Monitoring Or Scanning Of Software Or Data Including Attack Prevention Patents (Class 726/22)
  • Patent number: 11457042
    Abstract: Embodiments are disclosed for detecting and responding to potentially fraudulent transactions and other network access events via a system comprising a three-tiered network architecture. An example system comprises one or more user equipment devices configured with a thin client application (a first tier). The one or more user equipment devices are capable of communicating with a respective local authority controller and a local knowledge base (the second tier). The one or more local authority controllers and local knowledge bases are configured to interact with a master authority controller and master knowledge base (the third tier) to enable the efficient assessment of potentially localized fraudulent network activity and the passing of network access rule sets amongst the devices in each tier. Corresponding apparatuses and methods are also provided.
    Type: Grant
    Filed: February 27, 2018
    Date of Patent: September 27, 2022
    Assignee: Wells Fargo Bank, N.A.
    Inventor: Masoud Vakili
  • Patent number: 11451582
    Abstract: Detecting a Denial of Service (DoS) attack in a network by a network edge router device whereby network traffic flows from the edge router to a core router in the network. Storing DoS attack traffic information in storage associated with the edge router which receives network traffic. Determining in the edge router if a portion of the received network traffic matches at least a portion of the stored DoS attack information. Determining in the edge router an alert condition exists if a portion of the received network traffic is determined to match at least a portion of the stored DoS attack information. Sending an alert signal from the edge router to an attack mitigation device if it is determined an alert condition exists, causing the attack mitigation device to transition to a mitigation state for mitigating effects of a DoS attack upon the network.
    Type: Grant
    Filed: April 16, 2020
    Date of Patent: September 20, 2022
    Assignee: Arbor Networks, Inc.
    Inventor: Brian St. Pierre
  • Patent number: 11449603
    Abstract: A computer-based method is disclosed to facilitate managing data exfiltration risk in a computer network environment. The method includes collecting computer file management information associated with each respective one of a plurality of computer files in an organization's computer network environment from a computer operating system, collecting user activity information associated with each respective one of a plurality of user sessions by users having access to the organization's computer network environment with a plurality of session monitoring agents, correlating at least some of the collected user activity information to one or more of the computer files associated with the collected file management information; and assessing data exfiltration risk with respect to one or more of the computer files based at least in part on some of the file management information and the correlated user activity information associated with a file history chain.
    Type: Grant
    Filed: August 27, 2018
    Date of Patent: September 20, 2022
    Assignee: Proofpoint, Inc.
    Inventors: Oded Tietz, Mayank Choudhary, Nir Barak, Micky Oland, Tal Shemesh, Yigal Meshulam, Lior Calif
  • Patent number: 11451553
    Abstract: A resource-access management system detects whether a user is authorized to access resources. The system may include a user device being configured to include a sensor that detects sensor data associated with the user. Further, the system includes a client qualification engine that determines whether or not a client is authorized to access the resources by comparing the sensor data with a plurality of patterns for evaluating whether or not the user is an authorized user. User scores are generated based on the compared sensor data and the plurality of patterns. Further, a composite score corresponding to the user is generated using the sensor data, plurality of patterns, and one or more additional criteria. Whether the user is granted access to the resources, presented with unauthorized user tests, or blocked from access to the resources depends on the composite score and threshold values.
    Type: Grant
    Filed: August 28, 2020
    Date of Patent: September 20, 2022
    Assignee: Live Nation Entertainment, Inc.
    Inventors: Fengpei Du, Michael Lane, Kenneth Ives-Halperin
  • Patent number: 11451580
    Abstract: Non-limiting embodiments of the present technology are directed to a system and a method for ensuring cybersecurity, namely, to a method for distributed malware inspection and a system implementing the method. The method comprises receiving input data identifying a potential malware; checking the potential malware based on the input data; adding check parameters and at least one result of the potential malware check into the transaction pool; receiving results of the distributed check of the potential malware from the plurality of networked computer devices; determining a harmfulness parameter based on results of the distributed malware check of the potential malware; in response to the harmfulness parameter of the potential malware exceeding a predetermined threshold value, identifying the potential malware as malware; storing the identified malware and associated data related to the identified malware in the distributed malware register.
    Type: Grant
    Filed: January 9, 2019
    Date of Patent: September 20, 2022
    Assignee: TRUST LTD.
    Inventors: Ilya Konstantinovich Sachkov, Aleksandr Vyacheslavovich Lazarenko
  • Patent number: 11444960
    Abstract: Improved tools and techniques for generating stateful rules for behavior-based threat detection enable threat analysts, who do not have advanced computer programming skills, to quickly and easily generate high-level representations of stateful behavioral rules, which are then compiled into a format suitable for execution by a stateful rule processing engine. In some examples, the high-level representations of stateful rules are coded in a high-level, domain specific language (DSL). The DSL may provide high-level primitives suitable for (1) expressing sequences of attack behaviors, (2) tagging computational entities (e.g., threads, processes, applications, systems, users, etc.) with states (e.g., user-defined states), and/or (3) performing operations on endpoint nodes (e.g., reporting activity, blocking activity, terminating processes, etc.).
