Patent classifications
H04L2463/146
Phishing protection using cloning detection
Techniques for phishing protection using cloning detection are described herein. The techniques described herein can include a server which hosts a website detecting that a fetcher is a cloning toolkit or an entity known for using a cloning toolkit. The techniques can also include a server which hosts a downloadable application (such as a mobile application) detecting that a fetcher for the application is a cloning toolkit or an entity known for using a cloning toolkit. The detection can be done in several ways, such as by analyzing data logs for patterns associated with cloning toolkits or entities known for using cloning toolkits. The techniques described herein can also include a part of an end user device (such as a part of a mobile device) detecting a clone (such as a clone website or application) that was cloned by a cloning toolkit. Then, upon detection, security actions can be taken.
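A server-side log check in the spirit of the abstract above, added here as an example; it is not code from the patent or from any product. The combined-log format, the toolkit user-agent list, the "sub-resources fetched with no Referer" and "whole asset tree in a couple of seconds" patterns, the two-reason verdict rule and the sample log lines are all assumptions constructed for illustration.

```python
"""Flag site-cloning fetchers from web-server access logs.

Added example; not the patent's implementation or any vendor's product.
The log format, toolkit user-agent list, behavioural patterns and the
sample lines are assumptions constructed for illustration.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime

# Assumed: user-agent fragments of common site-mirroring tools.
KNOWN_CLONING_AGENTS = ("httrack", "wget", "sitesucker", "webcopier")
ASSET_EXT = (".css", ".js", ".png", ".svg", ".woff2", ".ico")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> dict | None:
    """Parse one combined-log-format line; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
    return entry


def classify_fetcher(entries: list[dict]) -> dict:
    """Score one client's requests (sorted by time) for cloning-toolkit behaviour."""
    reasons = []
    ua = entries[0]["ua"].lower()
    if any(tag in ua for tag in KNOWN_CLONING_AGENTS):
        reasons.append("known cloning toolkit user-agent")
    # A browser sends the page URL as Referer when it loads sub-resources;
    # mirroring tools typically fetch them with no Referer at all.
    assets = [e for e in entries if e["path"].endswith(ASSET_EXT)]
    if assets and all(e["referer"] in ("", "-") for e in assets):
        reasons.append("asset requests without Referer")
    # A toolkit pulls the page and its whole asset tree at machine speed.
    if len(entries) >= 5:
        span = (entries[-1]["ts"] - entries[0]["ts"]).total_seconds()
        if span <= 2:
            reasons.append(f"{len(entries)} requests within {span:.0f}s")
    return {"ip": entries[0]["ip"], "is_cloner": len(reasons) >= 2, "reasons": reasons}


def detect_cloners(log_lines: list[str]) -> list[dict]:
    """Group requests by client IP and return the verdicts that look like cloning."""
    by_ip: dict[str, list[dict]] = defaultdict(list)
    for line in log_lines:
        entry = parse_line(line)
        if entry:
            by_ip[entry["ip"]].append(entry)
    verdicts = [classify_fetcher(sorted(v, key=lambda e: e["ts"])) for v in by_ip.values()]
    return [v for v in verdicts if v["is_cloner"]]


BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/123.0"
TOOLKIT_UA = "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)"

# Constructed sample: one human visit, then a mirroring tool copying the login page.
SAMPLE_LOG = [
    f'203.0.113.5 - - [10/Mar/2024:12:00:00 +0000] "GET /login HTTP/1.1" 200 5120 "-" "{BROWSER_UA}"',
    f'203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET /static/app.css HTTP/1.1" 200 810 "https://bank.example/login" "{BROWSER_UA}"',
    f'203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET /static/app.js HTTP/1.1" 200 940 "https://bank.example/login" "{BROWSER_UA}"',
    f'203.0.113.5 - - [10/Mar/2024:12:00:03 +0000] "GET /static/logo.svg HTTP/1.1" 200 300 "https://bank.example/login" "{BROWSER_UA}"',
    f'198.51.100.9 - - [10/Mar/2024:12:05:00 +0000] "GET /login HTTP/1.1" 200 5120 "-" "{TOOLKIT_UA}"',
    f'198.51.100.9 - - [10/Mar/2024:12:05:00 +0000] "GET /static/app.css HTTP/1.1" 200 810 "-" "{TOOLKIT_UA}"',
    f'198.51.100.9 - - [10/Mar/2024:12:05:00 +0000] "GET /static/app.js HTTP/1.1" 200 940 "-" "{TOOLKIT_UA}"',
    f'198.51.100.9 - - [10/Mar/2024:12:05:01 +0000] "GET /static/logo.svg HTTP/1.1" 200 300 "-" "{TOOLKIT_UA}"',
    f'198.51.100.9 - - [10/Mar/2024:12:05:01 +0000] "GET /static/font.woff2 HTTP/1.1" 200 22000 "-" "{TOOLKIT_UA}"',
    f'198.51.100.9 - - [10/Mar/2024:12:05:01 +0000] "GET /favicon.ico HTTP/1.1" 200 1150 "-" "{TOOLKIT_UA}"',
]

if __name__ == "__main__":
    for verdict in detect_cloners(SAMPLE_LOG):
        print(verdict)
```

Requiring two independent reasons keeps a single signal (a spoofed user-agent, or a privacy extension that strips Referer) from producing a block on its own; the security action taken on a verdict is left to the caller.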
SYSTEMS AND METHODS FOR POLLUTING PHISHING CAMPAIGN RESPONSES
Techniques are described for polluting phishing campaign responses with content that includes fake sensitive information of the type being sought in the phishing messages. Embodiments disclosed herein identify phishing messages that are designed to fraudulently obtain sensitive information. Rather than simply quarantining these phishing messages from users' accounts to prevent users from providing "real" sensitive information, embodiments disclosed herein analyze these phishing messages to determine what type(s) of information is being sought and then respond to these phishing messages with "fake" sensitive information of those type(s). For example, if a phishing message is seeking sensitive credit card and/or bank account information, fake information of those type(s) may be generated and sent in response to the phishing message. In various implementations, a natural language processing (NLP) model may be used to analyze the phishing message and/or generate a response to it.
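A minimal responder of the kind the abstract describes, added as an example that is not the patent's implementation. Where the abstract mentions an NLP model, this example substitutes a keyword/regex classifier (an assumption), and it makes the fake data pass the attacker's first sanity check by producing Luhn-valid card numbers from a test-range IIN and routing numbers that satisfy the ABA checksum. The cue patterns, the generators and the sample messages are constructed here.

```python
"""Answer a phishing message with plausible but fake sensitive data.

Added example; not the patent's implementation. The keyword classifier
stands in for the NLP model mentioned in the abstract; cues, generators
and sample messages are assumptions constructed for illustration.
"""
import random
import re

# Assumed cue patterns for each type of information a phisher may ask for.
CUES = {
    "credit_card": re.compile(r"\b(credit card|card number|cvv|expir)", re.I),
    "bank_account": re.compile(r"\b(bank account|account number|routing|iban|sort code)", re.I),
    "password": re.compile(r"\b(password|passcode|verify your (login|account))", re.I),
}
TEST_IIN = "411111"  # assumed test-range prefix so fake PANs never belong to a real issuer


def info_types_sought(message: str) -> list[str]:
    return [name for name, rx in CUES.items() if rx.search(message)]


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # the digit next to the check digit is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def aba_valid(routing: str) -> bool:
    d = [int(c) for c in routing]
    return len(d) == 9 and (3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])) % 10 == 0


def fake_card(rng: random.Random) -> dict:
    partial = TEST_IIN + "".join(str(rng.randrange(10)) for _ in range(9))
    return {"number": partial + luhn_check_digit(partial),
            "expiry": f"{rng.randrange(1, 13):02d}/{rng.randrange(25, 29)}",
            "cvv": f"{rng.randrange(1000):03d}"}


def fake_bank_account(rng: random.Random) -> dict:
    d = [rng.randrange(10) for _ in range(8)]
    rest = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5])
    return {"routing": "".join(map(str, d)) + str((-rest) % 10),   # ninth digit closes the ABA checksum
            "account": "".join(str(rng.randrange(10)) for _ in range(10))}


def fake_password(rng: random.Random) -> dict:
    alphabet = "abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"
    return {"password": "".join(rng.choice(alphabet) for _ in range(12))}


GENERATORS = {"credit_card": fake_card, "bank_account": fake_bank_account, "password": fake_password}


def generate_response(message: str, seed: int = 0) -> dict:
    """Work out what the message asks for and build a reply carrying fake values of that type."""
    rng = random.Random(seed)                 # seeded so a run can be reproduced and the fakes logged
    types = info_types_sought(message)
    fake = {t: GENERATORS[t](rng) for t in types}
    body = "\n".join(", ".join(f"{k}: {v}" for k, v in fields.items()) for fields in fake.values())
    reply = "Sorry for the delay, here is what you asked for:\n" + body if fake else ""
    return {"types": types, "fake": fake, "reply": reply}
```

Keeping the generated fakes (the returned `fake` dict) in a ledger is what turns pollution into detection: a later login or card transaction that presents one of these values identifies the phisher's infrastructure, much as the honey-credential entry below describes for credentials.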
Dynamic aggregation of information based on web application layer requests
A method by a web application layer proxy for dynamically creating counters during runtime based on actual web application layer requests received by the web application layer proxy. The method includes installing a counting rule in the web application layer proxy, where the counting rule specifies a set of parameters based upon which to create counters, receiving a web application layer request generated by a web application client that is intended for a web application server, determining a set of parameter values associated with the web application layer request that corresponds to the set of parameters specified by the counting rule, and creating a counter associated with the set of parameter values associated with the web application layer request in response to a determination that a counter associated with the set of parameter values associated with the web application layer request does not exist.
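The counting-rule mechanism from the abstract above, written out as an added example that is not the patent's or any product's code. The rule format (a parameter list, an optional match filter, an optional alert threshold), the dotted field lookup, the request dictionary shape and the sample traffic are assumptions constructed here.

```python
"""Dynamic counters created at runtime from a counting rule, WAF-proxy style.

Added example, not the patent's or any product's code. Rule format,
request shape and sample traffic are assumptions constructed here.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class CountingRule:
    name: str
    parameters: tuple[str, ...]                          # one counter per distinct tuple of these values
    match: dict[str, str] = field(default_factory=dict)  # only count requests whose fields equal these
    threshold: int | None = None                         # emit an alert when a counter reaches this


def extract(request: dict, param: str):
    """Dotted lookup into the request dict, e.g. 'headers.User-Agent'; None if absent."""
    value = request
    for part in param.split("."):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value


class WebAppLayerProxy:
    def __init__(self) -> None:
        self.rules: list[CountingRule] = []
        self.counters: dict[str, dict[tuple, int]] = {}

    def install_rule(self, rule: CountingRule) -> None:
        self.rules.append(rule)
        self.counters[rule.name] = {}         # no counters yet; they appear as traffic arrives

    def handle_request(self, request: dict) -> list[str]:
        """Inline hook on the client-to-server path; returns any threshold alerts."""
        alerts = []
        for rule in self.rules:
            if any(extract(request, k) != v for k, v in rule.match.items()):
                continue
            key = tuple(extract(request, p) for p in rule.parameters)
            if any(v is None for v in key):
                continue                       # request lacks a parameter the rule keys on
            table = self.counters[rule.name]
            if key not in table:
                table[key] = 0                 # counter created on first sight of this value tuple
            table[key] += 1
            if rule.threshold is not None and table[key] == rule.threshold:
                alerts.append(f"{rule.name}: {dict(zip(rule.parameters, key))} reached {rule.threshold}")
        return alerts


# Constructed sample: a scripted client hammering /login and one ordinary browser session.
SAMPLE_REQUESTS = [
    {"client_ip": "198.51.100.7", "method": "POST", "path": "/login",
     "headers": {"User-Agent": "python-requests/2.31"}}
] * 12 + [
    {"client_ip": "203.0.113.4", "method": "GET", "path": "/", "headers": {"User-Agent": "Mozilla/5.0"}},
    {"client_ip": "203.0.113.4", "method": "POST", "path": "/login", "headers": {"User-Agent": "Mozilla/5.0"}},
    {"client_ip": "203.0.113.4", "method": "GET", "path": "/account", "headers": {}},
]


def run_sample() -> tuple[WebAppLayerProxy, list[str]]:
    proxy = WebAppLayerProxy()
    proxy.install_rule(CountingRule("login_posts_per_ip", ("client_ip",),
                                    match={"method": "POST", "path": "/login"}, threshold=10))
    proxy.install_rule(CountingRule("requests_per_ip_and_ua", ("client_ip", "headers.User-Agent")))
    alerts: list[str] = []
    for req in SAMPLE_REQUESTS:
        alerts += proxy.handle_request(req)
    return proxy, alerts


if __name__ == "__main__":
    proxy, alerts = run_sample()
    print(proxy.counters)
    print(alerts)
```

Because counters are keyed on values seen in real traffic, the table grows with attacker-controlled input; a production proxy would bound it (per-rule cardinality limits or expiry of idle counters), which this example omits.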
Impact range estimation apparatus, impact range estimation method, and computer-readable recording medium
An impact range estimation apparatus 10 estimates the range of impact of a malware infection in a network system with a plurality of nodes. The impact range estimation apparatus 10 includes: a reverse propagation probability calculation unit 11 configured to, when a specific node is infected with the malware, calculate for each node other than the specific node a probability that the malware propagated from that other node to the specific node, based on scenario information that specifies the malware's pattern of attack and on a communications log of the network system from before the infection; and a simulation execution unit 12 configured to execute, a plurality of times and using the calculated probabilities, a simulation in which the malware is propagated to the specific node, and to calculate for each other node the number of times that node becomes the propagation source of the malware.
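The two units from the abstract above, reverse-propagation probability estimation and repeated simulation, as an added example that is not the patented apparatus. The flow-log record shape, the scenario format (the protocol/port pairs the malware spreads over), the estimator (each node's share of scenario-matching pre-infection flows into the infected node) and the log itself are assumptions constructed for illustration.

```python
"""Reverse-propagation probabilities and Monte Carlo ranking of likely infection sources.

Added example; not the apparatus in the patent. Flow-log shape, scenario
format and the estimator are assumptions; the log is constructed.
"""
import random
from collections import Counter, defaultdict

# Constructed pre-infection communications log: (src, dst, proto, dst_port, flow_count)
FLOW_LOG = [
    ("ws-01", "file-01", "tcp", 445, 120),
    ("ws-02", "file-01", "tcp", 445, 30),
    ("ws-02", "file-01", "tcp", 443, 900),   # HTTPS, outside the attack scenario
    ("ws-03", "file-01", "tcp", 3389, 10),
    ("file-01", "ws-01", "tcp", 445, 5),
    ("ws-03", "ws-01", "tcp", 445, 4),
]

# Constructed scenario: a worm that moves laterally over SMB and RDP.
SCENARIO = {("tcp", 445), ("tcp", 3389)}


def reverse_propagation_probabilities(target, flow_log, scenario):
    """P(target was infected from node n), for each n != target, from scenario-matching inbound flows."""
    inbound = defaultdict(int)
    for src, dst, proto, port, count in flow_log:
        if dst == target and src != target and (proto, port) in scenario:
            inbound[src] += count
    total = sum(inbound.values())
    return {src: c / total for src, c in inbound.items()} if total else {}


def simulate_sources(probs, runs, seed=0):
    """Run the propagation-to-target event `runs` times; count how often each node is the source."""
    rng = random.Random(seed)
    nodes = list(probs)
    weights = [probs[n] for n in nodes]
    counts = Counter()
    for _ in range(runs):
        counts[rng.choices(nodes, weights)[0]] += 1
    return dict(counts)


def rank_sources(target, flow_log=FLOW_LOG, scenario=SCENARIO, runs=2000, seed=0):
    """Nodes ordered from most to least likely source of the target's infection."""
    probs = reverse_propagation_probabilities(target, flow_log, scenario)
    counts = simulate_sources(probs, runs, seed)
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for node, n in rank_sources("file-01"):
        print(f"{node}: source in {n} of 2000 simulations")
```

The scenario filter is what makes the estimate useful: without it the 900 HTTPS flows from ws-02 would dominate and point the investigation at the wrong host.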
Method of generating and using credentials to detect the source of account takeovers
Disclosed herein are systems and methods that may generate so-called "honey credentials" that are transmitted to a "phishing" website and then stored in a honey credential database. The honey credentials appear to be valid credentials, but whenever a bad actor attempts to access an enterprise using the honey credentials, security appliances of the enterprise may update the records of the honey credential database to include one or more unique identifiers for each bad actor device that attempts to access the enterprise network using the honey credentials. A server may automatically query the honey credential database to identify other accounts that have been accessed by devices that used the honey credentials to access the enterprise. The server may then flag the accounts and restrict their functionality.
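The honey-credential flow from the abstract above, as an added example that is not the patent's code. The record layout, the opaque device identifier (assumed to be derived by the enterprise's security appliance from TLS and cookie fingerprints), the appliance's view of login outcomes and the login events are all assumptions constructed here.

```python
"""Honey-credential ledger: seed a phishing site, then trace the devices that replay the bait.

Added example, not the patent's code. Record layout, device identifiers
and login events are assumptions constructed for illustration.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field


@dataclass
class HoneyRecord:
    username: str
    password: str
    phishing_url: str
    seen_from: set[str] = field(default_factory=set)   # device ids that tried to use the bait


class HoneyCredentialDB:
    def __init__(self) -> None:
        self._by_user: dict[str, HoneyRecord] = {}

    def issue(self, username: str, phishing_url: str) -> HoneyRecord:
        """Create a bait credential to submit to the phishing page (the username should look real)."""
        rec = HoneyRecord(username, secrets.token_urlsafe(12), phishing_url)
        self._by_user[username] = rec
        return rec

    def lookup(self, username: str, password: str) -> HoneyRecord | None:
        rec = self._by_user.get(username)
        if rec and secrets.compare_digest(rec.password, password):
            return rec
        return None

    def honey_devices(self) -> set[str]:
        return set().union(*(r.seen_from for r in self._by_user.values()))


class SecurityAppliance:
    """Sits in front of the enterprise login; records device ids that replay honey credentials."""

    def __init__(self, db: HoneyCredentialDB) -> None:
        self.db = db
        self.successful_logins: list[tuple[str, str]] = []   # (username, device_id) for real logins

    def observe_login(self, username: str, password: str, device_id: str, succeeded: bool) -> str:
        rec = self.db.lookup(username, password)
        if rec:
            rec.seen_from.add(device_id)       # the unique identifier of the bad actor's device
            return "honey"
        if succeeded:
            self.successful_logins.append((username, device_id))
        return "ok" if succeeded else "failed"

    def accounts_to_flag(self) -> set[str]:
        """Real accounts accessed from any device that also replayed a honey credential."""
        bad_devices = self.db.honey_devices()
        return {user for user, dev in self.successful_logins if dev in bad_devices}


def run_sample() -> tuple[SecurityAppliance, set[str]]:
    db = HoneyCredentialDB()
    bait = db.issue("k.nguyen@corp.example", "https://corp-example-sso.invalid/login")
    appliance = SecurityAppliance(db)
    # Constructed login events: (username, password, device_id, succeeded)
    events = [
        ("j.doe@corp.example", "Winter2024!", "dev-A", True),      # ordinary user on their own device
        (bait.username, bait.password, "dev-X", False),            # attacker replays the bait
        ("m.smith@corp.example", "Summer2023!", "dev-X", True),    # same device, a stolen real password
        ("a.lee@corp.example", "Passw0rd!", "dev-X", True),
        ("a.lee@corp.example", "wrong", "dev-B", False),           # failed attempt, not counted
        ("j.doe@corp.example", "Winter2024!", "dev-A", True),
    ]
    for user, pw, dev, ok in events:
        appliance.observe_login(user, pw, dev, ok)
    return appliance, appliance.accounts_to_flag()


if __name__ == "__main__":
    appliance, flagged = run_sample()
    print("honey devices:", appliance.db.honey_devices())
    print("accounts to flag:", flagged)
```

The honey username must never be a real account, and the lookup is keyed on the exact bait password with a constant-time compare so a phisher who only has the username learns nothing from timing.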
Data processing method, device, access control system, and storage media
Data processing methods, devices, access control systems, and storage media are provided in the present disclosure. In a data processing method, isolated sessions corresponding to the same source IP address within a preset time period are identified. When the number of isolated sessions meets a preset condition, the source IP address is determined to be a target IP. Because the method works backwards from the activity of the isolated sessions to the source IP address behind them, it is not easily bypassed by the target IP and accurately identifies the target IP that satisfies the condition.
DYNAMIC NETWORK FEATURE PROCESSING DEVICE AND DYNAMIC NETWORK FEATURE PROCESSING METHOD
A dynamic network feature processing device includes a storage device and a processor. The storage device is configured to store a plurality of malicious feature groups. Each of the malicious feature groups corresponds to a malicious feature, and each of the malicious feature groups includes a plurality of malicious network addresses. The processor is coupled to the storage device. The processor is configured to: acquire an unknown network address of an unknown packet; compare the unknown network address with the malicious feature of each of the malicious feature groups; and filter the unknown packet upon determining that the unknown network address matches the malicious feature of at least one of the malicious feature groups.
NON-TRANSITORY COMPUTER-READABLE RECORDING MEDIUM, INFORMATION PROCESSING METHOD, AND INFORMATION PROCESSING DEVICE
A non-transitory computer-readable recording medium stores a program that causes a computer to execute a process. The process includes: acquiring malicious behavior data indicating the behavior of a malicious domain used for each attack among a plurality of types of attacks; specifying, based on the acquired malicious behavior data, a probability of detecting the behavior when each feature among a plurality of kinds of features appearing in the behavior is used to detect the behavior used for each attack; analyzing, based on the specified probability, the usefulness of each feature in detecting the behavior used for each attack; and determining, based on the result of the analyzing, which type of attack among the plurality of types of attacks the malicious domain is used for, with regard to the behavior of an object domain that corresponds to the behavior of the malicious domain.
ATTACKER LOCALIZATION BASED ON TRACKING ANOMALY PROPAGATION IN TIME-SENSITIVE NETWORKING
Systems, apparatuses and methods may provide for technology that detects one or more non-compliant nodes with respect to a timing schedule, detects one or more compliant nodes with respect to the timing schedule, and identifies a malicious node based on positions of the one or more non-compliant nodes and the one or more compliant nodes in a network topography. The non-compliant node(s) and the compliant node(s) may be detected based on post-synchronization messages, historical attribute data and/or plane diversity data.
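A small localizer in the spirit of the abstract above, added as an example that is not the patent's method. It assumes a sync tree rooted at the grandmaster clock, per-node offsets taken from post-synchronization messages, a tolerance, and this heuristic: a fault injected at one node shows up in every node downstream of it, so the suspect is the highest non-compliant node under a compliant parent, unless every sibling under that parent is non-compliant, in which case the parent itself (reporting a compliance it does not deliver) is blamed. The topology and the offset sets are constructed here.

```python
"""Localize a timing attacker from which nodes are, and are not, in step with the schedule.

Added example; not the patent's method. The tree, the tolerance and the
"highest non-compliant node under a compliant parent" heuristic are
assumptions constructed for illustration.
"""
from __future__ import annotations

# Constructed topology: child -> parent, towards the grandmaster clock "gm".
PARENTS = {"sw1": "gm", "sw2": "sw1", "sw3": "sw1", "ep1": "sw2", "ep2": "sw2", "ep3": "sw3"}


def classify_nodes(offsets_ns: dict[str, int], tolerance_ns: int) -> tuple[set[str], set[str]]:
    """Split nodes into compliant / non-compliant by their measured offset from the schedule."""
    compliant = {n for n, off in offsets_ns.items() if abs(off) <= tolerance_ns}
    return compliant, set(offsets_ns) - compliant


def children_of(parents: dict[str, str]) -> dict[str, set[str]]:
    kids: dict[str, set[str]] = {}
    for child, parent in parents.items():
        kids.setdefault(parent, set()).add(child)
    return kids


def localize(parents: dict[str, str], compliant: set[str], non_compliant: set[str]) -> set[str]:
    """Suspect nodes given the compliance sets and the tree position of each node."""
    kids = children_of(parents)
    roots = set(parents.values()) - set(parents)     # the grandmaster reports no offset; treat it as compliant
    compliant = compliant | roots
    suspects = set()
    for node in non_compliant:
        parent = parents.get(node)
        if parent is None or parent not in compliant:
            continue                                  # the fault starts higher up the tree
        siblings = kids[parent]
        if len(siblings) > 1 and siblings <= non_compliant:
            suspects.add(parent)                      # every branch below the parent is off: blame the parent
        else:
            suspects.add(node)
    return suspects


def localize_from_offsets(offsets_ns: dict[str, int], tolerance_ns: int = 100,
                          parents: dict[str, str] = PARENTS) -> set[str]:
    compliant, non_compliant = classify_nodes(offsets_ns, tolerance_ns)
    return localize(parents, compliant, non_compliant)


if __name__ == "__main__":
    # Constructed offsets (ns): sw2 and everything below it drift, the rest hold the schedule.
    print(localize_from_offsets({"sw1": 10, "sw2": 900, "sw3": 20, "ep1": 950, "ep2": 980, "ep3": 15}))
```

Plane diversity, which the abstract also mentions, would feed the same function: run it once per redundant path and a node blamed on both paths is a stronger candidate than one blamed on only one.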