In one implementation, a network device is configured to monitor communications associated with an endpoint and identify domain name service messages in the communications. Subsequently, the network device receives a hypertext transfer protocol (HTTP) request and determines whether a destination internet protocol (IP) address of the HTTP request is present in or absent from the domain name service messages. When the IP address is absent from the domain name service messages, the HTTP request is modified to trigger increased security.

Systems and methods for autonomous program management include a device which may receive a first request from a client for a server. The device may transmit one or more data packets to the client. The data packet(s) may include a response to the request from the server and an attribute collector script which executes on the client to automatically transmit one or more attributes corresponding to at least one of the client or a browser of the client to the device. The device may receive a second request from the client which includes one or more attributes collected using the attribute collector script. The device may determine whether the client is associated with an autonomous program using the attribute(s). The device may block one or more subsequent requests from the client to the server responsive to determining that the client is associated with an autonomous program.

A malicious encrypted traffic inhibitor connected to a computer network is disclosed. A method for inhibiting malicious encrypted network traffic communicated via a computer network also is disclosed.

An identifying device monitors malware to be analyzed and acquires, as log data, the malware, download data downloaded from a communication destination, and a relation of data transfer performed with the malware or the communication destination of the download data. Then, the identifying device creates, by using the acquired log data, a dependency relation graph that is a digraph in which the malware, download data, and communication destination are set as nodes and a dependency relation of each node is set as an edge. Then, the identifying device detects a malicious node by collating the respective nodes of the created dependency relation graph with the known maliciousness information, and traces an edge in a direction from a terminal point to a start point while setting the malicious node as a base point, and then identifies the traced node as a new malicious node.

A system detects human activity through browser canvas events to mitigate the effects of an attack on a host, such as an application layer (layer 7) DDoS attack. A proxy, such as a HTTP/HTTPS “HTTP(S)” proxy server, configured to handle network traffic between a host and clients challenges clients engaging the host. The proxy challenges the clients by injecting code into the content received from the host prior to transmission of the client. The code, when executed by the client, is configured to monitor user interactions (or lack thereof) with the content at the client in order to determine whether there is human activity at the client. The proxy receives and analyzes the information about interactions (or lack thereof) to determine whether a client is malicious (e.g., non-human activity) or non-malicious (e.g., human activity).

Domain classification based on domain co-occurrence information derived from client request behavior is provided. The network requests of clients are analyzed to determine domain and time information. Distance information is generated based on the time between requests for a plurality of domains. The distance information for individual clients is combined to generate distance information for domain pairs. The distance information represents an amount of time or other measurement between queries associated with the two domains of the pair. By examining the client requests, a measure of the distance or relatedness of two domains may be determined. Co-occurrence information for a first set of domains is generated based on the co-occurrence of domains in the first set with domains in a second set of domains. Based on the co-occurrence information, a domain classification can be generated for domains in the first set of domains.

In one embodiment, a node in a network detects an anomaly in the network based on a result of a machine learning-based anomaly detector analyzing network traffic. The node determines a packet capture policy for the anomaly by applying a machine learning-based classifier to the result of the anomaly detector. The node selects a set of packets from the analyzed traffic based on the packet capture policy. The node stores the selected set of packets for the detected anomaly.

In one embodiment, a device in a network receives anomaly data regarding an anomaly detected by a machine learning-based anomaly detection mechanism of a first node in the network. The device matches the anomaly data to threat intelligence feed data from one or more threat intelligence services. The device determines whether to provide threat intelligence feedback to the first node based on the matched threat intelligence feed data and one or more policy rules. The device provides threat intelligence feedback to the first node regarding the matched threat intelligence feed data, in response to determining that the device should provide threat intelligence feedback to the first node.

In one embodiment, a device in a network receives an indication that a network anomaly detected by an anomaly detector of a first node in the network is associated with scanning activity in the network. The device receives labeled traffic data associated with the detected anomaly that identifies whether the traffic data is associated with legitimate or illegitimate scanning activity. The device trains a machine learning-based classifier using the labeled traffic data to distinguish between legitimate and illegitimate scanning activity in the network. The device deploys the trained classifier to the first node, to distinguish between legitimate and illegitimate scanning activity in the network.

Devices, systems, and methods of contextual mapping of web-page elements and other User Interface elements, for the purpose of differentiating between fraudulent transactions and legitimate transactions, or for the purpose of distinguishing between a fraudulent user and a legitimate user. User Interface elements of a website or webpage or application or other computerized service, are contextually analyzed. A first User Interface element is assigned a low fraud-relatedness score-value, since user engagement with the first User Interface element does not create a security risk or a monetary exposure. A second, different, User Interface element is assigned a high fraud-relatedness score-value, since user engagement with the second User Interface element creates a security risk or a monetary exposure. The fraud-relatedness score-values are taken into account, together with user-specific behavioral characteristics, in order to determine whether to generate a possible-fraud notification, or as part of generating a possible-fraud score for a particular set-of-operations.