Abstract: A proxy detection method includes: in response to receiving, from a client device, a first request to establish a transport-layer connection between the client device and the server, transmitting a first message to the client device according to a first handshake sequence, for establishing the transport-layer connection; determining a first time period associated with completion of the first handshake sequence; in response to receiving, from the client device over the transport-layer connection, a second request to establish a secure link between a client endpoint and the server, transmitting a second message to the client endpoint according to a second predefined handshake sequence, for establishing the secure link; determining a second time period associated with completion of the second handshake sequence; and generating, based on the first time period and the second time period, a score indicating a likelihood that the client device is a proxy for the client endpoint.

Abstract: Systems and methods for monitoring user authenticity during user activities in a user session on an application server is provided. The method being carried out in a distributed manner by a distributed server system. The method comprises a user modeling-process and a user-verification process. The user-modeling process is performed on a user-model server in which a user model is adapted session-by-session to user activity data received from the application server. The user-verification process is performed on the application server on the basis of the user model adapted on the user-model server. The user-verification process comprises comparing the user model with features extracted from user activity in the user session on the application server and determining a total risk-score value based on the comparison. If the total risk-score value is greater than a given threshold, a corrective action is performed.

Abstract: The disclosed computer-implemented method for preventing targeted malware attacks may include (1) identifying at least one candidate risk factor for targets of previous targeted malware attacks that were directed to the targets based on characteristics of the targets, (2) calculating a degree of association between the candidate risk factor and the previous targeted malware attacks by comparing rates of targeted malware attacks between a group that possesses the risk factor and a group that does not possess the risk factor, (3) identifying a candidate target of a targeted malware attack that possesses the candidate risk factor, and (4) adjusting a security policy assigned to the candidate target of the targeted malware attack based on the calculated degree of association between the candidate risk factor and the previous targeted malware attacks. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Systems and methods for monitoring user authenticity according to user activities on an application server. A user-modeling process and a user-verification process are performed. In the user-modeling process, a user model is adapted session-by-session to user activities in which the user model includes a plurality of adaptive feature-specific user-behavior models. The user-verification process includes determining a plurality of feature-specific risk-score values, comparing the at least one of the adaptive feature-specific user-behavior models with a respective feature extracted from user activity in the user session on the application server, and determining a total risk-score value indicative of user authenticity by weighting and combining the plurality of feature-specific risk-score values. If the total risk-score value is greater than a given threshold, a corrective action is performed.

Abstract: A computer-implemented method for detecting compromised messaging accounts may include maintaining a behavior database that associates a plurality of messaging accounts with messaging behaviors that typify each of the messaging accounts. The method may also include detecting an attempt by a user to send a message from a messaging account. In addition, the method may include determining that the messaging account has potentially been compromised by comparing features of the message with messaging behaviors associated with the messaging account in the behavior database. Finally, the method may include verifying that the user is an owner of the messaging account in response to the determination that the messaging account has potentially been compromised. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Systems and methods for monitoring user authenticity during user activities in a user session on an application server is provided. The method being carried out in a distributed manner by a distributed server system. The method comprises a user modeling-process and a user-verification process. The user-modeling process is performed on a user-model server in which a user model is adapted session-by-session to user activity data received from the application server. The user-verification process is performed on the application server on the basis of the user model adapted on the user-model server. The user-verification process comprises comparing the user model with features extracted from user activity in the user session on the application server and determining a total risk-score value based on the comparison. If the total risk-score value is greater than a given threshold, a corrective action is performed.

Abstract: Systems and methods for monitoring user authenticity according to user activities on an application server. A user-modeling process and a user-verification process are performed. In the user-modeling process, a user model is adapted session-by-session to user activities in which the user model includes a plurality of adaptive feature-specific user-behavior models. The user-verification process includes determining a plurality of feature-specific risk-score values, comparing the at least one of the adaptive feature-specific user-behavior models with a respective feature extracted from user activity in the user session on the application server, and determining a total risk-score value indicative of user authenticity by weighting and combining the plurality of feature-specific risk-score values. If the total risk-score value is greater than a given threshold, a corrective action is performed.

Abstract: A computer system monitors a set of inactive addresses. The computer system identifies a suspicious activity associated with at least one inactive address of the set of inactive addresses. The computer system determines a suspicion score for the at least one inactive address based on the suspicious activity associated with the at least one inactive address. The computer system categorizes the at least one inactive address as a potentially hijacked address if the suspicion score exceeds a threshold.

Abstract: The disclosed computer-implemented method for identifying security threat sources responsible for security events may include (1) identifying security-event data collected from a plurality of security events detected over a network, (2) partitioning the security-event data into a set of single-dimensional security clusters, each grouped by a common feature, (3) determining that a subset of the single-dimensional security clusters exceed a threshold level of similarity relative to one another, (4) grouping the subset of single-dimensional clusters into a multi-dimensional security cluster corresponding to a single threat source in response to determining that the subset of single-dimensional clusters exceed the threshold level of similarity relative to one another, and then (5) determining, based at least in part on grouping the single-dimensional clusters into the multi-dimensional cluster, that the single threat source is likely responsible for some of the security events.

Abstract: The disclosed computer-implemented method for attributing potentially malicious email campaigns to known threat groups may include (1) identifying a potentially malicious email campaign targeting at least one organization, (2) detecting, within the potentially malicious email campaign, an incriminating feature that has been linked to a known threat group, (3) determining, based at least in part on detecting the incriminating feature linked to the known threat group, that the known threat group is likely responsible for the potentially malicious email campaign, and then in response to determining that the known threat group is likely responsible for the potentially malicious email campaign, (4) attributing the potentially malicious email campaign to the known threat group. Various other methods, systems, and computer-readable media are also disclosed.