Patent classifications
H04L63/1425
Anomalous network node behavior identification using deterministic path walking
A computer implemented method of identifying anomalous behavior of a computer system in a set of intercommunicating computer systems, each computer system in the set being uniquely identifiable, the method including monitoring communication between computer systems in the set for a predetermined baseline time period to generate a baseline vector representation of each of the systems; monitoring communication between computer systems in the set for a subsequent predetermined time period to generate a subsequent vector representation of each of the systems; comparing baseline and subsequent vector representations corresponding to a target computer system using a vector similarity function to identify anomalous behavior of the target system in the subsequent time period compared to the baseline time period, wherein a vector representation of the target system for a time period is generated based on a deterministic walk of a graph representation of communications between the computer systems in which nodes of the graph correspond to computer systems in the set and weighted directed edges between nodes of the graph correspond to a characteristic of communication between pairs of computer systems in the set.
IoT device identification with packet flow behavior machine learning model
Identifying Internet of Things (IoT) devices with packet flow behavior including by using machine learning models is disclosed. Information associated with a network communication of an IoT device is received. A determination of whether the IoT device has previously been classified is made. In response to determining that the IoT device has not previously been classified, a determination is made that a probability match for the IoT device against a behavior signature exceeds a threshold. Based at least in part on the probability match, a classification of the IoT device is provided to a security appliance configured to apply a policy to the IoT device.
Cybersecurity risk analysis and mitigation
A method comprises acquiring anomaly data including a plurality of anomalies detected from streaming data, wherein each of the anomalies relates to an entity on or associated with a computer network. The method determines a risk score of each of the anomalies, and adjusts the risk score of an anomaly according to a set of factors. The method further determines, for each of a plurality of sliding time windows of different lengths, an entity score of the entity in relation to the sliding time window, based on an aggregation of risk scores of all anomalies related to the entity that were detected within the sliding time window, where the entity score corresponds to a risk level associated with the entity. An action to prevent the entity from performing an operation can be determined and caused to occur based on the entity score.
Network failover for migrating live encoders
Systems and methods perform a failover (handoff) type of process for machines actively encoding and transcoding media content or other data, including live video. Based on dynamic analyses, including detection of needed updates due to security anomalies and encoder state evaluations, the encoder instance initially receiving a stream can restart following handoff to another encoder instance. System downtime is minimized through actions such as initializing the replacement encoder and passively migrating network resources to it, without any explicit coordination or messaging between the two instances.
Spam detection
A method of determining that a client is likely engaged in the sending of spam emails via a network node. The method comprises, at the network node, defining a message size threshold and a message sending rate threshold, detecting the opening of Simple Mail Transfer Protocol (SMTP) connections between a client device and an email server, identifying messages sent from the client over the SMTP connections which exceed said message size threshold, and counting the identified messages to determine a client email message sending rate. The method further comprises making an assumption that the client is engaged in the sending of spam emails if the client message sending rate exceeds said message sending rate threshold.
Method, system, and computer program product for identifying a malicious user
A method, system, and computer program product for identifying a malicious user obtain a plurality of service requests for a service provided by a processing system, each service request of the plurality of service requests being associated with a requesting user and a requesting system, and a plurality of service responses associated with the plurality of service requests, each service response of the plurality of service responses being associated with the processing system; and identify the requesting user as malicious based on the plurality of service requests and the plurality of service responses.
Quantum secure network clock synchronization
A multi-node quantum communication network for providing quantum-secure time transfer with Damon attack detection is described. The network includes three or more nodes connected via authenticated communication channels forming a closed loop. By determining differences between the local times at the three or more nodes, as well as the time durations required for photons to travel between them, the network detects a Damon attack, if present. For example, the network imposes a closed loop condition to detect the Damon attack. The network can also use the local time differences and the photon travel durations between nodes to synchronize the local clocks at the three or more nodes of the network.
Method and system for stopping multi-vector phishing attacks using cloud powered endpoint agents
An endpoint protection system is provided. The system comprises: an endpoint agent deployed to an endpoint device, wherein the endpoint agent is built into one or more existing applications running on the endpoint device and is configured to capture network session activity between the endpoint device and one or more internet servers to detect a phishing attack using a set of classifiers trained by machine learning algorithms, and to block the phishing attack; and an endpoint management system in remote communication with the endpoint agent, wherein the endpoint management system is configured to train and develop the set of classifiers and to receive information about the detected phishing attack and an incident report from the endpoint agent. The endpoint agent provides a graphical user interface running on the endpoint device that allows an end user to configure one or more protections provided by the endpoint agent.
Systems and methods for protecting against misleading clicks on websites
The disclosed computer-implemented method for protecting against misleading clicks on websites may include (i) detecting a user click event on a uniform resource locator (URL) for navigating to a website during a web browsing session, (ii) analyzing the user click event to identify expected domain behavior associated with navigating to the website based on the URL, (iii) determining, based on the analysis, that the user click event deviates from the expected domain behavior associated with navigating to the website based on the URL, and (iv) performing a security action that protects against potentially malicious activity caused by the user click event deviating from the expected domain behavior associated with navigating to the website based on the URL. Various other methods, systems, and computer-readable media are also disclosed.
Detecting manipulation of data on a CAN bus
A method of detecting manipulation of data on a Controller Area Network (CAN) bus, and a device performing the method. In an aspect, the method includes detecting manipulation of data on a CAN bus to which the device is connected. The method comprises detecting that bus impedance is below a threshold bus impedance value, detecting whether or not CAN node arbitration may currently occur on the CAN bus upon detecting that the bus impedance is below the threshold bus impedance value, and, if not, determining that an attempt to manipulate data on the CAN bus has occurred.