H04L2463/144

Monitoring access of network darkspace

A system includes one or more BotMagnet modules that are exposed to infection by malicious code. The BotMagnets may include one or more virtual machines hosting operating systems in which malicious code may be installed and executed without exposing sensitive data or other parts of a network. In particular, outbound traffic may be transmitted to a Sinkhole module that implements a service requested by the outbound traffic and transmits responses to the malicious code executing within the BotMagnet. Dark space in a network (unused IP addresses, unused ports and absent applications, and invalid usernames and passwords) is consumed by a BotSink such that attempts to access Darkspace resources will be directed to the BotSink, which will engage the source host of such attempts.

Method, Device, and System of Back-Coloring, Forward-Coloring, and Fraud Detection
20190342328 · 2019-11-07

System, device, and method for behaviorally validated link analysis, session linking, transaction linking, transaction back-coloring, transaction forward-coloring, fraud detection, and fraud mitigation. A method includes: receiving an indicator of a seed transaction known to be fraudulent; selecting, from a database of transactions, multiple transactions that share at least one common property with the seed transaction; generating a list of candidate fraudulent transactions; filtering the candidate fraudulent transactions, by applying a transaction filtering rule that is based on one or more behavioral characteristics; and generating a filtered list of candidate fraudulent transactions.

System, Method, and Device of Authenticating a User based on Selfie Image or Selfie Video
20190342329 · 2019-11-07

System, method, and device of detecting identity of a user and authenticating a user; as well as detecting a possible attacker or impostor, and differentiating among users of an electronic device or of a computerized service. A mobile or portable electronic device is utilized to capture a self-taken image or video of a user, which is utilized as a user-authentication factor. The accelerometer and gyroscope or device-orientation sensor of the mobile device sense and measure spatial and physical device properties during, before or after the submission of the self-taken image or video. Based on such spatial and physical device properties, in combination with computer-vision analysis of the content shown in the self-taken image or video, the system determines liveness of the user and freshness of the submitted self-taken image or video, and differentiates between a legitimate user and an attacker.

Detecting abusive collaborative activity using a graph neural network

A technique uses a graph neural network (GNN) to determine whether a particular entity under consideration is engaging in abusive network-related activity over a computing network in collaboration with other entities. In some applications, the particular entity is part of a bot attack aimed at fraudulently engaging with advertisements. The technique trains the GNN by performing machine learning on a training set that includes a plurality of nodes, edges, and node labels. In forming the training set, the technique associates a feature set with each node in the training set that describes the network activity exhibited by that node's entity. The technique then connects each pair of nodes in the training set with an edge if the feature sets of the pair satisfy a prescribed test for similarity. The technique assigns labels to at least some nodes to convey whether the nodes are associated with abusive network-related activity.

Command and Control Steganographic Communications Detection Engine

A network security computing system includes a steganographic communications analysis engine monitoring incoming and outgoing messages on a secure computing network. The steganographic communications analysis engine identifies a pattern of file transfers between a first computing device on the secure computing network and an internal or external message recipient. When a pattern is identified, the steganographic communications analysis engine quarantines an associated computing device from the secure network. The steganographic communications analysis engine analyzes files transferred between the computing device and the recipient for indications of steganographic information and causes display, based on an identified indication of steganography, of an indication that the computing device had been compromised by command and control malware.

Detection method for malicious domain name in domain name system and detection device

A detection method for a malicious domain name in a domain name system (DNS) and a detection device are provided. The method includes: obtaining network connection data of an electronic device; capturing log data related to at least one domain name from the network connection data; analyzing the log data to generate at least one numerical feature related to the at least one domain name; inputting the at least one numerical feature into a multi-type prediction model, which includes a first data model and a second data model; and predicting whether a malicious domain name related to a malware or a phishing website exists in the at least one domain name by the multi-type prediction model according to the at least one numerical feature.

User assistance coordination in anomaly detection

In one embodiment, a device in a network receives feedback regarding an anomaly reporting mechanism used by the device to report network anomalies detected by a plurality of distributed learning agents to a user interface. The device determines an anomaly assessment rate at which a user of the user interface is expected to assess reported anomalies based in part on the feedback. The device receives an anomaly notification regarding a particular anomaly detected by a particular one of the distributed learning agents. The device reports, via the anomaly reporting mechanism, the particular anomaly to the user interface based on the determined anomaly assessment rate.

BLOCKCHAIN-BASED ADMISSION PROCESSES FOR PROTECTED ENTITIES
20190334717 · 2019-10-31

A method and system for blockchain-based access to a protected entity are provided. The method includes granting access tokens of a first-type to a client; identifying, in a blockchain network, a conversion transaction identifying a request to convert the first-type of access tokens with access tokens of a second-type, wherein the transaction designates at least the protected entity; determining a conversion value for converting the first-type of access tokens into the second-type of access tokens, wherein the conversion value is determined based on at least one access parameter; converting, based on the determined conversion value, a first sum of the first-type of access tokens into a second sum of the second-type of access-tokens; and granting the client access to the protected entity when the sum of the second-type of access tokens is received as a payment from the protected entity.

METHOD FOR DETERMINING A COST TO ALLOW A BLOCKCHAIN-BASED ADMISSION TO A PROTECTED ENTITY
20190334904 · 2019-10-31

A method and system for determining a cost to allow a blockchain-based admission to a protected entity. The method includes identifying, in a blockchain network, a conversion transaction identifying a conversion of a first-type of access tokens with access tokens of a second-type, wherein the transaction designates at least the protected entity; determining a conversion value for converting the first-type of access tokens into the second-type access tokens, wherein the conversion value is determined based on at least one access parameter; and converting, based on the determined conversion value, a first sum of the first-type access tokens into a second sum of the second-type access-tokens, wherein a client spends the second sum of the second-type access tokens to access the protected entity; the determined conversion value is the access cost to the protected entity.

METHOD AND SYSTEM FOR BLOCKCHAIN-BASED ANTI-BOT PROTECTION
20190334905 · 2019-10-31

A method and a trust broker system for blockchain-based anti-bot protection are provided. The method includes identifying, on a blockchain network, a request from a client to access a protected entity; selecting an access policy in response to the access request, wherein the access policy includes at least one game to be performed by the client; causing execution of the at least one game defined in the access policy; identifying, on the blockchain network, results of the at least one game, wherein the results are deposited by the client upon completion of the game; determining a bias of the client based on the completion results, wherein the determined bias is utilized for a cyber-security assessment of the client, wherein the determined bias for the client is maintained on the blockchain network; and granting or denying access to the protected entity by the client based on the determined bias.