Patent classifications
H04L2463/146
METHOD AND SYSTEM TO RESOLVE A DISTRIBUTED DENIAL OF SERVICE ATTACK THROUGH DENYING RADIO RESOURCE ALLOCATION OF INFECTED END DEVICES
Methods and systems to resolve a distributed denial of service (DDoS) attack in a wireless network are disclosed. In one embodiment, a method comprises receiving signaling messages along with samples of spurious traffic sourced from one or more end devices, where the one or more end devices connect to the wireless network for internet connectivity. The method continues with determining, based on the samples, that a DDoS attack is occurring in which a set of one or more of the end devices is acting as bots in a botnet, and are thus infected end devices, and causing denial of radio resource allocation to the set of one or more infected end devices.
Method and apparatus for malicious attack detection in an SDN network
A malicious attack detection method includes: receiving, by a controller, a Packet-in message sent by a switch, where the Packet-in message includes a source host identifier and a destination host identifier of a data packet for which the switch does not find a flow entry; when determining that a host indicated by the destination host identifier does not exist in an SDN network, sending, by the controller, an abnormal flow entry to the switch; receiving, by the controller, a triggering count sent by the switch, where the triggering count is a quantity of times that the abnormal flow entry is triggered; and determining, according to the triggering count, whether a malicious attack is initiated. According to the method, a malicious attack from a host can be detected, a data processing volume of a controller can be reduced, and performance of the controller can be improved.
METHODS, SYSTEMS, AND PROGRAM PRODUCT FOR ANALYZING CYBER-ATTACKS BASED ON IDENTIFIED BUSINESS IMPACTS ON BUSINESSES
Methods, systems, and program products for analyzing cyber-attacks on computing systems of a business are disclosed. The methods may include detecting each of a plurality of cyber-attacks. The plurality of cyber-attacks may target information systems stored on at least one information technology (IT) component of an infrastructure of the computing system of the business. The methods may also include determining cyber-attack data relating to the plurality of cyber-attacks, and identifying a business impact on the business for each of the plurality of cyber-attacks. The identified business impact on the business for the plurality of cyber-attacks may be based on predetermined business impact data and the determined cyber-attack data. Additionally, the method may include prioritizing the plurality of cyber-attacks attempted on the computing system based on the identified business impact on the business for each of the plurality of cyber-attacks.
Systems and methods for polluting phishing campaign responses
Techniques are disclosed for polluting phishing campaign responses with content that includes fake sensitive information of a type that is being sought in phishing messages. Embodiments disclosed herein identify phishing messages that are designed to fraudulently obtain sensitive information. Rather than simply quarantining these phishing messages from users' accounts to prevent users from providing real sensitive information, embodiments disclosed herein analyze these phishing messages to determine what type(s) of information are being sought and then respond to these phishing messages with fake sensitive information of these type(s). For example, if a phishing message is seeking sensitive credit card and/or bank account information, fake information of these type(s) may be generated and sent in response to the phishing message. In various implementations, a natural language processing (NLP) model may be used to analyze the phishing message and/or generate a response thereto.
Security inspection of massive virtual hosts for immutable infrastructure and infrastructure as code
A method and system are provided for performing a security inspection of a set of virtual images. The method includes merging the virtual images into a tree structure having a root and a plurality of leaves such that child leaves and a parent leaf to the child leaves have common ones of the virtual images. The method further includes applying a bisection method against a path in the tree from the root to a given one of the plurality of leaves having a given one of the virtual images in which a security violation has been identified to find a particular one of the virtual images that is a root cause of the security violation. The method also includes performing a corrective action for any of the plurality of images having the security violation.
Automatically generating network resource groups and assigning customized decoy policies thereto
A cyber security system comprising circuitry of a decoy deployer planting one or more decoy lateral attack vectors in each of a first and a second group of resources within a common enterprise network of resources, the first and second groups of resources having different characteristics in terms of subnets, naming conventions, DNS aliases, listening ports, users and their privileges, and installed applications, wherein a lateral attack vector is an object of a first resource within the network that has a potential to be used by an attacker who discovered the first resource to further discover information regarding a second resource within the network, the second resource being previously undiscovered by the attacker, and wherein the decoy lateral attack vectors in the first group conform to the characteristics of the first group, and the decoy lateral attack vectors in the second group conform to the characteristics of the second group.
Method for detecting an attack on a working environment connected to a communication network
A method for detecting an attack on a work environment connected to a communication network includes: electronically emulating, by a network security device connected to the communication network, the work environment; registering, by the network security device, network traffic; comparing, by the network security device, the registered network traffic with predefined network traffic; and triggering, by the network security device, a first attack warning signal in the event of a deviation between the registered network traffic and the predefined network traffic.
Combining internet routing information with access logs to assess risk of user exposure
The present disclosure is directed towards systems and methods for evaluating or mitigating a network attack. A device determines one or more client internet protocol addresses associated with the attack on the service. The device assigns a severity score to the attack based on a type of the attack. The device identifies a probability of a user account accessing the service during an attack window based on the type of attack. The device generates an impact score for the user account based on the severity score and the probability of the user account accessing the service during the attack window. The device selects a mitigation policy for the user account based on the impact score.
Systems and methods for creating a deception computing system
A computer-implemented method for creating a deception computing system may include (i) identifying, by a computing device, a dataset of security alert signatures from a set of client devices, (ii) determining, by the computing device, a set of software vulnerabilities based on the dataset of security alert signatures, (iii) clustering, by the computing device, the set of software vulnerabilities to increase a length of at least one potential attack path within a predetermined number of honeypot machines, and (iv) distributing, by the computing device and based on clusters of software vulnerabilities, a set of vulnerable software among a set of honeypot machines within a honeynet. Various other methods, systems, and computer-readable media are also disclosed.
System and method for connection fingerprint generation and stepping-stone traceback based on netflow
A method for tracking cyber hacking is provided. The method of connection fingerprint generation and stepping-stone traceback based on NetFlow includes receiving a traceback request including IP packet attribute information of a victim and an attacker which corresponds to a target connection that is the last connection on a connection chain, generating a fingerprint for an associated connection based on the IP packet attribute information and requesting relevant information from a NetFlow collector, detecting a stepping-stone connection to the target connection which is generated at the time of generation of the fingerprint and instructing a check of whether sorted candidate connections are present on the same connection chain as the target connection, and determining an order of the candidate connections based on an attacker host when the candidate connections are determined to be present on the same connection chain as the target connection.