Patent classifications
H04L2463/146
ATTACK SOURCE TRACING IN SFC OVERLAY NETWORK
Embodiments of the present disclosure relate to methods, devices and computer readable storage media for tracing an attack source in a service function chain overlay network. In example embodiments, a request for tracing the attack source of an attacking data flow is sent from the attack tracer to a first service function chain domain of a plurality of service function chain domains through which the attacking data flow subsequently passes. The request includes flow characteristics of the attacking data flow. Then, the attack tracer receives a first set of results of flow matching based on the flow characteristics from the first service function chain domain. The attack tracer identifies the attack source in the plurality of service function chain domains at least in part based on the first set of results. In this way, the attack source may be traced efficiently in the service function chain overlay network.
Intrusion detection system for automated determination of IP addresses
A method for automated determination of IP address information of malicious attacks. An intrusion detection system may receive an index tree for storing IP addresses in one or more nodes of the index tree in a predefined sorting order. The intrusion detection system may receive a data structure including a first set of one or more IP addresses from a honeypot system. The intrusion detection system may receive unstructured data indicative of a second set of one or more IP addresses from a predefined data source. The intrusion detection system may process the unstructured data to determine the second set of one or more IP addresses. The intrusion detection system may insert each IP address of the first and second sets of one or more IP addresses into one or more nodes of the index tree.
NETWORK MANAGEMENT APPARATUS, AND NETWORK MANAGEMENT METHOD
The network management apparatus includes a processor coupled to memory and configured to calculate a communication route of traffic that each of a plurality of edge routers transfers to an attack target device that is attacked from outside the network, select a first router where the communication routes of a plurality of flows of traffic that is transferred to the attack target device merge, instruct the first router to restrict transfer of the traffic of the attack, detect a change in traffic of the attack in response to a restriction on transfer of the traffic of the attack, and identify an edge router of an inflow source from a part of the plurality of edge routers or the edge router of the inflow source of the traffic of the attack from the rest of the plurality of edge routers.
TELECOMMUNICATIONS DEFENCE SYSTEM
A telecommunications defence system (TDS) comprises: at least one shield server; at least one target server communicating with the shield server and with a client telecommunications system (ClientTS), via a telecommunications network (TN). The target server is provided in a geographical location of the TN that is nearer the ClientTS than the shield server. The TDS further comprises an attack detection application (AttackDetectAPP), a communication application (CommAPP) and a shielding application (ShieldAPP). The AttackDetectAPP, when executed on the target server, detects an attack aimed at the ClientTS via the TN and generates an attack source identification signal. The CommAPP transmits the identification signal to the shield server. The ShieldAPP, when executed on the shield server, causes the shield server to generate a shield signal in response to the transmitted identification signal, to provide at least one shield operative to shield the ClientTS from the attack.
Playbook based data collection to identify cyber security threats
A comprehensive security operation platform with artificial intelligence capabilities which may collaborate and/or automate tasks, including complex and/or redundant security tasks. An automated system may assist security analysts and security operations center managers in discovering security incidents. A comprehensive security operations platform may combine intelligent automation scale and collaborative human social learning, wisdom and experience. An automated system may empower security analysts to resolve incidents faster and reduce redundancy through collaboration with peers in virtual war rooms. An automated system may automate security analyst work by executing tasks from the war room or by following playbooks defined by the security analysts.
SYSTEM AND METHOD FOR PROVIDING CONTEXTUAL FORENSIC DATA FOR USER ACTIVITY-RELATED SECURITY INCIDENTS
Techniques for providing contextual forensic data based on user activities. A first method includes identifying a user action in user activity data, wherein the user action is a discrete event initiated by a user, wherein the user action is performed with respect to a portion of a system; and correlating the identified user action with at least one system change, wherein the at least one system change is related to the portion of the system, wherein the at least one system change occurred after the user action. A second method includes taking a first snapshot before a user action occurs, wherein the user action is a discrete event initiated by a user, wherein the first snapshot is taken of at least a portion of a system; and taking a second snapshot after the user action occurs, wherein the second snapshot is taken of the at least a portion of the system.
Tracing mechanism for monitoring and analysis of cloud-based communication session attacks
A tracing mechanism is provided for analyzing session-based attacks. An exemplary method comprises: detecting a potential attack associated with a session from a potential attacker based on predefined anomaly detection criteria; adding a tracing flag identifier to a response packet; sending a notification to a cloud provider of the potential attack, wherein the notification comprises the tracing flag identifier; and sending the response packet to the potential attacker, wherein, in response to receiving the response packet with the tracing flag identifier, the cloud provider: determines a source of the potential attack based on a destination of the response packet; forwards the response packet to the potential attacker based on the destination of the response packet; and monitors the determined source to evaluate the potential attack. The response packet is optionally delayed by a predefined time duration and/or until the cloud provider has acknowledged receipt of the notification.
Secure file sharing using semantic watermarking
Methods and systems for identifying the source of a leak of confidential information are described herein. The methods and systems relate to a file sharing system that may generate a copy of a shared file that is unique to each user. The file management system may determine a plurality of differences within each version of the file. A table of differences is maintained by the file management system, for comparison against any leaked version of the file. The file management system compares each generated version of the file against previously generated versions to ensure enough differences are included to determine a unique identity of the user associated with any leaked file.
LATERAL MOVEMENT PATH DETECTOR
A lateral movement path detector is disclosed. Data is gathered via programmatic access to a management service directory through a REST API endpoint. The data is grouped into a graph having nodes of users, groups, and devices. The nodes are coupled together via edges. A visualization of the graph is provided to illustrate lateral paths of the management service directory.
MALICIOUS DATA MANIPULATION USING MARKERS AND THE DATA PROTECTION LAYER
Embodiments for detecting malicious modification of data in a network, by: setting, by a first layer of network resources, a number of markers associated with input/output (I/O) operations of the network; saving the markers, their locations, and associated metadata in a marker database; reading, by a second layer of the network resources, the markers corresponding to relevant I/O operations; and verifying each scanned I/O operation against a corresponding marker to determine whether or not data for a specific scanned I/O operation has been improperly modified for the first and second layers and any intermediate layer, resulting in a fault condition, and if so, taking remedial action to flag or abort the specific I/O operation.