffic. Network traffic corresponding to an application executed by a server can be received. Application characteristics of the application can be identified to select an anomaly detection profile. The anomaly detection profile can be selected based on the identified application characteristics. The anomaly detection profile can include a set of detection features for the anomaly and one or more predetermined threshold values of the detection features. One or more feature values of the set of one or more detection features can be determined. An anomaly in the network traffic can be detected responsive to comparing the feature values and the predetermined threshold values of the detection features.

Abstract: Systems and methods for protection against session stealing is described. In embodiments of the present solution, a device intermediary to the client and the server may identify first properties of the client and associate the first properties with the session key. When the device receives subsequent request comprising the session key, the device matches the associated first properties with second properties of the second device that is sending the subsequent request. If there is a match, the subsequent request transmitted to the server. Otherwise, the subsequent request is rejected.

Abstract: The present disclosure is directed towards systems and methods for improving anomaly detection using injected outliers. A normalcy calculator of a device may include a set of outliers into a training dataset of data points. The normalcy calculator, using a K-means clustering algorithm applied on the training dataset, identify at least a first cluster of data points. The normalcy calculator of the device may determine a region with a center and an outer radius that covers at least a spatial extent of the first cluster of data points. The normalcy calculator may determine a first normalcy radius for the first cluster by reducing the region around the center until a point at which all artificial outliers are excluded from a region defined by the first normalcy radius. An outlier detector of the device may use the region defined by the first normalcy radius to determine whether a new data point is normal or abnormal.

Abstract: The present disclosure is directed towards systems and methods for characterizing anomalous network traffic. The system includes a device intermediary to clients and servers. The device includes a network traffic engine to receive network traffic including an anomaly. The device includes a univariate policy manager to determine whether the network traffic satisfies at least one of the rules of a univariate policy based on a respective single independent network traffic feature. The device includes a multivariate policy manager to determine, responsive to determining that the network traffic does not satisfy the rules of the univariate policy, that the network satisfies a multivariate policy including a plurality of anomaly explanation tests. The device includes an anomaly explanation selector to select, responsive to determining that the network traffic satisfies the multivariate policy, an anomaly explanation.

Abstract: The present disclosure is directed towards systems and methods for detecting anomalous network traffic. Network traffic corresponding to an application executed by a server can be received. Application characteristics of the application can be identified to select an anomaly detection profile. The anomaly detection profile can be selected based on the identified application characteristics. The anomaly detection profile can include a set of detection features for the anomaly and one or more predetermined threshold values of the detection features. One or more feature values of the set of one or more detection features can be determined. An anomaly in the network traffic can be detected responsive to comparing the feature values and the predetermined threshold values of the detection features.

Abstract: The present disclosure is directed towards systems and methods for characterizing anomalous network traffic. The system includes a device intermediary to clients and servers. The device includes a network traffic engine to receive network traffic including an anomaly. The device includes a univariate policy manager to determine whether the network traffic satisfies at least one of the rules of a univariate policy based on a respective single independent network traffic feature. The device includes a multivariate policy manager to determine, responsive to determining that the network traffic does not satisfy the rules of the univariate policy, that the network satisfies a multivariate policy including a plurality of anomaly explanation tests. The device includes an anomaly explanation selector to select, responsive to determining that the network traffic satisfies the multivariate policy, an anomaly explanation.

Abstract: The present disclosure is directed towards systems and methods for improving anomaly detection using injected outliers. A normalcy calculator of a device may include a set of outliers into a training dataset of data points. The normalcy calculator, using a K-means clustering algorithm applied on the training dataset, identify at least a first cluster of data points. The normalcy calculator of the device may determine a region with a center and an outer radius that covers at least a spatial extent of the first cluster of data points. The normalcy calculator may determine a first normalcy radius for the first cluster by reducing the region around the center until a point at which all artificial outliers are excluded from a region defined by the first normalcy radius. An outlier detector of the device may use the region defined by the first normalcy radius to determine whether a new data point is normal or abnormal.