H04L2463/146

METHOD AND SYSTEM FOR DETERMINING SPAM URL
20220086185 · 2022-03-17

A method for determining a spam URL includes: (a) extracting a URL from an e-mail; (b) determining whether the extracted URL is a redirecting URL; (c) when the extracted URL is a redirecting URL, accessing a redirection URL that is connected as a result of access to the extracted URL; (d) when the redirection URL is a redirecting URL, accessing a redirection URL that is connected as a result of access to the redirection URL; (e) repeating operation (d); (f) when a last accessed URL in one of operations (c), (d), and (e) is not a redirecting URL, determining whether the last accessed URL is a spam URL; and (g) when it is determined that the last accessed URL is a spam URL, determining the extracted URL, the last accessed URL and any redirection URL connected between the extracted URL and the last accessed URL as spam URLs.

BUS-OFF ATTACK PREVENTION CIRCUIT

Various systems and methods for bus-off attack detection are described herein. An electronic device for bus-off attack detection and prevention includes bus-off prevention circuitry coupled to a protected node on a bus, the bus-off prevention circuitry to: detect a transmitted message from the protected node to the bus; detect a bit mismatch of the transmitted message on the bus; suspend further transmissions from the protected node while the bus is analyzed; determine whether the bit mismatch represents a bus fault or an active attack against the protected node; and signal the protected node indicating whether a fault has occurred.

SECURING NETWORK RESOURCES FROM KNOWN THREATS

The present disclosure relates to securing workloads of a network by identifying compromised elements in communication with the network and preventing their access to network resources. In one aspect, a method includes monitoring network traffic at network elements of a network; detecting a compromised element in communication with one or more of the network elements, the compromised element being associated with at least one network threat; and based on a defined network policy, applying one of a number of different access prevention schemes to the compromised element to prevent access to the network by the compromised element.

SECURITY EVENT CONNECTIVITY GENERATED BY LINKING ENTITIES AND ACTIONS FROM PROCESS TRACKING

A system and method automatically links security events associated with a computer network and system calls of plural networked computers interfaced with the computer network. System call information of the system calls of the plural networked computers are communicated to a network location to associate security events with system calls across the networked computers and provide a causal graph that reconstructs a sequence of events with precise attribution and timing to comprehend entities and actions associated with the security event.

METHOD FOR RESPONDING TO THREAT TRANSMITTED THROUGH COMMUNICATION NETWORK
20220070185 · 2022-03-03

A computer-implemented method for responding to a network threat includes receiving, by the threat detection module, security-associated data from a unit security system; generating, by the threat detection module, a ticket based on the received security-associated data; requesting, by the ticket management module, ticket analysis and response from the workflow module; calling, by the plugin program module, an API of the unit security system or an external security service; and carrying out, by the workflow module, a task according to API communication with the called unit security system or the external security service. The task includes at least one of an inquiry task, a blocking task, an alarm task, and a follow-up action task. The inquiry task includes at least one of an inquiry about IP reputation, asset information, WHOIS, GEOIP, URL, HASH, sandbox, and prior information. The blocking task includes at least one of account deactivation, IP blocking, HASH blocking, URL blocking and domain blocking.

Wireless-network attack detection
11159944 · 2021-10-26

In some examples, a terminal can establish wireless communication with a base station. The terminal can determine a challenge, transmit the challenge, receive a response, and determine that the response is valid. The terminal can, in response, establish a secure network tunnel to a network node. In some examples, a terminal can determine a first communication parameter associated with communication with the base station. The terminal can receive data indicating a second communication parameter via a secure network tunnel. The terminal can determine that the communication parameters do not match, and, in response, provide an indication that an attack is under way against the network terminal. Some example terminals transmit a challenge, determine a response status associated with the challenge, and determine that an attack is under way based on the response status.

Cloud-based forensic IP traceback

A method for IP traceback is provided comprising receiving a traceback request including the identity of the traceback-deployed autonomous system closest to the destination node in a network routing path, recursively querying a traceback server associated with the traceback-deployed autonomous system to receive the identity of a preceding traceback-deployed autonomous system in the network routing path, and determining the network routing path based on the received identities of traceback-deployed autonomous systems. Additionally, authentication for the traceback request is achieved using token delivery, wherein the token is fragmented and marking of a packet is performed when a field on the packet matches at least one token fragment.

INFECTION SPREAD ATTACK DETECTION DEVICE, ATTACK ORIGIN SPECIFICATION METHOD, AND PROGRAM

An occurrence of an infection-spreading attack and an attack source thereof are detected with high accuracy. A first feature value is calculated based on traffic information regarding a packet forwarded by a forwarding device, and M partial address spaces to be monitored are specified based on the first feature value. A second feature value is calculated for each address of a terminal in a network, based on traffic information regarding the M partial address spaces, the second feature value is learned to classify terminal addresses into a plurality of clusters, and whether or not each of the clusters is an infection-spreading attack is determined to generate cluster information. Whether or not an infection-spreading attack has occurred and an address of a terminal that is an attack source are specified based on the second feature value and the cluster information.

METHODS OF MONITORING AND PROTECTING ACCESS TO ONLINE SERVICES

The present description relates to a method of monitoring and protecting access to an online service from account take over, comprising the steps of: providing a traffic inspector (1) in signal communication with at least one client device (2) and with a web server (4) having an online service residing therein; providing a traffic analyzer (5) in signal communication with the traffic inspector (1); identifying each browsing session of the client device (2) on the online service; analyzing the traffic exchanged between the client device (2) and the web server (4) to extract and identify at least one username when a user performs authentication to the online service; collecting first characteristic data concerning unique and/or non-unique technical parameters and associating them with a respective identified username; identifying each anonymous web beacon generated by the client device (2) on the online service, the web beacon being indicative of the fact that the client device (2) has started a fraudulent browsing session on a phishing web server (11); collecting third characteristic data concerning unique and/or non-unique technical parameters and associating them with the anonymous web beacon; comparing the first characteristic data by means of a user prediction algorithm (7) with the third characteristic data to associate an identified username with the anonymous web beacon in case of similarity or substantial coincidence between the first characteristic data and the third characteristic data so compared; analyzing by means of a detection algorithm (8) each anonymous web beacon associated with one or more identified usernames to enter each username associated with the anonymous web beacon in which a situation involving a risk of credential theft has been detected after a phishing attack in a watch list; monitoring the browsing sessions at risk associated with each username in the watch list when its respective user further performs authentication to the online service.

Network Data Processing Method, Apparatus, Electronic Device, and Storage Medium

A network data processing method and apparatus, an electronic device, and a storage medium are provided, which are related to the fields of big data and cloud computing. The specific embodiment is: acquiring a plurality of network access records, each of which includes a source address and a target address; determining a first redirect relationship from the source address to the target address in a respective network access record of the plurality of network access records; determining a set of redirect relationships for all addresses in the plurality of network access records according to the plurality of first redirect relationships of the plurality of network access records; and acquiring an address to be searched, and determining a final address to which the address to be searched is redirected according to the set of redirect relationships.