Abstract: Information related to data communication between a plurality of connected devices is obtained. A plurality of initiated connections between the plurality of connected devices as directed edges between nodes in a directed graph based on the information are defined. Each initiated connection is represented by a directed edge from a source node to a destination node in the directed graph, and each node comprises an internet protocol (IP) address of the node. The directed graph is explored to determine a plurality of source/destination-pairs, wherein each source/destination-pair contains a source IP address of a source node of a directed edge, and a destination IP address of a destination node of the directed edge. A peer-to-peer (P2P) network including a plurality of P2P devices is detected based on the source/destination-pairs.

Abstract: A network apparatus maintains a database of a plurality of virtual private network (VPN) protocols and respective VPN providers. A VPN protocol detection process is performed for determining a VPN protocol used by a computing device based on analyzing network traffic data and the database. In response to detecting the VPN protocol detection process failing or detecting a need to identify a respective VPN provider, an endpoint detection process for determining the VPN usage of the computing device is performed. In response to detecting the endpoint detection process failing or detecting a need to identify VPN usage time information, a traffic pattern search process for determining the VPN usage of the computing device is performed. Further action is taken to protect the computing device in response to detecting the VPN usage on the basis of the VPN protocol detection process, the endpoint detection process, and/or the traffic pattern search process.

Abstract: A first data communication of a first connected device related to a first target website is intercepted. The first data communication identifies the first target website by a first fully qualified domain name (FQDN), and the first FQDN is mapped to a first Internet protocol (IP) address. A pair of the first FQDN and the first IP address is determined. A second data communication of a second connected device related to a second target website is intercepted. The second data communication comprises a second encrypted FQDN and a second IP address of the second target website. The second IP address is determined to be equal to the first IP address. A cybersecurity reputation of the second target website is retrieved based on the first FQDN. In response to determining that the reputation matches a predetermined alarm condition, a cybersecurity operation is enforced for the second data communication.

Abstract: A network apparatus maintains a data repository comprising network traffic data related to a plurality of user devices, the network traffic data being collected from a plurality of Network Service Providers (NSPs). A subset of the plurality of user devices are detected to be communicating with one or more same endpoint devices based on analysing the network traffic data. A number of historical connections between each user device of the subset of the plurality of user devices and the one or more endpoint devices is determined based on analysing historical connection data maintained in the data repository, and in response to detecting that the number of historical connections between the subset of the plurality of user devices and the one or more endpoint devices exceeds a predetermined threshold, the one or more endpoint devices are identified as a suspected botnet.

Abstract: A computing device receives an IP address and a port number related to a transport protocol and an application protocol version and other attributes related to an application protocol extracted from an encrypted client hello (ECH) enabled transport layer security (TLS) connection request from a client computing device and extracts, from the database, a set of all known hostnames matching the IP address. The device generates a reduced list of the set of all hostnames matching the IP address, and assigns a confidence score to each hostname of the reduced list based on an alias count and/or a popularity ranking of the hostname. Finally, a prioritized list of one or more hostnames is generated based on the confidence score, the prioritized list indicating the one or more hostnames in the order of descending probability of being requested in the ECH enabled TLS connection request.

Abstract: Maintaining a database of a plurality of time series data sets, wherein each time series data set is associated to a previously known computer device of a computer network; detecting a connection request from a second computer device of the computer network; collecting one or more new data sets related to the second computer device; comparing the one or more new data sets with one or more time series data sets; calculating one or more value scores related to the plurality of time series data sets based on the comparison; and determining a device association score based on the calculated one or more value scores related to the plurality of time series data sets, wherein the device association score determines an association level between the previously known computer device and the second computer device of the computer network.

Abstract: A network apparatus detects connection requests and extracts related data. The data is analyzed to determine whether the host is in an active state, whether the host matches a domain referrer and an amount of time from a last connection request. If it is detected that the host is not in an active state, the host is not matching the domain referrer and the amount of time from the last connection request exceeds a predetermined new session threshold, then a connection request is classified as a main request. If the amount of time from the last connection request is below a predetermined continuous session threshold, then any connection requests following the main request are classified as sub-requests. If the domain of host in the active state does not match current host for a sub-request, the sub-request is classified as a third-party request.

Abstract: A network apparatus maintains a data repository comprising network traffic data related to a plurality of user devices, the network traffic data being collected from a plurality of Network Service Providers (NSPs). A subset of the plurality of user devices are detected to be communicating with one or more same endpoint devices based on analysing the network traffic data. A number of historical connections between each user device of the subset of the plurality of user devices and the one or more endpoint devices is determined based on analysing historical connection data maintained in the data repository, and in response to detecting that the number of historical connections between the subset of the plurality of user devices and the one or more endpoint devices exceeds a predetermined threshold, the one or more endpoint devices are identified as a suspected botnet.

Abstract: Maintaining a database of a plurality of time series data sets, wherein each time series data set is associated to a previously known computer device of a computer network; detecting a connection request from a second computer device of the computer network; collecting one or more new data sets related to the second computer device; comparing the one or more new data sets with one or more time series data sets; calculating one or more value scores related to the plurality of time series data sets based on the comparison; and determining a device association score based on the calculated one or more value scores related to the plurality of time series data sets, wherein the device association score determines an association level between the previously known computer device and the second computer device of the computer network.

Abstract: A network apparatus detects connection requests and extracts related data. The data is analyzed to determine whether the host is in an active state, whether the host matches a domain referrer and an amount of time from a last connection request. If it is detected that the host is not in an active state, the host is not matching the domain referrer and the amount of time from the last connection request exceeds a predetermined new session threshold, then a connection request is classified as a main request. If the amount of time from the last connection request is below a predetermined continuous session threshold, then any connection requests following the main request are classified as sub-requests. If the domain of host in the active state does not match current host for a sub-request, the sub-request is classified as a third-party request.