H04L2463/146

Malicious port scan detection using port profiles

Methods, apparatus and computer software products implement embodiments of the present invention that include defining, for a given software category, respective, disjoint sets of communication ports that are used by each of a plurality of software systems in the given software category, including at least first and second disjoint sets. A set of port scans are identified in data traffic transmitted between multiple nodes that communicate over a network, each of the port scans including an access, in the data traffic, of a plurality of the communication ports on a given destination node by a given source node during a predefined time period. Upon detecting a port scan by one of the nodes including accesses of at least one of the communication ports in the first set and at least one of the communication ports in the second set, a preventive action is initiated.

THREAT SENSOR DEPLOYMENT AND MANAGEMENT
20210344726 · 2021-11-04

Various embodiments of apparatuses and methods for threat sensor deployment and management in a malware threat intelligence system are described. In some embodiments, the system comprises a plurality of threat sensors, deployed at different network addresses and physically located in different geographic regions in a provider network, which detect interactions from sources. In some embodiments, a threat sensor deployment and management service determines a deployment plan for the plurality of threat sensors, including each threat sensor's associated threat data collectors. The threat data collectors can be of different types such as utilizing different communication protocols or ports, or providing different kinds of responses to inbound communications. The different threat sensors can have different lifetimes. The service deploys the threat sensors based on the plan, collects data from the deployed threat sensors, adjusts the deployment plan based on the collected data and the threat sensor lifetimes, and then performs the adjustments.

System and method of authenticating the source of a communication signal transmitted along a network bus

A communication network authenticates the source of messages transmitted on a flat bus to determine the presence of spoofing events. A programmable intrusion detection device is connected to the bus at a fixed location and compiles templates for various tri-bit signal pulses that form the data transmitted as messages between network nodes. Each tri-bit template compares unique signal characteristics inherent in the signal waveform received by the device from each node, the unique characteristics being directly attributable to the physical topology of the network. In use, the device uses the templates to calculate an inferred source identifier for each message. The inferred source identifier is then compared against the declared source identifier, which is embedded in message metadata, to authenticate the message source. Any lack of reconciliation between the inferred and declared source identifiers causes the device to mark the message as spoofed and initiate a designated response.

PACKET PROCESSING METHOD AND APPARATUS
20230283588 · 2023-09-07

A packet processing method and apparatus are provided. The method includes: on a forwarding path of an IPv6 packet, a key node (for example, a firewall) signs the packet, and a downstream apparatus of the key node verifies the signature to determine whether the packet passed through the key node during forwarding. According to this application, the key node performs checking to effectively prevent a packet whose packet header has been modified by attackers from bypassing the key node.

ATTACK ANALYSIS DEVICE, ATTACK ANALYSIS METHOD, AND NON-TRANSITORY COMPUTER-READABLE RECORDING MEDIUM
20230283617 · 2023-09-07

An attack analysis device includes: an obtainer that obtains in-vehicle network information indicating a configuration of an in-vehicle network including a plurality of external communication interfaces and a plurality of control Electronic Control Units (ECUs), and anomaly detection information indicating a result of detecting an anomaly in at least one node in the in-vehicle network; an attack path estimator that, based on the in-vehicle network information and the anomaly detection information, estimates an attack path in an attack on the in-vehicle network, the attack path including an entry point indicating an external communication interface that is a point of intrusion into the in-vehicle network in the attack and an attack target indicating a control ECU that is a target of the attack; and an outputter that outputs the attack path.

Network attack identification, defense, and prevention

The disclosure provides an approach for detecting and preventing attacks in a network. Embodiments include receiving network traffic statistics of a system. Embodiments include determining a set of features of the system based on the network traffic statistics. Embodiments include inputting the set of features to a classification model that has been trained using historical features associated with labels indicating whether the historical features correspond to attacks. Embodiments include receiving, as output from the classification model, an indication of whether the system is a target of an attack. Embodiments include receiving additional statistics related to the system. Embodiments include analyzing, in response to the indication that the system is the target of the attack, the additional statistics to identify a source of the attack. Embodiments include performing an action to prevent the attack based on the source of the attack.

Malware Victim Identification
20230140790 · 2023-05-04

Disclosed, in one general aspect, is a network security system that includes a network traffic analysis tool operative to extract information about traffic with suspected attack support infrastructure addresses. An automated traffic pattern recognition tool is responsive to information extracted by the network traffic analysis tool and to enrichment data, and is operative to detect patterns in the extracted traffic information. An identification tool is responsive to the pattern recognition tool to identify victims associated with the suspected attack support infrastructure addresses based on patterns detected in the extracted traffic information. And the system includes storage that is responsive to the identification tool for storing the recorded suspected attack support infrastructure addresses and identified victims on an ongoing basis.

Detecting suspicious file activity
11799886 · 2023-10-24

Systems and techniques for detecting suspicious file activity are described herein. A system for identifying anomalous data events is adapted to monitor a networked file system and receive an indication of a suspicious event associated with a user and a file. The system is further adapted to perform a pattern of behavior analysis for the user, perform an adjacency by time analysis based on a set of events before the suspicious event and a set of events after the suspicious event, and perform an adjacency by location analysis using a set of files located in the location of the file. The system is further adapted to determine whether the suspicious event is an anomalous event based on the pattern of behavior analysis, the adjacency by time analysis, and the adjacency by location analysis, and to display a report for the user including the anomalous event.

ATTACK SCENARIO GENERATION APPARATUS, RISK ANALYSIS APPARATUS, METHOD, AND COMPUTER READABLE MEDIA
20230379351 · 2023-11-23

Generation of an attack scenario to be used for risk analysis of a system to be analyzed is enabled without depending on the technique and the knowledge of a person who creates it. An analysis result acquisition means acquires a risk analysis result of a first risk analysis performed on a system to be analyzed. A condition acquisition means acquires conditions for an attack scenario to be used for a second risk analysis on the basis of an attack scenario table and the risk analysis result. An attack scenario generation means generates an attack scenario to be used for the second risk analysis on the basis of the conditions for the attack scenario acquired by the condition acquisition means.

Anomaly detection
11522895 · 2022-12-06

Computer-implemented method of detecting potential cybersecurity threats from collected data pertaining to a monitored network, the collected data comprising network data and/or endpoint data. The method comprises structuring the collected data as at least one data matrix, each row of the data matrix being a datapoint and each column corresponding to a feature. The method also comprises identifying one or more datapoints as anomalous, thereby detecting a potential cybersecurity threat. The method also comprises extracting causal information about the anomalous datapoint based on an angular relationship between a second-pass coordinate vector of the anomalous datapoint and a second-pass coordinate vector of one or more features. The second-pass coordinate vectors are determined by applying a second-pass singular value decomposition (SVD) to a residuals matrix. The residuals matrix is computed between the data matrix and an approximation of the data matrix by applying a first-pass truncated SVD to the data matrix.