G06F2221/2127

METHOD, SYSTEMS AND APPARATUS FOR INTELLIGENTLY EMULATING FACTORY CONTROL SYSTEMS AND SIMULATING RESPONSE DATA

A controller emulator, coupled to an interface that exposes the controller emulator to inputs from external sources, provides one or more control signals to a process simulator and a deep learning processor. In response, the process simulator simulates response data that is provided to the deep learning processor. The deep learning processor generates expected response data and expected behavioral pattern data for the one or more control signals, as well as actual behavioral pattern data for the simulated response data. A comparison of at least one of the simulated response data to the expected response data and the actual behavioral pattern data to the expected behavioral pattern data is performed to determine whether anomalous activity is detected. As a result of detecting anomalous activity, one or more operations are performed to address the anomalous activity.

LINKING TO A SEARCH RESULT

In general, the subject matter described in this disclosure can be embodied in methods, systems, and program products for linking to a search result. A computing system receives a query and provides, to a first computing device, multiple results that are responsive to the query. The computing system provides, to the first computing device, information that identifies a web address of a user-selected result of the multiple results that are responsive to the query. The computing system receives a request from a second computing device for content responsive to the web address of the user-selected result. The computing system provides, to the second computing device, information to cause the second computing device to present the multiple results that are responsive to the query in distinction to the user-selected result, responsive to the second computing device not being authorized to access the user-selected result.

SYSTEM AND METHOD FOR AUTOMATIC GENERATION OF MALWARE DETECTION TRAPS
20210279332 · 2021-09-09

A system and method of deployment of malware detection traps by at least one processor may include performing a first interrogation of a first Network Asset (NA) of a specific NA family; determining, based on the interrogation, a value of one or more first NA property data elements of the first NA; obtaining one or more second NA property data elements corresponding to the specific NA family; integrating the one or more first NA property data elements and the one or more second NA property data elements to generate a template data element, corresponding to the specific NA family; producing, from the template data element, a malware detection trap module; and deploying, on one or more computing devices of a computer network, one or more instantiations of the malware detection trap module as decoys of the first NA.

Network monitoring based on distribution of false account credentials
11032318 · 2021-06-08

A device receives end user device information for end user devices associated with a network, and creates a data structure that includes the end user device information. The device creates a data structure that includes false account credentials, and maps the end user device information and the false account credentials to create a mapped data structure. The device provides the false account credentials to memory locations of corresponding ones of the end user devices, and provides information from the mapped data structure to one or more network devices associated with the network, wherein the information from the mapped data structure enables the one or more network devices to detect an unauthorized access attempt of the network using one or more of the false account credentials.

Systems and methods for preparing honeypot computer files

The disclosed computer-implemented method for preparing honeypot computer files may include (1) identifying, at a computing device, a search term used by a cyber attacker in an electronic search request, (2) identifying, without regard to a search access restriction, a sensitive computer document in search results stemming from the electronic search request, (3) creating, as a security action in response to the electronic search request, a honeypot computer file based on the sensitive computer document and including the identified search term, and (4) placing the honeypot computer file in the search results. Various other methods, systems, and computer-readable media are also disclosed.

SHARED IMAGE SANITIZATION METHOD AND SYSTEM

Methods and systems for removing sensitive information from a digital image. An instruction to share a digital image is received. It is then determined that the digital image contains a depiction of a corporate display medium that is classified as sensitive based on a policy and, based on the determination that the digital image contains the depiction of the corporate display medium that is classified as sensitive based on the policy, the digital image is processed to modify the depiction. The digital image is shared.

Honeypot opaque credential recovery
10986128 · 2021-04-20

Disclosed herein are methods, systems, and processes for recovering opaque credentials in deception systems. A plaintext credential is received at a honeypot and a plaintext lookup table is accessed. It is determined that the plaintext credential does not exist in the plaintext lookup table and the plaintext credential is added to the plaintext lookup table and a protocol specific plaintext lookup table. An opaque credential is generated for the plaintext credential and the opaque credential is added to a protocol specific opaque lookup table.

Honeypot opaque credential recovery
10986130 · 2021-04-20

Disclosed herein are methods, systems, and processes for recovering opaque credentials in deception systems. A plaintext credential is received at a honeypot and a plaintext lookup table is accessed. It is determined that the plaintext credential does not exist in the plaintext lookup table and the plaintext credential is added to the plaintext lookup table and a protocol specific plaintext lookup table. An opaque credential is generated for the plaintext credential and the opaque credential is added to a protocol specific opaque lookup table. Attack context metadata associated with the original attack event is generated and stored in the protocol specific opaque lookup table in association with the plaintext credential and the opaque credential. If the honeypot receives the opaque credential from a subsequent attacker who initiates a subsequent attack event, the protocol specific opaque lookup table is accessed and the plaintext credential associated with the opaque credential is recovered. The plaintext credential, the opaque credential, and the attack context metadata are then exchanged with a credential exchange manager.

Deception mechanisms in containerized environments

Provided are systems, methods, and computer-program products for deception mechanisms in a containerized environment. In various implementations, a deception platform can detect the configuration of a containerized environment, including namespaces, services, and configuration of the environment. The deception platform can determine appropriate decoy containerized services for the environment, and can deploy the decoy alongside a production containerized service. The deception platform can further determine decoy breadcrumbs for luring attackers to the decoy containerized service. The decoy breadcrumbs can be injected into the environment at locations where an attacker will look for information for further infiltrating the environment. The deception platform can then monitor the decoy containerized service for unexpected accesses.

INCEPTION OF SUSPICIOUS NETWORK TRAFFIC FOR ENHANCED NETWORK SECURITY
20210099468 · 2021-04-01

Systems and methods are described for inception of suspicious network traffic to allow detection of the beginning of common attacks by network security devices, such as NGFWs, UTM appliances and IPS appliances. According to one embodiment, an inception engine running on a network security appliance protecting a private network monitors a session between an external computing device and a server device associated with the private network. In response to receipt of suspicious traffic from the external computing device indicative of an attack sequence, the inception engine blocks the suspicious traffic from reaching the server device and incepts the attack sequence by providing one or more responses to the external computing device, which are selected based on the attack sequence. Further, when the attack is confirmed, the inception engine diverts the traffic to a more capable deception device.