G06F21/552

APPARATUS AND METHOD FOR CONDUCTING ENDPOINT-NETWORK-MONITORING

Provided is an intrusion detection technique configured to: obtain kernel-filter criteria indicative of which network traffic is to be deemed potentially malicious; determine that a network packet is resident in a networking stack; access at least part of the network packet; apply the kernel-filter criteria to the at least part of the network packet and, based on applying the kernel-filter criteria, determine that the network packet is potentially malicious; associate the network packet with an identifier of an application executing in userspace of the operating system and to which or from which the network packet is sent; and report the network packet in association with the identifier of the application to an intrusion-detection agent executing in userspace of the operating system of the host computing device, the intrusion-detection agent being different from the application to which or from which the network packet is sent.

METHODS, SYSTEMS, AND DEVICES FOR DYNAMICALLY MODELING AND GROUPING ENDPOINTS FOR EDGE NETWORKING
20230007031 · 2023-01-05

Various embodiments described herein disclose an endpoint modeling and grouping management system that can collect data from endpoint computer devices in a network. In some embodiments, agents installed on the endpoints can collect real-time information at the kernel level providing the system with deep visibility. In some embodiments, the endpoint modeling and grouping management system can identify similarities in behavior in response to assessing the data collected by the agents. In some embodiments, the endpoint modeling and grouping management system can dynamically model groups such as logical groups, and cluster endpoints based on the similarities and/or differences in behavior of the endpoints. In some embodiments, the endpoint modeling and grouping management system transmits the behavioral models to the agents to allow the agents to identify anomalies and/or security threats autonomously.

METHODS AND APPARATUS FOR DETECTING MALICIOUS RE-TRAINING OF AN ANOMALY DETECTION SYSTEM

An analysis engine of an anomaly detection system receives an input captured by a monitoring device, determines, based on a currently used anomaly detection model, that the input represents an object or event that should not be classified as an anomaly, and determines, based on a previously used model, that the input was previously classified as an anomaly. In response, the analysis engine determines a respective classification result for the input based on additional models used between the currently and previously used models, determines, based on the respective classification results, that it is likely that the anomaly detection system has been deliberately re-trained to falsely classify the input, and initiates an action to correctly classify the input as representing an object or event that should be classified as an anomaly. The anomaly detection models and classification results may be stored in a training repository for the anomaly detection system.

CONTEXT INFORMED ABNORMAL ENDPOINT BEHAVIOR DETECTION
20230007037 · 2023-01-05

Adaptive normal profiles are generated at a hierarchical scope corresponding to a set of endpoints and a process. Abnormal endpoint activity is detected by verifying whether event data tracking activity on the set of endpoints conforms to the adaptive normal profiles. False positives are reduced by verifying alarms correspond to normal endpoint activity. Abnormal event data is forwarded to a causality chain identifier that identifies abnormal chains of processes for the abnormal endpoint activity. A trained threat detection model receives abnormal causality chains from the causality chain identifier and indicates a likelihood of corresponding to a malicious attack that indicates abnormal endpoint behavior.

BEHAVIORAL THREAT DETECTION ENGINE
20230004643 · 2023-01-05

Examples of the present disclosure describe systems and methods for a behavioral threat detection engine. In examples, the behavioral threat detection engine manages execution of one or more virtual machines, wherein each virtual machine processes a rule in relation to a context. The behavioral threat detection engine uses any of a variety of techniques to identify when events occur. Accordingly, the behavioral threat detection engine provides event indications, in the form of event packets, to one or more virtual machines, such that corresponding rules are able to process the events accordingly. Eventually, a rule may make a determination as to the presence or absence of a behavior. As a result, execution of the associated virtual machine may be halted, thereby indicating to the behavioral threat detection engine that a determination has been made. Thus, a behavioral threat detection engine employs a behavior-based approach to detecting malicious or potentially malicious behaviors.

BLOCKCHAIN-BASED HOST SECURITY MONITORING METHOD AND APPARATUS, MEDIUM AND ELECTRONIC DEVICE

The present disclosure relates to a blockchain-based host security monitoring method and apparatus, a computer readable medium and an electronic device. The host security monitoring method in the embodiments of the present disclosure comprises: monitoring traffic data of a host in network communication, and determining whether the traffic data is malicious traffic; if the traffic data is malicious traffic, obtaining security state information of the host, and saving the security state information to a security state blockchain; generating an invasion log corresponding to the malicious traffic, and saving the invasion log and the security state information to a log storage blockchain.

FUZZY LOGIC MODELING FOR DETECTION AND PRESENTMENT OF ANOMALOUS MESSAGING
20230239322 · 2023-07-27

Disclosed is an approach that applies a fuzzy logic model that may involve fuzzy-matching a plurality of address fields to determine a common physical address, and determining a number of communiques directed to that address with reference to a threshold that may determine an excessive number of communiques. The plurality of address fields may also be fuzzy-matched to information in a fraud-risk database which may comprise a fraud-risk address. One or more matches may be presented to a user who may adjust the views of the various matches, track various trends within the data, and harmonize the various address fields relating to a physical address.

Methods, Systems, Devices, Circuits and Functionally Related Machine Executable Instructions for Operational-Commands-Based Cybersecurity of a Transportation Management Network
20230007046 · 2023-01-05

Disclosed are methods, systems, devices, circuits and functionally related machine executable instructions for cybersecurity of a transportation management network, based on operational commands. A unit policy generation module generates expected behavior policies for transportation management network units, based on the signals/data-streams received by the behavior monitoring server and/or based on data, from one or more resources, indicative of the transportation network's activity. Generated policies are relayed to respective agents associated with the policy-generated/profiled unit. Expected behavior policies of the transportation management network units are based on railway signaling to and from systems used to control railway traffic safety and train collision prevention.

Verifying controller code

A controller that is separate from a processor of the system verifies controller code for execution on the controller. In response to verifying the controller code, the controller verifies system boot code.

Semi-active probing framework to gather threat intelligence for encrypted traffic and learn about devices

In one embodiment, a device in a network observes traffic between a client and a server for an encrypted session. The device makes a determination that a server certificate should be obtained from the server. The device, based on the determination, sends a handshake probe to the server. The device extracts server certificate information from a handshake response from the server that the server sent in response to the handshake probe. The device uses the extracted server certificate information to analyze the traffic between the client and the server.