Abstract: Data prefiltering techniques for large scale data classification are disclosed herein. According to an implementation, a machine learning (ML) model can be trained to classify data elements. The ML model can be applied to a first data volume, resulting in determinations of data elements that belong in a relevant classification. The determined data elements can then be used to configure a prefilter. The prefilter can be applied to a second data volume to identify filtered data elements of types that are similar to the determined data elements. The filtered data elements can be provided to the ML model for classification.

Abstract: A system and method for verifying code bundles. One method includes receiving, from a client device, a request for information to verify an authorization of a code bundle, the code bundle associated with a first signed code segment and a second signed code segment. The method further includes generating a list of certificates associated with the code bundle and including a first certificate associated with the first signed code segment and a second certificate associated with the second signed code segment. The method further includes transmitting, to the client device, a message comprising the list of certificates, the list of certificates generated by a code sign management system (CSMS) and associated with the code bundle. The method further includes verifying, from the message causing the client device to verify the code bundle and based on the list of certificates, the code bundle.

Abstract: Systems and methods for providing network validations for cloud-based network architectures are described herein. For example, the system may receive a network requirement for a first cloud-based network architecture. The system may receive a first network action that corresponds to the network requirement when facilitated by the first cloud-based network architecture. The system may process the first network action through the first cloud-based network architecture. The system may receive a first indicium of security components used to process the first network action through the first cloud-based network architecture. The system may compare the first indicium to a known indicium for processing the first network action through an approved cloud-based network architecture. The system may generate a first network validation based on comparing the first indicium to the known indicium.

Abstract: A network device receives a network service request, for network service in a mobile network, from a user equipment device (UE), where the network service request includes a first service identifier (ID) and a subscription concealed ID (SUCI). The network device sends, to a Network Function (NF) in the mobile network, a SUCI deconcealment request that includes the SUCI. The network device receives, from the NF, a deconcealed Subscription Permanent Identifier (SUPI) decrypted from the SUCI. The network device verifies a validity of the first service ID for the deconcealed SUPI, and sends a service authorization response to the UE based on verification of the validity of the service ID from the UE.

Abstract: Aspects of the subject disclosure may include, for example, receiving, at a device, a message over a communication network from a remote source, determining if the message includes executable code and initiating a virtual machine in an isolated portion of the memory of the device responsive to the determining the message include executable code. Aspects of the subject disclosure further include executing, by the virtual machine, the executable code within the isolated portion of the memory, monitoring, by an artificial intelligence module, activities of the executable code during the executing the executable code and determining if the executable code comprises malicious code responsive to the monitoring activities of the executable code. Aspects of the disclosure further include deleting the executable code from the device in response to a determination that the executable code comprises malicious code. Other embodiments are disclosed.

Abstract: The systems and methods are provided that can enable the detection of certain modes of online interactions carried out by a user's computing device, for example, when an online app or webpage of an enterprise is accessed by the user's computing device. Certain exemplary implementations may utilize collector code that resides in the app or webpage opened by users accessing the enterprise service to measure and collect timing data to detect whether the user's computing device or associated browsing session is subjected to modes of manipulation such as the user browser's privacy mode being engaged, malware interacting with the browsing session, and/or some type of aggregator interacting with the browsing session. Such modes of manipulation can impact the utility and accuracy of certain forms of behavioral biometric algorithms, particularly those that utilize users' typing, timing, keystroke dwell, etc.

Abstract: A method includes emulating a browser in cooperation with a browser controller for providing a controlled environment to safely execute a web program, loading a web page into the browser, injecting, by executing the browser controller, a first program into the loaded web page, capturing a first visual representation of a HTML element of the web page at a first time after the loading, executing the web page in the browser, logging, via the first program, an execution of a second program embedded in the web page, capturing a second visual representation of the HTML element at a second time later than the first time after the execution of the second program, comparing the first and second visual representation to detect a visual change, identifying the execution of the second program as a cause of the visual change, and performing a remedial action related to the web page in response.

Abstract: Methods, storage systems and computer program products implement embodiments of the present invention for protecting a computing device, which includes a processor and a memory and is coupled to a storage device storing a set of one or more files. In embodiments of the present invention, a call to a specified function for execution by the processor is detected, and a stack trace for the call to the specified function is generated in the memory. Upon detecting, in the stack trace, a stack frame including a return address referencing a shellcode region in the memory, wherein the shellcode region includes executable code that was not loaded from any given file on the storage device, then the referenced executable code is compared to a list of malicious shellcode. Finally, a preventive action is initiated upon detecting a match between the referenced executable code and one of malicious shellcodes in the list.

