Patents Assigned to F-SECURE CORPORATION
  • Patent number: 11895124
    Abstract: There is provided a data-efficient threat detection method in a computer network. The method can include: receiving raw data related to a network node; generating local behaviour models related to the network node; generating at least one common model of normal behaviour on the basis of local behaviour models related to multiple network nodes; filtering input events by using a measure for estimating the likelihood that the input event is produced by the generated common model of normal behaviour and/or by the generated one or more local behaviour models, wherein only input events having a likelihood below a predetermined threshold of being produced by any one of the models are passed through the filtering; and processing input events passed through the filtering for generating a security related decision.
    Type: Grant
    Filed: September 23, 2020
    Date of Patent: February 6, 2024
    Assignee: F-SECURE CORPORATION
    Inventor: Matti Aksela
  • Patent number: 11736353
    Abstract: A method for identifying devices in a computer network includes collecting data points including device related parameters/information from a device accessing network resources, determining a string distance between the set of collected data points with the data sets collected from previously known network devices and selecting the smallest string distance value and/or highest similarity score. If the determined string distance to the data set of the closest device exceeds a threshold value, the device accessing the network resources is new and its entry can be created. If the determined string distance is under a predetermined threshold value, it is determined that the device accessing the network resources is the device having the closest string distance value to the collected set of data points, and the values in a database and/or the network element of the previously known device can be updated based on the collected set of data points.
    Type: Grant
    Filed: June 17, 2022
    Date of Patent: August 22, 2023
    Assignee: F-SECURE CORPORATION
    Inventors: Yury Yakovlev, Elio Alejandro Govea Aguilar
  • Patent number: 10652344
    Abstract: There is provided a method for privacy protection including: intercepting at least part of network traffic from a client device; analysing network traffic data of the intercepted network traffic to identify any elements indicative of a website visitor tracking process; analysing the one or more elements indicative of the website visitor tracking process to identify any tracking fields comprising user specific data; selecting random tracking field data accepted by the website visitor tracking process and replacing the user specific data of the one or more tracking fields with the selected random tracking field data respectively.
    Type: Grant
    Filed: October 4, 2016
    Date of Patent: May 12, 2020
    Assignee: F-SECURE CORPORATION
    Inventors: Christine Bejerasco, Karmina Aquino, Heikki Hannikainen
  • Patent number: 10412078
    Abstract: There are provided measures for enabling advanced local-network threat response. Such measures could exemplarily comprise receiving, at a local-network honeypot entity, a username/password related authentication data in relation to a login attempt to the honeypot entity, triggering a threat response operation at a local-network backend entity upon detection of the username/password related authentication data, the threat response operation comprising testing validity of the username/password related authentication data in one or more local accounts of the local-network, and in case the username/password related authentication data is detected to be valid for any account in the local-network, determining that said account is compromised and locking the compromised account.
    Type: Grant
    Filed: October 6, 2017
    Date of Patent: September 10, 2019
    Assignee: F-SECURE CORPORATION
    Inventors: Jarno Niemelä, Janne Pirttilahti, Marko Finnig
  • Patent number: 10360379
    Abstract: Methods and apparatus are disclosed for detecting if a source of initial content is serving exploits to a target device exposed to initial content. The method includes selecting at least two target devices and dividing the selected target devices into at least two groups, and causing the at least two groups to appear towards the initial content as having different software profiles towards the initial content. Information is obtained regarding at least one of connections and content transmitted/received by the at least two groups as a result of exposure to the initial content. The obtained information between the at least two groups is compared. If the comparison indicates that target devices in one of the at least two groups transmit/receive at least one of additional connections and additional content due to being exposed to the initial content, deciding that a source of the initial content serves exploits.
    Type: Grant
    Filed: December 16, 2016
    Date of Patent: July 23, 2019
    Assignee: F-SECURE CORPORATION
    Inventor: Daavid Hentunen
  • Patent number: 9787699
    Abstract: There is provided a malware analysis method including at a computer device having an operating system and a memory: collecting Dynamic Link Library (DLL) data under a system folder, the data including at least the DLL name and all pairs of exported function names and function addresses relative to the starting address of the DLL once it has been loaded into memory; comparing the two least significant bytes of the collected function addresses with the two least significant bytes of absolute virtual addresses in a memory dump; deducing a list of potential targets for API function calls when there is a match between the compared two least significant bytes of the collected function addresses and the absolute virtual addresses; and quarantining or deleting malware from which the suspicious API function calls originated.
    Type: Grant
    Filed: October 26, 2016
    Date of Patent: October 10, 2017
    Assignee: F-SECURE CORPORATION
    Inventor: Mikko Suominen
  • Publication number: 20140310811
    Abstract: Methods, apparatus, connection systems, and client devices are described. The apparatus receives a multiplicity of DNS query messages from multiple client devices. For each received DNS query message to a malware domain name or a particular domain name, the apparatus sends a marker DNS response message to the corresponding client device for use in detecting whether the client device is infected with malware or is accessing the particular domain name. The connection system receives a connection request from a client device of the multiple client devices for access to the communication network, and sends marker detection information to the client device for use in identifying whether the client device is marked as infected with malware or accessing a particular domain name. It is determined whether the client device is infected with malware or accessed the particular domain name. The client device may be blocked or granted access to the communication network.
    Type: Application
    Filed: April 10, 2014
    Publication date: October 16, 2014
    Applicant: F-SECURE CORPORATION
    Inventor: Daavid HENTUNEN
  • Publication number: 20120117648
    Abstract: A method and apparatus for determining whether an electronic file stored at a client device is malware. A server receives from the client device a request message that includes signature information of the electronic file. The server queries a database of signature information of a multiplicity of electronic files. If the signature information of the electronic file corresponds to signature information stored on the database, a determination is made as to whether the electronic file is malware. If the signature information of the electronic file does not correspond to signature information stored on the database, a determination is made as to whether a predetermined number of further request messages for the electronic file are received from further client devices within a predetermined time period. If fewer request messages are received within the time period, it is likely that the electronic file is malware.
    Type: Application
    Filed: April 8, 2010
    Publication date: May 10, 2012
    Applicant: F-SECURE CORPORATION
    Inventors: Jussi Kallio, Pirkka Palomäki, Jarno Niemelä, Veli-Jussi Kesti, Ero Carrera