Systems and methods for monitoring malicious software engaging in online advertising fraud or other form of deceit are disclosed herein. An example method includes identifying a communication process used by a compromised computing device to communicate with a control server, the control server providing access to advertising weblinks, the compromised computing device associated with malicious software, directing, by an instruction executed by a processor, the compromised computing device to communicate with an uncompromised computing device by re-routing of packets used for communication between the compromised computing device and the control server, the uncompromised computing device is configured to mimic communications between the compromised computing device and the control server using the communication processes, storing information from one or more packets transmitted from the uncompromised computing device, and creating a profile of the malicious software based on the stored information.

Systems, methods, apparatuses, and software for a content delivery network that caches content for delivery to end user devices is presented. In one example, a content delivery network (CDN) is presented having a plurality of cache nodes that cache content for delivery to end user devices. The CDN includes an anonymization node configured to establish anonymized network addresses for transfer of content to cache nodes from one or more origin servers that store the content before caching by the CDN. The anonymization node is configured to provide indications of relationships between the anonymized network addresses and the cache nodes to a routing node of the CDN. The routing node is configured to route the content transferred by the one or more origin servers responsive to content requests of the cache nodes based on the indications of the relationships between the anonymous network addresses to the cache nodes.

A server interacts with a bot detection service to provide bot detection as a requesting client interacts with the server. In an asynchronous mode, the server injects into a page a data collection script configured to record interactions at the requesting client, to collect sensor data about the interactions, and to send the collected sensor data to the server. After the client receives the page, the sensor data is collected and forwarded to the server through a series of posts. The server forwards the posts to the detection service. During this data collection, the server also may receive a request from the client for a protected endpoint. When this occurs, and in a synchronous mode, the server issues a query to the detection service to obtain a threat score based in part on the collected sensor data that has been received and forwarded by the server. Based on the threat score returned, the server then determines whether the request for the endpoint should be forwarded onward for handling.

Methods, apparatus and computer software products implement embodiments of the present invention that include protecting a computer system, by collecting information from data traffic transmitted between multiple local nodes on a private data network and public IP addresses corresponding to multiple remote nodes on a public data network. DNS resolutions are detected in the collected information, each DNS resolution identifying a local node requesting the resolution with respect to a URI and a public IP address corresponding to the URI. Transmissions from the local nodes to the public IP addresses are detected in the collected information at respective times, and the detected DNS resolutions are compared to the detected transmissions so as to identify the transmissions from the local notes to the public IP addresses that were not resolved by the DNS resolutions. Finally, a protective action is initiated with respect to at least some of the identified transmissions.

A method and network are provided for monitoring a network during a DDoS attack. The method includes establishing a flow record for flows designated for tarpitting and a state machine, each state of multiple states of the state machine having an associated handler function. The handler function associated with a current state of a state machine associated with a flow is invoked to perform one or more actions associated with the flow or the flow record for applying at least one tarpitting technique of one or more candidate tarpitting techniques associated with the flow record, and return a next state, which is used to update the current state of the state machine. The handler function associated with the current state of the state machine is repeatedly invoked, wherein each invocation of the handler function potentially applies different tarpitting techniques.

A method of delaying computer network clients from sending DNS queries. The method includes receiving a DNS query from a client and consulting a client record in a client record database and/or a flow record in a flow record database storing information about the flow including about one or more previous DNS queries and/or responses in the flow. The method further includes formulating a response to the DNS query as a function of the information about the client and/or the information about the flow, updating the client record with information about the client and/or the flow record with information about the DNS query and the response as formulated, and transmitting the response as formulated to the client. The DNS query includes a question and the response is intentionally defective or incomplete and causes the client to be delayed in sending another DNS query as part of an attack.

Systems, methods, and apparatuses for authenticating requests to access one or more accounts over a network using authenticity evaluations of two or more automated decision engines are discussed. A login request for access to a user account may be submitted to multiple decision engines that each apply different rulesets for authenticating the login request, and output an evaluation of the authenticity of the login request. Based on evaluations from multiple automated decision engines, the login request may be allowed to proceed to validation of user identity and, if user identity is validated, access to the user account may be authorized. Based on the evaluations, the login attempt may also be rejected. One or more additional challenge question may be returned to the computing device used to request account access, and the login request allowed to proceed to validation of identity if the response to the challenge question is deemed acceptable.

The present invention relates to management of network security of a computing environment. The method may include; utilizing an Artificial intelligence (AI) node to enable management of one or more physical assets and one or more digital assets of the CE, wherein the management comprises automatic control of at least one task related to access of data and communications thereof, wherein the at least one task is selected from: locking, unlocking, encryption, decryption, activation, and deactivation; detecting a non-desired event, which occurred at one or more physical assets and one or more digital assets; analysing the detected non-desired event through a machine learning technique to determine a customized recovery plan and a tailored protection protocol against the detected non-desired event.

Example methods and systems for a computer system to perform security threat detection are described. In one example, a computer system may intercept an egress packet from a virtualized computing instance to pause forwarding of the egress packet towards a destination and obtain process information associated a process from which the egress packet originates. The computer system may initiate security analysis based on the process information. In response to determination that the process is a potential security threat based on the security analysis, the egress packet may be dropped, and a remediation action performed. Otherwise, the egress packet may be forwarded towards the destination.

Described are techniques for differentiating humans from bots. The techniques including a computer-implemented method comprising presenting a motion-based challenge-response instruction to a user via a user interface of a first device of a plurality of devices associated with the user and communicatively coupled to one another by a network, where the motion-based challenge-response instruction describes at least one motion that is performable by the user and detectable by at least one of the plurality of devices, and where the motion-based challenge-response instruction is configured to differentiate humans from bots. The method further comprises determining that device data from one or more of the plurality of devices matches the at least one motion. The method further comprises authenticating the first device in response to determining that the device data matches the at least one motion, where authenticating the first device indicates that the user is a human.