Systems and methods are disclosed for identifying human users on a network. One method includes receiving network data comprising data transmitted over a network over predetermined time period, the network data comprising a plurality of usernames and a plurality of events, wherein each of the plurality of events is associated with at least one of the plurality of usernames; determining a plurality of pairs, each pair of the plurality of pairs comprising a username of the plurality of usernames and an associated event of the plurality of events; determining qualifying pairs of the plurality of pairs, the qualifying pairs corresponding to a subset of the plurality of pairs that meet or exceed one or more predetermined event frequency thresholds; determining non-qualifying pairs of the plurality of pairs, the non-qualifying pairs corresponding to the subset of the plurality of pairs that do not meet or exceed one or more predetermined event frequency thresholds; generating at least one distribution associated with the qualifying pairs and non-qualifying pairs; and based on the at least one distribution, determining if at least one username of the plurality of usernames is associated with a human user or a non-human user.

Computer systems and methods for improving the security and efficiency of client computers interacting with server computers through an intermediary computer using one or more polymorphic protocols are discussed herein. In an embodiment, a computer system comprises a memory; one or more processors coupled to the memory and configured to: generate a modified identifier for a original object based on a original identifier and a nonce; render one or more instructions that include the nonce and define a modified object that corresponds to the original object and includes the modified identifier; send the one or more instructions to a client computer, wherein the one or more instructions, when executed by the client computer, are configured to cause the client computer to send a request from the client computer with the modified identifier and the nonce; receive, from the client computer, a request with a challenge identifier and a challenge nonce; generate a test identifier based on the original identifier and the challenge nonce; determine whether the test identifier matches the challenge identifier.

A method for automated determination of IP address information of malicious attacks. An intrusion detection system may receive an index tree for storing IP addresses in one or more nodes of the index tree in a predefined sorting order. The instruction detection system may receive a data structure including a first set of one or more IP addresses from a honeypot system. The intrusion detection may receive unstructured data indicative of a second set of one or more IP addresses from a predefined data source. The intrusion detection system may process the unstructured data to determine the second set of one or more IP addresses. The intrusion detection system may insert each IP address of the first and second sets of one or more IP addresses into one or more nodes of the index tree.

A threat response platform to act as a bridge between non-inline security programs and inline security programs. The threat response platform receives event reports, relating to client devices, from the non-inline security programs and creates incident reports for a user. The incident reports describe the event report and also additional data gathered by an active correlation system of the threat response platform. The active correlation system automatically gathers various types of data that are potentially useful to a user in determining whether the reported event is an incidence of malware operating on the client device or a false positive. The active correlation system places a temporary agent on the client device to identify indications of compromise.

The present disclosure relates to techniques for automated and adaptive cloud security management. Embodiments provide for, at an electronic device configured to interface with a cloud computing environment, initiating one or more transactions in the cloud computing environment using a first identifier to cause a first service of the cloud computing environment to generate a first set of data including the first identifier and a second identifier, and a second service of the cloud computing environment to generate a second set of data including a third identifier and a fourth identifier. Embodiments also provide for automatically determining whether the first identifier corresponds to the third identifier, and, in accordance with a determination that the first identifier corresponds to the third identifier, associating the second identifier and the fourth identifier to generate a linkage between the first and second services.

Traffic into and out of an organization-level network is monitored. A request for an encryption key from ransomware infecting a computer in the organization-level network to a remote command and control server is detected. A simulated reply to the ransomware is generated. A known encryption key for which the corresponding decryption key is also known is substituted for the encryption key supplied by the C&C server. The simulated reply containing the substituted known key is then supplied to the ransomware, such that the ransomware uses the known encryption key to encrypt files accessible from the computing device, and requests payment in order to provide a decryption key. Instead of paying the ransom, the encrypted files are decrypted using the known decryption key corresponding to the known encryption key which was provided to the ransomware.

In one embodiment, a device obtains certificate information for a plurality of network addresses. The device constructs, based on the certificate information, a bipartite graph that maps nodes representing common names from the certificate information to nodes representing autonomous systems. The device determines edge counts from the bipartite graph for the nodes representing the autonomous systems. The device identifies, based on the edge counts, a particular one of the common names as botnet-related by comparing edge counts for the autonomous systems associated with that particular common name to edge counts for the autonomous systems associated with one or more of the other common names.

Non-harmful data mimicking computer network attacks may be inserted in a computer network. Anomalous real network connections may be generated between a plurality of computing systems in the network. Data mimicking an attack may also be generated. The generated data may be transmitted between the plurality of computing systems using the real network connections and measured to determine whether an attack is detected.

Techniques are provided that facilitate responding to cyberattacks using counter intelligence (CI) bot technology. In one embodiment, a first system is disclosed that comprises a processor and a memory. The memory can store executable instructions that, when executed by the processor, facilitate performance of operations including receiving a request from a second system requesting assistance in association with a cyberattack on the second system, wherein the request comprises information indicating a type of the cyberattack. The operations further comprise selecting a counter intelligence bot configured to respond to the type of cyberattack, and directing the counter intelligence bot to respond to the cyberattack, wherein the directing comprises enabling the counter intelligence bot to respond to the cyberattack by establishing a gateway with the second system and employing the gateway to intercept and respond to traffic associated with the cyberattack on behalf of the second system.

Non-harmful data mimicking computer network attacks may be inserted in a computer network. Anomalous real network connections may be generated between a plurality of computing systems in the network. Data mimicking an attack may also be generated. The generated data may be transmitted between the plurality of computing systems using the real network connections and measured to determine whether an attack is detected.