Patent classifications
H04L2463/144
Increasing edge data confidence via trusted ethical hacking
One example method includes deploying a group of bots in a computing environment that includes a group of nodes, each of the bots having an associated attack vector with respect to one or more of the nodes, receiving, from each of the bots, a report that identifies a node attacked by that bot, and a result of the attack, and adjusting, based on the bot reports, a confidence score of one or more of the attacked nodes.
Apparatus having engine using artificial intelligence for detecting bot anomalies in a computer network
A system comprises an enterprise network system and engine. The engine has a discovery module coupled to a switch device, an AI and machine learning based monitoring and detection module coupled to the switch device, and a remediation module coupled to the switch device. The remediation module is configured to initiate a remediation process based upon the detection of at least one of the bot anomalies from the flow of data.
Systems and methods for security and control of internet of things and ZeroConf devices using cloud services
Systems and methods for security and control of Internet of Things (IOT) and ZeroConf devices using cloud services. The present disclosure uses an application that runs on a user device in a promiscuous mode to look for potentially vulnerable and compromised machines on the local network. Specifically, the user device can fingerprint ZeroConf and IOT networks based on their static and dynamic behavior. The application discovers all hosts on the network and uses a cloud service such as via a cloud-based system to detect potentially malicious IOTs with known vulnerabilities. Based on an enterprise policy or user's preferences, the solution can alert if any IOT device tries to communicate with the user's device or if the user's device itself broadcasts services running on the device such as screen sharing/file sharing.
Code modification for detecting abnormal activity
Techniques for code modification for detecting abnormal activity are described. Web code is obtained. Modified web code is generated by changing a particular programmatic element to a modified programmatic element throughout the web code. Instrumentation code is generated that is configured to monitor and report on one or more interactions with versions of the particular programmatic element. The instrumentation code is caused to be provided in association with the modified web code to a first client device in response to a first request from the first client device. Report data generated by the instrumentation code is received. The report data describes abnormal activity at the first client device, the abnormal activity comprising an interaction with a version of the particular programmatic element that does not exist in the modified web code. Based on the report, it is determined that the first client device is likely controlled by malware.
Systems and methods for monitoring malicious software engaging in online advertising fraud or other form of deceit
Systems and methods for monitoring malicious software engaging in online advertising fraud or other forms of deceit are disclosed herein. An example method for automated categorization of binary code for identifying malicious software engaging in online advertising fraud includes collecting data defining behavior of the binary code using sensors from a plurality of sandboxes; categorizing the binary code using a behavior signature, the behavior signature including a selector and a filter and defining a signature category based on actions associated with the binary code, wherein a match with the filter removes the binary code from the signature category and a match with the selector adds the binary code to the signature category; identifying the binary code as malicious software engaging in online advertising targeted behavior based on the signature category; and, in response to identifying the binary code as malicious software, mimicking a communication associated with the binary code to identify a control server associated with the binary code.
Computational puzzles against DoS attacks
A method for transmitting data in a computer network is provided, which comprises, at a first node of the network: receiving a computing puzzle from a puzzle server node of the network distinct from the first node; determining a solution to the puzzle for transmitting a message to a second node of the network distinct from the puzzle server node; and transmitting data to the second node, wherein the transmitted data comprises a message and the determined solution to the puzzle.
Bot detection in an edge network using Transport Layer Security (TLS) fingerprint
A method of bot detection in a computer network leverages a machine learning system. The machine learning system receives a fingerprint derived at a server, the server having extracted a set of transport layer security parameters received from a client and processed the set of parameters into the fingerprint. Based at least in part on the fingerprint, the learning system determines whether the client is likely to be a bot as opposed to a human user. The system generates and returns to the server a score having a first value when the fingerprint is determined to be associated with a good client, and a second value when the fingerprint is determined to be associated with a bot. Based on the score received from the machine learning system, the server takes a configured action with respect to the client.
Bot characteristic detection method and apparatus
A bot characteristic detection method and apparatus, where the apparatus obtains a first dynamic behavior file and a second dynamic behavior file, where the first dynamic behavior file is a behavior file resulting from dynamic behavior detection performed on a malicious file in a first sandbox, and the second dynamic behavior file is a behavior file resulting from dynamic behavior detection performed on the malicious file in a second sandbox. The apparatus determines a bot characteristic of the malicious file based on a common characteristic of the first dynamic behavior file and the second dynamic behavior file.
Apparatus and process for monitoring network behaviour of Internet-of-Things (IoT) devices
A process for monitoring network behaviour of IoT devices, which includes: monitoring communication network traffic to identify TCP and UDP traffic flows to and from each of one or more IoT devices; processing the identified traffic flows to generate a corresponding data structure representing the identified network traffic flows of the IoT device in terms of, for each of the local and internet networks, one or more identifiers of respective hosts and/or devices that had a network connection with the IoT device, source and destination ports, and network protocols; and comparing the generated data structure for each IoT device to corresponding data structures representing predetermined manufacturer usage description (MUD) specifications of known types of IoT devices, to generate quantitative measures of similarity of the traffic flows of the IoT device to the traffic flows defined by the predetermined MUD specifications and thereby identify the type of the IoT device.
Content delivery network (CDN) bot detection using primitive and compound feature sets
A method of detecting bots, preferably in an operating environment supported by a content delivery network (CDN) that comprises a shared infrastructure of distributed edge servers from which CDN customer content is delivered to requesting end users (clients). The method begins as clients interact with the edge servers. As such interactions occur, transaction data is collected. The transaction data is mined against a set of “primitive” or “compound” feature sets to generate a database of information. In particular, the database preferably comprises one or more data structures, wherein a given data structure associates a feature value with its relative percentage occurrence across the collected transaction data. Thereafter, upon receipt of a new transaction request, primitive or compound feature set data derived from the new transaction request is compared against the database. Based on the comparison, the end user client associated with the new transaction request is then characterized, e.g., as being associated with a human user or with a bot.