H04L2463/144

SUSPICIOUS PACKET DETECTION DEVICE AND SUSPICIOUS PACKET DETECTION METHOD THEREOF
20200145435 · 2020-05-07

A suspicious packet detection device and a suspicious packet detection method thereof are provided. The suspicious packet detection device captures an HTTP packet transmitted from an internal network to an external network, and based on an HTTP header of the HTTP packet, determines that the HTTP packet belongs to one of a browser category and an application category and identifies the HTTP packet as one of a normal packet and a suspicious packet. When the HTTP packet is identified as the normal packet, the suspicious packet detection device further verifies whether the HTTP packet is the suspicious packet or not by comparing the HTTP header with relevance information or by using a URL classification model.

Detection of coordinated cyber-attacks
10642906 · 2020-05-05

A method of detecting coordinated attacks on computers and computer networks via the internet. The method includes using a web crawler to crawl the world wide web to identify domains and subdomains and their associated IP addresses, and to identify links between domains and subdomains, and storing the results in a database. When an IP address is identified as malicious or suspicious, the IP address is used as a lookup in the database to identify the associated domain and subdomain, and linked domains and subdomains. Those linked domains and subdomains are then identified as malicious or suspicious.

USER VERIFICATION SYSTEMS AND METHODS

This disclosure relates to systems and methods for verifying the presentation of content to a target audience using generated metrics indicative of a likelihood that the content was presented to actual human individuals within the target audience. In some instances, such a metric may be associated with a probability model estimating that a user (e.g., a user of a device) is human and not a bot and/or other automated service. Metrics consistent with aspects of the disclosed embodiments may be generated based, at least in part, on user information received from a user and/or associated devices and/or associated services. Consistent with various disclosed embodiments, content distribution decisions and user agency decisions may use such metrics indicative of whether a user is human.

Classifying sets of malicious indicators for detecting command and control communications associated with malware
10637880 · 2020-04-28

A method for detecting a cyber-attack by performing a first analysis on content within a first portion of a communication to determine whether the content includes a first high quality indicator. The first high quality indicator identifies a correlation of the content with a malicious activity. Subsequent to the first analysis, performing a second analysis on a second portion of the communication to determine one or more supplemental indicators. Thereafter, the communication is classified as part of a cyber-attack when (i) a value associated with the first high quality indicator exceeds a first threshold without consideration of the one or more supplemental indicators, or (ii) upon failing to exceed the first threshold and being greater than a second threshold, using the values representing the one or more supplemental indicators with the first value to classify the communication as being part of the cyber-attack.

Contextual mapping of web-pages, and generation of fraud-relatedness score-values
10621585 · 2020-04-14

Devices, systems, and methods of contextual mapping of web-page elements and other User Interface elements, for the purpose of differentiating between fraudulent transactions and legitimate transactions, or for the purpose of distinguishing between a fraudulent user and a legitimate user. User Interface elements of a website or webpage or application or other computerized service are contextually analyzed. A first User Interface element is assigned a low fraud-relatedness score-value, since user engagement with the first User Interface element does not create a security risk or a monetary exposure. A second, different, User Interface element is assigned a high fraud-relatedness score-value, since user engagement with the second User Interface element creates a security risk or a monetary exposure. The fraud-relatedness score-values are taken into account, together with user-specific behavioral characteristics, in order to determine whether to generate a possible-fraud notification, or as part of generating a possible-fraud score for a particular set-of-operations.

Configuration parameters for virtual machines

A computer implemented method to generate a classification scheme for configuration parameters of virtual machines (VMs) in a virtualized computing environment including: training a machine learning algorithm as a classifier based on a plurality of training data items, each training data item corresponding to a training VM and including a representation of parameters for a configuration of the training VM and a representation of characteristics of security attacks for the training VM; and generating a data structure for storing one or more relationships between VM configuration parameters and attack characteristics, wherein the data structure is generated by sampling the trained machine learning algorithm to identify the relationships.

Qualifying client behavior to mitigate attacks on a host

A system (and method, and computer readable storage medium storing computer program instructions) is configured to determine a fingerprint of a client and qualify client behavior. For example, a proxy positioned between a host and the client may determine the fingerprint of the client and qualify the behavior of clients engaging the host. The client fingerprint provides a relatively stable representation of the client such that the client may be distinguished from the other clients engaging the host and the behavior of the client tracked. Clients engaging the host in a positive manner are prequalified to access the host based on the positive behavior they exhibit. During an attack on the host, such as a DDoS attack, prequalified clients retain access to features and functionality provided by the host to maintain legitimate user experience and better enable the proxy to handle malicious clients.

Network management using entropy-based signatures

Systems and methods are disclosed herein for generating a signature of an anomalous network event capable of adversely affecting the performance of a computing resource service provider. A signature computing workflow service receives network traffic information received at the computing resource service provider, and parses the network traffic information into a set of entries. The set of entries may include data for a set of parameters useable for communicating over a network. Entropy values may be calculated for the data, and anomalies for the set of parameters may be detected based on changes in entropy for the set of parameters. A signature of an anomalous network traffic event may be generated based on characteristic entropy changes in the parameters associated with the anomalies. The signature may be useable to detect the presence of the network event.

METHOD FOR EVALUATING DOMAIN NAME AND SERVER USING THE SAME

The disclosure provides a method for evaluating a domain name and a server using the same method. The method includes: retrieving a raw domain name and dividing the raw domain name into a plurality of parts; retrieving a specific part of the parts, wherein the specific part includes characters; encoding the characters into encoded data; padding the encoded data to a specific length; projecting the padded encoded data as embedded vectors; sequentially inputting the embedded vectors to a plurality of cells of a long short-term memory model to generate a result vector; and converting the result vector to a prediction probability via a fully-connected layer and a specific function.

SYSTEM AND METHOD FOR DETECTING BOTS BASED ON ANOMALY DETECTION OF JAVASCRIPT OR MOBILE APP PROFILE INFORMATION

A system and method for detecting bots. The method includes receiving a request to access a server, the request being received from a client device, and responsive to the request, causing the client device to download a script code file. The script code file, when executed, collects a profile, and the profile includes a plurality of parameters. The method also includes receiving the created profile, generating a score based on the plurality of parameters to identify a bot, and initiating a mitigation action based on the identified bot.