H04L2463/144

HARVESTING FULLY QUALIFIED DOMAIN NAMES FROM MALICIOUS DATA PACKETS
20210392159 · 2021-12-16

The system inhibits malware that has infected user equipment (UE) from establishing a communication channel between the UE and a malware command and control (C2) website. A malware threat detector detects traffic that the malware generates on the user equipment. The system extracts the logs of these detections, processes the packet capture, and extracts the fully qualified domain name (FQDN). The FQDN is then transmitted to a malware information sharing platform and added to the domain name system response policy zone (DNS RPZ). The DNS RPZ can then block subsequent access to the malware C2 website because the FQDN is included in the DNS RPZ.

DNS-based ranking of domain names

Provided is a method for domain name ranking. An example method includes receiving Domain Name System (DNS) data, which includes domain names. The DNS data is processed to obtain multiple metric values for each of the domain names. The metric values can include a query count (QC), a client count (CC), and a network count (NC). The method proceeds with calculating a score for each of the domain names based on the metric values. The calculation can be performed using the following equation: Score = NC × CC × (1 + log(QC)). Furthermore, the method ranks the domain names based on the score for each of the domain names. The ranking can be based on normalization of the scores or based on converting the scores into respective percentile ranks.
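The ranking described in this abstract, worked through as an added example (not code from the patent): it derives QC, CC and NC from a constructed DNS query log, applies Score = NC × CC × (1 + log(QC)), and produces both a max-normalised score and a percentile rank. The log base (base 10), the use of a /24 prefix as the "network" of a client, and the percentile convention (share of domains scoring at or below the given one) are assumptions made here, since the abstract does not fix them.

```python
import math
import ipaddress
from collections import defaultdict

# Constructed sample DNS query log: (queried domain, querying client IP).
# The network a client belongs to is derived from its /24 prefix below
# (an assumption for this example; a deployment would use its own mapping).
SAMPLE_DNS_LOG = [
    ("cdn.example.net", "10.0.0.1"),
    ("cdn.example.net", "10.0.0.1"),
    ("cdn.example.net", "10.0.0.1"),
    ("cdn.example.net", "10.0.0.1"),
    ("cdn.example.net", "10.0.0.2"),
    ("cdn.example.net", "10.0.0.2"),
    ("cdn.example.net", "10.0.0.2"),
    ("cdn.example.net", "192.168.1.5"),
    ("cdn.example.net", "192.168.1.5"),
    ("cdn.example.net", "192.168.1.5"),
    ("update.example.org", "10.0.0.1"),
    ("update.example.org", "10.0.0.1"),
    ("update.example.org", "10.0.0.3"),
    ("update.example.org", "10.0.0.3"),
    ("rare.example.com", "192.168.1.9"),
]


def client_network(client_ip, prefix_len=24):
    """Map a client address to its network; the /24 aggregation is assumed."""
    return str(ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False))


def compute_metrics(dns_log):
    """Return {domain: (QC, CC, NC)} from (domain, client_ip) records."""
    query_count = defaultdict(int)
    clients = defaultdict(set)
    networks = defaultdict(set)
    for domain, client_ip in dns_log:
        query_count[domain] += 1                      # QC: total queries
        clients[domain].add(client_ip)                # CC: distinct clients
        networks[domain].add(client_network(client_ip))  # NC: distinct networks
    return {d: (query_count[d], len(clients[d]), len(networks[d]))
            for d in query_count}


def domain_score(qc, cc, nc):
    """Score = NC * CC * (1 + log(QC)); base-10 log is an assumption here."""
    return nc * cc * (1 + math.log10(qc))


def rank_domains(dns_log):
    """Rank domains by score; return (domain, score, normalised, percentile)."""
    metrics = compute_metrics(dns_log)
    scores = {d: domain_score(*m) for d, m in metrics.items()}
    max_score = max(scores.values())
    n = len(scores)
    ranked = []
    for domain, s in sorted(scores.items(), key=lambda kv: kv[1], reverse=True):
        normalised = s / max_score   # normalisation: fraction of the top score
        # percentile rank: share of domains scoring at or below this one
        percentile = 100.0 * sum(1 for v in scores.values() if v <= s) / n
        ranked.append((domain, round(s, 4), round(normalised, 4),
                       round(percentile, 2)))
    return ranked


if __name__ == "__main__":
    for row in rank_domains(SAMPLE_DNS_LOG):
        print(row)
```

With the constructed log, cdn.example.net (10 queries, 3 clients, 2 networks) scores 12.0, update.example.org scores about 3.20, and rare.example.com scores 1.0; a domain queried often but from a single network ranks below one seen from several networks, which is the point of weighting by NC and CC rather than by raw query volume.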

METHOD AND SYSTEM FOR BLOCKCHAIN BASED CYBER PROTECTION OF NETWORK ENTITIES
20210385206 · 2021-12-09

A system and method for controlling authorization to a protected entity are provided. The method includes: receiving an access request for access to the protected entity, wherein the access request is received from a client device; in response to the access request, causing the client device to perform an admission process that includes performing at least one game; monitoring a distributed database to identify at least one admission transaction designating admission criteria; determining if the admission criteria satisfy a set of conditions for accessing the protected entity; identifying, on the distributed database, completion results of the at least one game, wherein whether the admission criteria satisfies the set of conditions for accessing the protected entity is determined based on the results of the at least one game; and granting access to the protected entity by the client device when the admission criteria satisfies the set of conditions.

UTILIZING WEB APPLICATION FIREWALL AND MACHINE LEARNING TO DETECT COMMAND AND CONTROL

A method for detecting Command and Control (C&C) toward a web application in a network includes: obtaining, using a Web Application Firewall (WAF) of the network, network traffic between the web application and a server outside the network; transmitting the network traffic from the WAF to a machine learning model; determining, using the machine learning model, whether the network traffic includes a command signature; in response to determining that the network traffic includes a command signature, generating a notification; and determining, based on the notification, whether the server is a C&C.

Methods, systems, and media for testing insider threat detection systems

Methods, systems, and media for testing insider threat detection systems are provided. In some embodiments, the method comprises: receiving, using a hardware processor, a first plurality of actions in a computing environment that are associated with one of a plurality of user accounts; generating a plurality of models of user behavior based at least in part on the first plurality of actions, wherein each of the plurality of models of user behavior is associated with each of the plurality of user accounts; selecting a model of user behavior from the plurality of models of user behavior, wherein the model of user behavior is associated with a malicious user type; generating a simulated user bot based on the selected model of user behavior; executing the simulated user bot in the computing environment, wherein the simulated user bot injects a second plurality of actions in the computing environment; determining whether an insider threat detection system executing within the computing environment identifies the simulated user bot as a malicious user; and transmitting a notification indicating an efficacy of the insider threat detection system based on the determination.

METHOD AND APPARATUS FOR DETECTING ANOMALIES OF A DNS TRAFFIC

The present invention relates to a method and an apparatus for detecting anomalies of DNS traffic in a network, comprising: analysing, through a network analyser connected to said network, each data packet exchanged in the network; isolating, through the network analyser, from each of the analysed data packets the related DNS packet; evaluating, through a computerized data processing unit, each of the DNS packets, generating a DNS packet status; and signaling, through the computerized data processing unit, an anomaly of the DNS traffic when the DNS packet status defines a critical state; wherein the evaluating further comprises assessing, through the computerized data processing unit, each of the DNS packets by a plurality of evaluating algorithms, generating a DNS packet classification for each of the evaluating algorithms, and aggregating, through the computerized data processing unit, the DNS packet classifications, generating the DNS packet status; and wherein the critical state is identified when the DNS packet status is comprised in a critical state database stored in a storage medium.

BATCH CLUSTERING OF ONLINE ATTACK NARRATIVES FOR BOTNET DETECTION
20220210184 · 2022-06-30

A method includes identifying, from online clustering data, an internet protocol (IP) pair. The method further includes determining, by a processing device during an offline process, that the IP pair is part of a botnet. The method further includes, in response to the determining, appending data associated with the botnet to the online clustering data.

Asymmetrical system and network architecture
11373010 · 2022-06-28

A novel system and network architecture unburdens the end users as a result of reduced complexity of the infrastructure used by said users. As a result of the omission of processors, operating systems and conventional software on the user side, the use of the IT is simplified and the infiltration of malware into the devices belonging to the end users is prevented. In addition, the new architecture makes it possible to set up secure and more efficient networks even with respect to IoT and Industry 4.0 as well as new business models and supports both the coexistence and the migration of the conventional technology to the new architecture.

C&C domain name analysis-based botnet detection method, device, apparatus and medium

The invention provides a command-and-control (C&C) domain name analysis-based botnet detection method, device, apparatus and medium. The method includes an information acquisition step where DNS logs are acquired; a domain name analysis step where C&C domain names in the DNS logs are detected and the category of each C&C domain name is determined according to a pre-built domain name analyzer; a botnet determination step where whether a botnet exists is determined according to the C&C domain name and the category of C&C domain name. In the C&C domain name analysis-based botnet detection method, device, apparatus and medium provided by the present invention, by analyzing the domain name system (DNS) logs, the C&C domain name used in the attack activity is extracted for further analysis of the types of parasitic Trojans to thereby lock down the bot that the C&C server has controlled. In addition, the botnet activity trend can be analyzed by analyzing the Poisson parameter of each type of the C&C domain name, so as to form effective suppression measures in time.

Content delivery network (CDN) edge server-based bot detection with session cookie support handling

A server interacts with a bot detection service to provide bot detection as a requesting client interacts with the server. In an asynchronous mode, the server injects into a page a data collection script configured to record interactions at the requesting client, to collect sensor data about the interactions, and to send the collected sensor data to the server. After the client receives the page, the sensor data is collected and forwarded to the server through a series of posts. The server forwards the posts to the detection service. During this data collection, the server also may receive a request from the client for a protected endpoint. When this occurs, and in a synchronous mode, the server issues a query to the detection service to obtain a threat score based in part on the collected sensor data that has been received and forwarded by the server. Based on the threat score returned, the server then determines whether the request for the endpoint should be forwarded onward for handling.