Patent classifications
G06F21/552
INTERNET-BASED PROXY SERVICE TO MODIFY INTERNET RESPONSES
A proxy server receives from a client device a request for a network resource that is hosted at an origin server for a domain. The request is received at the proxy server as a result of a DNS request for the domain resolving to the proxy server. The origin server is one of multiple origin servers that belong to different domains that resolve to the proxy server and are owned by different entities. The proxy server retrieves the requested network resource. The proxy server determines that the requested resource is an HTML page. The proxy server scans the HTML page to locate one or more modification tokens that each indicates content that is subject to being modified. For at least one of the located modification tokens, the proxy server automatically modifies at least a portion of the content of the HTML page that corresponds to that modification token. The proxy server then transmits the modified HTML page to the client device.
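As an added example (not part of the patent text or any proxy vendor's code), the following Python sketch shows the response-side step: the proxy only scans bodies whose Content-Type is text/html, locates modification tokens, and hands the wrapped content to a per-token handler. The token syntax (`<!--mod:NAME--> ... <!--/mod-->`), the handler names and the sample page are assumptions made for the illustration; unknown tokens are left exactly as the origin served them.

```python
import re
from typing import Callable, Dict

# Assumed token syntax (not taken from the patent): content that is subject to
# modification is wrapped in HTML comments, <!--mod:NAME--> ... <!--/mod-->.
TOKEN_RE = re.compile(
    r"<!--\s*mod:([A-Za-z0-9_-]+)\s*-->(.*?)<!--\s*/mod\s*-->", re.DOTALL
)


def is_html_response(headers: Dict[str, str]) -> bool:
    """Only HTML pages are scanned; every other content type passes through untouched."""
    ctype = headers.get("content-type", headers.get("Content-Type", ""))
    return ctype.split(";")[0].strip().lower() == "text/html"


def apply_modification_tokens(html: str, handlers: Dict[str, Callable[[str], str]]) -> str:
    """Replace each recognised token (markers included) with the handler's output."""

    def replace(match: "re.Match[str]") -> str:
        name, content = match.group(1), match.group(2)
        handler = handlers.get(name)
        if handler is None:
            return match.group(0)  # unknown token: leave the page as served
        return handler(content)

    return TOKEN_RE.sub(replace, html)


def proxy_response(headers: Dict[str, str], body: str,
                   handlers: Dict[str, Callable[[str], str]]) -> str:
    """The proxy's response path: modify only if the resource is an HTML page."""
    if not is_html_response(headers):
        return body
    return apply_modification_tokens(body, handlers)


# Hypothetical handlers; a deployment would register whatever rewrites it needs.
HANDLERS: Dict[str, Callable[[str], str]] = {
    "redact": lambda content: "[removed by proxy]",
    "upper": lambda content: content.upper(),
}

# Constructed sample page, not a real origin response.
SAMPLE_PAGE = """<html><body>
<p>Contact: <!--mod:redact-->alice@example.com<!--/mod--></p>
<p><!--mod:upper-->welcome<!--/mod--></p>
<p><!--mod:unknown-->left alone<!--/mod--></p>
</body></html>"""

if __name__ == "__main__":
    print(proxy_response({"Content-Type": "text/html; charset=utf-8"}, SAMPLE_PAGE, HANDLERS))
```

Because the proxy fronts many unrelated domains, the handler table would in practice be selected per domain; the content-type check matters because applying regex rewrites to JSON, JavaScript or binary responses would corrupt them.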
Mitigating a Denial-of-Service Attack in a Cloud-Based Proxy Service
A proxy server in a cloud-based proxy service receives a message that indicates that a domain, whose traffic passes through the proxy server, may be under a denial-of-service (DoS) attack. The proxy server enables a rule for the domain that specifies that future requests for resources at that domain are subject to at least initially passing a set of one or more challenges. In response to receiving a request for a resource of that domain from a visitor, the proxy server presents the set of challenges that, if not passed, are an indication that the visitor is part of the DoS attack. If the set of challenges is passed, the request may be processed. If the set of challenges is not passed, the request may be dropped.
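As an added example (not the patent's or any vendor's implementation), the Python below models the rule lifecycle described above: enabling the challenge rule for a domain, challenging requests that carry no valid clearance, dropping failed answers, and issuing an HMAC-signed clearance cookie bound to the domain, the client address and an expiry once the challenge is passed. The challenge itself (`expected_answer`), the cookie name `challenge_pass` and the token format are assumptions standing in for whatever the real challenge page does in the browser.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class ProxyState:
    secret: bytes                                   # key for signing clearance tokens
    challenged_domains: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)     # nonce -> (domain, client_ip, issued_at)


def enable_dos_rule(state: ProxyState, domain: str) -> None:
    """Message received: the domain may be under attack, so challenge future requests."""
    state.challenged_domains.add(domain)


def disable_dos_rule(state: ProxyState, domain: str) -> None:
    state.challenged_domains.discard(domain)


def _clearance(state: ProxyState, domain: str, client_ip: str, expires: int) -> str:
    # Assumed token format: "<expiry>.<hmac>" bound to domain and client address.
    msg = f"{domain}|{client_ip}|{expires}".encode()
    return f"{expires}.{hmac.new(state.secret, msg, hashlib.sha256).hexdigest()}"


def clearance_valid(state: ProxyState, domain: str, client_ip: str, token: str, now: int) -> bool:
    try:
        expires = int(token.split(".", 1)[0])
    except (AttributeError, ValueError):
        return False
    if now >= expires:
        return False
    return hmac.compare_digest(token, _clearance(state, domain, client_ip, expires))


def expected_answer(nonce: str) -> str:
    # Stand-in for the work a real browser performs on the challenge page.
    return hashlib.sha256(nonce.encode()).hexdigest()[:16]


def handle_request(state: ProxyState, domain: str, client_ip: str, cookies: dict, now: int) -> dict:
    """Request path: forward if no rule or a valid clearance, otherwise present a challenge."""
    if domain not in state.challenged_domains:
        return {"action": "forward"}
    token = cookies.get("challenge_pass")
    if token is not None and clearance_valid(state, domain, client_ip, token, now):
        return {"action": "forward"}
    nonce = secrets.token_hex(16)
    state.pending[nonce] = (domain, client_ip, now)
    return {"action": "challenge", "nonce": nonce}


def submit_answer(state: ProxyState, domain: str, client_ip: str, nonce: str,
                  answer: str, now: int, ttl: int = 3600, max_age: int = 300) -> dict:
    """Challenge response path: a failed or stale answer is dropped, a good one earns a cookie."""
    issued = state.pending.pop(nonce, None)        # each nonce is single use
    if issued is None:
        return {"action": "drop"}
    p_domain, p_ip, issued_at = issued
    if (p_domain, p_ip) != (domain, client_ip) or now - issued_at > max_age:
        return {"action": "drop"}
    if not hmac.compare_digest(answer, expected_answer(nonce)):
        return {"action": "drop"}
    cookie = _clearance(state, domain, client_ip, now + ttl)
    return {"action": "forward", "set_cookie": {"challenge_pass": cookie}}
```

Binding the clearance to the client address and an expiry is what stops one solved challenge from being replayed by the rest of a botnet; the nonce is consumed on first use so an answer cannot be resubmitted.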
Extracting Malicious Instructions on a Virtual Machine in a Network Environment
A system includes a guest virtual machine with one or more virtual machine measurement points configured to collect virtual machine operating characteristics metadata, and a hypervisor control point configured to receive that metadata from the measurement points and send it to a hypervisor associated with the guest virtual machine. The hypervisor receives the metadata and forwards it to a hypervisor device driver in a virtual vault machine. The virtual vault machine determines a classification for the guest virtual machine based on the metadata and sends the determined classification to a vault management console.
Realtime detection of ransomware
Some examples relate generally to managing and storing data, and more specifically to the real-time detection of ransomware, system (or insider) threats, or the misappropriation of credentials by using file system audit events.
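As an added example (not the patent's own method), the following Python applies the idea of real-time detection over file system audit events: per user, a sliding window of write and rename events is kept, and an alert fires when many distinct files are touched in a short window and a large share of the events change the file extension, which is the typical footprint of a ransomware process rewriting and renaming documents. The event schema, thresholds and the audit stream in `sample_audit_events` are constructed for the illustration.

```python
import os
from collections import defaultdict, deque


def _ext(path: str) -> str:
    return os.path.splitext(path)[1].lower()


def sample_audit_events():
    """Constructed audit events (not real data): one normal user and one encrypting process."""
    events = [
        {"ts": 0, "user": "alice", "op": "write", "path": "/home/alice/report.docx"},
        {"ts": 30, "user": "alice", "op": "rename", "path": "/home/alice/report.docx",
         "new_path": "/home/alice/report-final.docx"},
        {"ts": 45, "user": "alice", "op": "write", "path": "/home/alice/notes.txt"},
    ]
    for i in range(25):   # mallory's process rewrites and renames 25 files within 50 seconds
        p = f"/srv/share/docs/file{i:02d}.xlsx"
        events.append({"ts": 2 * i, "user": "mallory", "op": "write", "path": p})
        events.append({"ts": 2 * i + 1, "user": "mallory", "op": "rename",
                       "path": p, "new_path": p + ".locked"})
    return events


def detect_ransomware(events, window_s=60, min_files=20, min_ext_change_ratio=0.3):
    """Stream the events in time order and alert once per user when the window looks like encryption."""
    windows = defaultdict(deque)        # user -> deque of (ts, path, extension_changed)
    alerts, alerted = [], set()
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["op"] not in ("write", "rename"):
            continue
        ext_changed = e["op"] == "rename" and _ext(e["path"]) != _ext(e["new_path"])
        q = windows[e["user"]]
        q.append((e["ts"], e["path"], ext_changed))
        while q and e["ts"] - q[0][0] > window_s:   # drop events outside the window
            q.popleft()
        files = {path for _, path, _ in q}
        changed = sum(1 for _, _, c in q if c)
        if (e["user"] not in alerted
                and len(files) >= min_files
                and changed / len(q) >= min_ext_change_ratio):
            alerts.append({"user": e["user"], "ts": e["ts"],
                           "files": len(files), "ext_changes": changed})
            alerted.add(e["user"])
    return alerts


if __name__ == "__main__":
    for alert in detect_ransomware(sample_audit_events()):
        print(alert)
```

The thresholds are deliberately per-user and per-window so that a user renaming a handful of files, as alice does here, never trips the detector, while the encrypting process is flagged as soon as twenty files have been touched rather than after the whole share is gone.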
Methods and systems for managing website access through machine learning
A method may include obtaining a request to unblock a predetermined website in a network and that is associated with a predetermined list. The predetermined list may be used to determine whether a respective user device among various user devices can access one or more websites. The method may further include determining an impact level of the predetermined website for an organization using a machine-learning algorithm and website gateway data. The method may further include determining a probability of a security breach using the machine-learning algorithm and threat data. The method may further include determining whether to unblock the predetermined website based on the impact level and the probability of a security breach. The method may further include transmitting, in response to determining that the predetermined website should be unblocked, a command that modifies the predetermined list to enable the respective user device to access the predetermined website.
IDENTIFYING RISKY USER BEHAVIORS IN COMPUTER NETWORKS
A method of identifying risky user behaviors in computer networks includes determining behavior data of a user. The behavior data describes user activities of the user using a computer network. A particular event chain is identified from the behavior data. The particular event chain includes one or more events of the user activities. A risk coefficient of the particular event chain is determined. Based on the risk coefficient, whether the particular event chain represents a risky user behavior is determined.
Method and system for securing cloud storage and databases from insider threats and optimizing performance
A storage intelligence server includes a collector component that receives trace data related to data requests from agent applications executing on computerized devices, a storage component in which the trace data is stored, an analytics component that analyzes the trace data in real time to identify a malicious data request, and a controller component holding a plurality of rules. Responsive to the identified malicious data request, the controller component updates one of the rules or generates a new rule for inclusion in the plurality of rules, defining an active rule, and transmits the active rule to at least one of a firewall and a router.
LOW-COMPLEXITY DETECTION OF POTENTIAL NETWORK ANOMALIES USING INTERMEDIATE-STAGE PROCESSING
In an embodiment, a computer-implemented method receives flow data for network flows. The method extracts a tuple from the flow data and calculates long-term and short-term trends based at least in part on the tuple. The long-term and short-term trends are compared to determine whether a potential network anomaly exists. If a potential network anomaly does exist, the method initiates a heavy hitter detection algorithm. The method thus forms a low-complexity intermediate stage of processing that allows the high-complexity heavy hitter detection algorithm to execute only when heavy hitters are likely to be detected.
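As an added example (not the patent's own method), the Python below implements the two-stage structure: a cheap gate that tracks a short-term and a long-term exponentially weighted moving average of the per-interval flow count derived from the flow tuple, and a Misra-Gries heavy-hitter pass over source addresses that runs only when the short-term trend has broken away from the long-term one. The EWMA parameters, the anomaly test (short-term above twice the long-term and at least 50 flows apart) and the flow records in `sample_intervals` are assumptions made for the illustration.

```python
from collections import Counter


class TrendGate:
    """Low-complexity stage: two EWMAs over one statistic per interval."""

    def __init__(self, alpha_short=0.5, alpha_long=0.05, ratio=2.0, min_delta=50.0):
        self.alpha_short, self.alpha_long = alpha_short, alpha_long
        self.ratio, self.min_delta = ratio, min_delta
        self.short = self.long = None

    def update(self, value: float) -> bool:
        """Feed one interval's value; return True if a potential anomaly exists."""
        if self.long is None:
            self.short = self.long = float(value)
            return False
        self.short = self.alpha_short * value + (1 - self.alpha_short) * self.short
        self.long = self.alpha_long * value + (1 - self.alpha_long) * self.long
        return self.short > self.ratio * self.long and self.short - self.long > self.min_delta


def misra_gries(stream, k):
    """Classic Misra-Gries summary with k-1 counters: every item with frequency > n/k survives."""
    counters = {}
    for x in stream:
        if x in counters:
            counters[x] += 1
        elif len(counters) < k - 1:
            counters[x] = 1
        else:
            for key in list(counters):      # decrement all counters, evicting those at zero
                counters[key] -= 1
                if counters[key] == 0:
                    del counters[key]
    return counters


def heavy_hitters(items, k):
    """High-complexity stage: candidates from Misra-Gries, confirmed by an exact second pass."""
    n = len(items)
    candidates = misra_gries(items, k)
    exact = Counter(x for x in items if x in candidates)
    return {x: c for x, c in exact.items() if c > n / k}


def flow_tuple(rec):
    return (rec["src"], rec["dst"], rec["dport"], rec["proto"])


def run_pipeline(intervals, k=10, gate=None):
    """For each interval of flow records, update the gate and run heavy-hitter detection only on demand."""
    gate = gate or TrendGate()
    findings = []
    for idx, records in enumerate(intervals):
        tuples = [flow_tuple(r) for r in records]
        if gate.update(len(tuples)):
            findings.append((idx, heavy_hitters([t[0] for t in tuples], k)))
    return findings


def sample_intervals():
    """Constructed flow data: ten quiet intervals, then one with three sources flooding a service."""
    def baseline():
        return [{"src": f"10.0.{i // 256}.{i % 256}", "dst": "192.0.2.10",
                 "dport": 443, "proto": "tcp"} for i in range(100)]
    intervals = [baseline() for _ in range(10)]
    attack = baseline()
    for src in ("203.0.113.5", "203.0.113.6", "203.0.113.7"):
        attack += [{"src": src, "dst": "192.0.2.10", "dport": 443, "proto": "tcp"}] * 130
    intervals.append(attack)
    return intervals


if __name__ == "__main__":
    print(run_pipeline(sample_intervals()))
```

The gate costs two multiplications per interval regardless of traffic volume, which is what makes it affordable to run continuously; the per-item heavy-hitter pass is paid only for the intervals the gate flags, and a quiet interval following the attack will not re-trigger it because the long-term average has barely moved.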
METHOD OF PROCESSING A NEW VISITOR SESSION TO A WEB-BASED SYSTEM
A method of processing a new visitor session to a web-based system, the method including: for each of a plurality of web requests made to the web-based system in the new visitor session, determining a request vector corresponding to the web request, wherein each request vector is derived from the learned parameters of a trained artificial neural network configured to determine a plurality of probabilities from an input web request or an input sequence of web requests, wherein each of the plurality of probabilities represents a likelihood that, within a session containing the input web request or sequence of web requests, a respective one of a plurality of possible web requests will be requested at one or more predetermined locations before or after the input web request or sequence of web requests; and combining the request vectors to obtain a session vector that characterizes the new visitor session.
SCALABLE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM) FRAMEWORK
A framework for security information and event management (SIEM), the framework includes a first data store; a data router; one or more parsing mechanisms; one or more correlation machines; and one or more workflow engines, wherein said framework performs SIEM on behalf of multiple subscribers to said framework.