H04L63/1491

Methods and systems for defending an infrastructure against a distributed denial of service attack
11528295 · 2022-12-13

Methods and systems for defending an infrastructure against a distributed denial of service (DDoS) attack use a software decoy installed in the infrastructure to deliberately attract malware. An address or a domain name of a command and control (C&C) server is extracted from the malware. A client of the infrastructure uses the address or the domain name of the C&C server to connect to the C&C server. The client receives a command intended by the C&C server to cause the client to participate in the DDoS attack. The client forwards particulars of the DDoS attack to a cleaning component. The cleaning component discards incoming signals having one or more of the particulars of the DDoS attack. The address or domain name of the C&C server may be obfuscated in the malware, in which case reverse engineering is used to decipher the malware.

LOOKALIKE DOMAIN IDENTIFICATION
20220394060 · 2022-12-08

Aspects of the disclosure relate to identifying domain name lookalikes. A computing platform may generate a plurality of lookalike domain names for an input domain name. The computing platform may generate, by applying a hash algorithm to the plurality of lookalike domain names, a dictionary index. The computing platform may identify a first domain name. The computing platform may identify, by performing a lookup function in the dictionary index using the first domain name, that the first domain name is a lookalike domain name corresponding to the input domain name. The computing platform may send, to a user device, one or more commands directing the user device to display a user interface that includes the lookalike domain name, which may cause the user device to display the user interface.

DETECTING THREAT PATHWAYS USING SEQUENCE GRAPHS

A method for detecting threat pathways using sequence graphs includes constructing a sequence graph from a set of data containing information about activities in a telecommunications service provider network, where the sequence graph represents a subset of the activities that occurs as a sequence, providing an embedding of the sequence graph as input to a machine learning model, wherein the machine learning model has been trained to detect when an input embedding of a sequence graph is likely to indicate a threat activity, determining, based on an output of the machine learning model, whether the subset of the activities is indicative of the threat activity, and initiating a remedial action to mitigate the threat activity.

Honeypot opaque credential recovery
11522912 · 2022-12-06

Disclosed herein are methods, systems, and processes for recovering opaque credentials in deception systems. A plaintext credential is received at a honeypot and a plaintext lookup table is accessed. It is determined that the plaintext credential does not exist in the plaintext lookup table and the plaintext credential is added to the plaintext lookup table and a protocol specific plaintext lookup table. An opaque credential is generated for the plaintext credential and the opaque credential is added to a protocol specific opaque lookup table.

INJECTING COMPUTING CODE FOR DETECTION OF MALICIOUS COMPUTING ATTACKS DURING SUSPICIOUS DEVICE BEHAVIOR
20220385676 · 2022-12-01

There are provided systems and methods for injecting computing code for detection of malicious computing attacks during suspicious device behavior. A service provider, such as an electronic transaction processor for digital transactions, may detect activities of a computing device when using computing services. The service provider may determine that those activities are suspicious or high risk. In order to determine if the computing device is being used by a malicious user, such as to perform an automated computing attack against the service provider, the service provider may determine one or more probes that may be inserted into a corresponding user interface displayable by the computing device. The probe may attempt to differentiate between real human users and automated and/or malicious users. Computing code for the probe may be injected into the computing code for the user interface and may be provided when the user interface is output.

CLOUD-BASED SECURITY FOR IDENTITY IMPOSTER

A computer-implemented method secures cloud services from imposters by automatically activating an imposter security service (ISS) in response to receiving an imposter identifier (IID) of an imposter from an identity access and management system (IAMS). The ISS comprises a manipulation mapping table (MMT) that stores configurable factors to assist in control of execution of a cloud service security element (CSSE) in a respective cloud service of the cloud services. The ISS also comprises a decision engine (DE) that interacts with the MMT. The method exchanges imposter security information between the ISS and the CSSE and between the MMT and the DE, and directs the imposter security information to be sent to security information and event management (SIEM).

Device, system and method for defending a computer network
11516181 · 2022-11-29

A non-transitory, processor-readable medium includes code representing instructions to cause a processor to perform a method. The method includes receiving, from a traffic filter at a boundary of a network, a network communication and determining the network communication is a first anomalous communication associated with a service that does not exist within the network, uses a non-readable character set, or includes a malicious payload. The method further includes, at least partially based on the determining, generating a first rule, at least partially based on an analysis of a subset of partial or exact fingerprints of the first anomalous communication. The first rule is communicated to the traffic filter for the traffic filter to filter, from network communications external to the network, a second anomalous communication.

Maintaining interactive session continuity in honeypot deployments
11595440 · 2023-02-28

Disclosed herein are methods, systems, and processes for provisioning and deploying deception computing systems with dynamic and flexible personalities. A network connection is received from a source Internet Protocol (IP) address at a honeypot. In response to receiving the network connection, a personality state table is accessed and a determination is made as to whether a personality that corresponds to the source IP address exists in the personality state table. If the personality exists, the personality is designated to the source IP address. If the personality does not exist, an attack characteristic of the network connection is determined and an alternate personality that is substantially similar to the attack characteristic is designated to the source IP address.

Management of botnet attacks to a computer network
11509690 · 2022-11-22

A system and computer-implemented method of monitoring a network is provided. The method includes receiving a packet of network traffic, wherein the packet has an associated source and destination address pair, where this pair constitutes a connection pair. The method further includes comparing the packet to a plurality of patterns and/or comparing a source or destination address of the packet to known malicious addresses. Upon determining that the packet matches a pattern of the plurality of patterns or that the source or destination address of the packet matches a known malicious address, the method further includes deploying a honeypot in a container for the pattern matching the packet, if not yet deployed, and forwarding all network traffic for the connection pair to the honeypot.

Protecting from directory enumeration using honeypot pages within a network directory
11509691 · 2022-11-22

There are provided systems and methods for protecting from directory enumeration using honeypot pages within a network directory. A service provider, such as an electronic transaction processor for digital transactions, may have an internal network that is utilized by employees, developers, and other end users within the organization of the service provider. When internal devices become compromised or internal users act maliciously, they may attempt to enumerate a directory to find hidden pages that have secret or sensitive data. The service provider may therefore detect a scan of an internal directory having file paths to files and pages and may deploy honeypot pages that change an error status. Further, the service provider may add a process or operation to log additional data on these honeypot pages and/or change a byte size of the corresponding pages to confuse the enumeration attempt and obtain true source information.