Abstract: A traffic control method, adapted to a server, includes detecting a packet sent by user equipment and transmitted through a base station to obtain packet information of the packet, wherein the packet information comprises an Internet protocol address, determining whether the packet information is abnormal, tagging identification information corresponding to the Internet protocol address when the packet information is abnormal, and blocking a connection between the user equipment and a network based on the identification information.

Abstract: A verification method and a verification system for an information and communication safety protection mechanism are provided. The verification methods includes: selecting a target malicious program, and collecting at least one behavioral trace of the target malicious program; providing a target machine and deploying a protection mechanism to be tested for the target machine; configuring the target machine to reproduce the at least one behavioral trace; and determining whether the protection mechanism to be tested detects an abnormal event, so as to verify an effectiveness of the protection mechanism to be tested.

Abstract: A network attack pattern determination apparatus, method, and non-transitory computer readable storage medium thereof are provided. The apparatus is stored with several attack patterns and access records. Each access record includes a network address, time stamp, and access content. Each attack pattern corresponds to at least one attack access relation. Each attack access relation is defined by a network address and access content. The apparatus retrieves several attack records according to at least one attack address. The network address of each attack record is one of the attack address(s). The apparatus divides the attack records into several groups according to the time stamps and performs the following operations for each group: (a) creating at least one access relation for each attack address included in the group and (b) determining that the group corresponds to one of the attack patterns according to the at least one access relation of the group.

Abstract: An attacking node detection apparatus, method, and computer program product thereof are provided. The attacking node detection apparatus stores a plurality of access records of an application, wherein each access record includes a network address of a host and an access content. The attacking node detection apparatus filters the access records into a plurality of filtered access records according to a predetermined rule so that the access content of each filtered access record conforms to the predetermined rule. The attacking node detection apparatus creates at least one access relation of each of the network addresses according to the filtered access records, wherein each access relation is defined by one of the network addresses and one of the access contents. The attacking node detection apparatus identifies a specific network address as an attacking node according to the access relations.

Abstract: A network attack pattern determination apparatus, method, and non-transitory computer readable storage medium thereof are provided. The apparatus is stored with several attack patterns and access records. Each access record includes a network address, time stamp, and access content. Each attack pattern corresponds to at least one attack access relation. Each attack access relation is defined by a network address and access content. The apparatus retrieves several attack records according to at least one attack address. The network address of each attack record is one of the attack address(s). The apparatus divides the attack records into several groups according to the time stamps and performs the following operations for each group: (a) creating at least one access relation for each attack address included in the group and (b) determining that the group corresponds to one of the attack patterns according to the at least one access relation of the group.

Abstract: An attacking node detection apparatus, method, and computer program product thereof are provided. The attacking node detection apparatus is stored with a plurality of access records of an application, wherein each access record includes a network address of a host and an access content. The attacking node detection apparatus filters the access records into a plurality of filtered access records according to a predetermined rule so that the access content of each filtered access record conforms to the predetermined rule. The attacking node detection apparatus creates at least one access relation of each of the network addresses according to the filtered access records, wherein each access relation is defined by one of the network addresses and one of the access contents. The attacking node detection apparatus identifies a specific network address as an attacking node according to the access relations.

Abstract: The instant disclosure illustrates a system and method for information security management based on application level log analysis. The system and method for information security management involve analyzing a plurality of application level logs of a user and modeling the continuative behaviors of the user. Furthermore, the system and method for information security management include the selection of models according to different environmental contexts, thereby efficiently determining whether the user has had an abnormal behavior occur.

Abstract: A method, an electronic device, and a user interface for on-demand detecting a malware are provided and adapted for estimating whether an application has vulnerabilities or malicious behaviors. The method includes the following steps. Firstly, evaluating a risk level and a test time of the application which has vulnerabilities or malicious behaviors. Next, detecting the application by selection of user to estimate the risk level of the application which has vulnerabilities or malicious behaviors and then correspondingly generating a detection result. Therefore, the method, the electronic device, and the user interface for on-demand detecting the malware can detect the risk level of the application which has vulnerabilities or malicious behaviors before getting virus pattern of the variant or new malware.

Abstract: A method, an electronic device, and a user interface for on-demand detecting a malware are provided and adapted for estimating whether an application has vulnerabilities or malicious behaviors. The method includes the following steps. Firstly, evaluating a risk level and a test time of the application which has vulnerabilities or malicious behaviors. Next, detecting the application by selection of user to estimate the risk level of the application which has vulnerabilities or malicious behaviors and then correspondingly generating a detection result. Therefore, the method, the electronic device, and the user interface for on-demand detecting the malware can detect the risk level of the application which has vulnerabilities or malicious behaviors before getting virus pattern of the variant or new malware.

Abstract: A method for tracing at least one domain name is disclosed. In the method, several DNS resource records of candidate domain names are queried from at least one DNS name server. The candidate domain names are domain names that need to be traced. Internet Protocol (IP) addresses associated with the candidate domain names are retrieved from the DNS resource records of the candidate domain names. At least one external resource server is connected to retrieve corresponding registration information of the respective IP addresses of the candidate domain names. A tracing weight of each of the candidate domain names is calculated according to the DNS resource records, the IP addresses and the corresponding registration information of the candidate domain names. The candidate domain names are traced according to their respective tracing weights. A system for tracing at least one domain name is also disclosed.

