H04L63/1483

SYSTEM TO DETECT MALICIOUS EMAILS AND EMAIL CAMPAIGNS
20230224327 · 2023-07-13

The email campaign detector checks whether clustered emails with similar characteristics are part of a targeted campaign of malicious emails. An email similarity classifier analyzes a group of emails in order to cluster emails with similar characteristics in the group of emails. A targeted campaign classifier analyzes the clustered emails with similar characteristics to i) check whether the clustered emails with similar characteristics are a) coming from a same threat actor, b) going to a same intended target, and c) any combination of both, as well as ii) verify whether the clustered emails with similar characteristics are deemed malicious. The email campaign detector uses this information from the email similarity classifier and the targeted campaign classifier to provide an early warning system indicating that a targeted campaign of malicious emails is underway. The email campaign detector cooperates with one or more machine learning models to identify emails that are deemed malicious.

Systems and methods for detecting inter-personal attack applications
11556653 · 2023-01-17

The disclosed computer-implemented method for detecting inter-personal attack applications may include (i) receiving application marketplace information describing application feature information, (ii) creating, by performing natural language processing on the feature information, a feature vector identifying a potentially malicious functionality of the application, (iii) creating a profiling vector that is a categorical feature representation of installation information from an application installation file, and (iv) performing a security action including (A) mapping, using a machine learning model, the feature vector and the profiling vector to a multi-dimensional output vector having an element corresponding to a malware category and (B) determining a malicious extent of the application by combining the categories identified by the multi-dimensional output vector with bi-partite graph information identifying (I) relations between a plurality of applications and (II) relations between a plurality of computing devices hosting the plurality of applications. Various other methods, systems, and computer-readable media are also disclosed.

DEEP LEARNING BASED EMAIL CLASSIFICATION
20230222333 · 2023-07-13

A computer training device and method is provided for training a deep learning algorithm to classify incoming emails as belonging to one of multiple categories. The deep learning algorithm uses a loss function to avoid a low precision risk caused by a number of received emails for at least two of the multiple categories being imbalanced (e.g., by at least two orders of magnitude). The loss function compensates for the imbalance in received emails by changing depending on the criticality of the score being determined.

Threat actor identification systems and methods

A threat actor identification system that obtains domain data for a set of domains, generates domain clusters, determines whether the domain clusters are associated with threat actors, and presents domain data for the clusters that are associated with threat actors to brand owners that are associated with the threat actors. The clusters may be generated based on similarities in web page content, domain registration information, and/or domain infrastructure information. For each cluster, a clustering engine determines whether the cluster is associated with a threat actor, and for clusters that are associated with threat actors, corresponding domain information is stored for presentation to brand owners to whom the threat actor poses a threat.

RENDERING OF UNSAFE WEBPAGES

An example non-transitory computer readable storage medium comprising instructions that when executed cause a processor of a computing device to: in response to receiving a first request to access a webpage, transmit a second request to a monitoring resource to determine if the webpage is unsafe; receive, from the monitoring resource, an indication that the webpage is an unsafe webpage; and in response to receiving the indication, render, at the computing device, a modified copy of the webpage with every active element of the webpage disabled.

Cyber Security System and Method
20230009704 · 2023-01-12

A cyber security system creates a behavioral framework for evaluating the cyber security of an organization's computer systems based on its employees. The system leverages offline and online individual identity information and then translates this data to anonymous identifiers to protect privacy. The identifiers are used to pull data from an identity graph, which includes behavioral data. A business-to-business identity graph correlates the name of an organization that maintains the targeted computer system with the anonymous identifiers of employees. Online activity is gathered by pixels fired from websites accessed by user browsers and gathered by one or more remote servers.

Advanced data collection using browser extension application for internet security

A browser extension application is configured to collect data relating to the user's browsing activity and display notifications on a user interface. A user can instruct a web browsing application to navigate to a website. The browser extension application can detect a type of the webpage, and based on the type of the webpage, collect certain information relating to what the webpage is asking the user to provide and what the user is providing to the webpage. The browser extension application can transmit this information to a browser extension server. The browser extension server can determine a likelihood that the website is associated with instances of hacking online accounts. The browser extension server can transmit a signal to the browser extension application of the user's computing device. The browser extension application can take an action, e.g., direct the user to another website or log out of the user's account.

Local network device connection control
11700235 · 2023-07-11

There is provided a method comprising receiving a domain name system (DNS) query from a client computing device, decrypting the DNS query by a DNS resolver device, and requesting reputation information related to the FQDN from an agent device of the router apparatus. If a matching FQDN is not found in a local database, the DNS query is allowed to proceed from the DNS resolver device to a cloud DNS resolver, the IP and MAC address of the client computing device are logged and mapped to the local database, the reputation information related to the FQDN is requested from a cloud FQDN server, and if the reputation information indicates that the FQDN should be blocked, the local database is updated with the reputation information and further queries to the FQDN are blocked.

METHOD AND SYSTEM FOR DETECTION OF PHISHING EMAILS AND SUSPECT MALICIOUS EXECUTABLE HYPERLINKS

Aspects of the subject disclosure may include, for example, receiving, at a device, a message over a communication network from a remote source, determining if the message includes executable code and initiating a virtual machine in an isolated portion of the memory of the device responsive to determining that the message includes executable code. Aspects of the subject disclosure further include executing, by the virtual machine, the executable code within the isolated portion of the memory, monitoring, by an artificial intelligence module, activities of the executable code during the executing of the executable code and determining if the executable code comprises malicious code responsive to the monitoring of the activities of the executable code. Aspects of the disclosure further include deleting the executable code from the device in response to a determination that the executable code comprises malicious code. Other embodiments are disclosed.

SYSTEMS AND METHODS FOR AN ARTIFICIAL INTELLIGENCE DRIVEN SMART TEMPLATE
20230216879 · 2023-07-06

The present disclosure describes systems and methods for determining a subsequent action of a simulated phishing campaign. A campaign controller identifies a starting action for a simulated phishing campaign directed to a user of a plurality of users. The simulated phishing campaign includes a plurality of actions, one or more of the plurality of actions to be determined during execution of the simulated phishing campaign. The campaign controller, responsive to the starting action, communicates a simulated phishing communication to one or more devices of a user. The campaign controller determines a subsequent action of the plurality of actions of the simulated phishing campaign based at least on one of a response to the simulated phishing communication received by the campaign controller or a lack of response within a predetermined time period and initiates, responsive to the determination, the subsequent action of the simulated phishing campaign.