Patent classifications
H04L2463/146
Malicious port scan detection using port profiles
Methods, apparatus and computer software products implement embodiments of the present invention that include defining, for a given software category, respective, disjoint sets of communication ports that are used by each of a plurality of software systems in the given software category, including at least first and second disjoint sets. A set of port scans are identified in data traffic transmitted between multiple nodes that communicate over a network, each of the port scans including an access, in the data traffic, of a plurality of the communication ports on a given destination node by a given source node during a predefined time period. Upon detecting a port scan by one of the nodes including accesses of at least one of the communication ports in the first set and at least one of the communication ports in the second set, a preventive action is initiated.
Dynamic Application Vulnerable Use Cases Identification in a Cloud Native Environment
A management system (200) configures logging in telecommunication networks executing one or more services (230) in a distributed workflow. To accomplish its function, the management system obtains vulnerability information for one or more services currently deployed in a communications network. The vulnerability information comprises, for each of the one or more services, a vulnerability identifier (VID) identifying a vulnerability of the service and a vulnerability score indicating a severity of the vulnerability. So obtained, the management system configures a logging framework (220) to generate trace records (406, 424) for a service currently deployed in the communications network to include the VID and the vulnerability score of the service. The management system configures the logging framework to generate the trace records on a use case basis. Therefore, each of the trace records is generated to identify a particular use case and use case instance associated with the execution of the service.
Attack scenario generation apparatus, risk analysis apparatus, method, and computer readable media
Generation of an attack scenario to be used for risk analysis of a system to be analyzed is enabled without depending on the technique and the knowledge of a person who creates it. An analysis result acquisition means acquires a risk analysis result of a first risk analysis performed on a system to be analyzed. A condition acquisition means acquires conditions for an attack scenario to be used for a second risk analysis on the basis of an attack scenario table and the risk analysis result. An attack scenario generation means generates an attack scenario to be used for the second risk analysis on the basis of the conditions for the attack scenario acquired by the condition acquisition means.