Computer-implemented methods, program products, and systems for provenance-based defense against poison attacks are disclosed. In one approach, a method includes: receiving observations and corresponding provenance data from data sources; determining whether the observations are poisoned based on the corresponding provenance data; and removing the poisoned observation(s) from a final training dataset used to train a final prediction model. Another implementation involves provenance-based defense against poison attacks in a fully untrusted data environment. Untrusted data points are grouped according to provenance signature, and the groups are used to train learning algorithms and generate complete and filtered prediction models. The results of applying the prediction models to an evaluation dataset are compared, and poisoned data points identified where the performance of the filtered prediction model exceeds the performance of the complete prediction model. Poisoned data points are removed from the set to generate a final prediction model.

Security mechanisms for content delivery networks (“CDNs”) are disclosed herein. One security mechanism can be used to mitigate or prevent dynamic content attacks. A system can execute a CDN manager to perform operations. In particular, the CDN manager can receive a plurality of hypertext transfer protocol (“HTTP”) requests, and parse a plurality of headers from the plurality of HTTP requests to determine a plurality uniform resource locators (“URLs”). The CDN manager can generate a plurality of web page images associated with the plurality of URLs. The CDN manager can execute a machine learning algorithm, such as a convolution neural network, to perform an analysis of the plurality of web page images. Based upon the analysis of the plurality of web page images, the CDN manager can determine whether the plurality of HTTP requests are for the same web page, which can be indicative of a dynamic content attack.

Computer-implemented methods, program products, and systems for provenance-based defense against poison attacks are disclosed. In one approach, a method includes: receiving observations and corresponding provenance data from data sources; determining whether the observations are poisoned based on the corresponding provenance data; and removing the poisoned observation(s) from a final training dataset used to train a final prediction model. Another implementation involves provenance-based defense against poison attacks in a fully untrusted data environment. Untrusted data points are grouped according to provenance signature, and the groups are used to train learning algorithms and generate complete and filtered prediction models. The results of applying the prediction models to an evaluation dataset are compared, and poisoned data points identified where the performance of the filtered prediction model exceeds the performance of the complete prediction model. Poisoned data points are removed from the set to generate a final prediction model.

The present application describes a system and method for passively collecting DNS traffic data as that data is passed between a recursive DNS resolver and an authoritative DNS server. The information contained in the collected DNS traffic data is used to generate a virtual authoritative DNS server, or a zone associated with the authoritative DNS server, when it is determined that the authoritative DNS server has been compromised.

Disclosed are a system and a method for detecting a malicious code using visualization in order to allow a user to intuitively detect behavior of client terminals infected with a malicious code. The system for detecting a malicious code using visualization includes a data collection module which collects DNS packets, a parameter extraction module which extracts parameters for visualization from the collected DNS packets, a data loading module which loads the extracted parameters; a blacklist management module which manages blacklist domain, a filter module which filters unnecessary data from the loaded data, and a visualization generation module which generates visualization patterns using the extracted parameters.

The present disclosure provides a method and a device for preventing DNS cache poisoning. According to an example of the method, a preventing equipment may forward a first DNS query request packet sent by a DNS server to a first authoritative DNS server. The preventing equipment may construct a second DNS query request packet including the target domain name and send the second DNS query request packet to a second authoritative DNS server when a first DNS reply packet received for the first DNS query request packet indicates a DNS cache poisoning attack occurs. When a second DNS reply packet received for the second DNS query request packet indicates no DNS cache poisoning attack occurs, the preventing equipment may generate a final DNS reply packet according to the second DNS reply packet and feed back the final DNS reply packet to the DNS server.

A control method implemented by a computer which is configured to be operated as a terminal apparatus, the control method including: transmitting, from the terminal apparatus to a first management server, a first request for transmission of a certificate of a first server, the first server being one of a plurality of servers, the first management server being configured to manage certificates for the plurality of servers; in response to the transmitting of the first request, receiving the certificate of the first server from the first management server; in response to the receiving of the certificate, determining a certificate authority by using information included in the received certificate, the certificate authority being a server from which the received certificate has been issued; and transmitting, from the terminal apparatus to the determined certificate authority, a second request for transmission of first address information on the first server.

Security mechanisms for content delivery networks (“CDNs”) are disclosed herein. One security mechanism can be used to mitigate or prevent dynamic content attacks. A system can execute a CDN manager to perform operations. In particular, the CDN manager can receive a plurality of hypertext transfer protocol (“HTTP”) requests, and parse a plurality of headers from the plurality of HTTP requests to determine a plurality uniform resource locators (“URLs”). The CDN manager can generate a plurality of web page images associated with the plurality of URLs. The CDN manager can execute a machine learning algorithm, such as a convolution neural network, to perform an analysis of the plurality of web page images. Based upon the analysis of the plurality of web page images, the CDN manager can determine whether the plurality of HTTP requests are for the same web page, which can be indicative of a dynamic content attack.

Methods for validating delivery of content and verifying a delegation of delivery of a content, and corresponding devices and computer program products. A method is proposed for validating a delivery of a content to a client terminal. Such a method includes receiving, by the client terminal, an address, referred to as the received address, in response to a request sent to an address server in order to obtain an address of a delivery server of the content. The request includes a piece of information relating to the delivery server. Such a method further includes receiving, by the client terminal, a piece of information relating to an authentic address associated with the delivery server, the information being sent by a server of the content supplier, and determining the validity of the received address with respect to the authentic address on the basis of the information relating to the authentic address.

Security mechanisms for content delivery networks (“CDNs”) are disclosed herein. One security mechanism can be used to mitigate or prevent dynamic content attacks. A system can execute a CDN manager to perform operations. In particular, the CDN manager can receive a plurality of hypertext transfer protocol (“HTTP”) requests, and parse a plurality of headers from the plurality of HTTP requests to determine a plurality uniform resource locators (“URLs”). The CDN manager can generate a plurality of web page images associated with the plurality of URLs. The CDN manager can execute a machine learning algorithm, such as a convolution neural network, to perform an analysis of the plurality of web page images. Based upon the analysis of the plurality of web page images, the CDN manager can determine whether the plurality of HTTP requests are for the same web page, which can be indicative of a dynamic content attack.