Abstract: An information processing system is configured to acquire log data of a system including a network and a plurality of constituent elements that communicate via the network, and output information of one or more attack vectors including information of constituent elements related to the one or more attack vectors, based on the log data and network configuration information of the system in a case where an attack is detected in the system.

Abstract: Adaptive scanning is described. The adaptive scanning may include performing a passive scan of communications associated with a device, where the passive scan comprises observing one or more communications of the device over a network. One or more attributes associated with the device based on the passive scan are determined and an active scan of the device is performed based on the one or more attributes based on the passive scan. The active scan is customized for the device based on the one or more attributes determined based on the passive scan and the active scan comprises sending one or more requests to the device. One or more attributes associated with the device may be determined based on the active scan. The one or more attributes based on the passive scan and the one or more results based on the active scan associated with the device are stored.

Abstract: This application discloses a data packet processing method performed by an electronic device. The data packet processing method includes: obtaining a target network data packet; generating data packet fingerprints of the target network data packet, the data packet fingerprints including a target traffic attribute fingerprint and a target traffic payload fingerprint; determining a type of the target network data packet according to an occurrence frequency of the target traffic payload fingerprint in a fingerprint database and the target traffic attribute fingerprint, the fingerprint database including historical traffic payload fingerprints of a plurality of historical network data packets; and blocking a network connection of the target network data packet when the type of the target network data packet is an abnormal type.

Abstract: This disclosure describes techniques for an email security system to detect a malicious email and take remedial actions in response to the detected malicious email. The techniques described herein may enable the email security system to detect whether an email is malicious based on whether one or more files attached to the email are malicious. In some cases, the email security system determines whether an email attachment file is malicious based on a set of features that are specific to both a classification of the email (e.g., a semantic classification of the email) and a format of the email attachment file.

Abstract: The methods described herein include receiving a plurality of packets associated with a file, each of the plurality of packets comprising content, and a source domain; extracting one or more features from content of a first packet of the plurality of packets; applying a trained machine learning model to the extracted one or more features to determine a probability of maliciousness associated with the first packet; responsive to determining that the probability maliciousness of the first packet is between a first threshold value and a second threshold value, labeling the first packet as having an uncertain maliciousness; extracting one or more features from content of a second packet of the plurality of packets; and applying the trained machine learning model to the extracted one or more features of the first packet and the second packet to determine a probability of maliciousness associated with the second packet.

Abstract: Techniques for utilizing a network gateway provisioned in a software-defined network to verify service readiness of one or more security service(s) of a service chain prior to redirecting network traffic along a given data-path to the security service(s). The gateway may be configured to open a specific port on a network device hosting a security service to transmit network policies and/or test network traffic to the security service. The network gateway may host a virtual source and/or a virtual destination and cause the virtual source to send test network traffic through the security service via the port and to the virtual destination. The gateway may then utilize the received test network traffic to determine whether a given security service satisfies a threshold health and/or functionality measurement. Once it is determined that the security service satisfies the thresholds, the gateway may cause network traffic to be redirected to the security service.

Abstract: A method includes defining, using a first neural network, and based on a plurality of inputs, a first state associated with (1) an entity and (2) a first node from a plurality of nodes included in a reinforcement learning model. The reinforcement learning model determines, based on a reward, (1) a second state associated with a second node and (2) an indication of an action associated with a transition from the first state to the second state. The method also includes generating, using a second neural network, an implementation of the action based on the first state, the second state, and the indication of the action. In response to the implementation of the action being transmitted to the entity, a success metric, determined based on an outcome of the implementation of the action, is received. A third state associated with the entity is determined based on the success metric.

Abstract: Systems, methods, and computer-readable media for performing threat remediation through a switch fabric of a virtualized network environment. Data traffic passing into a virtualized network environment including a plurality of virtual machines running on a switch fabric is monitored. A network threat introduced through at a least a portion of the data traffic is identified at the switch fabric. One or more remedial measures are performed in the network environment based on the identification of the network threat in the virtualized network environment.

