Patents by Inventor Gideon Zenz

Gideon Zenz has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11663331
    Abstract: A computer-implemented method, a computer program product, and a computer system for creating malware domain sinkholes by domain clustering. The computer system clusters malware domains into domain clusters. The computer system collects domain metrics in the domain clusters. The computer system sorts clustered malware domains in the respective ones of the domain clusters, based on the domain metrics. The computer system selects, from the clustered malware domains in the respective ones of the domain clusters, a predetermined number of top domains as candidates of respective domain sinkholes, wherein the respective domain sinkholes are created for the respective ones of the domain clusters.
    Type: Grant
    Filed: February 10, 2020
    Date of Patent: May 30, 2023
    Assignee: International Business Machines Corporation
    Inventors: Cheng-Ta Lee, Bo-Yu Kuo, Gideon Zenz, Andrii Iesiev, Jacobus P. Lodewijkx
  • Publication number: 20210248235
    Abstract: A computer-implemented method, a computer program product, and a computer system for creating malware domain sinkholes by domain clustering. The computer system clusters malware domains into domain clusters. The computer system collects domain metrics in the domain clusters. The computer system sorts clustered malware domains in the respective ones of the domain clusters, based on the domain metrics. The computer system selects, from the clustered malware domains in the respective ones of the domain clusters, a predetermined number of top domains as candidates of respective domain sinkholes, wherein the respective domain sinkholes are created for the respective ones of the domain clusters.
    Type: Application
    Filed: February 10, 2020
    Publication date: August 12, 2021
    Inventors: Cheng-Ta Lee, Bo-Yu Kuo, Gideon Zenz, Andrii Iesiev, Jacobus P. Lodewijkx
  • Patent number: 10897483
    Abstract: A method for automated determination of IP address information of malicious attacks. An intrusion detection system may receive an index tree for storing IP addresses in one or more nodes of the index tree in a predefined sorting order. The intrusion detection system may receive a data structure including a first set of one or more IP addresses from a honeypot system. The intrusion detection system may receive unstructured data indicative of a second set of one or more IP addresses from a predefined data source. The intrusion detection system may process the unstructured data to determine the second set of one or more IP addresses. The intrusion detection system may insert each IP address of the first and second sets of one or more IP addresses into one or more nodes of the index tree.
    Type: Grant
    Filed: August 10, 2018
    Date of Patent: January 19, 2021
    Assignee: International Business Machines Corporation
    Inventors: Dirk Harz, Matthias Seul, Jens Thamm, Gideon Zenz
  • Patent number: 10686807
    Abstract: A method for classification of suspicious activities is provided. In the method, a first intrusion detection system comprising a normal operation mode and which is connected to a second intrusion detection system by a first communications connection is implemented. In response to detecting a malfunction of the first communications connection, the first intrusion detection system is switched from the normal operation mode to a limited operation mode for receiving first data from one or more honeypot systems and second data from the second intrusion detection system. A prediction model for representing malicious attacks is generated by execution of a predefined classification algorithm with respect to the received data, wherein the predefined classification algorithm further determines a model evaluation metric with respect to the prediction model. The prediction model is deployed to detect the malicious attacks if the model evaluation metric meets a predefined validation condition.
    Type: Grant
    Filed: June 12, 2018
    Date of Patent: June 16, 2020
    Assignee: International Business Machines Corporation
    Inventors: Gideon Zenz, Volker Vogeley, Dirk Harz, Mark Usher, Astrid Granacher
  • Publication number: 20200053122
    Abstract: A method for automated determination of IP address information of malicious attacks. An intrusion detection system may receive an index tree for storing IP addresses in one or more nodes of the index tree in a predefined sorting order. The intrusion detection system may receive a data structure including a first set of one or more IP addresses from a honeypot system. The intrusion detection system may receive unstructured data indicative of a second set of one or more IP addresses from a predefined data source. The intrusion detection system may process the unstructured data to determine the second set of one or more IP addresses. The intrusion detection system may insert each IP address of the first and second sets of one or more IP addresses into one or more nodes of the index tree.
    Type: Application
    Filed: August 10, 2018
    Publication date: February 13, 2020
    Inventors: Dirk Harz, Matthias Seul, Jens Thamm, Gideon Zenz
  • Publication number: 20190379677
    Abstract: A method for classification of suspicious activities is provided. In the method, a first intrusion detection system comprising a normal operation mode and which is connected to a second intrusion detection system by a first communications connection is implemented. In response to detecting a malfunction of the first communications connection, the first intrusion detection system is switched from the normal operation mode to a limited operation mode for receiving first data from one or more honeypot systems and second data from the second intrusion detection system. A prediction model for representing malicious attacks is generated by execution of a predefined classification algorithm with respect to the received data, wherein the predefined classification algorithm further determines a model evaluation metric with respect to the prediction model. The prediction model is deployed to detect the malicious attacks if the model evaluation metric meets a predefined validation condition.
