Patents by Inventor Sean O'Hara

Sean O'Hara has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20230362207
    Abstract: A computer method and system for mitigating Domain Name System (DNS) misuse using a probabilistic data structure, such as a cuckoo filter. Intercepted is network traffic flowing from one or more external hosts to a computer network, the intercepted network traffic including a DNS request that requests a Resource Record name in a DNS zone file. A determination is made as to whether the DNS request is requesting resolution at a protected DNS Name Server. A hash value is calculated for the requested Resource Record name if it is determined the DNS request is requesting resolution at the protected DNS Name Server. A determination is then made as to whether the calculated hash value for the requested Resource Record name is present in the probabilistic data structure. The DNS request is forwarded to the protected server if the requested Resource Record name is determined present in the probabilistic data structure.
    Type: Application
    Filed: July 14, 2023
    Publication date: November 9, 2023
    Applicant: Arbor Networks, Inc.
    Inventors: Brian St. Pierre, Sean O'Hara, Edmund J. Gurney, III
  • Patent number: 11785042
    Abstract: A system and computer-implemented method of managing botnet attacks to a computer network is provided. The system and method includes receiving a DNS request included in network traffic, each DNS request included in the network traffic and including a domain name of a target host and identifying a source address of a source host, wherein the translation of the domain name, if translated, provides an IP address to the source host that requested the translation. The domain name of the DNS request is compared to a botnet domain repository, wherein the botnet domain repository includes one or more entries, each entry having a confirmation indicator that indicates whether the entry corresponds to a confirmed botnet.
    Type: Grant
    Filed: July 31, 2019
    Date of Patent: October 10, 2023
    Assignee: Netscout Systems, Inc.
    Inventors: Sean O'Hara, Andrew David Mortensen, Brian St. Pierre
  • Patent number: 11743301
    Abstract: A computer method and system for mitigating Domain Name System (DNS) misuse using a probabilistic data structure, such as a cuckoo filter. Intercepted is network traffic flowing from one or more external hosts to a computer network, the intercepted network traffic including a DNS request that requests a Resource Record name in a DNS zone file. A determination is made as to whether the DNS request is requesting resolution at a protected DNS Name Server. A hash value is calculated for the requested Resource Record name if it is determined the DNS request is requesting resolution at the protected DNS Name Server. A determination is then made as to whether the calculated hash value for the requested Resource Record name is present in the probabilistic data structure. The DNS request is forwarded to the protected server if the requested Resource Record name is determined present in the probabilistic data structure.
    Type: Grant
    Filed: November 17, 2021
    Date of Patent: August 29, 2023
    Assignee: Arbor Networks, Inc.
    Inventors: Brian St. Pierre, Sean O'Hara, Edmund J. Gurney, III
  • Publication number: 20230171286
    Abstract: A system and method for providing network bridge upstream connections by a network device using proxied network metrics. An upstream network bridge connection request is received in a network device (e.g., a bridge device) from a first network component (e.g., a client device) for connecting to a second network component (e.g., a network server device). This upstream network bridge connection request is analyzed by the network bridge to determine if a network attack threat is associated with the client device requesting the upstream network bridge connection to the server device preferably by inspecting certain network metrics present in the downstream connection associated with the client device. If no network attack threat is determined, then a determination is made as to whether a preexisting upstream network bridge connection between the client device and the server device exists in a connection pool database.
    Type: Application
    Filed: November 30, 2021
    Publication date: June 1, 2023
    Applicant: Arbor Networks, Inc.
    Inventor: Sean O'Hara
  • Publication number: 20230156044
    Abstract: A computer method and system for mitigating Domain Name System (DNS) misuse using a probabilistic data structure, such as a cuckoo filter. Intercepted is network traffic flowing from one or more external hosts to a computer network, the intercepted network traffic including a DNS request that requests a Resource Record name in a DNS zone file. A determination is made as to whether the DNS request is requesting resolution at a protected DNS Name Server. A hash value is calculated for the requested Resource Record name if it is determined the DNS request is requesting resolution at the protected DNS Name Server. A determination is then made as to whether the calculated hash value for the requested Resource Record name is present in the probabilistic data structure. The DNS request is forwarded to the protected server if the requested Resource Record name is determined present in the probabilistic data structure.
