Managed devices containing a Trusted Platform Module (TPM) to provide a trusted environment generate a device certificate at initialization of the TPM and send the device certificate to a management console for storing in a certificate database. Upon detecting a file of interest, the TPM signs the file, adding to a signature list created by previous managed devices. The signature list can be used to analyze the spread of the file across the system of managed devices, including tracking the file to the first managed device to have had a copy, without requiring real-time access to the managed devices during the spread of the file. In some embodiments, additional security measures may be taken responsive to determining the first managed device and the path the file has taken across the system of managed devices.

A system for analyzing and clustering darknet traffic streams with word embeddings, comprising a data processing module which collects packets that are sent to non-existing IP addresses that belong to darknet's taps (blackholes) that are deployed over the internet; a port embedding module for performing port sequence embeddings by using a word embedding algorithm on the port sequences extracted from the data processing module while transforming the port sequences into a meaningful numerical feature vectors; a clustering module for performing temporal clustering of the feature vectors over time; and an alert logic and visualization module visualizes the data and provides alerts regarding a cluster that an analyst classified as malicious in the past.

The invention relates generally to an alternate display generation based on user identification of unauthorized users. When the user is identified as an unauthorized user, the organization may present an alternative interface to the unauthorized user. The organization monitors how the unauthorized user utilizes the alternative interface, such as action requests that the unauthorized user may take through the use of the alternative interface. In response to any action requests from the unauthorized user, the organization may take alternative actions in order to make it seem that the unauthorized user was successful in the action request. In this way, the organization may monitor the use of the alternative interface by the unauthorized user, and capture additional information from the unauthorized user in order to identify, track, and/or prevent access by unauthorized users in the future.

A disclosed method may include (1) determining that a packet traversing a network device has been selected for conditional tracing by (A) comparing a characteristic of the packet against a firewall rule that calls for all packets exhibiting the characteristic to be conditionally debugged while traversing the network device and (B) determining, based at least in part on the comparison, that the firewall rule applies to the packet due at least in part to the packet exhibiting the characteristic, (2) tracing a journey of the packet within the network device in response to the determination by collecting information about the packet's journey through a network stack of the network device, and then (3) performing at least one action on the network device based at least in part on the information collected about the packet's journey through the network stack. Various other systems, methods, and computer-readable media are also disclosed.

Systems and methods for inspection of traffic between UE and the core network to mitigate DDoS attacks on mobile networks are provided. According to one embodiment, the method involves parsing SCTP packets and monitoring header anomalies to block anomalous packet floods. According to another embodiment, a memory table maintains requesting S1AP-IDs which have sent certain monitored commands and then blocking those which are sending these messages at abnormally high rates. According to yet another embodiment, a packet classifier parses the GTP-U protocol, unwraps the encapsulated IP packet and then monitors layer 3, 4 and 7 rate-based attacks such as UDP, ICMP, SYN, HTTP GET floods and drops them to protect the targeted Internet server as well as mobile infrastructure (e.g., the MME, the SGW, the PGW, and the PDN) downstream from the DDoS mitigation system.

A process to detect intrusions with an intrusion detection system is disclosed. The intrusion detection system identifies instance types, and each instance type includes an instance. A know compromised instance is identified from the plurality of instances. A link between the plurality instance types is traversed from the compromised instance to discover an additional compromised instance.

An analysis ECU acquires information related to a first flow and information related to a second flow, the first flow and the second flow organizing packets transferred in a monitored system into respective groups. The analysis ECU acquires information related to a conversion that takes the first flow as input and the second flow as output. The analysis ECU acknowledges alert information generated in the monitored system and including information capable of identifying at least one flow. The analysis ECU generates, when the second flow is identified by the alert information, route information that includes at least one of the information related to the conversion and the information related to the first flow associated with the second flow in the information related to the conversion.

Techniques for phishing protection using cloning detection are described herein. The techniques described herein can include a server which hosts a website detecting that a fetcher is a cloning toolkit or an entity known for using a cloning toolkit. The techniques can also include a server which hosts a downloadable application (such as a mobile application) detecting that a fetcher for the application is a cloning toolkit or an entity known for using a cloning toolkit. The detection can be done in several ways, such as by analyzing data logs for patterns associated with cloning toolkits or entities known for using cloning toolkits. The techniques described herein can also include a part of an end user device (such as a part of a mobile device) detecting a clone (such as a clone website or application) that was cloned by a cloning toolkit. Then, upon detection, security actions can be taken.

In some examples, a terminal can establish wireless communication with a base station. The terminal can determine a challenge, transmit the challenge, receive a response, and determine that the response is valid. The terminal can, in response, establish a secure network tunnel to a network node. In some examples, a terminal can determine a first communication parameter associated with communication with the base station. The terminal can receive data indicating a second communication parameter via a secure network tunnel. The terminal can determine that the communication parameters do not match, and, in response, provide an indication that an attack is under way against the network terminal. Some example terminals transmit a challenge, determine a response status associated with the challenge, and determine that an attack is under way based on the response status.

A method for protecting a network having multiple network subscribers against a cyberattack, in which bits or bit sequences of a message are transmitted between the network subscribers in the network via different voltage levels on at least one transmission route of the network. For this purpose, at least one characteristic of the voltage levels or of the transmitted bits or bit sequences is actively modified in at least one of the network subscribers or on the at least one transmission route and the origin of the transmitted bits or of the at least one transmission route is determined on the basis of the at least one characteristic. The cyberattack on the network is detected or the cyberattack on the network is localized in the network as a function of the ascertained origin.