H04L2463/146

Distribution of security rules among sensor computers
09560070 · 2017-01-31

Systems and methods for generating rules in a networking environment having one or more sensor computers logically connected to compromised computers are provided. The rules comprise detection data used by a sensor computer to detect a potential security threat and a specified remediation measure that is caused to be performed when the security threat is detected. A security control computer generates a rule from a record of a series of actions created by the sensor computer and distributes the rule to the sensor computers. The sensor computers periodically poll a central database for new rules and store a copy of each rule locally. Using the locally stored rules, the sensor computers can respond to security threats more efficiently and accurately.

NETWORK INTRUSION DETECTION

Various embodiments of the present technology generally relate to systems and methods for network intrusion detection. In certain embodiments, a network traffic analysis system may comprise one or more processors, and a memory having stored thereon instructions. The instructions, upon execution, may cause the one or more processors to receive, from a first network function (NF) in a communication exchange on a 5G network, a first copy of traffic from the communication exchange, determine whether a second copy of traffic corresponding to the first copy of traffic has been received from a second NF in the communication exchange, and in response to not receiving the second copy of traffic, issue a security notification to the first NF indicating a network intrusion.

Managing dynamic deceptive environments

A deception management system to detect attackers within a dynamically changing network, including a deployment governor dynamically designating a deception policy that includes one or more decoy attack vectors, one or more resources of the network in which the decoy attack vectors are generated, and a schedule for generating the decoy attack vectors in the resources, wherein an attack vector is an object in a first resource that may be used by an attacker to access or discover a second resource, and wherein the network of resources is dynamically changing, a deception deployer dynamically generating decoy attack vectors on resources in the network, in accordance with the current deception policy, a deception adaptor dynamically extracting characteristics of the network, and a deception diversifier dynamically triggering changes in the deception policy based on changes in the network as detected from the network characteristics extracted by the deception adaptor.

System and method for creation, deployment and management of augmented attacker map

A network surveillance system including a deception management server within a network, including a deployment module managing and planting decoy attack vectors in network resources, wherein an attack vector is an object in memory or storage of a first resource that may be used to access a second resource, and decoy servers accessible from resources in the network via decoy attack vectors, each decoy server including a forensic alert module causing a real-time forensic application to be transmitted to a destination resource in the network when the decoy server is being accessed by a specific resource in the network via a decoy attack vector, wherein the forensic application, when launched in the destination resource, identifies a process running within the specific resource that is accessing that decoy server, logs the activities performed by the thus-identified process in a forensic report, and transmits the forensic report to the deception management server.

IDENTIFYING APPARATUS, IDENTIFYING METHOD, AND IDENTIFYING PROGRAM

A command and control server identifying apparatus provides data received by malware upon execution of the malware with a tag that allows the communication destination information of the source of the data to be uniquely identified, and tracks propagation of the data provided with the tag. Then, the command and control server identifying apparatus obtains, among the tracked data, the tag of data referred to by a branch instruction executed by the malware. Then, the command and control server identifying apparatus identifies communication destination information of a command and control server that issues commands to the malware, based on the communication destination information of the source associated with the obtained tag.

IDENTIFICATION APPARATUS, CONTROL METHOD THEREFOR, AND STORAGE MEDIUM
20170019415 · 2017-01-19

There is provided an identification apparatus. A storage unit stores an operation history as a history of an operation executed in at least one information processing apparatus. An acquisition unit acquires malware spread information including information indicating malware. An identification unit identifies, based on the operation history, an intrusion route of the malware indicated by the malware spread information acquired by the acquisition unit, generates at least one piece of malware spread information corresponding to at least one operation included in the intrusion route in the operation history, and identifies, in the operation history, for each of the at least one piece of malware spread information, at least one operation of spreading the malware by setting, as a direct or indirect start point, the malware indicated by the malware spread information.

E-MAIL RELAY DEVICE, E-MAIL RELAY METHOD, AND NON-TRANSITORY STORAGE MEDIUM
20170019354 · 2017-01-19

Provided is an e-mail relay device including: an e-mail receiving unit that acquires an e-mail to be delivered before the e-mail reaches its transmission destination, the e-mail being transmitted from a transmission source mailer through the simple mail transfer protocol (SMTP); a request notification unit that transmits, after the e-mail receiving unit acquires the e-mail to be delivered, a notification e-mail for allowing communication with a predetermined authentication server over IP, using the transmission source e-mail address of the e-mail to be delivered as the destination; a transmission source IP address acquisition unit that acquires, in a case where a transmission source terminal communicates with the predetermined authentication server after the notification e-mail is transmitted, the IP address of the transmission source terminal contained in the IP header of an IP packet transmitted or received during that communication; and a determination unit that determines the reliability of the e-mail to be delivered based on the IP address of the transmission source terminal.

SYSTEM FOR PROTECTION AGAINST DDOS ATTACKS

A method is presented that enables a server to make use of client or third party resources. The client request data contains data about the network location of the client. The server may store this location data of each client. Before or after execution of the request, the server determines if the server is in or close to an overload situation. If the server is not in an overload situation, no further changes are needed. If the server is in or close to an overload situation, the server selects a new location in the network from the database with all client locations. The server allocates a new instance of the server function at a resource provider on (or close to) this new location. The server may select one or more clients from the database. The selected clients are transparently redirected to the offloaded server function. Subsequent requests from clients are handled by the offloaded server function. The offloaded server function employs the same functionality and thus may decide to offload a server function to another network location.

APPARATUS AND METHOD FOR PERFORMING THREAT ANALYSIS AND RISK ASSESSMENT FOR VEHICLE CYBERSECURITY
20250193229 · 2025-06-12

An apparatus for performing threat analysis and risk assessment (TARA) includes an input device configured to receive an input of a user. The apparatus also includes a processor configured to generate a threat scenario based on information about a specific damage scenario when that damage scenario, requiring threat analysis, is selected through the input device. The processor is also configured to determine information about an attack path, depending on the technical services, based on a pre-stored database. The processor is additionally configured to derive a security goal based on the information about the attack path.

Automated detection of cross site scripting attacks
12335287 · 2025-06-17

Embodiments detect cross site scripting attacks. An embodiment captures a web request and captures a response to the captured web request. In turn, it is determined if one or more elements associated with the captured web request and one or more elements of the captured response, in combination, cause a malicious action. A cross site scripting attack is then declared in response to determining the one or more elements associated with the captured web request and the one or more elements of the captured response, in combination, cause a malicious action. Embodiments can take one or more protection actions in response to declaring a cross site scripting attack.