Patents by Inventor Pei-Kan Tsung

Pei-Kan Tsung has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20240056469
    Abstract: A method for predicting an attacked path on enterprise networks includes: obtaining a plurality of accounts, a plurality of machines and network resource data, where the plurality of machines include at least one attacked target; calculating, according to the network resource data, a plurality of evaluated values of executing access on other machines of each account logging in at least one machine; and presenting an attacked path where a machine at least one account logs in accesses the attacked target directly, or indirectly by connecting to other machines, and the machine the at least one account logs in points to the attacked target directly, or indirectly by connecting to other machines.
    Type: Application
    Filed: June 9, 2023
    Publication date: February 15, 2024
    Inventors: Ming-Chang Chiu, Pei-Kan Tsung, Ming-Wei Wu, Cheng-Lin Yang, Che-Yu Lin, Sian-Yao Huang
  • Publication number: 20230036609
    Abstract: The present invention provides an event visualization device configured to generate one or more directed acyclic graphs (DAGs) that can be used as a basis for diagnosing whether a target network system has been hacked according to a plurality of activities records. The plurality of activities records pertain to an event cluster associated with a suspicious event category. The event visualization device performs a graph generating operation on the plurality of activities records in a recursive manner to generate a hierarchical directed acyclic graph (HDAG). The graph generating operation includes: interpreting an activities record into a target DAG, and performing a hierarchical partial order alignment (HPOA) operation on the target DAG and a reference DAG to obtain a merging condition of each node; and merging the target DAG and the reference DAG into the HDAG according to the merging condition.
    Type: Application
    Filed: July 18, 2022
    Publication date: February 2, 2023
    Inventors: Ming-Chang Chiu, Ming-Wei Wu, Pei-Kan Tsung, Che-Yu Lin, Cheng-Lin Yang
  • Publication number: 20230032070
    Abstract: The present invention provides a log classification system configured to perform a hierarchical similarity analysis operation according to a plurality of activities records to generate a discrete space metric tree, and perform a clustering operation on the discrete space metric tree to generate one or more event clusters associated with one or more suspicious event categories. The log classification system includes an output device configured to output the one or more event clusters to an information security incident diagnosis system, and allow the information security incident diagnosis system to calculate similar feature information and differential feature information of a plurality of activities records in the one or more event clusters as auxiliary information for diagnosing whether there are intrusions or abnormalities in a target network system.
    Type: Application
    Filed: July 18, 2022
    Publication date: February 2, 2023
    Inventors: Ming-Chang Chiu, Ming-Wei Wu, Pei-Kan Tsung, Che-Yu Lin, Cheng-Lin Yang
  • Publication number: 20230022709
    Abstract: The present invention provides an information security incident diagnosis system for assisting in detecting whether a target network system has been hacked. First, a plurality of activities records of one or more computing devices in a target network system are collected. Then, a discrete space metric tree is generated according to the plurality of activities records, and a clustering operation is performed on the discrete space metric tree to generate one or more event clusters associated with one or more suspicious event categories. Each event cluster may form a guide tree corresponding to the event cluster through single linkage clustering analysis to indicate a merging order from high to low similarity. The merging order is used for recursively performing a graph generating operation to convert a plurality of activities records corresponding to the one or more event clusters into a hierarchical directed acyclic graph (HDAG).
    Type: Application
    Filed: July 18, 2022
    Publication date: January 26, 2023
    Inventors: Ming-Chang Chiu, Ming-Wei Wu, Pei-Kan Tsung, Che-Yu Lin, Cheng-Lin Yang
  • Patent number: 11558352
    Abstract: A cyber security protection system includes a plurality of threat information updating devices; and a proactive suspicious domain alert system, which includes: a domain information monitoring device; a domain information storage device; and a security threat analysis device, arranged to operably communicate data with the plurality of threat information updating devices through a network. If the domain information monitoring device detects that a domain mapping of a suspect domain is changed and the new domain mapping of the suspect domain points to a predetermined local address, the domain information monitoring device would further monitor a domain mapping variation frequency of the suspect domain. If the domain mapping variation frequency of the suspect domain exceeds a predetermined value, the security threat analysis device adds the suspect domain into an alert list to render the plurality of threat information updating devices to block their member devices from accessing the suspect domain.
    Type: Grant
    Filed: October 1, 2021
    Date of Patent: January 17, 2023
    Assignee: CyCraft Singapore Pte. Ltd.
