Abstract: Detecting and defending against password spraying attacks is provided. Information is received regarding failed attempts to login to user accounts located on a target system of a network. Each password used to attempt a failed login to any of the user accounts located on the target system is recorded. It is determined whether a common password is used in a failed login attempt to a number of different user accounts located on the target system greater than or equal to a predetermined threshold. In response to determining that the common password was used in the failed login attempt to the number of different user accounts on the target system greater than or equal to the predetermined threshold, an alert is sent regarding a password spraying attack corresponding to the common password that resulted in the failed login attempt to the number of different user accounts located on the target system.

Abstract: Web sites are crawled using multiple browser profiles to avoid malicious cloaking. Based on web page content returned from HTTP requests using the multiple browser profiles, web sites returning substantively different content to HTTP requests for different browser profiles are identified. Web sites are further filtered by common cloaking behavior, and redirect scripts are extracted from web page content that performed cloaking. Signatures comprising tokenized versions of the redirect scripts are generated and compared to a database of known cloaking signatures. URLs corresponding to signatures having approximate matches with signatures in the database are flagged for recrawling. Recrawled URLs are verified for malicious cloaking again using HTTP requests from multiple browser profiles.

Abstract: The disclosed embodiments are directed toward monitoring and classifying encrypted network traffic. In one embodiment, a method is disclosed comprising intercepting an encrypted network request, the network request transmitted by a client device to a network endpoint; identifying a network service associated with the network endpoint based on unencrypted properties of the encrypted network request; identifying, based on the encrypted network request and a series of subsequent network requests issued by the client device, an action taken by the client device, the action comprising an activity performed during a session established with the network service; and updating a catalog of network interactions using the network service and the action.

Abstract: Systems, methods, and products comprise an analytic server, which improves security of a unified system of distributed network infrastructure comprising a plurality of cyber-physical systems. The analytic server may instantiate a sub attack tree for each cyber-physical system within the unified system. The analytic server may determine how the interconnection of the plurality of cyber-physical systems may affect the unified system security. The analytic server may monitor systems and receive electronic notifications of alerts in real-time from devices in the plurality of cyber-physical systems. The analytic server may follow the logic of the attack tree model by traversing the attack tree from bottom up and determine how the alerts from the cyber-physical systems may affect the distributed network infrastructure as a whole. The analytic server may generate reports comprising a list of the prioritized attacks and recommendation actions to mitigate the attacks.

Abstract: Provided is a process that includes: obtaining, with one or more processors, a query identifying a user identification; retrieving, with one or more processors, via an application programming interface, from a database, one or more passwords associated with one or more user identification entries in the database that matches the user identification in response to the obtained query; determining, with one or more processors, whether the one or more passwords matches a password associated with the user identification; blocking, with one or more processors, access to a user account associated with the user identification and the password when the one or more passwords matches the password associated with the user identification; and notifying, with one or more processors, a user associated with the user account to reset the password when the one or more passwords matches the password associated with the user identification.

Abstract: A computer-implemented system and method of providing utility service network information for a utility service disturbance monitoring equipment management network and system. The system includes six components: an operating system with mirrors/feedback point, a local provider/USI DME application repositories, working snapshots, published snapshots, a quality control test system; and a dedicated provider/USI portion of the Cloud.

Abstract: A method, system and computer-usable medium for performing a feature generation operation. The performing a feature generation operation including: receiving a stream of events, the stream of events comprising a plurality of events; applying labels to applicable events from the plurality of events, the applying labels providing a labeled event; and, processing the labeled event to extract a feature from the labeled event, the processing providing a feature associated with an event.

Abstract: In accordance with an embodiment, described herein are systems and methods for use of a suffix tree to control blocking of blacklisted encrypted domains. A suffix tree includes encrypted hash keys corresponding to a plurality of domain nodes. A domain-related request packet is received, and a target domain name extracted from the packet. A pair of hash keys are generated for the request packet and target domain; and a hash table is searched with the generated hash key pair. If a corresponding entry is found in the hash table, then a corresponding hash suffix pointer is determined for the packet, and the suffix tree examined to determine whether the node identified by the query is part of a blacklisted node. If the suffix tree indicates the node to be part of a blacklisted node, then the system can perform a specified action associated with that node.

