A monitor apparatus, method, and non-transitory computer readable storage medium thereof are provided. The monitor method is adapted for an electronic computing apparatus, wherein the electronic computing apparatus stores a smart contract and a blockchain ledger of a blockchain system. The monitor method periodically executes the following steps: (a) obtaining a piece of behavior information of a first electronic apparatus at a time point, (b) retrieving, via the smart contract, a plurality of pieces of previous behavior information within a time interval from the blockchain ledger, wherein the time interval is defined by the time point, and each piece of previous behavior information corresponds to one of a plurality of second electronic apparatuses and the first electronic apparatus, (c) determining a legality of the piece of behavior information according to the pieces of previous behavior information, and (d) writing the behavior information into the blockchain ledger.

A system includes a terminal and a gateway. The terminal is programmed to identify, in received data, a signature of rogue data that includes at least a device identifier and an application identifier, and to transmit, via uplink to a satellite, the identified signature to a gateway. The gateway is programmed to block downlink data, upon determining that downlink data includes the received signature, and to broadcast the received signature to a second gateway.

A system includes one or more BotMagnet modules that are exposed to infection by malicious code. The BotMagnets may include one or more virtual machines hosing operating systems in which malicious code may be installed and executed without exposing sensitive data or other parts of a network. In particular, outbound traffic may be transmitted to a Sinkhole module that implements a service requested by the outbound traffic and transmits responses to the malicious code executing within the BotMagnet. In the case of shellcode attacks, unsuccessful attacks may be emulated by selecting a corresponding emulator that will receive and execute instructions, as would a successful shellcode attack. Events occurring on the BotMagnet and Sinkhole are correlated and used to characterize the malicious code. The characterization may be transmitted to other computer systems in order to detect instances of the malicious code.

An apparatus may comprise a processing resource operatively coupled to a memory resource and a frame determination component operatively coupled to the processing resource and the memory resource. The frame determination component may cause a counter corresponding to a particular station associated to the apparatus to be stored in the memory resource, the counter to be incremented in response to receipt of a transmission frame containing an invalid starting sequence number (SEN) and a deauthentication frame to be transmitted in response to receipt of a threshold number of transmission frames containing the invalid.

Methods and systems for defending an infrastructure against a distributed denial of service (DDoS) attack use a software decoy installed in the infrastructure to deliberately attract a malware. An address or a domain name of a command and control (C&C) server is extracted from the malware. A client of the infrastructure uses the address or the domain name of the C&C server to connect to the C&C server. The client receives a command intended by the C&C server to cause the client to participate in the DDoS attack. The client forwards particulars of the DDoS attack to a cleaning component. The cleaning component discards incoming signals having one or more of the particulars of the DDoS attack. The address or domain name of the C&C server may be obfuscated in the malware, in which case reverse engineering is used to decipher the malware.

In an anomaly detection method that determines whether each frame in observation data constituted by a collection of frames sent and received over a communication network system is anomalous, a difference between a data distribution of a feature amount extracted from the frame in the observation data and a data distribution for a collection of frames sent and received over the communication network system, obtained at a different timing from the observation data, is calculated. A frame having a feature amount for which the difference is predetermined value or higher is determined to be an anomalous frame. An anomaly contribution level of feature amounts extracted from the frame determined to be an anomalous frame is calculated, and an anomalous payload part, which is at least one part of the payload corresponding to the feature amount for which the anomaly contribution level is at least the predetermined value, is output.

Example implementations relate to the processing of refresh token requests at an API gateway. The API gateway determines a first time associated with receipt of the refresh token request and a second time associated with the generation of a current access token. The current access token and a refresh token in the refresh token request are provided by the API gateway to the client device for accessing a backend service. The API gateway determines whether a difference between the first time and the second time is within a pre-defined threshold duration. When the difference between the first time and the second time is within the pre-defined threshold, the API gateway denies the refresh token request for generating the new access token and transmits the current access token back to the client device.

In a blockchain-based SDP access control method and apparatus, an SDP connection initiation host submits identity authentication request information to a blockchain system node, receives an authentication result feedback after verification; sends, to the blockchain system node, a query request for an SDP connection accepting host list that can be accessed, the query request including an authentication result of the blockchain system node for the SDP connection initiation host; after verifying the query request, the blockchain system node queries the SDP connection accepting host list that can be accessed by the SDP connection initiation host, and records the SDP connection accepting host list to a blockchain ledger; the SDP connection initiation host initiates a connection request to the SDP connection accepting host, queries the SDP connection accepting host list that can be accessed by the SDP connection initiation host; and if so, then access service is provided.

The attack vectors for some denial-of-service cyber attacks on the Internet's Domain Name System (DNS) are bad, bogus, or unregistered domain name DNS requests to resolve domain names that are not registered in the DNS. Some other cyber attacks steal sensitive data by encoding the data in bogus domain names, or domain names otherwise not registered in the DNS, that are transferred across networks in bogus DNS requests. A DNS gatekeeper may filter in-transit packets containing DNS requests and may efficiently determine if a request's domain name is registered in the DNS. When the domain name is not registered in the DNS, the DNS gatekeeper may take one of a plurality of protective actions. The DNS gatekeeper drops requests determined not to be legitimate, which may prevent an attack.

In a communication network, a device is configured to predict attacks and detect attacks from data logs received from the network and generate a response to an attack upon prediction or detection of an attack. Graph representations of data logs are generated based on a predefined schema. Attacks are detected by applying inference rules to a graph representation of the data logs. Attacks are predicted by using a graph neural network trained with subgraphs obtained by querying a graph representation of training data corresponding to normal traffic and attacks.