    Inventors: Ming-Chang Chiu, Hui-Ching Huang, Pei Kan Tsung, Ming Wei Wu
  • Patent number: 11470099
    Abstract: A cyber security protection system includes a plurality of threat information updating devices; and a proactive suspicious domain alert system, which includes: a domain information monitoring device, arranged to operably inspect domain ages of suspect domains; a domain information storage device; and a security threat analysis device, arranged to operably communicate data with the plurality of threat information updating devices through a network. Before the domain age of a suspect domain reaches a first threshold value, if the plurality of threat information updating devices discovers that a member device within a plurality of client network systems is trying to access the suspect domain, the security threat analysis device adds the suspect domain into an alert list to render the plurality of threat information updating devices to block member devices within the plurality of client network systems from accessing the suspect domain.
    Type: Grant
    Filed: October 1, 2021
    Date of Patent: October 11, 2022
    Assignee: CYCRAFT SINGAPORE PTE. LTD.
    Inventors: Ming-Chang Chiu, Hui-Ching Huang, Pei Kan Tsung, Ming Wei Wu
  • Patent number: 11328056
    Abstract: A suspicious event analysis device includes: a display device; a communication circuit, arranged to operably receive multiple suspicious activities records related to multiple computing devices in a target network and corresponding multiple time stamps and multiple attribute tags through internet; a storage circuit, arranged to operably store a suspicious event sequence diagram generating program; and a control circuit, arranged to operably execute the suspicious event sequence diagram generating program to conduct a suspicious event sequence diagram generating operation, so as to identify multiple suspicious events related to the target network as well as multiple time records corresponding to the multiple suspicious events, and to generate and display a suspicious event sequence diagram corresponding to the multiple suspicious events according to the multiple suspicious events and the multiple time records.
    Type: Grant
    Filed: August 22, 2019
    Date of Patent: May 10, 2022
    Assignee: CYCARRIER TECHNOLOGY CO., LTD.
    Inventors: Ming-Chang Chiu, Hui-Ching Huang, Pei Kan Tsung, Ming Wei Wu
  • Publication number: 20220124069
    Abstract: A cyber security protection system includes a plurality of threat information updating devices; and a proactive suspicious domain alert system, which includes: a domain information monitoring device; a domain information storage device; and a security threat analysis device, arranged to operably communicate data with the plurality of threat information updating devices through a network. If the domain information monitoring device detects that a domain mapping of a suspect domain is changed and the new domain mapping of the suspect domain points to a predetermined local address, the domain information monitoring device would further monitor a domain mapping variation frequency of the suspect domain. If the domain mapping variation frequency of the suspect domain exceeds a predetermined value, the security threat analysis device adds the suspect domain into an alert list to render the plurality of threat information updating devices to block their member devices from accessing the suspect domain.
    Type: Application
    Filed: October 1, 2021
    Publication date: April 21, 2022
    Applicant: CyCraft Singapore Pte. Ltd.
    Inventors: Ming-Chang CHIU, Hui-Ching HUANG, Pei Kan TSUNG, Ming Wei WU
  • Publication number: 20220124106
    Abstract: A cyber security protection system includes a plurality of threat information updating devices; and a proactive suspicious domain alert system, which includes: a domain information monitoring device, arranged to operably inspect domain ages of suspect domains; a domain information storage device; and a security threat analysis device, arranged to operably communicate data with the plurality of threat information updating devices through a network. Before the domain age of a suspect domain reaches a first threshold value, if the plurality of threat information updating devices discovers that a member device within a plurality of client network systems is trying to access the suspect domain, the security threat analysis device adds the suspect domain into an alert list to render the plurality of threat information updating devices to block member devices within the plurality of client network systems from accessing the suspect domain.
    Type: Application
    Filed: October 1, 2021
    Publication date: April 21, 2022
    Applicant: CyCraft Singapore Pte. Ltd.
    Inventors: Ming-Chang CHIU, Hui-Ching HUANG, Pei Kan TSUNG, Ming Wei WU
  • Publication number: 20200065481
    Abstract: A suspicious event analysis device includes: a display device; a communication circuit, arranged to operably receive multiple suspicious activities records related to multiple computing devices in a target network and corresponding multiple time stamps and multiple attribute tags through internet; a storage circuit, arranged to operably store a suspicious event sequence diagram generating program; and a control circuit, arranged to operably execute the suspicious event sequence diagram generating program to conduct a suspicious event sequence diagram generating operation, so as to identify multiple suspicious events related to the target network as well as multiple time records corresponding to the multiple suspicious events, and to generate and display a suspicious event sequence diagram corresponding to the multiple suspicious events according to the multiple suspicious events and the multiple time records.
    Type: Application
    Filed: August 22, 2019
    Publication date: February 27, 2020
    Applicant: CyCarrier Technology Co., Ltd.
