Patent classifications
H04L2463/145
COLLECTING PASSIVE DNS TRAFFIC TO GENERATE A VIRTUAL AUTHORITATIVE DNS SERVER
The present application describes a system and method for passively collecting DNS traffic data as that data is passed between a recursive DNS resolver and an authoritative DNS server. The information contained in the collected DNS traffic data is used to generate a virtual authoritative DNS server, or a zone associated with the authoritative DNS server, when it is determined that the authoritative DNS server has been compromised.
CONTROL METHOD, INFORMATION PROCESSING APPARATUS, AND NON-TRANSITORY COMPUTER-READABLE STORAGE MEDIUM FOR STORING CONTROL PROGRAM
A control method implemented by a computer which is configured to be operated as a terminal apparatus, the control method including: transmitting, from the terminal apparatus to a first management server, a first request for transmission of a certificate of a first server, the first server being one of a plurality of servers, the first management server being configured to manage certificates for the plurality of servers; in response to the transmitting of the first request, receiving the certificate of the first server from the first management server; in response to the receiving of the certificate, determining a certificate authority by using information included in the received certificate, the certificate authority being a server from which the received certificate has been issued; and transmitting, from the terminal apparatus to the determined certificate authority, a second request for transmission of first address information on the first server.
DETECTING AND MITIGATING POISON ATTACKS USING DATA PROVENANCE
Computer-implemented methods, program products, and systems for provenance-based defense against poison attacks are disclosed. In one approach, a method includes: receiving observations and corresponding provenance data from data sources; determining whether the observations are poisoned based on the corresponding provenance data; and removing the poisoned observation(s) from a final training dataset used to train a final prediction model. Another implementation involves provenance-based defense against poison attacks in a fully untrusted data environment. Untrusted data points are grouped according to provenance signature, and the groups are used to train learning algorithms and generate complete and filtered prediction models. The results of applying the prediction models to an evaluation dataset are compared, and poisoned data points identified where the performance of the filtered prediction model exceeds the performance of the complete prediction model. Poisoned data points are removed from the set to generate a final prediction model.
INTERCEPT FOR ENCRYPTED COMMUNICATIONS
Aspects of the disclosure include replacing, by a DNS proxy in DNS responses, a cryptographic key associated with a client-facing server for an origin content server with another cryptographic key received from a TLS proxy. A device may encrypt an extension of a ClientHello message with the other cryptographic key, such that the encrypted ClientHello (ECH) extension can be decrypted by the TLS proxy. The TLS proxy can then allow or deny the connection using a TLS intercept policy and decrypted information in the ClientHello message, and if the TLS connection is allowed, re-encrypt the ECH with the cryptographic key in the DNS response for the client-facing server to decrypt for establishment of the TLS connection with the origin content server. To preserve selective intercept while using ECH, a TLS Intercept Policy may be used to decide whether the TLS proxy feeds an Application Layer Proxy.
Systems and methods for dynamically varying web application firewall security processes based on cache hit results
A computer-implemented method for dynamically varying web application firewall security processes based on cache hit results may include (i) identifying, at a computing device, a request directed to a web application resource protected by the computing device, (ii) determining, in response to identifying the request, whether a response to the request will be served from a cache stored on the computing device, (iii) determining, based at least in part on whether the response to the request will be served from the cache, a level of security processing to apply to the request, and (iv) applying the determined level of security processing to the request. Various other methods, systems, and computer-readable media are also disclosed.
Preventing DNS cache poisoning
The present disclosure provides a method and a device for preventing DNS cache poisoning. According to an example of the method, a preventing equipment may forward a first DNS query request packet sent by a DNS server to a first authoritative DNS server. The preventing equipment may construct a second DNS query request packet including the target domain name and send the second DNS query request packet to a second authoritative DNS server when a first DNS reply packet received for the first DNS query request packet indicates a DNS cache poisoning attack occurs. When a second DNS reply packet received for the second DNS query request packet indicates no DNS cache poisoning attack occurs, the preventing equipment may generate a final DNS reply packet according to the second DNS reply packet and feed back the final DNS reply packet to the DNS server.
VALIDATION OF CONTENT DELIVERY AND VERIFICATION OF A DELEGATION OF DELIVERY OF A CONTENT
Methods for validating delivery of content and verifying a delegation of delivery of a content, and corresponding devices and computer program products. A method is proposed for validating a delivery of a content to a client terminal. Such a method includes receiving, by the client terminal, an address, referred to as the received address, in response to a request sent to an address server in order to obtain an address of a delivery server of the content. The request includes a piece of information relating to the delivery server. Such a method further includes receiving, by the client terminal, a piece of information relating to an authentic address associated with the delivery server, the information being sent by a server of the content supplier, and determining the validity of the received address with respect to the authentic address on the basis of the information relating to the authentic address.
Technologies for preventing man-in-the-middle attacks in software defined networks
Systems, methods, and computer-readable media for preventing man-in-the-middle attacks within a network, without the need to maintain trusted/untrusted port listings on each network device. The solutions disclosed herein leverage a host database which can be present on controllers, thereby providing a centralized database instead of a per-node DHCP binding database. Systems configured according to this disclosure (1) use a flood list only for ARP packets received from the controller; and (2) unicast ARP packets to the controller before communicating the packets to other VTEPs.
Method and system for destroying browser-based memory corruption vulnerabilities
Client-less methods and systems destroy/break the predictive layout of, for example, a client computer memory. The methods and systems operate by injecting a library that manipulates the client computer memory during exploitation attempts.