Abstract: The invention relates to a computer system and computer-implemented method for clearing possible malware from electronic documents, comprising the following steps: receiving an electronic original document on a control computer (1); transmitting the electronic original document to a display computer (2); transmitting the document content of the original document via a presentation signal (3) from the display computer (2) to the control computer (1); the control computer (1) creating an electronic document copy from the presentation signal (3).

Abstract: A method includes receiving, at a server from a user device, a user query to a large language model (LLM), creating an LLM query from the user query, inserting a system prohibited request into the LLM query to generate a revised LLM query, and sending the revised LLM query to the LLM. The method further includes receiving, from the LLM, a first LLM response to the LLM query, testing the first LLM response to detect whether a prohibited response to the system prohibited request is included in the first LLM response, and setting a prompt injection signal based on whether the prohibited response to the system prohibited request is included in the first LLM response.

Abstract: A method may include collecting, by a software agent connected to a target application, a set of observations of executing the target application while in a logging mode. The set of observations identifies instances of operations of the target application. The method may also include transmitting the set of observations to a security service, and receiving an allow list and a confidence estimator model from the security service. The security service generalizes the operations into multiple general operations in the allow list and trains the confidence estimator model based on the set of observations. The method may in addition include transitioning, by the software agent, to a blocking mode, and controlling, according to the allow list and the confidence estimator model, performance by the target application of second instances of second operations while in blocking mode.

Abstract: A system is provided. The system includes a data storage system and a client device communicatively coupled to the data storage device. The client device includes a processing device to receive a data request directed to the data storage system, translate the data request to a backend protocol of the data storage system, and retrieve one or more portions of data from the data storage system based on the translated data request. In some embodiments, the processing device is a data processing unit of the client device dedicated to executing a protocol endpoint of the data storage system.

Abstract: A technique and method for detection and display of the cybersecurity risk context of a cloud environment initiates an inspection of cybersecurity objects within a cloud environment utilizing an inspection environment and stores information pertaining to discovered cybersecurity objects within the inspected cloud environment in a storage environment. The technique and method further generate a cybersecurity risk context for the inspected cloud environment based on the observations made concerning the cybersecurity objects contained within it. The technique and method further configure a web browser running on a client device to automatically display the generated cybersecurity risk context to a user, either through a web page overlay or through a toolbar plugin which has been installed in the web browser and configured to enable inspections of a cloud environment, once the user has navigated to a web page containing cybersecurity object identifiers.

Abstract: A log management device includes a log collection unit configured to receive a log generated by a security sensor, a storage unit configured to store the log, a statistical analysis unit configured to obtain a statistical calculation result by performing statistical analysis on a plurality of the logs, a control unit configured to determine which of the log and the statistical calculation result is to be sent according to a predetermined condition, and a transmission unit configured to transmit at least one of the log or the statistical calculation result according to the predetermined condition.

Abstract: The invention relates to a system and method that relates to creation of a digital fingerprint library for storing information of a document containing protected information. The system mainly includes a fragment generator, a fingerprint value generator, and the digital fingerprint library. The fragment generator generates fragments of the document using a sliding window method. Fragment length is determined heuristically, can be hardcoded in the program or be a parameter in GUI. The fingerprint value generator generates a fingerprint value, e.g., its hash, for each fragment. The fingerprint value represents the information related to respective fragments. The digital fingerprint library then stores the fingerprint value. Fingerprint values of individual fragments serve as key values to provide a mechanism for comparing fragments of unknown files to the digital fingerprint library.

Abstract: A microprocessor includes a cache memory, a store queue, and a load/store unit. Each entry of the store queue holds store data associated with a store instruction. The load/store unit, during execution of a load instruction, makes a determination that an entry of the store queue holds store data that includes some but not all bytes of load data requested by the load instruction, cancels execution of the load instruction in response to the determination, and writes to an entry of a structure from which the load instruction is subsequently issuable for re-execution an identifier of a store instruction that is older in program order than the load instruction and an indication that the load instruction is not eligible to re-execute until the identified older store instruction updates the cache memory with store data.

Abstract: An encryption terminal includes a terminal communication unit that receives an encryption algorithm for creating ciphertext from plaintext, the encryption algorithm being encrypted using a first one-time key in a one-time pad method, a terminal storage unit that stores a key table containing a second one-time key corresponding to the first one-time key, and a decryption unit that decrypts the encrypted encryption algorithm by using the second one-time key.

