Patent classifications
H04L2463/144
HIDDEN LINE PROPERTY OF ONLINE CONTENT TO INHIBIT BOT ACTIVITY
Disclosed are systems and methods that require/force bots to access and interact with webpages at a similar level to humans, by including an executable script that generates/updates a test value for a webpage. The client devices must perform certain processing and/or rendering of the webpage to call the computations necessary for generating the updated test value. The script must be executed as a function of processing and/or rendering the webpage. The script may be retrieved from the webserver as a function of processing and/or rendering the webpage. When the browser executes this script, the browser generates the updated test value. At some point, the client device submits a request for a certain process with the updated test value. The server compares the inbound test value from the client device against an initial/previously received test value or an expected test value to determine whether the browser is being operated by a human.
Javascript engine fingerprinting using landmark features and API selection and evaluation
A method and apparatus for data collection to facilitate bot detection. According to this approach, and in lieu of conventional user agent-based fingerprinting, a client script is executed to attempt to identify one or more Javascript “landmark” features. In one embodiment, a landmark Javascript feature is a Javascript implementation that exists in a first browser type but not a second browser type distinct from the first browser type, and that also exists in one or more releases of the first browser type, but not in one or more other releases of the first browser type. By testing against landmark Javascript features as opposed to an unconstrained set of API calls and the like, the technique herein provides for much more computationally-efficient client-side operation.
Botnet detection and mitigation
A method and system for detecting and mitigating a malicious bot is disclosed. Address information is obtained from a third-party threat intelligence provider, the address information corresponding to network traffic that has been identified as malicious network traffic. Network traffic originating on a networked device is inspected in search of packets that correspond to the obtained address information. A check is performed to determine if a given one of the searched packets corresponds to an address associated with the address information and, responsive to the check indicating that the given one of the searched packets corresponds to the address associated with the address information, a managed router service is configured to mitigate the malicious network traffic.
Identifying spam using near-duplicate detection for text and images
Embodiments described herein provide systems, methods, and computer storage media for detecting spam by comparing hash values of content. In embodiments, hash values are generated based on the type of content and compared to other hash values in storage buckets. The similarity of content is determined by calculating the distance between two hash values and determining whether the distance exceeds a distance index. Counter values associated with hash values in storage are incremented when the distances between hash values exceed the distance index. Spam indications are communicated when the counter values associated with hash values exceed a count threshold.
System and method for social network analysis
A system and method for detecting an interactive network of automated accounts, the interactive network of automated accounts comprising a plurality of automated accounts posting to a social media channel, the system comprising: an ingestion engine operated by a computational device for connecting to the social media channel and receiving a plurality of social media postings from a plurality of posting entities; a bot model operated by a computational device for determining whether at least one posting entity is a suspected bot; and a computer network for communication between said computational devices.
System and method for detecting unauthorized activity at an electronic device
A method and a system for detecting an unauthorized activity at a user device are provided. The method comprises: analyzing a first request from the user device, the first request including an original client cookie; in response to the original client cookie meeting a predetermined threshold: causing the user device to receive a Java Script Module, thereby enabling the user device to generate a second request, by: receiving a server cookie indicative of a given activity associated with the user device being one of: a user activity and a bot activity; generating the second request including a first client cookie and the server cookie; determining if the second request is to be transmitted to a web content server associated with the first web page; in response to the server cookie data being indicative of the bot activity: the second request is blocked.
Systems and methods for using machine learning for geographic analysis of access attempts
Disclosed herein are systems and methods for using machine learning for geographic analysis of access attempts. In an embodiment, a trained machine-learning model classifies source IP addresses of login attempts to a system as either blacklisted or allowed based on a set of aggregated features that correspond to login attempts to the system from the source IP addresses. The set of aggregated features includes, in association with each respective source IP address, a geographical login-attempt failure rate of login attempts to the system from each of one or more geographical areas that each correspond to the respective source IP address. Source IP addresses that are classified by the machine-learning model as blacklisted are added to a system blacklist, such that the system will disallow login attempts from such source IP addresses.
Content delivery network (CDN)-based bot detection service with stop and reset protocols
A server interacts with a bot detection service to provide bot detection as a requesting client interacts with the server. In an asynchronous mode, the server injects into a page a data collection script configured to record interactions at the requesting client, to collect sensor data about the interactions, and to send the collected sensor data to the server. After the client receives the page, the sensor data is collected and forwarded to the server through a series of posts. The server forwards the posts to the detection service. During this data collection, the server also may receive a request from the client for a protected endpoint. When this occurs, and in a synchronous mode, the server issues a query to the detection service to obtain a threat score based in part on the collected sensor data that has been received and forwarded by the server. Based on the threat score returned, the server then determines whether the request for the endpoint should be forwarded onward for handling.
Domain name security in cloud computing environment
A computer implemented method for resolving a Domain Name System, DNS, query received at a third party cloud computing environment comprises: receiving a DNS query at the third party cloud computing environment. The DNS query is forwarded to a sinkhole DNS server if the DNS query comprises an unauthorised domain name. The DNS query is forwarded to a default DNS server of the third party cloud computing environment if the DNS query does not comprise an unauthorised domain name.
Apparatus and process for monitoring network behaviour of Internet-of-things (IoT) devices
A process for monitoring network behaviour of IoT devices, which includes: monitoring communication network traffic to identify TCP and UDP traffic flows to and from each of one or more IoT devices; processing the identified traffic flows to generate a corresponding data structure representing the identified network traffic flows of the IoT device in terms of, for each of local and internet networks, one or more identifiers of respective hosts and/or devices that had a network connection with the IoT device, source and destination ports and network protocols; and comparing the generated data structure for each IoT device to corresponding data structures representing predetermined manufacturer usage description (MUD) specifications of known types of IoT devices to generate quantitative measures of similarity of the traffic flows of the IoT device to traffic flows defined by the predetermined MUD specifications to identify the type of the IoT device.