Patents Assigned to Area 1 Security, Inc.
  • Patent number: 11165859
    Abstract: In an embodiment, the disclosed technologies implement scaling operations for clusters of server nodes hosting stateful services. An embodiment includes a cluster manager computer calling a first instance of scaling status functions for a first stateful service and a second instance of scaling status functions for a second stateful service, the first stateful service being programmed to implement a different service than the second stateful service. The cluster manager computer is programmed to implement different scaling operations for the first stateful service and the second stateful service, each set of the scaling operations being optimized for respective services.
    Type: Grant
    Filed: April 9, 2021
    Date of Patent: November 2, 2021
    Assignee: Area 1 Security, Inc.
    Inventors: Jeremy Eckman, Michael Flester, Eric Newton
  • Patent number: 11050698
    Abstract: In an embodiment, the disclosed technologies monitor electronic message traffic between a network and a recipient computer system. An embodiment includes extracting, from an electronic message received from the network, a sending domain and message data, computing a lookalike score based on the sending domain, and assigning a message type to the electronic message based on the message data. The lookalike score and the message type may be used to determine whether the electronic message is a spoofing attack such as a business email compromise (BEC) attack. In response to determining that the electronic message is malicious, an embodiment may cause the network to at least one of modify, delay, re-route, or block transmission of the electronic message to the recipient computer system.
    Type: Grant
    Filed: September 18, 2020
    Date of Patent: June 29, 2021
    Assignee: Area 1 Security, Inc.
    Inventors: Umalatha N. Batchu, YenHsiang Chang, Torsten Zeppenfeld, Debashri Mukherjee, Paul East
  • Patent number: 10587483
    Abstract: A method and apparatus for packet capture is provided.
    Type: Grant
    Filed: July 31, 2018
    Date of Patent: March 10, 2020
    Assignee: Area 1 Security, Inc.
    Inventors: Blake Darche, Javier Castro, Chiraag Aval
  • Patent number: 10581883
    Abstract: In an embodiment, a computer system comprises one or more computer processors configured with a message transfer application; a message transfer/vision processing (MT/VP) interface coupled to the one or more computer processors and interposed between the message transfer application and a vision processing computer, wherein the MT/VP interface performs operations comprising: extracting risk indicator data from a message that is in transit to a recipient computer on a computer network; in response to the risk indicator data matching a message risk criterion, transmitting an image address for an image of interest coupled to the message or the image of interest to the vision processing computer; receiving, from the vision processing computer, a label that semantically describes visual content of the image of interest; using the label, querying a set of correlation data to determine a reference address that is associated with the label; in response to the image address matching the reference address, transmitting
    Type: Grant
    Filed: May 1, 2018
    Date of Patent: March 3, 2020
    Assignee: Area 1 Security, Inc.
    Inventors: Philip Syme, Michael Flester, Umalatha Batchu, Rajiv Jain
  • Patent number: 10574669
    Abstract: A computer system programmed to provide improved packet capture comprises: a plurality of sensor computers each programmed to capture data packets directed to a different compromised computer; a command server that is programmed to determine an expiration time for capturing a first set of data packets that have been routed toward a first compromised computer, to determine a time interval indicating an interval for capturing the first set of data packets, to identify a first packet capture filter of a plurality of packet capture filters for a first sensor computer of the plurality of sensor computers, to transmit, via a communications network, the first packet capture filter and a message, which comprises the time interval and the expiration time, to the first sensor computer of the plurality of sensor computers to capture the first set of data packets every the time interval and until the expiration time expires.
    Type: Grant
    Filed: January 18, 2019
    Date of Patent: February 25, 2020
    Assignee: Area 1 Security, Inc.
    Inventors: Javier Castro, Blake Darche, Chiraag Aval
  • Patent number: 10528731
    Abstract: Techniques are described herein for detecting malicious program code stored on computer devices before the code can be executed to potentially compromise a computer network. In an embodiment, a method comprises receiving, at a computer device, a file containing instructions in a programming language; based on a syntax of the programming language, parsing the file to generate parsed information, and based on the parsed information, generating a syntax tree for the file; identifying one or more alphanumeric strings in the syntax tree, and based on the alphanumeric strings, generating a syntax string for the syntax tree; generating a hash digest by applying a piecewise hashing to the alphanumeric strings in the syntax string; determining whether the hash digest indicates that the file contains potentially malicious code; in response to determining that the hash digest indicates that the file contains the potentially malicious code, performing a responsive action.
