Methods and systems for generating stateful attacks for simulating and testing security infrastructure readiness. Attack templates descriptive of a plurality of attacks to be executed against one or more targets are defined. The attack templates are processed to compile a decision tree by traversing through a list of attack templates to create a logical tree with tree branches representing different execution paths through which attacks may be executed against the targets. During attack simulations and/or testing, single and/or multi-stage attacks are executed against targets, wherein attack sequences are dynamically determined using the execution paths in the decision tree in view of real-time results. The attacks may be executed against various types of targets, including target in existing security infrastructures and simulated targets. Moreover, the attacks may originate from computer systems within security infrastructures or remotely using computer systems external to the security infrastructures.

A system and method for controlling authorization to a protected entity are provided. The method includes: receiving an access request for access to the protected entity, wherein the access request is received from a client device; in response to the access request, causing the client device to perform an admission process that includes performing at least one game; monitoring a distributed database to identify at least one admission transaction designating admission criteria; determining if the admission criteria satisfy a set of conditions for accessing the protected entity; identifying, on the distributed database, completion results of the at least one game, wherein whether the admission criteria satisfies the set of conditions for accessing the protected entity is determined based on the results of the at least one game; and granting access to the protected entity by the client device when the admission criteria satisfies the set of conditions.

This disclosure describes a bot detection system that leverages deep learning to facilitate bot detection and mitigation, and that works even when an attacker changes an attack script. The approach herein provides for a system that rapidly and automatically (without human intervention) retrains on new, updated or modified attack vectors.

A system for efficiently thwarting syn flood DDoS attacks on a target server including a CPU, the system comprising: network controller hardware having steering capability; and a software application to create and to configure initial steering object/s which define a steering configuration of the network controller and monitor at least one opened connection to the server, including updating the steering configuration responsive to establishment of at least one connection to the server, wherein the network controller hardware's steering capability is used to provide a SYN cookie value used for said thwarting, and to send at least one packet, modified, to the packet's source.

A method for protecting entities against bots is provided. The method includes identifying a request from a client to access a protected entity; selecting an access policy in response to the access request, wherein the access policy includes at least one challenge to be performed by the client; identifying results of the at least one challenge, wherein the results are provided by the client upon completion of the challenge; determining a bias of the client based on the completion results, wherein the determined bias is utilized for a cyber-security assessment of the client; and granting access to the protected entity by the client based on the determined bias.

In one embodiment, a security device in a computer network detects potential domain generation algorithm (DGA) searching activity using a domain name service (DNS) model to detect abnormally high DNS requests made by a host attempting to locate a command and control (C&C) server in the computer network. The server device also detects potential DGA communications activity based on applying a hostname-based classifier for DGA domains associated with any server internet protocol (IP) address in a data stream from the host. The security device may then correlate the potential DGA searching activity with the potential DGA communications activity, and identifies DGA performing malware based on the correlating, accordingly.

A system includes one or more BotMagnet modules that are exposed to infection by malicious code. The BotMagnets may include one or more virtual machines hosing operating systems in which malicious code may be installed and executed without exposing sensitive data or other parts of a network. In particular, outbound traffic may be transmitted to a Sinkhole module that implements a service requested by the outbound traffic and transmits responses to the malicious code executing within the BotMagnet. Credentials for services implemented by a BotSink may be planted in an active directory (AD) server. The BotSink periodically uses the credentials thereby creating log entries indicating use thereof. When an attacker accesses the services using the credentials, the BotSink engages and monitors an attacker system and may generate an alert. Decoy services may be assigned to a domain and associated with names according to a naming convention of the domain.

In one embodiment, a device in a network constructs a graph based on Domain Name System (DNS) traffic in which vertices of the graph correspond to client addresses from the DNS traffic and domains from DNS traffic. The device uses stacked autoencoders to determine priors for the domains and client addresses. The device assigns the determined priors to the corresponding vertices of the graph. The device uses belief propagation on the graph to determine a malware inference from the graph. The device causes performance of a mitigation action when the malware inference from the graph indicates the presence of malware.

A computer-implemented method for securing a content server system is disclosed. The method includes identifying that a request has been made by a client computing device for serving of content from the content server system; serving, to the client computing device and for execution on the client computing device, reconnaissance code that is programmed to determine whether the client computing device is human-controlled or bot-controlled; receiving, from the reconnaissance code, data that indicates whether the client computing device is human-controlled or bot-controlled; and serving follow-up content to the client computing device, wherein the make-up of the follow-up content is selected based on a determination of whether the client computing device is human-controlled or bot-controlled.

In a particular embodiment, a network protocol modification system is configured to identify a malicious attack on a particular computing system, and modify a protocol (e.g., Border Gateway Protocol) that dictates a path of network traffic to the particular computing system. The system may, for example, modify a protocol (e.g., Border Gateway Protocol) that dictates the path of network traffic to the particular computing system for: (1) all network traffic; (2) any network traffic from one or more particular sources; and/or (3) any other suitable combination of traffic. In some embodiments, the system may interface with one or more ISP or other systems in order to propagate network protocol updates. In particular embodiments, the system is particularly configured to mitigate one or more DDoS attacks against a particular target network or service.