Disclosed are a system and a method for detecting a malicious code using visualization in order to allow a user to intuitively detect behavior of client terminals infected with a malicious code. The system for detecting a malicious code using visualization includes a data collection module which collects DNS packets, a parameter extraction module which extracts parameters for visualization from the collected DNS packets, a data loading module which loads the extracted parameters; a blacklist management module which manages blacklist domain, a filter module which filters unnecessary data from the loaded data, and a visualization generation module which generates visualization patterns using the extracted parameters.

A graph stream mining processing system and method may be used to analyze the data from a plurality of data streams. In one embodiment, the graph stream mining processing system and method may be used to detect one or more candidate botnet malicious nodes.

A system includes one or more “BotMagnet” modules that are exposed to infection by malicious code. The BotMagnets may include one or more virtual machines hosing operating systems in which malicious code may be installed and executed without exposing sensitive data or other parts of a network. In particular, outbound traffic may be transmitted to a Sinkhole module that implements a service requested by the outbound traffic and transmits responses to the malicious code executing within the BotMagnet. The Sinkhole module may implement a proxy mode in which traffic received by the Sinkhole module is transmitted to a destination specified in the traffic but modified to reference the Sinkhole as the source. Events occurring on the BotMagnet and Sinkhole are correlated and used to characterize the malicious code. The characterization may be transmitted to other computer systems in order to detect instances of the malicious code.

A web-session recording system comprising at least one processing circuitry configured to: provide instructions, executable as part of execution of a webpage executable by a web browser executing on a user device, the instructions designed to cause recording of a web-session, wherein executing the instructions as part of the webpage on the user device results in sending an execution indication, indicating of successful execution of the instructions, from the user device to the web-session recording system; upon the web-session recording system not receiving the execution indication after an attempt to execute the instructions on the user device, record (a) requests sent from the user device associated with the web-session to the web-session recording system, and (b) responses sent from the web-session recording system to the user device associated with the web-session.

In an embodiment, a computer system configured to improve security of client computer interacting with server computers comprises one or more processors; a digital electronic memory storing a set of program instructions which when executed using the one or more processors cause the one or more processors to: process a first set of original instructions that produce a first set of outputs or effects; generate a first set of interpreter instructions that define a first interpreter; generate a first set of alternate instructions from the first set of original instructions, wherein the first set of alternate instructions is functionally equivalent to the first set of original instructions when the first set of alternate instructions is executed by the first interpreter; send, to the first client computer, the first set of alternate instructions and the first set of interpreter instructions.

In some embodiments, heuristic botnet detection is provided. In some embodiments, heuristic botnet detection includes monitoring network traffic to identify suspicious network traffic; and detecting a bot based on a heuristic analysis of the suspicious network traffic behavior using a processor, in which the suspicious network traffic behavior includes command and control traffic associated with a bot master. In some embodiments, heuristic botnet detection further includes assigning a score to the monitored network traffic, in which the score corresponds to a botnet risk characterization of the monitored network traffic (e.g., based on one or more heuristic botnet detection techniques); increasing the score based on a correlation of additional suspicious behaviors associated with the monitored network traffic (e.g., based on one or more heuristic botnet detection techniques); and determining the suspicious behavior is associated with a botnet based on the score.

Methods and systems for generating stateful attacks for simulating and testing security infrastructure readiness. Attack templates descriptive of a plurality of attacks to be executed against one or more targets are defined. The attack templates are processed to compile a decision tree by traversing through a list of attack templates to create a logical tree with tree branches representing different execution paths through which attacks may be executed against the targets. During attack simulations and/or testing, single and/or multi-stage attacks are executed against targets, wherein attack sequences are dynamically determined using the execution paths in the decision tree in view of real-time results. The attacks may be executed against various types of targets, including target in existing security infrastructures and simulated targets. Moreover, the attacks may originate from computer systems within security infrastructures or remotely using computer systems external to the security infrastructures.

A network security computing system includes a steganographic communications analysis engine monitoring incoming and outgoing messages on a secure computing network. The steganographic communications analysis engine identifies a pattern of file transfers between a first computing device on the secure computing network and an internal or external message recipient. When a pattern is identified, the steganographic communications analysis engine quarantines an associated computing device from the secure network. The steganographic communications analysis engine analyzes files transferred between the computing device and the recipient for indications of steganographic information and causes display, based on an identified indication of steganography, an indication that the computing device had been compromised by command and control malware.

A bot traffic detection system detects scripted network traffic. The bot traffic detection system may use a one-sided unsupervised machine learning technique to estimate distributions for human, non-scripted traffic (clean distributions). The clean distributions may be dynamically updated based on the latest traffic patterns. To estimate the clean distributions the bot traffic detection system may identify, for a certain subset of network traffic, feature values of the certain subset of network traffic that do not include bot traffic (clean buckets). Using clean traffic may provide more robust and stable behavior that can be tracked over time. Using the clean distributions, the bot traffic detection system may generate a rules table that indicates a likelihood that network traffic with a given combination of feature values is scripted network traffic. The bot traffic detection system may apply the rules table in real time to identify scripted network traffic.

A system and methods of processing feedback for use by a large organization which process the information using artificial intelligence and graphically display the results is disclosed. The continuous process of refining the data of this method and system uses collective reactions to correct misinterpreted feedback to improve the quality and accuracy of future iterations.