Abstract: A method is provided for determining command-to-process correspondence. The method includes identifying, by the hardware processor, initial processes resulting from executions of container immutability change events for each of multiple containers in a cluster, based on an execution time, a process identifier and a process group identifier for each of the container immutability change events. The method further includes checking, by the hardware processor, if an initial process from among the identified initial processes matches an entry in a database that stores external container commands and at least one respective process resulting from executing each of the external container commands.

Abstract: Methods and systems for detecting mutation events include collecting change event pattern counts from one or more processing nodes. Unintended change events are identified based on the collected change event pattern counts. A corrective action is performed for the unintended change events.

Abstract: A computer-implemented method for linking combo-squatting domains is provided. The method includes grouping domain names into nameserver groups based on a nameserver for each of the domains. Each of the domain names contain valued words. The method also includes splitting words in each domain name and generating a wordlist for each of the nameserver groups. The method further includes finding feature words among the nameserver groups, and extracting malicious domain names which contain the feature words in each of the nameserver groups. The method further includes outputting, for each of the nameserver groups, the malicious domain names and corresponding registrant identifying data based on the feature words.