Patent classifications
H04L2463/144
Systems and methods for detecting anomalous behaviors based on temporal profile
The present disclosure is directed to a method of detecting anomalous behaviors based on a temporal profile. The method can include collecting, by a control system comprising a processor and memory, a set of network data communicated by a plurality of network nodes over a network during a time duration. The method can include identifying, by the control system, one or more seasonalities from the set of network data. The method can include generating, by the control system, a temporal profile based on the one or more identified seasonalities. The method can include detecting, by the control system and based on the temporal profile, an anomalous behavior performed by one of the plurality of network nodes. The method can include identifying, by the control system and based on the temporal profile, a root cause for the anomalous behavior.
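The abstract above describes the pipeline only at the claim level (collect, find seasonalities, build a temporal profile, detect, attribute). The following added example is not the patent's code; it fixes the seasonality to an hour-of-day cycle instead of discovering it, scores each node against its own per-hour baseline with a z-score, and reports the baseline that was violated as the "root cause" context. The node names, byte volumes and the threshold of 4 standard deviations are constructed for illustration.

```python
"""Seasonality-aware per-node traffic baseline (added example, not patent code).

Assumption: the relevant seasonality is hour-of-day. Training records are
(node, hour_of_day, bytes) tuples collected over several days.
"""
from collections import defaultdict
from statistics import mean, pstdev


def build_profile(records):
    """Return {node: {hour: (mean_bytes, stdev_bytes)}} from training records."""
    buckets = defaultdict(lambda: defaultdict(list))
    for node, hour, nbytes in records:
        buckets[node][hour].append(nbytes)
    return {
        node: {hour: (mean(vals), pstdev(vals)) for hour, vals in hours.items()}
        for node, hours in buckets.items()
    }


def z_score(profile, node, hour, nbytes, sd_floor=1.0):
    """Deviation of an observation from the node's baseline for that hour.

    sd_floor keeps a near-constant baseline from producing infinite scores.
    """
    mu, sd = profile[node][hour]
    return (nbytes - mu) / max(sd, sd_floor)


def detect(profile, observations, threshold=4.0):
    """Flag observations that deviate more than `threshold` standard deviations.

    Each finding carries the violated baseline so an analyst can see *which*
    seasonal expectation was broken (e.g. off-hours volume), which is the
    attribution step the abstract calls root-cause identification.
    """
    findings = []
    for node, hour, nbytes in observations:
        if node not in profile or hour not in profile[node]:
            continue  # no baseline yet; a real system would learn, not alert
        z = z_score(profile, node, hour, nbytes)
        if abs(z) > threshold:
            mu, sd = profile[node][hour]
            findings.append({
                "node": node,
                "hour": hour,
                "observed": nbytes,
                "expected_mean": round(mu, 1),
                "expected_sd": round(sd, 1),
                "z": round(z, 1),
                "context": "outside business hours" if not 8 <= hour < 18 else "business hours",
            })
    return findings


def constructed_training():
    """Seven days of synthetic volumes: busy 08:00-17:59, quiet otherwise."""
    recs = []
    for day in range(7):
        for hour in range(24):
            for node, base in (("ws-01", 1000), ("ws-02", 800)):
                daytime = 8 <= hour < 18
                vol = (base if daytime else 40) + ((day * 7 + hour) % 5) * 3
                recs.append((node, hour, vol))
    return recs


def run_example():
    profile = build_profile(constructed_training())
    observed = [
        ("ws-01", 12, 1005),   # normal daytime volume
        ("ws-02", 3, 2000),    # 03:00 burst: beacon-like, far above quiet baseline
    ]
    return detect(profile, observed)


if __name__ == "__main__":
    for f in run_example():
        print(f)
```

The per-hour baseline is what makes a 2 KB transfer at 03:00 anomalous while the same volume at noon is not; a single global threshold per node would miss it. In production the seasonality set would also include day-of-week and the profile would be refreshed as the training window slides.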
Counter intelligence bot
Techniques are provided that facilitate responding to cyberattacks using counter intelligence (CI) bot technology. In one embodiment, a first system is disclosed that comprises a processor and a memory. The memory can store executable instructions that, when executed by the processor, facilitate performance of operations including receiving a request from a second system requesting assistance in association with a cyberattack on the second system, wherein the request comprises information indicating a type of the cyberattack. The operations further comprise selecting a counter intelligence bot configured to respond to the type of cyberattack, and directing the counter intelligence bot to respond to the cyberattack, wherein the directing comprises enabling the counter intelligence bot to respond to the cyberattack by establishing a gateway with the second system and employing the gateway to intercept and respond to traffic associated with the cyberattack on behalf of the second system.
Command and Control Steganographic Communications Detection Engine
A network security computing system includes a steganographic communications analysis engine monitoring incoming and outgoing messages on a secure computing network. The steganographic communications analysis engine identifies a pattern of file transfers between a first computing device on the secure computing network and an internal or external message recipient. When a pattern is identified, the steganographic communications analysis engine quarantines an associated computing device from the secure network. The steganographic communications analysis engine analyzes files transferred between the computing device and the recipient for indications of steganographic information and causes display, based on an identified indication of steganography, of an indication that the computing device has been compromised by command and control malware.
Utilizing web application firewall and machine learning to detect command and control
A method for detecting Command and Control (C&C) toward a web application in a network includes: obtaining, using a Web Application Firewall (WAF) of the network, network traffic between the web application and a server outside the network; transmitting the network traffic from the WAF to a machine learning model; determining, using the machine learning model, whether the network traffic includes a command signature; in response to determining that the network traffic includes a command signature, generating a notification; and determining, based on the notification, whether the server is a C&C.
Methods and systems for identifying malware enabled by automatically generated domain names
Computerized methods and systems identify malware enabled by automatically generated domain names. An agent executes a malware, in a controlled environment, at a first temporal input value and a second temporal input value. A first set of domain names is generated in response to the execution at the first temporal input value. A second set of domain names is generated in response to the execution at the second temporal input value. The agent compares the first set of domain names with the second set of domain names to produce a comparison output metric.
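The comparison step above is the whole detection idea: a domain generation algorithm seeded by the clock yields a different domain set when the sample is run under a different date, while a hard-coded domain list does not. The following added example (not the patent's or any vendor's code) stands in for the sandboxed execution with a constructed toy generator that is not any real malware family's algorithm, and computes the Jaccard similarity of the two domain sets as the comparison metric. The 0.5 threshold is an assumption.

```python
"""Time-seeded DGA indicator via two-run comparison (added example, not patent code).

The sandbox run at two "temporal input values" is simulated by calling the
generator with two dates. Both generators below are constructed for illustration.
"""
import hashlib
from datetime import date


def toy_dga(seed_date, count=5, tld="com"):
    """Constructed stand-in for a clock-seeded generator (NOT a real family's DGA)."""
    names = set()
    for i in range(count):
        digest = hashlib.sha256(f"{seed_date.isoformat()}:{i}".encode()).hexdigest()
        names.add(f"{digest[:12]}.{tld}")
    return names


def static_domains(seed_date, count=5):
    """Constructed stand-in for malware with a hard-coded C2 list; ignores the date."""
    return {f"update{i}.example.net" for i in range(count)}


def compare_runs(generator, first_time, second_time):
    """Run the generator at two temporal inputs and compare the resulting sets."""
    first = generator(first_time)
    second = generator(second_time)
    union = first | second
    jaccard = len(first & second) / len(union) if union else 1.0
    return {
        "first": sorted(first),
        "second": sorted(second),
        "jaccard": jaccard,
        "new_in_second": len(second - first),
    }


def is_time_dependent(metric, threshold=0.5):
    """Low overlap between runs indicates a time-seeded generator."""
    return metric["jaccard"] < threshold


if __name__ == "__main__":
    t1, t2 = date(2024, 1, 1), date(2024, 1, 2)
    for name, gen in (("toy_dga", toy_dga), ("static", static_domains)):
        m = compare_runs(gen, t1, t2)
        print(name, "jaccard=%.2f" % m["jaccard"], "time-dependent:", is_time_dependent(m))
```

Two caveats a practitioner would check before trusting the metric: a generator seeded by something other than time (a hard-coded counter, a web page's content) will look static under this test, and a family that rotates only a few domains per day needs a threshold tuned to its churn rate rather than a fixed 0.5.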
SYSTEM AND METHOD TO MANAGE SECURITY
The proposed system employs one or more steps and an architectural arrangement of a plurality of relevant functional elements to enable security. A USB device is arranged to enable secure access of a computing device. A first cloud server is arranged to receive an ID, a cryptographic key, an authentication PIN and pre-stored data from the computing device. The first cloud server encrypts the received pre-stored data using the received cryptographic key and subsequently transmits the ID, the cryptographic key and the authentication PIN to a second cloud server. Further, the second cloud server performs a plurality of sequential functional operations, critical to the motive and objective of deploying the proposed system.
PLATFORM FOR PRIVACY PRESERVING DECENTRALIZED LEARNING AND NETWORK EVENT MONITORING
Systems and methods are provided for implementing pattern detection as a first step for security improvements of a computer network. The pattern detection may utilize a machine learning (ML) model for predicting network tuple parameters. The ML model can be trained on labelled data flow information and deployed by a central server for preventing network-wide cyber-security challenges (e.g., including DNS flux, etc.). Networking devices (e.g. switches, etc.) can monitor the data flow traffic that they receive from other networking devices and classify network tuple parameters based on the flow behavior. The system can compare the output of the ML model (e.g., a classification of the data flow traffic, etc.) to an implicit label (e.g., the network tuple parameter included with the data flow traffic, etc.). When the classification matches a particular network tuple parameter, the system can generate an alert and/or otherwise identify potential network intrusions and other abnormalities.
IMPLEMENTING DECOYS IN A NETWORK ENVIRONMENT
A system includes one or more “BotMagnet” modules that are exposed to infection by malicious code. The BotMagnets may include one or more virtual machines hosting operating systems in which malicious code may be installed and executed without exposing sensitive data or other parts of a network. In particular, outbound traffic may be transmitted to a Sinkhole module that implements a service requested by the outbound traffic and transmits responses to the malicious code executing within the BotMagnet. Credentials for services implemented by a BotSink may be planted in an active directory (AD) server. The BotSink periodically uses the credentials thereby creating log entries indicating use thereof. When an attacker accesses the services using the credentials, the BotSink engages and monitors an attacker system and may generate an alert. Decoy services may be assigned to a domain and associated with names according to a naming convention of the domain.
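The planted-credential mechanism above has one detection subtlety: the BotSink itself uses the decoy credentials on a schedule so that they appear live in the directory logs, so a detector must separate that expected use from an attacker's. The following added example (not the patent's code) shows that filter over constructed authentication log lines in a simple key=value format; the decoy account names, the BotSink host name and the log format are all assumptions, and the naming convention check is a plain prefix match standing in for whatever convention the domain uses.

```python
"""Honeytoken credential-use detection (added example, not patent code).

Constructed log format: ISO timestamp followed by space-separated key=value
fields. Any authentication with a decoy account from a host other than the
BotSink that owns it is treated as an attacker touching the bait.
"""
import re

# Assumed deployment facts: which accounts are decoys and which host legitimately
# exercises them to keep their log footprint realistic.
DECOY_ACCOUNTS = {
    "svc_backup_decoy": "botsink-01",
    "svc_sql_decoy": "botsink-01",
}
DECOY_PREFIX = "svc_"  # assumed domain naming convention for service accounts

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split 'TIMESTAMP k=v k=v ...' into a dict; returns None on malformed input."""
    parts = line.strip().split(" ", 1)
    if len(parts) != 2:
        return None
    fields = dict(_KV.findall(parts[1]))
    fields["ts"] = parts[0]
    return fields


def follows_convention(account):
    """Decoy names must blend in with real service accounts."""
    return account.startswith(DECOY_PREFIX)


def detect_decoy_use(lines):
    """Return alerts for decoy-account logons not originating from the owning BotSink."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if not ev or ev.get("event") != "logon":
            continue
        user = ev.get("user", "")
        owner = DECOY_ACCOUNTS.get(user)
        if owner is None:
            continue  # real account, not bait
        if ev.get("src_host") == owner:
            continue  # scheduled self-use by the BotSink; expected noise
        alerts.append({
            "ts": ev["ts"],
            "user": user,
            "src_host": ev.get("src_host"),
            "src_ip": ev.get("src_ip"),
            "result": ev.get("result"),
        })
    return alerts


# Constructed sample log lines (not from any real system).
SAMPLE_LOG = [
    "2024-05-01T02:00:00Z event=logon user=svc_backup_decoy src_host=botsink-01 src_ip=10.0.5.9 result=success",
    "2024-05-01T02:00:01Z event=logon user=jdoe src_host=ws-14 src_ip=10.0.7.22 result=success",
    "2024-05-01T03:12:40Z event=logon user=svc_sql_decoy src_host=ws-31 src_ip=10.0.7.88 result=failure",
    "2024-05-01T03:12:44Z event=logon user=svc_sql_decoy src_host=ws-31 src_ip=10.0.7.88 result=success",
    "2024-05-01T03:13:00Z event=logoff user=svc_sql_decoy src_host=ws-31 src_ip=10.0.7.88",
]

if __name__ == "__main__":
    for a in detect_decoy_use(SAMPLE_LOG):
        print(a)
```

Note that failed attempts are alerted on too: a decoy password that is never used legitimately should never be tried at all, so even a failure from an unexpected host is a high-fidelity signal. The BotSink's own periodic logons are filtered by source host rather than by time so that an attacker who happens to act during the scheduled window is still caught.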
TEMPORAL DRIFT DETECTION
The present application discloses a method, system, and computer system for determining whether to train a machine learning model. The method includes analyzing a set of data for temporal drift detection, determining that a resultant stationary series has changed from training data, and in response to determining that the resultant stationary series has changed, automatically updating the machine learning model, wherein the machine learning model is trained based at least in part on a set of training data.
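The abstract leaves open how the "resultant stationary series" is obtained and how "has changed" is decided. The following added example (not the patent's code) makes one concrete choice for each: first-order differencing to remove trend, then a two-sample Kolmogorov-Smirnov statistic between the differenced training series and the differenced recent series, with the standard large-sample critical value at alpha 0.05 as the retrain trigger. The series values are constructed; the differencing lag and significance level are assumptions.

```python
"""Temporal drift check driving a retrain decision (added example, not patent code).

Stationarity is approximated by first-order differencing (adequate for a
series whose non-stationarity is a trend or a level shift). The changed /
not-changed decision is a two-sample KS test implemented in plain Python.
"""
import math


def difference(series, lag=1):
    """First-order differences: removes linear trend and level shifts."""
    return [series[i] - series[i - lag] for i in range(lag, len(series))]


def ks_statistic(a, b):
    """Two-sample Kolmogorov-Smirnov D: max distance between empirical CDFs."""
    a, b = sorted(a), sorted(b)
    na, nb = len(a), len(b)
    i = j = 0
    d = 0.0
    while i < na and j < nb:
        x = min(a[i], b[j])
        while i < na and a[i] <= x:
            i += 1
        while j < nb and b[j] <= x:
            j += 1
        d = max(d, abs(i / na - j / nb))
    return d


def ks_critical(na, nb, alpha=0.05):
    """Large-sample critical value; c(0.05) = 1.358 from the KS distribution."""
    c = {0.10: 1.224, 0.05: 1.358, 0.01: 1.628}[alpha]
    return c * math.sqrt((na + nb) / (na * nb))


def should_retrain(training, recent, alpha=0.05):
    """Compare the differenced recent window against the differenced training data."""
    dt, dr = difference(training), difference(recent)
    d = ks_statistic(dt, dr)
    crit = ks_critical(len(dt), len(dr), alpha)
    return {"ks_d": round(d, 3), "critical": round(crit, 3), "retrain": d > crit}


def constructed_series(start, stop, residual_scale=1):
    """Linear trend plus a bounded periodic residual; scale widens the residual."""
    return [100 + 2 * t + ((t * 3) % 7 - 3) * residual_scale for t in range(start, stop)]


TRAINING = constructed_series(0, 60)                       # what the model was fit on
RECENT_STABLE = constructed_series(60, 90)                 # same process, later window
RECENT_DRIFTED = constructed_series(60, 90, residual_scale=6)  # variance of increments grew

if __name__ == "__main__":
    print("stable :", should_retrain(TRAINING, RECENT_STABLE))
    print("drifted:", should_retrain(TRAINING, RECENT_DRIFTED))
```

Comparing the differenced series rather than the raw values is what keeps the trend itself from being reported as drift: the drifted window here has exactly the same trend as the training data and differs only in how its increments are distributed. A check on raw values would flag the stable window too, simply because its level is higher.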
Graph stream mining pipeline for efficient subgraph detection
A graph stream mining processing system and method may be used to analyze the data from a plurality of data streams. In one embodiment, the graph stream mining processing system and method may be used to detect one or more candidate botnet malicious nodes.