Abstract: Various embodiments provide techniques for graph clustering. In one or more embodiments, a participation graph is obtained that represents relationships between entities. An auxiliary graph is constructed based on the participation graph. The auxiliary graph may be constructed such that the auxiliary graph is less dense than the participation graph and is therefore computationally less complex to analyze. Clusters in the auxiliary graph are determined by solving an objective function defined for the auxiliary graph. Clusters determined for the auxiliary graph may then be utilized to ascertain clusters in the participation graph that solve a related objective function defined for the participation graph.

Abstract: An approach for identifying suspect network sites in a network environment entails using one or more malware analysis modules to identify distribution sites that host malicious content and/or benign content. The approach then uses a linking analysis module to identify landing sites that are linked to the distribution sites. These linked sites are identified as suspect sites for further analysis. This analysis can be characterized as “bottom up” because it is initiated by the detection of potentially problematic distribution sites. The approach can also perform linking analysis to identify a suspect network site based on a number of alternating paths between that network site and a set of distribution sites that are known to host malicious content. The approach can also train a classifier module to predict whether an unknown landing site is a malicious landing site or a benign landing site.

Abstract: Various embodiments provide techniques for graph clustering. In one or more embodiments, a participation graph is obtained that represents relationships between entities. An auxiliary graph is constructed based on the participation graph. The auxiliary graph may be constructed such that the auxiliary graph is less dense than the participation graph and is therefore computationally less complex to analyze. Clusters in the auxiliary graph are determined by solving an objective function defined for the auxiliary graph. Clusters determined for the auxiliary graph may then be utilized to ascertain clusters in the participation graph that solve a related objective function defined for the participation graph.

Abstract: An approach for identifying suspect network sites in a network environment entails using one or more malware analysis modules to identify distribution sites that host malicious content and/or benign content. The approach then uses a linking analysis module to identify landing sites that are linked to the distribution sites. These linked sites are identified as suspect sites for further analysis. This analysis can be characterized as “bottom up” because it is initiated by the detection of potentially problematic distribution sites. The approach can also perform linking analysis to identify a suspect network site based on a number of alternating paths between that network site and a set of distribution sites that are known to host malicious content. The approach can also train a classifier module to predict whether an unknown landing site is a malicious landing site or a benign landing site.