Patents by Inventor George KALLOS
George KALLOS has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20220407830
Abstract: A computer implemented method of detecting malicious electronic mail comprising: receiving an electronic mail message including an indication of a purported sender network domain and a Simple Mail Transfer Protocol identifier (SMTP ID); processing the SMTP ID with a classifier, wherein the classifier is implemented using a supervised machine learning method trained to classify the SMTP ID as originating from the purported sender domain based on a training data set including authentic electronic mail messages from the domain; and responsive to a classification, by the classifier, of the received message indicating that the received message originates from a sender other than the purported sender domain, identifying the received message as malicious.
Type: Application
Filed: October 30, 2020
Publication date: December 22, 2022
Inventors: George KALLOS, Fadi EL-MOUSSA
-
Publication number: 20220377109
Abstract: A method of detecting blockchain miner code executing in a web browser including receiving a profile for the browser identifying typical resource consumption by the browser in use; responsive to a detection of a deviation of the resource consumption by the browser from the profile, intercepting a communication with the browser including a cryptographic nonce, training a plurality of classifiers based on generated training examples, each training example being generated by applying a hashing algorithm to the nonce such that each classifier is trained with training examples generated using a different hashing algorithm; intercepting one or more second communications with the browser, each of the second communications including a hash value; executing at least a subset of the classifiers based on the hash value of each of the second communications; and identifying malicious miner code executing in the browser.
Type: Application
Filed: December 18, 2020
Publication date: November 24, 2022
Inventors: George KALLOS, Fadi EL-MOUSSA
-
Publication number: 20220035915
Abstract: A computer implemented method for determining a plurality of data sources providing seed parameters for generation of an encryption key by a ransomware algorithm, the method including exposing a target computer system to the ransomware algorithm; monitoring application programming interface (API) calls made to an operating system of the target computer system to identify a set of API calls for retrieving data about one or more hardware components of the target computer system, the data about the hardware components being determined to constitute the seed parameters.
Type: Application
Filed: September 11, 2019
Publication date: February 3, 2022
Inventors: Fadi EL-MOUSSA, George KALLOS
-
Publication number: 20200228544
Abstract: A method for detecting malware software in a computer system includes accessing a plurality of hostnames for a malware server from a computer system infected with malware and attempting to communicate with the malware server, each hostname including a plurality of symbols in each of a plurality of symbol positions; training an autoencoder based on each of the plurality of hostnames, wherein the autoencoder includes: a set of input units for each possible symbol and symbol position in a hostname; output units each for storing an output of the autoencoder; and a set of hidden units smaller in number than the set of input units and each interconnecting all input and all output units with weighted interconnections, such that the autoencoder is trainable to provide an approximated reconstruction of values of the input units at the output units; selecting a set of one or more symbol and symbol position tuples based on weights of interconnections in the trained autoencoder; and identifying infected computer systems
Type: Application
Filed: July 30, 2018
Publication date: July 16, 2020
Inventors: Fadi EL-MOUSSA, George KALLOS
-
Publication number: 20190207955
Abstract: A method for identifying malicious network traffic communicated via a computer network, the method including: evaluating a measure of a correlation fractal dimension for a portion of network traffic over a monitored network connection; comparing the measure of correlation fractal dimension with a reference measure of correlation fractal dimension for a corresponding portion of network traffic of a malicious network connection so as to determine if malicious network traffic is communicated over the monitored network connection.
Type: Application
Filed: December 22, 2016
Publication date: July 4, 2019
Applicant: British Telecommunications Public Limited Company
Inventors: Fadi EL-MOUSSA, George KALLOS
-
Publication number: 20190012457
Abstract: A computer implemented method to identify a derivative of one or more malicious software components in a computer system including: evaluating a measure of a correlation fractal dimension (CFD) for at least a portion of a monitored software component in the computer system, the CFD including a plurality of CFD values varying with a resolution of fractal dimension; and comparing the plurality of CFD values with a reference measure of CFD for each of the malicious software components, each reference measure of CFD including a plurality of CFD values varying with a resolution of fractal dimension, so as to identify one or more of the plurality of malicious software components from which the monitored software component is derived.
Type: Application
Filed: December 15, 2016
Publication date: January 10, 2019
Applicant: British Telecommunications Public Limited Company
Inventors: Fadi EL-MOUSSA, George KALLOS
-
Publication number: 20180375882
Abstract: A computer implemented method to identify malicious software in a computer system includes receiving an indication of a detection of malicious network traffic communicated via a computer network accessed by the computer system; identifying a software component involved in the malicious network traffic at the computer system; evaluating a measure of a correlation fractal dimension (CFD) for at least a portion of the software component; and storing the measure of CFD for subsequent comparison with a second measure of CFD for a corresponding portion of a second software component in the computer system to identify the second software component as a software component involved in malicious network communication.
Type: Application
Filed: December 15, 2016
Publication date: December 27, 2018
Applicant: British Telecommunications Public Limited Company
Inventors: George KALLOS, Fadi EL-MOUSSA
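The three correlation fractal dimension (CFD) abstracts above (20190207955, 20190012457 and 20180375882) all rest on the same primitive: a correlation sum C(r) over the bytes of a traffic window or a software component, evaluated at several resolutions r, with the local slopes of log C(r) against log r kept as the multi-value CFD measure that is stored and later compared. The following is an added illustration of that primitive, not code from the patents or from British Telecommunications. It uses the Grassberger-Procaccia correlation sum on delay vectors of the byte series; the radii, the embedding dimension, the distance bound and the sample components (a constructed random "packed" component, a constructed repetitive one, and a variant of the latter with a few bytes flipped) are assumptions made for the example.

```python
"""Added example (not from the patents or from British Telecommunications):
a correlation fractal dimension (CFD) profile of a byte sequence at several
resolutions, stored per malicious component and compared against a monitored
component. Radii, embedding dimension, distance bound and sample bytes are
constructed for the illustration.
"""
import math
import random
from typing import Dict, List, Optional

RADII = [4, 8, 16, 32, 64]   # resolutions r (Chebyshev radius in byte units); assumed
EMBED = 2                    # delay-embedding dimension for the byte series; assumed


def _pair_distances(data: bytes, m: int = EMBED) -> List[int]:
    """Chebyshev distance between every pair of delay vectors (data[i], ..., data[i+m-1])."""
    points = [data[i:i + m] for i in range(len(data) - m + 1)]
    out = []
    for i, p in enumerate(points):
        for q in points[i + 1:]:
            out.append(max(abs(a - b) for a, b in zip(p, q)))
    return out


def correlation_sums(data: bytes, radii: List[int] = RADII) -> List[float]:
    """Grassberger-Procaccia correlation sum C(r): the fraction of point pairs
    lying within distance r, evaluated at each resolution."""
    dists = _pair_distances(data)
    if not dists:
        return [0.0] * len(radii)
    return [sum(1 for d in dists if d <= r) / len(dists) for r in radii]


def correlation_fractal_dimension(data: bytes) -> List[float]:
    """CFD as a list of local slopes d log C(r) / d log r between consecutive
    radii, i.e. one value per resolution step (len(RADII) - 1 values)."""
    c = correlation_sums(data)
    dims = []
    for (r1, c1), (r2, c2) in zip(zip(RADII, c), zip(RADII[1:], c[1:])):
        if c1 == 0.0 or c2 == 0.0:
            dims.append(0.0)  # too few close pairs at this resolution to estimate a slope
        else:
            dims.append(math.log(c2 / c1) / math.log(r2 / r1))
    return dims


def cfd_distance(a: List[float], b: List[float]) -> float:
    """Euclidean distance between two CFD profiles."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def identify_origin(monitored: bytes, references: Dict[str, List[float]],
                    max_distance: float = 1.0) -> Optional[str]:
    """Compare the monitored component's CFD with each stored reference CFD and
    return the closest family if it is within max_distance, else None."""
    profile = correlation_fractal_dimension(monitored)
    name, best = min(((k, cfd_distance(profile, v)) for k, v in references.items()),
                     key=lambda kv: kv[1])
    return name if best <= max_distance else None


# Constructed sample components (not real malware bytes).
_rng = random.Random(1)
PACKED_COMPONENT = bytes(_rng.getrandbits(8) for _ in range(256))   # high-entropy, packed-looking
REPETITIVE_COMPONENT = bytes(i % 32 for i in range(256))           # low-complexity, table-like
REFERENCES = {
    "family-packed": correlation_fractal_dimension(PACKED_COMPONENT),
    "family-table": correlation_fractal_dimension(REPETITIVE_COMPONENT),
}
# A "derivative" of the repetitive component: the same bytes with four of them flipped.
_derived = bytearray(REPETITIVE_COMPONENT)
for _i in (40, 100, 160, 220):
    _derived[_i] ^= 0xFF
DERIVED_COMPONENT = bytes(_derived)

if __name__ == "__main__":
    for name, ref in REFERENCES.items():
        print(name, [round(v, 2) for v in ref])
    print("derived component matches:", identify_origin(DERIVED_COMPONENT, REFERENCES))
```

A constant byte sequence gives C(r) = 1 at every resolution and therefore a CFD of all zeros, while the random component stays near the embedding dimension across the small radii; it is that per-resolution shape, rather than a single number, that the abstracts compare against the stored reference.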
-
Publication number: 20180115567
Abstract: A method for identifying malicious encrypted network traffic associated with a malware software component communicating via a network, the method including: defining, for the malware, a portion of network traffic including a plurality of contiguous bytes occurring at a predefined offset in a network communication of the malware; extracting the defined portion of network traffic for each of a plurality of disparate network connections for the malware; evaluating a metric for each byte in each extracted portion; representing each extracted portion in a matrix data structure as an image of pixels wherein each pixel corresponds to a byte of the extracted portion; training a neural network based on the images for the extracted portions such that subsequent network traffic can be classified by the neural network to identify malicious network traffic associated with the malware based on an image generated to represent the defined portion of the subsequent network traffic.
Type: Application
Filed: March 15, 2016
Publication date: April 26, 2018
Applicant: British Telecommunications Public Limited Company
Inventors: Fadi EL-MOUSSA, Ben AZVINE, George KALLOS
-
Publication number: 20180115566
Abstract: A method for identifying malicious encrypted network traffic communicated via a network between a first and second computer system, the method including: monitoring network traffic over the network to detect a network connection as a new network connection; identifying characteristics of the network connection to determine a protocol of the network connection; retrieving a definition of a portion of network traffic for a network connection based on the determined protocol; evaluating Fourier transform coefficient values for each of a plurality of bytes in a portion of network traffic of the new network connection based on the retrieved definition; and comparing the evaluated coefficient values with a dictionary of one or more reference sets of coefficients, each of the one or more reference sets of coefficients being associated with a portion of network traffic of a malicious encrypted network connection, so as to determine if malicious encrypted network traffic is communicated over the network connection.
Type: Application
Filed: March 15, 2016
Publication date: April 26, 2018
Applicant: British Telecommunications Public Limited Company
Inventors: Ben AZVINE, Fadi EL-MOUSSA, George KALLOS
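The 20180115566 abstract describes a pipeline of four steps: classify the new connection's protocol from its first bytes, look up the window definition for that protocol, take the Fourier coefficients of the bytes in that window, and compare them with a dictionary of reference coefficient sets. The block below walks that pipeline end to end as an added example; it is not code from the patent or from British Telecommunications. The protocol check (TLS handshake record header), the per-protocol window definitions, the two hypothetical malware families with their periodic byte patterns, the distance threshold and all payloads are constructed for the illustration.

```python
"""Added example (not from the patents or from British Telecommunications):
protocol-keyed window definitions, DFT coefficient magnitudes of that window,
and a lookup against a dictionary of reference coefficient sets. The window
definitions, families, threshold and payloads are constructed.
"""
import cmath
import math
import random
from typing import Dict, List, Optional

# Window definition per protocol: (offset, length). Assumed values.
WINDOW_BY_PROTOCOL = {"tls": (5, 32), "unknown": (0, 32)}


def detect_protocol(payload: bytes) -> str:
    """Connection characteristics check: a TLS record begins with content
    type 0x16 (handshake) followed by major version 0x03."""
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    return "unknown"


def dft_magnitudes(window: bytes) -> List[float]:
    """Normalised magnitude of each discrete Fourier coefficient of the byte
    values (direct O(n^2) evaluation, adequate for a 32-byte window)."""
    n = len(window)
    mags = []
    for k in range(n):
        acc = sum(b * cmath.exp(-2j * math.pi * k * i / n) for i, b in enumerate(window))
        mags.append(abs(acc) / n)
    return mags


def coefficients(payload: bytes) -> List[float]:
    """Retrieve the window for the detected protocol and evaluate its coefficients."""
    offset, length = WINDOW_BY_PROTOCOL[detect_protocol(payload)]
    window = payload[offset:offset + length]
    if len(window) < length:
        window = window + bytes(length - len(window))  # zero-pad a short connection
    return dft_magnitudes(window)


def distance(a: List[float], b: List[float]) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def match(payload: bytes, dictionary: Dict[str, List[float]],
          threshold: float = 20.0) -> Optional[str]:
    """Return the reference set closest to the connection's coefficients when it
    lies within `threshold`; None means no malicious reference matched."""
    coeffs = coefficients(payload)
    name, best = min(((k, distance(coeffs, v)) for k, v in dictionary.items()),
                     key=lambda kv: kv[1])
    return name if best <= threshold else None


TLS_HEADER = b"\x16\x03\x01\x00\x40"  # handshake record, version field, 64-byte length

# Constructed reference connections for two hypothetical malware families whose
# bytes after the record header carry a fixed periodic structure.
FAMILY_A = TLS_HEADER + bytes([0x10, 0x80] * 32)
FAMILY_B = TLS_HEADER + bytes([0x20, 0x20, 0x70, 0xC0] * 16)
DICTIONARY = {"family-A": coefficients(FAMILY_A), "family-B": coefficients(FAMILY_B)}

# Monitored connections: a slight variant of family A, and a random TLS-like one.
_variant = bytearray(FAMILY_A)
_variant[8] = 0x90
_variant[25] = 0x00
VARIANT_A = bytes(_variant)
_rng = random.Random(7)
RANDOM_TLS = TLS_HEADER + bytes(_rng.getrandbits(8) for _ in range(64))

if __name__ == "__main__":
    print("variant of A matches:", match(VARIANT_A, DICTIONARY))
    print("random TLS matches:", match(RANDOM_TLS, DICTIONARY))
```

Changing two bytes by 16 each moves every normalised coefficient by at most 16/32, so the variant stays within a few units of its family's reference set, whereas 32 uniformly random bytes spread roughly their full variance across the non-DC bins and land far outside the threshold.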
-
Publication number: 20170223032
Abstract: A malicious encrypted traffic inhibitor connected to a computer network is disclosed. A method for inhibiting malicious encrypted network traffic communicated via a computer network also is disclosed.
Type: Application
Filed: February 17, 2015
Publication date: August 3, 2017
Applicant: British Telecommunications Public Limited Company
Inventors: Fadi EL-MOUSSA, George KALLOS, Ben AZVINE
-
Publication number: 20170142133
Abstract: A computer system arranged to detect an ineffective network device in a set of network devices for a computer network as a device ineffective at identifying an attack in the network, the computer system including: an input unit to receive events generated by the set of network devices for each of a plurality of time periods, each event including an attribute belonging to a class of attributes; a processing system having at least one processor and being arranged to: evaluate a normalized representative value of the attribute as a score for each network device for each of the plurality of time periods based on the received events; evaluating a measure of similarity of scores for each of a plurality of pairs of devices in the set of network devices for one or more time windows, each time window comprising two or more of the time periods; and identify a network device having evaluated similarity measures meeting a predetermined threshold as ineffective network devices.
Type: Application
Filed: June 15, 2015
Publication date: May 18, 2017
Applicant: British Telecommunications Public Limited Company
Inventor: George KALLOS
-
Publication number: 20170013000
Abstract: A malicious encrypted traffic detector connected to a computer network method for identifying malicious encrypted network traffic communicated via a computer network, the method comprising: a storage storing a plurality of network traffic window definitions, each window defining a different subset of network traffic for a network connection; an analyzer adapted to identify characteristics of a network connection to determine a protocol of a network connection; a network traffic recorder adapted to record a subset of network traffic corresponding to a window of network traffic; an entropy estimator adapted to evaluate an estimated measure of entropy for a portion of network traffic of a network connection recorded by the network traffic recorder; and a window selector adapted to identify and store a window as a portion of a network connection for which an estimated measure of entropy is most similar for a plurality of network connections, the identified window being stored in association with an identifier of
Type: Application
Filed: February 16, 2015
Publication date: January 12, 2017
Applicant: British Telecommunications Public Limited Company
Inventors: Fadi EL-MOUSSA, George KALLOS, Ben AZVINE
-
Publication number: 20160366155
Abstract: A malicious encrypted traffic detector connected to a computer network, the detector comprising: a Shannon entropy estimator; an entropy comparator; a store storing a reference measure of Shannon entropy of a portion of network traffic of a malicious encrypted network connection, wherein the estimator is adapted to estimate a measure of entropy for a corresponding portion of network traffic communicated over the computer network, and the entropy comparator is adapted to compare the estimated measure of entropy with the reference measure so as to determine if malicious encrypted network traffic is communicated over the network connection.
Type: Application
Filed: February 17, 2015
Publication date: December 15, 2016
Applicant: British Telecommunications Public Limited Company
Inventors: Fadi EL-MOUSSA, George KALLOS, Ben AZVINE
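The two entropy abstracts above (20170013000 and 20160366155) describe complementary halves of one detector: a window selector that, given several connections of the same malware, keeps the window definition whose estimated entropy is most consistent across them, and an estimator plus comparator that later checks a new connection's window entropy against the stored reference measure. The block below is an added example of both halves working together; it is not code from the patents or from British Telecommunications. The window definitions, the "most similar" criterion (lowest variance), the comparison tolerance and the payloads (seeded random bytes standing in for encrypted malware connections, and a plaintext HTTP request as the benign case) are all assumptions made for the illustration.

```python
"""Added example (not from the patents or from British Telecommunications):
entropy-based window selection and a Shannon-entropy detector for encrypted
malware traffic. Window definitions, tolerance and all connection payloads
are constructed for the illustration.
"""
import math
import random
from statistics import mean, pvariance
from typing import Dict, List, Tuple

# Window definitions: (offset, length) into a connection's first bytes. Assumed.
WINDOWS: Dict[str, Tuple[int, int]] = {
    "first-64": (0, 64),
    "bytes-64-127": (64, 64),
    "first-256": (0, 256),
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy estimate in bits per byte from the byte histogram."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def extract_window(payload: bytes, window: Tuple[int, int]) -> bytes:
    """Network traffic recorder: the subset of the connection a window defines."""
    offset, length = window
    return payload[offset:offset + length]


def select_window(connections: List[bytes]) -> str:
    """Window selector: keep the window whose entropy estimate is most similar
    (lowest variance) across several connections of the same malware."""
    best_name, best_var = "", math.inf
    for name, win in WINDOWS.items():
        ents = [shannon_entropy(extract_window(c, win)) for c in connections]
        var = pvariance(ents)
        if var < best_var:
            best_name, best_var = name, var
    return best_name


def build_reference(connections: List[bytes]) -> Tuple[str, float]:
    """Store entry: the selected window identifier and its reference entropy."""
    name = select_window(connections)
    ref = mean(shannon_entropy(extract_window(c, WINDOWS[name])) for c in connections)
    return name, ref


def is_malicious(payload: bytes, window_name: str, reference: float,
                 tolerance: float = 0.5) -> bool:
    """Entropy comparator: flag a connection whose window entropy lies within
    `tolerance` bits of the stored reference measure."""
    est = shannon_entropy(extract_window(payload, WINDOWS[window_name]))
    return abs(est - reference) <= tolerance


def _encrypted_like(seed: int, n: int = 320) -> bytes:
    """Constructed stand-in for an encrypted malware connection: uniform bytes."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed sample data: three known-bad connections for building the
# reference, one fresh bad connection and one plaintext HTTP connection to test.
MALICIOUS_TRAINING = [_encrypted_like(s) for s in (1, 2, 3)]
MALICIOUS_NEW = _encrypted_like(99)
BENIGN_HTTP = (b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n"
               b"User-Agent: curl/8.0\r\nAccept: */*\r\n\r\n") * 4

if __name__ == "__main__":
    window_name, reference = build_reference(MALICIOUS_TRAINING)
    print(f"selected window {window_name}, reference entropy {reference:.2f} bits")
    print("new malicious connection flagged:", is_malicious(MALICIOUS_NEW, window_name, reference))
    print("benign HTTP connection flagged:", is_malicious(BENIGN_HTTP, window_name, reference))
```

The caveat a practitioner will want: the comparator matches on closeness to the malicious reference, so any traffic with similar entropy in the same window (legitimate TLS, compressed content) sits inside the tolerance too; the window selection step is what narrows the comparison to bytes that are consistent for the malware rather than generically high-entropy, and the tolerance has to be tuned on real benign encrypted traffic, not only on the plaintext case shown here.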