Abstract: A method of collecting training data related to a branded phishing URL may comprise retrieving a phishing URL impersonating a brand; fetching a final webpage referenced thereby; determining the main language of the textual content thereof; rendering graphical representation(s) of the final webpage; extracting, from the source of URLs, information including the retrieved phishing URL, a brand, a type and a date associated therewith and storing the extracted information together with the final webpage and the rendered graphical representation(s). A message that contains a URL matching the phishing URL may then be retrieved. The main language of the textual content of the message may be determined and graphical representations thereof rendered. A record may be updated with the message, the main language and the rendered graphical representations, which may be made accessible as training data to train users to recognize phishing websites and messages.

Abstract: A method of collecting training data related to a branded phishing URL may comprise retrieving a phishing URL impersonating a brand; fetching a final webpage referenced thereby; determining the main language of the textual content thereof; rendering graphical representation(s) of the final webpage; extracting, from the source of URLs, information including the retrieved phishing URL, a brand, a type and a date associated therewith and storing the extracted information together with the final webpage and the rendered graphical representation(s). A message that contains a URL matching the phishing URL may then be retrieved. The main language of the textual content of the message may be determined and graphical representations thereof rendered. A record may be updated with the message, the main language and the rendered graphical representations, which may be made accessible as training data to train users to recognize phishing websites and messages.

Abstract: A method of collecting training data related to a branded phishing URL may comprise retrieving a phishing URL impersonating a brand; fetching a final webpage referenced thereby; determining the main language of the textual content thereof; rendering graphical representation(s) of the final webpage; extracting, from the source of URLs, information including the retrieved phishing URL, a brand, a type and a date associated therewith and storing the extracted information together with the final webpage and the rendered graphical representation(s). A message that contains a URL matching the phishing URL may then be retrieved. The main language of the textual content of the message may be determined and graphical representations thereof rendered. A record may be updated with the message, the main language and the rendered graphical representations, which may be made accessible as training data to train users to recognize phishing websites and messages.

Abstract: A machine includes a processor and a memory connected to the processor. The memory stores instructions executed by the processor to preserve a second level domain, track requests for subdomains of the second level domain, determine the size of encoded subdomain data and determine the size of response data for subdomain requests. When the ratio of the number of unique subdomains versus the number of subdomain requests is over a first threshold a first satisfied condition is established. It is determined, in response to the first satisfied condition, when the size of the subdomain data exceeds a second threshold and the size of response data exceeds a third threshold to establish a second satisfied condition corresponding to deemed domain name system tunnel activity. It is determined, in response to the first satisfied condition, when the size of the subdomain data exceeds the second threshold to establish a third satisfied condition corresponding to deemed domain name system data exfiltration activity.

Abstract: A machine includes a processor and a memory connected to the processor. The memory stores instructions executed by the processor to identify a resource attack in response to spikes in the number of unique subdomains being queried and spikes in the number of timeouts or delayed responses from a specified name server.

Abstract: A machine includes a processor and a memory connected to the processor. The memory stores instructions executed by the processor to preserve a second level domain, track requests for subdomains of the second level domain, determine the size of encoded subdomain data and determine the size of response data for subdomain requests. When the ratio of the number of unique subdomains versus the number of subdomain requests is over a first threshold a first satisfied condition is established. It is determined, in response to the first satisfied condition, when the size of the subdomain data exceeds a second threshold and the size of response data exceeds a third threshold to establish a second satisfied condition corresponding to deemed domain name system tunnel activity. It is determined, in response to the first satisfied condition, when the size of the subdomain data exceeds the second threshold to establish a third satisfied condition corresponding to deemed domain name system data exfiltration activity.

Abstract: A machine includes a processor and a memory connected to the processor. The memory stores instructions executed by the processor to identify a resource attack in response to spikes in the number of unique subdomains being queried and spikes in the number of timeouts or delayed responses from a specified name server.

Abstract: A multipurpose storage system based upon a distributed hashing mechanism with transactional support and failover capability is disclosed. According to one embodiment, a system comprises a client system in communication with a network, a secondary storage system in communication with the network, and a supervisor system in communication with the network. The supervisor system assigns a unique identifier to a first node system and places the first node system in communication with the network in a location computed by using hashing. The client system stores a data object on the first node system.

Abstract: A multipurpose storage system based upon a distributed hashing mechanism with transactional support and failover capability is disclosed. According to one embodiment, a system comprises a client system in communication with a network, a secondary storage system in communication with the network, and a supervisor system in communication with the network. The supervisor system assigns a unique identifier to a first node system and places the first node system in communication with the network in a location computed by using hashing. The client system stores a data object on the first node system.