Abstract: The present disclosure describes a system, method, and computer program for detecting unmanaged and unauthorized assets on an IT network by identifying anomalously-named assets. A recurrent neural network (RNN) is trained to identify patterns in asset names in a network. The RNN learns the character distribution patterns of the names of all observed assets in the training data, effectively capturing the hidden naming structures followed by a majority of assets on the network. The RNN is then used to identify assets with names that deviate from the hidden naming structures. Specifically, the RNN is used to measure the reconstruction errors of input asset name strings. Asset names with high reconstruction errors are anomalous since they cannot be explained by learned naming structures. After filtering for attributes or circumstances that mitigate risk, such assets are associated with a higher cybersecurity risk.

Abstract: A computer-implemented method for dynamically identifying security threats comprising a cyber-attack chain composed of a sequence of partial cyber-attacks represented by attack patterns may be provided. The method comprises receiving a sequence of security events, determining, a first cyber-attack pattern by applying a set of predefined rules for detecting an indicator of compromise of a first partial cyber-attack of the cyber-attack chain—thereby, identifying a specific cyber-attack chain—and determining a type and an attribute in the pattern of the first partial cyber-attack. The method comprises further configuring at least one rule for a downstream partial cyber-attack in the specific cyber-attack chain based on the type and the attribute in the attack pattern of the first partial cyber-attack, and adding the at least one configured rule to the set of predefined rules to be used by the correlation engine for dynamically identifying security threats to information technology systems.

Abstract: Described are platforms, systems, and methods for actuating transmission control protocol/Internet protocol (TCP/IP) through a method comprises: identifying a computer workload during a handshake process for establishing a network connection with a remote host; configuring, based on the computer workload, one or more TCP/IP parameters of the network connection; and completing the handshake process to establish the network connection with the remote host.

Abstract: Embodiments are directed to monitoring network traffic over a network using one or more network monitoring computers. A monitoring engine may be instantiated to perform actions, including: monitoring network traffic to identify client requests provided by clients and server responses provided by servers in response to the client requests; determining request metrics associated with the client requests; and determining response metrics associated with the server responses. An analysis engine may be instantiated that performs actions, including: comparing the request metrics with the response metrics; determining atypical behavior associated with the clients based on the comparison such that the atypical behavior includes an absence of adaption by the clients to changes in the server responses; and providing alerts that may identify the clients be associated with the atypical behavior.

Abstract: A cybersecurity system, method, and computer program is provided for detecting whether an entity's collection of processes during an interval is abnormal compared to the historical collection of processes observed for the entity during previous intervals of the same length. Logs from a training period are used to calculate global and local risk probabilities for each process based on the process's execution history during the training period. Risk probabilities may be computed using a Bayesian framework. For each entity in a network, an entity risk score is calculated by summing the applicable risk probabilities of the unique processes executed by the entity during an interval. An entity's historical risk scores form a score distribution. If an entity's current score is an outlier on the historical score distribution, an alert of potentially malicious behavior is generated with respect to the entity. Additional post-processing may be performed to reduce false positives.

Abstract: At an artificial intelligence based service to detect violations of resource usage policies, an indication of a first data set comprising a plurality of network traffic flow records associated with at least a first device of a set of devices may be obtained. Using the first data set, a machine learning model may be trained to predict whether resource usage of a particular device of a particular network violates a first resource usage acceptability criterion. In response to determining, using a trained version of the model, that the probability that a second device has violated the acceptability criterion exceeds a threshold, one or more actions responsive to the violation may be initiated.

Abstract: Client-side attack detection via simulation for detecting and mitigating cross-site script code client-side attacks is disclosed. A system can receive, through a network interface from a web server, a first response having a first payload that includes an action based on a request to the web server and a second response having a corresponding payload that is received concurrently with the first response on a signal path from the web server that is different from that of the first response. The system can invoke the action from the first payload and detect malicious activity in the invoked action. The system can verify the detecting of the malicious activity and issue a message indicating a security incident relating to the malicious activity. The system can either allow or restrict passage of the second response to a network based on a mode of the system when the malicious activity is verified.

Abstract: Tuning a neural network may include selecting a portion of a first neural network for modification to increase computational efficiency and generating, using a processor, a second neural network based upon the first neural network by modifying the selected portion of the first neural network while offline.