Abstract: A method for generating a cross-site scripting attack is provided. An attack string sample is analyzed for obtaining a token sequence. A string word corresponding to each token is used to replace the token for generating a cross-site scripting attack string. Accordingly, a large number of cross-site scripting attacks are generated automatically, so as to execute a penetration test for a website.

Abstract: A method for generating a cross-site scripting attack is provided. An attack string sample is analyzed for obtaining a token sequence. A string word corresponding to each token is used to replace the token for generating a cross-site scripting attack string. Accordingly, a large number of cross-site scripting attacks are generated automatically, so as to execute a penetration test for a website.

Abstract: A network attack detection device is provided, including a spatial coordinate database for storing spatial coordinate data; a standard time zone database for storing standard time zone data; a domain name system packet collector for collecting a domain name system packet; a spatial snapshot feature extractor for extracting internet protocol address corresponding to the domain name system packet according to the domain name system packet, and generating spatial feature data corresponding to the internet protocol address according to the internet protocol address, the spatial coordinate data and the standard time zone data; and an attack detector for determining whether the domain name system packet is an attack according to the spatial feature data and a spatial snapshot detection model, and when determining that the domain name system packet is an attack, sending a warning to indicate the attack.

Abstract: A botnet detection system is provided. A bursty feature extractor receives an Internet Relay Chat (IRC) packet value from a detection object network, and determines a bursty feature accordingly. A Hybrid Hidden Markov Model (HHMM) parameter estimator determines probability parameters for a Hybrid Hidden Markov Model according to the bursty feature. A traffic profile generator establishes a probability sequential model for the Hybrid Hidden Markov Model according to the probability parameters and pre-defined network traffic categories. A dubious state detector determines a traffic state corresponding to a network relaying the IRC packet in response to reception of a new IRC packet, determines whether the IRC packet flow of the object network is dubious by applying the bursty feature to the probability sequential model for the Hybrid Hidden Markov Model, and generates a warning signal when the IRC packet flow is regarded as having a dubious traffic state.

Abstract: A method for detecting a malicious script is provided. A plurality of distribution eigenvalues are generated according to a plurality of function names of a web script. After the distribution eigenvalues are inputted to a hidden markov model (HMM), probabilities respectively corresponding to a normal state and an abnormal state are calculated. Accordingly, whether the web script is malicious or not can be determined according to the probabilities. Even an attacker attempts to change the event order, insert a new event or replace an event with a new one to avoid detection, the method can still recognize the intent hidden in the web script by using the HMM for event modeling. As such, the method may be applied in detection of obfuscated malicious scripts.

Abstract: A hot video prediction system is provided. A video comments database stores video comments submitted by a plurality of users. A user social network constructor establishes a user social network according to the video comments. When new comments of a new video are received, a hot video predictor uses the user social network to determine a similar theme between the new video and hot videos that have been hot for a period of time, and predicts whether the new video will become popular accordingly. A social network adaptor checks the prediction, and modifies the user social network accordingly.

Abstract: A network attack detection device is provided, including a spatial coordinate database for storing spatial coordinate data; a standard time zone database for storing standard time zone data; a domain name system packet collector for collecting a domain name system packet; a spatial snapshot feature extractor for extracting internet protocol address corresponding to the domain name system packet according to the domain name system packet, and generating spatial feature data corresponding to the internet protocol address according to the internet protocol address, the spatial coordinate data and the standard time zone data; and an attack detector for determining whether the domain name system packet is an attack according to the spatial feature data and a spatial snapshot detection model, and when determining that the domain name system packet is an attack, sending a warning to indicate the attack.

Abstract: A web mimicry attack detection device is provided, including: a first token sequence collector receiving a hypertext transfer protocol request and extracting string content of the hypertext transfer protocol request according to a token collection method to generate a token sequence corresponding to the hypertext transfer protocol request, wherein the token sequence comprises a plurality of the tokens; and a mimicry attack detector generating a label and a confidence score corresponding individually to the tokens according to the tokens and a conditional random field probability model, summing the confidence score individually corresponding to the tokens in the token sequence by a summary rule to generate a summary confidence score, and determining whether the hypertext transfer protocol request is an attack according to the summary confidence score and the label individually corresponding to the tokens.

Abstract: A botnet detection system is provided. A bursty feature extractor receives an Internet Relay Chat (IRC) packet value from a detection object network, and determines a bursty feature accordingly. A Hybrid Hidden Markov Model (HHMM) parameter estimator determines probability parameters for a Hybrid Hidden Markov Model according to the bursty feature. A traffic profile generator establishes a probability sequential model for the Hybrid Hidden Markov Model according to the probability parameters and pre-defined network traffic categories. A dubious state detector determines a traffic state corresponding to a network relaying the IRC packet in response to reception of a new IRC packet, determines whether the IRC packet flow of the object network is dubious by applying the bursty feature to the probability sequential model for the Hybrid Hidden Markov Model, and generates a warning signal when the IRC packet flow is regarded as having a dubious traffic state.

Abstract: A hot video prediction system is provided. A video comments database stores video comments submitted by a plurality of users. A user social network constructor establishes a user social network according to the video comments. When new comments of a new video are received, a hot video predictor uses the user social network to determine a similar theme between the new video and hot videos that have been hot for a period of time, and predicts whether the new video will become popular accordingly. A social network adaptor checks the prediction, and modifies the user social network accordingly.