A bot characteristic detection method and apparatus, where the apparatus obtains a first dynamic behavior file and a second dynamic behavior file, where the first dynamic behavior file is a behavior file resulting from dynamic behavior detection performed on a malicious file in a first sandbox, and the second dynamic behavior file is a behavior file resulting from dynamic behavior detection performed on the malicious file in a second sandbox. The apparatus determines a bot characteristic of the malicious file based on a common characteristic of the first dynamic behavior file and the second dynamic behavior file.

A method of processing web requests directed to a website, the method including: (i) receiving a plurality of web requests directed to the website; (ii) for each of the plurality of web requests, identifying a source from which the web request has originated; (iii) for at least one web request identified as having originated from a given source: determining whether the source is a bot or a non-bot based on the at least one web request; if the source is determined to be a bot, using a machine learning engine to assign one of a plurality of predetermined bot categories to the source based on the at least one web request.

A computer implemented method to determine whether a target virtual machine (VM) in a virtualized computing environment is susceptible to a security attack, the method comprising: training a machine learning algorithm as a classifier based on a plurality of training data items, each training data item corresponding to a training VM and including a representation of parameters for a configuration of the training VM and a representation of characteristics of security attacks for the training VM; generating a data structure for storing one or more relationships between VM configuration parameters and attack characteristics, wherein the data structure is generated by sampling the trained machine learning algorithm to identify the relationships; determining a set of configuration parameters for the target VM; and identifying attack characteristics in the data structure associated with configuration parameters of the target VM as characteristics of attacks to which the target VM is susceptible.

A system for identifying attacks against a customer in a social network includes a conversation monitor, a user type detector and an attack identifier. The conversation monitor discovers a plurality of users participating in a discourse related to the customer. The user type detector identifies the type of each user that can be real or fake and the attack identifier identifies an attack according to the type of the users. A method for identifying a fake user in a social network includes evaluating an authenticity of a user by applying a set of tests, each test in the set includes one or more rules on one or more parameters associated with the user, each test creating a weighted score. The method also includes calculating a weighted average score from the weighted scores and determining if a user is fake according to the weighted average score compared to a configured threshold.

The disclosure is related to computer-implemented methods for domain name scoring. In one example, the method includes receiving a request to provide a reputation score of a domain name, receiving input data associated with the domain name, extracting a plurality of features from the input data and the domain name, generating a feature vector based on the plurality of features, and calculating the reputation score of the domain name by a machine-learning classifier based on a graph database, which includes feature vectors associated with at least a plurality of reference domain names, a plurality of servers, a plurality of domain name owners, and so forth. In another example, the method can calculate the reputation score by finding a similarity between the feature vector and one of domain name clusters in the graph database. The reputation score represents a probability that the domain name is associated with malicious activity.

A method and a trust broker system for blockchain-based anti-bot protection are provided. The method includes identifying, on a blockchain network, a request from a client to access a protected entity; selecting an access policy in response to the access request, wherein the access policy includes at least one game to be performed by the client; causing execution of the at least one game defined in the access policy; identifying, on the blockchain network, results of the at least one game, wherein the results are deposited by the client upon completion of the game; determining a bias of the client based on the completion results, wherein the determined bias is utilized for a cyber-security assessment of the client, wherein the determined bias for the client is maintained on the blockchain network; and granting or denying access to the protected entity by the client based on the determined bias.

A system detects human activity through browser canvas events to mitigate the effects of an attack on a host, such as an application layer (layer 7) DDoS attack. A proxy, such as a HTTP/HTTPS HTTP(S) proxy server, configured to handle network traffic between a host and clients challenges clients engaging the host. The proxy challenges the clients by injecting code having a beacon and a shared encryption key into the content received from the host prior to transmission of the client. The code, when executed by the client, is configured to monitor user interactions (or lack thereof) with the content at the client in order to determine whether there is human activity at the client. The proxy receives and analyzes the information about interactions (or lack thereof) to determine whether a client is malicious (e.g., non-human activity) or non-malicious (e.g., human activity).

Creation of new edges in a network may be used as an indication of a potential attack on the network. Historical data of a frequency with which nodes in a network create and receive new edges may be analyzed. Baseline models of behavior among the edges in the network may be established based on the analysis of the historical data. A new edge that deviates from a respective baseline model by more than a predetermined threshold during a time window may be detected. The new edge may be flagged as potentially anomalous when the deviation from the respective baseline model is detected. Probabilities for both new and existing edges may be obtained for all edges in a path or other subgraph. The probabilities may then be combined to obtain a score for the path or other subgraph. A threshold may be obtained by calculating an empirical distribution of the scores under historical conditions.

In one embodiment, a device in a network receives an attack mitigation request regarding traffic in the network. The device causes an assessment of the traffic, in response to the attack mitigation request. The device determines that an attack detector associated with the attack mitigation request incorrectly assessed the traffic, based on the assessment of the traffic. The device causes an update to an attack detection model of the attack detector, in response to determining that the attack detector incorrectly assessed the traffic.

Computerized methods and systems identify malware enabled by automatically generated domain names. An agent executes a malware, in a controlled environment, at a first temporal input value and a second temporal input value. A first set of domain names is generated in response to the execution at the first temporal input value. A second set of domain names is generated in response to the execution at the second temporal input value. The agent compares the first set of domain names with the second set of domain names to produce a comparison output metric.