Abstract: A method of communication between nodes in a telecommunications network. Each node maintains a copy of a shared digital ledger, is identified by a respective identification code and implements a software application configured to manage the transmission of data packets and maintain the shared digital ledger. The method includes: memorizing a list of identification codes, each code identifying a respective node included in a subset of nodes of the network, identifying a receiver node to transmit the data packet, generating a data packet to be delivered to a recipient node, transmitting to the first node of the minimum sequence of nodes the data packet, issuing a request to the network nodes to record the data packet transmission in the distributed ledger, and when a data packet is received, the method requires that each receiver node, other than the recipient node of the data packet, repeats at least some steps.

Abstract: A system for processing data within a Trusted Execution Environment (TEE) of a processor is provided. The system may include: a trust manager unit for verifying identity of a partner and issuing a communication key to the partner upon said verification of identity; at least one interface for receiving encrypted data from the partner encrypted using the communication key; a secure database within the TEE for storing the encrypted data with a storage key and for preventing unauthorized access of the encrypted data within the TEE; and a recommendation engine for decrypting and analyzing the encrypted data to generate recommendations based on the decrypted data.

Abstract: Methods and systems for managing threats to data processing systems are disclosed. To manage the threats, multiple threat management models may be utilized. The threat management models may include centralized models that rely on operable connectivity to particular systems, and distributed models that do not rely on operable connectivity to the particular systems. The data processing systems may flexibly switch between use of these models to respond to changes in operably connectivity of a distributed system.

Abstract: The disclosure provides computing platforms, systems, methods, and storage media for delivering contextual feedback to a user of a potential cybersecurity attack, such as a phishing attack. In an aspect, the disclosure provides: configuring, via a processor, a plurality of rules, each rule associated with an indicator of suspicious activity and a feedback snippet corresponding to the indicator; receiving, at the processor, a report of a potentially malicious electronic communication; triggering, at the processor, a rule of the plurality of rules based on the associated indicator and the report of the electronic communication; generating, at the processor, feedback comprising the feedback snippet associated with each triggered rule; automatically providing the feedback to the user.

Abstract: A processor-implemented method generates adversarial example objects. One or more processors represent an adversarial input generation process as a graph. The processor(s) explore the graph, such that a sequence of edges on the graph are explored. The processor(s) create, based on the exploring, an adversarial example object, and utilize the created adversarial example object to harden an existing process model against vulnerabilities.

Abstract: A non-transitory computer-readable recording medium has stored therein a program that causes a computer to execute a process. The process includes acquiring a check program for checking data processing on data from a server in a blockchain network, executing the check program, giving a first signature of the server to a check result generated by executing the data processing during the execution of the check program, and publishing the check result with the first signature in the blockchain network.

Abstract: A disinfecting tracking network for creating healthier environments. The system and methods for tracking and utilizing this information to build and maintain healthier environments with a laboratory approach to data inputs. This system is a cloud based system with IOT interface and APIs to enable broad reaching inputs for analysis. This system creates a safer ecosystem and cross statistic sharing of performance parameters.

Abstract: A data management system may include a monitoring device comprising a sensor, a memory storing executable instructions, and a processor. The sensor may generate sensor data and transmits the sensor data to a third-party system. The processor may receive the sensor data from the third-party system and associate the sensor data with a user account. The user account may include additional sensor data from other monitoring devices and such that the sensor data together with the additional sensor data comprises aggregated sensor data. The processor may determine a risk value of the aggregated sensor data is greater than a risk threshold and flag the user account in response to determining the risk value of the sensor data is greater than the risk threshold. The processor may also transmit a signal indicative of the flagged user account to an application of a user device.

Abstract: A system and method for detecting cyberattacks involves monitoring and analyzing incoming email received over the internet using enterprise telemetry; extracting observations from an enterprise telemetry data feeds and transmitting to a summarization module for summarizing a potential indicator of compromise pertaining to the email monitored and analyzed by the network telemetry; storing the observation summarization data in a graph database; querying over the internet an external cybersecurity threat intelligence provider, upon identification of a true-positive network threat, for enriching information and artifacts contained within the true-positive network threat, receiving over the internet enriching information and artifacts from the external cybersecurity threat intelligence provider, and storing the received enriching information and artifacts in the graph database; and identifying a new indicator of compromise using data stored in the graph database.

