Patent classifications
H04L2463/146
Method and system for detecting suspicious administrative activity
Disclosed is an improved approach for identifying suspicious administrative host activity within a network. Network traffic is examined to learn the behavior of hosts within a network. This provides an effective way of determining whether or not a host is performing suspicious activity over an administrative protocol.
Blockchain tracking of virtual universe traversal results
An exemplary computer-implemented method includes obtaining at least one teleportation invite block that records a virtual universe teleportation invite marked by at least one parameter. The teleportation invite identifies a virtual universe user as an invitee. Responsive to the parameter, the method assesses whether the virtual universe teleportation invite is potentially malicious, and alerts the invitee in case the virtual universe teleportation invite is potentially malicious. Another exemplary computer-implemented method includes obtaining at least one complaint block that records a complaint made against a virtual universe user; obtaining a plurality of traversal blocks that record virtual universe traversal events by the virtual universe user; identifying a pattern of harassment by analyzing a first plurality of traversal blocks that precede the complaint block; identifying a risk of future harassment by analyzing a second plurality of traversal blocks that follow the complaint block; and issuing an alert regarding the risk of future harassment.
SYSTEMS AND METHODS FOR RELATING NETWORK INTRUSIONS TO PASSENGER-OWNED DEVICES
A vehicle network system is configured to detect unauthorized intrusions by a passenger-owned device, and to identify the passenger-owned device based at least in part on stored information representative of network communications. The vehicle network system can be further configured to determine a position of the intruding passenger-owned device within a passenger area of the vehicle and to obtain a name and/or camera image of a passenger associated with the device. The position of the intruding device can be identified based at least in part on communications between the intruding device and one or more network-access devices distributed throughout the passenger area.
System and method for attribution of actors to indicators of threats to a computer system and prediction of future threat actions
An information handling system performs a method for analyzing attacks against a networked system of information handling systems. The method includes detecting a threat indicator, representing the threat indicator in part by numerical parameters, normalizing the numerical parameters, calculating one or more measures of association between the threat indicator and other threat indicators, finding an association of the threat indicator with another threat indicator based upon the normalized numerical parameters, and assigning to the threat indicator a probability that a threat actor group caused the attack, wherein the threat actor group was assigned to the other threat indicator. In some embodiments, the normalizing may include transforming a distribution of the numerical parameters to a distribution with a standard deviation of 1 and a mean of 0. In some embodiments, the normalizing may include applying an empirical cumulative distribution function. In some embodiments, the one or more measures of association between the threat indicator and other threat indicators may include a Kendall's tau between the threat indicator and the other threat indicators, a covariance between the threat indicator and the other threat indicators, or a conditional entropy between the threat indicator and the other threat indicators.
Data Processing Method, Device, Access Control System, and Storage Media
Data processing methods, devices, access control systems, and storage media are provided in the present disclosure. In a data processing method, isolated sessions corresponding to the same source IP address within a preset time period are identified. When the number of isolated sessions meets a preset condition, the source IP address is determined to be a target IP. In implementations, because the method identifies a target IP in reverse from the activity of its isolated sessions, it is not easily bypassed by the target IP and is advantageous for accurately identifying a target IP that satisfies the condition.
Gateway apparatus, detecting method of malicious domain and hacked host thereof, and non-transitory computer readable medium
A gateway apparatus, a detecting method of malicious domain and hacked host thereof, and a non-transitory computer readable medium are provided. The detecting method includes the following steps: capturing network traffic, and parsing traces and channels from the network traffic. Each channel is related to a link between a domain and an Internet Protocol (IP) address, and each trace is related to an HTTP request sent from the IP address for the domain. Then, a trace-channel behavior graph is established. A malicious degree model is trained based on the trace-channel behavior graph and threat intelligence. Accordingly, a malicious degree of an unknown channel can be determined, thereby providing a detecting method with high precision.
Secure file sharing using semantic watermarking
Methods and systems for identifying the source of a leak of confidential information are described herein. The methods and systems relate to a file sharing system that may generate a copy of a shared file that is unique to each user. The file management system may determine a plurality of differences within each version of the file. A table of differences is maintained by the file management system, for comparison against any leaked version of the file. The file management system compares each generated version of the file against previously generated versions to ensure enough differences are included to determine a unique identity of the user associated with any leaked file.
Automatic firewall configuration based on aggregated cloud managed information
Disclosed are systems, methods, and computer-readable storage media for automatic firewall configuration based on aggregated cloud managed information. A cloud management device can determine, based on security event data received from a first set of client computing environments, that a security attack detected on at least one client computing environment from the first set of client computing environments is likely to occur on other client computing environments. In response to determining that the security attack detected on at least one client computing environment from the first set of client computing environments is likely to occur on other client computing environments, the cloud management device can identify a second set of client computing environments to protect from the security attack. For each client computing environment from the second set of client computing environments, the cloud management device can configure firewall settings to protect from the security attack.
Subscription-based multi-tenant threat intelligence service
Systems for providing a subscription-based multi-tenant threat intelligence service are provided. The systems receive first threat information associated with a first source of a first threat intelligence feed, and receive an indication that a first user associated with a first computing resource within a compute environment has subscribed to the first threat intelligence feed. The systems determine, based on the first threat information and the first user's subscription to the first threat intelligence feed, that a portion of activity associated with the first computing resource includes activity by an endpoint identified in the first threat information. In response to determining that the portion of the activity includes activity by an endpoint identified in the first threat information, the systems perform an action.
SYSTEMS AND METHODS FOR POLLUTING PHISHING CAMPAIGN RESPONSES
Techniques are described for polluting phishing campaign responses with content that includes fake sensitive information of the type being sought in phishing messages. Embodiments disclosed herein identify phishing messages that are designed to fraudulently obtain sensitive information. Rather than simply quarantining these phishing messages from users' accounts to prevent users from providing real sensitive information, embodiments disclosed herein analyze these phishing messages to determine what type(s) of information are being sought and then respond to these phishing messages with fake sensitive information of these type(s). For example, if a phishing message is seeking sensitive credit card and/or banking account information, fake information of these type(s) may be generated and sent in response to the phishing message. In various implementations, a natural language processing (NLP) model may be used to analyze the phishing message and/or generate a response thereto.