Patent classifications
H04L2463/146
Methods, systems, and program product for analyzing cyber-attacks based on identified business impacts on businesses
Methods, systems, and program products for analyzing cyber-attacks on computing systems of a business are disclosed. The methods may include detecting each of a plurality of cyber-attacks. The plurality of cyber-attacks may target information systems stored on at least one information technology (IT) component of an infrastructure of the computing system of the business. The methods may also include determining cyber-attack data relating to the plurality of cyber-attacks, and identifying a business impact on the business for each of the plurality of cyber-attacks. The identified business impact on the business for the plurality of cyber-attacks may be based on predetermined business impact data and the determined cyber-attack data. Additionally, the method may include prioritizing the plurality of cyber-attacks attempted on the computing system based on the identified business impact on the business for each of the plurality of cyber-attacks.
Systems and methods for relating network intrusions to passenger-owned devices
A vehicle network system is configured to detect unauthorized intrusions by a passenger-owned device, and to identify the passenger-owned device based at least in part on stored information representative of network communications. The vehicle network system can be further configured to determine a position of the intruding passenger-owned device within a passenger area of the vehicle and to obtain a name and/or camera image of a passenger associated with the device. The position of the intruding device can be identified based at least in part on communications between the intruding device and one or more network-access devices distributed throughout the passenger area.
DENIAL-OF-SERVICE DETECTION AND MITIGATION SOLUTION
A system, central controller, and method for mitigating a distributed denial-of-service (DDoS) attack in a networked computing system. One or more records including meta-data about network traffic are received from one or more network devices and anomalous network traffic is identified. A source address of the anomalous network traffic is determined and a mitigation action is initiated based on the source address and one or more mitigation rules, wherein a determination of whether the received data packet is part of the DDoS attack is based on one or more detection rules.
ROUTE ANOMALY DETECTION AND REMEDIATION
A route anomaly detection and remediation system analyzes a prefix for each route received to validate the route. A route monitoring component provides a centralized querying system for all routers from all devices to study routing history. A route collection component receives and stores all routes from multiple routers at a server. A set of microservice analysis components performs prefix analysis on each received route. Each microservice analysis component analyzes one or more portions of the prefix for each route to detect hijacked routes, leaked routes, withdrawn routes and/or other unhealthy routes before the routes are utilized for routing traffic on the network. The analysis performs new prefix validation and identifies healthy routes. Alerts identifying invalid routes are transmitted to an incident management system. Healthy routes are approved for usage by routers on the network to prevent network outages while improving network reliability, availability and stability.
BIO-INSPIRED AGILE CYBER-SECURITY ASSURANCE FRAMEWORK
A framework for efficiently and automatically exploring a data network and accurately identifying network threats, which comprises a plurality of software and hardware-based agents, distributed over the data network. The agents are capable of adjusting or reconfiguring, on the fly, the behavior of the agents and their ability to collect data in a targeted manner, so as to investigate suspicious incidents and alerts and collect data that was not yet collected by the system; collecting forensic data by executing tasks defined in workflows, being distributed threat intercepting programs and reporting about the collected forensic data, back to a Central Control Unit (C&C). Distributed threat intercepting programs (workflows) are used to provide instructions to agents, to perform branching and provide instructions to the Central Control Unit (C&C), which orchestrates the agents to assure proper execution of the workflows; analyzes the collected information and presents ongoing status to an operator supervising the data network.
Threat actor identification systems and methods
A threat actor identification system that obtains domain data for a set of domains, generates domain clusters, determines whether the domain clusters are associated with threat actors, and presents domain data for the clusters that are associated with threat actors to brand owners that are associated with the threat actors. The clusters may be generated based on similarities in web page content, domain registration information, and/or domain infrastructure information. For each cluster, a clustering engine determines whether the cluster is associated with a threat actor, and for clusters that are associated with threat actors, corresponding domain information is stored for presentation to brand owners to whom the threat actor poses a threat.
System and method of identifying fraudulent activity from a user device using a chain of device fingerprints
The present disclosure provides systems and methods of selecting candidates for comparison of fingerprints of devices. An exemplary method comprises calculating a digital fingerprint of a device, determining a group of digital fingerprints where the digital fingerprint occurs, calculating vectors of changed features of each digital fingerprint, calculating a probability that the digital fingerprint and each digital fingerprint within the group belong to the same chain, identifying a set of candidates from the group whose probability of belonging to the same chain of fingerprints crosses a value, comparing the calculated digital fingerprint of the device with the fingerprints in the set of candidates, determining that the device corresponds to a device in the set of candidates when the comparison results in a match higher than a specified threshold and permitting the user actions, and otherwise tracking the user actions with the online service as fraudulent activity.
DYNAMIC AGGREGATION OF INFORMATION BASED ON WEB APPLICATION LAYER REQUESTS
A method by a web application layer proxy for dynamically creating counters during runtime based on actual web application layer requests received by the web application layer proxy. The method includes installing a counting rule in the web application layer proxy, where the counting rule specifies a set of parameters based upon which to create counters, receiving a web application layer request generated by a web application client that is intended for a web application server, determining a set of parameter values associated with the web application layer request that corresponds to the set of parameters specified by the counting rule, and creating a counter associated with the set of parameter values associated with the web application layer request in response to a determination that a counter associated with the set of parameter values associated with the web application layer request does not exist.
DETECTING SUSPICIOUS FILE ACTIVITY
Systems and techniques for detecting suspicious file activity are described herein. A system for identifying anomalous data events is adapted to monitor a networked file system and receive an indication of a suspicious event associated with a user and a file. The system is further adapted to perform a pattern of behavior analysis for the user, perform an adjacency by time analysis based on a set of events before the suspicious event and a set of events after the suspicious event, and perform an adjacency by location analysis using a set of files located in a location of the file. The system is further adapted to determine whether the suspicious event is an anomalous event based on the pattern of behavior analysis, the adjacency by time analysis, and the adjacency by location analysis, and to display a report for the user including the anomalous event.
ATTACK PATH DETECTION METHOD, ATTACK PATH DETECTION SYSTEM AND NON-TRANSITORY COMPUTER-READABLE MEDIUM
An attack path detection method, attack path detection system and non-transitory computer-readable medium are provided in this disclosure. The attack path detection method includes the following operations: establishing a connecting relationship among a plurality of hosts according to a host log set to generate a host association graph; labeling at least one host with an abnormal condition on the host association graph; calculating a risk value corresponding to each of the plurality of hosts; for a host without the abnormal condition, determining whether the risk value corresponding to the host without the abnormal condition is greater than a first threshold, and utilizing a host with the risk value greater than the first threshold as a high-risk host; and searching at least one host attack path from the high-risk host and the at least one host with the abnormal condition according to the connecting relationship of the host association graph.