    Type: Grant
    Filed: September 21, 2017
    Date of Patent: January 7, 2020
    Assignee: Area 1 Security, Inc.
    Inventors: Philip Syme, Torsten Zeppenfeld, Peter Stein
  • Patent number: 10440042
    Abstract: In an embodiment, a data processing method providing an improvement in computer security, comprises selecting, from a domain name queue comprising a plurality of domain names, a particular domain name to analyze; extracting one or more features of the particular domain name; determining a particular risk priority score of the particular domain name based on analyzing the one or more features of the particular domain name by applying a classifier to the one or more features of the particular domain name; inserting the particular risk priority score and an identifier associated with the particular domain name into a priority queue comprising a plurality of risk priority scores and a plurality of domain names; repeating the selecting, extracting, determining, and inserting steps for the remaining domain names in the domain name queue; retrieving from the priority queue, based upon the risk priority score, the identifier associated with the particular domain name; determining the particular domain name associated
    Type: Grant
    Filed: May 18, 2016
    Date of Patent: October 8, 2019
    Assignee: Area 1 Security, Inc.
    Inventors: Peter Stein, Connie Siu, Donghyun Michael Choi, Rahul Sridhar, Hunter van Adelsberg
  • Patent number: 10419478
    Abstract: Systems and methods for providing an improvement to computer security relating to electronic digital messages are provided. In an embodiment, a computing device receives an electronic digital message that is sent to a receiving account. The computing device identifies a sending account associated with the electronic digital message and from which the electronic digital message was sent. The computing device obtains metadata relating to the sending account, the metadata including received message data that is related to a number of messages that have been received by the sending account. The computing device determines that the sending account satisfies a received message criteria based, at least in part, on the received message data and, in response, performs a responsive action relating to the electronic digital message.
    Type: Grant
    Filed: July 5, 2017
    Date of Patent: September 17, 2019
    Assignee: Area 1 Security, Inc.
    Inventors: Philip Syme, Oren Falkowitz, Michael Flester
  • Patent number: 10187400
    Abstract: A computer system programmed to provide improved packet capture comprises: a plurality of sensor computers each programmed to capture data packets directed to a different compromised computer; a command server that is programmed to determine an expiration time for capturing a first set of data packets that have been routed toward a first compromised computer, to determine a time interval indicating an interval for capturing the first set of data packets, to identify a first packet capture filter of a plurality of packet capture filters for a first sensor computer of the plurality of sensor computers, to transmit, via a communications network, the first packet capture filter and a message, which comprises the time interval and the expiration time, to the first sensor computer of the plurality of sensor computers to capture the first set of data packets every the time interval and until the expiration time expires.
    Type: Grant
    Filed: June 29, 2017
    Date of Patent: January 22, 2019
    Assignee: Area 1 Security, Inc.
    Inventors: Javier Castro, Blake Darche, Chiraag Aval
  • Patent number: 10104113
    Abstract: In an embodiment, a data processing method providing an improvement in computer security, comprises selecting a uniform resource locator (URL) for classification wherein the selected URL is associated with a webpage; determining a URL risk score for the selected URL; comparing the URL risk score to a URL risk threshold; in response to determining that the URL risk score exceeds the URL risk threshold, determining a maliciousness risk score for the webpage content associated with the selected URL; comparing the maliciousness risk score to a maliciousness risk threshold; and classifying the URL based on the comparison between the maliciousness risk score and the maliciousness risk threshold; in response to determining that the maliciousness risk score exceeds the maliciousness risk threshold, classifying the URL as malicious; in response to determining that the maliciousness risk score does not exceed the maliciousness risk threshold, classifying the URL as benign.
    Type: Grant
    Filed: May 26, 2016
    Date of Patent: October 16, 2018
    Assignee: Area 1 Security, Inc.