    Inventors: Ming-Chang CHIU, Hui-Ching HUANG, Pei Kan TSUNG, Ming Wei WU
  • Publication number: 20200067971
    Abstract: A cyber breach diagnostics system includes: an activity records collection device arranged to operably collect multiple suspicious activities records related to multiple computing devices in a target network and corresponding multiple time stamps and multiple attribute tags, and to operably process the multiple suspicious activities records, the multiple time stamps, and the multiple attribute tags to generate a return data; and a suspicious event analysis device arranged to operably conduct a suspicious event sequence diagram generating operation to identify multiple suspicious events related to the target network as well as multiple time records corresponding to the multiple suspicious events, and to operably generate and display a suspicious event sequence diagram corresponding to the multiple suspicious events according to the multiple suspicious events and the multiple time records.
    Type: Application
    Filed: August 22, 2019
    Publication date: February 27, 2020
    Applicant: CyCarrier Technology Co., Ltd.
    Inventors: Ming-Chang CHIU, Hui-Ching HUANG, Pei Kan TSUNG, Ming Wei WU
  • Publication number: 20200067957
    Abstract: A suspicious event analysis device includes: a display device; a communication circuit, arranged to operably receive multiple suspicious activities records related to multiple computing devices in a target network and corresponding multiple time stamps and multiple attribute tags through internet; a storage circuit, arranged to operably store a suspicious event sequence diagram generating program; and a control circuit, arranged to operably execute the suspicious event sequence diagram generating program to conduct a suspicious event sequence diagram generating operation, so as to identify multiple suspicious events related to the target network as well as multiple time records corresponding to the multiple suspicious events, and to generate and display a suspicious event sequence diagram corresponding to the multiple suspicious events according to the multiple suspicious events and the multiple time records.
    Type: Application
    Filed: August 22, 2019
    Publication date: February 27, 2020
    Applicant: CyCarrier Technology Co., Ltd.
    Inventors: Ming-Chang CHIU, Hui-Ching HUANG, Pei Kan TSUNG, Ming Wei WU
  • Publication number: 20160134652
    Abstract: A method for recognizing a disguised malicious document, carried out by a computer system including a central processing unit (CPU), a memory, and a database storing rules for defining executable file and non-executable file, comprising steps of: receiving a static file through a network and an input/output interface; scanning the static file for a file header to determine if it is a non-executable file; analyzing file body of the non-executable file to locate components of an executable file and mark these positions; extracting components of the executable file from the non-executable file; concatenating the extracted components in accordance with a default rule or a heuristic rule to form a new file; and obtaining a new file that is executable, such that the received static file is a non-executable file having an embedded executable file, thus labeling the static file as a disguised malicious document.
    Type: Application
    Filed: January 18, 2016
    Publication date: May 12, 2016
    Inventors: Ming-Chang Chiu, Ming-Wei Wu, Ching-Chung Wang, Che-Kuo Hsu, Pei-Kan Tsung
  • Publication number: 20140150101
    Abstract: A method for recognizing a malicious file has the steps of: receiving a static file through a network or an input/output interface to be stored in the memory; defining suspicious positions where components of a malware are possibly encrypted in the static file; decrypting the suspicious positions to identify a PE header and a shellcode; extracting the PE header and the shellcode terms in segments; and determining whether the PE header and the shellcode terms can be assembled into an executable binary which indicates a recognition of the malicious file.
    Type: Application
    Filed: January 29, 2014
    Publication date: May 29, 2014
    Applicant: Xecure Lab Co., Ltd.
    Inventors: Ming-Chang Chiu, Ming-Wei Wu, Ching-Chung Wang, Che-Kuo Hsu, Pei-Kan Tsung
  • Publication number: 20130179975
    Abstract: A method for extracting the genetic fingerprinting of a malicious document file includes the steps of establishing a database to store a plurality of genetic fingerprinting data of the first malicious document, then retrieving a document file sent via the Internet, and then proceeding with multi-point detection and extraction to the document file, so as to obtain a multi-point section, then comparing and analyzing the multi-point section with the plurality of genetic fingerprinting data of the first malicious document to confirm whether the multi-point section program code of the document file matches a malicious feature, thereby achieving the goal of extracting the content information of the document file and converting it into the genetic fingerprinting data of a new malicious document.
    Type: Application
    Filed: September 12, 2012
    Publication date: July 11, 2013
    Inventors: Ming-Chang Chiu, Ming-Wei Wu, Ching-Chung Wang, Che-Kuo Hsu, Pei-Kan Tsung
  • Patent number: D919635
    Type: Grant
    Filed: July 10, 2019
    Date of Patent: May 18, 2021
    Assignee: CyCraft Singapore Pte. Ltd.
    Inventors: Ming-Chang Chiu, Sheng-Yang Peng, Pei Kan Tsung, Ming Wei Wu
  • Patent number: D922402
    Type: Grant
    Filed: July 10, 2019
    Date of Patent: June 15, 2021
    Assignee: CYCARRIER TECHNOLOGY CO., LTD.
    Inventors: Ming-Chang Chiu, Sheng-Yang Peng, Pei Kan Tsung, Ming Wei Wu