Amichai Shulman

Method for orchestrating wireless sensors, including registering each of a plurality of monitoring sensors that are attached to a respective plurality of wireless hosting equipment, with an orchestrator, generating, for each sensor, a monitoring plan including a description of wireless channels/protocols for the sensor to monitor, and amounts of time that the sensor should spend monitoring each channel/protocol prior to advancing to a next channel/protocol, wherein the monitoring plan for a… רוצה לראות יותר

Method for orchestrating wireless sensors, including registering each of a plurality of monitoring sensors that are attached to a respective plurality of wireless hosting equipment, with an orchestrator, generating, for each sensor, a monitoring plan including a description of wireless channels/protocols for the sensor to monitor, and amounts of time that the sensor should spend monitoring each channel/protocol prior to advancing to a next channel/protocol, wherein the monitoring plan for a sensor includes directives that instruct the sensor what to do when a monitoring period for a channel/protocol is interrupted before its intended monitoring time is finished, attempting, by the sensors, to monitor the channels/protocols specified in the sensor's monitoring plan in accordance with the time specified in the sensor's monitoring plan, and generating, by each sensor, an execution report including time spent at each channel/protocol, amount of data collected from each channel/protocol, and data captured from each channel/protocol. רוצה לראות פחות

A method by one or more network devices communicatively coupled to a web application layer proxy for profiling parameters of web application layer requests received by the web application layer proxy while preserving privacy. The method includes obtaining masked parameter values associated with a parameter in the web application layer requests, where the masked parameter values associated with the parameter are generated by the web application layer proxy based on masking parameter values… רוצה לראות יותר

A method by one or more network devices communicatively coupled to a web application layer proxy for profiling parameters of web application layer requests received by the web application layer proxy while preserving privacy. The method includes obtaining masked parameter values associated with a parameter in the web application layer requests, where the masked parameter values associated with the parameter are generated by the web application layer proxy based on masking parameter values associated with the parameter while preserving lengths of the parameter values associated with the parameter and character types of characters in the parameter values associated with the parameter, generating the profile of the parameter based on analyzing the masked parameter values associated with the parameter, and providing the profile of the parameter to the web application layer proxy רוצה לראות פחות

A method by one or more electronic devices to notify an administrator when it is safe to mitigate a non-compliant database configuration of a database. The method includes responsive to identifying the non-compliant database configuration of the database, applying a security rule that detects occurrences of database operations that make use of the non-compliant database configuration and responsive to a determination that the security rule has not been invoked for at least a threshold length of… רוצה לראות יותר

A method by one or more electronic devices to notify an administrator when it is safe to mitigate a non-compliant database configuration of a database. The method includes responsive to identifying the non-compliant database configuration of the database, applying a security rule that detects occurrences of database operations that make use of the non-compliant database configuration and responsive to a determination that the security rule has not been invoked for at least a threshold length of time, causing a notification to be sent to the administrator that indicates that it is safe for the administrator to mitigate the non-compliant database configuration. רוצה לראות פחות

A method by a computing device implementing an attack analyzer for processing malicious events. The method includes determining a first set of features describing a malicious event detected by a firewall, determining a set of distances using a non-Euclidean distance function and the first set of features, wherein the non-Euclidean distance function is used to determine geographic origin similarity between different Internet Protocol addresses included in the first and second set of features… רוצה לראות יותר

A method by a computing device implementing an attack analyzer for processing malicious events. The method includes determining a first set of features describing a malicious event detected by a firewall, determining a set of distances using a non-Euclidean distance function and the first set of features, wherein the non-Euclidean distance function is used to determine geographic origin similarity between different Internet Protocol addresses included in the first and second set of features, generating a statistical distribution object using the set of distances, wherein the statistical distribution object includes information describing a cluster that includes at least the malicious event and one or more other malicious events that are determined to be similar to the malicious event in terms of geographic origin, and transmitting information describing the cluster to a management console for presentation to an administrator on a graphical user interface. רוצה לראות פחות

A method in a cloud network to detect compromises within an enterprise network based on tokens tunneled outside of the enterprise network to the cloud network. The method includes receiving, at a tunnel gateway server within the cloud network, a first set of packets via a tunnel across a public network from a first server within the enterprise network, where the first set of packets were generated responsive to the first server receiving a second set of packets that originated from within the… רוצה לראות יותר

A method in a cloud network to detect compromises within an enterprise network based on tokens tunneled outside of the enterprise network to the cloud network. The method includes receiving, at a tunnel gateway server within the cloud network, a first set of packets via a tunnel across a public network from a first server within the enterprise network, where the first set of packets were generated responsive to the first server receiving a second set of packets that originated from within the enterprise network and that included data and a source enterprise network address, where the first set of packets does not include the source enterprise network address and the data includes a token. The method further includes transmitting, by the tunnel gateway server, the data within a third set of packets to a second server that acts as if it were an enterprise server within the enterprise network רוצה לראות פחות

A method for protecting information from databases includes a web application firewall and a database activity monitor. According to one aspect, a web gateway receives a request from a client device and provides the request to an application server to query a database. The web gateway receives sensitive data information describing requested data output by the database. The sensitive data information may include, for example, hints for detecting a type or structure of sensitive data output by… רוצה לראות יותר

A method for protecting information from databases includes a web application firewall and a database activity monitor. According to one aspect, a web gateway receives a request from a client device and provides the request to an application server to query a database. The web gateway receives sensitive data information describing requested data output by the database. The sensitive data information may include, for example, hints for detecting a type or structure of sensitive data output by the database. Additionally, the web gateway receives response data from the application server. The web gateway identifies sensitive data within the response data based on the sensitive data information. The web gateway protects the sensitive data to be provided to the client device using one or more data protection operations, which may include alerts, blocking policies, masking, or anomaly detection using machine learning algorithms. רוצה לראות פחות

Orchestrating wireless monitoring sensors, including registering each sensor with an orchestrator, generating, by the orchestrator for each sensor, a monitoring plan including a description of wireless channels and protocols for the sensor to monitor, and amounts of time that the sensor should spend monitoring each channel/protocol, attempting, by each of the sensors, to monitor the channels/protocols specified in the sensor's monitoring plan in accordance with the amounts of time specified in… רוצה לראות יותר