Abstract: A link binding chain is disclosed that enables multiple hops of link bindings to be cascaded to form a chain of link bindings. The binding chain can be leveraged when a one-hop link binding is infeasible or fails to be established. Dynamic binding method switching is disclosed for updating the binding method after a link binding has been established such that the link binding may be selected for a more proper or efficient link binding method to adapt to the changing environment. Methods for broker assisted link binding are disclosed to facilitate link binding functionalities between a source resource and a destination resource that are connected through a binding broker.

Abstract: Methods, apparatuses and computer program products implement embodiments of the present invention that include protecting a computing device by specifying one or more Internet sites that are accessible by one or more computing devices that communicate over a data network and identifying process binaries that executed on the computing devices accessed and retrieved data from any of the specified one more Internet sites. The identified process binaries are classified into a plurality of classes of matching process binaries, and for a given class, a count of the computing devices that that executed one of the process binaries of the given class is computed. When determining that the count of the computing devices is less than a predefined threshold, a preventive action is initiated to inhibit command and control (C2) channel transmissions from any of the computing devices that executed any of the process binaries of the given class.

Abstract: In an example embodiment, a new solution is provided for an in-memory database provided in a cloud as a service that enables “job cross running” instead of “parallel job running.” Specifically, job scripts are clustered based on a shared service. A primary job script in the cluster is compiled and executed, but secondary job scripts in the cluster are not compiled until after the execution of the primary job script has begun. A mock library is inserted into each of the secondary job scripts to cause service calls for the shared service in the secondary job scripts to be replaced with mock service calls. The secondary job scripts are then scheduled and executed, and upon completion the primary job script is permitted to delete the shared service.

Abstract: Methods, systems, and computer readable media for providing computer security analysis are described. In some implementations, a system providing computer security analysis comprises one or more processors coupled to a non-transitory computer readable storage having software instructions stored thereon configured to cause the one or more processors to: perform a Markov Decision Process (MDP) as part of a cyber-attack mechanism and a Discrete Time Markov Chain (DTMC) process as part of a cyber-defense mechanism, preferably, the cyber-attack and cyber-defense system is modeled as MDP whereas the security analyst SA is modeled as DTMC; synchronize the cyber-attack mechanism with the cyber-defense mechanism through an attack-defense synchronization action; and synchronize an update action, wherein the attack-defense synchronization action includes initiating the DTMC process, and wherein the synchronization of the update action results from one or more actions taken by the DTMC process.

Abstract: Disclosed are various approaches for automating the detection and identification of security issues. A plurality of signals received from a plurality of security devices are analyzed to identify a predicted security incident, each of the plurality of signals indicating a potential security issue. A confidence score is then calculated for the predicted security incident. At least one compliance policy is then evaluated to determine whether to perform a remedial action specified in the compliance policy, wherein a determination to perform the remedial action is based at least in part on the confidence score. Finally, the remedial action is performed in response to an evaluation of the at least one compliance policy.

Abstract: The present invention relates to a receiver (2200) for recognizing blinding attacks in a quantum encrypted channel (1300) comprising an optical fiber, comprising a multipixel detector (2210) comprising a plurality of pixels, and configured to be illuminated by a light beam outputted by the optical fiber, and a processing unit (2220) connected to the multipixel detector (2210) and configured to determine the presence of a blinding attack if a predetermined number of pixels detects light within a predetermined interval. The invention further relates to the use of the receiver (2200) for recognizing blinding attacks in a quantum encrypted channel (1300) and to a method for recognizing blinding attacks in a quantum encrypted channel (1300).

Abstract: In one or more examples, there is disclosed a system and method of detecting agent presence for self-healing. An out-of-band monitoring process, such as Intel® AMT, or any process in firmware executing on a co-processor, may monitor one or more processes to determine if one goes down or otherwise meets a security criterion. Crashed processes may be reported to an enterprise security controller (ESC). The ESC may notice trends among affected machines and instruct the machines to take appropriate remedial action, such as booting from a remedial image.

Abstract: Systems and methods are provided for mitigating denial of service attacks in a communications network. Based on a determination that requests to access an E11 resource exceeds a threshold, it may be determined that a denial of service attack attempt is occurring. One or more mitigation protocols can be used to block, filter, or re-route attempts that are associated with the denial of service attack. Association with the denial of service attack can be identified based on a distance between the user devices associated with the requests and a time period for which the requests were originated.

