Systems and methods for intelligent data routing based on data type are provided. A proxy installed on a client device receives a data stream and scans the data stream for classification parameters associated with sensitive data. A data stream may be broken down, for example, to data packets, classified using known libraries containing characteristics of a classification, and routed based on applicable policies governing each classification. The routed data packets are constantly monitored and may be re-routed to a network designed to handle highly sensitive data, a network designed to handle data with high security risk, or to another applicable service infrastructure as needed, before reaching the intended recipient. The classification libraries may be updated based on the monitored data and change in classification of the data packet.

Techniques are disclosed relating to computer network security. In some embodiments, a computing system generates a plurality of executable binaries that include alerting beacons for a computer network associated with a transaction service. The computing system then deploys, within the computer network, the plurality of executable binaries as traps to detect privilege escalation attempts within the computer network. In some embodiments, the computing system detects that one or more alerting beacons included in the plurality of executable binaries have been triggered. In response to the detecting, the computing system may transmit, to a security management system, a notification indicating the one or more triggered alerting beacons. The disclosed detection techniques may advantageously reduce breaches in network security, which in turn may reduce or prevent the loss of private data.

Techniques to facilitate prevention of malicious attacks on a web service are disclosed herein. In at least one implementation, a computing system intercepts a web request directed to a web server providing the web service. The computing system identifies whether or not the web request is malicious. When the web request is identified as malicious, the computing system redirects the web request to an isolated mitigation server configured to mimic responses of the web server. The isolated mitigation server processes the web request to generate artificial content based on the web request that appears to be genuine content provided by the web server, and presents the artificial content in response to the web request.

Methods, apparatuses and computer program products implement embodiments of the present invention that include protecting a computer system coupled to a storage device by detecting an executing process that performed a specific type of modification to a number of files stored on the storage device. A processor compares the detected number to a specified threshold and initiates, on the executing process, a preventive action in response to determining that the detected number exceeds the specified threshold.

A method to secure a production environment in a network begins by associating a set of resources into a simulated environment layer configured to simulate at least a portion of the production environment. A preferred approach to building the simulated environment layer utilizes generative adversarial network (GAN) machine learning modeling. Upon detecting a suspect user attempting to interact with the production environment, one or more requests received from the suspect user are routed to the simulated environment layer as opposed to the production environment. At least one behavior of the simulated environment layer is then modified as the suspect user interacts within the simulated environment layer. The modified behavior facilitates that an attack initiated by the suspect user can proceed. Information (such as the user's tactics, techniques and procedures (TPPs), or other Indicators of Compromise (IoCs) associated with the attack is captured for analysis and subsequent action.

Disclosed herein are method, system, and computer-readable storage medium embodiments for reinforcement learning applied to application responses using deception technology. An embodiment includes configuring at least one computer processor to perform operations that include detecting an unauthorized access attempt associated with an attacker, and recording an input log that includes inputs received from the attacker. An embodiment may further include operations of generating a state representation corresponding to an execution state of at least one software application, computing one or more predicted inputs, based at least in part on the input log and the state representation, and modifying, via at least one software agent, the execution state of at least the software application, based at least in part on the one or more predicted input. Types of attacks (unauthorized access attempts) may include cross-site scripting, cross-site request forgery, SQL injection, code injection, brute-force attack, buffer-overflow attack, or a combination thereof.

A method includes: detecting, by a computing device, connection of a universal serial bus device to a computer; determining, by the computing device, that the computer is in a locked mode; detecting, by the computer device, input to the computer within a predetermined time of detecting the connection; determining, by the computing device as a result of the computer being locked and detecting the input, that the input is a threat to the computer; creating, by the computing device, a temporary virtual environment; receiving, by the computing device, the input into the temporary virtual environment; processing, by the computing device, the input in the temporary virtual environment; and recording, by the computing device, information related to the input.

A system for detecting malware is described. The system features a traffic analysis device and a network device. The traffic analysis device is configured to receive data over a communication network, selectively filter the data, and output a first portion of the data to the network device. The network device is communicatively coupled with and remotely located from the traffic analysis device. The network device features software that, upon execution, (i) monitors behaviors of one or more virtual machines processing the first portion of the data received as output from the traffic analysis device, and (ii) detects, based on the monitored behaviors, a presence of malware in the first virtual machine.

The present invention relates to methods, network devices, and machine-readable media for an integrated environment for automated processing of reports of suspicious messages, and furthermore, to a network for distributing information about detected phishing attacks.

Aspects of the disclosure relate to improving user responses to cyber security threats. A computing platform may generate a test communication to simulate a potential cyber threat activity. Then, the computing platform may send, via the communication interface, the test communication to a user device associated with a target user. Then, the computing platform may receive, via the communication interface and from the user device, a response to the test communication. Subsequently, the computing platform may determine, based on the response, a threat awareness level for the target user, where the threat awareness level is indicative of a susceptibility of the target user to the potential cyber threat activity. Then, the computing platform may send, to the target user and based on the threat awareness level, an alert notification to counter the cyber threat activity.