Orchestrating wireless monitoring sensors, including registering each sensor with an orchestrator, generating, by the orchestrator for each sensor, a monitoring plan including a description of wireless channels and protocols for the sensor to monitor, and amounts of time that the sensor should spend monitoring each channel/protocol, attempting, by each of the sensors, to monitor the channels/protocols specified in the sensor's monitoring plan in accordance with the amounts of time specified in the monitoring plan, generating, by each sensor, an execution report including, for each channel/protocol monitored by the sensor, the actual time spent at the channel/protocol, the actual amount of data collected from the channel/protocol, and data captured from the channel/protocol, generating, by the orchestrator, a current coverage map indicating coverage of each channel over space and time, and further generating, by the orchestrator, one or more respective updated monitoring plans, based on the current coverage map. רוצה לראות פחות

A method of processing malicious events in a network infrastructure determines features of malicious events detected by a firewall of an attack analyzer. Example features may indicate an origin of an attack, a target of the attack, or a type of a malicious event. The attack analyzer determines distances, e.g., using a non-Euclidean distance function, between features of a given malicious event and features of statistical distribution objects (SDOs). The SDOs describe clusters of previously… רוצה לראות יותר

A method of processing malicious events in a network infrastructure determines features of malicious events detected by a firewall of an attack analyzer. Example features may indicate an origin of an attack, a target of the attack, or a type of a malicious event. The attack analyzer determines distances, e.g., using a non-Euclidean distance function, between features of a given malicious event and features of statistical distribution objects (SDOs). The SDOs describe clusters of previously detected malicious events. The attack analyzer may select one of the SDOs that has features similar to those of the given malicious event. The attack analyzer can update the SDOs by including an alert of the given malicious event with an existing cluster or generating a new cluster including the alert. The attack analyzer may transmit information describing the clusters of the SDOs to a management console רוצה לראות פחות

According to one embodiment, a web application layer attack detector (AD) is coupled between an HTTP client and a web application server. Responsive to receipt of a set of packets from the HTTP client carrying a web application layer message that violates a condition of a security rule, the AD transmits an alert package to an automatic attribute value generation and rule feedback module (AVGRFM). The AVGRFM uses the alert package, and optionally other alert packages from the same AD or other… רוצה לראות יותר

According to one embodiment, a web application layer attack detector (AD) is coupled between an HTTP client and a web application server. Responsive to receipt of a set of packets from the HTTP client carrying a web application layer message that violates a condition of a security rule, the AD transmits an alert package to an automatic attribute value generation and rule feedback module (AVGRFM). The AVGRFM uses the alert package, and optionally other alert packages from the same AD or other ADs, to automatically generate a new set of attribute values for each of a set of attribute identifiers for use, by the AD or other ADs, in a different security rule than the violated security rule. The new set of attribute values may be used in an attack specific rule to detect a previously unknown web application layer attack רוצה לראות פחות

An analyzer module (AM) within a same protected network and on-premise with a server detects and distinguishes between types of Denial-of-Service (DoS) attacks. The AM tracks whether test messages, which include test request messages that a signal generation module (SGM) is configured to transmit to the server according to a predefined time schedule to allow the AM to detect and distinguish between types of DoS attacks, are timely received. The AM is aware of the predefined time schedule… רוצה לראות יותר

An analyzer module (AM) within a same protected network and on-premise with a server detects and distinguishes between types of Denial-of-Service (DoS) attacks. The AM tracks whether test messages, which include test request messages that a signal generation module (SGM) is configured to transmit to the server according to a predefined time schedule to allow the AM to detect and distinguish between types of DoS attacks, are timely received. The AM is aware of the predefined time schedule according to which the SGM is configured to transmit the test request messages to the server. The AM detects an occurrence of a DoS attack and identifies the type of the DoS attack based upon the result of the tracking indicating that a number of the test messages have not been timely received. רוצה לראות פחות

A method by a security system for selectively triggering different ones of a plurality of database assessment scans for a database and detecting when non-compliant database configurations of the database are being used. The method includes monitoring for occurrences of a first class of database operations, responsive to detecting an occurrence of one or more database operations of the first class, selecting one or more subsets of the plurality of database assessment scans to be rerun… רוצה לראות יותר

A method by a security system for selectively triggering different ones of a plurality of database assessment scans for a database and detecting when non-compliant database configurations of the database are being used. The method includes monitoring for occurrences of a first class of database operations, responsive to detecting an occurrence of one or more database operations of the first class, selecting one or more subsets of the plurality of database assessment scans to be rerun, triggering performance of only the selected one or more of the subsets, identifying one or more non-compliant database configurations of the database based on accessing results of the selected one or more of the subsets, determining one or more security rules for detecting occurrences of database operations that make use of the identified one or more non-compliant database configurations, and applying the determined one or more security rules. רוצה לראות פחות

A botnet identification module identifies members of one or more botnets based upon network traffic destined to one or more servers over time, and provides sets of botnet sources to a traffic monitoring module. Each set of botnet sources includes a plurality of source identifiers of end stations acting as part of a corresponding botnet. A traffic monitoring module receives the sets of botnet sources from the botnet identification module, and upon a receipt of traffic identified as malicious… רוצה לראות יותר

A botnet identification module identifies members of one or more botnets based upon network traffic destined to one or more servers over time, and provides sets of botnet sources to a traffic monitoring module. Each set of botnet sources includes a plurality of source identifiers of end stations acting as part of a corresponding botnet. A traffic monitoring module receives the sets of botnet sources from the botnet identification module, and upon a receipt of traffic identified as malicious that was sent by a source identified within one of the sets of botnet sources, activates a protection mechanism with regard to all traffic from all of the sources identified by the one of the sets of botnet sources for an amount of time. רוצה לראות פחות

A method by a security system for detecting malicious attempts to access a decoy database object in a database. The database includes database objects accessible by clients of the database called database clients. The method includes detecting access to a decoy database object of the database is being attempted by a database client over a connection to the database, where the decoy database object is a database object that is created for the purpose of deceiving an attacker as opposed to being… רוצה לראות יותר

