H04L2463/146

Systems and methods for tracking and identifying phishing website authors

A method of tracking phishing activity is disclosed. A request to download a webpage hosted as part of a legitimate website on a server is initiated. The request includes identification data pertaining to at least one user computing device. The identification data is extracted from the request. A unique identifier corresponding to the extracted identification data is generated. Fingerprint data is generated using at least a subset of the extracted identification data. The unique identifier, the extracted identification data and the fingerprint data are stored. The fingerprint data is encoded into a program and/or data associated with the webpage to generate a modified webpage. The modified webpage is transmitted from the server to the user computing device in response to the request.

Information Leakage Detection Method and Apparatus, and Computer-Readable Medium
20230222249 · 2023-07-13

Various embodiments of the teachings herein include an information leakage detection method. In some embodiments, the method includes: acquiring a data packet sent from a protected system to the outside; identifying signatures in the data packet, wherein a signature uniquely corresponds to a host in the protected system and is stored in one or a plurality of files on the corresponding host; and, when a signature is identified, determining that information on the host corresponding to the identified signature has been leaked.

Threat actor identification systems and methods

A threat actor identification system obtains domain data for a set of domains, generates domain clusters, determines whether the domain clusters are associated with threat actors, and presents domain data for the clusters that are associated with threat actors to brand owners that are targeted by those threat actors. The clusters may be generated based on similarities in web page content, domain registration information, and/or domain infrastructure information. For each cluster, a clustering engine determines whether the cluster is associated with a threat actor, and for clusters that are associated with threat actors, corresponding domain information is stored for presentation to brand owners to whom the threat actor poses a threat.

Cyber Security System and Method
20230009704 · 2023-01-12

A cyber security system creates a behavioral framework for evaluating the cyber security of an organization's computer systems based on its employees. The system leverages offline and online individual identity information and then translates this data to anonymous identifiers to protect privacy. The identifiers are used to pull data from an identity graph, which includes behavioral data. A business-to-business identity graph correlates the name of an organization that maintains the targeted computer system with the anonymous identifiers of employees. Online activity is gathered by pixels fired from websites accessed by user browsers and gathered by one or more remote servers.

Method for predicting events using a joint representation of different feature types
11552985 · 2023-01-10

A method for predicting one or more events includes generating, for features of each of at least two feature types, an intermediate representation using a representation learning model for the at least two feature types. The intermediate representations of the at least two feature types are analyzed using a neural network and at least one neural network model so as to provide a joint representation for predicting certain events. One or more actions to be taken can be determined based on the one or more events predicted by the joint representation.

Method and system for clustering darknet traffic streams with word embeddings

A system for analyzing and clustering darknet traffic streams with word embeddings, comprising: a data processing module which collects packets sent to non-existent IP addresses belonging to darknet taps (blackholes) deployed over the internet; a port embedding module which performs port sequence embedding by applying a word embedding algorithm to the port sequences extracted by the data processing module, transforming the port sequences into meaningful numerical feature vectors; a clustering module which performs temporal clustering of the feature vectors over time; and an alert logic and visualization module which visualizes the data and raises alerts for any cluster that an analyst classified as malicious in the past.

Methods and systems for defending an infrastructure against a distributed denial of service attack
11528295 · 2022-12-13

Methods and systems for defending an infrastructure against a distributed denial of service (DDoS) attack use a software decoy installed in the infrastructure to deliberately attract malware. An address or a domain name of a command and control (C&C) server is extracted from the malware. A client of the infrastructure uses the address or the domain name of the C&C server to connect to the C&C server. The client receives a command intended by the C&C server to cause the client to participate in the DDoS attack. The client forwards particulars of the DDoS attack to a cleaning component. The cleaning component discards incoming traffic matching one or more of the particulars of the DDoS attack. The address or domain name of the C&C server may be obfuscated in the malware, in which case reverse engineering is used to recover it from the malware.

FALSE BASE STATION DETECTION
20220394477 · 2022-12-08

A user equipment (“UE”) in a wireless communication network can receive a plurality of signals from a plurality of nodes. The UE can further determine a plurality of radio signal strength measurements. Each radio signal strength measurement can be associated with a signal of the plurality of signals received from the plurality of nodes. The UE can further determine whether there is an indication that a first node of the plurality of nodes may be an imposter node based on the plurality of radio signal strength measurements.

SPAMMER LOCATION DETECTION
20230054460 · 2023-02-23

The described technology is generally directed towards spammer location detection, and in particular, to locating a spammer that makes multiple calls from a given location via a cellular communications network. In some examples, network equipment can obtain call trace records associated with the multiple calls, identify a group of call trace records based on a shared call trace feature, aggregate data from call trace records within the group, and determine an estimated location based on the aggregated data.

Mitigation of DDoS attacks on mobile networks using DDoS detection engine deployed in relation to an evolved node B
11503471 · 2022-11-15

Systems and methods for inspection of traffic between the UE and the core network to mitigate DDoS attacks on mobile networks are provided. According to one embodiment, the method involves parsing SCTP packets and monitoring header anomalies to block anomalous packet floods. According to another embodiment, a memory table maintains the requesting S1AP-IDs which have sent certain monitored commands, and those sending these messages at abnormally high rates are then blocked. According to yet another embodiment, a packet classifier parses the GTP-U protocol, unwraps the encapsulated IP packet and then monitors for layer 3, 4 and 7 rate-based attacks, such as UDP, ICMP, SYN and HTTP GET floods, and drops them to protect the targeted Internet server as well as the mobile infrastructure (e.g., the MME, the SGW, the PGW, and the PDN) downstream from the DDoS mitigation system.