Patent classifications
H04L2463/146
METHOD FOR DETECTING MALICIOUS ACTIVITY ON AN AIRCRAFT NETWORK
An aircraft includes an aircraft network having a plurality of nodes that are segregated into a plurality of zones, each zone defining a different level of potential threat to the aircraft network. Each of the plurality of nodes has computer executable instructions that can receive data from another of the plurality of nodes; inspect net flow across the aircraft network based on a source location of the data; and identify a security event based on the received data, a plurality of potential entry points, a plurality of potential attack vectors that include vectors between nodes organized in the same zone and vectors between nodes organized in different zones, and a model of the dataflow of the aircraft network.
SYSTEM AND METHOD FOR CONNECTION FINGERPRINT GENERATION AND STEPPING-STONE TRACEBACK BASED ON NETFLOW
A method for tracking cyber hacking is provided. The method of connection fingerprint generation and stepping-stone traceback based on NetFlow includes receiving a traceback request including IP packet attribute information of a victim and an attacker which corresponds to a target connection that is the last connection on a connection chain, generating a fingerprint for an associated connection based on the IP packet attribute information and requesting a NetFlow collector for relevant information, detecting a stepping-stone connection to the target connection which is generated at the time of generation of the fingerprint and instructing a check of whether sorted candidate connections are present on the same connection chain as the target connection, and determining an order of the candidate connections based on an attacker host when the candidate connections are determined to be present on the same connection chain as the target connection.
MANAGING DYNAMIC DECEPTIVE ENVIRONMENTS
A deception management system (DMS) to detect attackers within a network of computer resources, including a discovery tool auto-learning the network naming conventions for user names, workstation names, server names and shared folder names, and a deception deployer generating one or more decoy attack vectors in the one or more resources in the network based on the network conventions learned by the discovery tool, so that the decoy attack vectors conform with the network conventions, wherein an attack vector is an object in a first resource of the network that has a potential to lead an attacker to access or discover a second resource of the network.
SYSTEM AND METHOD FOR CREATION, DEPLOYMENT AND MANAGEMENT OF AUGMENTED ATTACKER MAP
A system for augmenting an attacker map of a network of resources, including a deception management server within a network of resources, generating an attacker map for the network, the attacker map including one or more attack paths traversing some or all of the resources, each attack path corresponding to one or more successive attack vectors, wherein an attack vector is an object in memory or storage of a first resource of the network that may potentially lead an attacker to a second resource of the network, and a deployment module for planting one or more decoy attack vectors in some or all of the resources of the network, wherein the deception management server generates an augmented attacker map by augmenting the attack paths based on the decoy attack vectors added by the deployment module.
Discovery of suspect IP addresses
A method of discovering suspect IP addresses, the method including, at a client computer: monitoring the computer for malware; on detection of malware, obtaining a list of IP addresses with which a connection has been made or attempted at the client computer within a preceding time frame; sending the list of IP addresses to a central server; and receiving from the central server a blacklist of suspect IP addresses to allow the client computer to block connections with IP addresses within said blacklist.
COMPUTER METHOD FOR MAINTAINING A HACK TRAP
A computer method for maintaining a hack trap by employing a Malware Diagnostics software module on every client system on the Internet. The Malware Diagnostics module includes a hacker spyware that communicates with a central data vault. The primary steps of the present method include: 1) deployment, by identifying the IP and MAC address of the hacker and downloading the Malware Diagnostics spyware; 2) monitoring, the Malware Diagnostics spyware covertly monitoring the hacker; 3) reporting, the Malware Diagnostics software module on the client system and the Malware Diagnostics downloadable infecting the hacker's system both reporting to a central geolocation server; 4) analyzing, the central geolocation server applying analytics to determine the geolocation and identity of the hacker; and 5) prosecuting, the central geolocation server preparing an indictment against the hacker for signature by the victim, as a formal accusation that the hacker has committed a crime.
Zero day threat detection using host application/program to user agent mapping
A technique allows associating host applications and user agents in network traffic and detecting possible malware without relying on signatures of the user agents. A database of host applications and user agents is maintained, allowing automatic update of the database when a new application or new application to user agent mapping is discovered. Partial matches may be made when a change is made to the application, allowing learning the new mapping automatically. If an application is associated with more than a threshold number of user agents, an indication may be generated that the application is suspicious and possibly malware.
Information Security AI-Based Border Endpoint Zero-Day Block
A real-time, information-security, border-endpoint system and process to block a zero-day threat is disclosed. Data, traffic, patterns, and payloads for incoming and outgoing border control devices (or edge devices) delineating protected from unprotected areas of a network, or close to the border of such, can be monitored, analyzed, compared, and processed by artificial intelligence (AI), which can be used to identify suspect traffic based on differences between the two and historical information compiled from prior Advanced Persistent Threats. Mitigation, countermeasures, reporting, quarantining, blocking, patching, and other features are disclosed as well.
DETECTION OF ANOMALOUS ADMINISTRATIVE ACTIONS
A method for monitoring includes defining a plurality of different types of administrative activities in a computer system. Each administrative activity in the plurality includes an action performed by one of the computers in the system that can be invoked only by a user having an elevated level of privileges in the system. The administrative activities performed by at least a group of the computers in the system are tracked automatically. Upon detecting that a given computer in the system has performed an anomalous combination of at least two of the different types of administrative activities, an action is initiated to inhibit malicious exploitation of the given computer.
METHOD FOR ANALYZING SUSPICIOUS ACTIVITY ON AN AIRCRAFT NETWORK
An aircraft includes an aircraft network having nodes and links and a sandbox network in communication with the aircraft network. The sandbox network simulates the aircraft network and includes sandbox nodes corresponding to the nodes of the aircraft network, a first set of sandbox links corresponding to the links of the aircraft network, and a second set of sandbox links providing communication between sandbox nodes not in communication via the first set of sandbox links. Computer executable instructions, when executed, perform the steps of: generating network traffic over the sandbox network such that the sandbox network models a behavior of the aircraft network; identifying a suspicious activity on the aircraft network; routing the suspicious activity from the aircraft network to the sandbox network; and analyzing the suspicious activity as the suspicious activity traverses through the sandbox network.