Abstract: Information related to data communication between a plurality of connected devices is obtained. A plurality of initiated connections between the plurality of connected devices as directed edges between nodes in a directed graph based on the information are defined. Each initiated connection is represented by a directed edge from a source node to a destination node in the directed graph, and each node comprises an internet protocol (IP) address of the node. The directed graph is explored to determine a plurality of source/destination-pairs, wherein each source/destination-pair contains a source IP address of a source node of a directed edge, and a destination IP address of a destination node of the directed edge. A peer-to-peer (P2P) network including a plurality of P2P devices is detected based on the source/destination-pairs.

Abstract: There is provided a method that comprises receiving one or more unique passwords for identifying respective one or more user devices of the wireless local area network; associating the one or more unique passwords with the respective one or more user devices and storing the one or more unique passwords to a database; in response to receiving, at an access point of the wireless local area network, a connection request from a user device, requesting, from the user device, a unique password of the user device; and identifying the user device based on the unique password.

Abstract: A network apparatus maintains a data repository comprising network traffic data related to a plurality of user devices, the network traffic data being collected from a plurality of Network Service Providers (NSPs). A subset of the plurality of user devices are detected to be communicating with one or more same endpoint devices based on analysing the network traffic data. A number of historical connections between each user device of the subset of the plurality of user devices and the one or more endpoint devices is determined based on analysing historical connection data maintained in the data repository, and in response to detecting that the number of historical connections between the subset of the plurality of user devices and the one or more endpoint devices exceeds a predetermined threshold, the one or more endpoint devices are identified as a suspected botnet.

Abstract: Network device identification is disclosed. A set of data attributes relating to at least two different data types is extracted from network traffic data associated with each user device of a set of user devices. A cluster data set of one or more known device clusters is expanded with the set of data attributes for generating an expanded cluster data set. One or more new device clusters is identified from the expanded cluster data set of the one or more known device clusters by using similarity-based metrics and a weighting factor selected based on the data types of the set of data attributes, and one or more device identification rules is generated based on the one or more new device clusters.

Abstract: There is provided a method that comprises receiving one or more unique passwords for identifying respective one or more user devices of the wireless local area network; associating the one or more unique passwords with the respective one or more user devices and storing the one or more unique passwords to a database; in response to receiving, at an access point of the wireless local area network, a connection request from a user device, requesting, from the user device, a unique password of the user device; and identifying the user device based on the unique password.

Abstract: A network apparatus maintains a data repository comprising network traffic data related to a plurality of user devices, the network traffic data being collected from a plurality of Network Service Providers (NSPs). A subset of the plurality of user devices are detected to be communicating with one or more same endpoint devices based on analysing the network traffic data. A number of historical connections between each user device of the subset of the plurality of user devices and the one or more endpoint devices is determined based on analysing historical connection data maintained in the data repository, and in response to detecting that the number of historical connections between the subset of the plurality of user devices and the one or more endpoint devices exceeds a predetermined threshold, the one or more endpoint devices are identified as a suspected botnet.

Abstract: There is provided a method comprising: maintaining a database of one or more computer devices registered at a computer network, detecting a connection request from a new computer device, determining a physical location of the new computer device and comparing the physical location of the new computer device with the physical location data stored in the database. In response to detecting a previously registered computer device of the one or more computer devices having at least an approximately same physical location as the new computer device based on the comparison, the method further comprises determining that a change has occurred in network-based identification data of the previously registered computer device and taking further action to protect the computer devices from a security threat caused by the change of the network-based identification data.

Abstract: There are provided measures for enabling detecting malware. A method includes generating a copy of a first node, configuring a sandbox environment by using the generated copy, executing an electronic file or a URL in the sandbox environment configured with the copy, providing a result of the malware analysis of the electronic file or the URL, identifying the electronic file or the URL as malicious or suspicious on the basis of the provided result, and taking further action for protecting the first node from the electronic file or the URL identified as malicious or suspicious.

Abstract: There is provided a method for improving security of computer resources, including obtaining raw memory snapshots of a computer memory of one or more computing systems during runtime of identical processes relating to a predetermined application or a service; forming a map of expected memory behaviour relating to the application or the service based on the obtained raw memory snapshots; monitoring the memory behaviour of a computing system during the execution of the same application or the service; comparing the monitored memory behaviour of the computing system with the formed map of expected memory behaviour; and in the event that a deviation from the expected memory behaviour is detected based on the comparison, triggering an alert.

Abstract: There are provided measures for enabling detecting malware. A method includes generating a copy of a first node, configuring a sandbox environment by using the generated copy, executing an electronic file or a URL in the sandbox environment configured with the copy, providing a result of the malware analysis of the electronic file or the URL, identifying the electronic file or the URL as malicious or suspicious on the basis of the provided result, and taking further action for protecting the first node from the electronic file or the URL identified as malicious or suspicious.

Abstract: There is provided a method for improving security of computer resources, including obtaining raw memory snapshots of a computer memory of one or more computing systems during runtime of identical processes relating to a predetermined application or a service; forming a map of expected memory behaviour relating to the application or the service based on the obtained raw memory snapshots; monitoring the memory behaviour of a computing system during the execution of the same application or the service; comparing the monitored memory behaviour of the computing system with the formed map of expected memory behaviour; and in the event that a deviation from the expected memory behaviour is detected based on the comparison, triggering an alert.

Abstract: Malicious object detection is disclosed. An apparatus includes one or more processors, and one or more memories including computer program code. The one or more memories and the computer program code are configured to, with the one or more processors, cause the apparatus at least to perform: obtain image data; obtain association data relating to the image data; identify the image data as corresponding to an identified image among known reference images; and set reputation data of the association data as suspicious, if the association data does not match acceptable associations for the identified image.

Abstract: Malicious object detection is disclosed. An apparatus includes one or more processors, and one or more memories including computer program code. The one or more memories and the computer program code are configured to, with the one or more processors, cause the apparatus at least to perform: obtain image data; obtain association data relating to the image data; identify the image data as corresponding to an identified image among known reference images; and set reputation data of the association data as suspicious, if the association data does not match acceptable associations for the identified image.