Patent classifications
H04L63/1425
Determining correct location in the presence of GNSS spoofing
A method of determining a location of a mobile device in the presence of a spoofing signal includes obtaining current position information associated with the mobile device, determining a Global Navigation Satellite System (GNSS) signal search window for acquiring GNSS signals associated with a satellite based on the current position information, searching a GNSS signal associated with the satellite based on the GNSS signal search window, and determining updated position information of the mobile device based on at least information of the GNSS signal associated with the satellite.
INCIDENT RESPONSE AUTOMATION ENGINE
Systems, methods, and software described herein enhance how security actions are implemented within a computing environment. In one example, a method of implementing security actions for a computing environment comprising a plurality of computing assets includes identifying a security action in a command language for the computing environment. The method further provides identifying one or more computing assets related to the security action, and obtaining hardware and software characteristics for the one or more computing assets. The method also includes translating the security action in the command language to one or more action procedures based on the hardware and software characteristics, and initiating implementation of the one or more action procedures in the one or more computing assets.
Abnormality detection
A method of detecting abnormality may include the following steps. A normal-value range of a parameter for a target object is determined based on historical values of the parameter in a preset time period or at a preset time point. Whether the target object is abnormal is determined based on the normal-value range and the value of the parameter for the target object in the preset time period or at the preset time point within a current time cycle. Further, another normal-value range may be determined based on historical deviation values for the target object in historical time periods or at historical time points before the preset time period or the preset time point. Whether the target object is abnormal is determined based on either of the two normal-value ranges.
Detection and prevention of fraudulent activity on social media accounts
Technology is disclosed for detecting imposters of a brand account. The technology can store a brand profile of the brand account, detect that a message has been publicly communicated to the brand account from a social media account, monitor messages sent publicly to the social media account from other social media accounts by repeatedly comparing the brand profile to metadata of each of the monitored messages, and identify at least one of the other social media accounts as an imposter account based on the comparing. The technology can cease the comparing at a predetermined expiration time occurring after the detection of the message that was sent publicly to the brand account.
Offline security value determination system and method
A method includes collecting, by a communication device comprising a machine learning model obtained at least in part from a server computer, metadata associated with an application. The communication device can then embed the metadata to form vectorized data. The communication device can input the vectorized data into the machine learning model to obtain a security value. The communication device can determine whether to run or install the application based upon the security value.
IDENTIFYING RISKY USER BEHAVIORS IN COMPUTER NETWORKS
A method of identifying risky user behaviors in computer networks includes determining behavior data of a user. The behavior data describes user activities of the user using a computer network. A particular event chain is identified from the behavior data. The particular event chain includes one or more events of the user activities. A risk coefficient of the particular event chain is determined. Based on the risk coefficient, whether the particular event chain represents a risky user behavior is determined.
SDN-Based DDOS Attack Prevention Method, Apparatus, and System
A software defined networking (SDN)-based distributed denial of service (DDoS) attack prevention method, an apparatus, and a system, where a controller delivers a traffic statistics collection instruction to a first packet forwarding device. The traffic statistics collection instruction instructs the first packet forwarding device to perform traffic statistics collection, and carries a destination Internet Protocol (IP) address. The controller collects statistical data reported by the first packet forwarding device, obtains, according to the statistical data, a statistical value of global traffic flowing to the destination IP address, and delivers a DDoS prevention policy to a second packet forwarding device based on a determining result that the statistical value of the global traffic exceeds a preset threshold. Correspondingly, the second packet forwarding device receives the DDoS prevention policy from the controller, and performs, according to the DDoS prevention policy, a prevention process on the traffic flowing to the destination IP address.
Systems and methods for executing data protection policies specific to a classified organizational structure
Disclosed herein are systems and methods for classifying organizational structure for implementing data protection policies. In one exemplary aspect, a method may comprise retrieving a plurality of data files of an organization, wherein the plurality of data files are stored in a data storage; retrieving structural information of the organization, the structural information comprising details of user accounts, organizational roles, and file metadata within the organization; classifying the structural information into an organization type of a plurality of organization types; classifying each respective data file of the plurality of data files into a respective topic of a plurality of topics, wherein the plurality of topics are associated with the organization type; generating a data protection policy for the organization based on each respective topic of the plurality of data files and the organization type; and executing the data protection policy on the data storage.
DYNAMIC SECURITY MODULE TERMINAL DEVICE AND METHOD OF OPERATING SAME
Disclosed herein are a dynamic security module terminal device for receiving a dynamic security module and transmitting a security management event to a security server, and a method of operating the dynamic security module terminal device. The dynamic security module terminal device includes a communication unit configured to transmit and receive a security management event over a network, and a processor configured to control the communication unit. The processor is configured to create a security session with a security server, and to receive the dynamic security module from the security server so that part or all of the code of the dynamic security module performing security management has a predetermined valid period.
Security system and method for protecting a vehicle electronic system
A security system for protecting a vehicle electronic system by selectively intervening in the communications path in order to prevent the arrival of malicious messages at ECUs, in particular at the safety-critical ECUs. The security system includes a filter which prevents illegal messages sent by any system or device communicating over a vehicle communications bus from reaching their destination. The filter may, at its discretion according to preconfigured rules, send messages as is, block messages, change the content of the messages, request authentication, or limit the rate at which such messages can be delivered, by buffering the messages and sending them only at preconfigured intervals.