    Inventors: Peter Stein, Andrea Li, Tamar Weseley, Jesse Collins, Ali Soylemezoglu
  • Patent number: 10084815
    Abstract: A computer-implemented method, comprising: detecting network messages that are emitted by a compromised computer, wherein the compromised computer comprises at least one malware item that is configured to direct unauthorized network activity toward one or more enterprise networks or enterprise computers; queuing copies of the network messages in a queue; forwarding the network messages to original destinations; determining whether the number of network messages exceeds a specified threshold associated with an attack vector; filtering, by the processor, the copies that do not include one of a set of port values associated with known computer attacks; analyzing, by the processor, timing of the copies with respect to a predetermined schedule including active hours and inactive hours; detecting one or more security threats caused by the compromised computer based on the determining, filtering, and the analyzing; sending a result of the detecting to a security control computer over a communication network.
    Type: Grant
    Filed: June 13, 2017
    Date of Patent: September 25, 2018
    Assignee: Area 1 Security, Inc.
    Inventors: Oren Falkowitz, Philip Syme, Blake Darche
  • Patent number: 10038603
    Abstract: A method and apparatus for packet capture is provided.
    Type: Grant
    Filed: February 23, 2016
    Date of Patent: July 31, 2018
    Assignee: Area 1 Security, Inc.
    Inventors: Blake Darche, Javier Castro, Chiraag Aval
  • Patent number: 9923920
    Abstract: In an embodiment, a method providing an improvement in remediating vulnerabilities in computer security comprising: receiving, using a network tap of a sensor computer that is coupled to a compromised computer, a communication packet that was sent from the compromised computer to a target computer; using the sensor computer, determining that the target computer is one of a plurality of enterprise computers; reading, at the sensor computer, a plurality of fields within a header of the communication packet; and performing a remediation measure by generating a header of an action packet, wherein the header comprises duplicates of at least some fields of the plurality of fields so as to appear to be generated by the target computer, generating a payload of the action packet, and sending the action packet comprising the generated header and the generated payload to the compromised computer.
    Type: Grant
    Filed: January 26, 2017
    Date of Patent: March 20, 2018
    Assignee: Area 1 Security, Inc.
    Inventors: Oren Falkowitz, Philip Syme
  • Patent number: 9712557
    Abstract: A data processing system comprising: a sensor computer that is coupled to and co-located with a compromised computer, the compromised computer comprising at least one malware item that is configured to direct unauthorized network activity toward one or more enterprise networks or enterprise computers, wherein the compromised computer is coupled to a firewall that is configured to control ingress of packets to the compromised computer and is logically between one or more attacker computers and the one or more enterprise networks or enterprise computers; a security control computer that is coupled to the sensor computer; one or more non-transitory data storage media in the security control computer storing security logic comprising one or more sequences of instructions which when executed cause the security control computer to perform: obtaining, from the sensor computer, detection data relating to network messages that the compromised computer emits, as the compromised computer emits the network messages; usin
    Type: Grant
    Filed: May 27, 2015
    Date of Patent: July 18, 2017
    Assignee: Area 1 Security, Inc.
    Inventors: Oren Falkowitz, Philip Syme, Blake Darche
  • Patent number: 9674208
    Abstract: In an embodiment, a data processing method providing an improvement in computer security comprises selecting, from a queue identifying a plurality of web pages, a particular web page to retrieve from one of a plurality of internet sources; causing retrieving a copy of the particular web page from a particular internet source; determining a hierarchical structure of the particular web page; based upon a hierarchical structure of the particular web page and without consideration of content of the particular web page, identifying one or more features, of links in the particular web page or files referenced in the particular web page, that indicate one or more security threats; determining a reputation score for the particular web page; determining a specified remediation measure, based upon the reputation score, to remediate a security threat that is identified in the particular web page; providing the specified remediation measure to one or more of a compromised computer, a sensor computer and an enterprise com
    Type: Grant
    Filed: August 31, 2015
    Date of Patent: June 6, 2017
    Assignee: Area 1 Security, Inc.
