H04L2463/144

System and method for detecting a DGA domain generation algorithm

The present invention relates to a method and a detection device for detecting a DGA domain generation algorithm in a computer communication network (106) comprising at least one server (104) for resolving DNS requests from at least one client terminal (102). The computer communication network (106) further includes a detection module (108) coupled to the resolution server (104) and configured to analyse DNS queries according to the following steps: for each DNS request, associate the requested domain name with the identity of the requesting client terminal to form a tuple; group the tuples into homogeneous partitions using a community detection technique applied to the tuples; and infer, for each homogeneous partition, the set of client terminals using the same DGA.

METHOD AND SYSTEM FOR BLOCKCHAIN-BASED ANTI-BOT PROTECTION
20230283609 · 2023-09-07

A method for protecting entities against bots is provided. The method includes identifying a request from a client to access a protected entity; selecting an access policy in response to the access request, wherein the access policy includes at least one challenge to be performed by the client; identifying results of the at least one challenge, wherein the results are provided by the client upon completion of the challenge; determining a bias of the client based on the completion results, wherein the determined bias is utilized for a cyber-security assessment of the client; and granting access to the protected entity by the client based on the determined bias.

Challenge interceptor

Systems and methods for detecting and mitigating attacks that exploit vulnerabilities of a website are provided, according to various embodiments described below and herein. A computing device issues a request for a web page that is stored on a server. The server receives the request and issues a response that includes the requested web page and interceptor code injected into the response. The computing device receives the response, renders the web content and generates an interceptor from the interceptor code. The interceptor intercepts requests, responses that dynamically update the web page, and responses containing a challenge. When the computing device issues a request to the server to dynamically update the web page, the server issues a response to the computing device that includes a challenge. Once the computing device issues a request that includes an answer to the challenge, the server validates the answer and issues a response that dynamically updates the web page.

Procedural code generation for challenge code
11748460 · 2023-09-05

A method by one or more computing devices for obfuscating challenge code. The method includes obtaining challenge code for interrogating a client; inserting, into the challenge code, code for obfuscating outputs that are to be generated by the client, where the code for obfuscating the outputs includes code for applying a first chain of reversible transformations to the outputs using client-generated random values; interning strings appearing in the challenge code with obfuscated strings; inserting code for deobfuscating the obfuscated strings into the challenge code; inlining function calls in the challenge code; removing function definitions that are unused in the challenge code due to the inlining; reordering the challenge code without changing its functionality; and providing the challenge code for execution by the client.

DETERMINING INTENT OF PHISHERS THROUGH ACTIVE ENGAGEMENT

A computer-implemented method, a computer system and a computer program product use artificial intelligence (AI) to extract information from a phisher. The method may include identifying a malicious email on a server. The malicious email comprises an attempt by the phisher to compromise a user. The method may also include generating an automated conversational agent that poses as the user. The method may further include transmitting a message to the phisher by the automated conversational agent. The message indicates that the user has been compromised. In addition, the method may include receiving a response from the phisher. Lastly, the method may include determining an intent of the phisher based on the response.

AUTOMATIC RETRAINING OF MACHINE LEARNING MODELS TO DETECT DDOS ATTACKS

In one embodiment, a device in a network receives an attack mitigation request regarding traffic in the network. The device causes an assessment of the traffic, in response to the attack mitigation request. The device determines that an attack detector associated with the attack mitigation request incorrectly assessed the traffic, based on the assessment of the traffic. The device causes an update to an attack detection model of the attack detector, in response to determining that the attack detector incorrectly assessed the traffic.

Malware Victim Identification
20230140790 · 2023-05-04

Disclosed, in one general aspect, is a network security system that includes a network traffic analysis tool operative to extract information about traffic with suspected attack support infrastructure addresses. An automated traffic pattern recognition tool is responsive to information extracted by the network traffic analysis tool and to enrichment data, and is operative to detect patterns in the extracted traffic information. An identification tool is responsive to the pattern recognition tool to identify victims associated with the suspected attack support infrastructure addresses based on patterns detected in the extracted traffic information. The system also includes storage that is responsive to the identification tool for storing the recorded suspected attack support infrastructure addresses and identified victims on an ongoing basis.

SYSTEM AND METHOD OF PROTECTING CLIENT COMPUTERS
20220414217 · 2022-12-29

A threat response platform acts as a bridge between non-inline security programs and inline security programs. The threat response platform receives event reports, relating to client devices, from the non-inline security programs and creates incident reports for a user. The incident reports describe the event report together with additional data gathered by an active correlation system of the threat response platform. The active correlation system automatically gathers various types of data that are potentially useful to a user in determining whether the reported event is an instance of malware operating on the client device or a false positive. The active correlation system places a temporary agent on the client device to identify indications of compromise.

MALWARE DETECTION FOR PROXY SERVER NETWORKS
20230020721 · 2023-01-19

This specification generally relates to methods and systems for applying network policies to devices based on their current access network. One example method includes identifying a proxy connection request sent from a particular client device to a proxy server over a network, the proxy connection request including a hostname and configured to direct the proxy server to establish communication with the computer identified by the hostname on behalf of the client device; determining an identity of the client device based on the proxy connection request; identifying a domain name system (DNS) response to a DNS request that includes the hostname from the proxy connection request; and updating DNS usage information for the particular client device based on the identified DNS response that includes the hostname from the proxy connection request.