Abstract: A method for locating a mobile device which is not in possession of the owner using an owner verification server. A mobile network operator server sends a message to the owner verification server requesting verification of ownership. The owner verification server retrieves ownership status and transmits a request to the mobile network operator server to transmit location tracking data when the ownership status indicates that the device is not in the owner's possession. The owner verification server forwards the location tracking data to the device owner.

Abstract: A method for locating a mobile device which is not in possession of the owner using an owner verification server. A mobile network operator server sends a message to the owner verification server requesting verification of ownership. The owner verification server retrieves ownership status and transmits a request to the mobile network operator server to transmit location tracking data when the ownership status indicates that the device is not in the owner's possession. The owner verification server forwards the location tracking data to the device owner.

Abstract: There is provided data-efficient threat detection method in a computer network. The method can include: receiving raw data related to a network node, generating local 5 behaviour models related to the network node; generating at least one common model of normal behaviour on the basis of local behaviour models related to multiple network nodes; filtering input events by using a measure for estimating the likelihood that the input event is produced by the generated common model of normal behaviour and/or by the generated one or more local behaviour models, wherein only input events having a 10 likelihood below a predetermined threshold of being produced by any one of the models are passed through the filtering; and processing input events passed through the filtering for generating a security related decision.

Abstract: It is provided a method, comprising monitoring if a firewall receives a first packet and a second packet, wherein the first packet is directed to a IP address and a first port number; the second packet is directed to the IP address and a second port number; a hole through a firewall is punched for the IP address a hole port number different from the first port number and the second port number; the first packet has a first payload; the second packet has a second payload; and the method comprises checking if the first payload is substantially the same as the second payload; causing the firewall to block the first packet and the second packet if the firewall receives the first packet and the second packet and the first payload is substantially the same as the second payload.

Abstract: A method for identifying devices in a computer network includes collecting data points including device related parameters/information from a device accessing network resources, determining a string distance between the set of collected data points with the data sets collected from previously known network devices and selecting the smallest string distance value and/or highest similarity score. If the determined string distance to the data set of the closest device exceeds a threshold value, the device accessing the network resources is new and its entry can be created. If the determined string distance is under a predetermined threshold value, it is determined that the device accessing the network resources is the device having the closest string distance value to the collected set of data points, and the values in a database and/or the network element of the previously known device can be updated based on the collected set of data points.

Abstract: A method of monitoring traffic by a router acting as a gateway between a first and second network is described. The router can receive data packets sent from the first device over the TCP connection and can send a TCP ACK packet to the first device in response to each data packet. The data packets can be stored without sending them to the second device. The stored data packets can be examined in order to determine whether to block or allow the TCP connection. In the event that it is determined to allow the TCP connection, the router can send each of the stored data packets to the second device. In the event that it is determined to block the TCP connection, the router can send a TCP RST message to each of the first and second devices in order to close the TCP connection.

Abstract: There is provided a network security method in a computer network. The method comprises detecting, by a gateway computer, a target device being connected to the computer network, detecting the target device transmitting a DNS query for resolving a hostname into an IP address, transmitting a query to a content rating system, wherein the query comprises the resolved hostname related to the DNS query of the target device, receiving, from the content rating system, a list of categorization categories assigned to the resolved hostname, determining a type of the target device on the basis of the received list of categorization categories assigned to the hostname, and generating a security related decision on the basis of the determined type of the target device.

Abstract: There is provided a threat control method on a computer system including: collecting one or more events from a first endpoint, each event identifying one or more attributes associated to the event; detecting a security threat related to one or more of the collected events; searching matching events from one or more further endpoints, wherein the matching event includes at least part of the same attributes than the one or more events related to the detected security threat; and in case a matching event with at least part of the same attributes is found, identifying the associated endpoint as being related to a security threat similar to what was earlier detected.

Abstract: A method comprising: monitoring events collected from a plurality of network nodes; detecting a first suspicious event among the monitored events by a detection mechanism; monitoring the behaviour of the first suspicious event and any related events; in case the monitored first suspicious event and/or a related event is detected to perform an activity triggering an IOC (indicator of compromise, generating a new IOC; monitoring new events when the activity ends; comparing the behaviour of the new events with the behaviour of the generated IOC; in case a matching behaviour is found, merging the new event with the first suspicious event and/or related events related to the generated IOC; and generating a security related decision on the basis of the IOC.

Abstract: A method including collecting and aligning raw data from a plurality of network nodes, wherein dissimilar data types are aligned as input events; filtering the input events by discarding events and/or parts of events that are detected to be equal or similar to previously observed events or events and/or parts of events found to be redundant by using predetermined criteria; separating processing of the input events into event aggregation and event enrichment processes, wherein the event aggregation process includes processing all the input events for generating aggregated events, and the event enrichment process includes processing only events passed by the filtering and the aggregated events from the event aggregation process; and analysing the data received from the event enrichment process for generating a security related decision.