    Type: Grant
    Filed: December 18, 2019
    Date of Patent: September 13, 2022
    Assignee: VMware, Inc.
    Inventors: Paul M. Drapeau, Kyle P. Gwinnup
  • Patent number: 11444978
    Abstract: Disclosed is classifying a URL and a page accessed via the URL as phishing or not. URL embedder extracts characters in a predetermined set from the URL to produce a character string trained using ground truth classification of the URL, producing a URL embedding. HTML parser accesses content at the URL and extracts HTML tokens from the page. Further, HTML encoder, trained on HTML tokens extracted from pages at example URLs, each example URL accompanied by a ground truth image captured from the page accessed via the example URL, produces an HTML encoding of the extracted tokens. Also, phishing classifier layers, trained on the URL embedding and the HTML encoding of example URLs, processes a concatenated input of the URL embedding and the HTML encoding to produce a score of a phishing risk.
    Type: Grant
    Filed: September 14, 2021
    Date of Patent: September 13, 2022
    Assignee: Netskope, Inc.
    Inventors: Yihua Liao, Ari Azarafrooz, Najmeh Miramirkhani, Zhi Xu
  • Patent number: 11443056
    Abstract: An approach is disclosed that enforces restrictions to data in a filesystem based on metadata for a file including a name for an attribute, a type, and a location in the file for the type. A file specific metadata includes an owner, contact information, access rights including an owner consent-based access policy, users of the system who can access the file and the type of access allowed by the users based on a purpose for the access. The operating system (OS) enforces an access to attribute entries of the file based on the purpose and selected metadata in the associated metadata. The restrictions for file access are driven by the file structure metadata which identifies types of information, where in the file each type of information is located, and consent information which specifies what type of information is accessible to a requestor retrieving data for a specific purpose.
    Type: Grant
    Filed: September 20, 2019
    Date of Patent: September 13, 2022
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Aris Gkoulalas-Divanis, Corville O. Allen
  • Patent number: 11444964
    Abstract: The present disclosure relates to a method and an apparatus for training a model for detecting anomalies in network data traffic between devices in a first part of a network and devices in a second part of the network. The method comprises collecting feature samples of network data traffic at a monitoring point between a first and a second part of the network, and training the model for detecting anomalies on the collected feature samples using a plurality of anomaly detection, AD, trees. The training comprises creating the plurality of AD trees using respective subsets of the collected feature samples, at least some of the AD trees comprising subspace selection nodes and anomaly-catching nodes to a predetermined AD tree depth limit.
    Type: Grant
    Filed: June 4, 2019
    Date of Patent: September 13, 2022
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (publ)
    Inventors: Jakob Sternby, Vasileios Giannokostas, Michael Liljenstam, Erik Thormarker
  • Patent number: 11444963
    Abstract: A threat intelligence gateway (TIG) may protect TCP/IP networks from network (e.g., Internet) threats by enforcing certain policies on in-transit packets that are crossing network boundaries. The policies may be composed of packet filtering rules with packet-matching criteria derived from cyber threat intelligence (CTI) associated with Internet threats. These CTI-derived packet-filtering rules may be created offline by policy creation and management servers, which may distribute the policies to subscribing TIGs that subsequently enforce the policies on in-transit packets. Each packet filtering rule may specify a disposition that may be applied to a matching in-transit packet, such as deny/block/drop the in-transit packet or pass/allow/forward the in-transit packet, and also may specify directives that may be applied to a matching in-transit packet, such as log, capture, spoof-tcp-rst, etc.
    Type: Grant
    Filed: March 15, 2022
    Date of Patent: September 13, 2022
    Assignee: Centripetal Networks, Inc.
    Inventors: Sean Moore, Jonathan R. Rogers, Vincent Mutolo, Peter P. Geremia
  • Patent number: 11438363
    Abstract: Systems and methods include receiving a domain of interest; performing an analysis of the domain to extract namespaces of the domain, hosts associated with the domain, subdomains associated with the domain, namespaces of the subdomains, and addresses including address ranges of any identified namespaces; performing a Common Vulnerabilities and Exposures (CVE) search based on the analysis to identify a CVE list associated with the domain; determining weightings of the namespaces of the domain and the subdomains to provide a name list; obtaining cloud monitoring content associated with the domain; and utilizing the name list, the CVE list, and the cloud monitoring content to determine a risk associated with the domain.
    Type: Grant
    Filed: April 3, 2020
    Date of Patent: September 6, 2022
    Assignee: Zscaler, Inc.
