Abstract: A method for characterizing network traffic is provided. The method includes maintaining a database identifying a plurality of digital certificates and a number of Internet Protocol addresses associated with each of the plurality of digital certificates, capturing network traffic over a network connection at a network connected device, analyzing the network traffic by determining the digital certificates associated with Internet Protocol addresses associated with the network traffic and a number of Internet Protocol addresses associated with each of the digital certificates and updating the database, and characterizing at least one of the Internet Protocol addresses associated with one of the digital certificates based on the number of Internet Protocol addresses associated with the one of the digital certificates.

Abstract: A method for characterizing network traffic is provided. The method includes maintaining a database identifying a plurality of digital certificates and a number of Internet Protocol addresses associated with each of the plurality of digital certificates, capturing network traffic over a network connection at a network connected device, analyzing the network traffic by determining the digital certificates associated with Internet Protocol addresses associated with the network traffic and a number of Internet Protocol addresses associated with each of the digital certificates and updating the database, and characterizing at least one of the Internet Protocol addresses associated with one of the digital certificates based on the number of Internet Protocol addresses associated with the one of the digital certificates.

Abstract: A method for detecting malware beaconing in a network is provided. The method includes maintaining a database identifying a plurality of server certificates and a number of Internet Protocol addresses associated with each of the plurality of server certificates, capturing network traffic over a network connection at a network connected device, and analyzing the network traffic by determining SSL and/or TLS server certificates associated with Internet Protocol addresses associated with the network traffic and a number of servers associated with each of the server certificates wherein a greater number of servers associated with a particular one of the server certificates is indicative of less likelihood of malware beaconing. The method may include further analyzing the network traffic to determine malware beaconing, wherein the further analyzing is performed by a computing device.

Abstract: A method for detecting malware beaconing in a network is provided. The method includes maintaining a database identifying a plurality of server certificates and a number of Internet Protocol addresses associated with each of the plurality of server certificates, capturing network traffic over a network connection at a network connected device, and analyzing the network traffic by determining SSL and/or TLS server certificates associated with Internet Protocol addresses associated with the network traffic and a number of servers associated with each of the server certificates wherein a greater number of servers associated with a particular one of the server certificates is indicative of less likelihood of malware beaconing. The method may include further analyzing the network traffic to determine malware beaconing, wherein the further analyzing is performed by a computing device.

Abstract: A method for detecting malware beaconing in a network, the method includes capturing network traffic over a network connection at a network connected device, representing the network traffic over the network connection as a set of tuples wherein each of the tuples includes at least a source Internet Protocol address, a destination Internet Protocol address, and a destination port, associating timestamps with each of the set of tuples, and analyzing the tuples using the timestamps based on frequency of connections to determine malware beaconing on the network, wherein the analyzing is performed by a computing device.

Abstract: A method for performing attribution on an adversary engaged in attacking a computer system while preventing the adversary from performing attribution includes steps of providing a callback server operatively connected to a communications network, configuring an anonymity system associated with the callback server, delivering executable code to an adversary computer operatively connected to the communications network and used by the adversary engaged in attacking the computer system wherein the executable code is executed by the adversary computer to send information associated with the adversary computer to the callback server through the anonymity system, routing the information associated with the adversary computer through the anonymity system to prevent the adversary from obtaining attribution associated with the callback server, receiving the information associated with the adversary computer at the callback server, and performing attribution on the adversary using the information associated with the adv

Abstract: A method for detecting malware beaconing in a network, the method includes capturing network traffic over a network connection at a network connected device, representing the network traffic over the network connection as a set of tuples wherein each of the tuples includes at least a source Internet Protocol address, a destination Internet Protocol address, and a destination port, associating timestamps with each of the set of tuples, and analyzing the tuples using the timestamps based on frequency of connections to determine malware beaconing on the network, wherein the analyzing is performed by a computing device.

Abstract: A method for detecting malware beaconing in a network, the method includes capturing network traffic over a network connection at a network connected device, representing the network traffic over the network connection as a set of tuples wherein each of the tuples defines an OSI layer 4 communications session and includes at least a source Internet Protocol address, a destination Internet Protocol address, and a destination port, associating timestamps with each of the set of tuples, and analyzing the tuples using the timestamps based on frequency of connections to determine malware beaconing on the network, wherein the analyzing is performed by a computing device.