H04L2463/146

METHODS FOR DETECTING SECURITY INCIDENTS IN HOME NETWORKS
20170208079 · 2017-07-20

Methods and systems for detecting anomalous behavior in a home network are performed by an access point. The access point passively monitors, within the home network, network traffic corresponding to each of a number of devices associated with it, without requiring approval from any of those devices. In another aspect, the access point passively monitors, within the home network, individual traffic flows between the access point and the devices associated with it. The access point then compares, for each of the devices, one or more characteristics of the corresponding network traffic or individual traffic flows with a baseline model of network behavior and, based on the comparison, identifies which of the devices is associated with anomalous behavior.

Automatically generating network resource groups and assigning customized decoy policies thereto

A cyber security system to detect attackers, including a data collector collecting data regarding a network, the data including network resources and users, a learning module analyzing data collected by the network data collector, determining therefrom groupings of the network resources into at least two groups, and assigning a customized decoy policy to each group of resources, wherein a decoy policy for a group of resources includes one or more decoy attack vectors, and one or more resources in the group in which the one or more decoy attack vectors are to be planted, and wherein an attack vector is an object of a first resource that may be used to access or discover a second resource, and a decoy deployer planting, for each group of resources, one or more decoy attack vectors in one or more resources in that group, in accordance with the decoy policy for that group.

BLACK MARKET COLLECTION METHOD FOR TRACING DISTRIBUTORS OF MOBILE MALWARE
20170201532 · 2017-07-13

A black market collection system for tracing distributors of mobile malware comprises: a black market collection module for collecting web sites suspected to be a black market, or apk files suspected to be a black market app, by a search related to black markets through portal sites, and creating a URL list of the collected web sites suspected to be a black market; an app static analysis module for obtaining source code by decompiling a collected apk file and detecting the URL of the site address distributing the corresponding app; a site analysis module for collecting apk files by analyzing the URL, or each URL pattern thereof, and creating an apk collection pattern rule describing the paths from which apk files are collected; and a database for storing the URL list of the collected web sites suspected to be a black market and the created apk collection pattern rule.

Detecting unwanted intrusions into an information network

The present invention relates to a device for detecting unwanted intrusions into an information network comprising a module for receiving raw data from the network, a plurality of search engines configured to detect an attack indicator and any derived data which may be corrupted, a distribution module suitable for allocating at least one search engine to each piece of raw data, an administrator module linked to the search engines and to the distribution module and configured to transmit each piece of derived data to said module as new raw data if it has not already been processed by said same search engine(s), so as to provide recursive analysis of each piece of raw data received by said receiving module. The invention further relates to a process implemented by a device of this type.

Predicting and preventing an attacker's next actions in a breached network

A method for cyber security, including: detecting, by a decoy management server, a breach by an attacker of a specific resource within a network of resources in which users access the resources based on credentials, wherein each resource has a domain name server (DNS) record stored on a DNS server; changing, by the decoy management server, the DNS record for the breached resource on the DNS server, in response to the detecting; predicting, by the decoy management server, which credentials are compromised, based on credentials stored on the breached resource; and changing, by the decoy management server, those credentials that were predicted to be compromised, in response to the predicting.

IDENTIFYING A SOURCE DEVICE IN A SOFTWARE-DEFINED NETWORK
20170180234 · 2017-06-22

In an example, there is disclosed a computing apparatus, having: a network interface to communicatively couple to a software-defined network (SDN); first one or more logic elements providing an SDN controller engine to provide a control function for the SDN; and second one or more logic elements providing a route tracing engine to: receive a tunneling notification from a network device agent, the tunneling notification associated with a network flow; and perform a backtracking traceroute operation to deterministically identify a source device for the flow. There is also disclosed a method of providing the foregoing, and one or more tangible, non-transitory computer-readable storage mediums for providing the foregoing.

METHOD AND APPARATUS FOR OBTAINING USER ACCOUNT
20170180506 · 2017-06-22

The present disclosure relates to the field of network technologies, and discloses a method and apparatus for obtaining a user account. A real-name account of a user is obtained according to user information, and then a first anonymous account similar to the real-name account is obtained based on at least login device information of the real-name account. The user may use an anonymous account to log in on a device on which the real-name account was once used to log in. Therefore, the anonymous account of the user can be obtained by using this hidden association.

SECURITY INSPECTION OF MASSIVE VIRTUAL HOSTS FOR IMMUTABLE INFRASTRUCTURE AND INFRASTRUCTURE AS CODE

A method and system are provided for performing a security inspection of a set of virtual images in a cloud infrastructure. The method includes merging the virtual images into a tree structure having a root and a plurality of leaves such that child leaves and a parent leaf to the child leaves have common ones of the virtual images. The method further includes identifying a security violation in a given one of the virtual images at a given one of the plurality of leaves. The method also includes applying a bisection method against a path in the tree from the root to the given one of the plurality of leaves to find a particular one of the virtual images that is a root cause of the security violation. The method additionally includes performing a corrective action for any of the plurality of images having the security violation.

Network flow monitoring
09686156 · 2017-06-20

A network flow monitoring and analysis system comprises flow labeling agent(s), sensor(s), controller(s), and correlation engine(s). The flow labeling agent(s) label a data packet flow with unique and covert label(s). The sensor(s) observe the data packet flow for the unique and covert label(s) and generate examination report(s) from the observations. The examination report(s) comprise information such as: location information; time information; target information; path information; and flow information. The controller(s) communicate instructions to the labeling agent(s) and sensor(s), receive event information, and manage the correlation engine(s). The correlation engine(s) correlate information such as the target information, event information, path information, and flow information.

Method for Acquiring Identifier of Terminal in Network, Management Network Element and Storage Medium
20170171149 · 2017-06-15

An embodiment of the present invention discloses a method for acquiring an identifier of a terminal in a network. The method includes: acquiring a device identifier of a current terminal which is registered in a network, wherein the current terminal is a mobile user; and allocating a corresponding network identifier to the current terminal according to the device identifier of the current terminal, such that the current terminal transmits data in the network by using the allocated network identifier, wherein the network identifier is a fixed public network Internet Protocol (IP) address, or a fixed public network IP address and port number segment, allocated to the current terminal. The present invention further discloses a management network element and a computer storage medium.