Patent classifications
H04L2463/146
SYSTEM AND METHOD FOR DETECTION AND ISOLATION OF NETWORK ACTIVITY
A security method in a network environment comprising a corporate network populated with one or more devices connectable to the corporate network over a first communication interface and connectable to other devices over a device-to-device communication interface distinct from the first communication interface, each device comprising a node in the network, one or more of the devices comprising a mobile device and one or more of the devices comprising an intentionally vulnerable node in the network, the method comprising: logging exchanged messages across the interfaces at the intentionally vulnerable node; monitoring the interfaces; identifying a candidate malicious message; tracking back from messages, including from a candidate malicious message; determining the paths used by the messages; determining the source and/or destination of a path to localise the candidate malicious message source.
Methods and apparatus to identify an internet protocol address blacklist boundary
Methods, apparatus, systems and articles of manufacture are disclosed to identify candidate boundaries of Internet protocol addresses associated with a malicious Internet protocol address. An example method includes collecting, with a processor, netflow data associated with the Internet protocol addresses within a netblock having a lower boundary Internet protocol address and an upper boundary Internet protocol address, generating, with the processor, a first window of Internet protocol addresses numerically lower than the malicious Internet protocol address, generating, with the processor, a second window of Internet protocol addresses numerically higher than the malicious Internet protocol address, for respective Internet protocol addresses in the first and second windows, calculating, with the processor, occurrence counts associated with behavior features, and identifying candidate boundaries within the netblock based on divergence values caused by the behavior features.
METHOD AND SYSTEM FOR DETECTING ABNORMAL ONLINE USER ACTIVITY
The present teaching generally relates to detecting abnormal user activity associated with an entity. In a non-limiting embodiment, baseline distribution data representing a baseline distribution characterizing normal user activities for an entity may be obtained. Information related to online user activities with respect to the entity may be received, and distribution data representing a dynamic distribution may be determined based, at least in part, on the information. One or more measures characterizing a difference between the baseline distribution and the dynamic distribution may be computed, and in real time it may be assessed whether the information indicates abnormal user activity. If the information indicates abnormal user activity, then output data including the distribution data and the one or more measures may be generated.
GATEWAY APPARATUS, DETECTING METHOD OF MALICIOUS DOMAIN AND HACKED HOST THEREOF, AND NON-TRANSITORY COMPUTER READABLE MEDIUM
A gateway apparatus, a detecting method of malicious domain and hacked host thereof, and a non-transitory computer readable medium are provided. The detecting method includes the following steps: capturing network traffic, and parsing traces and channels from the network traffic. Each channel is related to a link between a domain and an Internet Protocol (IP) address, and each trace is related to an HTTP request sent from the IP address for the domain. Then, a trace-channel behavior graph is established. A malicious degree model is trained based on the trace-channel behavior graph and threat intelligence. Accordingly, a malicious degree of an unknown channel can be determined, thereby providing a detecting method with high precision.
Digital Asset Tracking System And Method
A digital asset tracking system comprises one or more Client Machines (CMs), each installed with an Agent, wherein the Agent determines a digital asset to be armed and selects an arming method to arm the to-be-armed digital asset; an Asset Management Platform (AMP) managed by a System Administrator, wherein the AMP allows the System Administrator to make informed decisions on which assets are to be armed for monitoring; and a Callback Server installed on a server, hosted either by a cloud service provider or in an enterprise network on an internet-facing interface, wherein the Callback Server listens in and logs all communications received from armed assets; and when an armed asset is opened and viewed, the arming on the armed asset triggers a communication back to the Callback Server, which logs all communications received. A digital asset tracking method is also provided.
NETWORK SECURITY ANALYSIS FOR SMART APPLIANCES
A method and system for detecting malicious behavior from smart appliances within a network. Smart appliances have a certain level of intelligence that allows them to perform a specific role more effectively and conveniently. Network traffic data and appliance identification data are collected about smart appliances within a network. The data is sent to a behavior analysis engine, which computes confidence levels for anomalies within the network traffic that may be caused by malicious behavior. If the behavior analysis engine determines that malicious behavior is present in the network, it sends an instruction to a network traffic hub to block network traffic relating to the anomaly. In some embodiments, network traffic is blocked based on source-destination pairs. In some embodiments, network traffic is blocked from a device outside the network that is determined to be malicious.
Detection of malicious domains using recurring patterns in domain names
In one embodiment, a security device identifies, from monitored network traffic of one or more users, one or more suspicious domain names as candidate domains, the one or more suspicious domain names identified based on an occurrence of linguistic units used in discovered domain names within the monitored network traffic. The security device may then determine one or more features of the candidate domains, and confirm certain domains of the candidate domains as malicious domains using a parameterized classifier against the one or more features.
DETECTING MALICIOUS LATERAL MOVEMENT ACROSS A COMPUTER NETWORK
Graph-based detection systems and techniques are provided to identify potential malicious lateral movement paths. System and security events may be used to generate a network connection graph and detect remote file executions and/or other detections, for use in tracking malicious lateral movement across a computer network, such as a compromised computer network. Lateral movement determination across a computer network may be divided into two subproblems: forensic analysis and general detection. With forensic analysis, given a malicious node, possible lateral movement leading into or out of the node is identified. General detection identifies previously unknown malicious lateral movement on a network using a remote file execution detector, and/or other detectors, and a rare path anomaly detection algorithm.
PREVENTION AND CONTROL METHOD, APPARATUS AND SYSTEM FOR NETWORK ATTACK
A method including parsing an attack packet when a network attack is detected, wherein the attack packet includes address information; locating a first gateway device according to the address information; and sending a first instruction to the first gateway device, wherein the first instruction is used for instructing the first gateway device to perform security control on a terminal to which the attack packet belongs. The present disclosure solves the technical problem of low defense efficiency when a target server under attack defends passively due to the lack of techniques for monitoring and countering network attacks in conventional approaches.
Method for acquiring identifier of terminal in network, management network element and storage medium
The embodiment of the present invention discloses a method for acquiring an identifier of a terminal in a network. The method includes: acquiring a device identifier of a current terminal which is registered in a network, wherein the current terminal is a mobile user; and allocating a corresponding network identifier to the current terminal according to the device identifier of the current terminal such that the current terminal transmits data in the network by using the allocated network identifier, wherein the network identifier is a fixed public network Internet Protocol (IP) address, or a fixed public network IP address and port number segment, allocated to the current terminal. The present invention further discloses a management network element and a computer storage medium.