    Inventor: Nathan Howe
  • Patent number: 11435994
    Abstract: Systems, devices, computer-implemented methods, and tangible non-transitory computer readable media for providing multi-platform application integration and data synchronization with third-party applications. For example, a computer-implemented method performed by a computing device may include obtaining third-party application data associated with a third-party application that is separate from a computing system that comprises organizational data of an organization, analyzing the third-party application data based on one or more rules associated with the computing system and integration information for integrating the third-party application with the organizational data of the organization, processing the third-party application data based on the integration information associated with the third-party application, and performing one or more operations associated with the organizational data based on processing the third-party application data.
    Type: Grant
    Filed: July 1, 2021
    Date of Patent: September 6, 2022
    Assignee: PEOPLE CENTER, INC.
    Inventors: Siddhartha Gunda, Kyle Michael Boston, Daniel Robert Buscaglia, Dilanka Theshan Dharmasena, Ruhitaj Reddypalli, Nilay Pochhi
  • Patent number: 11438351
    Abstract: A threat intelligence gateway (TIG) may protect TCP/IP networks from network (e.g., Internet) threats by enforcing certain policies on in-transit packets that are crossing network boundaries. The policies may be composed of packet filtering rules with packet-matching criteria derived from cyber threat intelligence (CTI) associated with Internet threats. These CTI-derived packet-filtering rules may be created offline by policy creation and management servers, which may distribute the policies to subscribing TIGs that subsequently enforce the policies on in-transit packets. Each packet filtering rule may specify a disposition that may be applied to a matching in-transit packet, such as deny/block/drop the in-transit packet or pass/allow/forward the in-transit packet, and also may specify directives that may be applied to a matching in-transit packet, such as log, capture, spoof-tcp-rst, etc.
    Type: Grant
    Filed: April 5, 2022
    Date of Patent: September 6, 2022
    Assignee: Centripetal Networks, Inc.
    Inventors: Sean Moore, Jonathan R. Rogers, Vincent Mutolo, Peter P. Geremia
  • Patent number: 11438292
    Abstract: A method, including: receiving an email message, the email message being generated by a computing device; detecting whether a condition associated with the email message is satisfied, the condition including a condition for detecting whether the email message is sent by an automailer that is executing on the computing device; forwarding the email message to an email server, when the condition is satisfied; and discarding the email message, when the condition is not satisfied.
    Type: Grant
    Filed: April 12, 2021
    Date of Patent: September 6, 2022
    Assignee: EMC IP Holding Company LLC
    Inventors: Shankar Thangaraj, Jaganathan Kannan, Hung Dinh, Shirley Coleman
  • Patent number: 11436329
    Abstract: The use of browser context in detecting malware is disclosed. A client device requests content from a remote server. Data received by the client device from the remote server is transmitted to an external scanner for analysis by the external scanner. The external scanner is configured to use a browser executed in an instrumented virtual machine environment to analyze the data provided by the client device. The client device is configured to act as a proxy on behalf of the external scanner.
    Type: Grant
    Filed: July 13, 2020
    Date of Patent: September 6, 2022
    Assignee: Palo Alto Networks, Inc.
    Inventors: Tongbo Luo, Xin Ouyang, Zhaoyan Xu, Xing Jin
  • Patent number: 11435988
    Abstract: There is provided a conversion apparatus with which a secure computation execution environment may be easily constructed. The conversion apparatus comprises an input part and a conversion part. The input part inputs a source code. The conversion part converts the input source code so that a secure computation compiler processes it based on setting information relating to secret computation executed by a plurality of secure computation servers.
    Type: Grant
    Filed: September 20, 2018
    Date of Patent: September 6, 2022
    Assignee: NEC CORPORATION
    Inventors: Toshinori Araki, Hikaru Tsuchida, Kazuma Ohara
  • Patent number: 11438356
    Abstract: This document discloses a system and method for detecting and classifying potential malicious network behaviours or characteristics contained within data traffic. In particular, this document discloses a system comprising a data pre-processing module for processing the received data traffic before the processed data traffic is provided to an alert module communicatively connected to the data pre-processing module. The alert module, which comprises a trained autoencoder and a classifier neural network trained via self-taught learning, then determines, based on a set of partially labelled training data, whether potential malicious network behaviours that typically present themselves as network traffic anomalies are contained within the processed data traffic.
    Type: Grant
    Filed: September 1, 2021
    Date of Patent: September 6, 2022
    Assignee: Ensign InfoSecurity Pte. Ltd.
    Inventors: Lee Joon Sern, Quek Hanyang, Chan Jin Hao
  • Patent number: 11429588
    Abstract: A method for processing log data in a server system is disclosed. The method includes: extracting level information associated with the log data, wherein the level information comprises at least one log level indicative of severity of a log event; filtering the log data based at least in part on the level information to generate filtered log data; and correcting, using a processor, the level information in response to determining that the level information of the filtered log data does not match the log event.