A method by a security system for detecting malicious attempts to access a decoy database object in a database. The database includes database objects accessible by clients of the database called database clients. The method includes detecting access to a decoy database object of the database is being attempted by a database client over a connection to the database, where the decoy database object is a database object that is created for the purpose of deceiving an attacker as opposed to being a legitimate database object, determining that the connection is of an application connection type, where the application connection type is a type of connection over which queries generated by a database client are submitted, and responsive to the determination that the connection is of the application connection type, causing an alert to be generated. רוצה לראות פחות

A method implemented by a security system for selectively triggering different ones of a plurality of database assessment scans for a database The method includes monitoring for occurrences of a first class of database operations that have been determined to require only rerunning subsets of the plurality of database assessment scans to determine whether results of the plurality of database assessment scan shave changed, responsive to detecting an occurrence of one or more database operations… רוצה לראות יותר

A method implemented by a security system for selectively triggering different ones of a plurality of database assessment scans for a database The method includes monitoring for occurrences of a first class of database operations that have been determined to require only rerunning subsets of the plurality of database assessment scans to determine whether results of the plurality of database assessment scan shave changed, responsive to detecting an occurrence of one or more database operations of the first class, selecting one or more of the subsets to be rerun based on which of the database operations of the first class occurred, and triggering performance of only the selected one or more of the subsets to determine whether the results of the plurality of database assessment scans have changed. רוצה לראות פחות

A Token Transmission Server transmits active tokens within an enterprise network. The active tokens include either active data tokens or active request tokens, and are fraudulent from the perspective of the enterprise. A Token Monitoring Server monitors network traffic within the enterprise network to detect the presence of network traffic being originated by an enterprise device based upon the active tokens, and generates an alert indicating that the enterprise device is likely compromised.

A token tunnel server (TTS) within an enterprise network receives packets from a source address directed to a destination address (both of the enterprise network) that were caused to be originated by an attacker. The packets carry data including a token that was placed upon an end station of the enterprise and that appears to be useful for accessing an enterprise server, despite the apparent enterprise server not actually being deployed within the enterprise network. The TTS transmits packets… רוצה לראות יותר

A token tunnel server (TTS) within an enterprise network receives packets from a source address directed to a destination address (both of the enterprise network) that were caused to be originated by an attacker. The packets carry data including a token that was placed upon an end station of the enterprise and that appears to be useful for accessing an enterprise server, despite the apparent enterprise server not actually being deployed within the enterprise network. The TTS transmits packets carrying the data (that do not include the source address) across a public network outside of the enterprise network to a tunnel gateway server (TGS). The TGS sends the data to a trap server that acts as the apparent enterprise server. Actions of the attacker with regard to the trap server can be monitored while the source address is not provided to the TGS. רוצה לראות פחות

Noisy tokens can be placed in locations of client end stations such that local operations performed upon the noisy tokens generate network traffic. A traffic monitoring module (TMM) can determine normal activity patterns of network traffic resulting from one or more of the placed noisy tokens being activated by one or more non-malicious operations, and identify that other network traffic resulting from one or more of the noisy tokens being activated does not meet the one or more normal activity… רוצה לראות יותר

Noisy tokens can be placed in locations of client end stations such that local operations performed upon the noisy tokens generate network traffic. A traffic monitoring module (TMM) can determine normal activity patterns of network traffic resulting from one or more of the placed noisy tokens being activated by one or more non-malicious operations, and identify that other network traffic resulting from one or more of the noisy tokens being activated does not meet the one or more normal activity patterns. In response, the TMM can cause an alert to be generated. רוצה לראות פחות

According to one embodiment, an analyzer module (AM) within a same protected network and on-premise with a web application server (WAS) detects and distinguishes between types of Denial-of-Service (DoS) attacks. The AM tracks whether test HTTP messages, which include test HTTP request messages that a signal generation module (SGM) is configured to transmit to the WAS and test HTTP response messages that the WAS is expected to transmit in response to the test HTTP request messages, are timely… רוצה לראות יותר

According to one embodiment, an analyzer module (AM) within a same protected network and on-premise with a web application server (WAS) detects and distinguishes between types of Denial-of-Service (DoS) attacks. The AM tracks whether test HTTP messages, which include test HTTP request messages that a signal generation module (SGM) is configured to transmit to the WAS and test HTTP response messages that the WAS is expected to transmit in response to the test HTTP request messages, are timely received. The AM is aware of a timeliness that the SGM is expected to transmit the test HTTP request messages and that the WAS is expected to transmit the test response HTTP messages. The AM detects an occurrence of a DoS attack and identifies the type of the DoS attack based upon the result of the tracking indicating that a number of the test HTTP messages have not been timely received. רוצה לראות פחות

Techniques for unobtrusively protecting against large-scale data breaches over time are described. A security gateway coupled between clients and servers receives data object (DO) access requests from the clients on behalf of users of an enterprise. Each of the users is allocated a budget for each of one or more time periods. The security gateway determines an access cost for each DO access request based on characteristics of the DO request, where lower access costs are indicative expected DO… רוצה לראות יותר

Techniques for unobtrusively protecting against large-scale data breaches over time are described. A security gateway coupled between clients and servers receives data object (DO) access requests from the clients on behalf of users of an enterprise. Each of the users is allocated a budget for each of one or more time periods. The security gateway determines an access cost for each DO access request based on characteristics of the DO request, where lower access costs are indicative expected DO access consumption for users of the enterprise, and charges the determined access cost against the budget for that user corresponding to the time period when the DO access request was received. Alert messages are transmitted based on different ones of the users exceeding their budget(s), and the transmission of the DO access requests to the data object servers is not prevented. רוצה לראות פחות

Techniques related to preventing large-scale data breaches utilizing differentiated data object (DO) protection layers are described. A security gateway placed within a communication path between client end stations and servers receives DO access requests from the client end stations. The DOs are divided into a first subset that are currently classified as active and a second subset that are currently classified as inactive based upon a likelihood of further legitimate access to the DOs. Those… רוצה לראות יותר