    Type: Application
    Filed: November 17, 2021
    Publication date: May 18, 2023
    Applicant: Arbor Networks, Inc.
    Inventors: Brian St. Pierre, Sean O'Hara, Edmund J. Gurney, III
  • Publication number: 20230144993
    Abstract: A computer-implemented method and a computer system are provided for selecting active or passive decryption mode when observing network traffic between a downstream client and an upstream server. The method includes selecting a decryption mode in an initial stage of setting up a secure session based on a determination of a most probable decryption mode based on decryption modes used for similar and/or past secure sessions, wherein the initial stage is when the client initiates a transport layer connection before the transport layer connection or the secure session is established. The method further includes validating the selected decryption mode at least once during the secure session based on whether the selected decryption mode is actually and/or is probably supported based on security algorithms supported by the client and/or server, and switching the decryption mode based on a result of validating the selected decryption mode.
    Type: Application
    Filed: November 10, 2021
    Publication date: May 11, 2023
    Applicant: Arbor Networks, Inc.
    Inventors: Sean O'Hara, Archana Adiyamankottai Rajaram
  • Patent number: 11616807
    Abstract: A computer method and system to determine one or more sub-groups of protected network servers for receiving common network filter settings for mitigating Denial of Service (DoS) attacks. Network traffic associated with the plurality of network servers is captured and collated for each of the plurality of network servers. The collated network traffic is then analyzed to determine a profile of one or more network services provided by each of the plurality of network servers. Each of the plurality of network servers is then tagged with one or more network services determined provided by each network server based upon analysis of the collated network traffic. Metadata is then determined from the collated network traffic that is associated with each of the plurality of network servers.
    Type: Grant
    Filed: January 3, 2020
    Date of Patent: March 28, 2023
    Assignee: Arbor Networks, Inc.
    Inventors: Sean O'Hara, Alan Saqui
  • Patent number: 11601456
    Abstract: A method is provided for inspecting network traffic. The method, performed in a single contained device, includes receiving network traffic inbound from an external host that is external to the protected network flowing to a protected host of the protected network, wherein the network traffic is transported by a secure protocol that implements ephemeral keys that endure for a limited time. The method further includes performing a first transmission control protocol (TCP) handshake with the external host, obtaining source and destination data during the first TCP handshake, the source and destination data including source and destination link and internet addresses obtained, caching the source and destination data, and using the cached source and destination data to obtain a Layer-7 request from the external host to the protected host and to pass a Layer-7 response from the protected host to the external host.
    Type: Grant
    Filed: August 11, 2020
    Date of Patent: March 7, 2023
    Assignee: Arbor Networks, Inc.
    Inventors: Sean O'Hara, Archana A. Rajaram
  • Patent number: 11558266
    Abstract: A method and system are provided for monitoring a protected network. The method includes, in a scoring phase, receiving a learned model having clusters of learning requests of learning network traffic observed during non-strain operation of the protected network, wherein each cluster has an associated characteristic learning response time. The method further includes receiving a score request to score a network service request of the network traffic, classifying the network service request with one of the clusters by comparing fields of the network service request to fields used for clustering the learning requests with the cluster, calculating a score based on the characteristic learning response times generated for the learned cluster to which the network service request is classified, and adjusting supportive handling of the network service request based on the score.
    Type: Grant
    Filed: December 17, 2019
    Date of Patent: January 17, 2023
    Assignee: Arbor Networks, Inc.
    Inventor: Sean O'Hara
  • Patent number: 11539744
    Abstract: A method of monitoring network traffic for cryptojacking activity is provided. A request is received from a protected host. It is determined whether the request is a cryptocurrency request based on whether the request uses a protocol specified for requests belonging to the cryptocurrency communication. In response to a determination that the request is a cryptocurrency request for the cryptocurrency, a second request is submitted to a destination indicated by the request, wherein the second request is formatted as a cryptocurrency request for the cryptocurrency. A determination is made whether a reply to the second request from the destination is a cryptocurrency response for the cryptocurrency based on whether the response uses a protocol specified for a response that belongs to communication associated with the cryptocurrency. An intervention action is caused in response to a determination that the reply to the second request from the destination is a cryptocurrency response for the cryptocurrency.
    Type: Grant
    Filed: August 11, 2020
    Date of Patent: December 27, 2022
    Assignee: Arbor Networks, Inc.
