Patent classifications
H04L2463/144
Detecting malicious beaconing communities using lockstep detection and co-occurrence graph
A computer-implemented method (and apparatus) includes receiving input data comprising bipartite graph data in a format of source MAC (Machine Access Code) data versus destination IP (Internet Protocol) data and timestamp information. The input bipartite graph data is provided into a first processing to detect malicious beaconing activities using a lockstep detection method on the input bipartite graph data to detect possible synchronized attacks against a targeted infrastructure. The input bipartite graph data is also provided into a second processing, the second processing initially converting the bipartite graph data into a co-occurrence graph format that indicates in a graph format how devices in the targeted infrastructure communicate with different external destination servers over time. The second processing detects malicious beaconing activities by analyzing data exchanges with the external destination servers to detect anomalies.
SYSTEM TO DISTINGUISH HUMAN INPUT FROM MACHINE INPUT ON A VIDEO DELIVERY WEBSITE PRIOR TO AWARDING CLICK-PER-VIEW-REWARDS
A system to distinguish human input from machine input on a video delivery website prior to awarding click-per-view rewards. A question set must be completed in order to claim click-per-view rewards. The server records each unique registered user and each unique Media Access Control (MAC) address for each device and denies access to the question set from a registered user or a device that has previously accessed the question set for the selected video presentation, thereby preventing multiple access to the question set of the selected video presentation by the same device. The server tracks combinations of questions that have been used from the first question pool database and the second question pool database, to ensure that identical combinations of questions are never duplicated. The server validates input through the user input portal as being human input and awards click-per-view rewards only if correct answers have been given to all of the questions in the question set.
Method for preventing distributed denial of service attack and related equipment
A method for preventing denial of service attacks which are distributed attacks is applied in a target service provider server, a platform server, and a botnet service provider server. The target service provider server determines a first SDN controller according to an attack protection request, and issues a first flow rule. The target service provider server directs data flow of a network equipment to a first cleaning center and controls the first cleaning center to identify the attacking or malicious element in the data flow according to the first flow rule. The platform server receives the attacking element in the data flow sent by the target service provider server, and regards the same as malicious traffic. The platform server generates an attack report, and sends the attack report to the botnet service provider server to notify the botnet service provider server to clean or filter out the malicious traffic.
Secondary communication channel for security notifications
Exemplary methods, apparatuses, and systems include a communication system accessing a request received from an application on a user device to log into a primary platform of a communication system using a user account. In response to detecting the request as an unrecognized login attempt, that the user account also grants access to a secondary platform of the communication system, and that settings of the user account include enabled push notifications via the secondary platform, the communication system provides a notification for display to a user of the user account via the secondary platform.
BOT BEHAVIOR DETECTION
The present concepts relate to identifying entities based on their behavior using machine learning models. Where an entity may be a bot or a human, the entity's requests sent to a website are used to generate a graph. The graph may be used to create an image, such that the image reflects the entity's browsing behavior. A machine learning model, which has been trained using a first training set of images that correspond to bots and a second training set of images that correspond to humans, can determine whether the entity is a bot or a human by performing an image classification.
C&C DOMAIN NAME ANALYSIS-BASED BOTNET DETECTION METHOD, DEVICE, APPARATUS AND MEDIUM
The invention provides a command-and-control (C&C) domain name analysis-based botnet detection method, device, apparatus and medium. The method includes an information acquisition step where DNS logs are acquired; a domain name analysis step where C&C domain names in the DNS logs are detected and the category of each C&C domain name is determined according to a pre-built domain name analyzer; a botnet determination step where whether a botnet exists is determined according to the C&C domain name and the category of C&C domain name. In the C&C domain name analysis-based botnet detection method, device, apparatus and medium provided by the present invention, by analyzing the domain name system (DNS) logs, the C&C domain name used in the attack activity is extracted for further analysis of the types of parasitic Trojans to thereby lock down the bot that the C&C server has controlled. In addition, the botnet activity trend can be analyzed by analyzing the Poisson parameter of each type of the C&C domain name, so as to form effective suppression measures in time.
METHOD TO HANDLE THE DISTRIBUTED DENIAL-OF-SERVICE ATTACKS 911 ANSWERING CENTERS
An emergency answering center and a method of handling a distributed denial of service attack on an emergency answering center are provided. The emergency answering center receives an emergency call from a current caller. The emergency answering center determines websites visited by the current caller prior to calling the emergency answering center. If the number of calls received at the emergency answering center within a predetermined time period exceeds a predetermined threshold, the emergency answering center compares the websites visited by the current caller prior to calling the emergency answering center to a list of websites visited by other callers within the predetermined time period. If the websites visited by the current caller match at least a subset of the list of websites visited by other callers within the predetermined time period, the emergency answering center processes the emergency call in an alternate manner that is different from the regular manner of processing emergency calls.
AUTOMATIC RETRAINING OF MACHINE LEARNING MODELS TO DETECT DDOS ATTACKS
In one embodiment, a device in a network receives an attack mitigation request regarding traffic in the network. The device causes an assessment of the traffic, in response to the attack mitigation request. The device determines that an attack detector associated with the attack mitigation request incorrectly assessed the traffic, based on the assessment of the traffic. The device causes an update to an attack detection model of the attack detector, in response to determining that the attack detector incorrectly assessed the traffic.
Data flood checking and improved performance of gaming processes
A system and method identifies activity data that is related to activity of a plurality of users of a gaming platform. The activity data is used by the gaming platform to perform a gaming process. The system and method identifies first data of the activity data based on a first characteristic. The first data is a subset of the activity data. The system and method determines a number of times that the first data of the activity data meets a first condition. The system and method, responsive to determining that the number of times that the first data of the activity data meets the first condition satisfies a first threshold, modifies the activity data by removing the first data from the activity data. The system and method performs the gaming process using the modified activity data.
Privacy as a service by offloading user identification and network protection to a third party
A method and apparatus that securely obtains services in response to a request for a service while concealing personally identifiable information (PII) includes a software package having a user identification (ID) and network protection module that runs on a third party system and an anonymizer module that runs on a user system. The user system sends the request for the service via an API that invokes the user ID and network protection module to validate the request. In response to receiving validation, the anonymizer module modifies the request for the service to conceal at least part of the PII and sends the modified request to the service provider. In one embodiment, the third party system may be an application program configured to run on the user system. Thus, no PII or data to identify the unique individual is transmitted to the service provider.