Patent classifications
H04L2463/146
Providing contextual forensic data for user activity-related security incidents
Techniques for providing contextual forensic data based on user activities. A first method includes identifying a user action in user activity data, wherein the user action is a discrete event initiated by a user, wherein the user action is performed with respect to a portion of a system; and correlating the identified user action with at least one system change, wherein the at least one system change is related to the portion of the system, wherein the at least one system change occurred after the user action. A second method includes taking a first snapshot before a user action occurs, wherein the user action is a discrete event initiated by a user, wherein the first snapshot is taken of at least a portion of a system; and taking a second snapshot after the user action occurs, wherein the second snapshot is taken of the at least a portion of the system.
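The two methods above amount to a before/after snapshot diff joined to a user-activity log on two keys: the portion of the system the action touched, and a time window after the action. The following Python is an added example written for this page, not code from the patent; the file tree, the user-activity records and the five-minute window are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class UserAction:
    ts: datetime
    user: str
    verb: str      # e.g. "edit", "install", "chmod"
    target: str    # the portion of the system the action was performed on


@dataclass(frozen=True)
class SystemChange:
    ts: datetime
    path: str
    kind: str      # "added" | "removed" | "modified"


def snapshot(tree: dict) -> dict:
    """Hash the content of every file in `tree` so two snapshots diff cheaply."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in tree.items()}


def diff_snapshots(before: dict, after: dict, ts: datetime) -> list:
    """Turn a before/after pair of snapshots into discrete SystemChange records."""
    changes = [SystemChange(ts, p, "added") for p in after.keys() - before.keys()]
    changes += [SystemChange(ts, p, "removed") for p in before.keys() - after.keys()]
    changes += [SystemChange(ts, p, "modified")
                for p in before.keys() & after.keys() if before[p] != after[p]]
    return sorted(changes, key=lambda c: c.path)


def correlate(actions: list, changes: list, window=timedelta(minutes=5)) -> dict:
    """Attribute each change to the most recent user action that touched the same
    portion of the system and occurred no more than `window` before the change.
    Changes with no such action are returned under the key None."""
    result: dict = {}
    for change in changes:
        candidates = [a for a in actions
                      if change.path.startswith(a.target)
                      and a.ts <= change.ts <= a.ts + window]
        key = max(candidates, key=lambda a: a.ts) if candidates else None
        result.setdefault(key, []).append(change)
    return result


def demo_correlation() -> dict:
    """Constructed scenario: alice edits under /etc/ssh/; a minute later the sshd
    config changed and a new key file appeared, while a /var/log change is unrelated."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    actions = [
        UserAction(t0, "alice", "edit", "/etc/ssh/"),
        UserAction(t0 + timedelta(hours=2), "bob", "install", "/opt/app/"),
    ]
    before = snapshot({
        "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
        "/var/log/syslog": b"boot\n",
    })
    after = snapshot({
        "/etc/ssh/sshd_config": b"PermitRootLogin yes\n",
        "/etc/ssh/authorized_keys": b"ssh-ed25519 AAAA... attacker\n",
        "/var/log/syslog": b"boot\nsshd restarted\n",
    })
    changes = diff_snapshots(before, after, t0 + timedelta(minutes=1))
    return correlate(actions, changes)
```

The window and the prefix match are the two knobs an investigator tunes: too wide a window attributes unrelated background changes to the last user who touched the directory, too narrow misses changes that a service applies lazily after the action.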
Identifying apparatus, identifying method, and identifying program
A command and control server identifying apparatus attaches, to data that malware receives when it executes, a tag that uniquely identifies the communication destination information (the address) of the source of that data, and tracks the propagation of the tagged data through the malware. Among the tracked data, it then obtains the tag of the data referenced by a branch instruction executed by the malware. Finally, it identifies the communication destination information of the command and control server that issues commands to the malware from the source communication destination information associated with the obtained tag.
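The idea is dynamic taint tracking with a per-source tag: bulk data the sample merely writes to disk never reaches a branch, while a controller reply that selects the next action does. The following Python is an added illustration, not the apparatus described in the patent; it replays a constructed instruction trace of `recv`/`mov`/`arith`/`branch` operations over named registers and buffers, and the peer addresses are RFC 5737 documentation addresses chosen for the example.

```python
from dataclasses import dataclass, field


@dataclass
class TaintTracker:
    """Every register or memory location carries the set of tags of the network
    sources its value derives from; byte-level precision is not needed for the idea."""
    sources: dict = field(default_factory=dict)       # tag -> (ip, port) of the sender
    taint: dict = field(default_factory=dict)         # location -> set of tags
    branch_sources: set = field(default_factory=set)  # peers whose data reached a branch

    def recv(self, dst: str, src_ip: str, src_port: int) -> None:
        # Each receive creates a fresh tag bound to the peer the data came from.
        tag = len(self.sources)
        self.sources[tag] = (src_ip, src_port)
        self.taint[dst] = {tag}

    def mov(self, dst: str, src: str) -> None:
        self.taint[dst] = set(self.taint.get(src, ()))

    def arith(self, dst: str, a: str, b: str) -> None:
        # Propagation rule: a result is tainted by everything its operands were.
        self.taint[dst] = self.taint.get(a, set()) | self.taint.get(b, set())

    def branch(self, operand: str) -> None:
        # A branch whose condition depends on received data means that data is
        # being interpreted as a command: record where it came from.
        for tag in self.taint.get(operand, ()):
            self.branch_sources.add(self.sources[tag])

    def c2_candidates(self) -> set:
        return set(self.branch_sources)


def run_trace(trace: list) -> TaintTracker:
    """Replay a list of (opcode, *operands) tuples through the tracker."""
    t = TaintTracker()
    for op, *args in trace:
        getattr(t, op)(*args)
    return t


# Constructed trace: the sample downloads a payload from a CDN (never used to
# decide anything) and polls a controller whose reply selects the next action.
SAMPLE_TRACE = [
    ("recv", "buf_payload", "198.51.100.20", 443),   # CDN: bulk data
    ("mov", "mem_drop", "buf_payload"),              # written to disk, no branch
    ("recv", "buf_cmd", "203.0.113.7", 8080),        # controller reply
    ("mov", "eax", "buf_cmd"),
    ("arith", "ebx", "eax", "const_zero"),           # cmp-style computation
    ("branch", "ebx"),                               # jz/jne on the command byte
]


def identify_c2(trace: list = SAMPLE_TRACE) -> set:
    """Return the peers whose data influenced a branch; here only the controller."""
    return run_trace(trace).c2_candidates()
```

The important property is that the CDN address is not reported even though far more bytes came from it: the discriminator is control dependence, not volume.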
Identification apparatus, control method therefor, and storage medium
There is provided an identification apparatus. A storage unit stores an operation history as a history of an operation executed in at least one information processing apparatus. An acquisition unit acquires malware spread information including information indicating malware. An identification unit identifies, based on the operation history, an intrusion route of the malware indicated by the malware spread information acquired by the acquisition unit, generates at least one piece of malware spread information corresponding to at least one operation included in the intrusion route in the operation history, and identifies, in the operation history, for each of the at least one piece of malware spread information, at least one operation of spreading the malware by setting, as a direct or indirect start point, the malware indicated by the malware spread information.
Detecting attackers who target containerized clusters
A method of operating a deception management server to detect and hinder attackers who target the containerized clusters of a network. In a learning phase the server studies the network environment: it finds existing container instances, finds existing services and the relationships between them, extracts the naming conventions used in the environment, and classifies the most important assets. Based on what it learned it creates deceptions, including one or more of (i) secrets, (ii) environment variables pointing to deceptive databases, web servers or Active Directories, (iii) mounts, (iv) additional container instances such as a file server, database, web application or SSH host, (v) URLs to external services, and (vi) namespaces for fictional environments. The deceptions are planted via the container orchestrator, via SSH directly into the containers, or via the container registry, and an alert is issued when an attacker attempts to connect to a deceptive entity.
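What makes such decoys credible is the learning phase: a decoy named against the environment's own conventions and placed next to its most-referenced asset is what an attacker enumerating the cluster will reach for. The following Python is an added example written for this page, not the patent holder's product; the service names, relationships, connection log lines and credential value are all constructed, and the manifests are emitted as JSON because `kubectl apply -f` accepts JSON as well as YAML.

```python
import json
import re
from collections import Counter


def learn_naming_convention(names: list) -> dict:
    """Find the separator and suffix tokens used by existing service names so that
    decoys blend in (e.g. 'orders-db', 'billing-db' -> separator '-', suffix 'db')."""
    sep = Counter(ch for n in names for ch in n if ch in "-_.").most_common(1)[0][0]
    suffixes = sorted({n.rsplit(sep, 1)[-1] for n in names if sep in n})
    return {"sep": sep, "suffixes": suffixes}


def rank_assets(names: list, relationships: list) -> list:
    """Most important assets = most referenced targets among (client, server) pairs."""
    refs = Counter(dst for _, dst in relationships)
    return sorted(names, key=lambda n: -refs[n])


def make_deceptions(namespace: str, convention: dict, top_asset: str) -> dict:
    """Build a deceptive Secret, a decoy Service and an env var pointing at it."""
    sep = convention["sep"]
    prefix, _, suffix = top_asset.rpartition(sep)
    if not prefix:                       # name has no separator: whole name is the prefix
        prefix, suffix = top_asset, convention["suffixes"][0]
    decoy_service = f"{prefix}{sep}replica{sep}{suffix}"
    secret = {
        "apiVersion": "v1", "kind": "Secret",
        "metadata": {"name": f"{decoy_service}{sep}credentials", "namespace": namespace,
                     "labels": {"deception": "true"}},   # label consumed only by alerting
        "type": "Opaque",
        "stringData": {"username": "replicator",
                       "password": "R3plica-Tok3n-9f1c"},  # constructed, never a real credential
    }
    service = {
        "apiVersion": "v1", "kind": "Service",
        "metadata": {"name": decoy_service, "namespace": namespace},
        "spec": {"ports": [{"port": 5432}], "selector": {"app": decoy_service}},
    }
    env_var = {"name": "DATABASE_URL",
               "value": f"postgres://replicator@{decoy_service}.{namespace}.svc:5432/app"}
    return {"secret": secret, "service": service, "env_var": env_var,
            "decoy_hosts": {decoy_service, f"{decoy_service}.{namespace}.svc"}}


def alerts_for(connection_log: list, decoy_hosts: set) -> list:
    """A deceptive entity has no legitimate clients: any connection attempt is an alert."""
    out = []
    for line in connection_log:
        m = re.match(r"(\S+) (\S+) -> (\S+):(\d+)", line)
        if m and m.group(3) in decoy_hosts:
            out.append({"time": m.group(1), "src": m.group(2), "dst": m.group(3)})
    return out


def demo_deceptions() -> dict:
    names = ["orders-api", "orders-db", "billing-db", "auth-api", "cache"]
    rels = [("orders-api", "orders-db"), ("billing-api", "billing-db"),
            ("auth-api", "orders-db"), ("orders-api", "cache")]
    conv = learn_naming_convention(names)
    d = make_deceptions("prod", conv, rank_assets(names, rels)[0])
    log = [   # constructed connection records: "<time> <src pod> -> <dst>:<port>"
        "10:00:01 orders-api-7c9 -> orders-db:5432",
        "10:02:13 orders-api-7c9 -> orders-replica-db.prod.svc:5432",
    ]
    return {"manifests": json.dumps([d["secret"], d["service"]]),
            "decoy_service": d["service"]["metadata"]["name"],
            "alerts": alerts_for(log, d["decoy_hosts"])}
```

The second log line is the signal: a pod that normally talks to `orders-db` suddenly resolving the replica decoy is either a compromised workload or an attacker with that pod's credentials, and there is no benign reason for it.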
NETWORK PROTOCOL MODIFICATION SYSTEMS FOR MITIGATING ATTACKS
In a particular embodiment, a network protocol modification system is configured to identify a malicious attack on a particular computing system, and modify a protocol (e.g., Border Gateway Protocol) that dictates a path of network traffic to the particular computing system. The system may, for example, modify a protocol (e.g., Border Gateway Protocol) that dictates the path of network traffic to the particular computing system for: (1) all network traffic; (2) any network traffic from one or more particular sources; and/or (3) any other suitable combination of traffic. In some embodiments, the system may interface with one or more ISP or other systems in order to propagate network protocol updates. In particular embodiments, the system is particularly configured to mitigate one or more DDoS attacks against a particular target network or service.
SYSTEM AND METHOD OF AUTHENTICATING THE SOURCE OF A COMMUNICATION SIGNAL TRANSMITTED ALONG A NETWORK BUS
A communication network authenticates the source of messages transmitted on a flat bus in order to detect spoofing events. A programmable intrusion detection device is connected to the bus at a fixed location and compiles templates for the various tri-bit signal pulses that form the data transmitted as messages between network nodes. Each tri-bit template captures the unique signal characteristics inherent in the waveform the device receives from each node, characteristics that are directly attributable to the physical topology of the network. In use, the device applies the templates to calculate an inferred source identifier for each message. The inferred source identifier is then compared against the declared source identifier embedded in the message metadata to authenticate the message source. Any mismatch between the inferred and declared source identifiers causes the device to mark the message as spoofed and initiate a designated response.
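Because the device sits at a fixed point on the bus, each transmitting node's pulses arrive with a characteristic rise time, overshoot and settled level set by cable length and termination, and those cannot be forged by rewriting a source ID field. The following Python is an added example of that template-matching step, not the patent's implementation; the three per-pulse features and their values are constructed, and a real deployment would measure many more pulses per node and re-fit templates as the harness ages.

```python
import math
from statistics import mean, pstdev

FEATURES = ("rise_time_ns", "overshoot_mV", "settle_mV")   # assumed per-pulse measurements


class BusFingerprinter:
    """Per-node templates of physical-layer pulse features; a message is attributed
    to the node whose template its pulses are closest to (majority vote)."""

    def fit(self, training: dict) -> "BusFingerprinter":
        """training: node_id -> list of feature tuples captured during enrolment."""
        pulses = [p for ps in training.values() for p in ps]
        n = len(FEATURES)
        # Scale each feature by its spread so rise time (ns) and overshoot (mV) weigh equally.
        self.scale = tuple(pstdev(p[i] for p in pulses) or 1.0 for i in range(n))
        self.templates = {node: self._norm(tuple(mean(p[i] for p in ps) for i in range(n)))
                          for node, ps in training.items()}
        return self

    def _norm(self, p: tuple) -> tuple:
        return tuple(v / s for v, s in zip(p, self.scale))

    def infer_source(self, pulses: list) -> str:
        votes: dict = {}
        for p in pulses:
            q = self._norm(p)
            best = min(self.templates, key=lambda node: math.dist(q, self.templates[node]))
            votes[best] = votes.get(best, 0) + 1
        return max(votes, key=votes.get)

    def authenticate(self, message: dict) -> dict:
        """Reconcile the inferred source with the ID the message claims in its metadata."""
        inferred = self.infer_source(message["pulses"])
        declared = message["declared_source"]
        return {"declared": declared, "inferred": inferred, "spoofed": inferred != declared}


# Constructed enrolment captures: three pulses per node, small measurement noise.
TRAINING = {
    "A": [(8.0, 120, 2500), (8.2, 118, 2502), (7.9, 123, 2498)],
    "B": [(12.0, 90, 2450), (11.8, 92, 2452), (12.1, 88, 2449)],
    "C": [(6.0, 200, 2600), (6.1, 198, 2603), (5.9, 202, 2598)],
}


def demo_bus_auth() -> list:
    """Two messages both claiming to come from node A; the second was physically
    transmitted by node C, so its pulses match C's template and it is flagged."""
    fp = BusFingerprinter().fit(TRAINING)
    messages = [
        {"declared_source": "A", "pulses": [(8.1, 121, 2501), (7.8, 119, 2499)]},
        {"declared_source": "A", "pulses": [(6.0, 199, 2601), (6.2, 201, 2599)]},
    ]
    return [fp.authenticate(m) for m in messages]
```

Nearest-template matching with a majority vote is deliberately simple; the operational questions are the threshold below which a "nearest" template is still too far to trust (an unknown node on the bus) and how to refresh templates after a harness repair without an attacker being able to poison them.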
E-mail relay device, e-mail relay method, and non-transitory storage medium
Provided is an e-mail relay device including: an e-mail receiving unit that acquires an e-mail to be delivered, transmitted from a transmission source mailer via Simple Mail Transfer Protocol (SMTP), before the e-mail reaches its transmission destination; a request notification unit that, after the e-mail receiving unit has acquired the e-mail to be delivered, transmits a notification e-mail to the transmission source e-mail address of that e-mail, prompting the transmission source terminal to communicate with a predetermined authentication server over IP; a transmission source IP address acquisition unit that, when the transmission source terminal communicates with the predetermined authentication server after the notification e-mail is transmitted, acquires the IP address of the transmission source terminal from the IP header of an IP packet transmitted or received during that communication; and a determination unit that determines the reliability of the e-mail to be delivered based on the IP address of the transmission source terminal.
Open source intelligence deceptions
A system to detect attackers who attempt to breach an enterprise network and attackers who have already breached the enterprise network, including an open source intelligence (OSINT) discoverer scanning the Internet to discover data related to an enterprise that is available online, an OSINT replacer generating deceptive files by replacing placeholders within template files with deceptive information, based on the data discovered by the OSINT discoverer, an OSINT distributor planting the deceptive files generated by the OSINT replacer within designated OSINT resources, and a deception management server that alerts an administrator in response to an attacker attempting to make a connection within the network using information in a deceptive file planted by the OSINT distributor.
SYSTEM AND METHOD FOR AUTONOMOUS VEHICLE INTRUSION COUNTER-MEASURES
Systems, methods, and computer-readable storage media for intrusion protection on autonomous vehicles. As threats are detected, the nature of each threat is analyzed. A tiered response to the threat is then implemented, with intermediate tiers isolating various subsystems and the ultimate tier putting the autonomous vehicle into a turtle mode. As threats are identified and the tiered responses are applied, the autonomous vehicle records data on how effective the responses were in diminishing the threat, then modifies the code that forms its autonomous algorithms so that, over time, the vehicle improves how it recognizes and responds to threats.
Virus intrusion route identification device, virus intrusion route identification method, and program
The invention aims to backtrack a virus infection route in more detail than conventional approaches. The CPUs of the client devices each monitor operations and cause their storage devices to store operation histories. Upon detecting a virus, the CPU determines, based on the operation history stored in the storage device, the time and date at which the virus was first saved on the client device, and determines the virus intrusion route based on the operation that was executed at that time and date.
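This abstract and the earlier "Identification apparatus" one describe the two halves of the same walk over an operation history: backwards from the detected file, one earliest-write at a time, until an operation with an external origin (a saved attachment, a download) is reached, and then forwards from that start point through every copy the malware made, directly or via an intermediate location such as a file share. The following Python is an added example written for this page, not either patent's apparatus; the operation records, host names, share path and mail identifier are constructed, and a location is written as `host:path` for local files and as a UNC path for the share so that a copy onto the share can be followed across hosts.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Op:
    ts: datetime
    host: str
    kind: str   # "save_attachment" | "download" | "copy" | "execute"
    src: str    # where the data came from: a mail message, a download origin, or a location
    dst: str    # location the data was written to ("" for execute)


EXTERNAL_KINDS = {"save_attachment", "download"}   # ops that bring data in from outside


def first_write(history: list, location: str):
    """Time and date the file was first saved at `location`: the earliest op that wrote there."""
    writes = [o for o in history if o.dst == location]
    return min(writes, key=lambda o: o.ts, default=None)


def intrusion_route(history: list, detected_location: str) -> list:
    """Backtrack from the detected file to its origin, one earliest-write at a time.
    The last element is the start point (external origin) if the history reaches one."""
    route, cur = [], first_write(history, detected_location)
    while cur is not None:
        route.append(cur)
        if cur.kind in EXTERNAL_KINDS:
            break                       # reached the start point (mail, download, ...)
        nxt = first_write(history, cur.src)
        if nxt is None or nxt in route:
            break                       # src not written by any recorded op, or a cycle
        cur = nxt
    return route


def spread_operations(history: list, start_location: str):
    """Forward pass: every op that copies the malware from the start point, directly
    or via a location that an earlier spreading op wrote (indirect start point)."""
    infected, spread, frontier = {start_location}, [], [start_location]
    while frontier:
        loc = frontier.pop()
        for o in sorted(history, key=lambda o: o.ts):
            if o.src == loc and o.dst and o.dst not in infected:
                infected.add(o.dst)
                spread.append(o)
                frontier.append(o.dst)
    return sorted(spread, key=lambda o: o.ts), infected


def demo_backtrack() -> dict:
    t = datetime(2024, 3, 1, 9, 0)
    history = [   # constructed operation histories collected from three clients
        Op(t, "hostA", "save_attachment", "mail:invoice-2024-03",
           r"hostA:C:\Users\alice\Downloads\invoice.exe"),
        Op(t + timedelta(minutes=5), "hostA", "copy",
           r"hostA:C:\Users\alice\Downloads\invoice.exe", r"\\fs01\public\invoice.exe"),
        Op(t + timedelta(hours=1), "hostB", "copy",
           r"\\fs01\public\invoice.exe", r"hostB:C:\Temp\invoice.exe"),
        Op(t + timedelta(hours=1, minutes=1), "hostB", "execute",
           r"hostB:C:\Temp\invoice.exe", ""),
        Op(t + timedelta(hours=1, minutes=30), "hostB", "download",
           "update-server", r"hostB:C:\Temp\update.msi"),          # unrelated activity
        Op(t + timedelta(hours=2), "hostC", "copy",
           r"\\fs01\public\invoice.exe", r"hostC:C:\Temp\invoice.exe"),
    ]
    detected = r"hostB:C:\Temp\invoice.exe"   # the antivirus hit that starts the investigation
    route = intrusion_route(history, detected)
    spread, infected = spread_operations(history, route[-1].dst)
    return {"first_saved_on_hostB": route[0].ts,
            "route": [(o.host, o.kind) for o in route],
            "start_point": route[-1].src,
            "spread": [(o.host, o.dst) for o in spread],
            "hosts_touched": sorted({o.host for o in spread} | {route[-1].host})}
```

The forward pass is what turns a single antivirus hit on hostB into a containment list: hostC copied the same file from the share and has had no detection yet, and the share itself is an indirect start point that keeps infecting until it is cleaned.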