Abstract: Disclosed are systems and methods for temporal link prediction based on (generalized) random dot product graphs (RDPGs), as well as applications of such temporal link prediction to network anomaly detection. In various embodiments, starting from a time series of adjacency matrices characterizing the evolution of the network, spectral embeddings and time-series models are used to predict estimated link probabilities for a future point in time, and the predicted link probabilities are compared against observed links to identify anomalous behavior. In some embodiments, element-wise independent models are used in the prediction to take network dynamics into account at the granularity of individual nodes or edges.

Abstract: A method and system for controlling internet browsing user security is provided. A control device (120) receives, via a first communication channel, a web page request from a control agent (102) implemented in a browser (101), the browser (101) being installed in a computer device operated by a user. Then, the control device (120) requests, to a control service (130), via a second communication channel, a security level of said requested web page including a status of the user and the presence of risks in the requested web page. The control service (130) executes a security check on said requested web page by checking whether the requested web page is included in a blacklist or a whitelist and also by checking certain risk control criteria of the requested web page. Finally, in response to receipt a result of said security check, the control device (120) allows or denies access to said web page.

Abstract: A computer-implemented method, computer program product and computing system for importing threat data from a plurality of threat data sources, thus generating a plurality of raw threat data definitions. The plurality of raw threat data definitions are processed, thus generating a plurality of processed threat data definitions. The plurality of processed threat data definitions are processed to form a master threat data definition. The master threat data definition is provided to one or more client electronic devices.

Abstract: A security platform employs a variety techniques and mechanisms to detect security related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected or threat, and to take action promptly.

Abstract: Change fingerprinting is applied to a text file, database table, or data feed to determine the timeframe in which an identified “wild file” was generated, even when its file creation meta-data is missing. Each row in the data contains information on a single object. At least one column in the data contains an age for each object at the time the file was created. The age data can be used to determine the date the file was created, such as by using recognition processing or by looking at data that has been added or dropped from the file based on age. By identifying the timeframe in which the wild file was created, the data owner may greatly reduce the computational burden needed to determine if the wild file contains stolen data because it greatly reduces the universe of files that must be compared to the wild file.

Abstract: A method and system for detection of security threats on network resources based on referrer indications are presented. A determination that a second request originated from a first network resource is performed based on second request information associated with a second request for a second network resource. In response to determining that the second request originated from the first network resource, a referrer indication that the first network resource is a referrer to the second network resource is logged. A third request for a third network resource is received. A determination that the third request is part of a cyber-attack on a second server is performed based at least in part on the referrer indication.

Abstract: The disclosed computer-implemented method for protecting a cloud computing device from malware may include (i) intercepting, at a computing device, a malicious attempt by the malware to (A) access sensitive information in an encrypted file stored on the computing device and (B) send the sensitive information to the cloud computing device and (ii) performing, responsive to the attempt to access the encrypted file, a security action. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A network firewall detects and protects against persistent low volume attacks based on a sequence of network data having a pattern that matches by some threshold or percentage a sequence of network data from an earlier iteration of the same persistent low volume attack. The attack patterns are derived from tokenizing one or more elements from a captured sequence of network data that is representative of an attack iteration. Counts for different resulting tokens may be stored in a feature vector that represents the attack pattern. If subsequent sequences of network data have a sufficient number of similar token, a pattern match can be identified and the firewall can take protective action including blacklisting the sending clients, blocking the traffic, redirecting the traffic, sending a problem to verify the sender is an actual user, or other actions.

