A botnet detection system and method are provided. The method includes the steps of: retrieving a network log file of a computer device; refining the network log file according to a device alive-time record of the computer device and a network white list to obtain a plurality of individual network log files, wherein each individual network log file records time information, a source IP address of the computer device, and an individual destination IP address; and analyzing a plurality of connection intervals of the source IP address connecting to the individual destination IP address in each individual network log file to determine whether the computer device exhibits connection behavior that indicates infection by a botnet malware.

Protocol suites such as hypertext transfer protocol (HTTP) using secure socket layer (SSL) can facilitate secure network communications. When using this type of secure communication, network addresses are typically expressed as numeric internet protocol addresses rather than the human-readable uniform resource locators (URLs) that are entered into a browser address bar by a human user. This property can be exploited to differentiate between secure and insecure communications, and to detect certain instances where a malicious proxy has been deployed to intercept network traffic with an endpoint.

This application provides an example method, system, and computer-readable medium for identifying potential account take over fraud attacks through monitoring of user credential login attempts across a network of websites. One example method includes identifying a login attempt to a particular website. The method further includes determining whether the login user credentials correspond to site-specific user credentials for the particular website. The method also includes in response to determining that the login user credentials correspond to the site-specific user credentials, determining whether the login attempt to the particular website is allowed by a first allowance rule associated with the first RTW, and in response to determining that the login attempt to the particular website is allowed by the first allowance rule, setting a first allowance indicator to indicate that the login attempt to the particular website is to be allowed by the first allowance rule.

Methods and systems for generating stateful attacks for simulating and testing security infrastructure readiness. Attack templates descriptive of a plurality of attacks to be executed against one or more targets are defined. The attack templates are processed to compile a decision tree by traversing through a list of attack templates to create a logical tree with tree branches representing different execution paths through which attacks may be executed against the targets. During attack simulations and/or testing, single and/or multi-stage attacks are executed against targets, wherein attack sequences are dynamically determined using the execution paths in the decision tree in view of real-time results. The attacks may be executed against various types of targets, including target in existing security infrastructures and simulated targets. Moreover, the attacks may originate from computer systems within security infrastructures or remotely using computer systems external to the security infrastructures.

Examples relate to detecting network anomalies. In one example, a computing device may: receive, from each of a plurality of packet capture devices of a private network, domain name system (DNS) query packets that were sent by a particular client computing device operating on the private network, each DNS query packet specifying i) a destination DNS server, ii) a query domain name, and iii) a source address that specifies the particular client computing device; provide at least one of the DNS query packets to a DNS traffic analyzer that is trained to identify DNS anomalies based on characteristics of the DNS query packets; receive anomaly output from the DNS traffic analyzer, the anomaly output indicating a DNS anomaly that was identified for the DNS query packets; and in response to receiving the anomaly output, provide a user device with data specifying the identified DNS anomaly.

In one embodiment, a security device identifies, from monitored network traffic of one or more users, one or more suspicious domain names as candidate domains, the one or more suspicious domain names identified based on an occurrence of linguistic units used in discovered domain names within the monitored network traffic. The security device may then determine one or more features of the candidate domains, and confirms certain domains of the candidate domains as malicious domains using a parameterized classifier against the one or more features.

The present disclosure is related to the network communication technology field and relates to a method for the classification and recognition of the Domain Name System (DNS) server, using machine-learning techniques. The classification process assigns a given DNS server as belonging to a preset of classes. For example, it enables to label a DNS server as either benign or malicious. On the other hand, the recognition process seeks the identification of the DNS server behavioral profile, which, consequently, can be used to assess the DNS server trustworthiness before DNS responses can be reliably used, e.g. identification of well-known and trusted DNS servers. Hence, the present patent, by the means of detecting the DNS server RFC adherence improves user security through the classification and recognition of DNS characteristics. Therefore, security solutions can use the DNS server characteristics to assess its trustworthiness before DNS responses can be reliably used.

Flux domain is generally an active threat vector, and flux domain behaviors are continually changing in an attempt to evade existing detection measures. Accordingly, new and improved techniques are disclosed for flux domain detection. In some embodiments, an online platform implementing an analytics framework for DNS security is provided for facilitating flux domain detection. For example, the online platform can implement an analytics framework for DNS security based on passive DNS traffic analysis, disclosed herein with respect to various embodiments.

Methods, systems and apparatus are provided which allow a server of a security awareness system to associate IP addresses with events representing user interactions with simulated phishing campaigns. The server receives a plurality of events related to one or more simulated phishing campaigns for a plurality of accounts. The server determines if an IP address of the plurality of IP addresses is associated with one or more events for multiple accounts of the plurality of accounts. Based upon this determination, the server provides identification of the IP address as suspected as having the one or more events associated with it not originating from any user of the multiple accounts. The server receives an indication of whether the IP address is validated as having the one or more events originating from a bot instead of a user of one of the multiple accounts.

In one embodiment, a networking device in a network causes formation of device clusters of devices in the network. The devices in a particular cluster exhibit similar characteristics. The networking device receives feedback from a device identity service regarding the device clusters. The feedback is based in part on the device identity service probing the devices. The networking device adjusts the device clusters based on the feedback from the device identity service. The networking device performs anomaly detection in the network using the adjusted device clusters.