A framework for efficiently and automatically exploring a data network and accurately identifying network threats, which comprises a plurality of software and hardware-based agents, distributed over the data network. The agents are capable of adjusting or reconfiguring, on the fly, the behavior of the agents and their ability to collect data in a targeted manner, so as to investigate suspicious incidents and alerts and collect data that was not yet collected by the system; collecting forensic data by executing tasks defined in workflows, being distributed threat intercepting programs and reporting about the collected forensic data, back to a Central Control Unit (C&C). Distributed threat intercepting programs (workflows) are used to provide instructions to agents, to perform branching and provide instructions to the Central Control Unit (C&C), which orchestrates the agents to assure proper execution of the workflows; analyzes the collected information and presents ongoing status to an operator supervising the data network.

A method for querying a knowledgebase of malicious hosts numbered from 1 through N. The method includes providing a network of computers, which has a plurality of unknown malicious host machines. In a specific embodiment, the malicious host machines are disposed throughout the network of computers, which includes a worldwide network of computers, e.g., Internet. The method includes querying a knowledge base including a plurality of known malicious hosts, which are numbered from 1 through N, where N is an integer greater than 1. In a preferred embodiment, the knowledge base is coupled to the network of computers. The method includes receiving first information associated with an unknown host from the network; identifying an unknown host and querying the knowledge base to determine if the unknown host is one of the known malicious hosts in the knowledge base. The method also includes outputting second information associated with the unknown host based upon the querying process.

Systems described herein preemptively detect newly registered network domains that are likely to be malicious before network behavior of the domains is actually observed. A network security device (e.g., a router) receives domain registration data that associates network domains with keys and generating a graph representing the domain registration data. Each edge of the graph connects a vertex representing a domain and a vertex representing a registration attribute (e.g., a registrant email address). The network security device identifies a connected component of the graph that meets a graph robustness threshold. The network security device determines whether a domain of the connected component whose behavior has not yet been observed is malicious using a predictive model based on existing maliciousness labels for other domains of the connected component.

In some embodiments, a network event initiation detection engine may access a time series event data store containing indications for each of a series of received network events, including a time value. The network event initiation detection engine may then perform a statistical analysis on the information in the time series event data store, including the time values. The statistical analysis may be, for example, associated with durations of time existing between events. Based on the statistical analysis, a result may be output associated with a network event initiation likelihood. The result might indicate, for example, that an event was machine-initiated, human-initiated, etc.

A method and system are provided for performing a security inspection of a set of virtual images in a cloud infrastructure. The method includes merging the virtual images into a tree structure having a root and a plurality of leaves such that child leaves and a parent leaf to the child leaves have common ones of the virtual images. The method further includes identifying a security violation in a given one of the virtual images at a given one of the plurality of leaves. The method also includes applying a bisection method against a path in the tree from the root to the given one of the plurality of leaves to find a particular one of the virtual images that is a root cause of the security violation. The method additionally includes performing a corrective action for any of the plurality of images having the security violation.

A deception management system to detect attackers within a dynamically changing network of computer resources, including a deployment governor dynamically designating deception policies, each deception policy including names of non-existing web servers, and levels of diversity for planting the names of non-existing web servers in browser histories of web browsers within resources of the network, the levels of diversity specifying how densely the name of each non-existing web server is planted within resources of the network, a deception deployer dynamically planting the names of non-existing web servers in the browser histories of the web browsers in resources in the network, in accordance with the levels of diversity of the current deception policy, and a notification processor transmitting an alert to an administrator of the network in response to an attempt to access one of the non-existing web servers.

Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for incident response are disclosed. In one aspect, a computer-implemented method includes receiving data identifying two or more groups of actions performed to remediate a computer security threat. The method includes determining first unique paths from a first action of each of the two or more groups of actions to a second action of each of the two or more groups of actions, and determining second unique paths from the second action of each of the two or more groups of actions to a third action of each of the two or more groups of actions. The method also includes combining common paths among the first unique paths and the second unique paths, identifying one of the common paths that appears most frequently, and determining a core path that includes a subset of the actions of the two or more groups of actions based on the one of the common paths that appears most frequently.

Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for incident response are disclosed. In one aspect, a system includes a cognitive engine that is configured to receive data identifying actions performed in response to a computer security threat. Based on the data identifying the actions performed in response to the computer security threat, the system generates one or more workflows and a particular workflow that are associated with the computer security threat and that each identify one or more actions to remediate the computer security threat. The system also includes a scoring system and event triage engine that is configured to analyze the actions of the one or more workflows and of the particular workflow, and based on analyzing the actions of the one or more workflows and of the particular workflow, select a primary workflow as a workflow to respond to the computer security threat. The system also includes an automated incident investigation engine that is configured to receive an alert that identifies the computer security threat, and process the computer security threat according to the primary workflow that is associated with the computer security threat and that identifies one or more actions to remediate the computer security threat.

This disclosure is related to using network flow information of a network to determine the trajectory of an attack. In some examples, an adjacency data structure is generated for a network. The adjacency data structure can include a machine of the network that has interacted with another machine of the network. The network can further include one or more deception mechanisms. The deception mechanisms can indicate that an attack is occurring when a machine interacts with one of the deception mechanisms. When the attack is occurring, attack trajectory information can be generated by locating in the adjacency data structure the machine that interacted with the deception mechanism. The attack trajectory information can correlate the information from the interaction with the deception mechanism, the interaction information of the network, and machine information for each machine to determine a possible trajectory of an adversary.

A network surveillance system, including a management server within a network of resources in which users access the resources in the network based on credentials, including a deployment module planting honeytokens in resources in the network, wherein a honeytoken is an object in memory or storage of a first resource that may be used by an attacker to access a second resource using decoy credentials, and wherein the deployment module plants a first honeytoken in a first resource, R.sub.1, used to access a second resource, R.sub.2, using first decoy credentials, and plants a second honeytoken in R.sub.2, used to access a third resource, R.sub.3, using second decoy credentials, and an alert module alerting that an attacker is intruding the network only in response to both an attempt to access R.sub.2 using the first decoy credentials, and a subsequent attempt to access R.sub.3 using the second decoy credentials.