Patent classifications
H04L63/1491
Method and apparatus for defending against network attack
This application discloses a method and an apparatus for defending against a network attack, to resolve the problem that network defense costs are relatively high. In the method, a network security device receives a first packet sent by an external device, and matches the destination IP address of the first packet with configuration information of a fake network. If an IP address of a node in the configuration information of the fake network has the same subnet prefix as the destination IP address, the network security device processes the first packet based on a fake network policy; if no IP address of a node in the configuration information of the fake network has the same subnet prefix as the destination IP address, the network security device processes the first packet based on a firewall policy.
Intrusion detection with honeypot keys
A honeypot file is cryptographically secured with a cryptographic key. The key, or related key material, is then placed on a central keystore and the file is placed on a data store within the enterprise network. Unauthorized access to the honeypot file can then be detected by monitoring use of the associated key material, which usefully facilitates detection of file access at any time when, and from any location where, cryptographic access to the file is initiated.
SYSTEMS AND METHODS FOR AUTOMATED MALICIOUS CODE REPLACEMENT
Disclosed herein are systems and methods for automated malicious code replacement. In one exemplary aspect, a method may comprise scanning for malicious content in a file comprising a script written in an interpretable programming language, wherein the malicious content triggers malicious activity on a computing device that stores the file. The method may comprise detecting a malware injection in the file based on the scanning, wherein the malware injection comprises at least one operator that enables the malicious activity. The method may comprise identifying a benign operator that can replace the at least one operator to prevent execution of the malicious activity without causing a syntax error. The method may comprise updating the file by replacing the at least one operator with the benign operator.
HONEYPOT IDENTIFICATION METHOD, APPARATUS, DEVICE, AND MEDIUM BASED ON CYBERSPACE MAPPING
A honeypot identification method based on cyberspace mapping provides improved accuracy and efficiency of identifying a honeypot. One or more open ports corresponding to a target Internet Protocol address and a target open port for login are determined. Account login information of the target open port is acquired. A service of the target open port is logged into to acquire system environment information. Cyberspace mapping data is determined based on the one or more open ports, port fingerprint information of the one or more open ports, and the system environment information. A honeypot identification result of the target Internet Protocol address is obtained based on the cyberspace mapping data.
SECURE SENTINEL NETWORK
Method and apparatus for protecting computer resources from malicious attack including baseline sentinels and warrior sentinels. Baseline sentinels are deployed on a network serving only as decoys and containing no company data. When any attempt to communicate with a baseline sentinel is detected, a host of warrior sentinels (also containing no company data) are deployed to act as additional decoys, diminishing the chance that a malicious attack will reach a valuable computer resource and collecting information on the malicious attacker. Once the malicious attack stops or is defeated, the warrior sentinels are retired and the system resets to baseline sentinels.
METHOD AND SYSTEM FOR GENERATING DECOY FILES USING A DEEP LEARNING ENGINE FOR PROTECTION AGAINST RANSOMWARE ATTACKS
A system and method for generating decoy files for protection against ransomware attacks is disclosed. The system includes a deep learning engine, wherein the deep learning engine is configured to extract a plurality of features from most recently used user files in a folder, convert the plurality of features to a vector format, estimate error of the plurality of features to a target vector, and generate decoy files if the error is less than a predefined threshold.
Aggregation and flow propagation of elements of cyber-risk in an enterprise
A computer-implemented method for computing or modeling the risk of a cyber security breach to an asset begins by gathering coverage information from network sensors, endpoint agents, and decoys related to the asset, as well as gathering importance information related to the asset, alerts and anomalies from an enterprise and vulnerability information related to the asset. From this, a threat-score is computed for the asset. Connections or coupling information is gathered between users and assets, users and data, and assets and data, which is fused to generate a 3-dimensional vector representation of coverage, importance, and threat-score of the assets, users and data. From this 3-dimensional vector, an asset risk score is computed to provide the asset risk score.
METHOD FOR SECURING THE TIME SYNCHRONIZATION IN A SERVER ECU
A method for securing time synchronization in a server ECU, including: initializing time synchronization of the components; storing a unique clock identification of a grandmaster clock; identifying a shadow controller; transmitting the synchronization messages; querying the sending time with the shadow controller; inserting the time in the follow-up message via the controller that forms the grandmaster clock, and retransmitting the time; sending additional messages relating to time synchronization via selected network devices that do not provide the previously determined grandmaster clock. The time information sent in the additional messages relating to time synchronization and also the clock parameters relevant for determining the best clock by means of BMCA and the domain number match those of the previously determined grandmaster clock, or are comparable with them. The additional messages relating to time synchronization contain a unique clock identification corresponding to the identification of the respective selected network device.
Data model generation using generative adversarial networks
Methods for generating data models using a generative adversarial network can begin by receiving a data model generation request by a model optimizer from an interface. The model optimizer can provision computing resources with a data model. As a further step, a synthetic dataset for training the data model can be generated using a generative network of a generative adversarial network, the generative network trained to generate output data differing at least a predetermined amount from a reference dataset according to a similarity metric. The computing resources can train the data model using the synthetic dataset. The model optimizer can evaluate performance criteria of the data model and, based on the evaluation of the performance criteria of the data model, store the data model and metadata of the data model in a model storage. The data model can then be used to process production data.
Controlled deployment of blended honeypot services
Methods and systems for monitoring activity on a network. The systems may include a host computer executing a non-honeypot service. The host computer may also include a control module configured to enable or disable a honeypot service on the host computer in response to at least one of computational resource availability and configured tolerance for degraded service.