Abstract: Mechanisms are provided to detect content generated from phishing attacks. The mechanisms process an electronic communication, received from a data network, to produce a structure token. The structure token represents a content structure of the electronic communication. The structure token is processed by a machine learning model, which is trained to identify content that is generated in response to one or more phishing attacks. The machine learning model produces a classification output that indicates whether the electronic communication includes content that was generated in response to the one or more phishing attacks.

Abstract: Mechanisms are provided to detect phishing exfiltration communications. The mechanisms receive an input electronic communication from a data network and process the input electronic communication to extract a structure token that represents the content structure of the input electronic communication. The structure token is input to a machine learning model that is trained to identify phishing exfiltration communication grammars, and relationships between phishing exfiltration communication grammars, in structure tokens. The machine learning model processes the structure token to generate a vector output indicating computed values for processing by classification logic. The classification logic processes the vector output from the machine learning model to classify the input electronic communication as either a phishing exfiltration communication or a non-phishing exfiltration communication, and outputs a corresponding classification output.

Abstract: Mechanisms are provided to detect phishing exfiltration communications. The mechanisms receive an input electronic communication from a data network and process the input electronic communication to extract a structure token that represents the content structure of the input electronic communication. The structure token is input to a machine learning model that is trained to identify phishing exfiltration communication grammars, and relationships between phishing exfiltration communication grammars, in structure tokens. The machine learning model processes the structure token to generate a vector output indicating computed values for processing by classification logic. The classification logic processes the vector output from the machine learning model to classify the input electronic communication as either a phishing exfiltration communication or a non-phishing exfiltration communication, and outputs a corresponding classification output.

Abstract: Mechanisms are provided to detect phishing exfiltration communications. The mechanisms receive an input electronic communication from a data network and process the input electronic communication to extract a structure token that represents the content structure of the input electronic communication. The structure token is input to a machine learning model that is trained to identify phishing exfiltration communication grammars, and relationships between phishing exfiltration communication grammars, in structure tokens. The machine learning model processes the structure token to generate a vector output indicating computed values for processing by classification logic. The classification logic processes the vector output from the machine learning model to classify the input electronic communication as either a phishing exfiltration communication or a non-phishing exfiltration communication, and outputs a corresponding classification output.

Abstract: Embodiments provide a computer implemented method for detecting a phishing internet link, wherein an internet link is a Uniform Resource Locator (URL) or a domain name, the method including: receiving the internet link; replacing one or more visually confusing characters with one or more original characters, wherein the one or more visually confusing characters are similar to the one or more original characters; removing a top-level domain from the internet link; removing a common subdomain from the internet link; splitting the remaining internet link into a list of words; converting the list of words into a list of word vectors; calculating an average word vector of the list of word vectors; and providing a phishing score for the average vector, indicating a probability of the internet link being a phishing internet link.

Abstract: Countering phishing attacks by generating multiple synthetic victims, where each of the synthetic victims includes synthetic victim information that represents a computer user identity and includes associated sensitive information, where the computer user identity and its associated sensitive information are fictitious in that they are not known to be associated with a legitimate computer user, providing any of the synthetic victim information of the synthetic victims to a computer-hosted phishing site, storing the synthetic victim information in a computer-accessible database, receiving from a computer-hosted target site information provided to the computer-hosted target site by a requestor, identifying in the computer-accessible database database synthetic victim information matching the requestor information, and notifying the computer-hosted target site that the requestor information is of a synthetic victim.

Abstract: A method, apparatus, system, and computer program product for performing security testing. Information about successful payloads in payloads is determined by a computer system using crowd-sourced data in which a successful payload is a payload used in a successful attack. A set of popular payloads is determined by a computer system from the payloads using information about the successful payloads determined using the crowd-sourced data. Testing is focused by the computer system on the set of popular payloads based on a set of key features for the set of popular payloads.

Abstract: Embodiments provide a computer implemented method for detecting a phishing internet link, wherein an internet link is a Uniform Resource Locator (URL) or a domain name, the method including: receiving the internet link; replacing one or more visually confusing characters with one or more original characters, wherein the one or more visually confusing characters are similar to the one or more original characters; removing a top-level domain from the internet link; removing a common subdomain from the internet link; splitting the remaining internet link into a list of words; converting the list of words into a list of word vectors; calculating an average word vector of the list of word vectors; and providing a phishing score for the average vector, indicating a probability of the internet link being a phishing internet link.

