H04L2463/146

DETECTING UNWANTED INTRUSIONS INTO AN INFORMATION NETWORK
20170289194 · 2017-10-05

The present invention relates to a device for detecting unwanted intrusions into an information network. The device comprises a module for receiving raw data from the network; a plurality of search engines, each configured to detect an attack indicator in a piece of raw data and to extract any derived data that may itself be corrupted; a distribution module suitable for allocating at least one search engine to each piece of raw data; and an administrator module, linked to the search engines and to the distribution module, configured to hand each piece of derived data back to the distribution module as new raw data unless it has already been processed by the same search engine(s), so that each piece of raw data received by the receiving module is analysed recursively. The invention further relates to a process implemented by a device of this type.
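The recursive loop in this abstract has one detail worth seeing in code: the administrator module re-queues derived data only if the same (engine, datum) pair has not been processed yet, which is what stops the recursion when two engines derive each other's input (a hostname resolves to an address that reverse-resolves to the hostname). The example below is added here and is not the patent's implementation; the two "search engines", the inline passive-DNS table, the denylist and the sample URL are all constructed for illustration.

```python
"""Recursive indicator analysis with per-engine de-duplication (added example).

Each "search engine" inspects one datum and returns (attack_indicators,
derived_data). The administrator loop feeds derived data back into the
distribution module as new raw data unless the same (engine, datum) pair
was already processed.
"""
from collections import deque
import re

# Constructed stand-ins for a resolver and a denylist (TEST-NET-3 addresses).
PDNS = {"update.example.test": ["203.0.113.5"],
        "cdn.example.test": ["203.0.113.5", "203.0.113.9"]}
RDNS = {"203.0.113.5": ["update.example.test", "cdn.example.test"],
        "203.0.113.9": ["cdn.example.test"]}
BAD_HOSTS = {"cdn.example.test"}


def url_engine(datum):
    """Derives the host from a URL; flags nothing by itself."""
    m = re.match(r"https?://([^/:]+)", datum)
    return ([], [m.group(1)]) if m else ([], [])


def dns_engine(datum):
    """Resolves hostnames forward and addresses backward; flags denylisted hosts."""
    if datum in PDNS:
        found = ["denylisted-host"] if datum in BAD_HOSTS else []
        return found, PDNS[datum]
    if datum in RDNS:
        return [], RDNS[datum]
    return [], []


def distribute(datum):
    """Distribution module: allocate engines by data type (assumed rule)."""
    return [url_engine] if datum.startswith("http") else [dns_engine]


def analyse(raw):
    """Administrator module: returns (indicators, processed (engine, datum) pairs)."""
    queue = deque([raw])
    seen = set()            # (engine name, datum) pairs already processed
    indicators = []
    while queue:
        datum = queue.popleft()
        for engine in distribute(datum):
            key = (engine.__name__, datum)
            if key in seen:     # already analysed by this engine: do not recurse
                continue
            seen.add(key)
            found, derived = engine(datum)
            indicators.extend((datum, f) for f in found)
            queue.extend(derived)   # derived data becomes new raw data
    return indicators, seen


if __name__ == "__main__":
    inds, seen = analyse("http://update.example.test/x")
    print(inds)
    print(len(seen), "engine/datum pairs processed")
```

Without the `seen` set the cycle cdn.example.test → 203.0.113.5 → cdn.example.test would never terminate; with it, the sample URL is fully expanded in five engine invocations and the sibling host sharing the address is the one flagged.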

Method for analyzing suspicious activity on an aircraft network

An aircraft includes an aircraft network having nodes and links and a sandbox network in communication with the aircraft network. The sandbox network simulates the aircraft network and includes sandbox nodes corresponding to the nodes of the aircraft network, a first set of sandbox links corresponding to the links of the aircraft network, and a second set of sandbox links providing communication between sandbox nodes not in communication via the first set of sandbox links. Computer executable instructions, when executed, perform the steps of: generating network traffic over the sandbox network such that the sandbox network models the behavior of the aircraft network; identifying a suspicious activity on the aircraft network; routing the suspicious activity from the aircraft network to the sandbox network; and analyzing the suspicious activity as it traverses the sandbox network.

PREDICTING AND PREVENTING AN ATTACKER'S NEXT ACTIONS IN A BREACHED NETWORK

A method for cyber security, including detecting, by a management server, a breach by an attacker of a resource within a network of resources, wherein access to the resources via network connections is governed by a firewall; predicting, by the management server, which servers in the network are compromised, based on connections created during the breach; and creating, by the management server, in response to that prediction, firewall rules to block access to the predicted compromised servers from the breached resource.
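The prediction step amounts to a reachability search over the connections the breached host (and whatever it reached) created after the breach was detected, followed by one blocking rule per predicted server. The following is an added example, not the patent's implementation; the flow records, host names, the breach time and the rule syntax `deny from <src> to <dst>` are constructed for illustration.

```python
"""Predict lateral-movement targets from connections made during a breach
and emit rules blocking the breached host from them (added example)."""
from collections import defaultdict

# Constructed flow log: (src, dst, dst_port, time). The breach of ws-17 is
# detected at t=100, so only connections created at or after t=100 count.
FLOWS = [
    ("ws-17", "file01", 445, 95),    # before the breach: ignored
    ("ws-17", "file01", 445, 101),
    ("ws-17", "dc01", 389, 102),
    ("file01", "db02", 1433, 103),   # second hop via file01
    ("dc01", "mail01", 25, 104),     # second hop via dc01
    ("ws-22", "db02", 1433, 105),    # unrelated host: ignored
]


def predict_compromised(flows, breached, t_breach, max_hops=2):
    """Breadth-first search over connections created during the breach,
    starting at the breached resource. Returns {host: hop distance}."""
    adj = defaultdict(set)
    for src, dst, _port, t in flows:
        if t >= t_breach:
            adj[src].add(dst)
    hops = {breached: 0}
    frontier = [breached]
    while frontier:
        nxt = []
        for host in frontier:
            if hops[host] >= max_hops:      # bound how far the prediction reaches
                continue
            for dst in sorted(adj[host]):
                if dst not in hops:
                    hops[dst] = hops[host] + 1
                    nxt.append(dst)
        frontier = nxt
    del hops[breached]
    return hops


def firewall_rules(breached, predicted):
    """One deny rule per predicted-compromised server, blocking access from
    the breached resource (generic rule syntax, an assumption)."""
    return [f"deny from {breached} to {host}" for host in sorted(predicted)]


if __name__ == "__main__":
    predicted = predict_compromised(FLOWS, "ws-17", t_breach=100)
    print(predicted)
    print("\n".join(firewall_rules("ws-17", predicted)))
```

`max_hops` is the knob a practitioner tunes: with it set to 1 only the servers the breached host touched directly are blocked, while a larger value also isolates hosts the attacker may have reached through them. The pre-breach connection to file01 is deliberately ignored, since only connections created during the breach are evidence of attacker activity.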

Managing dynamic deceptive environments

A deception management system (DMS) to detect attackers within a network of computer resources, including a discovery tool that auto-learns the network naming conventions for user names, workstation names, server names and shared folder names, and a deception deployer generating one or more decoy attack vectors in one or more resources in the network based on the network conventions learned by the discovery tool, so that the decoy attack vectors conform with the network conventions, wherein an attack vector is an object in a first resource of the network that has the potential to lead an attacker to access or discover a second resource of the network.
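The point of auto-learning the convention is that a decoy named HONEYPOT-1 in a fleet of WS-FIN-014 style hosts is self-defeating. One simple way to learn and reuse a convention is shown below as an added example (not the patent's discovery tool): every digit in an observed name is abstracted to a placeholder, the resulting templates are weighted by frequency, and decoys are generated by refilling the digit slots while rejecting collisions with real names. The workstation and share names are constructed.

```python
"""Learn a naming convention from real names and generate conforming
decoy names (added example)."""
import random
import re

# Constructed inventory: workstation names and UNC share paths.
WORKSTATIONS = ["WS-FIN-014", "WS-FIN-022", "WS-HR-003", "WS-ENG-118"]
SHARES = [r"\\srv-file01\finance$", r"\\srv-file01\hr$", r"\\srv-file02\eng$"]


def learn_convention(names):
    """Abstract every digit into '#' (keeping zero-padded width) so that
    'WS-FIN-014' becomes the template 'WS-FIN-###'. Returns {template: count}."""
    templates = {}
    for name in names:
        template = re.sub(r"\d", "#", name)
        templates[template] = templates.get(template, 0) + 1
    return templates


def conforms(name, names):
    """A decoy conforms if its template occurs among the real names."""
    return re.sub(r"\d", "#", name) in learn_convention(names)


def generate_decoys(names, count, rng):
    """Draw templates in proportion to how often they occur, fill the digit
    slots randomly, and reject anything that collides with a real name."""
    templates = learn_convention(names)
    taken = set(names)
    decoys = []
    while len(decoys) < count:
        template = rng.choices(list(templates), weights=list(templates.values()))[0]
        candidate = re.sub("#", lambda _m: str(rng.randint(0, 9)), template)
        if candidate not in taken:
            taken.add(candidate)
            decoys.append(candidate)
    return decoys


if __name__ == "__main__":
    print(learn_convention(WORKSTATIONS))
    print(generate_decoys(WORKSTATIONS, 3, random.Random(7)))
    print(generate_decoys(SHARES, 2, random.Random(7)))
```

Because the template keeps the department token and the digit width, generated names such as WS-FIN-0xx land in the same numbering space as real finance workstations, which is exactly the property that makes the decoy attractive to an attacker enumerating the network. The same routine works for share paths, so a decoy share can be dropped next to real ones without breaking the naming pattern.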

MULTI-FACTOR DECEPTION MANAGEMENT AND DETECTION FOR MALICIOUS ACTIONS IN A COMPUTER NETWORK

A network surveillance system, including a management server within a network of resources in which users access the resources in the network based on credentials, including a deployment module planting honeytokens in resources in the network, wherein a honeytoken is an object in memory or storage of a first resource that may be used by an attacker to access a second resource using decoy credentials, and wherein the deployment module plants a first honeytoken in a first resource, R1, used to access a second resource, R2, using first decoy credentials, and plants a second honeytoken in R2, used to access a third resource, R3, using second decoy credentials, and an alert module alerting that an attacker is intruding into the network only in response to both an attempt to access R2 using the first decoy credentials and a subsequent attempt to access R3 using the second decoy credentials.
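The "multi-factor" condition is an ordered two-stage correlation: a single use of decoy credentials (a vulnerability scanner reading the token, an administrator copying a saved password) does not alert, only the chain R2 then R3 does. The detection logic below, run over a few constructed authentication log lines, is an added example and not the patent's alert module; the resource names, decoy user names and log format are assumptions.

```python
"""Two-stage honeytoken correlation: alert only when the decoy credentials of
each stage in the chain are used in order (added example)."""
import re
from datetime import datetime

# Honeytoken chain as (where planted, decoy user, resource it opens):
# a token on R1 carries 'svc_backup' for R2, a token on R2 carries 'sql_ro' for R3.
CHAIN = [("R1", "svc_backup", "R2"), ("R2", "sql_ro", "R3")]

# Constructed auth log. Line 1 uses the stage-2 credentials before stage 1
# (out of order), lines 3 and 4 are the real chain, line 5 is a lone stage-1 use.
LOG = """\
2024-03-01T09:50:00 host=R3 user=sql_ro result=fail
2024-03-01T10:00:01 host=R2 user=alice result=ok
2024-03-01T10:02:13 host=R2 user=svc_backup result=fail
2024-03-01T10:02:40 host=R3 user=sql_ro result=fail
2024-03-01T11:15:00 host=R2 user=svc_backup result=fail
"""
LINE = re.compile(r"(\S+) host=(\S+) user=(\S+) result=(\S+)")


def parse(log):
    """Yield (timestamp, target host, user) for each well-formed line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts, host, user, _result = m.groups()
            yield datetime.fromisoformat(ts), host, user


def correlate(events, chain):
    """Walk the chain as a state machine. Returns (alerts, decoy_uses):
    alerts are (first_ts, last_ts) for each fully traversed chain,
    decoy_uses counts every use of any decoy credential (noise suppressed)."""
    stages = [(target, user) for _planted, user, target in chain]
    decoy_users = {user for _planted, user, _target in chain}
    reached, first_ts, alerts, decoy_uses = 0, None, [], 0
    for ts, host, user in sorted(events):
        if user in decoy_users:
            decoy_uses += 1
        if (host, user) == stages[reached]:     # next expected stage only
            reached += 1
            first_ts = first_ts or ts
            if reached == len(stages):
                alerts.append((first_ts, ts))
                reached, first_ts = 0, None
    return alerts, decoy_uses


def detect(log, chain):
    return correlate(parse(log), chain)


if __name__ == "__main__":
    alerts, uses = detect(LOG, CHAIN)
    print(f"{uses} decoy credential uses, {len(alerts)} alert(s): {alerts}")
```

Failed attempts count, since decoy credentials are never valid and the patent's condition is an attempt to access. The out-of-order line at 09:50 and the lone stage-1 use at 11:15 are absorbed as noise; only the ordered pair at 10:02 produces an alert.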

Turing test via reaction to test modifications

Current CAPTCHA tests are designed to be difficult for a bot and simple for a human user to answer; however, as artificial intelligence improves, bots are increasingly able to use techniques such as optical character recognition to solve current CAPTCHAs in much the same way as human users. By maintaining a library of security tests and/or questions based on products purchased by the human user, and using those questions as a CAPTCHA challenge in order to determine, based on how the user responds, whether the user is a human user, CAPTCHA challenges may be directed toward identifying a human user by responses that exhibit humanity.

Systems and methods for detecting and reducing fraud in a contact center
09716791 · 2017-07-25

Detecting fraud in a contact center including receiving an incoming Real-Time Transport Protocol (RTP) media stream associated with a contact, and determining, based on a real-time biometric analysis of the incoming RTP media stream, that the contact is a potential fraudulent contact. The incoming RTP media stream comprises at least one of an audio stream or a video stream. At least one characteristic related to one or more of an audio quality or a video quality of the incoming RTP media stream is altered without altering any characteristics of an outgoing RTP media stream from the contact center to the potential fraudulent contact, and an altered incoming RTP media stream associated with the potential fraudulent contact is received. In some embodiments, at least one subsequent communications session is automatically scheduled and initiated and a subsequent incoming RTP media stream is received during each subsequent communications session.

METHOD FOR DETECTING AN ATTACK ON A WORKING ENVIRONMENT CONNECTED TO A COMMUNICATION NETWORK
20170208092 · 2017-07-20

A method for detecting an attack on a work environment connected to a communication network includes: electronically emulating, by a network security device connected to the communication network, the work environment; registering, by the network security device, network traffic; comparing, by the network security device, the registered network traffic with predefined network traffic; and triggering, by the network security device, a first attack warning signal in the event of a deviation between the registered network traffic and the predefined network traffic.
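An emulated work environment has no real user, so its traffic is predictable by construction and any deviation from the predefined profile is a signal. The following added example (not the patent's device) compares a small constructed traffic profile with constructed registered flows and raises the first warning on any flow outside the profile, grouping deviations by peer so that one scanning host yields one entry; the profile, addresses and line format are assumptions.

```python
"""Compare traffic registered on an emulated work environment with its
predefined profile and raise a first attack warning on deviation (added example)."""
from collections import defaultdict

# Predefined traffic of the emulated workstation as (direction, proto, port):
# it only talks to DNS, the web proxy and the file server, and accepts SMB.
PREDEFINED = {("out", "udp", 53), ("out", "tcp", 3128), ("out", "tcp", 445),
              ("in", "tcp", 445)}

# Constructed registered traffic: "<direction> <proto> <peer>:<port>"
REGISTERED = """\
out tcp 10.0.0.5:3128
out udp 10.0.0.2:53
in tcp 10.0.0.77:445
in tcp 10.0.0.77:3389
in tcp 10.0.0.77:22
out tcp 198.51.100.9:4444
"""


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        direction, proto, endpoint = line.split()
        peer, port = endpoint.rsplit(":", 1)
        flows.append((direction, proto, peer, int(port)))
    return flows


def deviations(flows, profile):
    """Flows whose (direction, proto, port) is absent from the profile,
    grouped by peer address."""
    by_peer = defaultdict(list)
    for direction, proto, peer, port in flows:
        if (direction, proto, port) not in profile:
            by_peer[peer].append((direction, proto, port))
    return dict(by_peer)


def first_attack_warning(text, profile=PREDEFINED):
    """Returns (warning_raised, deviations_by_peer)."""
    dev = deviations(parse_flows(text), profile)
    return bool(dev), dev


if __name__ == "__main__":
    raised, dev = first_attack_warning(REGISTERED)
    print("warning:", raised)
    for peer, flows in dev.items():
        print(peer, flows)
```

In the sample, 10.0.0.77 probing RDP and SSH on the emulated host and the outbound connection to port 4444 are the deviations; the legitimate proxy, DNS and SMB flows match the profile and produce nothing. A real deployment would also watch for expected traffic that stops (the emulated host no longer beaconing to the proxy), which this comparison of present flows does not cover.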

System and Method for Attribution of Actors to Indicators of Threats to a Computer System and Prediction of Future Threat Actions

An information handling system performs a method for analyzing attacks against a networked system of information handling systems. The method includes detecting a threat indicator, representing the threat indicator in part by numerical parameters, normalizing the numerical parameters, calculating one or more measures of association between the threat indicator and other threat indicators, finding an association of the threat indicator with another threat indicator based upon the normalized numerical parameters, and assigning to the threat indicator a probability that a threat actor group caused the attack, wherein the threat actor group was previously assigned to the other threat indicator. In some embodiments, the normalizing may include transforming the distribution of the numerical parameters to a distribution with a standard deviation of 1 and a mean of 0. In some embodiments, the normalizing may include applying an empirical cumulative distribution function. In some embodiments, the one or more measures of association between the threat indicator and other threat indicators may include a Kendall's tau between the threat indicator and the other threat indicators, a covariance between the threat indicator and the other threat indicators, or a conditional entropy between the threat indicator and the other threat indicators.
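The two normalizations and three association measures named in the abstract are all short to implement, and seeing them side by side makes one property visible: Kendall's tau depends only on rank order, so it is unchanged by either normalization, whereas covariance is not. The following is an added example, not the patent's system. It assumes that each indicator's "numerical parameters" are a series of daily observation counts (a natural choice when indicators from one campaign rise and fall together); the series, the group labels and the rule that maps an association in [-1, 1] to a weight in [0, 1] are constructed assumptions.

```python
"""Attribute a new threat indicator to an actor group from its association
with already-attributed indicators (added example)."""
import math
from collections import Counter, defaultdict

# Constructed: indicator -> (daily observation counts over six days, actor group).
KNOWN = {
    "ind-A": ([0, 5, 9, 12, 3, 1], "GROUP_X"),
    "ind-B": ([1, 4, 8, 10, 2, 0], "GROUP_X"),
    "ind-C": ([9, 7, 2, 0, 6, 8], "GROUP_Y"),
}
NEW = [0, 6, 10, 14, 4, 1]   # the indicator to attribute


def zscore(v):
    """Normalise to mean 0 and standard deviation 1 (population sd)."""
    mu = sum(v) / len(v)
    sd = math.sqrt(sum((a - mu) ** 2 for a in v) / len(v))
    return [(a - mu) / sd if sd else 0.0 for a in v]


def ecdf(v):
    """Empirical CDF normalisation: each value becomes its fractional rank."""
    return [sum(1 for b in v if b <= a) / len(v) for a in v]


def kendall_tau(x, y):
    """Kendall's tau-a: (concordant - discordant) / number of pairs."""
    conc = disc = 0
    n = len(x)
    for i in range(n):
        for j in range(i + 1, n):
            s = (x[i] - x[j]) * (y[i] - y[j])
            if s > 0:
                conc += 1
            elif s < 0:
                disc += 1
    return (conc - disc) / (n * (n - 1) / 2)


def covariance(x, y):
    mx, my = sum(x) / len(x), sum(y) / len(y)
    return sum((a - mx) * (b - my) for a, b in zip(x, y)) / len(x)


def conditional_entropy(x, y, bins=3):
    """H(Y|X) in bits after quantile-binning both series via their ECDF."""
    bx = [min(int(e * bins), bins - 1) for e in ecdf(x)]
    by = [min(int(e * bins), bins - 1) for e in ecdf(y)]
    n = len(x)
    joint, marg = Counter(zip(bx, by)), Counter(bx)
    return -sum(c / n * math.log2(c / marg[a]) for (a, _b), c in joint.items())


def attribute(new, known, measure=kendall_tau, normalise=zscore):
    """Map each association in [-1, 1] to a weight in [0, 1] (assumed rule),
    sum weights per group, and return them normalised as probabilities."""
    weights = defaultdict(float)
    for params, group in known.values():
        weights[group] += (measure(normalise(new), normalise(params)) + 1) / 2
    total = sum(weights.values())
    return {g: w / total for g, w in weights.items()}


if __name__ == "__main__":
    for name, (params, group) in KNOWN.items():
        print(name, group, round(kendall_tau(NEW, params), 3),
              round(covariance(zscore(NEW), zscore(params)), 3),
              round(conditional_entropy(NEW, params), 3))
    print(attribute(NEW, KNOWN))
```

On the constructed data the new indicator's daily profile is perfectly rank-concordant with ind-A and nearly so with ind-B, and anti-correlated with ind-C, so the attribution puts about 97% on GROUP_X. Tau-a is used here for brevity; with many tied values a tie-corrected tau-b would be the better choice.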