    Inventor: Sean O'Hara
  • Patent number: 11469968
    Abstract: A method and system for automatically classifying protected devices of a protected network to protection groups providing customized protection. The method includes accessing network flow information that includes network statistics processed from observed data obtained by packet interception devices, accessing at least one model that was trained using machine learning and a training data set of the network flow information to classify protected devices having addresses that correspond to destination addresses associated with the training data set to respective protection groups as a function of the network statistics that correspond to the training data set, and classifying a protected device that has an address that corresponds to a destination address associated with a portion of the network flow information to at least one of the protection groups using the at least one model and machine learning and as a function of the network statistics that correspond to the portion of the network flow information.
    Type: Grant
    Filed: July 10, 2020
    Date of Patent: October 11, 2022
    Assignee: Arbor Networks, Inc.
    Inventors: Justin William Haddad, Sean O'Hara
  • Patent number: 11444966
    Abstract: The method and system are provided for monitoring a protected network for strain. The method includes receiving a learned model having clusters of learning requests of learning network traffic observed during non-strain operation of the protected network, observing network traffic, classifying each of the traffic requests with one of the clusters based on fields of the traffic request and fields used for clustering the learning requests, determining an analysis response time for respective traffic requests associated with the classified traffic requests, determining an analysis response time characteristic per cluster based on an analysis response time associated with the respective classified traffic requests classified with the cluster, determining a difference per cluster between the analysis response time and the learning response times associated with the cluster, and notifying a mitigation device when the difference determined for enough of the clusters exceeds a predetermined threshold.
    Type: Grant
    Filed: December 17, 2019
    Date of Patent: September 13, 2022
    Assignee: Arbor Networks, Inc.
    Inventor: Sean O'Hara
  • Patent number: 11431750
    Abstract: A system and method for detecting a Denial of Service (DoS) attack. A number of evaluator elements (M) is determined for DoS analysis for network connection requests wherein each evaluator element is preferably associated with a component of the analyzed connection request. A DoS evaluator element score is determined for an evaluator element of the connection request by analyzing the evaluator element. DoS mitigation actions may be performed on the connection request if the determined evaluator element score is indicative of a DoS attack. An evaluator consolidated score (which may be weighted) is then calculated preferably consisting of one or more of the respective DoS evaluator element scores. Next, a determination is made as to whether each evaluator element of the M evaluator elements has been analyzed for determining a respective DoS evaluator element score. If no, a DoS evaluator element score for a succeeding evaluator element to be analyzed is then determined.
    Type: Grant
    Filed: May 15, 2020
    Date of Patent: August 30, 2022
    Assignee: Arbor Networks, Inc.
    Inventors: Sean O'Hara, Steinthor Bjarnason
  • Patent number: 11343228
    Abstract: A computer method and system for determining common network security filter settings for one or more clusters of network servers. Network traffic samples are captured which are associated with a plurality of network servers. The captured network traffic samples are collated with regards to each of the plurality of network servers. The collated network traffic is analyzed for each of the plurality of network servers for determining suggested network security filter settings for each network server. One or more clusters of network servers are determined contingent upon the determined suggested network security filter settings for each of the plurality of network servers. Common network security group filter settings are determined for each determined cluster of network servers.
    Type: Grant
    Filed: May 13, 2020
    Date of Patent: May 24, 2022
    Assignee: Arbor Networks, Inc.
    Inventors: Sean O'Hara, Alan Saqui
  • Publication number: 20220053006
    Abstract: A method of monitoring network traffic for cryptojacking activity is provided. A request is received from a protected host. It is determined whether the request is a cryptocurrency request based on whether the request uses a protocol specified for requests belonging to the cryptocurrency communication. In response to a determination that the request is a cryptocurrency request for the cryptocurrency, a second request is submitted to a destination indicated by the request, wherein the second request is formatted as a cryptocurrency request for the cryptocurrency. A determination is made whether a reply to the second request from the destination is a cryptocurrency response for the cryptocurrency based on whether the response uses a protocol specified for a response that belongs to communication associated with the cryptocurrency.
    Type: Application
    Filed: August 11, 2020
    Publication date: February 17, 2022
    Applicant: Arbor Networks, Inc.
