H04L2463/144

METHOD AND SYSTEM FOR AUTHENTICATION USING MOBILE DEVICE ID BASED TWO FACTOR AUTHENTICATION

A method of authenticating a user is disclosed. An authentication request is sent to a bot prevention service. The authentication request includes a device identification, a secondary form of user authentication, and an IP address. The authentication request excludes at least a portion of the personally identifiable information associated with the user. A human verification test is received from the bot prevention service. The human verification test is performed. An answer associated with the test is sent to the bot prevention service. An authentication approval or a failure of the authentication approval is received from the bot prevention service.

Suspicious packet detection device and suspicious packet detection method thereof

A suspicious packet detection device and a suspicious packet detection method thereof are provided. The suspicious packet detection device captures an HTTP packet transmitted from an internal network to an external network and, based on the HTTP header of the HTTP packet, determines whether the HTTP packet belongs to a browser category or an application category and identifies the HTTP packet as either a normal packet or a suspicious packet. When the HTTP packet is identified as a normal packet, the suspicious packet detection device further verifies whether it is in fact suspicious by comparing the HTTP header with relevance information or by using a URL classification model.
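As an added illustration of the two-stage screening described above (example code written for this page, not the patent's own implementation), the following Python categorises a captured outbound request by the shape of its headers and, when the first pass finds it normal, verifies it against relevance information or a stand-in for the URL classification model. The RELEVANCE table, the browser-header heuristic, the entropy thresholds and the sample request heads are constructed assumptions.

```python
"""Two-stage outbound HTTP request screening: categorise by header shape, then verify.

Added example, not the patent's own code. The header heuristics, the RELEVANCE
table and the entropy stand-in for the URL classification model are assumptions.
"""
import math
from typing import Dict, Tuple

# Constructed "relevance information": hosts each known application family
# (first token of its User-Agent) is expected to talk to.
RELEVANCE: Dict[str, set] = {
    "UpdateAgent": {"updates.example.com"},
    "MailSync": {"mail.example.com"},
}
# Headers a real browser sends alongside a Mozilla/ User-Agent (assumed heuristic).
BROWSER_HEADERS = ("Accept", "Accept-Language", "Accept-Encoding")
URL_LEN_MIN, URL_ENTROPY_MAX = 40, 4.5   # assumed thresholds for the URL-model stand-in


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP request head into (request-target, header dict)."""
    lines = raw.split("\r\n")
    parts = lines[0].split(" ")
    target = parts[1] if len(parts) > 1 else ""
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:                      # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().title()] = value.strip()
    return target, headers


def categorize(headers: Dict[str, str]) -> str:
    """Browser category if the User-Agent claims to be a Mozilla-family browser."""
    return "browser" if headers.get("User-Agent", "").startswith("Mozilla/") else "application"


def entropy_bits_per_char(s: str) -> float:
    """Shannon entropy of a string; the stand-in for the URL classification model."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(raw: str) -> Tuple[str, str, str]:
    """Return (category, 'normal' | 'suspicious', reason) for one captured request."""
    target, headers = parse_request(raw)
    category = categorize(headers)
    ua, host = headers.get("User-Agent", ""), headers.get("Host", "")
    if not ua or not host:
        return category, "suspicious", "missing User-Agent or Host"
    family = ua.split("/")[0]

    # Stage 1: the header shape must match the claimed category.
    if category == "browser":
        missing = [h for h in BROWSER_HEADERS if h not in headers]
        if missing:
            return category, "suspicious", "browser UA without " + ", ".join(missing)
    elif family not in RELEVANCE:
        return category, "suspicious", "unknown application family " + family

    # Stage 2: the packet looked normal; verify with relevance info or the URL model.
    if category == "application":
        if host not in RELEVANCE[family]:
            return category, "suspicious", f"{family} is not expected to contact {host}"
    elif len(target) >= URL_LEN_MIN and entropy_bits_per_char(target) > URL_ENTROPY_MAX:
        return category, "suspicious", "high-entropy request URL"
    return category, "normal", "ok"


# Constructed sample captures (CRLF-delimited request heads), not real traffic.
SAMPLES = {
    "browser_ok": ("GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                   "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\nAccept: text/html\r\n"
                   "Accept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n"),
    "fake_browser": ("GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                     "User-Agent: Mozilla/5.0\r\nAccept: */*\r\n\r\n"),
    "app_ok": ("GET /check HTTP/1.1\r\nHost: updates.example.com\r\n"
               "User-Agent: UpdateAgent/2.1\r\n\r\n"),
    "app_wrong_host": ("POST /gate.php HTTP/1.1\r\nHost: 203.0.113.7\r\n"
                       "User-Agent: UpdateAgent/2.1\r\n\r\n"),
    # 44 distinct characters in the path: log2(44) = 5.46 bits/char.
    "browser_odd_url": ("GET /0a1b2c3d4e5f6g7h8i9jklmnopqrstuvwxyzABCDEFG HTTP/1.1\r\n"
                        "Host: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\n"
                        "Accept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n"),
}


def screen_all() -> Dict[str, Tuple[str, str, str]]:
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in screen_all().items():
        print(f"{name:16s} {verdict}")
```

The second stage only runs on requests the first stage passed, which is the ordering the abstract describes: cheap header checks first, the more expensive relevance lookup or URL model only for traffic that already looks legitimate.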

INTERNET OF THINGS SECURITY SYSTEM

In one embodiment, a device includes a processor and a memory to store data used by the processor, wherein the processor is operative to run a manufacturer usage description (MUD) controller operative to obtain a MUD profile of an Internet of Things (IoT) device from a MUD server, the MUD profile of the IoT device including access rights of the IoT device and any one or more of the following: a default device username and/or a default device password of the IoT device, a recommended/required device password complexity of the IoT device, at least one service that should be enabled/disabled on the IoT device, and/or allowed security protocols and/or ciphers for communication to and/or from the IoT device; and to enforce security of the IoT device according to the MUD profile of the IoT device. Related apparatus and methods are also described.

SYSTEMS AND METHODS FOR IDENTIFYING INFECTED NETWORK NODES BASED ON ANOMALOUS BEHAVIOR MODEL
20210029013 · 2021-01-28

The present disclosure is directed to a method of identifying an infected network node. The method includes identifying a first network node as infected. The method includes collecting a first set of network data from the first network node including anomalous activities performed by the first network node. The method includes generating an anomalous behavior model using the first set of network data. The method includes collecting a second set of network data from a second network node including anomalous activities performed by the second network node. The method includes comparing the second set of data to the generated anomalous behavior model. The method includes determining, from the comparison, that a similarity between first characteristics and second characteristics exceeds a predefined threshold. The method includes ascertaining, based on the determination, the second network node as an infected network node.

Management of bot detection in a content delivery network
11863567 · 2024-01-02

Disclosed herein are systems, methods, and software for managing bot detection in a content delivery network (CDN). In one implementation, a cache node in a CDN may obtain a content request without a valid token for content not cached on the cache node and, in response to the content request, generate a synthetic response for the content request, wherein the synthetic response comprises a request for additional information from the end user device associated with the content request. The cache node further may obtain a response from the end user device and determine whether to satisfy the request based on whether the response from the end user device indicates that it is a bot.

Leveraging synthetic traffic data samples for flow classifier training

In one embodiment, a device in a network receives traffic data regarding a plurality of observed traffic flows. The device maps one or more characteristics of the observed traffic flows from the traffic data to traffic characteristics associated with a targeted deployment environment. The device generates synthetic traffic data based on the mapped traffic characteristics associated with the targeted deployment environment. The device trains a machine learning-based traffic classifier using the synthetic traffic data.

Method, device, and system of back-coloring, forward-coloring, and fraud detection
10897482 · 2021-01-19

System, device, and method for behaviorally validated link analysis, session linking, transaction linking, transaction back-coloring, transaction forward-coloring, fraud detection, and fraud mitigation. A method includes: receiving an indicator of a seed transaction known to be fraudulent; selecting, from a database of transactions, multiple transactions that share at least one common property with the seed transaction; generating a list of candidate fraudulent transactions; filtering the candidate fraudulent transactions, by applying a transaction filtering rule that is based on one or more behavioral characteristics; and generating a filtered list of candidate fraudulent transactions.
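The seed-and-expand procedure in the abstract above, as an added example written for this page rather than the patent's own code: candidates are selected by a shared link property, then filtered by a behavioural rule before being accepted, and the accepted ones can serve as seeds for a further hop. The transaction fields, the LINK_FIELDS, the tolerance-based rule and the sample database are all constructed assumptions.

```python
"""Back-colouring from a known-fraudulent seed with a behavioural filter.

Added example, not the patent's own code. Fields, link properties, the
tolerance rule and the sample transactions are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

LINK_FIELDS = ("device_id", "ip")   # "common properties" used to select candidates
TOLERANCE = 0.25                    # behavioural values must be within 25% of the seed's


@dataclass(frozen=True)
class Txn:
    txn_id: str
    device_id: str
    ip: str
    typing_cpm: float        # characters per minute while filling the checkout form
    fill_seconds: float      # seconds from page load to submit


def select_candidates(seed: Txn, db: List[Txn]) -> List[Txn]:
    """Transactions sharing at least one link property with the seed (seed excluded)."""
    return [t for t in db
            if t.txn_id != seed.txn_id
            and any(getattr(t, f) == getattr(seed, f) for f in LINK_FIELDS)]


def behaviour_matches(seed: Txn, cand: Txn, tol: float = TOLERANCE) -> bool:
    """Filtering rule: the candidate must behave like the seed, not merely share a link."""
    return (abs(cand.typing_cpm - seed.typing_cpm) <= tol * seed.typing_cpm
            and abs(cand.fill_seconds - seed.fill_seconds) <= tol * seed.fill_seconds)


def back_color(seed_id: str, db: List[Txn], hops: int = 1) -> List[str]:
    """Ids of behaviourally validated candidates reachable within `hops` link expansions.

    Each accepted candidate becomes a seed for the next hop; a candidate that fails the
    rule against one seed may still be accepted via a different, behaviourally closer seed.
    """
    by_id: Dict[str, Txn] = {t.txn_id: t for t in db}
    accepted: Set[str] = {seed_id}
    frontier = [by_id[seed_id]]
    for _ in range(hops):
        next_frontier: List[Txn] = []
        for seed in frontier:
            for cand in select_candidates(seed, db):
                if cand.txn_id in accepted or not behaviour_matches(seed, cand):
                    continue
                accepted.add(cand.txn_id)
                next_frontier.append(cand)
        frontier = next_frontier
    return sorted(accepted - {seed_id})


# Constructed sample database (not real data).
DB = [
    Txn("T1", "D1", "IP1", 600, 4.0),   # seed: known fraud (scripted, very fast form fill)
    Txn("T2", "D1", "IP2", 620, 3.8),   # same device, same scripted behaviour
    Txn("T3", "D3", "IP1", 180, 40.0),  # shares the IP (shared NAT) but behaves like a human
    Txn("T4", "D4", "IP4", 610, 4.1),   # similar behaviour but no link to the seed
    Txn("T5", "D1", "IP5", 590, 4.4),   # same device, scripted
    Txn("T6", "D6", "IP2", 610, 4.1),   # linked to T2 via IP2: reachable only on hop 2
]

if __name__ == "__main__":
    print(back_color("T1", DB))          # one hop
    print(back_color("T1", DB, hops=2))  # follow accepted candidates one step further
```

T3 shows why the behavioural filter matters: it shares the seed's IP address, so a pure link analysis would colour it, but its typing speed and form-fill time look nothing like the scripted seed and it is dropped.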

Intrusion detection system for automated determination of IP addresses

A method for automated determination of IP address information of malicious attacks. An intrusion detection system may receive an index tree for storing IP addresses in one or more nodes of the index tree in a predefined sorting order. The intrusion detection system may receive a data structure including a first set of one or more IP addresses from a honeypot system. The intrusion detection system may receive unstructured data indicative of a second set of one or more IP addresses from a predefined data source. The intrusion detection system may process the unstructured data to determine the second set of one or more IP addresses. The intrusion detection system may insert each IP address of the first and second sets of one or more IP addresses into one or more nodes of the index tree.
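An added example of the ingestion path described above (written for this page, not the patent's implementation): IPv4 addresses are pulled out of free text, validated, merged with a honeypot feed and inserted into a binary search tree ordered by numeric address value, which stands in for the "index tree" and its predefined sorting order. The honeypot feed and the report text are constructed inputs.

```python
"""Build a sorted IP index from a honeypot feed plus addresses scraped from free text.

Added example, not the patent's own code. The feed, the report text and the use
of a plain binary search tree as the index tree are assumptions.
"""
import ipaddress
import re
from typing import Iterable, Iterator, List, Optional

# Dotted quads not glued to other digits or dots (so "10.0.0.1.5" is skipped).
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


class _Node:
    __slots__ = ("key", "left", "right")

    def __init__(self, key: int) -> None:
        self.key, self.left, self.right = key, None, None


class IPIndexTree:
    """Binary search tree keyed on the numeric IPv4 value (ascending order)."""

    def __init__(self) -> None:
        self.root: Optional[_Node] = None
        self.size = 0

    def insert(self, ip: str) -> bool:
        """Insert one address; return False if it was already indexed."""
        key = int(ipaddress.IPv4Address(ip))
        if self.root is None:
            self.root, self.size = _Node(key), 1
            return True
        node = self.root
        while True:
            if key == node.key:
                return False
            branch = "left" if key < node.key else "right"
            child = getattr(node, branch)
            if child is None:
                setattr(node, branch, _Node(key))
                self.size += 1
                return True
            node = child

    def contains(self, ip: str) -> bool:
        key = int(ipaddress.IPv4Address(ip))
        node = self.root
        while node is not None:
            if key == node.key:
                return True
            node = node.left if key < node.key else node.right
        return False

    def __iter__(self) -> Iterator[str]:
        """In-order traversal yields addresses in the tree's sorting order."""
        stack: List[_Node] = []
        node = self.root
        while stack or node is not None:
            while node is not None:
                stack.append(node)
                node = node.left
            node = stack.pop()
            yield str(ipaddress.IPv4Address(node.key))
            node = node.right


def extract_ips(unstructured: str) -> List[str]:
    """Pull syntactically valid IPv4 addresses out of free text, in first-seen order."""
    found: List[str] = []
    for cand in IPV4_RE.findall(unstructured):
        try:
            ip = str(ipaddress.IPv4Address(cand))   # rejects octets above 255
        except ValueError:
            continue
        if ip not in found:
            found.append(ip)
    return found


def build_index(honeypot_ips: Iterable[str], unstructured: str) -> IPIndexTree:
    tree = IPIndexTree()
    for ip in list(honeypot_ips) + extract_ips(unstructured):
        tree.insert(ip)
    return tree


# Constructed inputs: a honeypot feed (with a duplicate) and a scraped report.
HONEYPOT_FEED = ["198.51.100.23", "203.0.113.9", "198.51.100.23"]
REPORT_TEXT = ("Scans observed from 203.0.113.77 and 192.0.2.14 overnight; "
               "ignore 999.1.2.3 (typo) and the version string 10.0.0.1.5.")

if __name__ == "__main__":
    idx = build_index(HONEYPOT_FEED, REPORT_TEXT)
    print(idx.size, list(idx), idx.contains("203.0.113.77"))
```

The regex alone is not enough: "999.1.2.3" matches the dotted-quad shape but is not an address, so every candidate is validated with `ipaddress` before it reaches the tree, and duplicates from the feed are absorbed by the tree's own key comparison.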

IDENTIFYING SPAM USING NEAR-DUPLICATE DETECTION FOR TEXT AND IMAGES
20210014270 · 2021-01-14

Embodiments described herein provide systems, methods, and computer storage media for detecting spam by comparing hash values of content. In embodiments, hash values are generated based on the type of content and compared to other hash values in storage buckets. The similarity of content is determined by calculating the distance between two hash values and determining whether the distance exceeds a distance index. Counter values associated with hash values in storage are incremented when the distances between hash values exceed the distance index. Spam indications are communicated when the counter values associated with hash values exceed a count threshold.
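An added example of the bucket-and-counter scheme above (written for this page, not the patent's code). Fingerprints are chosen by content type: text gets a 256-bit token bitmap, so the Hamming distance between two messages tracks how many tokens differ and a rotated tracking token moves at most two bits; an 8x8 greyscale thumbnail gets an average hash. Two fingerprints are treated as near-duplicates when their distance is within the distance index, the matched entry's counter is incremented, and a spam indication is raised once the counter reaches the count threshold. The fingerprint choices, the DISTANCE_INDEX and COUNT_THRESHOLD values, and the sample messages and thumbnails are constructed assumptions.

```python
"""Near-duplicate spam detection with per-content-type fingerprints and counters.

Added example, not the patent's own code. The text fingerprint (256-bit token
bitmap), the 8x8 average hash for images, and the DISTANCE_INDEX /
COUNT_THRESHOLD values are assumptions made for illustration.
"""
import hashlib
import re
from collections import defaultdict
from typing import Dict, List, Sequence, Tuple

TEXT_BITS = 256
DISTANCE_INDEX = {"text": 3, "image": 4}  # max Hamming distance still counted as near-duplicate
COUNT_THRESHOLD = 3                        # near-duplicates seen before a spam indication
_TOKEN_RE = re.compile(r"[a-z0-9]+")


def text_fingerprint(text: str) -> int:
    """One bit per normalised token: swapping a single word moves at most two bits."""
    fp = 0
    for tok in _TOKEN_RE.findall(text.lower()):
        digest = hashlib.blake2b(tok.encode(), digest_size=2).digest()
        fp |= 1 << (int.from_bytes(digest, "big") % TEXT_BITS)
    return fp


def image_fingerprint(thumb: Sequence[Sequence[int]]) -> int:
    """Average hash of an 8x8 greyscale thumbnail: bit i is set where pixel i > mean."""
    pixels = [p for row in thumb for p in row]
    if len(pixels) != 64:
        raise ValueError("expected an 8x8 thumbnail")
    mean = sum(pixels) / 64
    return sum(1 << i for i, p in enumerate(pixels) if p > mean)


def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


class NearDuplicateSpamDetector:
    def __init__(self) -> None:
        self.buckets: Dict[str, List[int]] = defaultdict(list)      # one bucket per content type
        self.counters: Dict[Tuple[str, int], int] = defaultdict(int)

    def observe(self, kind: str, fp: int) -> Tuple[bool, int]:
        """Store or match a fingerprint; return (spam_indication, near-duplicate count)."""
        limit = DISTANCE_INDEX[kind]
        for stored in self.buckets[kind]:
            if hamming(stored, fp) <= limit:          # within the distance index
                self.counters[(kind, stored)] += 1
                count = self.counters[(kind, stored)]
                return count >= COUNT_THRESHOLD, count
        self.buckets[kind].append(fp)                 # first sighting of this content
        self.counters[(kind, fp)] = 1
        return False, 1

    def observe_text(self, text: str) -> Tuple[bool, int]:
        return self.observe("text", text_fingerprint(text))

    def observe_image(self, thumb: Sequence[Sequence[int]]) -> Tuple[bool, int]:
        return self.observe("image", image_fingerprint(thumb))


# Constructed samples: a spam template with a rotating tracking token, one benign
# message, and an 8x8 thumbnail plus a copy with a single brightened pixel.
SPAM_VARIANTS = [
    "Claim your prize now at http://win.example/a1b2",
    "Claim your prize now at http://win.example/c3d4",
    "Claim your prize NOW at http://win.example/e5f6 !!!",
]
BENIGN_TEXT = "Meeting moved to Thursday, see the updated agenda in the shared folder"
THUMB_A = [[200] * 4 + [50] * 4 for _ in range(8)]
THUMB_B = [row[:] for row in THUMB_A]
THUMB_B[3][5] = 130


def run_text_demo() -> List[Tuple[bool, int]]:
    det = NearDuplicateSpamDetector()
    return [det.observe_text(m) for m in SPAM_VARIANTS + [BENIGN_TEXT]]


def run_image_demo() -> List[Tuple[bool, int]]:
    det = NearDuplicateSpamDetector()
    return [det.observe_image(t) for t in (THUMB_A, THUMB_B, THUMB_A)]


if __name__ == "__main__":
    print(run_text_demo())
    print(run_image_demo())
```

The third spam variant trips the threshold even though its case, punctuation and tracking token all differ from the first, while the benign message opens a new entry of its own; the one-pixel image edit lands one bit away from the original and is counted against it.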

SYSTEM AND METHOD FOR IDENTIFYING SUSPICIOUS NETWORK TRAFFIC
20210006580 · 2021-01-07

The disclosure includes a method that includes receiving network traffic having a first plurality of packets that each indicate a first packet source and a first packet destination; determining an analysis host destination for each of the first plurality of packets such that the packets are distributed among a plurality of analysis hosts with communications between a given source-destination pair being sent to the same analysis host; encapsulating the first plurality of packets to generate a second plurality of encapsulated packets having the first plurality of packets as a second packet payload; and sending the second plurality of encapsulated packets to respective analysis host destinations.
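An added example of the distribution step described above (written for this page, not the patent's implementation): the source and destination are read from each captured IPv4 header, the unordered pair is hashed so that both directions of a conversation land on the same analysis host, and the original packet is carried as the payload of an encapsulated packet addressed to that host. The analysis-host list, the symmetric hash, the 12-byte encapsulation header and the sample packets are assumptions.

```python
"""Pin each source/destination pair to one analysis host and encapsulate the packets.

Added example, not the patent's own code. The host list, the symmetric flow
hash and the encapsulation header layout are assumptions made for illustration.
"""
import hashlib
import ipaddress
import struct
from typing import List, Tuple

ANALYSIS_HOSTS = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]   # constructed

ENCAP_MAGIC = b"ANLZ"
ENCAP_HDR = struct.Struct("!4sHHI")   # magic, version, host index, original length


def parse_ipv4_endpoints(pkt: bytes) -> Tuple[str, str]:
    """Read source and destination from an IPv4 header (bytes 12-19)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return str(ipaddress.IPv4Address(pkt[12:16])), str(ipaddress.IPv4Address(pkt[16:20]))


def choose_host(src: str, dst: str) -> int:
    """Hash the unordered pair so A->B and B->A reach the same analysis host."""
    a, b = sorted((ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed))
    digest = hashlib.blake2b(a + b, digest_size=8).digest()
    return int.from_bytes(digest, "big") % len(ANALYSIS_HOSTS)


def encapsulate(pkt: bytes, host_index: int) -> bytes:
    """Wrap the original packet as the payload of an encapsulated packet."""
    return ENCAP_HDR.pack(ENCAP_MAGIC, 1, host_index, len(pkt)) + pkt


def decapsulate(data: bytes) -> Tuple[int, bytes]:
    """Recover (host index, original packet) on the analysis host; validate the header."""
    magic, version, host_index, length = ENCAP_HDR.unpack_from(data)
    if magic != ENCAP_MAGIC or version != 1 or len(data) != ENCAP_HDR.size + length:
        raise ValueError("malformed encapsulation header")
    return host_index, data[ENCAP_HDR.size:]


def distribute(packets: List[bytes]) -> List[Tuple[str, bytes]]:
    """Return (analysis host, encapsulated packet) for every captured packet."""
    out = []
    for pkt in packets:
        src, dst = parse_ipv4_endpoints(pkt)
        idx = choose_host(src, dst)
        out.append((ANALYSIS_HOSTS[idx], encapsulate(pkt, idx)))
    return out


def build_ipv4(src: str, dst: str, payload: bytes) -> bytes:
    """Construct a minimal IPv4 packet (checksum left zero; enough for the demo)."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 17, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


# Constructed capture: both directions of one conversation plus an unrelated flow.
CAPTURE = [
    build_ipv4("192.0.2.10", "198.51.100.5", b"query"),
    build_ipv4("198.51.100.5", "192.0.2.10", b"reply"),
    build_ipv4("192.0.2.11", "203.0.113.8", b"other"),
]


def demo() -> List[str]:
    """Analysis hosts chosen for CAPTURE, in capture order."""
    return [host for host, _ in distribute(CAPTURE)]


if __name__ == "__main__":
    for host, wrapped in distribute(CAPTURE):
        idx, original = decapsulate(wrapped)
        print(host, idx, parse_ipv4_endpoints(original))
```

Sorting the two packed addresses before hashing is what keeps a request and its reply on the same analysis host; a hash over (src, dst) in packet order would split a conversation across hosts and defeat the per-pair analysis the abstract calls for.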