Patent classifications
G06F2221/2127
System and method for handling user requests for web services
A system and method detects and handles replay attacks using counters maintained for each of several different periods for various values of IP addresses and browser description attributes encountered.
Method and system for secure data sharing
A method of protecting data is disclosed herein. The method comprises: encrypting a data in a protected data item using a first encryption key; and encrypting the first encryption key in the protected data item using a second encryption key that is unique to the protected data item, wherein the unique second encryption key is derived from a third encryption key in the protected data item and to a plurality of protected data items comprising a common characteristic shared with the protected data item.
Identifying stolen databases
A method, computer system, and a computer program product for identifying a hacked database is provided. The present invention may include generating a marked account using a plurality of data. The present invention may then include initiating a first transaction using the generated marked account. The present invention may also include determining that a second transaction has occurred using the generated marked account. The present invention may further include receiving notification of the second transaction based on determining that the second transaction occurred.
Using decoy icons to prevent unwanted user access to applications on a user computing device
Technologies are provided herein and include embodiments for protecting applications and information on a user computing device and include generating a menu of icons including an application icon and a decoy icon that correspond to a mobile application in a mobile device, where the application icon is assigned to a first location in the menu and the decoy icon is assigned to a second location in the menu. The embodiment further includes communicating icon location information to the mobile application, providing the menu of icons for display on a display screen of the mobile device, receiving a first indication of user input to select the decoy icon in the menu of icons, invoking the mobile application based on the decoy icon being selected, and communicating, to the mobile application based on the decoy icon being selected, second location information indicating the second location in the menu of icons.
Split serving of computer code
A computer-implemented method for securing a content server system is disclosed. The method includes identifying that a request has been made by a client computing device for serving of content from the content server system; serving, to the client computing device and for execution on the client computing device, reconnaissance code that is programmed to determine whether the client computing device is human-controlled or bot-controlled; receiving, from the reconnaissance code, data that indicates whether the client computing device is human-controlled or bot-controlled; and serving follow-up content to the client computing device, wherein the make-up of the follow-up content is selected based on a determination of whether the client computing device is human-controlled or bot-controlled.
Network monitoring based on distribution of false account credentials
A device receives end user device information for end user devices associated with a network, and creates a data structure that includes the end user device information. The device creates a data structure that includes false account credentials, and maps the end user device information and the false account credentials to create a mapped data structure. The device provides the false account credentials to memory locations of corresponding ones of the end user devices, and provides information from the mapped data structure to one or more network devices associated with the network, wherein the information from the mapped data structure enables the one or more network devices to detect an unauthorized access attempt of the network using one or more of the false account credentials.
Identification and extraction of key forensics indicators of compromise using subject-specific filesystem views
A stackable filesystem that transparently tracks process file writes for forensic analysis. The filesystem comprises a base filesystem, and an overlay filesystem. Processes see the union of the upper and lower filesystems, but process writes are only reflected in the overlay. By providing per-process views of the filesystem using this stackable approach, a forensic analyzer can record a process's file-based activity, i.e., file creation, deletion, modification. These activities are then analyzed to identify indicators of compromise (IoCs). These indicators are then fed into a forensics analysis engine, which then quickly decides whether a subject (e.g., process, user) is malicious. If so, the system takes some proactive action to alert a proper authority, to quarantine the potential attack, or to provide other remediation. The approach enables forensic analysis without requiring file access mediation, or conducting system event-level collection and analysis, making it a lightweight and non-intrusive solution.
Method and system for tracking machines on a network using fuzzy GUID technology
A method for querying a knowledge base of malicious hosts numbered from 1 through N. The method includes providing a network of computers, which has a plurality of unknown malicious host machines. In a specific embodiment, the malicious host machines are disposed throughout the network of computers, which includes a worldwide network of computers. The method includes querying a knowledge base including a plurality of known malicious hosts, which are numbered from 1 through N, where N is an integer greater than 1. In a preferred embodiment, the knowledge base is coupled to the network of computers. The method includes receiving first information associated with an unknown host from the network; identifying an unknown host and querying the knowledge base to determine if the unknown host is one of the known malicious hosts in the knowledge base, and outputting second information associated with the unknown host based upon the querying process.
Method for defending against malware
A method for defending against malware includes the following steps: create a bait file in a storage medium of an electric appliance; check whether the bait file is changed; when the bait file is changed, shut down the electric appliance. Thus, when the bait file is changed, it is determined that the malware has begun to execute, and the electric appliance is shut down immediately, so as to prevent the other files in the storage medium from continuing to be changed by the malware, facilitating the follow-up information rescue.