    Inventor: Sean O'Hara
  • Publication number: 20210360025
    Abstract: A computer method and system for mitigating a Session Level Attack (SLA) upon one or more internet hosted sought user accounts. A login request for a sought user account is received and Layer 3 information regarding the login request is utilized to determine existence of a SLA threat. One or more mitigation actions are performed on the login request to determine if a SLA threat exists based upon the utilization of Layer 3 information. Next, Layer 7 information regarding the login request is utilized to determine existence of a SLA threat wherein the Layer 7 information is only utilized to determine the existence of a SLA threat when no SLA threat was determined through utilization of the Layer 3 information. One or more mitigation actions are performed on the HTTP login request if the existence of a SLA threat exists based upon the utilization of the Layer 7 information.
    Type: Application
    Filed: May 15, 2020
    Publication date: November 18, 2021
    Applicant: Arbor Networks, Inc.
    Inventors: Sean O'Hara, Conner Jones
  • Publication number: 20210359976
    Abstract: A computer method and system for determining common network security filter settings for one or more clusters of network servers. Network traffic samples are captured which are associated with a plurality of network servers. The captured network traffic samples are collated with regards to each of the plurality of network servers. The collated network traffic is analyzed for each of the plurality of network servers for determining suggested network security filter settings for each network server. One or more clusters of network servers are determined contingent upon the determined suggested network security filter settings for each of the plurality of network servers. Common network security group filter settings are determined for each determined cluster of network servers.
    Type: Application
    Filed: May 13, 2020
    Publication date: November 18, 2021
    Applicant: Arbor Networks, Inc.
    Inventors: Sean O'Hara, Alan Saqui
  • Publication number: 20210360023
    Abstract: A system and method for detecting a Denial of Service (DoS) attack. A number of evaluator elements (M) is determined for DoS analysis for network connection requests wherein each evaluator element is preferably associated with a component of the analyzed connection request. A DoS evaluator element score is determined for an evaluator element of the connection request by analyzing the evaluator element. DoS mitigation actions may be performed on the connection request if the determined evaluator element score is indicative of a DoS attack. An evaluator consolidated score (which may be weighted) is then calculated preferably consisting of one or more of the respective DoS evaluator element scores. Next, a determination is made as to whether each evaluator element of the M evaluator elements has been analyzed for determining a respective DoS evaluator element score. If no, a DoS evaluator element score for a succeeding evaluator element to be analyzed is then determined.
    Type: Application
    Filed: May 15, 2020
    Publication date: November 18, 2021
    Applicant: Arbor Networks, Inc.
    Inventors: Sean O'Hara, Steinthor Bjarnason
  • Publication number: 20210360011
    Abstract: A method is provided for inspecting network traffic. The method, performed in a single contained device, includes receiving network traffic inbound from an external host that is external to the protected network flowing to a protected host of the protected network, wherein the network traffic is transported by a secure protocol that implements ephemeral keys that endure for a limited time. The method further includes performing a first transmission control protocol (TCP) handshake with the external host, obtaining source and destination data during the first TCP handshake, the source and destination data including source and destination link and internet addresses obtained, caching the source and destination data, and using the cached source and destination data to obtain a Layer-7 request from the external host to the protected host and to pass a Layer-7 response from the protected host to the external host.
    Type: Application
    Filed: August 11, 2020
    Publication date: November 18, 2021
    Applicant: Arbor Networks, Inc.
    Inventors: Sean O'Hara, Archana A. Rajaram
  • Patent number: 11178177
    Abstract: A computer method and system for mitigating a Session Level Attack (SLA) upon one or more internet hosted sought user accounts. A login request for a sought user account is received and Layer 3 information regarding the login request is utilized to determine existence of a SLA threat. One or more mitigation actions are performed on the login request to determine if a SLA threat exists based upon the utilization of Layer 3 information. Next, Layer 7 information regarding the login request is utilized to determine existence of a SLA threat wherein the Layer 7 information is only utilized to determine the existence of a SLA threat when no SLA threat was determined through utilization of the Layer 3 information. One or more mitigation actions are performed on the HTTP login request if the existence of a SLA threat exists based upon the utilization of the Layer 7 information.
    Type: Grant
    Filed: May 15, 2020
    Date of Patent: November 16, 2021
    Assignee: Arbor Networks, Inc.
    Inventors: Sean O'Hara, Conner Jones