H04L2463/146

System and method for tracking malware route and behavior for defending against cyberattacks

An attack tracking system includes multiple hosts in which first event data concerning object behavior are collected and pieces of host-based event information are created therefrom; a tracking information database server storing the pieces of host-based event information; a tracking information analysis server creating behavior events by defining malware behavior from the pieces of host-based event information, retrieving targets to be analyzed from the pieces of host-based event information and the behavior events based on a preset input value, creating first tracking contexts for identifying the malware behavior by analyzing the relationship between the pieces of host-based event information and the relationship between a set of the pieces of host-based event information and a set of the behavior events, and creating second tracking contexts tracking malware routes and behavior events between the multiple hosts by analyzing the correlation between the first tracking contexts.

Monitoring apparatus, monitoring method, and program
12095815 · 2024-09-17

A monitoring apparatus comprises a specifying part, a storing part, and a restoring part. The specifying part specifies an access source. The storing part stores changed item(s) in the environment caused by the activity of the access source. The restoring part restores an environment that is referred to when responding to an operation(s) of the access source based on the changed item(s) of the environment stored by the storing part.

Using telemetry data to detect false positives
10075454 · 2018-09-11

Telemetry data concerning multiple samples convicted as malware by different endpoints is tracked over time. During a period of time in which telemetry data concerning convicted samples are tracked, specific samples can be convicted multiple times, both on a single endpoint and/or on multiple endpoints. The tracked telemetry data concerning the convicted samples is analyzed, and data that is indicative of false positives is identified. Convictions of samples can be exonerated as false positives, based on the results of analyzing the tracked telemetry data. More specifically, multiple data points from the tracked telemetry data that comprise evidence of false positives can be quantified and weighted. Where the evidence of false positives exceeds a given threshold, convictions of a given sample can be exonerated.

MANAGING DATA ENCRYPTING APPLICATIONS

A method for managing cloud-based applications is described. In one embodiment, the method includes detecting initiation of an application, detecting an action performed relative to the application, capturing the data associated with the detected action before the application encrypts at least a portion of the data, analyzing the captured data, and applying a network management policy to a packet flow based at least in part on the analysis of the captured data. In some cases, the application is configured to encrypt at least a portion of the data associated with the detected action.

SECURITY INSPECTION OF MASSIVE VIRTUAL HOSTS FOR IMMUTABLE INFRASTRUCTURE AND INFRASTRUCTURE AS CODE

A method and system are provided for performing a security inspection of a set of virtual images. The method includes merging the virtual images into a tree structure having a root and a plurality of leaves such that child leaves and a parent leaf to the child leaves have common ones of the virtual images. The method further includes applying a bisection method against a path in the tree from the root to a given one of the plurality of leaves having a given one of the virtual images in which a security violation has been identified to find a particular one of the virtual images that is a root cause of the security violation. The method also includes performing a corrective action for any of the plurality of images having the security violation.

Shared MAC blocking

For enhancing security in a complex network by a computer processor device, a processor collaborates with at least one additional processor device in a higher hierarchical order in the complex network. A Media Access Control (MAC) address of an offending network device is shared between the processor devices such that access of the offending network device to portions of the complex network under the supervisory control of the processor devices may be subsequently blocked.

Locating a wireless communication attack

A technique for locating a wireless communication attack includes monitoring of Bluetooth communications activity by a Bluetooth-capable communication device. Any monitored communication activity is analyzed against predefined parameters to detect a communication attempt by a suspected criminal device to an illicit device. If the communication attempt by the suspected criminal device is detected by the analysis, a communication to the criminal device is controlled so as to delay completion of the communication to the criminal device in order to provide time to locate the criminal device.

MULTI-FACTOR DECEPTION MANAGEMENT AND DETECTION FOR MALICIOUS ACTIONS IN A COMPUTER NETWORK

A network surveillance method to detect attackers, including planting one or more honeytokens in one or more resources in a network of computers in which users access the resources in the network based on credentials, wherein a honeytoken is an object in memory or storage of a first resource that may be used by an attacker to access a second resource using decoy credentials, including planting a first honeytoken in a first resource, R₁, used to access a second resource, R₂, using first decoy credentials, and planting a second honeytoken in R₁, used to access a third resource, R₃, using second decoy credentials, and alerting that an attacker is intruding into the network only in response to both (i) an attempt to access R₂ using the first decoy credentials, and (ii) a subsequent attempt to access R₃ using the second decoy credentials.

Network traffic control device, and security policy configuration method and apparatus thereof
10051007 · 2018-08-14

A network traffic control device, and a security policy configuration method. The network traffic control device identifies a source, a destination, and an application type of an input data stream; executes, based on a predetermined enterprise organizational structure, first upward tracing processing to obtain a first source upward tracing point and a first destination upward tracing point; and generates a first security policy, where a source in a match condition of the first security policy is configured to the first source upward tracing point, and a destination in the match condition of the first security policy is configured to the first destination upward tracing point. According to the security policy configuration method implemented by the network traffic control device, a security policy can be automatically generated, which reduces the difficulty of configuring the security policy and increases the configuration success rate.

Attack situation visualization device, attack situation visualization method and recording medium
12126641 · 2024-10-22

An attack situation visualization device includes: a memory that stores instructions; and at least one processor configured to process the instructions to: analyze a log in which information about a cyberattack is recorded and specify at least either of a source of a communication related to the cyberattack and a destination of a communication related to the cyberattack; and generate display information allowing display of an image in which an image representing a map, a source image representing the source, and a destination image representing the destination are arranged on the map, wherein the at least one processor is configured to process the instructions to generate the display information including an attack situation image visualizing at least either of a traffic volume and a communication frequency of a communication related to the cyberattack between the source and the destination.