Techniques related to preventing large-scale data breaches utilizing differentiated data object (DO) protection layers are described. A security gateway placed within a communication path between client end stations and servers receives DO access requests from the client end stations. The DOs are divided into a first subset that are currently classified as active and a second subset that are currently classified as inactive based upon a likelihood of further legitimate access to the DOs. Those of the DO access requests for DOs determined to be in the first subset are subjected to a first protection layer utilizing zero or more protection mechanisms. Those of the plurality of DO access requests for DOs not in the first subset are subjected to a second protection layer utilizing one or more protection mechanisms. Large-scale data breaches are efficiently prevented without disruption to legitimate DO access requests. רוצה לראות פחות

According to one embodiment, a method in a computing device for responding to a determination that a verification with a user is desired responsive to detection of activity indicative of a possible insider threat is described. The method includes selecting a target role and a target user for the verification based on an activity context and an enterprise context repository, the selecting including selecting the target role from a plurality of target roles based on the activity context and… רוצה לראות יותר

According to one embodiment, a method in a computing device for responding to a determination that a verification with a user is desired responsive to detection of activity indicative of a possible insider threat is described. The method includes selecting a target role and a target user for the verification based on an activity context and an enterprise context repository, the selecting including selecting the target role from a plurality of target roles based on the activity context and optionally the enterprise context repository and selecting a target user in the selected target role based on the enterprise context repository. The method further includes causing a verification request to be sent to the selected target user; and generating an alert when a verification result indicates that the activity is indicative of the possible insider threat. רוצה לראות פחות

A system for automatic stability determination and deployment of discrete parts of a profile representing normal behavior to provide fast protection of web applications is disclosed. The system, in response to a sensor collecting from HTTP requests sent by the clients to the web application installed on the protected device, automatically creates for a web application a profile with discrete parts that will represent normal behavior so that deviations from the profile can be considered… רוצה לראות יותר

A system for automatic stability determination and deployment of discrete parts of a profile representing normal behavior to provide fast protection of web applications is disclosed. The system, in response to a sensor collecting from HTTP requests sent by the clients to the web application installed on the protected device, automatically creates for a web application a profile with discrete parts that will represent normal behavior so that deviations from the profile can be considered anomalous. The system automatically determines that a first of the discrete parts of the profile has become stable. The system then automatically deploys the first discrete part of the profile to the sensor that now will compare with the first discrete part of the profile subsequent HTTP requests sent by the clients to the web application to detect deviations from the normal behavior represented by the first discrete part. רוצה לראות פחות

Techniques related to virtual encryption patching are described. A security gateway includes multiple Transport Layer Security Implementations (TLSI) that can be used for creating secure communications channels to carry application-layer traffic between one or more clients and one or more server applications. In some embodiments, upon determining that one of the multiple TLSIs contains a security vulnerability, that TLSI can be disabled, leaving one or more others of the multiple TLSIs enabled… רוצה לראות יותר

Techniques related to virtual encryption patching are described. A security gateway includes multiple Transport Layer Security Implementations (TLSI) that can be used for creating secure communications channels to carry application-layer traffic between one or more clients and one or more server applications. In some embodiments, upon determining that one of the multiple TLSIs contains a security vulnerability, that TLSI can be disabled, leaving one or more others of the multiple TLSIs enabled and available to be used to carry traffic of new connections between the clients and server applications. רוצה לראות פחות

A system for automatic stability determination and deployment of discrete parts of a profile representing normal behavior to provide fast protection of web applications is disclosed. The system, in response to a sensor collecting from HTTP requests sent by the clients to the web application installed on the protected device, automatically creates for a web application a profile with discrete parts that will represent normal behavior so that deviations from the profile can be considered… רוצה לראות יותר

A system for automatic stability determination and deployment of discrete parts of a profile representing normal behavior to provide fast protection of web applications is disclosed. The system, in response to a sensor collecting from HTTP requests sent by the clients to the web application installed on the protected device, automatically creates for a web application a profile with discrete parts that will represent normal behavior so that deviations from the profile can be considered anomalous. The system automatically determines that a first of the discrete parts of the profile has become stable. The system then automatically deploys the first discrete part of the profile to the sensor that now will compare with the first discrete part of the profile subsequent HTTP requests sent by the clients to the web application to detect deviations from the normal behavior represented by the first discrete part רוצה לראות פחות

According to one embodiment, a web application layer attack detector (AD) is coupled between an HTTP client and a web application server. Responsive to receipt of a set of packets from the HTTP client carrying a web application layer message that violates a condition of a security rule, the AD transmits an alert package to an automatic attribute value generation and rule feedback module (AVGRFM). The AVGRFM uses the alert package, and optionally other alert packages from the same AD or other… רוצה לראות יותר

According to one embodiment, a web application layer attack detector (AD) is coupled between an HTTP client and a web application server. Responsive to receipt of a set of packets from the HTTP client carrying a web application layer message that violates a condition of a security rule, the AD transmits an alert package to an automatic attribute value generation and rule feedback module (AVGRFM). The AVGRFM uses the alert package, and optionally other alert packages from the same AD or other ADs, to automatically generate a new set of attribute values for each of a set of attribute identifiers for use, by the AD or other ADs, in a different security rule than the violated security rule. The new set of attribute values may be used in an attack specific rule to detect a previously unknown web application layer attack. רוצה לראות פחות

Techniques related to detecting compromised unmanaged client end stations using synchronized tokens placed on enterprise-managed client end stations are described. A token distribution module causes token(s) to be placed with user data of a managed client end station in specific locations. The placement locations are selected due to the token(s) likely being synchronized, the token(s) being unlikely to be discovered or used by an authorized user, but likely discovered by an attacker. During a… רוצה לראות יותר

Techniques related to detecting compromised unmanaged client end stations using synchronized tokens placed on enterprise-managed client end stations are described. A token distribution module causes token(s) to be placed with user data of a managed client end station in specific locations. The placement locations are selected due to the token(s) likely being synchronized, the token(s) being unlikely to be discovered or used by an authorized user, but likely discovered by an attacker. During a synchronization process, the token(s) are sent to an unmanaged client end station. The token(s) can be detected and/or acquired from the unmanaged client end station by an attacker, and thereafter used in an attempt to access an apparent enterprise resource. A token detection module can detect this use of the token(s) to thereby detect the compromise of the unmanaged client end station, without needing direct access to the unmanaged client end station. רוצה לראות פחות

