H04L63/1425

Automated security control using log information

Techniques, devices, and systems for receiving, from a mobile device, a request associated with a subscriber information module (SIM) are described herein. At least one of the mobile device, the SIM, or a communication identifier can be determined. A query can be transmitted, based on a difference between a first time associated with the query and a second time associated with a previous query meeting or exceeding a threshold amount of time. An action can be performed based on the query information being associated with the malicious activity information.

Web page spectroscopy

Facilitating web page spectroscopy in a communications network is provided herein. A system can comprise a processor and a memory that stores executable instructions that, when executed by the processor, facilitate performance of operations. The operations can comprise receiving first data that describes a first communication packet flow and second data that describes a second communication packet flow. The operations can also comprise training a model based on the first data and the second data, as a result of which the model is trained to detect respective behaviors represented by the first data and the second data. Further, the operations can comprise extracting a common parameter from third data that describes a third communication packet flow and fourth data that describes a fourth communication packet flow based on the model.

Scanning of content in weblink

An illustrative computing system for a weblink content scanning system scans an electronic message for the presence of one or more weblinks. The computing system accesses, in a sandbox computing environment, content linked to the one or more weblinks. The computing system generates a hash of the accessed content and/or content linked to weblinks accessible via the accessed content. The computing system scans the content accessed via the one or more weblinks for a presence of malicious content and categorizes the scanned content accessed via the one or more weblinks (e.g., safe, malicious, and the like), associates the categorization with each corresponding hash, and saves such information to a data store for future analysis. Based on a result of this analysis, the computing system allows delivery of the original electronic message or generates a modified electronic message for delivery to a recipient device.

Data breach protection

A computer-implemented method to detect a data breach in a network-connected computing system includes generating, at a trusted secure computing device, a copy of data distributed across a network; the computing device accessing sensitive information for the network-connected computer system and searching for at least part of the sensitive information in the copy of the data; and, in response to an identification of sensitive information in the copy of the data, identifying the sensitive information as compromised sensitive information.

Detecting and mitigating forged authentication object attacks using an advanced cyber decision platform
11582207 · 2023-02-14

A system for detecting and mitigating forged authentication object attacks is provided, comprising an authentication object inspector configured to observe a new authentication object generated by an identity provider, and retrieve the new authentication object; and a hashing engine configured to retrieve the new authentication object from the authentication object inspector, calculate a cryptographic hash for the new authentication object, and store the cryptographic hash for the new authentication object in a data store; wherein subsequent access requests accompanied by authentication objects are validated by comparing hashes for each authentication object to previously generated hashes.

Efficient monitoring of network activity in a cloud computing environment
11582252 · 2023-02-14

Systems and methods are described for efficient monitoring of network traffic in a public cloud computing environment. In one implementation, a method comprises: generating flow log records of network traffic in the public cloud computing environment; identifying a data packet that presents a potential security risk; identifying a captured data packet (PCAP) record corresponding to the identified data packet; and transmitting the PCAP record to a computing device for network traffic analysis.

Anomaly detection for cloud applications
11580135 · 2023-02-14

Requests are received for handling by a cloud computing environment which are then executed by the cloud computing environment. While each request is executing, performance metrics associated with the request are monitored. A vector is subsequently generated that encapsulates information associated with the request including the text within the request and the corresponding monitored performance metrics. Each request is then assigned (after it has been executed) to either a normal request cluster or an abnormal request cluster based on which cluster has a nearest mean relative to the corresponding vector. In addition, data can be provided that characterizes requests assigned to the abnormal request cluster. Related apparatus, systems, techniques and articles are also described.

Dysfunctional device detection tool

Embodiments of the present disclosure provide systems, methods, and non-transitory computer storage media for detecting abnormal behavior of a device in an enterprise network based on an analysis of behavioral information of the device's neighbors in the network. At a high level, embodiments of the present disclosure employ a hive-mind approach to determine anomalous behavior of a device in a network based on analyzing behavior information reported by neighboring devices within the network. Embodiments identify that a device is alive and connected within the network based on multiple neighboring devices reporting behavioral information about the device; however, the device may be dysfunctional and failing to report its own information. By aggregating and analyzing behavioral information of a device based on the reporting information of its neighboring devices, embodiments of the present disclosure are able to determine whether a device is healthy even when the device is unable to report its own information.

User effort detection

A variety of systems and methods can include evaluation of human user effort data. Various embodiments apply techniques to identify anomalous effort data for the purpose of detecting the efforts of a single person, as well as to segment and isolate multiple persons from a single collection of data. Additional embodiments describe the methods for using real-time anomaly detection systems that provide indicators for scoring effort data in synthesized risk analysis. Other embodiments include approaches to distinguish anomalous effort data when the abnormalities are known to be produced by a single entity, as might be applied to medical research and enhance sentiment analysis, as well as detecting the presence of a single person's effort data among multiple collections, as might be applied to fraud analysis and insider threat investigations. Embodiments include techniques for analyzing the effects of adding and removing detected anomalies from a given collection on subsequent analysis.

Method for identifying application information in network traffic, and apparatus
11582188 · 2023-02-14

A first correspondence table in a terminal device stores a correspondence between an identifier of a process running on the terminal device and an identifier of a data stream created by the process; a second correspondence table stores a second correspondence between an identifier of an application and an identifier of a process created by the application. The terminal device receives an identifier, sent by a network security device, of a first data stream. The terminal device can find, in the first correspondence table, a first record storing the identifier of the first data stream to obtain an identifier of a process. The terminal device can find, in the second correspondence table, a second record storing the identifier of the process in the first record to obtain an identifier of an application from the second record. The identifier of the application is then sent to the network security device.