Abstract: An approach is provided that automatically classify network traffic of web applications and services based on a dynamic analysis. The approach scans a resource that corresponds to a named network application and receives, as a result of the scan, network resource identifiers that are accessed by the named network application. Network traffic between users and network resources is monitored, with the monitoring resulting in a set of visited network resource identifiers. The set of resource identifiers is found by matching the visited network resource identifiers with the network resource identifiers returned by the scan. Each of the set of resource identifiers is then matched with the named application.

Abstract: Mechanisms are provided to detect phishing exfiltration communications. The mechanisms receive an input electronic communication from a data network and process the input electronic communication to extract a structure token that represents the content structure of the input electronic communication. The structure token is input to a machine learning model that is trained to identify phishing exfiltration communication grammars, and relationships between phishing exfiltration communication grammars, in structure tokens. The machine learning model processes the structure token to generate a vector output indicating computed values for processing by classification logic. The classification logic processes the vector output from the machine learning model to classify the input electronic communication as either a phishing exfiltration communication or a non-phishing exfiltration communication, and outputs a corresponding classification output.

Abstract: An example operation may include one or more of identifying a page of a website for phishing testing, attempting each of a Hypertext Transfer Protocol (HTTP) GET request and a HTTP Secure (HTTPS) GET request via the identified page of the website, attempting each of a HTTP POST request and a HTTPS POST request via the identified page of the website, determining if the website is a phishing website based on server responses to the attempted HTTP and HTTPS GET requests and the attempted HTTP and HTTPS POST requests received from the website, and in response to determining the website is a phishing website, outputting an indication of the determination for display on a display device.

Abstract: A method, apparatus, system, and computer program product for performing security testing. Information about successful payloads in payloads is determined by a computer system using crowd-sourced data in which a successful payload is a payload used in a successful attack. A set of popular payloads is determined by a computer system from the payloads using information about the successful payloads determined using the crowd-sourced data. Testing is focused by the computer system on the set of popular payloads based on a set of key features for the set of popular payloads.

Abstract: Countering phishing attacks by generating multiple synthetic victims, where each of the synthetic victims includes synthetic victim information that represents a computer user identity and includes associated sensitive information, where the computer user identity and its associated sensitive information are fictitious in that they are not known to be associated with a legitimate computer user, providing any of the synthetic victim information of the synthetic victims to a computer-hosted phishing site, storing the synthetic victim information in a computer-accessible database, receiving from a computer-hosted target site information provided to the computer-hosted target site by a requestor, identifying in the computer-accessible database database synthetic victim information matching the requestor information, and notifying the computer-hosted target site that the requestor information is of a synthetic victim.

Abstract: An approach is provided that automatically classify network traffic of web applications and services based on a dynamic analysis. The approach scans a resource that corresponds to a named network application and receives, as a result of the scan, network resource identifiers that are accessed by the named network application. Network traffic between users and network resources is monitored, with the monitoring resulting in a set of visited network resource identifiers. The set of resource identifiers is found by matching the visited network resource identifiers with the network resource identifiers returned by the scan. Each of the set of resource identifiers is then matched with the named application.

Abstract: An approach is provided that automatically classify network traffic of web applications and services based on a dynamic analysis. The approach scans a resource that corresponds to a named network application and receives, as a result of the scan, network resource identifiers that are accessed by the named network application. Network traffic between users and network resources is monitored, with the monitoring resulting in a set of visited network resource identifiers. The set of resource identifiers is found by matching the visited network resource identifiers with the network resource identifiers returned by the scan. Each of the set of resource identifiers is then matched with the named application.

Abstract: An example operation may include one or more of identifying a page of a website for phishing testing, attempting each of a Hypertext Transfer Protocol (HTTP) GET request and a HTTP Secure (HTTPS) GET request via the identified page of the website, attempting each of a HTTP POST request and a HTTPS POST request via the identified page of the website, determining if the website is a phishing website based on server responses to the attempted HTTP and HTTPS GET requests and the attempted HTTP and HTTPS POST requests received from the website, and in response to determining the website is a phishing website, outputting an indication of the determination for display on a display device.

Abstract: An approach is provided that automatically classify network traffic of web applications and services based on a dynamic analysis. The approach scans a resource that corresponds to a named network application and receives, as a result of the scan, network resource identifiers that are accessed by the named network application. Network traffic between users and network resources is monitored, with the monitoring resulting in a set of visited network resource identifiers. The set of resource identifiers is found by matching the visited network resource identifiers with the network resource identifiers returned by the scan. Each of the set of resource identifiers is then matched with the named application.