Techniques related to preventing large-scale data breaches utilizing differentiated data object (DO) protection layers are described. A security gateway placed within a communication path between client end stations and servers receives DO access requests from the client end stations. The DOs are divided into a first subset that are currently classified as active and a second subset that are currently classified as inactive based upon a likelihood of further legitimate access to the DOs. Those… רוצה לראות יותר

Techniques related to preventing large-scale data breaches utilizing differentiated data object (DO) protection layers are described. A security gateway placed within a communication path between client end stations and servers receives DO access requests from the client end stations. The DOs are divided into a first subset that are currently classified as active and a second subset that are currently classified as inactive based upon a likelihood of further legitimate access to the DOs. Those of the DO access requests for DOs determined to be in the first subset are subjected to a first protection layer utilizing zero or more protection mechanisms. Those of the plurality of DO access requests for DOs not in the first subset are subjected to a second protection layer utilizing one or more protection mechanisms. Large-scale data breaches are efficiently prevented without disruption to legitimate DO access requests. רוצה לראות פחות

Techniques for unobtrusively protecting against large-scale data breaches over time are described. A security gateway coupled between clients and servers receives data object (DO) access requests from the clients on behalf of users of an enterprise. Each of the users is allocated a budget for each of one or more time periods. The security gateway determines an access cost for each DO access request based on characteristics of the DO request, where lower access costs are indicative expected DO… רוצה לראות יותר

Techniques for unobtrusively protecting against large-scale data breaches over time are described. A security gateway coupled between clients and servers receives data object (DO) access requests from the clients on behalf of users of an enterprise. Each of the users is allocated a budget for each of one or more time periods. The security gateway determines an access cost for each DO access request based on characteristics of the DO request, where lower access costs are indicative expected DO access consumption for users of the enterprise, and charges the determined access cost against the budget for that user corresponding to the time period when the DO access request was received. Alert messages are transmitted based on different ones of the users exceeding their budget(s), and the transmission of the DO access requests to the data object servers is not prevented. רוצה לראות פחות

According to one embodiment, a method for setting a trap to detect that an intruder has compromised a client end station (CES) in an attempt to gain unauthorized access to enterprise data provided by a server is described. The method includes causing a honey token to be placed on the CES secluded within a configuration repository, wherein the honey token is metadata and/or instructions indicating how applications can seemingly access the enterprise data but that is actually invalid, and the… רוצה לראות יותר

According to one embodiment, a method for setting a trap to detect that an intruder has compromised a client end station (CES) in an attempt to gain unauthorized access to enterprise data provided by a server is described. The method includes causing a honey token to be placed on the CES secluded within a configuration repository, wherein the honey token is metadata and/or instructions indicating how applications can seemingly access the enterprise data but that is actually invalid, and the honey token is placed on the CES and not on the server. The method also includes causing attribute values to be installed on a security gateway for a security rule causing the security gateway to monitor network traffic for attempted use of the honey token, and to generate an alert when a set of one or more packets that include the honey token are received. רוצה לראות פחות

According to one embodiment, a method in a computing device for responding to a determination that a verification with a user is desired responsive to detection of activity indicative of a possible insider threat is described. The method includes selecting a target role and a target user for the verification based on an activity context and an enterprise context repository, the selecting including selecting the target role from a plurality of target roles based on the activity context and… רוצה לראות יותר

According to one embodiment, a method in a computing device for responding to a determination that a verification with a user is desired responsive to detection of activity indicative of a possible insider threat is described. The method includes selecting a target role and a target user for the verification based on an activity context and an enterprise context repository, the selecting including selecting the target role from a plurality of target roles based on the activity context and optionally the enterprise context repository and selecting a target user in the selected target role based on the enterprise context repository. The method further includes causing a verification request to be sent to the selected target user; and generating an alert when a verification result indicates that the activity is indicative of the possible insider threat. רוצה לראות פחות

According to one embodiment, an analyzer module (AM) within a same protected network and on-premise with a web application server (WAS) detects and distinguishes between types of Denial-of-Service (DoS) attacks. The AM tracks whether test HTTP messages, which include test HTTP request messages that a signal generation module (SGM) is configured to transmit to the WAS and test HTTP response messages that the WAS is expected to transmit in response to the test HTTP request messages, are timely… רוצה לראות יותר

According to one embodiment, an analyzer module (AM) within a same protected network and on-premise with a web application server (WAS) detects and distinguishes between types of Denial-of-Service (DoS) attacks. The AM tracks whether test HTTP messages, which include test HTTP request messages that a signal generation module (SGM) is configured to transmit to the WAS and test HTTP response messages that the WAS is expected to transmit in response to the test HTTP request messages, are timely received. The AM is aware of a timeliness that the SGM is expected to transmit the test HTTP request messages and that the WAS is expected to transmit the test response HTTP messages. The AM detects an occurrence of a DoS attack and identifies the type of the DoS attack based upon the result of the tracking indicating that a number of the test HTTP messages have not been timely received. רוצה לראות פחות

A method for detecting and blocking Javascript hijacking attacks, comprising checking if an incoming request belongs to a valid session established between a client and a trusted server. When said incoming request does belong to a valid session, it is checked if a Referer header of said incoming request includes a valid domain name. The incoming request is marked as suspicious, when said incoming request does not include a valid domain name. It is checked if a respective response of said… רוצה לראות יותר

A method for detecting and blocking Javascript hijacking attacks, comprising checking if an incoming request belongs to a valid session established between a client and a trusted server. When said incoming request does belong to a valid session, it is checked if a Referer header of said incoming request includes a valid domain name. The incoming request is marked as suspicious, when said incoming request does not include a valid domain name. It is checked if a respective response of said suspicious incoming request includes a script code. A preventive action responsive to a user input is taken when said respective response includes a script code. רוצה לראות פחות

According to one embodiment, a method for setting a trap to detect that an intruder has compromised a client end station (CES) in an attempt to gain unauthorized access to enterprise data provided by a server is described. The method includes causing a honey token to be placed on the CES secluded within a configuration repository, wherein the honey token is metadata and/or instructions indicating how applications can seemingly access the enterprise data but that is actually invalid, and the… רוצה לראות יותר