    Type: Grant
    Filed: June 6, 2019
    Date of Patent: August 30, 2022
    Assignee: ZHEJIANG DAHUA TECHNOLOGY CO., LTD.
    Inventor: Mingwei Zhou
  • Patent number: 11429511
    Abstract: This document describes a device and method for a device to reinforce the control flow integrity of a software application as the application is being executed on the device.
    Type: Grant
    Filed: August 27, 2019
    Date of Patent: August 30, 2022
    Assignee: Huawei International Pte. Ltd.
    Inventors: Ting Dai, Yongzheng Wu
  • Patent number: 11431746
    Abstract: A method performed by a cybersecurity system includes monitoring multiple network functions (NFs) of a service-based architecture (SBA) of a 5G network. The NFs are communicatively interconnected over an HTTP/2 interface. The cybersecurity system detects potentially malicious network traffic communicated over the HTTP/2 interface, identifies NFs or associated services that are susceptible to a cyberattack based on the potentially malicious network traffic, and deploys resources to secure the NFs or associated services. In one example, the resources are prioritized for a most frequently used (MFU) or most recently used (MRU) NF or associated service.
    Type: Grant
    Filed: January 21, 2021
    Date of Patent: August 30, 2022
    Assignee: T-Mobile USA, Inc.
    Inventors: Venson Shaw, Gaviphat Lekutai
  • Patent number: 11429412
    Abstract: Systems and methods are disclosed for securing an application running on a guest. An example method includes detecting, by a guest running on a virtual machine, that a set of physical memory pages is allocated to an application. The virtual machine runs on a hypervisor, and the application runs on the guest. During runtime, the guest may send a request to the hypervisor to set the set of physical memory pages to an executable-by-user mode in the hypervisor's page tables.
    Type: Grant
    Filed: February 25, 2016
    Date of Patent: August 30, 2022
    Assignee: RED HAT ISRAEL, LTD.
    Inventors: Michael Tsirkin, Paolo Bonzini
  • Patent number: 11429484
    Abstract: Discussed is a memory having an application area that stores at least one application; a flash bootloader (FBL) area that includes codes for updating the application area; and a BUM module that is activated after a defect is detected in the FBL area, deletes the FBL area, writes binary code information of an FBL image into the FBL area, determines whether the binary code written into the FBL area matches binary code information of the FBL image, and is deactivated when the two binary code information match. The FBL image and the BUM module may be provided in the application area.
    Type: Grant
    Filed: January 17, 2020
    Date of Patent: August 30, 2022
    Assignee: LG ENERGY SOLUTION, LTD.
    Inventor: Jesung Ryu
  • Patent number: 11429734
    Abstract: According to examples, an apparatus may include a processor and a computer readable medium on which is stored machine readable instructions that may cause the processor to receive a request for a webpage from a web browser. The processor may send webpage code of the webpage to the web browser and the webpage may load a secure webpage for a sensitive data field that is separate from the webpage. A secure server may provide the secure webpage, which may correspond to an identifier that points to the secure server. By receiving the sensitive data into the sensitive data field of the secure webpage, the sensitive data may be protected from a script loaded in the webpage. In addition, the processor may receive the sensitive data from the secure server.
    Type: Grant
    Filed: July 22, 2019
    Date of Patent: August 30, 2022
  • Patent number: 11431745
    Abstract: Described are examples for curating threat intelligence data including receiving threat intelligence data comprising a list of entities, one or more associations between entities, a reputation score for each entity, and/or a confidence value corresponding to the one or more associations. An updated reputation score for at least one of a first type of entities can be determined based at least in part on the confidence value and/or on determining a reputation score of at least one of a second type of entities to which the at least one of the first type of entities is associated in the one or more associations. The reputation score of the at least one of the first type of entities can be updated, in the threat intelligence data, to the updated reputation score.
    Type: Grant
    Filed: April 30, 2018
    Date of Patent: August 30, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Andrew W. Wicker, Peter A. Cap, Christian Seifert
  • Patent number: 11431579
    Abstract: An IDS ECU includes: an anomalous frame detector that detects an anomalous frame; a connector communicator that transmits an anomaly-related request frame to a connector that is a transmitter of the anomalous frame, to request a response from the connector, and receives, from the connector, an anomaly-related response frame generated by the connector based on the anomaly-related request frame and indicating the transmitter; a network anomaly determiner that calculates, from the anomaly-related response frame, the number of anomalous connectors indicating the number of connectors that transmitted the anomaly-related response frame, and determines that an in-vehicle network system is: in a first anomalous state when the number is 0; and in a second anomalous state when the number is not 0; and a network anomaly handler that handles the first or second anomalous state determined by the network anomaly determiner.
