H04L2463/146

Method And System For Tracking Machines On A Network Using Fuzzy Guid Technology
20170250983 · 2017-08-31

A method for querying a knowledge base of malicious hosts numbered from 1 through N. The method includes providing a network of computers, which has a plurality of unknown malicious host machines. In a specific embodiment, the malicious host machines are disposed throughout the network of computers, which includes a worldwide network of computers, e.g., the Internet. The method includes querying a knowledge base including a plurality of known malicious hosts, which are numbered from 1 through N, where N is an integer greater than 1. In a preferred embodiment, the knowledge base is coupled to the network of computers. The method includes receiving first information associated with an unknown host from the network, identifying the unknown host, and querying the knowledge base to determine whether the unknown host is one of the known malicious hosts in the knowledge base. The method also includes outputting second information associated with the unknown host based upon the querying process.

A TELECOMMUNICATIONS DEFENCE SYSTEM
20170250999 · 2017-08-31

A telecommunications defence system comprises: at least one shield server; at least one target server arranged to be in communication with the shield server and with a client telecommunications system, via a telecommunications network. The target server is provided in a geographical location of the telecommunications network that is nearer the client telecommunications system than the shield server. The telecommunications defence system further comprises an attack detection application, a communication application and a shielding application. The attack detection application detects an attack aimed at the client telecommunications system via the telecommunications network and generates an identification signal indicative of the source of the attack. The communication application transmits the identification signal to the shield server. The shielding application causes the shield server to generate a shield signal in response to the transmitted identification signal, to provide at least one shield operative to shield the client telecommunications system from the attack identified.

SYSTEMS AND METHODS OF PREVENTING INFECTION OR DATA LEAKAGE FROM CONTACT WITH A MALICIOUS HOST SYSTEM
20170250998 · 2017-08-31

Methods and systems are described for the detection of malicious host systems in real time using techniques that are computationally efficient, and that minimize delays or interruptions to the flow of network transmissions. The methods and systems include using a Bloom filter to efficiently determine that a host name requested by a user device is not on a list of known malicious hosts. However, because the Bloom filter may also ambiguously determine that the requested host name may be on the list of host names for which communication is prohibited, an SQL table storing the list of prohibited host names is referenced to resolve any ambiguous determinations of the Bloom filter.

IMPACT RANGE ESTIMATION APPARATUS, IMPACT RANGE ESTIMATION METHOD, AND COMPUTER-READABLE RECORDING MEDIUM
20220038467 · 2022-02-03

An impact range estimation apparatus 10 estimates the range of impact due to infection by malware in a network system with a plurality of nodes. The impact range estimation apparatus 10 includes: a reverse propagation probability calculation unit 11 configured to, when a specific node is infected with the malware, calculate for each node other than the specific node a probability that the malware propagates from that other node to the specific node, based on scenario information that specifies a pattern of attack by the malware and on a communications log of the network system from before infection by the malware; and a simulation execution unit 12 configured to, using the calculated probabilities, execute a plurality of times a simulation in which the malware is propagated to the specific node, and to calculate, for each other node, the number of times that node becomes a propagation source of the malware.

WIRELESS-NETWORK ATTACK DETECTION
20220038904 · 2022-02-03

In some examples, a terminal can establish wireless communication with a base station. The terminal can determine a challenge, transmit the challenge, receive a response, and determine that the response is valid. The terminal can, in response, establish a secure network tunnel to a network node. In some examples, a terminal can determine a first communication parameter associated with communication with the base station. The terminal can receive data indicating a second communication parameter via a secure network tunnel. The terminal can determine that the communication parameters do not match, and, in response, provide an indication that an attack is under way against the network terminal. Some example terminals transmit a challenge, determine a response status associated with the challenge, and determine that an attack is under way based on the response status.

Differential dependency tracking for attack forensics

Methods and systems for intrusion attack recovery include monitoring two or more hosts in a network to generate audit logs of system events. One or more dependency graphs (DGraphs) are generated based on the audit logs. A relevancy score for each edge of the DGraphs is determined. Irrelevant events are pruned from the DGraphs to generate a condensed backtracking graph. An origin is located by backtracking from an attack detection point in the condensed backtracking graph.

Method and apparatus for tracing attack source of abnormal network traffic

The present invention provides a method and an apparatus for tracing an attack source in the case of abnormal network traffic. The method comprises: selecting any one or more of the network nodes of an attack link as tracing start point(s), where the attack link is a communication link between an attacked target and an attack source; and, starting from the tracing start point(s), identifying a higher-level network node of the attack link stepwise until the final attack source is confirmed. By adopting the technical solution provided by the present invention, the problem that the network security mechanisms in related technologies can only alleviate a network attack rather than locate the attack source is solved, so that the attack source can be traced and located in the reverse direction.

SYSTEM AND METHOD FOR DETECTING MALICIOUS CODE USING VISUALIZATION
20170272454 · 2017-09-21

Disclosed are a system and a method for detecting malicious code using visualization, in order to allow a user to intuitively detect the behavior of client terminals infected with malicious code. The system for detecting malicious code using visualization includes a data collection module which collects DNS packets, a parameter extraction module which extracts parameters for visualization from the collected DNS packets, a data loading module which loads the extracted parameters, a blacklist management module which manages blacklisted domains, a filter module which filters unnecessary data from the loaded data, and a visualization generation module which generates visualization patterns using the extracted parameters.

Information processing apparatus, information processing system, information processing method, and computer program

An analysis ECU acquires information related to a first flow and information related to a second flow, the first flow and the second flow organizing packets transferred in a monitored system into respective groups. The analysis ECU acquires information related to a conversion that takes the first flow as input and the second flow as output. The analysis ECU acknowledges alert information generated in the monitored system and including information capable of identifying at least one flow. The analysis ECU generates, when the second flow is identified by the alert information, route information that includes at least one of the information related to the conversion and the information related to the first flow associated with the second flow in the information related to the conversion.

Method and apparatus for improving network security
09762594 · 2017-09-12

A method and an apparatus for improving network security are provided. The method includes: obtaining, by a control node, alarm information, where the alarm information includes address information of an attack source that attacks a subnet of at least two subnets and identification information of the attacked subnet of the at least two subnets; using, by the control node, the alarm information to sort the attack sources in descending order of threat level, and using the sorting result as a blacklist; and sending, by the control node, the obtained blacklist to at least one subnet in the network system that has not yet been attacked. The method and apparatus are applicable to collaborative defense among multiple subnets.