According to one embodiment, a method for setting a trap to detect that an intruder has compromised a client end station (CES) in an attempt to gain unauthorized access to enterprise data provided by a server is described. The method includes causing a honey token to be placed on the CES secluded within a configuration repository, wherein the honey token is metadata and/or instructions indicating how applications can seemingly access the enterprise data but that is actually invalid, and the honey token is placed on the CES and not on the server. The method also includes causing attribute values to be installed on a security gateway for a security rule causing the security gateway to monitor network traffic for attempted use of the honey token, and to generate an alert when a set of one or more packets that include the honey token are received. רוצה לראות פחות

According to one embodiment, an analyzer module (AM) within a same protected network and on-premise with a web application server (WAS) detects and distinguishes between types of Denial-of-Service (DoS) attacks. The AM tracks whether test HTTP messages, which include test HTTP request messages that a signal generation module (SGM) is configured to transmit to the WAS and test HTTP response messages that the WAS is expected to transmit in response to the test HTTP request messages, are timely… רוצה לראות יותר

According to one embodiment, an analyzer module (AM) within a same protected network and on-premise with a web application server (WAS) detects and distinguishes between types of Denial-of-Service (DoS) attacks. The AM tracks whether test HTTP messages, which include test HTTP request messages that a signal generation module (SGM) is configured to transmit to the WAS and test HTTP response messages that the WAS is expected to transmit in response to the test HTTP request messages, are timely received. The AM is aware of a timeliness that the SGM is expected to transmit the test HTTP request messages and that the WAS is expected to transmit the test response HTTP messages. The AM detects an occurrence of a DoS attack and identifies the type of the DoS attack based upon the result of the tracking indicating that a number of the test HTTP messages have not been timely received. רוצה לראות פחות

Communications to a server over an in-band communications channel are monitored for requests to access a file. Based on the communications, a request to access a particular file stored by the server is identified. Security and/or audit rules are identified based on the request. A determination is thereafter made that the security and/or audit rules require evaluation of classification information for contents of the requested file. Thus, a determination is made as to whether classification… רוצה לראות יותר

Communications to a server over an in-band communications channel are monitored for requests to access a file. Based on the communications, a request to access a particular file stored by the server is identified. Security and/or audit rules are identified based on the request. A determination is thereafter made that the security and/or audit rules require evaluation of classification information for contents of the requested file. Thus, a determination is made as to whether classification information for the contents of the particular file is available, such as determining whether the classification information is stored in a local classification cache. Responsive to a determination that the classification information is not available, classification information is obtained for the contents of the particular file using an out-of-band communications channel. Thereafter, processing with respect to the request to access the particular file is performed based on the obtained classification information and the one or more security and/or audit rules. רוצה לראות פחות

According to one embodiment, a computing device is coupled to a web application layer attack detector (AD), which itself is coupled between an HTTP client and a web application server. The computing device automatically learns a new condition to detect a first type of web application layer attack. Responsive receiving a web application layer message from the HTTP client that violates a rule for detecting the first type of web application layer attack, the AD transmits an alert package to the… רוצה לראות יותר

According to one embodiment, a computing device is coupled to a web application layer attack detector (AD), which itself is coupled between an HTTP client and a web application server. The computing device automatically learns a new condition to detect a first type of web application layer attack. Responsive receiving a web application layer message from the HTTP client that violates a rule for detecting the first type of web application layer attack, the AD transmits an alert package to the computing device, which uses the alert package, and optionally other alert packages, to automatically generate a new set of attribute values for each of a set of attribute identifiers to be transmitted to the AD or optionally other ADs for use in a different rule than the violated rule. The different rule is another attack specific rule for detecting the first type of web application layer attack. רוצה לראות פחות

According to one embodiment, a web application layer attack detector (AD) is coupled between an HTTP client and a web application server. Responsive to receipt of a set of packets from the HTTP client carrying a web application layer message that violates a condition of a security rule, the AD transmits an alert package to an automatic attribute value generation and rule feedback module (AVGRFM). The AVGRFM uses the alert package, and optionally other alert packages from the same AD or other… רוצה לראות יותר

According to one embodiment, a web application layer attack detector (AD) is coupled between an HTTP client and a web application server. Responsive to receipt of a set of packets from the HTTP client carrying a web application layer message that violates a condition of a security rule, the AD transmits an alert package to an automatic attribute value generation and rule feedback module (AVGRFM). The AVGRFM uses the alert package, and optionally other alert packages from the same AD or other ADs, to automatically generate a new set of attribute values for each of a set of attribute identifiers for use, by the AD or other ADs, in a different security rule than the violated security rule. The new set of attribute values may be used in an attack specific rule to detect a previously unknown web application layer attack. רוצה לראות פחות

According to one embodiment, a computing device is coupled to a set of web application layer attack detectors (ADs), which are coupled between HTTP clients and web application servers. The computing device automatically learns a new condition shared by a plurality of alert packages reported by the set of ADs due to a triggering of one or more rules that is indicative of a web application layer attack. The computing device automatically generates a new set of attribute values by analyzing the… רוצה לראות יותר

According to one embodiment, a computing device is coupled to a set of web application layer attack detectors (ADs), which are coupled between HTTP clients and web application servers. The computing device automatically learns a new condition shared by a plurality of alert packages reported by the set of ADs due to a triggering of one or more rules that is indicative of a web application layer attack. The computing device automatically generates a new set of attribute values by analyzing the plurality of alert packages to identify the condition shared by the plurality of alert packages, and transmits the new set of attribute values for delivery to the set of ADs for a different rule to be used to protect against the web application layer attack from the HTTP clients or any other HTTP client. רוצה לראות פחות

According to one embodiment, a computing device is coupled to a set of web application layer attack detectors (AD), which are coupled between HTTP clients and web application servers. The computing device learns a new set of attribute values for a set of attribute identifiers for each of a sequence of rules through an iterative process having a plurality of iterations. The iterative process begins with an attack specific rule, and the sequence of rules includes an attacker specific rule and… רוצה לראות יותר

According to one embodiment, a computing device is coupled to a set of web application layer attack detectors (AD), which are coupled between HTTP clients and web application servers. The computing device learns a new set of attribute values for a set of attribute identifiers for each of a sequence of rules through an iterative process having a plurality of iterations. The iterative process begins with an attack specific rule, and the sequence of rules includes an attacker specific rule and another attack specific rule. Each iteration includes receiving a current alert package from one of the ADs sent responsive to a set of packets carrying a web application layer request meeting a condition of a current rule used by the AD, automatically generating a new set of attribute values based upon the current alert package, and transmitting the new set of attribute values to the set of ADs. רוצה לראות פחות

