H04L63/1458

Coalition network identification using iterative process

One or more computing devices, systems, and/or methods are provided. Event information associated with a plurality of events may be identified. The plurality of events may be associated with first entities corresponding to a first entity type and second entities associated with a second entity type. A first network profile associated with the first entities and the second entities may be generated based upon the event information. An iterative process may be performed to identify a coalition network associated with fraudulent activity. The iterative process may include analyzing the first network profile to identify a first set of entities, of the first entities, that are related to an entity of the second entities, and/or analyzing the first network profile to identify a second set of entities, of the second entities, that are related to the first set of entities. Multiple iterations may be performed to identify the coalition network.

PROTECTION AGAINST MALICIOUS DATA TRAFFIC
20230028892 · 2023-01-26

Disclosed is a method for defending against malicious data traffic. The method includes: monitoring, by a defender device, data traffic flowing through a network device; generating a first control signal, by the defender device, in response to a detection that the data traffic includes a predefined amount of malicious data traffic, to cause a delivery of the data traffic to the defender device; and terminating the malicious data traffic in the defender device. Also disclosed are an apparatus implementing the method, a computer program product and a system.

SECURITY AWARE LOAD BALANCING FOR A GLOBAL SERVER LOAD BALANCING SYSTEM

The method of some embodiments assigns a client to a particular datacenter from among multiple datacenters. The method is performed at a first datacenter, starting when it receives security data associated with a second datacenter. Then the method receives a DNS request from the client. Based on the received security data, the method sends a DNS reply assigning the client to the particular datacenter instead of the second datacenter. The receiving and sending are performed by a DNS cluster of the datacenter in some embodiments. The particular datacenter includes a set of servers implementing an application for the client in some embodiments. The datacenter to which the client gets assigned can be the first datacenter or a third datacenter.

INFORMATION SECURITY SYSTEM AND METHOD FOR DENIAL-OF-SERVICE DETECTION

A system for detecting Denial-of-Service (DoS) attacks on one or more user profiles collects a number of invalid sign-on attempts on the one or more user profiles during every time interval. The system determines a number of invalid sign-on attempts on every user profile since the start of the first time interval. The system detects a first DoS attack on a particular user profile if a first number of invalid sign-on attempts on the particular user profile exceeds a single-user profile. The system detects a second DoS attack on multiple user profiles during the first time interval if the increase in the total number of invalid sign-on attempts since the last time interval exceeds a scan-level threshold number. The system detects a third DoS attack on multiple user profiles if the total number of invalid sign-on attempts detected during combined time intervals exceeds a third threshold number.

System for attack protection in IoT devices
11711392 · 2023-07-25

An Internet of Things device is herein disclosed. The Internet of Things device comprises a communications module having circuitry to communicatively connect to a computer network, a memory operable to store data, a processor coupled to the memory and the communications module and operable to execute instructions stored in the memory, and an activity module, including at least one of a sensor and a control device. The activity module operates under control of the processor to perform a designated activity with at least one of the sensor and the control device. The activity module further communicates on the computer network via the communications module. The processor curtails a volume of communication of the communications module on the computer network if a measured value of a system parameter exceeds a threshold value.

SECURITY AWARE LOAD BALANCING FOR A GLOBAL SERVER LOAD BALANCING SYSTEM

The method of some embodiments protects multiple datacenters that implement an application. The datacenters include multiple DNS clusters for assigning clients to the datacenters. The method is performed at a first datacenter. The method receives, from a second datacenter, a security notification identifying a set of clients that pose a security threat. The method stores a set of identifiers associated with the set of clients on a deny-list. Prior to responding to a DNS request from a particular client, the method determines whether the particular client is on the deny-list. The method rejects the DNS request when the particular client is on the deny-list. The method processes the DNS request when the particular client is not on the deny-list.

PROOF-OF-WORK TECHNIQUES FOR VALIDATING ONLINE ACTIVITIES

Systems and methods for validating online activities through proof-of-work techniques are provided. In one example, a validating computing system receives a request for a proof-of-work instruction from a client device that has submitted an online activity request to an online server system. The validating computing system generates and transmits a proof-of-work instruction for solving a problem to the client device. The validating computing system further receives a response to the proof-of-work instruction from the client device. The validating computing system generates a validity decision based on whether the client device correctly solved the problem, and transmits, to the online server system, the validity decision for use in granting the online activity request to the online server system.

Methods for managing the traffic associated with a client domain and associated server, client node and computer program
11563816 · 2023-01-24

A method for managing traffic associated with a client domain, implemented in a server. The method includes: detecting a communication problem between the server and at least one first client node of the client domain, called failed node; identifying at least one second client node belonging to the client domain; verifying if a session between the server and the at least one second client node is active; and, if no session is active, triggering a mitigation procedure on at least one IP resource associated with the client domain, or, if at least one session is active, using the second client node associated with the at least one active session, called active node, to initiate an action managing the traffic associated with the client domain.

OUTPUT OF BASELINE BEHAVIORS CORRESPONDING TO FEATURES OF ANOMALOUS EVENTS

According to examples, an apparatus may include a processor and a memory on which is stored machine-readable instructions that when executed by the processor, may cause the processor to determine baseline behaviors from collected data. The processor may also detect that an anomalous event has occurred and may determine at least one feature of the anomalous event that caused the event to be determined to be anomalous. The processor may further identify, from the determined baseline behaviors, a set of baseline behaviors corresponding to the determined at least one feature. The processor may still further generate a message to include an indication that the anomalous event has been detected and the identified set of baseline behaviors and may output the generated message.

User defined objects for network devices
11563632 · 2023-01-24

Provided are systems and methods for configuring a network servicing node with user-defined instruction scripts. A method for configuring a network servicing node with user-defined instruction scripts may commence with receiving, from a user of the network servicing node, a user loadable program. The user loadable program may include at least the user-defined instruction scripts. The method may continue with receiving a data packet from a data network associated with the user. The method may further include determining a condition associated with the data packet. The method may continue with identifying, in a name table, a program name associated with a program using the condition. The program may be the user loadable program. The method may further include processing the data packet by getting an instruction of the user-defined instruction scripts from a storage module and applying the instruction to the data packet.