H04L2463/144

METHOD FOR PROTECTING IOT DEVICES FROM INTRUSIONS BY PERFORMING STATISTICAL ANALYSIS

Various embodiments provide an approach to detect intrusion of connected IoT devices. In operation, features associated with behavioral attributes as well as volumetric attributes of network data patterns of different IoT devices are analyzed by means of statistical analysis to determine deviation from normal operation data traffic patterns to detect anomalous operations and possible intrusions. Data from multiple networks and devices is combined in the cloud to provide improved base models for statistical analysis.

Behavioral User Security Policy

There is disclosed in one example a computing apparatus, including: a hardware platform including at least a processor and a memory; and a security agent including instructions encoded in the memory to instruct the processor to: monitor a user's operation of the computing apparatus over time, including determining whether a selected behavior is a security risk; provide a risk analysis of the user's operation based at least in part on the monitoring; select a scan sensitivity based at least in part on the risk analysis; and scan, with the selected sensitivity, one or more objects on the computing apparatus to determine if the one or more objects are a threat.

METHOD AND SYSTEM FOR CLUSTERING DARKNET TRAFFIC STREAMS WITH WORD EMBEDDINGS

A system for analyzing and clustering darknet traffic streams with word embeddings, comprising a data processing module which collects packets that are sent to non-existing IP addresses that belong to darknet taps (blackholes) deployed over the internet; a port embedding module for performing port sequence embeddings by using a word embedding algorithm on the port sequences extracted by the data processing module, transforming the port sequences into meaningful numerical feature vectors; a clustering module for performing temporal clustering of the feature vectors over time; and an alert logic and visualization module that visualizes the data and provides alerts regarding a cluster that an analyst classified as malicious in the past.

SYSTEMS AND METHODS FOR MONITORING MALICIOUS SOFTWARE ENGAGING IN ONLINE ADVERTISING FRAUD OR OTHER FORM OF DECEIT

Systems and methods for monitoring malicious software engaging in online advertising fraud or other forms of deceit are disclosed herein. An example method for automated categorization of binary code for identifying malicious software engaging in online advertising fraud disclosed herein includes collecting data defining behavior of the binary code using sensors from a plurality of sandboxes, categorizing the binary code using a behavior signature, the behavior signature including a selector and a filter, the behavior signature defining a signature category based on actions associated with the binary code, wherein a match with the filter removes the binary code from the signature category, and wherein a match with the selector adds the binary code to the signature category, identifying the binary code as malicious software engaging in online advertising targeted behavior based on the signature category, and mimicking a communication associated with the binary code to identify a control server associated with the binary code in response to identifying the binary code as malicious software.

Device Monitoring Method and Apparatus and Deregistration Method and Apparatus
20200314140 · 2020-10-01

This disclosure provides a device monitoring method and apparatus and a deregistration method and apparatus. The device monitoring apparatus has a capability of obtaining signaling plane data exchanged between a core network element and a terminal device, and after obtaining the signaling plane data, the device monitoring apparatus can determine, by analyzing attribute information of the signaling plane data, a device that may initiate a DoS attack.

System and method for identifying suspicious network traffic

The disclosure includes a method that includes receiving network traffic having a first plurality of packets that each indicate a first packet source and a first packet destination; determining an analysis host destination for each of the first plurality of packets such that the packets are distributed among a plurality of analysis hosts with communications between a given source-destination pair being sent to the same analysis host; encapsulating the first plurality of packets to generate a second plurality of encapsulated packets having the first plurality of packets as a second packet payload; and sending the second plurality of encapsulated packets to respective analysis host destinations.

METHODS AND SYSTEMS FOR IDENTIFYING MALWARE ENABLED BY AUTOMATICALLY GENERATED DOMAIN NAMES
20200304531 · 2020-09-24

Computerized methods and systems identify malware enabled by automatically generated domain names. An agent executes a malware, in a controlled environment, at a first temporal input value and a second temporal input value. A first set of domain names is generated in response to the execution at the first temporal input value. A second set of domain names is generated in response to the execution at the second temporal input value. The agent compares the first set of domain names with the second set of domain names to produce a comparison output metric.

Bot Characteristic Detection Method and Apparatus
20200304521 · 2020-09-24

A bot characteristic detection method and apparatus, where the apparatus obtains a first dynamic behavior file and a second dynamic behavior file, where the first dynamic behavior file is a behavior file resulting from dynamic behavior detection performed on a malicious file in a first sandbox, and the second dynamic behavior file is a behavior file resulting from dynamic behavior detection performed on the malicious file in a second sandbox. The apparatus determines a bot characteristic of the malicious file based on a common characteristic of the first dynamic behavior file and the second dynamic behavior file.

System and method for gathering botnet cyber intelligence
10785235 · 2020-09-22

A drone unit operatively connected to a server may identify an attack, launched by a botnet, on a resource. A drone unit may continuously and iteratively, while the attack is in progress, determine and report to a server a first set of values of a respective set of operational parameters related to the resource. A drone unit may determine, and report to the server, a second set of values of the set of operational parameters after the attack is terminated. A server may determine an impact of an attack by relating the first set of values to the second set of values.

Classification of website sessions using one-class labeling techniques

A session identification system classifies network sessions with a network application as either human-generated or generated by a non-human, such as by a bot. In an embodiment, the session identification system receives a set of unlabeled network sessions, and determines a label for a single class of the unlabeled network sessions. Based on the one-class labeling information, the session identification system determines multiple subsets of the unlabeled network sessions. Multiple classifiers included in the session identification system generate probabilities describing each of the unlabeled network sessions. The session identification system classifies each of the unlabeled network sessions based on a combination of the generated probabilities.