Abstract: A defense platform for protecting a cloud-hosted application against distributed denial-of-services (DDoS) attacks, wherein the defense platform is deployed out-of-path of incoming traffic of the cloud-hosted application hosted in a plurality of cloud computing platforms, comprising: a detector; a mitigator; and a controller communicatively connected to the detector and the mitigator; wherein the detector is configured to: receive telemetries related to behavior of the cloud-hosted application from sources deployed in the plurality of cloud computing platforms; and detect, based on the telemetries, a potential DDoS attack; wherein, the controller, upon detection of a potential DDoS attack, is configured to: divert traffic directed to the cloud-hosted application to the mitigator; cause the mitigator to perform at least one mitigation action to remove malicious traffic from the diverted traffic; and cause injection of clean traffic to at least one of the plurality of cloud computing platforms hosting the cloud

Abstract: In an embodiment, a computer implemented method and architecture for managing data in mobile communication network which includes core and access components. This embodiment performs specialized data handling through processing nodes referred as Storage Retention and Intelligent Function (SRIF) nodes, an evaluation operation on control plane and user plane data received from the mobile communication network. This action determines whether any portion of the data needs intelligent processing and applies knowledge extraction algorithm for build-up retention or policy decision. As responsive to the evaluation operation, the SRIF nodes apply decisions on data or enable network nodes to apply data processing rules. The architecture of SRIF is hierarchical comprising end node as serving node, middle node as load balancing node providing flexibility, and central node as the brain.

Abstract: Described is a system for network threat detection. The system identifies a targeted sub-network representing a threat within a multi-layer network having members. The targeted sub-network is identified with differential privacy protection, such that privacy of individuals that are not in the targeted sub-network is protected. The system causes an action to be generated, the action being one of generating an alert of a threat, initiating monitoring of the non-benign persons, or disabling network access of the non-benign persons.

Abstract: A security monitoring apparatus and method for a vehicle network are provided. The apparatus transmits an indicator and an encryption key to a plurality of electronic control units via the controller area network interface. The apparatus receives a response code from each electronic control unit via the controller area network interface, wherein each of the response codes is generated by a serial number of each electronic control unit and the encryption key via a hash algorithm. The apparatus compares the response code returned by each electronic control unit according to a list, the encryption key and the hash algorithm to determine whether each electronic control unit correctly returns the response code. The apparatus determines to generate an alert signal when one of the electronic control units does not correctly return the response code.

Abstract: A computing system receives a data piece from an electronic device. The data piece includes one or more items of anonymous personal identification information. The computing system identifies an electronic address associated with the data piece. The computing system accesses the one or more servers to identify one or more client systems permitted to transmit data to the electronic device based on the electronic address. The computing system transmits the data piece to the one or more client systems permitted to transmit data to the electronic device.

Abstract: The disclosed computer-implemented method for adaptively managing data drift in a classifier may include (i) receiving, at a computing device, an input sample of digital information having an unknown reputation and (ii) performing a security action that may include (A) identifying the input sample as benign or malicious based on a result obtained by classifying the input sample using a machine learning model trained using activity regularization, (B) calculating an internal activity of the machine learning model occurring during the classifying, (C) calculating an activation entropy of the machine learning model occurring during the classifying, (D) comparing a combination of the internal activity and the activation entropy to a threshold, and (E) when the combination of the internal activity and the activation entropy meets or exceeds the threshold, identifying the result as a low-confidence result. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Disclosed is a webshell detection method that detects a webshell by collecting process information about a process in execution on a server providing a web service and by determining whether the process is executed by a webshell based on the collected process information.

Abstract: Methods for detection of anomalous data samples from a plurality of data samples are provided. In some embodiments, an anomaly detection procedure that includes a plurality of tasks is executed to identify the anomalous data samples from the plurality of data samples.

Abstract: A network device obtains to-be-detected mirrored traffic between a client and a server, obtains a first session information sequence based on the to-be-detected mirrored traffic, where the first session information sequence includes a plurality of pieces of session information, the plurality of pieces of session information have a one-to-one correspondence with a plurality of login sessions, and an arrangement order of the plurality of pieces of session information in the first session information sequence is consistent with a chronological order of the plurality of login sessions, using the first session information sequence as a first Markov chain, and obtains a state chain probability value of the first Markov chain, and determines, based on the state chain probability value of the first Markov chain and a first benchmark probability value, whether the plurality of login sessions are a brute force attack.

Abstract: Analyzing and mitigating website privacy issues by automatically classifying cookies.

Abstract: A system and associated methods for the detection of anomalous behavior in a system. In some embodiments, time-series data that is obtained from the system (such as log data) may be used as an input to a process that converts the data into greyscale values. The greyscale values are used to construct an “image” of the system operation that is used as an input to a convolutional neural network (CNN). The image is used to train the neural network so that the neural network is able to recognize when other input “images” constructed from time-series data are anomalous or otherwise indicative of a difference between the prior (and presumed normal or acceptable) and the current operation of the system.

