H04L63/1491

COLLECTING ENDPOINT DATA AND NETWORK DATA TO DETECT AN ANOMALY
20230051880 · 2023-02-16

The present application describes a system that uses endpoint data and network data to detect an anomaly. Once an anomaly is detected, the system may determine a severity of the anomaly by comparing the anomaly to a global database of known anomalies. The system may then initiate preventative measures to address the anomaly.

SOCKET TRANSFERRING FOR HPC NETWORKS USING KERNEL TRACING
20230052452 · 2023-02-16

A computer-implemented method builds socket transferring between containers in cloud-native environments using kernel tracing techniques. The method includes probing a connection-relevant system call event using eBPF to collect and filter data at a router; creating a mirror call in the host namespace with a dummy server and a dummy client, where the dummy server is created with mirror listening parameters, a server host address mapping is sent to overlay the server host address onto the client coordinator in an overlay process, and the dummy client is created and connected so that it returns a client host address to the server coordinator. The method further includes transferring the mirror connections to the overlay process via a forwarder that temporarily enters the namespaces and injects socket system calls, and probing a transfer call event to map an overlay socket to the transferred dummy socket, activating duplication when the overlay socket is not locked.

Automated honeypot creation within a network

Systems and methods for managing Application Programming Interfaces (APIs) are disclosed. Systems may involve automatically generating a honeypot. For example, the system may include one or more memory units storing instructions and one or more processors configured to execute the instructions to perform operations. The operations may include receiving, from a client device, a call to an API node and classifying the call as unauthorized. The operations may include sending the call to a node-imitating model associated with the API node and receiving, from the node-imitating model, synthetic node output data. The operations may include sending a notification based on the synthetic node output data to the client device.
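The routing described in this abstract, as an added example rather than the patent's own code: a gateway in front of one API node classifies each call, serves authorized calls from the real handler, and sends the rest to a decoy that returns synthetic output with the same schema. The token list, rate limit, account record, and the HMAC-based derivation of the decoy's values are constructed assumptions; recording an alert for the defender is an addition beyond the abstract, which only describes the notification to the client.

```python
"""Added example (not the patent's own code): an API gateway that classifies
each call and routes unauthorized ones to a decoy that imitates the real node.
Token list, rate limit, account data and the decoy's value derivation are
constructed assumptions for illustration."""
from __future__ import annotations

import hashlib
import hmac
from collections import defaultdict, deque
from dataclasses import dataclass, field

VALID_TOKENS = {"tok-alice", "tok-bob"}   # assumed credentials of legitimate clients
RATE_LIMIT = 5                            # assumed: calls per WINDOW per client
WINDOW = 60.0                             # seconds
DECOY_SECRET = b"rotate-this-secret"      # keys the synthetic data per client


@dataclass
class ApiCall:
    client_id: str
    token: str | None
    path: str
    params: dict
    ts: float                             # epoch seconds (constructed in tests)


@dataclass
class Classifier:
    """Marks a call unauthorized on a bad token or on exceeding the rate limit."""
    history: dict[str, deque] = field(default_factory=lambda: defaultdict(deque))

    def classify(self, call: ApiCall) -> str:
        q = self.history[call.client_id]
        q.append(call.ts)
        while q and call.ts - q[0] > WINDOW:   # drop timestamps outside the window
            q.popleft()
        if call.token not in VALID_TOKENS:
            return "invalid-token"
        if len(q) > RATE_LIMIT:
            return "rate-exceeded"
        return "authorized"


def real_node(call: ApiCall) -> dict:
    """Stand-in for the genuine /accounts node; the data is constructed."""
    accounts = {"acct-1001": {"id": "acct-1001", "owner": "alice", "balance": 2500}}
    acct = accounts.get(call.params.get("id", ""))
    return {"ok": acct is not None, "result": acct}


def node_imitating_model(call: ApiCall) -> dict:
    """Decoy with the same response schema as real_node but synthetic values.
    Values come from an HMAC over (client, requested id), so a probing client
    sees the same fake record on every repeat call, which keeps the decoy
    consistent; no real account data is reachable from here."""
    acct_id = call.params.get("id", "") or "acct-0000"
    digest = hmac.new(DECOY_SECRET, f"{call.client_id}|{acct_id}".encode(),
                      hashlib.sha256).digest()
    owner = "user%04d" % (int.from_bytes(digest[:2], "big") % 10000)
    balance = 100 + int.from_bytes(digest[2:4], "big") % 9000
    return {"ok": True, "result": {"id": acct_id, "owner": owner, "balance": balance}}


class ApiGateway:
    """Front door for one API node: real handler for authorized calls, decoy
    otherwise. Unauthorized calls are also recorded as alerts for the defender
    (an addition beyond the abstract, which only describes notifying the client)."""

    def __init__(self) -> None:
        self.classifier = Classifier()
        self.alerts: list[dict] = []

    def handle(self, call: ApiCall) -> dict:
        verdict = self.classifier.classify(call)
        if verdict == "authorized":
            return real_node(call)
        synthetic = node_imitating_model(call)
        self.alerts.append({"client": call.client_id, "reason": verdict,
                            "path": call.path, "served_id": synthetic["result"]["id"]})
        return synthetic      # the client's notification: decoy output, same shape as real
```

The decoy's per-client determinism matters in practice: a probing client that receives different fake records for the same identifier on successive calls learns quickly that it is talking to a honeypot, so the synthetic values are derived from a keyed hash rather than drawn at random.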

Collection apparatus, collection method, and collection program

A collection apparatus collects URLs of Web pages that lead to user operations. It includes a search query generation unit that generates a search query by combining a digital content name with an associated keyword of the digital content; a fitness prediction unit that predicts the degree to which a Web page leading to user operation is returned as a search result when a search is performed with the generated search query; a determination unit that searches for Web pages using the search queries in an order based on the predicted degree and determines the analysis priority of a retrieved Web page's URL on the basis of that degree and the search result information; and a communication unit that outputs the URL of the retrieved Web page and its analysis priority.

ANTI-MALWARE DEVICE, ANTI-MALWARE SYSTEM, ANTI-MALWARE METHOD, AND RECORDING MEDIUM IN WHICH ANTI-MALWARE PROGRAM IS STORED
20180004939 · 2018-01-04

An anti-malware device 50 includes: a risk information storage unit 51 storing risk information 510 that associates a value indicating an attribute of an information processing device 60 that executes software 600, a value indicating an attribute of the software 600, and a value indicating the degree of risk when the software 600 is executed; a subject attribute collection unit 53 that collects the value indicating the attribute of the information processing device 60; an object attribute collection unit 54 that collects the value indicating the attribute of the software 600; and a determination unit 55 that determines that the software 600 is malware when the degree-of-risk value obtained by comparing the risk information 510 with the values collected by the subject attribute collection unit 53 and the object attribute collection unit 54 satisfies a criterion.

ONLINE FRAUD SOLUTION
20180012184 · 2018-01-11

Various embodiments of the invention provide solutions (including, inter alia, systems, methods and software) for dealing with online fraud. Some embodiments access, obtain and/or receive data from a data source; the data might, for example, indicate a possible instance of online fraud. Certain embodiments can therefore be configured to analyze the data, e.g., to determine whether it indicates a likely instance of online fraud. Such instances may be investigated further, and/or a response may be initiated. Data sources can include, without limitation, web pages, email messages, online chat sessions, domain zone files, newsgroups (and/or postings thereto), etc. Data obtained from the data sources can include, without limitation, suspect domain registrations, uniform resource locators, references to trademarks, advertisements, etc.

Machine learning dataset generation using a natural language processing technique

A server can receive a plurality of records at a database such that each record is associated with a phone call and includes at least one request generated based on a transcript of the phone call. The server can generate a training dataset based on the plurality of records. The server can further train a binary classification model using the training dataset. Next, the server can receive a live transcript of a phone call in progress. The server can generate at least one live request based on the live transcript using a natural language processing module of the server. The server can provide the at least one live request to the binary classification model as input to generate a prediction. Lastly, the server can transmit the prediction to an entity receiving the phone call in progress. The prediction can cause a transfer of the call to a chatbot.

METHOD OF AND SYSTEM FOR ANALYSIS OF INTERACTION PATTERNS OF MALWARE WITH CONTROL CENTERS FOR DETECTION OF CYBER ATTACK
20180012021 · 2018-01-11

This technical solution relates to systems and methods for cyber attack detection, and more specifically to methods and systems for analyzing the protocols by which malware interacts with cyber attack control centres (servers). The method comprises: uploading the malware application into at least one virtual environment; collecting, by the server, a plurality of malware requests transmitted by the malware application to the malware control centre; and analyzing the plurality of malware requests to determine, for each given malware request, at least one malware request parameter contained therein and the order of the at least one malware request parameter. The method then groups the plurality of malware requests based on shared similar malware request parameters and their order, and for each group containing at least two malware requests, generates a regular expression describing the group's malware request parameters and their order; this regular expression can be used as an emulator of the malware application.
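The grouping-and-regex step of this abstract, as an added example that is not the patent's own code: requests captured from a sandbox are grouped by path and by the ordered names of their query parameters, each group of at least two members yields a regular expression, and that expression is then used both to classify new requests and to emulate the beacon. Inferring a value class per parameter (fixed-width hex, integer, word) is an assumption added here to make the regex tighter than a bare list of parameter names; the sample URLs are constructed.

```python
"""Added example (not the patent's own code): derive regular-expression
signatures from requests observed in a sandbox, grouping by path and ordered
parameter names as the abstract describes, then use each signature to classify
new requests and to emulate the beacon. The sample URLs are constructed."""
import random
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sandbox capture: three check-ins, two uploads, one singleton.
SANDBOX_REQUESTS = [
    "http://c2.example/gate.php?id=3f2a9c1e7b5d4e6a9c8b7a6f5e4d3c2b&os=win10&v=3",
    "http://c2.example/gate.php?id=a1b2c3d4e5f60718293a4b5c6d7e8f90&os=win7&v=12",
    "http://c2.example/gate.php?id=0000111122223333444455556666777f&os=win11&v=3",
    "http://c2.example/upload.php?task=17&size=4096",
    "http://c2.example/upload.php?task=3&size=12",
    "http://c2.example/ping?t=1700000000",
]


def value_class(values):
    """Narrowest of a few value classes that every observed value fits (assumed heuristic)."""
    lengths = {len(v) for v in values}
    if len(lengths) == 1 and all(re.fullmatch(r"[0-9a-f]+", v) for v in values):
        return ("hex", next(iter(lengths)))          # fixed-width hex, e.g. a bot id
    if all(re.fullmatch(r"\d+", v) for v in values):
        return ("int", max(lengths))
    if all(re.fullmatch(r"\w+", v) for v in values):
        return ("word", None)
    return ("any", None)


def to_pattern(cls, width):
    return {"hex": rf"[0-9a-f]{{{width}}}", "int": r"\d+",
            "word": r"\w+", "any": r"[^&]+"}[cls]


def build_signatures(urls):
    """Group by (path, ordered parameter names); emit a regex per group of >= 2."""
    groups = defaultdict(list)
    for url in urls:
        parts = urlsplit(url)
        params = parse_qsl(parts.query, keep_blank_values=True)
        groups[(parts.path, tuple(name for name, _ in params))].append([v for _, v in params])
    sigs = {}
    for (path, names), rows in groups.items():
        if len(rows) < 2:                       # singletons carry no pattern
            continue
        fields = [(name, value_class([r[i] for r in rows]), [r[i] for r in rows])
                  for i, name in enumerate(names)]
        body = "&".join(re.escape(name) + "=" + to_pattern(*cls) for name, cls, _ in fields)
        sigs[path] = {"regex": re.compile("^" + re.escape(path) + r"\?" + body + "$"),
                      "fields": fields}
    return sigs


def classify(sigs, url):
    """Return the path of the first signature that matches, else None.
    Parameter order is part of the signature, so a reordered query does not match."""
    parts = urlsplit(url)
    target = parts.path + "?" + parts.query
    return next((p for p, s in sigs.items() if s["regex"].match(target)), None)


def emulate(sigs, path, seed=0):
    """Produce a request the signature accepts: fresh hex/ints, observed words."""
    rng = random.Random(seed)
    out = []
    for name, (cls, width), observed in sigs[path]["fields"]:
        if cls == "hex":
            value = "".join(rng.choice("0123456789abcdef") for _ in range(width))
        elif cls == "int":
            value = str(rng.randrange(10 ** width))
        else:
            value = rng.choice(observed)
        out.append(f"{name}={value}")
    return path + "?" + "&".join(out)
```

The host is deliberately left out of the signature, since a family's C2 hostnames rotate far faster than its request grammar; anchoring on parameter names and their order is what makes the same expression serve both as a detection rule and as a generator for a sinkhole or a decoy client.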

CLEANING RECOVERY METHOD AND DEVICE FOR HETEROGENEOUS EXECUTOR IN MIMICRY SWITCH, AND MIMICRY SWITCH
20230007044 · 2023-01-05

The present disclosure provides a cleaning and recovery method and device for a heterogeneous executor in a mimic switch, and a mimic switch. The method includes: a mimic scheduler determining a designated heterogeneous executor that needs to be cleaned, marking it as being in a cleaning state, and sending a cleaning instruction to it; the designated heterogeneous executor sending a normal protocol negotiation message to the mimic scheduler to try to interact with it; the mimic scheduler receiving the protocol negotiation message and detecting whether the designated heterogeneous executor is in the cleaning state; if it is, the mimic scheduler constructing a training message and sending it to the designated heterogeneous executor for protocol training; and repeating the sending and processing of the protocol negotiation message until the designated heterogeneous executor is in a normal state.

METHOD OF DETECTING ANOMALIES IN A BLOCKCHAIN NETWORK AND BLOCKCHAIN NETWORK IMPLEMENTING SUCH A METHOD
20230007035 · 2023-01-05

Embodiments include a method of detecting anomalies within a blockchain network including a plurality of nodes, the method including, at a measured node of the blockchain network, measuring at least one operational parameter of the measured node. The method also includes injecting at least one measured value of the at least one operational parameter into at least one predetermined heuristic model that signals a possible anomaly within the blockchain network based on the at least one measured value. Embodiments also include a computer program including computer instructions which, when executed by a computer device, implement the method. Embodiments also include a blockchain network configured to implement the method of detecting anomalies.