Patent classifications
H04L63/1491
Method and system for clustering darknet traffic streams with word embeddings
A system for analyzing and clustering darknet traffic streams with word embeddings, comprising: a data processing module which collects packets that are sent to non-existing IP addresses that belong to darknet taps (blackholes) deployed over the internet; a port embedding module for performing port sequence embeddings by using a word embedding algorithm on the port sequences extracted from the data processing module, transforming the port sequences into meaningful numerical feature vectors; a clustering module for performing temporal clustering of the feature vectors over time; and an alert logic and visualization module that visualizes the data and provides alerts regarding a cluster that an analyst classified as malicious in the past.
Deceiving attackers accessing network data
Endpoints in a network execute a sensor module that intercepts commands. The sensor module compares the source of a command to a sanctioned list of applications received from a management server. If the source does not match a sanctioned application, the command is ignored and a simulated acknowledgment is sent, or deception data is returned instead. In some embodiments, certain data is protected such that commands will be ignored or modified to refer to deception data where the source is not a sanctioned application. The source may be verified to be a sanctioned application by evaluating a certificate, hash, or path of the source. Responses from an active directory server may be intercepted and modified to reference a decoy server when not addressed to a sanctioned application. Requests to view network resources may be responded to with references to a decoy server.
COVERT MONITORING OF AN ATTACKER HOST IN A SOFTWARE DEFINED PERIMETER NETWORK
Covert monitoring of an attacker host in a software defined perimeter network, includes: authenticating, by an SDP controller, a first and second host in the SDP network, where the first and second host, after authentication, establish an end-to-end encryption communication session; detecting, by the SDP controller, that the first host is an attacker host and the second host is a victim host; establishing, by the SDP controller as a copy of the victim host, a mimic host; and redirecting, by the SDP controller, communication from the attacker host to the mimic host including migrating, without disruption detectable by the attacker host, the communication session from the victim host to the mimic host, where the mimic host monitors communications with the attacker host.
DYNAMIC ONLINE BANKING HONEYPOT ACCOUNT SYSTEM
A computer-implemented method for processing online banking transactions is disclosed. The computer-implemented method includes identifying a first transaction request utilizing an alternate PIN associated with an alternate account linked to a primary account. The computer-implemented method further includes determining that the first transaction request is invalid based on a PIN policy corresponding to the alternate PIN associated with the alternate account linked to the primary account. The computer-implemented method further includes responsive to determining that the first transaction request is invalid, dynamically altering an allowable transaction limit for the alternate account according to the PIN policy.
Smart exposure of data to known attacker sessions
Systems, methods, and computer media for securing software applications are provided herein. By recording path data representing interactions between an application and other components, it can be determined what data an attacker has received by the time malicious activity is detected. During a session with an application, queries made to a dataset by the application can be recorded. After the session is found to be malicious, the session is transferred to a cloned application session in which access to the dataset is blocked. Based on the recorded queries, an alternative dataset for queries made in the cloned application session is generated that includes a subset of the original dataset, thus limiting future queries of the attacker in the cloned application session to data already received before the malicious activity was detected.
MESSAGING SERVER CREDENTIALS EXFILTRATION BASED MALWARE THREAT ASSESSMENT AND MITIGATION
A method includes enabling a messaging server and providing credentials for the messaging server. A computing system is enabled and a malware application is received by the computing system. The malware application is executed by the computing system. The credentials are rendered accessible to the malware application via the computing system, and the malware application is enabled to transmit the credentials via network transmission from the computing system to a computer. An actor is enabled to access the messaging server over a network in response to the actor applying the credentials, and a first electronic message transmitted by the actor is received by the messaging server, the first electronic message including first content.
DYNAMIC VIRTUAL HONEYPOT UTILIZING HONEY TOKENS AND DATA MASKING
A method, a computer program product, and a system for implementing a dynamic virtual database honeypot. The method includes relaying a query request received from a database client to a database and receiving, from the database, a response relating to the query request. The method also includes determining the query request is an attack on the database based on session information relating to the database and the database client, generating a honey token based on information contained within the response, generating an alternate response formatted in a same format as the response and containing artificial information that masks the information contained within the response. The method further includes inserting the honey token into the alternate response and transmitting the alternate response to the database client.
Techniques for securely detecting compromises of enterprise end stations utilizing tunnel tokens
A method in a cloud network to detect compromises within an enterprise network based on tokens tunneled outside of the enterprise network to the cloud network. The method includes receiving, at a tunnel gateway server within the cloud network, a first set of packets via a tunnel across a public network from a first server within the enterprise network, where the first set of packets were generated responsive to the first server receiving a second set of packets that originated from within the enterprise network and that included data and a source enterprise network address, where the first set of packets does not include the source enterprise network address and the data includes a token. The method further includes transmitting, by the tunnel gateway server, the data within a third set of packets to a second server that acts as if it were an enterprise server within the enterprise network.
Controlling access to external networks by an air-gapped endpoint
A method and system for controlling access to external networks by an air-gapped endpoint is provided. The method includes providing, on the air-gapped endpoint, a plurality of isolated security zones by instantiating a plurality of corresponding virtual machines using a hypervisor; selecting one security zone of the plurality of isolated security zones; and tunneling traffic from the selected security zone to a designated network location, wherein the tunneling is through a virtual private network (VPN).
On-demand security for network resources or nodes, such as for a wireless 5G network
The disclosed embodiments include a method performed by a network access node to thwart unauthorized activity on a network such as a 5G wireless network. For example, the method can include employing contextual information to determine risk to the 5G wireless network. A network access node can detect that a wireless device seeks to perform unauthorized activity, and then implement security measures such that the unauthorized activity is thwarted at the network access node.