    Type: Application
    Filed: June 12, 2018
    Publication date: December 12, 2019
    Inventors: Gideon Zenz, Volker Vogeley, Dirk Harz, Mark Usher, Astrid Granacher
  • Patent number: 10284578
    Abstract: A mechanism is provided for blocking IP connection addresses and prefixes. Header information is extracted from an incoming connection request. A determination is made as to whether a portion of an Internet Protocol address comprised in the header information is blacklisted. Responsive to a portion of the Internet Protocol address being blacklisted, a fingerprint is generated, and a determination is made as to whether the fingerprint is blacklisted. Responsive to the fingerprint being blacklisted, the underlying physical connection is dropped; data associated with the incoming connection request is stored in a buffer, the fingerprint is associated to the incoming connection request; the incoming connection request is merged with stored blacklisted requests of a related originating system; and shared prefixes of the Internet Protocol address of the stored blacklisted requests are filtered out.
    Type: Grant
    Filed: March 6, 2017
    Date of Patent: May 7, 2019
    Assignee: International Business Machines Corporation
    Inventors: Dominik W. Brugger, Matthias Seul, Volker Vogeley, Gideon Zenz
  • Publication number: 20180255075
    Abstract: A mechanism is provided for blocking IP connection addresses and prefixes. Header information is extracted from an incoming connection request. A determination is made as to whether a portion of an Internet Protocol address comprised in the header information is blacklisted. Responsive to a portion of the Internet Protocol address being blacklisted, a fingerprint is generated, and a determination is made as to whether the fingerprint is blacklisted. Responsive to the fingerprint being blacklisted, the underlying physical connection is dropped; data associated with the incoming connection request is stored in a buffer, the fingerprint is associated to the incoming connection request; the incoming connection request is merged with stored blacklisted requests of a related originating system; and shared prefixes of the Internet Protocol address of the stored blacklisted requests are filtered out.
    Type: Application
    Filed: March 6, 2017
    Publication date: September 6, 2018
    Inventors: Dominik W. Brugger, Matthias Seul, Volker Vogeley, Gideon Zenz
  • Patent number: 9954882
    Abstract: Software that automatically detects anomalous attributes indicative of a potential intrusion in a computing system. The software performs the following operations: (i) determining a baseline pattern for one or more attributes of a computing system, based on a first set of statistical thresholds determined for received values of the one or more attributes, wherein the received values correspond to one or more time periods, and on a second set of statistical thresholds determined for a first subset of values of the received values of the one or more attributes, wherein each value of the first subset exceeds the first set of statistical thresholds; and (ii) in response to identifying, based on the determined baseline pattern, anomalous values in monitored additional values of the one or more attributes, sending an alert to a user of the computing system indicating that a potential intrusion in the computing system has occurred.
    Type: Grant
    Filed: July 27, 2016
    Date of Patent: April 24, 2018
    Assignee: International Business Machines Corporation
    Inventors: Hyun Kyu Seo, Ronald B. Williams, Gideon Zenz
  • Publication number: 20170155674
    Abstract: Software that automatically detects anomalous attributes indicative of a potential intrusion in a computing system. The software performs the following operations: (i) determining a baseline pattern for one or more attributes of a computing system, based on a first set of statistical thresholds determined for received values of the one or more attributes, wherein the received values correspond to one or more time periods, and on a second set of statistical thresholds determined for a first subset of values of the received values of the one or more attributes, wherein each value of the first subset exceeds the first set of statistical thresholds; and (ii) in response to identifying, based on the determined baseline pattern, anomalous values in monitored additional values of the one or more attributes, sending an alert to a user of the computing system indicating that a potential intrusion in the computing system has occurred.
    Type: Application
    Filed: July 27, 2016
    Publication date: June 1, 2017
    Inventors: Hyun Kyu Seo, Ronald B. Williams, Gideon Zenz
  • Patent number: 9471778
    Abstract: Software that automatically creates baselines from time series data of computer system activity, thereby providing immediate value from observed system data. The software performs the following operations: (i) receiving values of one or more attributes of a computing system that correspond to one or more time periods; (ii) determining a first set of statistical thresholds for the received values, wherein the received values include a subset of values that exceed the first set of statistical thresholds; (iii) determining a second set of statistical thresholds for the subset of values that exceed the first set of statistical thresholds; and (iv) determining a baseline pattern for the one or more attributes based, at least in part, on the determined first set of statistical thresholds and the determined second set of statistical thresholds.
    Type: Grant
    Filed: November 30, 2015
    Date of Patent: October 18, 2016
    Assignee: International Business Machines Corporation
    Inventors: Hyun Kyu Seo, Ronald B. Williams, Gideon Zenz