Abstract: A device configuration method for a vehicle in a fleet of vehicles comprises, at a computing device communicatively coupled to electronic devices provided in the vehicle, obtaining at least one template configuration file assigned to the computing device based on a user selection, the at least one template configuration file specific to the fleet of vehicles and comprising first configuration data indicative of a manner in which the computing device is to interface with the electronic devices, and second configuration data indicative of a desired setting for at least one configuration parameter of one or more electronic devices, automatically self-configuring for operation based on the first configuration data, and transmitting, at least in part, the second configuration data to the one or more electronic devices to cause the one or more electronic devices to adjust the at least one configuration parameter to the desired setting.

Abstract: Techniques for providing identity protection are disclosed. A system, process, and/or computer program product for providing identity protection includes monitoring a plurality of sites, extracting predetermined user information for a user from the plurality of monitored sites to generate a profile of the user, analyzing, using a model, the profile of the user to detect whether one or more security vulnerabilities exist for social engineering attacks for one or more enterprise resources associated with the user, and performing an action in response to the one or more detected security vulnerabilities based on a policy.

Abstract: Examples of the present disclosure describe systems and methods for behavioral threat detection definition. In an example, a behavior rule comprising a set of rule instructions is used to define one or more events indicative of a behavior. For example, a set of events from which one event must be matched may be defined or a set of events from which all events must be matched may be defined. In some examples, events are matched based on an event name or type, or may be matched based on one or more parameters. Exact and/or inexact matching may be used. The set of rule instructions ultimately specifies one or more halt instructions, thereby indicating that a determination as to the presence of the behavior has been made. Example determinations include, but are not limited to, a match determination, a non-match determination, or an indication that additional monitoring should be performed.

Abstract: Methods, apparatus, systems and articles of manufacture are disclosed. An example apparatus includes at least one memory, instructions in the apparatus, at least one processor to execute the instructions to, in response to identifying malicious data: a) in response to determining that the at least one processor is controlled by the first operating system type, block a download from being executed, and b) in response to determining a switch from the first operating system type to the second operating system type, remove, from the at least one memory, an object downloaded in the download.

Abstract: A device inputs a first source code, which is source code of the software to be monitored; builds the first source code to generate a first binary; generates a first CFG based on the first binary; embeds a tamper detection feature and tamper detection feature calling functions in a first source code based on the first CFG to generate a second source code, builds a second source code to generate a second binary; generates a second CFG based on the second binary; creates an allowed list based on the second binary and the second CFG, and outputs the second binary and the allowed list. Here, in creating the allowed list, the monitoring range for the tamper detection feature calling functions is determined based on the second CFG, and a list of hash values of the monitoring range for the tamper detection feature calling functions is created as an allowed list.

Abstract: A system for automated sensitive information discovery, monitoring, and remediation using an agent associated to a data source and including: a module detecting the occurrence of events indicative of access to data; an module identifying the events classified as potentially threatening; a module extracting data associated to each potentially threatening event; and a module performing data analysis of the extracted data and determining a sensitivity score for the data to file associated to the potentially threatening event. The system also comprises a central platform in data communication with the agent and including: a module analyzing data received from the agent and identifying a potential security risk relative to one of a user or group of users associated to the data source, the data source, a specific file or a specific data type stored on the data source; and a control module triggering remediation actions upon detection of a security risk.

Abstract: Methods, apparatus, and processor-readable storage media for detection of anomalous behavior on online platforms using machine learning techniques are provided herein. An example method includes obtaining a set of machine learning models configured to detect anomalous behavior associated with users interacting with an online platform and performing an incremental machine learning process on one or more of the machine learning models in the set. The incremental machine learning process may include obtaining data related to interactions of users with the online platform, updating at least one of the machine learning models in the set based on the obtained data, comparing the machine learning models, and selecting one of the machine learning models from the set to be used by the online platform based on the comparison. The method may further include determining, utilizing the selected machine learning model, that a given user is exhibiting anomalous behavior on the online platform.

Abstract: Live and legitimate user traffic is used with in depth knowledge of the business logic for an API specification to perform security testing on a set of APIs. The present system intercepts and analyzes application program interface (API) traffic, identifies user session data, and identifies traffic suitable to duplicate. The identified traffic is duplicated and modified by addition of malicious code. The modified code is then sent to its intended API destination, where it is processed as normal. The resulting response and other traffic as well as the API system and optionally other systems, such as datastore systems, are analyzed to determine if the malicious code resulted in a valid attack. Results from the modified code attack attempts are reported to a user.