    Type: Grant
    Filed: July 15, 2020
    Date of Patent: August 30, 2022
    Assignee: PANASONIC INTELLECTUAL PROPERTY CORPORATION OF AMERICA
    Inventors: Ryo Hirano, Takamitsu Sasaki
  • Patent number: 11431733
    Abstract: The present disclosure generally relates to a system and method for defending a utilities system against cyber-physical attacks associated with anomalies in a physical process operative in the utilities system. The defense system comprises: a set of sensors for collecting physical data associated with the physical process; a set of controller devices for monitoring process states of the physical process based on the physical data from the sensors; a set of verification devices for monitoring the physical process based on the physical data from the sensors, the physical data enabling the verification devices to detect the anomalies based on a set of invariants predefined for the physical process; and a set of actuators controllable by the controller devices or verification devices to remedy the anomalies and regulate the physical process, thereby defending the utilities system against the cyber-physical attacks.
    Type: Grant
    Filed: September 6, 2017
    Date of Patent: August 30, 2022
    Assignee: Singapore University of Technology and Design
    Inventors: Aditya Mathur, Sridhar Adepu, Siddhant Shrivastava, Myat Aung Kaung, Nils Tippenhauer, Giedre Sabaliauskaite
  • Patent number: 11431736
    Abstract: In some aspects, a computing system can generate entity links between a primary entity object identifying a primary entity for multiple accounts and secondary entity objects identifying secondary entities from the accounts. The computing system can determine a rate at which secondary users change on the accounts. The computing system can update, based on the determined rate, the primary entity object to include a fraud-facilitation flag. The computing system can also service a query from a client system regarding a presence of a fraud warning for a target consumer associated with a consumer system that accesses a service provided with the client system. For instance, the computing system can generate a fraud warning based on the target consumer being identified in a secondary entity object associated with the primary entity object having the fraud-facilitation flag. The computing system can transmit the fraud warning to the client system.
    Type: Grant
    Filed: June 29, 2018
    Date of Patent: August 30, 2022
    Assignee: EQUIFAX INC.
    Inventors: Chris Brown, Rakesh Patel, John Mullinax, Troy Cole, Julio Farach, Lee Grice, Patrick Wadkins, Erik Strong, Cordell Boynes
  • Patent number: 11431697
    Abstract: An apparatus comprises a processing device configured to receive, at a user interface of a trust platform configured to manage cloud assets operating in clouds of multiple cloud service providers, a request by a user to access a given cloud asset on which one or more workloads of a given entity run. The processing device is also configured to generate, on the given cloud asset utilizing application programming interfaces of the trust platform, a temporary user account responsive to determining that the requesting user is registered with the trust platform as an authorized user for the given entity and the given asset. The processing device is further configured to provide access credentials for the temporary user account to the requesting user, to monitor use of the temporary user account, and to remove the temporary user account from the given cloud asset based at least in part on the monitored use.
    Type: Grant
    Filed: December 30, 2020
    Date of Patent: August 30, 2022
    Assignee: Virtustream IP Holding Company LLC
    Inventors: Pritesh Parekh, Nicholas Kathmann, Qintao Zhao
  • Patent number: 11431749
    Abstract: A computing device for informing about malicious web resources and a method for informing about malicious web resources performed on this computing device are claimed. The claimed method includes performing operations comprising: obtaining references to a plurality of web resources; identifying malicious web resources in a specified set of web resources; establishing web resources associated with each of the identified malicious web resources; detecting malicious web resources in the identified related web resources; identifying at least one authorized entity associated with each of the identified malicious web resources; generating at least one report for at least one of the established authorized entities based on information about the detected malicious web resources associated with this authorized entity; sending each generated report to the appropriate authorized entity on the basis of the contact details of the authorized entity.
    Type: Grant
    Filed: October 22, 2019
    Date of Patent: August 30, 2022
    Assignee: TRUST LTD.
    Inventor: Alexander Sergeevich Kalinin
  • Patent number: 11425148
    Abstract: Embodiments provide for maliciousness scores to be determined for IP addresses and/or network domains. For example, a request to evaluate malicious activity with respect to an IP address/network domain may be received. Multiple, and in some cases disparate, third-party systems may provide malicious activity information associated with the IP address and/or network domain. A feature set may be extracted from the malicious activity information and statistical values may be calculated from the extracted data and added to the feature set. The feature set may be provided to a machine learning model as input and a maliciousness score/classification may be returned. A remedial action may be performed in accordance with the output of the machine learning model.
    Type: Grant
    Filed: March 10, 2017
    Date of Patent: August 23, 2022
    Assignee: VISA INTERNATIONAL SERVICE ASSOCIATION
    Inventors: D. M. Shams Zawoad, Philip Desch
  • Patent number: 11425217
    Abstract: A computer implemented method is described for management of development and deployment of a service based architecture. A graph data structure is generated for the development and deployment of the service based architecture. The graph data structure includes multiple layers which include a core layer and a catalog layer. The graph data structure relates an initial tenant and one or more additional tenants or neighboring tenants in the core layer. The management device assigns a catalog data structure to the catalog layer of the graph data structure. The catalog data structure includes addresses for the initial tenant and the one or more additional tenants for respective hosted locations within the service based architecture. A service offering is described as one or more item nodes in the graph data structure. The graph data structure associates the item node to the catalog data structure of the catalog layer and the initial tenant in the core layer.
