Patent classifications
H04L2463/146
Securing network resources from known threats
The present disclosure relates to securing workloads of a network by identifying compromised elements in communication with the network and preventing their access to network resources. In one aspect, a method includes monitoring network traffic at network elements of a network; detecting a compromised element in communication with one or more of the network elements, the compromised element being associated with at least one network threat; and based on a defined network policy, applying one of a number of different access prevention schemes to the compromised element to prevent access to the network by the compromised element.
METHOD FOR PREDICTING EVENTS USING A JOINT REPRESENTATION OF DIFFERENT FEATURE TYPES
A method for predicting one or more events includes generating, for features of each of at least two feature types, an intermediate representation using a representation learning model for the at least two feature types. The intermediate representations of the at least two feature types are analyzed using a neural network and at least one neural network model so as to provide a joint representation for predicting certain events. One or more actions to be taken can be determined based on the one or more events predicted by the joint representation.
Method and system for tracking machines on a network using fuzzy GUID technology
A method for querying a knowledge base of malicious hosts numbered from 1 through N. The method includes providing a network of computers, which has a plurality of unknown malicious host machines. In a specific embodiment, the malicious host machines are disposed throughout the network of computers, which includes a worldwide network of computers. The method includes querying a knowledge base including a plurality of known malicious hosts, which are numbered from 1 through N, where N is an integer greater than 1. In a preferred embodiment, the knowledge base is coupled to the network of computers. The method includes receiving first information associated with an unknown host from the network; identifying an unknown host and querying the knowledge base to determine if the unknown host is one of the known malicious hosts in the knowledge base, and outputting second information associated with the unknown host based upon the querying process.
METHOD AND SYSTEM FOR DETECTING ABNORMAL ONLINE USER ACTIVITY
The present teaching generally relates to detecting abnormal user activity associated with an entity. In a non-limiting embodiment, baseline distribution data representing a baseline distribution characterizing normal user activities for an entity may be obtained. Information related to online user activities with respect to the entity may be received, and distribution data representing a dynamic distribution may be determined based, at least in part, on the information. One or more measures characterizing a difference between the baseline distribution and the dynamic distribution may be computed, and in real time it may be assessed whether the information indicates abnormal user activity. If the first information indicates abnormal user activity, then output data including the distribution data and the one or more measures may be generated.
BLOCKCHAIN TRACKING OF VIRTUAL UNIVERSE TRAVERSAL RESULTS
An exemplary computer-implemented method includes obtaining at least one teleportation invite block that records a virtual universe teleportation invite marked by at least one parameter. The teleportation invite identifies a virtual universe user as an invitee. Responsive to the parameter, assess whether the virtual universe teleportation invite is potentially malicious, and alert the invitee in case the virtual universe teleportation invite is potentially malicious. Another exemplary computer-implemented method includes obtaining at least one complaint block that records a complaint made against a virtual universe user; obtaining a plurality of traversal blocks that record virtual universe traversal events by the virtual universe user; identifying a pattern of harassment by analyzing a first plurality of traversal blocks that precede the complaint block; identifying a risk of future harassment by analyzing a second plurality of traversal blocks that follow the complaint block; and issuing an alert regarding the risk of future harassment.
ALTERNATE DISPLAY GENERATION BASED ON USER IDENTIFICATION
The invention relates generally to an alternate display generation based on user identification of unauthorized users. When the user is identified as an unauthorized user, the organization may present an alternative interface to the unauthorized user. The organization monitors how the unauthorized user utilizes the alternative interface, such as action requests that the unauthorized user may take through the use of the alternative interface. In response to any action requests from the unauthorized user, the organization may take alternative actions in order to make it seem that the unauthorized user was successful in the action request. In this way, the organization may monitor the use of the alternative interface by the unauthorized user, and capture additional information from the unauthorized user in order to identify, track, and/or prevent access by unauthorized users in the future.
Method and apparatus for improving network security
A method and an apparatus for improving network security. The method includes obtaining, by a control node, alarm information, where the alarm information includes address information of an attack source that attacks a subnet of at least two subnets and identification information of the attacked subnet of the at least two subnets, using, by the control node, the alarm information to sort the attack sources in descending order of threat levels, and using a sorting result as a blacklist, and sending, by the control node, the obtained blacklist to at least one subnet that is not attacked yet in the network system. The method and apparatus are applicable to collaborative defense among multiple subnets.
Non-transitory recording medium recording cyber-attack analysis supporting program, cyber-attack analysis supporting method, and cyber-attack analysis supporting apparatus
A non-transitory recording medium recording a cyber-attack analysis supporting program that causes a computer to execute a process, the process includes: accepting registration of information of one or more items regarding a cyber-attack event in response to detection of malware in an information processing system of a monitoring target; and displaying the information registered regarding the cyber-attack event in a state in which each of the one or more items is coupled as a subordinate node to a representative node of the cyber-attack event.
System and method for autonomous vehicle intrusion counter-measures
Systems, methods, and computer-readable storage media for intrusion protection on autonomous vehicles. As threats are detected, the nature of the threat is analyzed. A tiered response to the threat is then implemented, with an ultimate implementation including putting the autonomous vehicle in a turtle mode, and intermediate implementations including isolation of various subsystems. As the threats are identified and the autonomous vehicle implements the tiered responses, the autonomous vehicle records data regarding the efficiency of the responses in diminishing the threat, then modifies the code which forms the autonomous algorithms such that, over time, the autonomous vehicle improves how it recognizes and responds to threats.
Detecting security risks on a network
Evaluating computers, devices, or endpoints on a network, such as a large network of computers in an enterprise environment. Detecting computers, devices, or endpoints that may present a security risk to the network or may be compromised in some way. Generating network traffic that, in some cases, should be ignored or should prompt specific, known responses. Detecting endpoint(s) that respond to such network traffic in an anomalous way, or otherwise attempt to perform certain operations based on such network traffic.