Abstract: In an embodiment, the disclosed technologies monitor electronic message traffic between a network and a recipient computer system. An embodiment includes obtaining, from an electronic message received from the network, a triple of a display name, email address, and sending domain, determining a name score for triple, and determining characteristics of the electronic message. The name score of the triple and the characteristics of the electronic message may be used to determine whether the electronic message is a spoofing attack such as a business email compromise (BEC) attack. In response to determining that the electronic message is malicious, an embodiment may cause the network to at least one of modify, delay, re-route, or block transmission of the electronic message to the recipient computer system.

Abstract: In an embodiment, the disclosed technologies monitor electronic message traffic between a network and a recipient computer system. An embodiment includes obtaining, from an electronic message received from the network, a triple of a display name, email address, and sending domain, determining a name score for triple, and determining characteristics of the electronic message. The name score of the triple and the characteristics of the electronic message may be used to determine whether the electronic message is a spoofing attack such as a business email compromise (BEC) attack. In response to determining that the electronic message is malicious, an embodiment may cause the network to at least one of modify, delay, re-route, or block transmission of the electronic message to the recipient computer system.

Abstract: A method and apparatus for packet capture is provided.

Abstract: A computer system programmed to provide improved packet capture comprises: a plurality of sensor computers each programmed to capture data packets directed to a different compromised computer; a command server that is programmed to determine an expiration time for capturing a first set of data packets that have been routed toward a first compromised computer, to determine a time interval indicating an interval for capturing the first set of data packets, to identify a first packet capture filter of a plurality of packet capture filters for a first sensor computer of the plurality of sensor computers, to transmit, via a communications network, the first packet capture filter and a message, which comprises the time interval and the expiration time, to the first sensor computer of the plurality of sensor computers to capture the first set of data packets every the time interval and until the expiration time expires.

Abstract: A computer system programmed to provide improved packet capture comprises: a plurality of sensor computers each programmed to capture data packets directed to a different compromised computer; a command server that is programmed to determine an expiration time for capturing a first set of data packets that have been routed toward a first compromised computer, to determine a time interval indicating an interval for capturing the first set of data packets, to identify a first packet capture filter of a plurality of packet capture filters for a first sensor computer of the plurality of sensor computers, to transmit, via a communications network, the first packet capture filter and a message, which comprises the time interval and the expiration time, to the first sensor computer of the plurality of sensor computers to capture the first set of data packets every the time interval and until the expiration time expires.

Abstract: A computer-implemented method, comprising: detecting network messages that are emitted by a compromised computer, wherein the compromised computer comprises at least one malware item that is configured to direct unauthorized network activity toward one or more enterprise networks or enterprise computers; queuing copies of the network messages in a queue; forwarding the network messages to original destinations; determining whether the number of network messages exceeds a specified threshold associated with an attack vector; filtering by the processor, the copies that do not include one of a set of port values associated with known computer attacks; analyzing, by the processor, timing of the copies with respect to a predetermined schedule including active hours and inactive hours, detecting one or more security threats caused by the comprised computer based on the determining, filtering, and the analyzing, sending a result of the detecting to a security control computer over a communication network.

Abstract: A method and apparatus for packet capture is provided.

Abstract: A data processing system comprising: a sensor computer that is coupled to and co-located with a compromised computer, the compromised computer comprising at least one malware item that is configured to direct unauthorized network activity toward one or more enterprise networks or enterprise computers, wherein the compromised computer is coupled to a firewall that is configured to control ingress of packets to the compromised computer and is logically between one or more attacker computers and the one or more enterprise networks or enterprise computers; a security control computer that is coupled to the sensor computer; one or more non-transitory data storage media in the security control computer storing security logic comprising one or more sequences of instructions which when executed cause the security control computer to perform: obtaining, from the sensor computer, detection data relating to network messages that the compromised computer emits, as the compromised computer emits the network messages; usin

Abstract: A data processing system comprising: a sensor computer that is coupled to and co-located with a compromised computer, the compromised computer comprising at least one malware item that is configured to direct unauthorized network activity toward one or more enterprise networks or enterprise computers, wherein the compromised computer is coupled to a firewall that is configured to control ingress of packets to the compromised computer and is logically between one or more attacker computers and the one or more enterprise networks or enterprise computers; a security control computer that is coupled to the sensor computer; one or more non-transitory data storage media in the security control computer storing security logic comprising one or more sequences of instructions which when executed cause the security control computer to perform: obtaining, from the sensor computer, detection data relating to network messages that the compromised computer emits, as the compromised computer emits the network messages; usin

Abstract: A data processing system comprises a security control computer performing operations comprising: receiving, an advertising exchange network computer, advertising presentation data indicating presentations of advertisements to particular browsers that have browsed to particular websites; determining, based upon detection data, whether the particular websites are associated with network attacks or malware; in response, storing transit data specifying computers that have visited the particular web sites and using the transit data to determine a plurality of particular web pages to inspect for threats; based on a hierarchical structure of the particular web pages and without consideration of content of the particular web pages, identifying one or more features, of links in the particular web page or files referenced in the particular web pages, that indicate one or more security threats in the web pages; and determining remediation measures to remediate security threats that are identified in one of the particula

Abstract: A data processing system comprising: a sensor computer that is coupled to and co-located with a compromised computer, the compromised computer comprising at least one malware item that is configured to direct unauthorized network activity toward one or more enterprise networks or enterprise computers, wherein the compromised computer is coupled to a firewall that is configured to control ingress of packets to the compromised computer and is logically between one or more attacker computers and the one or more enterprise networks or enterprise computers; a security control computer that is coupled to the sensor computer; one or more non-transitory data storage media in the security control computer storing security logic comprising one or more sequences of instructions which when executed cause the security control computer to perform: obtaining, from the sensor computer, detection data relating to network messages that the compromised computer emits, as the compromised computer emits the network messages; usin