Patent classifications
H04L2463/144
System and method for detecting bots based on iterative clustering and feedback-driven adaptive learning techniques
A system and method for detecting and blocking bots are presented. The method includes receiving unlabeled data regarding a visitor of a web source, grouping the received unlabeled data with similar characteristics into a group of data, detecting, based on the group of data, at least one anomaly, and determining, based on the at least one detected anomaly, several visitors to be blacklisted.
BOTNET DETECTION SYSTEM AND METHOD
A system and method are provided for detecting a botnet in a network based on traffic flow, a daisy-chained mechanism and a white-list generation mechanism. The system and method use the known malicious components in a botnet, such as IP address, domain name and URL, as the root of a daisy chain and create a network graph based on given traffic flow data such as NetFlow data, DNS cache data, DNS sinkhole data, DDoS data and attack log data in threat sensors. The system and method iteratively detect new malicious factors by tracing that network graph. The system and method also introduce a technique to create a white list which is used in the daisy chain to reduce false positives.
Device monitoring method and apparatus and deregistration method and apparatus
This disclosure provides a device monitoring method and apparatus and a deregistration method and apparatus. The device monitoring apparatus has a capability of obtaining signaling plane data exchanged between a core network element and a terminal device, and after obtaining the signaling plane data, the device monitoring apparatus can determine, by analyzing attribute information of the signaling plane data, a device that may initiate a DoS attack.
Methods and systems for detecting disinformation and blocking robotic calls
An innovative method is implemented to determine whether an incoming communication is a robocall and to block the incoming communication deemed to be a robocall. The method leverages blockchain's shared storage, memory, and ability to transact all information across a network, with that information independently verified and stored on the immutable blockchain. The method takes advantage of high-speed cellular networks to process each communication at high speed. Further, the method integrates blockchain encryption, swarm intelligence (SI), artificial intelligence (AI) and machine learning (ML) algorithms, a telecommunication expert knowledge graph (TEKG), and real-time parsing of records to block robocalls and reduce connection delays. All modules can evolve and update themselves with each use of the present invention through various SI, AI, and ML technologies. Additionally, the method includes a localized call-filtering feature based on state and federal laws to ensure the blocking of calls that are prohibited by either federal or state governments, thereby facilitating recovery of damages.
BOTNET DETECTION AND MITIGATION
Methods and systems for detecting and mitigating a malicious bot. Threat information is obtained, the threat information identifying one or more indicators of compromise (IOC) corresponding to suspected or known malicious network traffic. A control list (CL) corresponding to the threat information is generated, the CL describing rules for identifying network flows to be logged in a network log. The network log identifying the network flows is obtained, and a suspect network flow identified by both the threat information and the network log is identified. An address corresponding to the suspect network flow is identified and the address is correlated with a user identifier. A notification is issued to a user associated with the user identifier, the notification indicating a suspected existence of a malicious bot.
AUTOMATED BOT BLOCKING
A system for limiting access to a digital resource based on detection of unauthorized scraping of the digital resource includes one or more processors configured to execute the instructions to receive a request from a client device to access a digital resource, determine at least a first attribute and a second attribute associated with the request, determine a first confidence score based in part on evaluating the first attribute relative to the second attribute, detect interaction data representing interactions by the client device with the digital resource, determine a second confidence score based at least in part on the interaction data, the second confidence score indicating that the interaction data is unauthorized, detect unauthorized scraping of the digital resource based at least in part on the second confidence score, and limit access of the client device to the digital resource.
SYSTEM AND METHOD FOR GATHERING BOTNET CYBER INTELLIGENCE
A drone unit operatively connected to a server may identify an attack, launched by a botnet, on a resource. A drone unit may continuously and iteratively, while the attack is in progress, determine and report to a server a first set of values of a respective set of operational parameters related to the resource. A drone unit may determine, and report to the server, a second set of values of the set of operational parameters after the attack is terminated. A server may determine an impact of an attack by relating the first set of values to the second set of values.
Systems and methods for assessing security risk
Systems and methods for providing identification tests. In some embodiments, a system and a method are provided for generating and serving to a user an animated challenge graphic comprising a challenge character set whose appearance may change over time. In some embodiments, marketing content may be incorporated into a challenge message for use in an identification test. The marketing content may be accompanied by randomly selected content to increase a level of security of the identification test. In some embodiments, a challenge message for use in an identification test may be provided based on information regarding a transaction for which the identification test is administered. For example, the transaction information may include a user identifier such as an IP address. In some embodiments, identification test results may be tracked and analyzed to identify a pattern of behavior associated with a user identifier. A score indicative of a level of trustworthiness may be computed for the user identifier.
Analyzing DNS requests for anomaly detection
A computer-implemented method for detecting anomalies in DNS requests comprises receiving a plurality of DNS requests generated within a predetermined period. The predetermined period includes a plurality of DNS data fragments. The method further includes receiving a first DNS request and selecting a plurality of second DNS requests from the plurality of DNS requests such that each of the second DNS requests is a subset of the first DNS request. The method also includes calculating a count value for each of the DNS data fragments, where each of the count values represents a number of instances the second DNS requests appear within one of the DNS data fragments. In some embodiments, the count values for each of the DNS data fragments can be normalized. The method further includes determining an anomaly trend, for example, based on determining that at least one of the count values exceeds a predetermined threshold value.
Harvesting fully qualified domain names from malicious data packets
The system inhibits malware, which has infected user equipment (UE), from establishing a communication channel between the UE and a malware command and control (C2) website. A malware threat detector detects traffic from the user equipment that was generated by malware. The system extracts the logs of these detections, processes the packet capture, and extracts the fully qualified domain name (FQDN). The FQDN is then transmitted to a malware information sharing platform and added to the domain name system response policy zone (DNS RPZ). The DNS RPZ can block subsequent access to the malware C2 website due to the inclusion of the FQDN on the DNS RPZ.