H04L2463/144

Identify and prevent account take over fraud attacks
11936674 · 2024-03-19

This application provides an example method, system, and computer-readable medium for identifying potential account take over fraud attacks through monitoring of user credential login attempts across a network of websites. One example method includes identifying a login attempt to a particular website. The method further includes determining whether the login user credentials correspond to site-specific user credentials for the particular website. The method also includes in response to determining that the login user credentials correspond to the site-specific user credentials, determining whether the login attempt to the particular website is allowed by a first allowance rule associated with the first RTW, and in response to determining that the login attempt to the particular website is allowed by the first allowance rule, setting a first allowance indicator to indicate that the login attempt to the particular website is to be allowed by the first allowance rule.

DEVICE, METHOD, AND SYSTEM FOR SUPPORTING BOTNET TRAFFIC DETECTION
20240080337 · 2024-03-07

The invention relates to a method, a device (101), a system (106), a computer program (504) and a computer program product (505) for supporting botnet traffic detection. A device (101) for supporting botnet traffic detection obtains information associated with a first data flow of a first communication device (104a) and information associated with a second data flow of the first communication device (104a) or of a second communication device (104b), and trains a first and a second prediction model. The first and second prediction models are applied to data traffic and a label based on the outputs of the first and the second prediction models is associated with the traffic, wherein the label either indicates benign traffic or malicious traffic.

Abnormal traffic detection method and abnormal traffic detection device

An abnormal traffic detection method is provided according to an embodiment of the disclosure. The method includes: obtaining network traffic data of a target device; sampling the network traffic data by a sampling window with a time length to obtain sampling data; generating, according to the sampling data, an image which presents a traffic feature of the network traffic data corresponding to the time length; and analyzing the image to generate evaluation information corresponding to an abnormal traffic. In addition, an abnormal traffic detection device is also provided according to an embodiment of the disclosure to improve a detection ability and/or an analysis ability for the abnormal traffic and/or a malware.

BLOCKCHAIN-BASED ADMISSION PROCESSES FOR PROTECTED ENTITIES
20240064146 · 2024-02-22

Arrangements for controlling access to a protected entity include receiving a redirected request of the client to access the protected entity that was denied by the protected entity; granting, in response to the received redirected request, access tokens of a first type to the client; identifying a conversion transaction identifying a request to convert the first type of access tokens with access tokens of a second type, wherein the transaction designates at least the protected entity; converting, based on a determined conversion value, a first sum of the first type of access tokens into a second sum of the second type of access tokens wherein the conversion value is determined based on at least one access parameter; and granting the client access to the protected entity when the sum of the second type of access tokens is received as a payment from the protected entity.

Thwarting SYN flood DDOS attacks

A system for efficiently thwarting SYN flood DDoS attacks on a target server including a CPU, the system comprising: network controller hardware having steering capability; and a software application to create and to configure initial steering object/s which define a steering configuration of the network controller and monitor at least one opened connection to the server, including updating the steering configuration responsive to establishment of at least one connection to the server, wherein the network controller hardware's steering capability is used to provide a SYN cookie value used for said thwarting, and to send at least one modified packet back to the packet's source.

Bot detection in an edge network using Transport Layer Security (TLS) fingerprint

This disclosure describes a technique to fingerprint TLS connection information to facilitate bot detection. The notion is referred to herein as TLS fingerprinting. Preferably, TLS fingerprinting herein comprises combining different parameters from the initial Hello packet sent by the client. In one embodiment, the different parameters from the Hello packet that are used to create the fingerprint (the TLS signature) are: record layer version, client version, ordered TLS extensions, ordered cipher list, ordered elliptic curve list, and ordered signature algorithms list. Preferably, the edge server persists the TLS signature for the duration of a session.

Automated bot blocking

A system for limiting access to a digital resource based on detection of unauthorized scraping of the digital resource includes one or more processors configured to execute instructions to detect, over a network, first data representing a plurality of first interactions by a client device with the digital resource hosted on a host system; extract, from the hardware storage device, second data representing a plurality of second interactions with digital resources, with the second interactions satisfying conditions for an interaction to be authorized; determine a confidence score based on comparing the first and second data, with the confidence score indicating a likelihood that an interaction is unauthorized; based on the determined confidence score indicating that the first interactions are unauthorized, detect, by one or more processing devices, unauthorized scraping of the digital resource; and limit access of the client device to the digital resource.

Botnet detection and mitigation

Methods and systems for detecting and mitigating a malicious bot. Threat information is obtained, the threat information identifying one or more indicators of compromise (IOC) corresponding to suspected or known malicious network traffic. A control list (CL) corresponding to the threat information is generated, the CL describing rules for identifying network flows to be logged in a network log. The network log identifying the network flows is obtained, and a suspect network flow identified by both the threat information and the network log is identified. An address corresponding to the suspect network flow is identified, and the address is correlated with a user identifier. A notification is issued to a user associated with the user identifier, the notification indicating the suspected existence of a malicious bot.

Device and Method for Generating a Response to an Attack in a Communication Network Using Machine Learning
20240048570 · 2024-02-08

In a communication network, a device is configured to predict attacks and detect attacks from data logs received from the network and generate a response to an attack upon prediction or detection of an attack. Graph representations of data logs are generated based on a predefined schema. Attacks are detected by applying inference rules to a graph representation of the data logs. Attacks are predicted by using a graph neural network trained with subgraphs obtained by querying a graph representation of training data corresponding to normal traffic and attacks.

DYNAMICALLY SCALED DDOS MITIGATION
20240048588 · 2024-02-08

Systems and methods for dynamically mitigating a DDOS attack. In an aspect, the technology relates to a computer-implemented method for dynamically mitigating a distributed-denial-of-service (DDOS) attack. The computer-implemented method may include detecting a DDOS attack directing malicious traffic to a target, identifying one or more source locations of the malicious traffic, and in response to detecting the DDOS attack, activating one or more scrub clusters in the identified one or more source locations of the malicious traffic. The method may further include directing traffic intended for the target to the activated one or more scrub clusters, detecting an end of the DDOS attack, and in response to detecting the end of the DDOS attack, deactivating the one or more scrub clusters to release hardware resources.