Abstract: A method for prevention of malware infection of a user device. A first request for a first web page is received from the user device. Transmitting, to a website associated with the requested first web page and in response to the first request a second request for the first web page. In response to the second request, receiving a first set of data associated with the first web page. Generating, based on a first set of data in the first domain format, a first set of graphical images representing respective portions of the first set of data in a second domain format. Transmitting, to the user device, the first set of graphical images with correlation data configured to enable a user to interact with the graphical images on the user device in a manner that is substantially the same as though the user device had received the first web page in the first domain format and the first web page had been rendered from the first domain format by a program operating on the user device.

Abstract: Disclosed is a hybridoma cell strain that secretes anti-dinitolmide monoclonal antibodies applicable to the field of food safety immunoassay methods. The hybridoma cell strain DAS3H10 that secretes anti-dinitolmide monoclonal antibodies has been deposited in Comprehensive Microbiology Center of China Microbial Culture Collection Management Committee (CGMCC), addressed in No. 1 Hospital No. 3 Institute of Microbiology of the Chinese Academy of Sciences, North Chenxi Road, Beijing Chaoyang District in Beijing. It is classified as a monoclonal cell strain. The deposit date is Nov. 28, 2019, and the deposit number is MCCC No. 19165. The monoclonal antibody secreted by the hybridoma cell strain DAS3H10 has a good affinity and high sensitivity to dinitolmide. Because of IC50 to dinitolmide up to 9.01 ng/mL, the monoclonal antibody could be used to prepare dinitolmide immunoassay kits and colloidal gold test strips, and can further provide a powerful means for detecting dinitolmide in animal-derived foods.

Abstract: According to some embodiments of the disclosure, a method includes receiving an electronic communication directed to a data resource, determining, by a machine learning (ML) web application firewall (WAF), an attack probability of the electronic communication based on a plurality of features, wherein subsets of the plurality of features are arranged in a plurality of feature groups, adjusting the attack probability based on respective feature weights of the plurality of feature groups.

Abstract: One example method includes integrating user space applications with kernel space events including primitives. The events are intercepted in kernel space and processed in user space. The events can be stored in a session cache that allows a holistic view of behavior to be determined with regard to resources of the computing system. The events in the session cache can be correlated to user or process behavior by provided a time-based view of the events.

Abstract: Disclosed herein are systems and method for restoring files from a backup, the method including: retrieving a time indicator from a time server associated with a backup server; synchronizing time between the backup server and a computing device performing a backup, based on the time indicator; performing the backup of files from the computing device to the backup server, wherein a malicious process modifies at least one file being backed up at an incident time during the backup and performs an attempt to change a time of the computing device such that a modification timestamp of the at least one file precedes the incident time; blocking the attempt to change the time of the computing device; subsequent to completing the backup, detecting the malicious process infecting the computing device; and performing a restoration of the backup on the computing device.

Abstract: There may be situations in which it is desirable to dynamically implement a rule on the firewall in response to detecting a particular pattern of user activity. However, the software code required for tracking user activity, identifying patterns of user activity, and deciding what action to take may be relatively complex. Deploying such software code on a firewall increases the complexity of the firewall. For example, the firewall can no longer be “stateless”. In some embodiments, the destination server works in combination with the firewall. The destination server monitors traffic to determine particular patterns of user activity. In response to a particular pattern of user activity being detected, an appropriate rule is established and the firewall is sent a command to implement the rule.

Abstract: Provided is a resource monitoring apparatus including a log generation unit for extracting a method requested from a hardware abstraction layer and generating a log; a log classification unit for classifying the generated log according to a type of an interface connected to the method; and a log determination unit for identifying a malicious activity from the classified log based on pattern information of the log set differently depending on the type of the interface.

Abstract: A method and a computing device for identifying malicious web resource are provided. The method comprises: obtaining a given link of a plurality of links, the given link referring to an initial malicious web resource; retrieving, from a database, simulated user parameters indicative of a simulated user environment and at least one user behavior vector including values indicative of simulated user actions with the initial malicious web resource; based on the simulated user parameters and the simulated user actions, determining at least one redirect chain, a given one of the at least one redirect chain including web resources defining a transition sequence from the initial malicious web resource to a respective target malicious web resource; generating, based on the at least one redirect chain, a redirect graph; and analyzing the redirect graph to determine a plurality of user redirect rules for further use in identifying in-use malicious web resources.