Abstract: There is provided a method for application behaviour control on a computer system. The method includes grouping applications into a set of clusters, wherein each application is grouped to a specific cluster on the basis of predefined event profiles for applications in the specific cluster; monitoring procedures that a specific cluster performs on one or more computer devices; and generating a list of expected events and prohibited events of the specific cluster based on monitoring for enabling the one or more client computer devices and/or an administrator of the one or more client computer devices to take further action related to the applications installed on the one or more client computer devices.

Abstract: In accordance with an example embodiment of the present invention, there is provided an apparatus, including at least one processor; and at least one memory including computer program code the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus to perform at least the following: detecting a listing of web content elements provided by a web search engine, the web content elements relating to web pages retrieved by the web search engine; analyzing one or more web content elements of the detected listing; and categorizing the content of one or more web pages on the basis of the analysis.

Abstract: There is provided a method of detecting a threat against a computer system. The method comprises: creating a modular representation of behavior of known applications on the basis of sub-components of a set of known applications; entering the modular representation to an evolutionary analysis system for generating previously unknown combinations of the procedures; storing the generated previously unknown combinations as candidate descendants of known applications to a future threat candidate database; monitoring the behavior of the computer system to detect one or more procedures matching the behavior of a stored candidate descendant in the future threat candidate database; and upon detection of one or more procedures matching the behavior of the stored candidate descendant and if the stored candidate descendant is determined to be malicious or suspicious, identifying the running application as malicious or suspicious.

Abstract: Method of detecting an attack against a function on a client computer including generating a first hash value having a weak collision resistance; sending the first hash value to a server computer for storing to a database of known hash value pairs, a hash value pair including the first hash value and a second hash value calculated for the entity, the second hash value having a strong collision resistance, receiving a request for the entity with an object including a first hash value and a second hash value; accepting the received object and transmitting data relating to the received object to the server computer for a validity check when the first hash value of the received object is identical with the first hash value stored in the local database, and detecting a hash collision attempt when the hash value pairs do not match.

Abstract: There are provided measures for enabling dynamic remote malware scanning. Such measures could exemplarily include identification of an electronic file to be scanned for malware, generation of at least one scanning object of the identified electronic file on the basis of a dynamic configuration by a remote entity, said at least one scanning object being generated by using malware-susceptible data of the identified electronic file and neglecting malware-insusceptible data of the identified electronic file, transfer of the at least one scanning object of the identified electronic file for remote malware scanning to the remote entity, and execution of a malware scan of the at least one scanning object of the electronic file at the remote entity by a malware scanning engine or application.

Abstract: There is provided a method of detecting a threat against a computer system. The method comprises: creating a modular representation of behavior of known applications on the basis of sub-components of a set of known applications; entering the modular representation to an evolutionary analysis system for generating previously unknown combinations of the procedures; storing the generated previously unknown combinations as candidate descendants of known applications to a future threat candidate database; monitoring the behavior of the computer system to detect one or more procedures matching the behavior of a stored candidate descendant in the future threat candidate database; and upon detection of one or more procedures matching the behavior of the stored candidate descendant and if the stored candidate descendant is determined to be malicious or suspicious, identifying the running application as malicious or suspicious.

Abstract: Measures for enabling resource-efficient remote malware scanning capable of static and dynamic file analysis including, at a remote entity, obtaining metadata of an electronic file to be scanned for malware, said metadata including at least information for identification of one or more file items contained in the electronic file, identifying whether at least one file item of the electronic file is not pre-known at the remote entity, instructing delivery of any identified at least one file item of the electronic file, reconstructing the electronic file by assembling its file items, including any file item of the electronic file, which is not pre-known at the remote entity, and any remaining file item of the electronic file, which is pre-known at the remote entity, on the basis of the obtained metadata of the electronic file, and executing a dynamic malware analysis on a runtime behavior of the reconstructed electronic file.

Abstract: There is provided a method for privacy protection including: identifying an API request being related to a tracking service; generating and sending a predetermined number of initial requests to the tracking service when processing the API requests to the tracking service; storing the initial requests and respective responses related to the initial requests from the API in a database; analysing body objects of the stored initial requests and respective responses and generating a dynamic response recipe on the basis of the analysis; and generating a response including a response body acceptable by the tracking process on the basis of the generated dynamic response recipe.

Abstract: There are provided measures for protection from malicious and/or harmful content in cloud-based service scenarios. Such measures exemplarily include detecting a transmission attempt of a file between a file service cloud entity and a remote accessing entity, identifying said file, checking for presence of a security threat scan result for said file in a scan result memory based on a result of said identifying, and transmitting, based on a result of said checking, a security threat scan task for said file to a security cloud entity connected to said file service cloud entity.

Abstract: There are provided measures for enabling detecting malware. A method includes generating a copy of a first node, configuring a sandbox environment by using the generated copy, executing an electronic file or a URL in the sandbox environment configured with the copy, providing a result of the malware analysis of the electronic file or the URL, identifying the electronic file or the URL as malicious or suspicious on the basis of the provided result, and taking further action for protecting the first node from the electronic file or the URL identified as malicious or suspicious.