H04L2463/144

SYSTEMS AND METHODS FOR ANALYZING NETWORK DATA TO IDENTIFY HUMAN AND NON-HUMAN USERS IN NETWORK COMMUNICATIONS

Systems and methods are disclosed for identifying human users on a network. One method includes receiving network data comprising data transmitted over a network over a predetermined time period, the network data comprising a plurality of usernames and a plurality of events, wherein each of the plurality of events is associated with at least one of the plurality of usernames; determining a plurality of pairs, each pair of the plurality of pairs comprising a username of the plurality of usernames and an associated event of the plurality of events; determining qualifying pairs of the plurality of pairs, the qualifying pairs corresponding to a subset of the plurality of pairs that meet or exceed one or more predetermined event frequency thresholds; determining non-qualifying pairs of the plurality of pairs, the non-qualifying pairs corresponding to the subset of the plurality of pairs that do not meet or exceed one or more predetermined event frequency thresholds; generating at least one distribution associated with the qualifying pairs and non-qualifying pairs; and based on the at least one distribution, determining if at least one username of the plurality of usernames is associated with a human user or a non-human user.

METHODS, SYSTEMS, AND MEDIA FOR DYNAMICALLY SEPARATING INTERNET OF THINGS DEVICES IN A NETWORK

Methods, systems, and media for dynamically separating Internet of Things (IoT) devices in a network are provided. In accordance with some embodiments of the disclosed subject matter, a method for dynamically separating IoT devices in a network is provided, the method comprising: detecting a first IoT device in the network; monitoring network communication of the first IoT device; determining device information of the first IoT device based on the monitored network communication; and causing the first IoT device to communicate on a first subnet of a plurality of subnets in the network based on the device information.

Method and system for anti-bot protection
11677753 · 2023-06-13

A method for protecting entities against bots is provided. The method includes identifying a request from a client to access a protected entity; selecting an access policy in response to the access request, wherein the access policy includes at least one challenge to be performed by the client; identifying results of the at least one challenge, wherein the results are provided by the client upon completion of the challenge; determining a bias of the client based on the completion results, wherein the determined bias is utilized for a cyber-security assessment of the client; and granting access to the protected entity by the client based on the determined bias.

Automated cloud security computer system for proactive risk detection and adaptive response to risks and method of using same
11676151 · 2023-06-13

The present disclosure relates to techniques for automated and adaptive cloud security management. Embodiments provide for, at an electronic device configured to interface with a cloud computing environment, initiating one or more transactions in the cloud computing environment using a first identifier to cause a first service of the cloud computing environment to generate a first set of data including the first identifier and a second identifier, and a second service of the cloud computing environment to generate a second set of data including a third identifier and a fourth identifier. Embodiments also provide for automatically determining whether the first identifier corresponds to the third identifier, and, in accordance with a determination that the first identifier corresponds to the third identifier, associating the second identifier and the fourth identifier to generate a linkage between the first and second services.

System and method for network level protection against malicious software
09832227 · 2017-11-28

A method in one example implementation includes receiving information related to a network access attempt on a first computing device with the information identifying a software program file associated with the network access attempt. The method also includes evaluating a first criterion to determine whether network traffic associated with the software program file is permitted and then creating a restriction rule to block the network traffic if the network traffic is not permitted. The first criterion includes a trust status of the software program file. In specific embodiments, the method includes pushing the restriction rule to a network protection device that intercepts the network traffic associated with the software program file and applies the restriction rule to the network traffic. In more specific embodiments, the method includes searching a whitelist identifying trustworthy software program files to determine the trust status of the software program file.

System and method for using a plurality of egocentric and allocentric factors to identify a threat actor

The system and method disclosed performs entity authentication through identification proofing. A relying party such as a corporation or other type of entity having a secure website, computer network and secure facility working a risk engine can determine the authenticity, validation and verification during registration of a user entity. The identification proofing is integrated with a risk engine. The risk engine is capable of using bio-behavior based information which may be continuously monitored.

Hidden line property of online content to inhibit bot activity
11677735 · 2023-06-13

Disclosed are systems and methods that require/force bots to access and interact with webpages at a similar level to humans, by including an executable script that generates/updates a test value for a webpage. The client devices must perform certain processing and/or rendering of the webpage to call the computations necessary for generating the updated test value. The script must be executed as a function of processing and/or rendering the webpage. The script may be retrieved from the webserver as a function of processing and/or rendering the webpage. When the browser executes this script, the browser generates the updated test value. At some point, the client device submits a request for certain process with the updated test value. The server compares the inbound test value from the client device against an initial/previously received test value or an expected test value to determine whether the browser is being operated by a human.

APPARATUS HAVING ENGINE USING ARTIFICIAL INTELLIGENCE FOR DETECTING BOT ANOMALIES IN A COMPUTER NETWORK
20230171276 · 2023-06-01

A system comprises an enterprise network system and engine. The engine has a discovery module coupled to a switch device, an AI and machine learning based monitoring and detection module coupled to the switch device, and a remediation module coupled to the switch device. The remediation module is configured to initiate a remediation process based upon the detection of at least one of the bot anomalies from the flow of data.

Methods and systems for detecting malicious servers
11265334 · 2022-03-01

An Active Intelligence method and system are provided for detecting malicious servers using an automated machine-learning active intelligence manager. The Active Intelligence method and system automatically and covertly extract forensic data and intelligence related to a selected server in real time to determine whether the server is part of a cybercrime infrastructure. An automated machine-learning active intelligence manager is provided that collects or gathers one or more types of forensic intelligence related to the operation of the server under investigation. The active intelligence manager combines the collected one or more types of forensic intelligence, extracts features from the combined forensic intelligence, and classifies the server as malicious or benign based on the extracted features.

Malware detection for proxy server networks
11489858 · 2022-11-01

This specification generally relates to methods and systems for applying network policies to devices based on their current access network. One example method includes identifying a proxy connection request sent from a particular client device to a proxy server over a network, the proxy connection request including a hostname and configured to direct the proxy server to establish communication with the computer identified by the hostname on behalf of the client device; determining an identity of the client device based on the proxy connection request; identifying a domain name system (DNS) response to a DNS request including the hostname from the proxy connection request; and updating DNS usage information for the particular client based on the identified DNS response including the hostname from the proxy connection request.