H04L2463/144

APPARATUS, SYSTEM AND METHOD FOR IDENTIFYING AND MITIGATING MALICIOUS NETWORK THREATS

Implementations of the present disclosure involve a system and/or method for identifying and mitigating malicious network threats. Associated network data is retrieved from various sources across a network and analyzed to identify a malicious network threat. When a threat is found, the system performs a mitigating action to neutralize the malicious network threat.

Active validation for DDoS and SSL DDoS attacks

Methods and systems for detecting and responding to Denial of Service (DoS) attacks comprise: detecting a DoS attack or potential DoS attack against a first server system comprising one or more servers; receiving, at a second server system comprising one or more servers, network traffic directed to the first server system; subjecting requesting clients to one or more challenge mechanisms, the challenge mechanisms including one or more of challenging requesting clients to follow through HTTP redirect responses, challenging requesting clients to request Secure Sockets Layer (SSL) session resumption, or challenging requesting clients to store and transmit HTTP cookies; identifying one or more non-suspect clients; and forwarding, by the second server system, traffic corresponding to the one or more non-suspect clients to the first server system. Once a client has been validated, clients may communicate directly with application servers in a secure manner by transparently passing through intermediary proxy servers.

Captcha risk or score techniques
10250629 · 2019-04-02

Captcha risk or score technique systems and methods are presented. A method can begin with extracting client information from the service request. The extracted client information may be used to determine if the client device has been identified as a computer bot. A captcha is also selected in response to the service request. Captcha instructions and expected captcha response are generated for the selected captcha. The captcha instructions are sent to the client device for processing and a captcha response from the client device may be received, which is compared to the expected response to determine based on the service policy if the client device is operating under control of a human user or operating autonomously. Risk levels may be associated with likelihood of the client device being a bot computer and operating autonomously or operating under control of a human user.

Detecting man-in-the-middle attacks

MITM attacks are detected by intercepting network configuration traffic (name resolution, DHCP, ARP, ICMP, etc.) in order to obtain a description of network components. A computer system generates artificial requests for network configuration information and monitors responses. Multiple responses indicate a MITM attack. Responses that are different from previously-recorded responses also indicate a MITM attack. MITM attacks may be confirmed by transmitting fake credentials to a source of a response to a request for network configuration information. If the fake credentials are accepted or are subsequently used in an access attempt, then a MITM attack may be confirmed.

SECONDARY COMMUNICATION CHANNEL FOR SECURITY NOTIFICATIONS
20190098053 · 2019-03-28

Exemplary methods, apparatuses, and systems include a communication system accessing a request received from an application on a user device to log into a primary platform of a communication system using a user account. In response to detecting the request as an unrecognized login attempt, that the user account also grants access to a secondary platform of the communication system, and that settings of the user account include enabled push notifications via the secondary platform, the communication system provides a notification for display to a user of the user account via the secondary platform.

Bot detection based on divergence and variance
10243981 · 2019-03-26

A system automatically detects bots and/or botnets.

Edge-based machine learning for encoding legitimate scanning

In one embodiment, a device in a network receives an indication that a network anomaly detected by an anomaly detector of a first node in the network is associated with scanning activity in the network. The device receives labeled traffic data associated with the detected anomaly that identifies whether the traffic data is associated with legitimate or illegitimate scanning activity. The device trains a machine learning-based classifier using the labeled traffic data to distinguish between legitimate and illegitimate scanning activity in the network. The device deploys the trained classifier to the first node, to distinguish between legitimate and illegitimate scanning activity in the network.

Path scanning for the detection of anomalous subgraphs and use of DNS requests and host agents for anomaly/change detection and network situational awareness

A system, apparatus, computer-readable medium, and computer-implemented method are provided for detecting anomalous behavior in a network. Historical parameters of the network are determined in order to determine normal activity levels. A plurality of paths in the network are enumerated as part of a graph representing the network, where each computing system in the network may be a node in the graph and the sequence of connections between two computing systems may be a directed edge in the graph. A statistical model is applied to the plurality of paths in the graph on a sliding window basis to detect anomalous behavior. Data collected by a Unified Host Collection Agent (UHCA) may also be used to detect anomalous behavior.

METHOD AND APPARATUS FOR DETERMINING COMPROMISED HOST
20240244080 · 2024-07-18

In accordance with an embodiment, a method includes: receiving, from a host, a DNS domain name request forwarded by the internal DNS server; in response to a domain name carried in the DNS domain name request being a malicious domain name, determining a fake internet protocol (IP) address that is in a one-to-one correspondence with the malicious domain name; returning the fake IP address to the host via the internal DNS server; receiving a communication link establishment request packet from the host; and in response to a destination IP address in the communication link establishment request packet being the fake IP address, determining that the host is a compromised host.

Counter intelligence bot

Techniques are provided that facilitate responding to cyberattacks using counter intelligence (CI) bot technology. In one embodiment, a first system is disclosed that comprises a processor and a memory. The memory can store executable instructions that, when executed by the processor, facilitate performance of operations including receiving a request from a second system requesting assistance in association with a cyberattack on the second system, wherein the request comprises information indicating a type of the cyberattack. The operations further comprise selecting a counter intelligence bot configured to respond to the type of cyberattack, and directing the counter intelligence bot to respond to the cyberattack, wherein the directing comprises enabling the counter intelligence bot to respond to the cyberattack by establishing a gateway with the second system and employing the gateway to intercept and respond to traffic associated with the cyberattack on behalf of the second system.