    Type: Grant
    Filed: March 10, 2020
    Date of Patent: August 23, 2022
    Assignee: Chicago Mercantile Exchange Inc.
    Inventors: Adam Gilat, Alexander Abugov, Regev Dekel, Roy Antman, Or Yosef Sela, Eyal Cohen
  • Patent number: 11425156
    Abstract: Techniques for detecting network intrusions are disclosed. An example intrusion detection system includes a storage device to store audit data generated by a network traffic analyzer in accordance with an audit policy that determines an auditing level. The system also includes a processor to receive a case defined by a case definition, wherein the case definition comprises a plurality of symptoms and each symptom is defined by a separate symptom definition. The processor performs queries of the audit data in accordance with each of the symptoms to generate captured symptom data. The symptoms are scored based on the captured symptom data to generate symptom scores, and the symptom scores are summed to generate a case score. If the case score exceeds an alert threshold specified by the case definition, the processor issues an alert.
    Type: Grant
    Filed: March 17, 2020
    Date of Patent: August 23, 2022
    Assignee: International Business Machines Corporation
    Inventors: Oded Sofer, Zamir Paltiel
  • Patent number: 11425563
    Abstract: Devices, systems, and methods of detecting user identity, differentiating between users of a computerized service, and detecting a cyber-attacker. A user utilizes a desktop computer, a laptop computer, a smartphone, a tablet, or other electronic device, to interact with a banking website or application, a retailer website or application, or other computerized service. Input-unit interactions are monitored, logged, and analyzed. Based on several types of analysis of the input-unit interactions, a score is generated to reflect fraud-relatedness or attack-relatedness of the input-unit interactions. Based on the score, the system estimates or determines whether the user is an attacker, and initiates attack-mitigation operations or fraud-mitigation operations.
    Type: Grant
    Filed: October 1, 2020
    Date of Patent: August 23, 2022
    Assignee: BIOCATCH LTD.
    Inventors: Avi Turgeman, Oren Kedem, Uri Rivner
  • Patent number: 11425149
    Abstract: A method and system for detecting anomalous network activity in a cloud-based compute environment. The method comprises receiving configuration data and network activity observations for a set of virtual entities in the cloud-based compute environment; creating a profile for each virtual entity in the set of virtual entities, when the virtual entity does not already have an associated profile; dynamically updating the virtual entity of a profile with the respective network activity observations of the virtual entity; and determining whether anomalies have been detected.
    Type: Grant
    Filed: January 31, 2019
    Date of Patent: August 23, 2022
    Assignee: Rapid7, Inc.
    Inventors: Nitzan Niv, Gad Naor
  • Patent number: 11416561
    Abstract: Techniques are described for enabling analysts and other users of an IT operations platform to identify certain data objects managed by the platform (for example, events, files, notes, actions results, etc.) as “evidence” when such data objects are believed to be of particular significance to an investigation or other matter. For example, an event generated based on data ingested from an anti-virus service and representing a security-related incident might include artifacts indicating an asset identifier, a hash value of a suspected malicious file, a file path on the infected endpoint, and so forth. An analyst can use various interfaces and interface elements of an IT operations platform to indicate which of such events and/or artifacts, if any, represent evidence in the context of the investigation that the analyst is conducting. In response, the IT operations platform can perform various automated actions.
    Type: Grant
    Filed: June 2, 2019
    Date of Patent: August 16, 2022
    Assignee: Splunk Inc.
    Inventors: Sourabh Satish, David Wayman, Kavita Varadarajan
  • Patent number: 11416611
    Abstract: An application downloaded from the network onto a target (production) machine can be validated in a sandbox environment. An execution report can be generated during the validation. When the validated application is executed on the target machine, operations performed by the application are limited based on the execution report.
    Type: Grant
    Filed: February 12, 2020
    Date of Patent: August 16, 2022
    Assignee: VMWARE, INC.
    Inventors: Tanmay Ajit Dalvi, Vaibhav Diwakar Kulkarni, Anand Jaysingh Bhalerao
  • Patent number: 11418539
    Abstract: A method, computer program product, and a system where a processor(s) determines that a destination has been retained as a link in an application. The processor(s) monitors connections of the application to the destination retained as the link, where connecting is providing a locator of the destination to a server(s) to obtain an address for the destination. The processor(s) determines an average time period measured from providing the locator to the server(s) to obtaining the address. The processor(s) retains the returned address for each connection within a given time period. The processor(s) determines that the application has initiated a new connection to the destination and the new connection is incomplete after a time period calculated relative to the average time period has lapsed. The processor(s) provides selectable options in a user interface of the application that are the retained address(es).
