Patent classifications
H04L2463/146
CLOUD-BASED FORENSIC IP TRACEBACK
A method for IP traceback is provided comprising receiving a traceback request including the identity of the traceback-deployed autonomous system closest to the destination node in a network routing path, recursively querying a traceback server associated with that traceback-deployed autonomous system to receive the identity of the preceding traceback-deployed autonomous system in the network routing path, and determining the network routing path based on the received identities of traceback-deployed autonomous systems. Additionally, authentication of a traceback request is achieved using token delivery, wherein the token is fragmented and marking of a packet is performed when a field of the packet matches at least one token fragment.
Overlay cyber security networked system and method
An overlay cyber security networked system and method that includes one or more devices configured to monitor physical-level signal information to determine a cyber security threat or breach event based on activity occurring with physical signals present at one or more components of a Process Control Network (PCN), enabling forensic analysis. The overlay cyber security networked system also provides information needed for real-time incident management by capturing logs of relevant events at various points in the network hierarchy starting at the analog signaling from the sensors to detect unauthorized variances in operational parameters, thereby providing a defense in depth security architecture for PCN-based systems.
CONSTRUCTIBLE AUTOMATA FOR INTERNET ROUTES
In an example method, a computer system retrieves a plurality of data items. Each data item indicates a respective network route on the network. The computer system determines a route automaton based on the plurality of data items. The route automaton includes a representation of the network routes. The computer system determines one or more routing policies on the network based on the route automaton. The method can be used to detect one or more routing policies on a network.
INTRUSION DETECTION
A process to detect intrusions with an intrusion detection system is disclosed. The intrusion detection system identifies instance types, and each instance type includes an instance. A known compromised instance is identified from the plurality of instances. A link between the plurality of instance types is traversed from the compromised instance to discover an additional compromised instance.
DETECTING ATTACKERS WHO TARGET CONTAINERIZED CLUSTERS
A method for operation of a deception management server, for detecting and hindering attackers who target containerized clusters of a network, including: learning the network environment, including finding existing container instances, finding existing services and relationships, extracting naming conventions in the environment, and classifying the most important assets in the environment; creating deceptions based on the learning phase, the deceptions including one or more of (i) secrets, (ii) environment variables pointing to deceptive databases, web servers or active directories, (iii) mounts, (iv) additional container instances comprising one or more of a file server, database, web applications and SSH, (v) URLs to external services, and (vi) namespaces to fictional environments; planting the created deceptions via a container orchestrator, via SSH directly to the containers, or via the container registry; and issuing an alert when an attacker attempts to connect to a deceptive entity.
Spammer location detection
The described technology is generally directed towards spammer location detection, and in particular, to locating a spammer that makes multiple calls from a given location via a cellular communications network. In some examples, network equipment can obtain call trace records associated with the multiple calls, identify a group of call trace records based on a shared call trace feature, aggregate data from call trace records within the group, and determine an estimated location based on the aggregated data.
Threat sensor deployment and management
Various embodiments of apparatuses and methods for threat sensor deployment and management in a malware threat intelligence system are described. In some embodiments, the system comprises a plurality of threat sensors, deployed at different network addresses and physically located in different geographic regions in a provider network, which detect interactions from sources. In some embodiments, a threat sensor deployment and management service determines a deployment plan for the plurality of threat sensors, including each threat sensor's associated threat data collectors. The threat data collectors can be of different types such as utilizing different communication protocols or ports, or providing different kinds of responses to inbound communications. The different threat sensors can have different lifetimes. The service deploys the threat sensors based on the plan, collects data from the deployed threat sensors, adjusts the deployment plan based on the collected data and the threat sensor lifetimes, and then performs the adjustments.
Evaluating access requests using assigned common actor identifiers
Techniques are discussed for grouping access requests made to a computer system using a log of access requests that includes a plurality of log entries that include (a) a plurality of traffic indicators of the corresponding access request and/or (b) a plurality of identity indicators of a respective remote computer system that made the corresponding access request. The plurality of log entries is analyzed using a plurality of network analysis rules that are usable to group log entries according to traffic and/or identity indicators. Based on the analyzing, a plurality of groups of log entries are identified, and each group of log entries is assigned a corresponding common actor identifier (common actor ID). The determination of whether to grant a particular access request uses one or more assigned common actor IDs.
SPECIFYING SYSTEM, SPECIFYING DEVICE, AND SPECIFYING METHOD
A specifying device receives detection information from a security device that detects hacking into a network or an activity of a terminal related to infection, and specifies a state of the terminal from information about the terminal and the content of the terminal's activity included in the detection information. When it specifies that the terminal is in the state of being infected with malware, the specifying device specifies, based on connection information stored in a configuration information storage device, a terminal that may have been infected before the activity included in the detection information was performed, and specifies a terminal located on a route along which the infected terminal is likely to be used for hacking or for infecting that terminal in the future as a candidate for a terminal likely to be infected.
Rogue endpoint detection
Techniques for evaluating computers, devices, or endpoints on a network, such as a large network of computers in an enterprise environment, and for detecting computers, devices, or endpoints that may present a security risk to the network or may be compromised in some way. Network traffic is generated that, in some cases, should be ignored or should prompt specific, known responses. Endpoints are detected that respond to such network traffic in an anomalous way, or that otherwise attempt to perform certain operations based on such network traffic.