Patent classifications
H04L2463/144
Botnet Mitigation
Systems, methods, and devices of the various embodiments may enable the mitigation of malicious botnets. Various embodiments may block communication of malicious botnets from customer computing devices to malicious command and control (C2) servers. Various embodiments may include mitigating botnets in a network by diverting Internet traffic bound for a malicious C2 server to a botnet mitigation controller of the network. In various embodiments, diverting Internet traffic may include programmatically injecting Border Gateway Protocol (BGP) routes in a network to route Internet traffic bound for a malicious C2 server to a botnet mitigation controller of the network. In various embodiments, a botnet mitigation controller may determine whether diverted Internet traffic is malicious and may handle malicious diverted Internet traffic according to one or more security settings.
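The two halves of the scheme above, route injection and a controller that re-checks diverted traffic, as an added illustration in Python. This is not code from the patent; it assumes ExaBGP-style API commands for the announcements, a next hop of 192.0.2.1 for the controller, a BGP community 65000:666 that the provider's route policy matches, and a per-customer setting vocabulary of block, alert and allow. All addresses are from documentation ranges and the C2 table is constructed.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed C2 indicators keyed by (address, port); documentation-range
# addresses, not real C2 servers.
KNOWN_C2 = {
    ("203.0.113.10", 443): "botnet-family-A",
    ("198.51.100.77", 8080): "botnet-family-B",
}

# Assumed: the mitigation controller's address inside the provider network.
CONTROLLER_NEXT_HOP = "192.0.2.1"

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def c2_addresses(table):
    """Distinct C2 addresses to divert, in address order."""
    return sorted({ip for ip, _port in table}, key=ipaddress.ip_address)


def exabgp_divert_announcements(c2_ips, next_hop=CONTROLLER_NEXT_HOP, community="65000:666"):
    """Build ExaBGP-style 'announce route' lines that inject a /32 host route for
    each C2 address with the controller as next hop. The community (assumed) lets
    a router policy accept the injected routes only on customer-facing routers
    and keep them from leaking to peers."""
    lines = []
    for ip in sorted(c2_ips, key=ipaddress.ip_address):
        addr = ipaddress.ip_address(ip)
        # Diverting RFC 1918, loopback or multicast space would blackhole the
        # provider's own infrastructure, so refuse it outright.
        if addr.is_loopback or addr.is_multicast or any(addr in n for n in RFC1918):
            raise ValueError(f"refusing to divert non-routable address {ip}")
        lines.append(f"announce route {ip}/32 next-hop {next_hop} community [{community}]")
    return lines


def exabgp_withdraw_announcements(c2_ips, next_hop=CONTROLLER_NEXT_HOP):
    """Matching withdrawals for when an indicator expires."""
    return [f"withdraw route {ip}/32 next-hop {next_hop}"
            for ip in sorted(c2_ips, key=ipaddress.ip_address)]


@dataclass
class Flow:
    customer_id: str
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass
class MitigationController:
    c2_table: dict
    settings: dict                  # customer_id -> "block" | "alert" | "allow" (assumed)
    default_setting: str = "block"
    events: list = field(default_factory=list)

    def is_malicious(self, flow):
        """A /32 divert also pulls in benign traffic when the C2 shares an address
        with legitimate services, so re-check address and port before acting."""
        return (flow.dst_ip, flow.dst_port) in self.c2_table

    def handle(self, flow):
        if not self.is_malicious(flow):
            return "forward"        # not C2 traffic: send it on to the real destination
        action = self.settings.get(flow.customer_id, self.default_setting)
        self.events.append({
            "customer": flow.customer_id, "src": flow.src_ip,
            "c2": f"{flow.dst_ip}:{flow.dst_port}",
            "family": self.c2_table[(flow.dst_ip, flow.dst_port)], "action": action,
        })
        return action


if __name__ == "__main__":
    for line in exabgp_divert_announcements(c2_addresses(KNOWN_C2)):
        print(line)
    ctl = MitigationController(c2_table=KNOWN_C2, settings={"cust-1": "alert"})
    print(ctl.handle(Flow("cust-1", "10.1.2.3", "203.0.113.10", 443)))
    print(ctl.handle(Flow("cust-2", "10.4.5.6", "203.0.113.10", 80)))
```

The port check is the part a practitioner should not skip: a host route diverts everything destined to the address, and dropping it all would take down any legitimate service co-hosted with the C2.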
System and method of protecting client computers
A threat response platform to act as a bridge between non-inline security programs and inline security programs. The threat response platform receives event reports, relating to client devices, from the non-inline security programs and creates incident reports for a user. The incident reports describe the event report and also additional data gathered by an active correlation system of the threat response platform. The active correlation system automatically gathers various types of data that are potentially useful to a user in determining whether the reported event is an incidence of malware operating on the client device or a false positive. The active correlation system places a temporary agent on the client device to identify indications of compromise.
Technique for detecting suspicious electronic messages
The disclosure relates to a method of detecting suspicious electronic messages. The method is performed in a messaging server which is in communication with a plurality of message senders and a plurality of message receivers, and comprises the steps of: receiving electronic messages sent from the plurality of message senders to at least one message receiver; extracting from each received message at least one message sender feature and at least one message content feature; recording the extracted message sender features and message content features in a database; determining, on the basis of the message content features recorded in the database, whether a specific content feature that can be associated with a current message has already been recorded in the past; if the specific content feature has already been recorded in the past, determining, on the basis of the message sender features recorded in the database, a number of message senders that can be associated with the specific content feature; and classifying the current message as suspicious if the determined number of message senders that can be associated with the specific content feature exceeds a predetermined threshold value. Also disclosed is a messaging server implementing the above described method.
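The sender-counting step above, as an added example in Python that is not part of the patent. It assumes the content feature is a hash of the normalised body (lower-cased, punctuation stripped) and the sender feature is the sender address; the sample messages are constructed. The same template sent from many distinct senders (typical of a campaign run from compromised accounts) trips the threshold, while one sender mailing the same body repeatedly does not, which is what the method's count of senders rather than messages implies.

```python
import hashlib
import re
from collections import defaultdict

WORD_RE = re.compile(r"[a-z0-9]+")


def content_feature(body):
    """Normalise the body so cosmetic variation (case, punctuation, spacing)
    maps to one feature, then hash it. Stronger normalisation catches more
    rewording but also merges more unrelated messages."""
    tokens = WORD_RE.findall(body.lower())
    return hashlib.sha256(" ".join(tokens).encode()).hexdigest()


class MessageCorrelator:
    def __init__(self, threshold):
        self.threshold = threshold
        # database stand-in: content feature -> set of sender features seen with it
        self.senders_by_content = defaultdict(set)

    def ingest(self, sender, body):
        feat = content_feature(body)
        seen_before = feat in self.senders_by_content
        self.senders_by_content[feat].add(sender)          # record both features
        if not seen_before:
            return "ok"                                    # first sighting, nothing to compare
        if len(self.senders_by_content[feat]) > self.threshold:
            return "suspicious"
        return "ok"


# Constructed sample: one phishing template from four different senders with
# small variations, and a newsletter sent twice by the same sender.
SAMPLE_MESSAGES = [
    ("alice@example.org", "Hi, please review the attached invoice: http://example.test/inv"),
    ("bob@example.net", "HI - please review the attached INVOICE: http://example.test/inv"),
    ("carol@example.com", "hi please review the attached invoice http://example.test/inv !!!"),
    ("dave@example.edu", "Hi, please review the attached invoice: http://example.test/inv"),
    ("news@example.org", "Weekly digest #12"),
    ("news@example.org", "Weekly digest #12"),
]


def run_sample(threshold=3):
    correlator = MessageCorrelator(threshold)
    return [correlator.ingest(sender, body) for sender, body in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for (sender, _body), verdict in zip(SAMPLE_MESSAGES, run_sample()):
        print(f"{verdict:10s} {sender}")
```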
Gateway apparatus, detecting method of malicious domain and hacked host thereof, and non-transitory computer readable medium
A gateway apparatus, a detecting method of malicious domain and hacked host thereof, and a non-transitory computer readable medium are provided. The detecting method includes the following steps: capturing network traffic, and parsing traces and channels from that traffic. Each channel corresponds to a link between a domain and an Internet Protocol (IP) address, and each trace corresponds to an HTTP request sent from an IP address for that domain. A trace-channel behavior graph is then established, and a malicious degree model is trained on the trace-channel behavior graph together with threat intelligence. The malicious degree of an unknown channel can then be determined, providing a detecting method with high precision.
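The graph construction above, with a simple scoring model in place of the patent's trained one, as an added example in Python. It is not the patent's code: the proxy log format (timestamp, client, host, resolved IP, path), the threat-intelligence seeds and the use of label propagation over the trace-channel graph are all assumptions made here to show how a malicious degree can spread from intel-labelled domains to the IPs and hosts they are linked with. Addresses are from documentation ranges and the log is constructed.

```python
from collections import defaultdict

# Constructed proxy log lines: timestamp, client IP, requested host, resolved IP, path.
SAMPLE_LOG = """\
1700000000 10.0.0.1 evil.test 203.0.113.5 /gate.php
1700000001 10.0.0.1 unknown1.test 203.0.113.5 /update.bin
1700000002 10.0.0.2 good.test 198.51.100.9 /index.html
1700000003 10.0.0.2 unknown2.test 198.51.100.9 /news
1700000004 10.0.0.3 evil.test 192.0.2.20 /gate.php
1700000005 10.0.0.3 good.test 192.0.2.20 /index.html
"""

# Constructed threat-intelligence seeds: 1.0 = known malicious, 0.0 = known benign.
INTEL = {"evil.test": 1.0, "good.test": 0.0}


def parse_log(text):
    """Channels are (domain, resolved IP); traces are (requesting host, domain)."""
    channels, traces = set(), set()
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, domain, ip, _path = line.split()
        channels.add((domain, ip))
        traces.add((client, domain))
    return channels, traces


def build_graph(channels, traces):
    """Undirected graph with typed node names; a channel joins a domain to its IP,
    a trace joins a requesting host to the domain it asked for."""
    adj = defaultdict(set)
    for domain, ip in channels:
        adj["domain:" + domain].add("ip:" + ip)
        adj["ip:" + ip].add("domain:" + domain)
    for client, domain in traces:
        adj["host:" + client].add("domain:" + domain)
        adj["domain:" + domain].add("host:" + client)
    return adj


def propagate(adj, intel, rounds=10):
    """Label propagation: intel-labelled domains keep their score; every other
    node takes the mean of its neighbours' scores each round (synchronous update)."""
    fixed = {"domain:" + d: s for d, s in intel.items() if "domain:" + d in adj}
    score = {node: 0.0 for node in adj}
    score.update(fixed)
    for _ in range(rounds):
        nxt = dict(score)
        for node, nbrs in adj.items():
            if node in fixed or not nbrs:
                continue
            nxt[node] = sum(score[n] for n in nbrs) / len(nbrs)
        score = nxt
    return score


def channel_degrees(channels, score):
    """Malicious degree of a channel: mean of its domain and IP scores."""
    return {(d, ip): (score["domain:" + d] + score["ip:" + ip]) / 2 for d, ip in channels}


def hacked_hosts(traces, degrees, threshold=0.7):
    """Flag a host when any channel for a domain it requested scores above threshold."""
    by_domain = defaultdict(list)
    for (d, _ip), deg in degrees.items():
        by_domain[d].append(deg)
    return sorted({client for client, d in traces if max(by_domain[d]) > threshold})


def analyse(text=SAMPLE_LOG, intel=INTEL, rounds=10):
    channels, traces = parse_log(text)
    score = propagate(build_graph(channels, traces), intel, rounds)
    degrees = channel_degrees(channels, score)
    return degrees, hacked_hosts(traces, degrees)


if __name__ == "__main__":
    degrees, hosts = analyse()
    for chan, deg in sorted(degrees.items()):
        print(f"{deg:.3f}  {chan[0]} -> {chan[1]}")
    print("hacked hosts:", hosts)
```

Note what the shared address 192.0.2.20 does: it serves both seeds, so it settles at 0.5 and dilutes the degree of evil.test on that channel to 0.75 while lifting good.test to 0.25. Guilt by association over shared hosting or CDN addresses is the main source of false positives in this kind of graph, and the threshold has to be chosen with that in mind.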
MITIGATION OF ATTACKS ON SATELLITE NETWORKS
A system includes a terminal and a gateway. The terminal is programmed to identify, in received data, a signature of rogue data that includes at least a device identifier and an application identifier, and to transmit, via uplink to a satellite, the identified signature to a gateway. The gateway is programmed to block downlink data, upon determining that downlink data includes the received signature, and to broadcast the received signature to a second gateway.
Emulating shellcode attacks
A system includes one or more BotMagnet modules that are exposed to infection by malicious code. The BotMagnets may include one or more virtual machines hosting operating systems in which malicious code may be installed and executed without exposing sensitive data or other parts of a network. In particular, outbound traffic may be transmitted to a Sinkhole module that implements a service requested by the outbound traffic and transmits responses to the malicious code executing within the BotMagnet. In the case of shellcode attacks, unsuccessful attacks may be emulated by selecting a corresponding emulator that will receive and execute instructions, as would a successful shellcode attack. Events occurring on the BotMagnet and Sinkhole are correlated and used to characterize the malicious code. The characterization may be transmitted to other computer systems in order to detect instances of the malicious code.
Split serving of computer code
A computer-implemented method for securing a content server system is disclosed. The method includes identifying that a request has been made by a client computing device for serving of content from the content server system; serving, to the client computing device and for execution on the client computing device, reconnaissance code that is programmed to determine whether the client computing device is human-controlled or bot-controlled; receiving, from the reconnaissance code, data that indicates whether the client computing device is human-controlled or bot-controlled; and serving follow-up content to the client computing device, wherein the make-up of the follow-up content is selected based on a determination of whether the client computing device is human-controlled or bot-controlled.
Unobtrusive and dynamic DDoS mitigation
Some embodiments provide techniques for mitigating against layer 7 distributed denial of service attacks. Some embodiments submit a computationally intensive problem, also referred to as a bot detection problem, in response to a user request. Bots that lack the sophistication needed to render websites or are configured to not respond to the server response will be unable to provide a solution to the problem, and their requests will therefore be denied. If the requesting user is a bot and has the sophistication to correctly solve the problem, the server will monitor the user request rate. For subsequent requests from that same user, the server can increase the difficulty of the problem when the request rate exceeds different thresholds. In so doing, the problem consumes greater resources of the user, slowing the rate at which the user can submit subsequent requests, and thereby preventing the user from overwhelming the server.
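The escalating challenge described above, as an added example in Python rather than the patent's code. It assumes a hashcash-style problem (find a nonce such that SHA-256 of challenge and nonce has a given number of leading zero bits), a sliding 10-second rate window and a threshold table mapping request rate to difficulty; those numbers are tuning choices made here, not the patent's. Both the server side (issue, verify, escalate) and the client-side solver are included so the cost growth is visible.

```python
import hashlib
import os
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 10
# (requests in window >= floor) -> required leading zero bits. Assumed tuning.
THRESHOLDS = [(0, 8), (20, 12), (50, 16), (100, 20)]


def difficulty_for_rate(rate, thresholds=THRESHOLDS):
    """Pick the difficulty of the highest threshold the rate has reached."""
    bits = thresholds[0][1]
    for floor, b in thresholds:
        if rate >= floor:
            bits = b
    return bits


def leading_zero_bits(digest):
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def verify(challenge, nonce, bits):
    h = hashlib.sha256(challenge + b":" + str(nonce).encode()).digest()
    return leading_zero_bits(h) >= bits


def solve(challenge, bits, limit=1 << 26):
    """Client-side brute force; expected work is about 2**bits hashes, which is
    exactly the cost the server wants a high-rate client to pay."""
    for nonce in range(limit):
        if verify(challenge, nonce, bits):
            return nonce
    raise RuntimeError("no solution within limit")


class L7Mitigator:
    def __init__(self, window=WINDOW_SECONDS, thresholds=THRESHOLDS, clock=time.monotonic):
        self.window = window
        self.thresholds = thresholds
        self.clock = clock                   # injectable for deterministic testing
        self.history = defaultdict(deque)    # client id -> request timestamps in window
        self.pending = {}                    # client id -> (challenge, bits) awaiting a solution

    def _rate(self, client, now):
        q = self.history[client]
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q)

    def challenge(self, client):
        """Record the request, then issue a fresh random challenge whose
        difficulty follows the client's current request rate."""
        now = self.clock()
        self.history[client].append(now)
        bits = difficulty_for_rate(self._rate(client, now), self.thresholds)
        chal = os.urandom(16)
        self.pending[client] = (chal, bits)
        return chal, bits

    def submit(self, client, nonce):
        """Accept a solution once; a consumed or unknown challenge is rejected,
        which stops a bot from replaying one solved nonce across requests."""
        entry = self.pending.pop(client, None)
        if entry is None:
            return False
        chal, bits = entry
        return verify(chal, nonce, bits)


if __name__ == "__main__":
    m = L7Mitigator()
    for i in range(25):
        chal, bits = m.challenge("client-A")
        t0 = time.perf_counter()
        ok = m.submit("client-A", solve(chal, bits))
        print(f"request {i + 1:2d}: {bits} bits, solved={ok}, {time.perf_counter() - t0:.3f}s")
```

The challenge must be random and single-use: with a static or reusable challenge the bot solves once and replays, and the rate limit collapses to nothing.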
Substitute web content generation for detection and avoidance of automated agent interaction
Online service providers may operate a rendering service for generating and providing substitute web content information for rendering substitute web content instead of authentic web content. The rendering service may obtain web content information for the authentic web content in response to receiving a request for web content. The rendering service may use the web content information to generate the substitute web content information. The substitute web content information is useable by the computing device to generate substitute web content that includes one or more visual elements resembling resource objects of the authentic web content. The visual elements are rendered, as a result of processing by the computing device, as image content instead of interactive objects.