A network security computing system includes a steganographic communications analysis engine monitoring incoming and outgoing messages on a secure computing network. The steganographic communications analysis engine identifies a pattern of file transfers between a first computing device on the secure computing network and an internal or external message recipient. When a pattern is identified, the steganographic communications analysis engine quarantines an associated computing device from the secure network. The steganographic communications analysis engine analyzes files transferred between the computing device and the recipient for indications of steganographic information and causes display, based on an identified indication of steganography, an indication that the computing device had been compromised by command and control malware.

A method and apparatus that securely obtains services in response to a request for a service while concealing personally identifiable information (PII) includes a software package having a user identification (ID) and network protection module that runs on a third party system and an anonymizer module that runs on a user system. The user system sends the request for the service via an API that invokes the user ID and network protection module to validate the request. In response to receiving validation, the anonymizer module modifies the request for the service to conceal at least part of the PII and sends the modified request to the service provider. In one embodiment, the third party system may be an application program configured to run on the user system. Thus, no PII or data to identify the unique individual is transmitted to the service provider.

Detecting, mitigating and isolating a Signaling Storm, particularly in 5G communication networks. A Control Plane signal probe is connected at a first network node located between a Radio Access Network and a 5G Core Network, to monitor control messages originating from 5G-capable devices. A User Plane signal probe is connected at a second network node located between the 5G Core Network and remote entities to which the 5G-capable devices are sending messages, to monitor control messages passing through the second network node. An Inventory Management sub-system stores data correlating between 5G-capable devices and IMSI numbers. A Protector Unit is configured to receive (i) data collected by the Control Plane signal probe, and (ii) data collected by the User Plane signal probe, and (iii) a subset of IMSI numbers. The Protector Unit performs Machine Learning analysis, and detects and quarantines particular 5G-capable devices that are compromised or malfunctioning.

A computer system configured to improve security of server computers interacting with client computers, the system comprising: one or more processors executing instructions that cause the one or more processors to: select, from the plurality of detection tests, one or more first detection tests to be performed by a client computer; send, to the client computer, a first set of detection instructions that define the one or more first detection tests, and which when executed causes generating a first set of results that identifies a first set of characteristics of the client computer; receive the first set of results from the client computer; select one or more first countermeasures from a plurality of countermeasures based on the first set of characteristics identified in the first set of results; send, to the client computer, a first set of countermeasure instructions that define the one or more first countermeasures.

In one embodiment, a node in a network detects an anomaly in the network based on a result of a machine learning-based anomaly detector analyzing network traffic. The node determines a packet capture policy for the anomaly by applying a machine learning-based classifier to the result of the anomaly detector. The node selects a set of packets from the analyzed traffic based on the packet capture policy. The node stores the selected set of packets for the detected anomaly.

Systems and methods of monitoring and controlling Internet of Things (IOT) and ZeroConf devices using a cloud-based security system include receiving fingerprints of the IOT and ZeroConf devices and data related to operation from a plurality of user devices; receiving updates related to the IOT and ZeroConf devices, configuration thereof, and proper operation thereof; determining security risk of the IOT and ZeroConf devices based on the fingerprints, the data related to operation, and the updates; and providing the security risk to the plurality of user devices and causing one or more policy-based actions to be performed based on the security risk.

Methods, non-transitory computer readable media, anomaly detection apparatuses, and network traffic management systems that generate, based on the application of one or more models and for a first flow associated with a received first set of network traffic, one or more likelihood scores and at least one flow score based on the likelihood scores. One or more of the one or more models are associated with one or more browsing patterns for a web application to which the first set of network traffic is directed. A determination is made when the flow score exceeds a threshold. A mitigation action is initiated, based on a stored policy, with respect to the first set of network traffic, when the determining indicates that the flow score exceeds the established threshold.

A system monitors network activity of an end-user device that communicates with servers over a communications network. The performs analysis of packets of data that are transported via the network. The system detects a first set of communications in which a first server infects the end-user device with a cryptocurrency mining malware; a second set of communications, in which a second server activates the end-user device as an activated cryptocurrency mining bot; and a third set of communications, in which the second server allocates a cryptocurrency mining task to the end-user device and later receives a cryptocurrency mining output from the end-user device. The system determines that the first server is a malicious infecting web-server; that the second server is a malicious Command and Control server of a distributed bot-net of cryptocurrency mining bots; and that the end-user device is an infected and activated and operational cryptocurrency mining bot.

A method, computer program product, system and apparatus for the prevention of RGA and DGA malware over an existing internet service is disclosed. The invention exploits the fact that when malware rapidly attempts to access many contact points, a malware is likely to need several attempts to find a current server. Software is installed on the individual endpoints in a network of internet services. The software monitors the websites or services and collects information about access attempts. The invention detects a series of failed attempts by the malware to access the service/website. These attempts can be accrued by being temporally linked (e.g., many attempts in a short time, many attempts consecutively), conceptually linked (e.g., similar addresses, similar attempts across multiple machines or time scales), higher than normal prevalence or other methods. The invention provides an indication of a malware attempt if enough failed attempts have accrued.

A computer implemented method to identify one or more parameters of a configuration of a target virtual machine (VM) in a virtualized computing environment used in a security attack against the target VM, the security attack exhibiting a particular attack characteristic, is disclosed.