A method for detecting and blocking Javascript hijacking attacks, comprising checking if an incoming request belongs to a valid session established between a client and a trusted server. When said incoming request does belong to a valid session, it is checked if a Referer header of said incoming request includes a valid domain name. The incoming request is marked as suspicious, when said incoming request does not include a valid domain name. It is checked if a respective response of said… רוצה לראות יותר

A method for detecting and blocking Javascript hijacking attacks, comprising checking if an incoming request belongs to a valid session established between a client and a trusted server. When said incoming request does belong to a valid session, it is checked if a Referer header of said incoming request includes a valid domain name. The incoming request is marked as suspicious, when said incoming request does not include a valid domain name. It is checked if a respective response of said suspicious incoming request includes a script code. A preventive action responsive to a user input is taken when said respective response includes a script code. רוצה לראות פחות

According to one embodiment, a method for setting a trap to detect that an intruder has compromised a client end station (CES) in an attempt to gain unauthorized access to enterprise data provided by a server is described. The method includes causing a honey token to be placed on the CES secluded within a configuration repository, wherein the honey token is metadata and/or instructions indicating how applications can seemingly access the enterprise data but that is actually invalid, and the… רוצה לראות יותר

According to one embodiment, a method for setting a trap to detect that an intruder has compromised a client end station (CES) in an attempt to gain unauthorized access to enterprise data provided by a server is described. The method includes causing a honey token to be placed on the CES secluded within a configuration repository, wherein the honey token is metadata and/or instructions indicating how applications can seemingly access the enterprise data but that is actually invalid, and the honey token is placed on the CES and not on the server. The method also includes causing attribute values to be installed on a security gateway for a security rule causing the security gateway to monitor network traffic for attempted use of the honey token, and to generate an alert when a set of one or more packets that include the honey token are received. רוצה לראות פחות

The detection of web browser-based attacks using browser tests launched from a remote source is described. In one example, a digest is computed based on the content of an HTTP response message. The message is modified and sent to a client device that also computes a digest. The digests are compared to determine whether content has been modified by malware on the HTTP client. The results of the test are analyzed and defensive measures are taken.

The detection of web browser-based attacks using browser test launched from a remote source is described. In one example, it is determined that a test should be performed responsive to receiving an HTTP message sent by a client device and a policy. The test is performed with the client device to determine only whether content intended to be communicated between the HTTP client and the web application server using an HTTP message has been modified by malware on the HTTP client. The test includes… רוצה לראות יותר

The detection of web browser-based attacks using browser test launched from a remote source is described. In one example, it is determined that a test should be performed responsive to receiving an HTTP message sent by a client device and a policy. The test is performed with the client device to determine only whether content intended to be communicated between the HTTP client and the web application server using an HTTP message has been modified by malware on the HTTP client. The test includes the sending of an HTTP response to the HTTP client. The results of the test are analyzed and defensive measures are taken. רוצה לראות פחות

The detection of web browser-based attacks using browser tests launched from a remote source is described. In one example, a digest is computed based on the content of an HTTP response message. The message is modified and sent to a client device that also computes a digest. The digests are compared to determine whether content has been modified by malware on the HTTP client. The results of the test are analyzed and defensive measures are taken.

An adaptive normal behavior profile (NBP) architecture for providing fast protection of enterprise applications are disclosed. The adaptive NBP architecture includes a plurality of profile items. Each profile item includes a plurality of profile properties holding the descriptive values of the respective item. An application-level security system can identify and prevent attacks targeted at enterprise applications by matching application events against at least a single profile item in the… רוצה לראות יותר

An adaptive normal behavior profile (NBP) architecture for providing fast protection of enterprise applications are disclosed. The adaptive NBP architecture includes a plurality of profile items. Each profile item includes a plurality of profile properties holding the descriptive values of the respective item. An application-level security system can identify and prevent attacks targeted at enterprise applications by matching application events against at least a single profile item in the adaptive NBP. רוצה לראות פחות

According to one embodiment, a web application layer attack detector (AD) is coupled between an HTTP client and a web application server. Responsive to receipt of a set of packets from the HTTP client carrying a web application layer message that violates a condition of a security rule, the AD transmits an alert package to an automatic attribute value generation and rule feedback module (AVGRFM). The AVGRFM uses the alert package, and optionally other alert packages from the same AD or other… רוצה לראות יותר

According to one embodiment, a web application layer attack detector (AD) is coupled between an HTTP client and a web application server. Responsive to receipt of a set of packets from the HTTP client carrying a web application layer message that violates a condition of a security rule, the AD transmits an alert package to an automatic attribute value generation and rule feedback module (AVGRFM). The AVGRFM uses the alert package, and optionally other alert packages from the same AD or other ADs, to automatically generate a new set of attribute values for each of a set of attribute identifiers for use, by the AD or other ADs, in a different security rule than the violated security rule. The new set of attribute values may be used in an attack specific rule to detect a previously unknown web application layer attack. רוצה לראות פחות

A method for monitoring stored procedures is disclosed. The method performs on-line and inline monitoring of stored procedures for detecting table access operations performed by the procedures. This allows the enforcing of access control policies, correlation rules and audit rules on stored procedures. The monitoring is performed using mapping information gathered about each stored procedure that can be executed by a database server. The method comprises parsing an incoming transaction… רוצה לראות יותר

A method for monitoring stored procedures is disclosed. The method performs on-line and inline monitoring of stored procedures for detecting table access operations performed by the procedures. This allows the enforcing of access control policies, correlation rules and audit rules on stored procedures. The monitoring is performed using mapping information gathered about each stored procedure that can be executed by a database server. The method comprises parsing an incoming transaction submitted by a client; determining whether the incoming transaction includes an invocation of a stored procedure; obtaining a query group corresponding to the stored procedure; applying an access control policy on the query group; and asserting an unauthorized event if the query group is not compliant with the access control policy. רוצה לראות פחות