    Type: Grant
    Filed: February 7, 2019
    Date of Patent: August 16, 2022
    Assignee: International Business Machines Corporation
    Inventor: Johnny Shieh
  • Patent number: 11416610
    Abstract: A threat information evaluation apparatus that evaluates threat information includes an allocation unit that allocates threat information in an input threat information list to a security operator or an evaluation unit, and an evaluation unit that evaluates the threat information allocated to the evaluation unit. The allocation unit calculates an estimation accuracy on the basis of evaluation performed by the evaluation unit and evaluation determined by the security operator, and allocates the threat information on the basis of the estimation accuracy.
    Type: Grant
    Filed: March 25, 2019
    Date of Patent: August 16, 2022
    Assignee: Nippon Telegraph and Telephone Corporation
    Inventors: Hidetoshi Kawaguchi, Yuichi Ishihara
  • Patent number: 11418547
    Abstract: Embodiments are provided for integrating feedback into alert managing processes having defined alert policies. These policies define conditions that, when satisfied by certain detected activities, trigger an alert to be sent to a client. A determination is made that a current detected activity does satisfy the condition(s). Subsequent to determining that the set of conditions is satisfied and prior to actually generating the alert, the current detected activity is determined to share a relationship with previously received feedback that caused the alert policy to be modified. After being modified, the alert policy specified whether the alert is to be sent to the client, modified and then sent, suspended, or disabled. The alert is then either generated or refrained from being generated based on the alert policy.
    Type: Grant
    Filed: October 22, 2019
    Date of Patent: August 16, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Andrey Karpovsky, Yotam Livny, Fady Nasereldeen, Tamer Salman
  • Patent number: 11418477
    Abstract: A local area social networking server limits social networking activity to people likely to be in close physical proximity to one another and likely to be engaged in similar activities, even people previously unknown to each other, by only permitting social networking between computing devices that are connected to one another through a common local area network. The server identifies recipient devices for a message that (i) are coupled to the same local area network as the sending device, (ii) are associated with demographic characteristics that match those specified for the message as intended recipients, and (iii) are indicated by receptivity data to be receptive to the message and the sender.
    Type: Grant
    Filed: December 28, 2020
    Date of Patent: August 16, 2022
    Assignee: UNILOC 2017 LLC
    Inventor: Craig S. Etchegoyen
  • Patent number: 11418520
    Abstract: Techniques to facilitate network security analysis and attack response are disclosed herein. In at least one implementation, a passive analysis system receives a copy of network traffic, performs deep analysis on the copy of network traffic, and generates security data points based on the deep analysis. The passive analysis system then provides the security data points to an active inline security device, wherein the active inline security device compares incoming network traffic to the security data points to detect security events.
    Type: Grant
    Filed: June 10, 2016
    Date of Patent: August 16, 2022
    Assignee: Cequence Security, Inc.
    Inventors: Shreyans Mehta, Ameya Talwalkar
  • Patent number: 11411918
    Abstract: Web server security is assessed. Some embodiments analyze data exchanged with a web server to determine a risk associated with accessing the web server. For example, one or more of a type of web application accessed via the web server, a type of interpreted language used to implement the web server, and/or a type and/or version of an http server operable on the web server are examined. Based on the analysis, the risk associated with accessing the web server is determined. Some embodiments then block access to the web server based on the analysis. Alternatively, in some embodiments, a user may be alerted to the risk, and then allowed to proceed upon accepting the risks. Some embodiments share the determined risk assessment with other client devices via a web server risk data store.
    Type: Grant
    Filed: May 26, 2020
    Date of Patent: August 9, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventor: Danut Antoche Albisor
  • Patent number: 11409631
    Abstract: The invention makes it possible to reuse a verification script without manually modifying the internal parameters of the verification script. A verification automation apparatus 1 adapts a verification script to a system that is to be verified. The verification automation apparatus 1 includes: a verification script acquisition unit 101 that acquires a verification script that includes an execution script for verification work and execution enabling requirements for executing the execution script; a verification configuration search unit 104 that searches the system to be verified, for configurations for which the execution script is executable, using environment information regarding the system to be verified, and the execution enabling requirements; and an execution script materializing unit 105 that materializes the execution script based on the configuration that has been found through the search, so as to be executable in the system to be verified.
    Type: Grant
    Filed: June 27, 2019
    Date of Patent: August 9, 2022
    Assignee: NEC CORPORATION
    Inventor: Tatsuya Fukuda
  • Patent number: 11411974
    Abstract: The implementations described herein provide a tool for identifying security issues and applying security policies to the service(s) and/or microservices. Rather than a user (such as an administrator) reactively diagnosing security incidents, the systems and methods described herein may provide a tool by which the user can proactively monitor the use of the services and microservices for security issues and control the use of such microservices and services via policies. The systems and methods allow API granular policy control to determine which APIs may be granted or denied access based on a variety of criteria, such as but not limited to the source of the request, the specific API being called, temporal conditions, geography and so forth. The user can identify security concerns or issues on a per API basis.
