Patent classifications
H04L2463/146
Method, device and system for alerting against unknown malicious codes
A method, a device, and a system for alerting against unknown malicious codes are disclosed. The method includes: detecting characteristics of a packet; judging whether any suspicious code exists in the packet according to a result of the detection; recording a source address of the suspicious code if the suspicious code exists in the packet; and sending alert information that carries the source address to a monitoring device. The embodiments of the present invention can report source addresses of numerous suspicious codes proactively at the earliest possible time, lay a foundation for shortening the time required for overcoming virus threats, and avoid the trouble of installing software on the client.
ATTRACTING AND ANALYZING SPAM POSTINGS
One or more processors generate a website mimicking a virtual message board. One or more processors receive a request message directed to the website. One or more processors analyze the request message for evidence that the request message originates from a source of spam. In response to a determination that the request message likely does originate from a spam source, one or more processors provide data about the spam source to an anti-spam system.
Graph analytics and visualization for cyber situational understanding
Disclosed herein are system, method, and computer program product embodiments for creating cyber situational understanding in an operational environment. An embodiment operates by normalizing streaming cyber information for a plurality of cyberspace entities and generating cyber-graphs based on relationships between two or more of the plurality of cyberspace entities. A cyber-threat inquiry of the cyber-graphs returns potential cyber-threats that are subsequently visualized as an overlay on a corresponding operational environment.
Packet processing method and apparatus
A packet processing method and apparatus are provided. The method includes: on the forwarding path of an IPv6 packet, a key node (for example, a firewall) signs the packet, and a downstream apparatus of the key node verifies the signature to determine whether the packet passed through the key node during forwarding. According to this application, the key node performs checking, which effectively prevents a packet whose header has been modified by an attacker from bypassing the key node.
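The following is an added example, not code from the patent or its applicant, of the sign-at-key-node, verify-downstream pattern. The field names, the shared key, the sample addresses and the use of an HMAC in place of a true signature are all assumptions made for the example; the point is that the tag covers only the header fields that must stay invariant end to end, so a packet that never crossed the firewall, or whose destination was rewritten after it did, fails verification downstream.

```python
import copy
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Hypothetical key shared by the key node (firewall) and the downstream verifier.
# A real deployment would use per-node keys or public-key signatures; an HMAC is
# used here only to keep the example self-contained.
KEY_NODE_SECRET = b"example-key-node-secret"


@dataclass
class IPv6Packet:
    src: str
    dst: str
    hop_limit: int
    payload: bytes
    # Hypothetical proof-of-transit tag, imagined as carried in an extension header.
    transit_tag: Optional[bytes] = None


def _covered_fields(pkt: IPv6Packet) -> bytes:
    # Cover only fields that must be invariant end to end. The hop limit is
    # excluded because every router on the path decrements it.
    return b"|".join([pkt.src.encode(), pkt.dst.encode(),
                      hashlib.sha256(pkt.payload).digest()])


def key_node_sign(pkt: IPv6Packet, secret: bytes = KEY_NODE_SECRET) -> IPv6Packet:
    """Key node (firewall): attach a tag over the invariant header fields and payload."""
    signed = copy.copy(pkt)
    signed.transit_tag = hmac.new(secret, _covered_fields(pkt), hashlib.sha256).digest()
    return signed


def forward(pkt: IPv6Packet) -> IPv6Packet:
    """An ordinary router on the path: decrements the hop limit, touches nothing else."""
    out = copy.copy(pkt)
    out.hop_limit -= 1
    return out


def downstream_verify(pkt: IPv6Packet, secret: bytes = KEY_NODE_SECRET) -> bool:
    """Downstream apparatus: accept only packets whose tag proves they passed the key node."""
    if pkt.transit_tag is None:
        return False
    expected = hmac.new(secret, _covered_fields(pkt), hashlib.sha256).digest()
    return hmac.compare_digest(expected, pkt.transit_tag)


def demo() -> dict:
    # Constructed sample packets.
    legit = forward(key_node_sign(IPv6Packet("2001:db8::10", "2001:db8::20", 64, b"GET /")))

    # Attacker injects a packet that never crossed the firewall: no tag at all.
    untagged = IPv6Packet("2001:db8::bad", "2001:db8::20", 63, b"GET /")

    # Attacker rewrites the destination of a legitimately tagged packet to reach
    # a host the firewall would have blocked; the tag no longer matches.
    rerouted = copy.copy(legit)
    rerouted.dst = "2001:db8::30"

    return {
        "legit": downstream_verify(legit),
        "untagged": downstream_verify(untagged),
        "rerouted": downstream_verify(rerouted),
    }


if __name__ == "__main__":
    print(demo())  # {'legit': True, 'untagged': False, 'rerouted': False}
```

One caveat a practitioner would raise: a tag with no freshness element can be replayed, so a captured tagged packet could be re-sent later and still verify. A deployable design adds a sequence number or timestamp to the covered fields and has the verifier reject duplicates.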
Method of analysing anomalous network traffic
A computer-implemented method of analysing anomalous network traffic in a telecommunications network, said telecommunications network comprising a plurality of network entities (120, 110) and a security analyser (130-3), wherein the method comprises the steps of: receiving at the security analyser a network communication from a first network entity; identifying the first network entity; by means of the security analyser: analysing the network communication and/or a performance of the first network entity thereby to identify the network communication as an anomalous communication (310); in response to identifying the network communication as an anomalous communication, communicating an instruction to the identified first network entity to respond with origin information regarding the anomalous communication, wherein the origin information identifies a preceding network entity from which the anomalous communication was directly received by the first network entity (320, 330); and commencing with the preceding network entity, iteratively communicating an instruction to a preceding network entity to respond with origin information for identifying another preceding network entity from which the anomalous communication was directly received until a source network entity from which the anomalous communication originated is identified (380, 390); and applying a security policy to the identified source network entity (370).
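An added example of the hop-by-hop traceback loop above (not code from the patent or its applicant). Each entity keeps a per-communication record of the neighbour it received the message from; the analyser asks the entity it saw the message from, then that entity's predecessor, and so on until an entity reports no predecessor. The entity names, the communication id and the "block the source" policy are assumptions for the example. Two failure modes the claim does not spell out are handled: a forged origin record that points back into the chain, and an endless chain, both of which would otherwise make the analyser loop forever.

```python
from typing import Dict, List, Optional, Set, Tuple


class NetworkEntity:
    """A node that remembers, per communication id, which neighbour handed it the message."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._received_from: Dict[str, str] = {}

    def record_receipt(self, comm_id: str, from_entity: str) -> None:
        self._received_from[comm_id] = from_entity

    def origin_info(self, comm_id: str) -> Optional[str]:
        # Reply to the analyser's "who did you get this from?" instruction.
        # None means this entity has no predecessor on record: it originated the message.
        return self._received_from.get(comm_id)


class SecurityAnalyser:
    def __init__(self, entities: Dict[str, NetworkEntity], max_hops: int = 32) -> None:
        self.entities = entities
        self.max_hops = max_hops
        self.blocked: Set[str] = set()

    def trace_to_source(self, first_entity: str, comm_id: str) -> Tuple[str, List[str]]:
        """Walk backwards one hop at a time until an entity with no predecessor is found."""
        path = [first_entity]
        current = first_entity
        for _ in range(self.max_hops):
            previous = self.entities[current].origin_info(comm_id)
            if previous is None:
                return current, path
            if previous in path:
                # A forged or corrupted origin record could send us round in circles.
                raise ValueError(f"origin chain loops back to {previous}: {path}")
            if previous not in self.entities:
                raise ValueError(f"{current} names unknown predecessor {previous}")
            path.append(previous)
            current = previous
        raise ValueError(f"no source found within {self.max_hops} hops")

    def handle_anomaly(self, first_entity: str, comm_id: str) -> str:
        """Trace the anomalous communication and apply the policy (here: block) to its source."""
        source, _ = self.trace_to_source(first_entity, comm_id)
        self.blocked.add(source)
        return source


def build_sample_network() -> Dict[str, NetworkEntity]:
    # Constructed topology: anomalous communication m1 travels src -> r1 -> r2 -> edge,
    # and the analyser first sees it arriving from edge.
    ents = {n: NetworkEntity(n) for n in ("src", "r1", "r2", "edge")}
    ents["r1"].record_receipt("m1", "src")
    ents["r2"].record_receipt("m1", "r1")
    ents["edge"].record_receipt("m1", "r2")
    return ents


if __name__ == "__main__":
    analyser = SecurityAnalyser(build_sample_network())
    print(analyser.trace_to_source("edge", "m1"))  # ('src', ['edge', 'r2', 'r1', 'src'])
```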
PREDICTING AND PREVENTING AN ATTACKER'S NEXT ACTIONS IN A BREACHED NETWORK
A method for cyber security, including: detecting, by a decoy management server, a breach by an attacker of a specific resource within a network of resources in which users access the resources based on credentials, wherein each resource has a Domain Name System (DNS) record stored on a DNS server; changing, by the decoy management server, the DNS record for the breached resource on the DNS server in response to the detecting; predicting, by the decoy management server, which credentials are compromised, based on credentials stored on the breached resource; and changing, by the decoy management server, those credentials that were predicted to be compromised, in response to the predicting.
ANTI-LEECH METHOD AND SYSTEM
Disclosed is a hotlinking protection method and an electronic device. The method includes: acquiring characteristic information from an access request; generating a digital watermark based on the characteristic information and adding it to the URL of the file to be played, to generate a play page address; counting the number of accesses to the play page address carrying the digital watermark within a certain period; comparing the number of accesses with a predetermined threshold to screen out play page addresses whose number of accesses exceeds the threshold; parsing the digital watermark in those play page addresses to determine the IP address of the hotlinking user; and blocking that IP address from the access service. More thorough hotlinking protection can be realized and the accuracy of hotlinking protection improved.
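An added example of the watermark-count-parse-block pipeline (not code from the patent or its applicant). The characteristic information is taken to be the requester's IP address plus an issue time; the watermark is that data authenticated with a truncated HMAC under a hypothetical server secret, so a hotlinker cannot mint a watermark that names someone else's address. The window, threshold, secret and sample addresses are all assumptions. A hotlinking page embeds one watermarked play address and every visitor of that page hits the same address, which is what pushes its count over the threshold while a genuine viewer's own address stays below it.

```python
import base64
import hashlib
import hmac
from collections import defaultdict, deque
from typing import Deque, Dict, Optional, Set

# Hypothetical server-side secret used to authenticate watermarks.
WATERMARK_SECRET = b"example-hotlink-secret"


def make_watermark(client_ip: str, issued_at: int, secret: bytes = WATERMARK_SECRET) -> str:
    """Encode the requester's IP and issue time, authenticated with a truncated HMAC."""
    body = f"{client_ip}|{issued_at}".encode()
    tag = hmac.new(secret, body, hashlib.sha256).digest()[:8]
    return base64.urlsafe_b64encode(body + b"|" + tag).decode().rstrip("=")


def parse_watermark(wm: str, secret: bytes = WATERMARK_SECRET) -> Optional[str]:
    """Return the embedded client IP, or None if the watermark is malformed or forged."""
    try:
        raw = base64.urlsafe_b64decode(wm + "=" * (-len(wm) % 4))
        body, tag = raw.rsplit(b"|", 1)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(secret, body, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(expected, tag):
        return None
    return body.split(b"|", 1)[0].decode()


def build_play_url(file_url: str, client_ip: str, issued_at: int) -> str:
    """Play page address: the file URL with the per-request watermark appended."""
    return f"{file_url}?wm={make_watermark(client_ip, issued_at)}"


class HotlinkMonitor:
    def __init__(self, window_seconds: int, threshold: int) -> None:
        self.window = window_seconds
        self.threshold = threshold
        self._hits: Dict[str, Deque[int]] = defaultdict(deque)
        self.blocked_ips: Set[str] = set()

    def record_access(self, play_url: str, now: int) -> None:
        hits = self._hits[play_url]
        hits.append(now)
        while hits and now - hits[0] > self.window:
            hits.popleft()

    def sweep(self, now: int) -> Set[str]:
        """Block the IPs behind play addresses accessed more than threshold times in the window."""
        newly_blocked: Set[str] = set()
        for url, hits in self._hits.items():
            while hits and now - hits[0] > self.window:
                hits.popleft()
            if len(hits) > self.threshold:
                wm = url.split("?wm=", 1)[1] if "?wm=" in url else ""
                ip = parse_watermark(wm)
                if ip is not None and ip not in self.blocked_ips:
                    self.blocked_ips.add(ip)
                    newly_blocked.add(ip)
        return newly_blocked

    def is_allowed(self, client_ip: str) -> bool:
        return client_ip not in self.blocked_ips


def demo() -> Set[str]:
    mon = HotlinkMonitor(window_seconds=60, threshold=10)
    t0 = 1_700_000_000
    # Constructed traffic: a normal viewer reloads their own page 3 times; a hotlinking
    # site embeds the address it was issued and 50 of its visitors fetch it.
    normal = build_play_url("https://video.example/v/42.m3u8", "198.51.100.7", t0)
    leech = build_play_url("https://video.example/v/42.m3u8", "203.0.113.9", t0)
    for i in range(3):
        mon.record_access(normal, t0 + i)
    for i in range(50):
        mon.record_access(leech, t0 + i)
    return mon.sweep(t0 + 55)


if __name__ == "__main__":
    print(demo())  # {'203.0.113.9'}
```

The count is keyed on the full play address, so the watermark must be bound to the request (IP and issue time here) rather than to the file alone; otherwise every viewer of a popular file would share one address and the threshold would trip on legitimate traffic.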
Network accountability among autonomous systems
In one kind of DoS attack, malicious customers may try to send a large number of filter requests against an innocent customer. In one implementation, a Filter Request Server (FRS) may allow a customer against whom a filter request is made to dispute the implicit accusation of the filter request or to stop sending malicious traffic. If the customer claims innocence, the FRS may log the destination addresses of data packets sent by that customer and identify and ignore false filter requests if these filter requests come from customers who do not correspond to one or more of the destination addresses previously logged by the FRS.
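An added example of the dispute check above (not code from the patent or its applicant). The FRS records the destinations each customer actually sends to; when an accused customer disputes a filter request, the request is honoured only if the requester appears among those logged destinations. Customer names and the return strings are assumptions for the example.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple


class FilterRequestServer:
    """Installs traffic filters on request, but checks disputed requests against logged destinations."""

    def __init__(self) -> None:
        self._destinations: Dict[str, Set[str]] = defaultdict(set)  # sender -> destinations seen
        self.filters: Set[Tuple[str, str]] = set()                   # (accused, requester) pairs installed
        self.ignored: List[Tuple[str, str]] = []                     # (requester, accused) pairs dropped

    def log_packet(self, src: str, dst: str) -> None:
        # Only destination addresses are needed to adjudicate a dispute.
        self._destinations[src].add(dst)

    def filter_request(self, requester: str, accused: str, accused_disputes: bool) -> str:
        if not accused_disputes:
            # No dispute: the accused accepts the filter (or has agreed to stop sending).
            self.filters.add((accused, requester))
            return "installed"
        # The accused claims innocence: honour the request only if the accused has
        # actually been sending traffic to the requester.
        if requester in self._destinations.get(accused, set()):
            self.filters.add((accused, requester))
            return "installed"
        self.ignored.append((requester, accused))
        return "ignored"


def demo() -> Dict[str, int]:
    frs = FilterRequestServer()
    # Constructed traffic log: cust-A only ever sends to cust-B.
    for _ in range(5):
        frs.log_packet("cust-A", "cust-B")
    cust_a_disputes = True
    results = [frs.filter_request("cust-B", "cust-A", cust_a_disputes)]
    # Three colluding customers that never received anything from cust-A
    # flood the FRS with filter requests against it.
    for attacker in ("cust-X", "cust-Y", "cust-Z"):
        results.append(frs.filter_request(attacker, "cust-A", cust_a_disputes))
    return {"installed": results.count("installed"), "ignored": results.count("ignored")}


if __name__ == "__main__":
    print(demo())  # {'installed': 1, 'ignored': 3}
```

The check only works if the FRS has been logging before the dispute is raised, and it does nothing against a requester that first receives a little genuine traffic from the accused; a production FRS would also rate-limit requests per requester.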
Advanced persistent threat detection
A variety of techniques are disclosed for detection of advanced persistent threats and similar malware. In one aspect, the detection of certain network traffic at a gateway is used to trigger a query of an originating endpoint, which can use internal logs to identify a local process that is sourcing the network traffic. In another aspect, an endpoint is configured to periodically generate and transmit a secure heartbeat, so that an interruption of the heartbeat can be used to signal the possible presence of malware. In another aspect, other information such as local and global reputation information is used to provide context for more accurate malware detection.
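An added example (not code from the patent or its applicant) of the first two aspects: correlating a gateway flow record with the originating endpoint's socket log to name the process behind it, and an authenticated heartbeat whose interruption, forgery or replay is detected by a monitor. Record layouts, the heartbeat format, the shared key, the interval and the sample process names are all assumptions. The socket log deliberately reuses a source port so the lookup has to respect open/close times rather than match on port alone.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical key shared by the endpoint agent and the heartbeat monitor.
HEARTBEAT_SECRET = b"example-heartbeat-secret"


@dataclass(frozen=True)
class FlowRecord:            # what the gateway observes
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ts: int


@dataclass(frozen=True)
class SocketRecord:          # what the endpoint's local socket log records
    local_port: int
    pid: int
    process: str
    opened_at: int
    closed_at: Optional[int]  # None = still open


def attribute_flow(flow: FlowRecord, endpoint_log: List[SocketRecord]) -> Optional[SocketRecord]:
    """Answer the gateway's query: which local process owned the source port when the flow was seen?"""
    candidates = [s for s in endpoint_log
                  if s.local_port == flow.src_port
                  and s.opened_at <= flow.ts
                  and (s.closed_at is None or flow.ts <= s.closed_at)]
    # Ports get reused; the most recently opened matching socket is the owner.
    return max(candidates, key=lambda s: s.opened_at) if candidates else None


def make_heartbeat(endpoint_id: str, seq: int, secret: bytes = HEARTBEAT_SECRET) -> bytes:
    """Endpoint side: 'id:seq:hmac' (endpoint ids are assumed not to contain ':')."""
    msg = f"{endpoint_id}:{seq}".encode()
    return msg + b":" + hmac.new(secret, msg, hashlib.sha256).hexdigest().encode()


class HeartbeatMonitor:
    def __init__(self, interval: int, missed_allowed: int = 2) -> None:
        self.interval = interval
        self.missed_allowed = missed_allowed
        self.last_seen: Dict[str, int] = {}
        self.last_seq: Dict[str, int] = {}

    def receive(self, beat: bytes, now: int, secret: bytes = HEARTBEAT_SECRET) -> bool:
        try:
            endpoint_id, seq_s, tag = beat.decode().split(":")
            seq = int(seq_s)
        except ValueError:
            return False
        msg = f"{endpoint_id}:{seq}".encode()
        if not hmac.compare_digest(hmac.new(secret, msg, hashlib.sha256).hexdigest(), tag):
            return False  # forged: malware cannot fake liveness without the key
        if seq <= self.last_seq.get(endpoint_id, -1):
            return False  # replayed: an old captured beat does not refresh liveness
        self.last_seq[endpoint_id] = seq
        self.last_seen[endpoint_id] = now
        return True

    def silent_endpoints(self, now: int) -> List[str]:
        """Endpoints whose heartbeat has been interrupted for more than the allowed misses."""
        return sorted(e for e, t in self.last_seen.items()
                      if now - t > self.interval * self.missed_allowed)


def demo() -> dict:
    t0 = 1_700_000_000
    # Constructed endpoint socket log: a browser used port 51000 earlier; the port was
    # later reused by an unknown binary that opened the connection the gateway flagged.
    endpoint_log = [
        SocketRecord(51000, 4120, "firefox.exe", t0 - 600, t0 - 300),
        SocketRecord(51000, 6677, "unknown-updater.exe", t0 - 20, None),
        SocketRecord(51001, 4120, "firefox.exe", t0 - 10, None),
    ]
    flow = FlowRecord("10.0.0.5", 51000, "203.0.113.77", 443, t0)
    owner = attribute_flow(flow, endpoint_log)

    mon = HeartbeatMonitor(interval=60)
    mon.receive(make_heartbeat("host-a", 1), t0)
    mon.receive(make_heartbeat("host-b", 1), t0)
    mon.receive(make_heartbeat("host-a", 2), t0 + 60)   # host-b falls silent
    forged = mon.receive(b"host-b:2:0000", t0 + 60)     # bad tag, rejected
    return {"process": owner.process if owner else None,
            "silent": mon.silent_endpoints(t0 + 130),
            "forged_accepted": forged}


if __name__ == "__main__":
    print(demo())  # {'process': 'unknown-updater.exe', 'silent': ['host-b'], 'forged_accepted': False}
```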
ZERO DAY THREAT DETECTION USING HOST APPLICATION/PROGRAM TO USER AGENT MAPPING
A technique allows associating host applications and user agents in network traffic and detecting possible malware without relying on signatures of the user agents. A database of host applications and user agents is maintained, allowing automatic update of the database when a new application or new application to user agent mapping is discovered. Partial matches may be made when a change is made to the application, allowing learning the new mapping automatically. If an application is associated with more than a threshold number of user agents, an indication may be generated that the application is suspicious and possibly malware.
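An added example (not code from the patent or its applicant) of the application-to-user-agent mapping with automatic learning, partial matching and a suspicion threshold. Partial matching is modelled here as version-insensitive comparison of the product tokens in a user agent string (so "Chrome/120" and "Chrome/121" are one family), and the threshold counts distinct families rather than raw strings so a routine browser update cannot trip it. The threshold value, the status strings, the application names and the user agent strings are assumptions for the example.

```python
import re
from collections import defaultdict
from typing import Dict, FrozenSet, List, Set

# Product tokens of the form Name/Version, e.g. "Chrome/120.0.0.0" -> "Chrome".
_PRODUCT = re.compile(r"([A-Za-z][A-Za-z0-9._-]*)/[0-9][0-9.]*")


def ua_family(user_agent: str) -> FrozenSet[str]:
    """Version-insensitive identity of a user agent string."""
    names = frozenset(m.group(1) for m in _PRODUCT.finditer(user_agent))
    # A string with no product tokens is its own family.
    return names or frozenset({user_agent})


class AppUserAgentMapper:
    def __init__(self, threshold: int = 4) -> None:
        self.threshold = threshold
        # app -> family -> exact user agent strings seen for that family
        self.mapping: Dict[str, Dict[FrozenSet[str], Set[str]]] = defaultdict(lambda: defaultdict(set))
        self.suspicious: Set[str] = set()

    def observe(self, app: str, user_agent: str) -> str:
        fam = ua_family(user_agent)
        families = self.mapping[app]
        if fam in families:
            # Exact string already mapped, or a partial match (same products, new version):
            # learn the new string without counting it as a new user agent.
            status = "known" if user_agent in families[fam] else "version_update"
        else:
            status = "new_mapping"
        families[fam].add(user_agent)
        if len(families) > self.threshold:
            # One binary presenting as many unrelated clients is how a lot of
            # malware blends into HTTP traffic; flag it without any signature.
            self.suspicious.add(app)
            status = "suspicious"
        return status

    def families_for(self, app: str) -> int:
        return len(self.mapping.get(app, {}))


def demo() -> dict:
    m = AppUserAgentMapper(threshold=3)
    chrome_ua = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
    chrome: List[str] = [
        m.observe("chrome.exe", chrome_ua),
        m.observe("chrome.exe", chrome_ua),
        m.observe("chrome.exe", chrome_ua.replace("Chrome/120.0.0.0", "Chrome/121.0.0.0")),
    ]
    # Constructed: a process that impersonates a different client on every request.
    fake_uas = ["curl/8.4.0", "Wget/1.21", "python-requests/2.31", "Go-http-client/1.1"]
    helper = [m.observe("update_helper.exe", ua) for ua in fake_uas]
    return {"chrome": chrome, "helper": helper, "suspicious": sorted(m.suspicious)}


if __name__ == "__main__":
    print(demo())
```

The family abstraction is deliberately coarse: it treats two user agents as the same client if they advertise the same set of products, which is what lets a version bump be learned automatically, but it also means a malicious process that copies the host browser's exact product set is not caught by this check alone.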