H04L63/306

INFORMATION SECURITY SYSTEM AND METHOD FOR PHISHING THREAT DETECTION USING TOKENS

A system for identifying email messages associated with phishing threats accesses an email message sent to a receiving computing device, where the email message is associated with a sender's email address. The system determines whether the sender's email address is associated with a token from a plurality of tokens stored in a token-email address mapping table. The system determines that the email message is associated with a phishing threat in response to determining that the sender's email address is not associated with any token from the plurality of tokens in the token-email address mapping table.

In-process correlation through class field injection
11516234 · 2022-11-29

In one embodiment, a monitoring process modifies a class definition of an object of a monitored process to include an injected field. The monitoring process may then execute a first interception point of the monitored process, and sets, at the first interception point, the injected field to a given value. Upon executing a second interception point of the monitored process, the monitoring process can then read, at the second interception point, the given value in the injected field, and can use the given value at the second interception point for a corresponding correlation operation between the first interception point and the second interception point.

METHODS AND APPARATUS FOR LAWFUL INTERCEPTION OF COMMUNICATIONS
20220377113 · 2022-11-24

Lawful intercept is supported by providing a network communications device with target identifiers in encrypted form. Received encrypted target identifiers are stored in a non-volatile storage device. Before communications interception occurs, one or more encrypted target identifiers are loaded into active memory which is secure and not accessible by a network device operating system administrator. A decryption request is sent to a security device and the result is loaded into the secure active memory. Plain text target identifier(s) returned by the security device are loaded directly into the active memory without being stored in the operating system administrator accessible storage device. In the case of a reset resulting in the contents of the active memory being lost, the active memory is repopulated by sending decryption requests using the stored encrypted target identifiers to indicate to the security device the target identifiers which need to be decrypted and reloaded into active memory.

AUTOMATICALLY GENERATING A FINGERPRINT PREVALENCE DATABASE WITHOUT GROUND TRUTH
20220360606 · 2022-11-10

Techniques and mechanisms for using passively collected network data to automatically generate a fingerprint prevalence database without the need for endpoint ground truth. The process first clusters all observations with the same fingerprint string and similar source and destination context. The process then annotates each cluster with descriptive information and uses a rule-based system to derive an informative name from that descriptive information, e.g., “winnt amp client” or “cross-platform browser”. Optionally, the learned database may be augmented by a user to clarify custom process labels. Additionally, the generated database may be used to report the inferred processes in the same way as databases generated with endpoint ground truth.

KEY BROKER FOR A NETWORK MONITORING DEVICE, AND APPLICATIONS THEREOF

A key broker monitors network traffic metadata and determines which decryption keys are required at one or more packet brokers in order to decrypt relevant traffic required by various network monitoring devices. The key broker retrieves the required keys from a secure keystore, distributes them, as needed, to the network packet brokers, and dynamically updates the decryption keys stored in the network packet brokers in response to changes in network traffic.

System and method for controlling data interception in a communication system

The present disclosure relates to a system and method for controlling data interception in a communication network. One or more requests from a user for accessing one or more microservices are received through an Application Programming Interface (API). Information associated with the one or more requests is then detected, and the requests are classified as secured microservice requests or non-secured microservice requests. The information is detected through predefined rules. An authentication token is then issued for a secured microservice request based on the detecting. The authentication token stores the information detected by the detector in a geo storage system. The one or more requests are then routed according to the authentication token towards one or more corresponding microservices of the one or more microservices.

Method and apparatus for creating virtualized network function instance
11487867 · 2022-11-01

This application provides a method and an apparatus for creating a virtualized network function instance VNFI. The method includes: generating, by a hardware-mediated execution enclave HMEE in a network functions virtualization NFV system, a private-public key pair, where a to-be-instantiated VNFI is deployed in the NFV system, and the HMEE and a to-be-instantiated first virtualized network function component VNFC are deployed in the VNFI; sending a public key in the private-public key pair to a security control device; receiving an encrypted security credential from the security control device, where the encrypted security credential is obtained by encrypting a security credential of a package of the first VNFC based on the public key, and the security credential is used to decrypt the package of the first VNFC; and decrypting the encrypted security credential based on a private key in the private-public key pair, to obtain the security credential.

EARLY VALIDATION OF COMMUNICATION BEHAVIOR
20220345471 · 2022-10-27

One example method includes extracting an expected communication specification of a service that is in development in a build pipeline, stimulating the service to exercise communication variations of the service, capturing communication traffic involving the service and one or more endpoints, comparing the captured communication traffic to the expected communication specification, and based on the comparing, detecting, in the captured communication traffic, and flagging, any anomalous communication behavior of the service.

AUTOMATED MONITORING OF PROXIMATE DEVICES

Aspects of the disclosure relate to an automated monitoring of proximate devices. A computing platform may cause a reporting device to detect a target device in a local network, retrieve network data associated with the target device, and send, to an intermediate server, the network data. The computing platform may send, to the intermediate server, a query. The intermediate server may send the network data in response to the query. Based on the network data, the computing platform may determine an amount of time that has elapsed since network activity was previously detected for the target device, and based on a determination that the amount of time exceeds a predetermined time threshold, the computing platform may generate an alert notification indicating that the target device may need to be traced. Subsequently, the alert notification may be sent to the reporting device.