    Type: Grant
    Filed: May 17, 2019
    Date of Patent: August 9, 2022
    Assignee: Citrix Systems, Inc.
    Inventor: Chiradeep Vittal
  • Patent number: 11409635
    Abstract: A computer system includes an operating system, a memory coupled to the operating system, and a processor (e.g., an anti-debug processor) coupled to the operating system. The operating system receives, from a debug process, a request to create an essential debug object for attachment to a target process. The anti-debug processor scans a kernel memory of the operating system for the essential debug object and verifies a presence of the essential debug object in the kernel memory, and scans the kernel memory to identify a process that has stored in the kernel memory the essential debug object. The anti-debug processor then halts the debug process, without using an internal interface or function of the operating system, thereby preventing the debug process from attaching to the target process.
    Type: Grant
    Filed: August 23, 2019
    Date of Patent: August 9, 2022
    Assignee: Raytheon Company
    Inventor: Daniel S. Rose
  • Patent number: 11409869
    Abstract: Aspects of the present disclosure relate to threat detection of executable files. A plurality of static data points may be extracted from an executable file without decrypting or unpacking the executable file. The executable file may then be analyzed without decrypting or unpacking the executable file. Analysis of the executable file may comprise applying a classifier to the plurality of extracted static data points. The classifier may be trained from data comprising known malicious executable files, known benign executable files and known unwanted executable files. Based upon analysis of the executable file, a determination can be made as to whether the executable file is harmful.
    Type: Grant
    Filed: February 14, 2020
    Date of Patent: August 9, 2022
    Assignee: Webroot Inc.
    Inventors: Mauritius Schmidtler, Gaurav Dalal, Reza Yoosoofmiya
  • Patent number: 11405217
    Abstract: The present application relates to ensuring data consistency between a modular device and an external system. Techniques are described for ensuring data consistency between devices at a control device using configuration signatures. A control device can receive and store a baseline configuration signature for a first modular device. Upon initialization of the first modular device, the control device can receive a current configuration signature from the first modular device. The control device can compare the current configuration signature with the baseline configuration signature and, if a mismatch is found, generate a notification indicating that data subsequently received from the first modular device is of uncertain integrity.
    Type: Grant
    Filed: July 2, 2020
    Date of Patent: August 2, 2022
    Assignee: Schneider Electric USA, Inc.
    Inventors: Kevin M. Jefferies, Daniel Martin, Surya Narayana H Govindaraju, Juergen Fiess, Christian Ringwald, Wolfgang Fien
  • Patent number: 11403152
    Abstract: Embodiments of the disclosure provide a method and system for task orchestration. A method may include: providing, by a task master control unit, an execution instruction of a task related to a module in an application container to a node agent service unit in an auxiliary application container bound to the application container, the auxiliary application container sharing a file system with the application container; and executing, by the node agent service unit, a command for completing the task, in response to acquiring the execution instruction of the task.
    Type: Grant
    Filed: September 5, 2019
    Date of Patent: August 2, 2022
    Assignee: Beijing Baidu Netcom Science and Technology Co., Ltd.
    Inventor: Haodong Chen
  • Patent number: 11397813
    Abstract: Disclosed is a method and system for verifying a regex group. The method comprises verifying of a regex group by creating a flow id through a processor for the regex group when source reaches the sink. The flow id is used for tracking the flow of the regex group. The processor checks in case the flow id is a previously tested flow id. When the flow id is not the previously tested flow id, the processor passes one or more run tasks through a processor forming a queue. The processor tests for one or more vulnerabilities to be associated with the regex group based on the passing, wherein the testing is used to qualify the regex group as a valid regex group.
    Type: Grant
    Filed: May 8, 2020
    Date of Patent: July 26, 2022
    Assignee: HCL TECHNOLOGIES LIMITED
    Inventors: Jonathan Afek, Gal Ben-Yair
  • Patent number: 11399045
    Abstract: A network-accessible service such as a web site may authenticate users through a login process. In order to detect possibly fraudulent login events, the service may implement a framework based on recorded login events. For example, attributes of multiple recorded login events may be analyzed to create a framework that can be applied to attributes of newly received login requests to predict whether the newly received login requests are fraudulent. The framework may comprise criteria, algorithms, rules, models, and/or techniques, and may be constructed using various means such as pattern recognition, machine learning, and/or cluster analysis.
    Type: Grant
    Filed: April 10, 2020
    Date of Patent: July 26, 2022
    Assignee: T-Mobile USA, Inc.
    Inventors: James Alexander Latham, Zoltan Homorodi, Michael Engan