Abstract: Aspects of the disclosure relate to information security by identifying unique or related factors in common between individuals subject to a common threat vector. Data mining and data acquisition of public and non-public user information is performed to prevent, disrupt, and/or address criminal, cyber, and fraudulent threats. The information can be normalized into template(s) to align information across disparate datasets and enable efficient storage of the big data into appropriate fields to be tracked. The information can be stored in data warehouse(s) or in multidimensional data structure(s) for investigation if a threat vector against a group of individuals is detected. The multidimensional data can be analyzed to identify direct connections, common connecting entities, and/or connectivity clusters between individuals who were attacked or who may be attacked in the future.

Abstract: Techniques are disclosed relating to a method that includes maintaining first and second databases within respective first and second security zones, having respective first and second sets of security rules. The first set of security rules defines restrictions for storing data objects within the first security zone, and the second set of security rules defines restrictions for storing data objects within the second security zone. The method further includes performing a first scan of the first database to determine whether data objects stored in the first database comply with the first set of security rules, and performing a second scan of the second database to determine whether data objects stored in the second database comply with the second set of security rules. The method also includes conveying results of the first and second scans to a repository zone. Results are conveyed without conveying the data objects.

Abstract: Cybersecurity enhancements help avoid malicious Uniform Resource Locators (URLs). Embodiments may reduce or eliminate reliance on subjective analysis or detonation virtual machines. URL substrings are automatically analyzed for maliciousness using malice patterns. Patterns may test counts, lengths, rarity, encodings, and other inherent aspects of URLs. URLs may be analyzed individually, or in groups to detect shared portions, or both. URL analysis may use or avoid machine learning, and may use or avoid lookups. Malice patterns may be used individually or in combinations to detect malicious URLs. Analysis results may enhance security through blocking use of suspect URLs, flagging them for further analysis, or allowing their validated use, for instance. Analysis results may also be fed back to further train a machine learning model or a statistical model.

Abstract: A method for detection of malicious files includes training a mapping model for mapping files in a probability space. A plurality of characteristics of an analyzed file is determined based on a set of rules. A mapping of the analyzed file in probability space is generated based on the determined plurality of characteristics. A first database is searched using the generated mapping of the analyzed file to determine whether the analyzed file is associated with a family of malicious files. The first database stores mappings associated with one or more families of malicious files. In response to determining that the analyzed file is associated with the family of malicious files, a selection of one or more methods of malware detection is made from a second database. The second database stores a plurality of malware detection methods. The selected method is used to detect the associated family.

Abstract: A method, system and computer-usable medium for detecting if a file(s) is/are copied to/from a computing device from/to one or more other devices. The computing device or information handling device is connected to other devices using a transfer protocol such as Media Transfer Protocol. File activity is monitored between the computing device and the other devices. Each file activity is entered into a common queue available to the computing device and the other devices. Comparison is made at to the entries in the queue as to entries that the same size and the file activity happens within a time window. Pairs that meet the size and activity time window are determined to be file copy pairs.

Abstract: In one embodiment, a network security service forms, for each of a plurality of malware classes, a feature vector descriptor for the malware class. The service uses the feature vector descriptors for the malware classes and a symmetric mapping function to generate a training dataset having both positively and negatively labeled feature vectors. The service trains, using the training dataset, an instant threat detector to determine whether telemetry data for a particular traffic flow is within a threshold of similarity to a feature vector descriptor for a new malware class that was not part of the plurality of malware classes.

Abstract: The invention provides a command-and-control (C&C) domain name analysis-based botnet detection method, device, apparatus and medium. The method includes an information acquisition step where DNS logs are acquired; a domain name analysis step where C&C domain names in the DNS logs are detected and the category of each C&C domain name is determined according to a pre-built domain name analyzer; a botnet determination step where whether a botnet exists is determined according to the C&C domain name and the category of C&C domain name. In the C&C domain name analysis-based botnet detection method, device, apparatus and medium provided by the present invention, by analyzing the domain name system (DNS) logs, the C&C domain name used in the attack activity is extracted for further analysis of the types of parasitic Trojans to thereby lock down the bot that the C&C server has controlled.