According to one embodiment, a security gateway (SG) is coupled between a hypertext transport protocol (HTTP) client and a web application server. Responsive to a first HTTP message being transmitted between the HTTP client and the web application server as part of an HTTP session, the SG generates security gateway session security state information (SGI) based on a policy. The SG also generates a digital signature (SGS) from the SGI, creates an SG signed session security state information… רוצה לראות יותר

According to one embodiment, a security gateway (SG) is coupled between a hypertext transport protocol (HTTP) client and a web application server. Responsive to a first HTTP message being transmitted between the HTTP client and the web application server as part of an HTTP session, the SG generates security gateway session security state information (SGI) based on a policy. The SG also generates a digital signature (SGS) from the SGI, creates an SG signed session security state information cookie (SGC), and sends the SGC to the HTTP client for storage instead of storing the SGI in the SG. Responsive to a second HTTP message of the HTTP session, the SG attempts to validate a claim made in the second HTTP request using at least the policy and the SGC that is supposed to be returned with the second HTTP message רוצה לראות פחות

A method for tracking and identifying an identity of a user accessing a web application. An application normal behavior profile (NBP), wherein said NBP includes a plurality of authentication identifiers of the web application is generated. It is determined using the NBP whether an authentication request submitted by the user was successful. A first actionable data on a successful authentication request is saved. A second actionable data on an unsuccessful authentication request is saved.

A method for detecting and blocking Javascript hijacking attacks, comprising checking if an incoming request belongs to a valid session established between a client and a trusted server. When said incoming request does belong to a valid session, it is checked if a Referer header of said incoming request includes a valid domain name. The incoming request is marked as suspicious, when said incoming request does not include a valid domain name. It is checked if a respective response of said… רוצה לראות יותר

A method for detecting and blocking Javascript hijacking attacks, comprising checking if an incoming request belongs to a valid session established between a client and a trusted server. When said incoming request does belong to a valid session, it is checked if a Referer header of said incoming request includes a valid domain name. The incoming request is marked as suspicious, when said incoming request does not include a valid domain name. It is checked if a respective response of said suspicious incoming request includes a script code. A preventive action responsive to a user input is taken when said respective response includes a script code רוצה לראות פחות

A method for transparently encrypting sensitive information, comprising detecting at least one literal in a database command that includes sensitive information. The literal is extracted from the database command. The literal is encrypted thereby forming an encrypted string. The literal is replaced by the encrypted string in the database command

A method for monitoring stored procedures is disclosed. The method performs on-line and inline monitoring of stored procedures for detecting table access operations performed by the procedures. This allows the enforcing of access control policies, correlation rules and audit rules on stored procedures. The monitoring is performed using mapping information gathered about each stored procedure that can be executed by a database server. The method comprises parsing an incoming transaction… רוצה לראות יותר

A method for monitoring stored procedures is disclosed. The method performs on-line and inline monitoring of stored procedures for detecting table access operations performed by the procedures. This allows the enforcing of access control policies, correlation rules and audit rules on stored procedures. The monitoring is performed using mapping information gathered about each stored procedure that can be executed by a database server. The method comprises parsing an incoming transaction submitted by a client; determining whether the incoming transaction includes an invocation of a stored procedure; obtaining a query group corresponding to the stored procedure; applying an access control policy on the query group; and asserting an unauthorized event if the query group is not compliant with the access control policy רוצה לראות פחות

A method for detecting and blocking web attacks, the method comprising identifying read-only parameters by parsing responses received from uniform resource locators. The combinations of binding correlation values (BCVs) of the read-only parameters are compared to their respective previously observed values

A method for detecting network attacks is provided. In one implementation, the method receives a plurality of attack indications based on data transmitted on the network and applies rules to the plurality of attack indications. Also, the method generates an alert if an application of at least a subset of the rules on the plurality of attack indications indicates a potential attack. In addition, a network device that performs the method and a computer program corresponding to the method are… רוצה לראות יותר

A method for detecting network attacks is provided. In one implementation, the method receives a plurality of attack indications based on data transmitted on the network and applies rules to the plurality of attack indications. Also, the method generates an alert if an application of at least a subset of the rules on the plurality of attack indications indicates a potential attack. In addition, a network device that performs the method and a computer program corresponding to the method are provided. רוצה לראות פחות

A method for detection and blocking of zero day worm attacks is disclosed. A zero day worm attack is the initial appearance of a new or revised Web worm. The method compares a hypertext transfer protocol (HTTP) request sent from an attacking computer (or server) to a predefined behavior profile of a protected Web application in order to detect a worm attack. A zero day worm attack based on the first data packet of an HTTP request can be detected.

A dynamic learning method and an adaptive normal behavior profile (NBP) architecture for providing fast protection of enterprise applications are disclosed. The adaptive NBP architecture includes a plurality of profile items. Each profile item includes a plurality of profile properties holding the descriptive values of the respective item. An application-level security system can identify and prevent attacks targeted at enterprise applications by matching application events against at least a… רוצה לראות יותר

A dynamic learning method and an adaptive normal behavior profile (NBP) architecture for providing fast protection of enterprise applications are disclosed. The adaptive NBP architecture includes a plurality of profile items. Each profile item includes a plurality of profile properties holding the descriptive values of the respective item. An application-level security system can identify and prevent attacks targeted at enterprise applications by matching application events against at least a single profile item in the adaptive NBP. רוצה לראות פחות

The system and method correlate between hypertext transfer protocol (HTTP) requests and structured query language (SQL) queries. The system operates in two modes: learn mode and protect mode. In the learn mode, the system identifies pairs of uniform resource locators (URLs) and SQL templates, in addition to, pairs of correlation parameters and SQL queries. In the protect mode, for each incoming SQL query, the system binds to each submitted SQL query a session identifier (sessionID) of a… רוצה לראות יותר

The system and method correlate between hypertext transfer protocol (HTTP) requests and structured query language (SQL) queries. The system operates in two modes: learn mode and protect mode. In the learn mode, the system identifies pairs of uniform resource locators (URLs) and SQL templates, in addition to, pairs of correlation parameters and SQL queries. In the protect mode, for each incoming SQL query, the system binds to each submitted SQL query a session identifier (sessionID) of a corresponding HTTP request and the user identity of the user that submitted the query. רוצה לראות פחות