H04L2463/144

Isolating a source of an attack that originates from a shared computing environment

A method and associated systems for isolating a source of an attack that originates from a shared computing environment. A computer-security system tags outgoing packets originating from within the shared computing environment in a tamper-proof manner in order to identify which tenant of the shared environment is the true source of each packet. If one of those tenants transmits malicious packets to an external recipient, either because the tenant has malicious intent or becomes infected with malware, the transmitted malicious packets' tags allow the recipient to determine which tenant is the source of the unwanted transmissions. The recipient may then block further communications from the problematic tenant without blocking communications from other tenants of the shared environment.

METHOD AND SYSTEM OF DETECTING A DATA-CENTER BOT INTERACTING WITH A VIDEO OR AUDIO STREAM
20200162488 · 2020-05-21

In one aspect, a computerized method useful for detecting a data-center bot interacting with an audio or video streaming source includes the step of inserting a code within the audio or video streaming source. The method includes the step of detecting that the audio or video streaming source is visited by a machine, wherein the machine is running a web browser to access the audio or video streaming source. The method includes the step of rendering and loading the audio or video streaming source with the code in the web browser of the machine. The method includes the step of, with the code, creating a hidden canvas element.

Mobile botnet mitigation

Mitigation of bot networks in wireless networks and/or on mobile devices is provided. A botnet detection component is provided that inspects data traffic and data flows on the wireless network to identify mobile devices that are suspected of behaving as bots. A traffic profile of the suspected bot behavior can be generated and forwarded to the mobile devices that are suspected of behaving as bots. The mobile device can correlate data traffic on the device to the traffic profile in order to identify applications responsible for the suspected bot behavior, and remove the identified applications.

Hierarchical activation of behavioral modules on a data plane for behavioral analytics

In one embodiment, a centralized controller maintains a plurality of hierarchical behavioral modules of a behavioral model, and distributes initial behavioral modules to data plane entities to cause them to apply the initial behavioral modules to data plane traffic. The centralized controller may then receive data from a particular data plane entity based on its having applied the initial behavioral modules to its data plane traffic. The centralized controller then distributes subsequent behavioral modules to the particular data plane entity to cause it to apply the subsequent behavioral modules to the data plane traffic, the subsequent behavioral modules selected based on the previously received data from the particular data plane entity. The centralized controller may then iteratively receive data from the particular data plane entity and distribute subsequently selected behavioral modules until an attack determination is made on the data plane traffic of the particular data plane entity.

SYSTEM AND METHOD OF PROTECTING CLIENT COMPUTERS
20200151332 · 2020-05-14

A threat response platform to act as a bridge between non-inline security programs and inline security programs. The threat response platform receives event reports, relating to client devices, from the non-inline security programs and creates incident reports for a user. The incident reports describe the event report and also additional data gathered by an active correlation system of the threat response platform. The active correlation system automatically gathers various types of data that are potentially useful to a user in determining whether the reported event is an incidence of malware operating on the client device or a false positive. The active correlation system places a temporary agent on the client device to identify indications of compromise.

SYSTEMS AND METHODS FOR ANALYZING NETWORK DATA TO IDENTIFY HUMAN AND NON-HUMAN USERS IN NETWORK COMMUNICATIONS

Systems and methods are disclosed for identifying human users on a network. One method includes receiving network data comprising data transmitted over a network over a predetermined time period, the network data comprising a plurality of usernames and a plurality of events, wherein each of the plurality of events is associated with at least one of the plurality of usernames; determining a plurality of pairs, each pair of the plurality of pairs comprising a username of the plurality of usernames and an associated event of the plurality of events; determining qualifying pairs of the plurality of pairs, the qualifying pairs corresponding to a subset of the plurality of pairs that meet or exceed one or more predetermined event frequency thresholds; determining non-qualifying pairs of the plurality of pairs, the non-qualifying pairs corresponding to the subset of the plurality of pairs that do not meet or exceed the one or more predetermined event frequency thresholds; generating at least one distribution associated with the qualifying pairs and non-qualifying pairs; and based on the at least one distribution, determining whether at least one username of the plurality of usernames is associated with a human user or a non-human user.

DETERMINISTIC REPRODUCTION OF SYSTEM STATE USING SEEDED PSEUDO-RANDOM NUMBER GENERATORS
20200153811 · 2020-05-14

Computer systems and methods for improving the security and efficiency of client computers interacting with server computers through an intermediary computer using one or more polymorphic protocols are discussed herein. In an embodiment, a computer system comprises a memory; one or more processors coupled to the memory and configured to: generate a modified identifier for an original object based on an original identifier and a nonce; render one or more instructions that include the nonce and define a modified object that corresponds to the original object and includes the modified identifier; send the one or more instructions to a client computer, wherein the one or more instructions, when executed by the client computer, are configured to cause the client computer to send a request from the client computer with the modified identifier and the nonce; receive, from the client computer, a request with a challenge identifier and a challenge nonce; generate a test identifier based on the original identifier and the challenge nonce; and determine whether the test identifier matches the challenge identifier.

DECENTRALIZED METHOD AND SYSTEM FOR ACCURATELY DETERMINING A LEVEL OF ACTIVITY OF A CLIENT DEVICE

One or more computing devices, systems, and/or methods for monitoring levels of activity of client devices using a cluster of servers having a decentralized network architecture are provided, where over-counting, which may be caused by an uneven distribution of requests transmitted by the client devices to the cluster of servers, may be mitigated. For example, a request may be received by a first server, of the cluster of servers, from a client device. A first counter value associated with a level of activity of the client device may be incremented by a first number. One or more data packets may be transmitted to one or more servers of the cluster of servers. Each data packet of the one or more data packets may comprise an instruction to increment a counter value associated with the client device by a second number, which may be different than the first number.

METHODS, SYSTEMS, AND MEDIA FOR DYNAMICALLY SEPARATING INTERNET OF THINGS DEVICES IN A NETWORK

Methods, systems, and media for dynamically separating Internet of Things (IoT) devices in a network are provided. In accordance with some embodiments of the disclosed subject matter, a method for dynamically separating IoT devices in a network is provided, the method comprising: detecting a first IoT device in the network; monitoring network communication of the first IoT device; determining device information of the first IoT device based on the monitored network communication; and causing the first IoT device to communicate on a first subnet of a plurality of subnets in the network based on the device information.

Botmaster discovery system and method
10652270 · 2020-05-12

A system and method for botmaster discovery are disclosed. The system and method may be used in a network that has a plurality of known malicious domains, a plurality of servers each having a known malicious internet protocol (IP) address, in which each server is associated with one or more of the plurality of domains, and a plurality of hosts associated with one or more of the plurality of servers, wherein each host is either a bot, which is a compromised host used as a resource for cyber-crime purposes, or a botmaster, which controls bots for cyber-crime purposes. The system and method generate a plurality of clusters of known malicious entities, the known malicious entities being one or more known malicious IP addresses, one or more known malicious domains, or a known malicious domain together with a known malicious IP address; perform flow matching of each IP address in each cluster of known malicious entities against a plurality of source IP addresses and a plurality of destination IP addresses to identify a plurality of host flows, wherein each host flow has a source IP address or a destination IP address matching a particular IP address in a cluster of known malicious entities; and detect a botmaster of each cluster of known malicious entities from the plurality of host flows corresponding to that cluster by analyzing differences in flow features between the bot and the botmaster.