    Inventors: Oren Falkowitz, Philip Syme
  • Patent number: 9609013
    Abstract: In an embodiment, a method providing an improvement in remediating vulnerabilities in computer security comprising: receiving, using a network tap of a sensor computer that is coupled to a compromised computer, a communication packet that was sent from the compromised computer to a target computer; using the sensor computer, determining that the target computer is one of a plurality of enterprise computers; reading, at the sensor computer, a plurality of fields within a header of the communication packet; and performing a remediation measure by generating a header of an action packet, wherein the header comprises duplicates of at least some fields of the plurality of fields so as to appear to be generated by the target computer, generating a payload of the action packet, and sending the action packet comprising the generated header and the generated payload to the compromised computer.
    Type: Grant
    Filed: May 23, 2016
    Date of Patent: March 28, 2017
    Assignee: Area 1 Security, Inc.
    Inventors: Oren Falkowitz, Philip Syme
  • Patent number: 9560070
    Abstract: Systems and methods for generating rules in a networking environment having one or more sensor computers logically connected to compromised computers are provided. The rules comprise detection data used by a sensor computer to detect a potential security threat and a specified remediation measure that is caused to be performed when the security threat is detected. A security control computer generates the rules from a record of a series of actions created by the sensor computer, generates a rule, and distributes the rule to the sensor computers. The sensor computers periodically poll a central database for new rules and store a copy of each rule locally. Using the locally stored rules, the sensor computers can more efficiently and accurately respond to security threats.
    Type: Grant
    Filed: May 23, 2016
    Date of Patent: January 31, 2017
    Assignee: Area 1 Security, Inc.
    Inventors: Chiraag Aval, Sandeep Mandala
  • Patent number: 9374385
    Abstract: A data processing system comprises a security control computer performing operations comprising: receiving, from an advertising exchange network computer, advertising presentation data indicating presentations of advertisements to particular browsers that have browsed to particular websites; determining, based upon detection data, whether the particular websites are associated with network attacks or malware; in response, storing transit data specifying computers that have visited the particular web sites and using the transit data to determine a plurality of particular web pages to inspect for threats; based on a hierarchical structure of the particular web pages and without consideration of content of the particular web pages, identifying one or more features, of links in the particular web page or files referenced in the particular web pages, that indicate one or more security threats in the web pages; and determining remediation measures to remediate security threats that are identified in one of the particula
    Type: Grant
    Filed: November 7, 2014
    Date of Patent: June 21, 2016
    Assignee: Area 1 Security, Inc.
    Inventors: Oren Falkowitz, Philip Syme, Blake Darche
  • Patent number: 9350750
    Abstract: Systems and methods for generating rules in a networking environment having one or more sensor computers logically connected to compromised computers are provided. The rules comprise detection data used by a sensor computer to detect a potential security threat and a specified remediation measure that is caused to be performed when the security threat is detected. A security control computer generates the rules from a record of a series of actions created by the sensor computer, generates a rule, and distributes the rule to the sensor computers. The sensor computers periodically poll a central database for new rules and store a copy of each rule locally. Using the locally stored rules, the sensor computers can more efficiently and accurately respond to security threats.
    Type: Grant
    Filed: April 3, 2015
    Date of Patent: May 24, 2016
    Assignee: Area 1 Security, Inc.
    Inventors: Chiraag Aval, Sandeep Mandala
  • Patent number: 9350757
    Abstract: In an embodiment, a method providing an improvement in remediating vulnerabilities in computer security comprising: receiving, using a network tap of a sensor computer that is coupled to a compromised computer, a communication packet that was sent from the compromised computer to a target computer; using the sensor computer, determining that the target computer is one of a plurality of enterprise computers; reading, at the sensor computer, a plurality of fields within a header of the communication packet; and performing a remediation measure by generating a header of an action packet, wherein the header comprises duplicates of at least some fields of the plurality of fields so as to appear to be generated by the target computer, generating a payload of the action packet, and sending the action packet comprising the generated header and the generated payload to the compromised computer.
    Type: Grant
    Filed: May 27, 2015
    Date of Patent: May 24, 2016
    Assignee: Area 1 Security, Inc.
    Inventors: Oren Falkowitz, Philip Syme