In one embodiment, a device in a network receives traffic data regarding a plurality of observed traffic flows. The device maps one or more characteristics of the observed traffic flows from the traffic data to traffic characteristics associated with a targeted deployment environment. The device generates synthetic traffic data based on the mapped traffic characteristics associated with the targeted deployment environment. The device trains a machine learning-based traffic classifier using the synthetic traffic data.

A system for analyzing and clustering darknet traffic streams with word embeddings, comprising a data processing module which collects packets that are sent to non-existing IP addresses that belong to darknet's taps (blackholes) that are deployed over the internet: a port embedding module for performing port sequence embeddings by using a word embedding algorithm on the port sequences extracted from the data processing module while transforming the port sequences into a meaningful numerical feature vectors: a clustering module for performing temporal clustering of the feature vectors over time; and an alert logic and visualization module visualizes the data and provides alerts regarding a cluster that an analyst classified as malicious in the past.

The present invention relates management of security of a computing environment. The method may include; monitoring and learning, through a master computer, a data traffic of the each of the coupled connecting node to alter a security design to speed up the communications; analysing, through the master computer, the data traffic to categorize the each of the coupled connecting node into a first category of node, which is accessed by a human and a second category of node, which is accessed by a bot; utilizing, at the master computer, one or more secured hidden servers for determining a first data communication route to speed up data traffic for the human and a second data communication route to prevent data traffic above a pre-set limit, for the bot.

Described herein are methods, systems, and apparatuses for query analysis and classification. A plurality of entity identifier queries associated with a plurality of entity identifiers may be received and classified as being legitimate or illegitimate. Illegitimate entity identifier queries may be associated with originating devices that are infected with malware. The originating devices may have sent the illegitimate entity identifier queries in an attempt to communicate with a command and control server(s) of a botnet. Such originating devices may be identified and one or more remedial actions may be performed.

This disclosure relates to systems and methods for verifying the presentation of content to a target audience using generated metrics indicative of a likelihood that the content was presented to actual human individuals within the target audience. In some instances, such a metric may be associated with a probability model estimating that a user (e.g., a user of a device) is human and not a bot and/or other automated service. Metrics consistent with aspects of the disclosed embodiments may be generated based, at least in part, on user information received from a user and/or associated devices and/or associated services. Consistent with various disclosed embodiments, metrics indicative of whether a user is human, content distribution decisions and user agency decisions may use such metrics.

An information leakage detection method and a device using the same are disclosed. The method includes the following steps. Network connection data of an electronic device is obtained. Log data related to a (domain name system) DNS is extracted from the network connection data. A DNS request in the log data is analyzed to obtain multiple character distribution feature values according to an analysis result. The character distribution feature values reflect a character distribution status of a domain name in the DNS request under different classification rules. A machine learning model determines whether the DNS request is a malicious DNS request according to the character distribution feature values, and the malicious DNS request is used to carry leaked data to a remote host.

Methods and systems for defending an infrastructure against a distributed denial of service (DDoS) attack use a software decoy installed in the infrastructure to deliberately attract a malware. An address or a domain name of a command and control (C&C) server is extracted from the malware. A client of the infrastructure uses the address or the domain name of the C&C server to connect to the C&C server. The client receives a command intended by the C&C server to cause the client to participate in the DDoS attack. The client forwards particulars of the DDoS attack to a cleaning component. The cleaning component discards incoming signals having one or more of the particulars of the DDoS attack. The address or domain name of the C&C server may be obfuscated in the malware, in which case reverse engineering is used to decipher the malware.

One or more computing devices, systems, and/or methods for monitoring levels of activity of client devices using a cluster of servers having a decentralized network architecture are provided, where over-counting, which may be caused by an uneven distribution of requests transmitted by the client devices to the cluster of servers, may be mitigated. For example, a request may be received by a first server, of the cluster of servers, from a client device. A first counter value associated with a level of activity of the client device may be incremented by a first number. One or more data packets may be transmitted to one or more servers of the cluster of servers. Each data packet of the one or more data packets may comprise an instruction to increment a counter value associated with the client device by a second number, which may be different than the first number.

Systems, methods, and apparatuses for authenticating requests to access one or more accounts over a network using authenticity evaluations of two or more automated decision engines are discussed. A login request for access to a user account may be submitted to multiple decision engines that each apply different rulesets for authenticating the login request, and output an evaluation of the authenticity of the login request. Based on evaluations from multiple automated decision engines, the login request may be allowed to proceed to validation of user identity and, if user identity is validated, access to the user account may be authorized. Based on the evaluations, the login attempt may also be rejected. One or more additional challenge question may be returned to the computing device used to request account access, and the login request allowed to proceed to validation of identity if the response to the challenge question is deemed acceptable.

Methods, systems, and computer program products for performing passive and active identity verification in association with online communications. For example, a computer-implemented method may include receiving one or more electronic messages associated with a user account, analyzing the electronic messages based on a plurality of identity verification profiles associated with the user account, generating an identity trust score associated with the electronic messages based on the analyzing, determining whether to issue a security challenge in response to the electronic messages based on the generated identity trust score, and issuing the security challenge in response to the electronic messages based on the determining.