Patent classifications
G06F2221/2127
Security Enabled False Desktop Computing Environment
A computing system for securely managing access to resources of a computing device receives an input at a secure login of a user interface. The computing system compares the input to a plurality of stored security measures and activates one of an operating system or a configuration of a false desktop system. A user interface of the false desktop system shares characteristics with a user interface of an operating system and restricts access to specified files, data stores, applications, networking functions, and/or ports associated with the computing system. When configured, the false desktop system or the operating system is enabled based on the location of the computing system. When configured, the false desktop system deletes files, data stores, and applications of the operating system.
DECOY MEMORY ALLOCATION
Certain embodiments described herein relate to methods and systems for detecting unexpected behavior associated with a process. In certain embodiments, a method comprises receiving a memory allocation request, the request indicating one or more memory segments to be allocated in memory of a computing system. The method further comprises allocating the one or more memory segments in the memory based on the memory allocation request. The method further comprises allocating one or more decoy memory segments in the memory based on the memory allocation request. The method further comprises trapping an input/output (I/O) operation. The method further comprises detecting an unexpected behavior associated with the I/O operation based on determining that the I/O operation impacts at least one of the one or more decoy memory segments. The method further comprises performing one or more actions based on the detection.
Delayed serving of protected content
Techniques are described for delayed serving of protected content. A request has been made by a client computing device for a requested resource comprising a first portion and a second portion that is initially withheld from the client computing device. First content comprising the first portion of the requested resource and reconnaissance code is served for execution on the client computing device. When executed at the client computing device, the reconnaissance code gathers data at the client computing device that indicates whether the client computing device is human-controlled or bot-controlled. The data gathered by the reconnaissance code is received. Based on the data, it is determined that the client computing device is not bot-controlled. In response to determining that the client computing device is not bot-controlled, the second portion of the requested resource is served to the client computing device.
Mobile security countermeasures
A method includes generating a user profile for an authorized user of a mobile device based on behavior patterns associated with the authorized user. The method also includes detecting subsequent user behavior of a particular user during an attempt by the particular user to access the mobile device. The method also includes comparing the subsequent user behavior to the behavior patterns of the user profile to determine whether the particular user is authorized or unauthorized. In response to determining that the particular user is an unauthorized user, the method includes detecting activity by the unauthorized user and performing a countermeasure of a plurality of countermeasures in response to detecting the activity. Each countermeasure of the plurality of countermeasures has a different security level and corresponds to a degree of the activity.
CREATING A MALWARE DOMAIN SINKHOLE BY DOMAIN CLUSTERING
A computer-implemented method, a computer program product, and a computer system for creating malware domain sinkholes by domain clustering. The computer system clusters malware domains into domain clusters. The computer system collects domain metrics in the domain clusters. The computer system sorts clustered malware domains in the respective ones of the domain clusters, based on the domain metrics. The computer system selects, from the clustered malware domains in the respective ones of the domain clusters, a predetermined number of top domains as candidates of respective domain sinkholes, wherein the respective domain sinkholes are created for the respective ones of the domain clusters.
HONEYPOT OPAQUE CREDENTIAL RECOVERY
Disclosed herein are methods, systems, and processes for recovering opaque credentials in deception systems. A plaintext credential is received at a honeypot and a plaintext lookup table is accessed. It is determined that the plaintext credential does not exist in the plaintext lookup table and the plaintext credential is added to the plaintext lookup table and a protocol specific plaintext lookup table. An opaque credential is generated for the plaintext credential and the opaque credential is added to a protocol specific opaque lookup table.
Method, systems and apparatus for intelligently emulating factory control systems and simulating response data
A controller emulator, coupled to an interface that exposes the controller emulator to inputs from external sources, provides one or more control signals to a process simulator and a deep learning processor. In response, the process simulator simulates response data that is provided to the deep learning processor. The deep learning processor generates expected response data and expected behavioral pattern data for the one or more control signals, as well as actual behavioral pattern data for the simulated response data. A comparison of at least one of the simulated response data to the expected response data and the actual behavioral pattern data to the expected behavioral pattern data is performed to determine whether anomalous activity is detected. As a result of detecting anomalous activity, one or more operations are performed to address the anomalous activity.
LIVE FORENSIC BROWSING OF URLS
Potentially malicious uniform resource locators and websites are safely and effectively investigated through live forensic browsing. Live data from an isolated browser feeds a security information and event management (SIEM) tool and other forensic tools during a browsing session, allowing investigators to direct the browsing in response to analysis results. Session data may be translated for SIEM ingestion. Browsing sessions may be manually or automatically customized to obscure their forensic nature, by routing selection, by bandwidth or latency adjustment, or by spoofing externally detectable characteristics such as geolocation, user agent, time zone, and language. Forensic activity by an investigator may also be obscured from discovery by an attacker as a result of spoofing the browser's context, such as plugin status and host machine physical characteristics. Human presence tests relied on by attackers may be satisfied without sacrificing a targeted system's cybersecurity or an investigator's access to forensic tools.
Controlling dynamic user interface functionality using a machine learning control engine
Systems for detecting an unauthorized user and controlling dynamic user interface functionality are provided. The system may receive a request to access functionality that may include login credentials of a user. The request may also include additional information associated with a computing device from which the request is received. The request and additional data may be analyzed using one or more machine learning datasets to determine whether a user requesting access is an authorized user or an unauthorized user. If the user is an authorized user, the user may be authenticated to the system and an authentic user interface having enabled functionality may be generated. If the user is an unauthorized user, a decoy user interface having functionality disabled may be generated.
SYSTEMS AND METHODS FOR SECURING PROTECTED ITEMS IN MEMORY
System, methods, and other embodiments described herein relate to improving security of protected values in a memory. In one embodiment, a method includes, in response to receiving a write request indicating at least an item and a write value to write into the memory, determining whether a protected items list (PIL) indicates that the item is protected. The method includes replacing the write value of the write request with a protected value from the PIL that corresponds with the item when the item is listed in the PIL as being protected. The method further includes executing the write request to the memory.