Patents by Inventor Cheng-Ta Lee

Cheng-Ta Lee has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20220414245
    Abstract: A method, a computer program product, and a system for implementing a dynamic virtual database honeypot. The method includes relaying a query request received from a database client to a database and receiving, from the database, a response relating to the query request. The method also includes determining the query request is an attack on the database based on session information relating to the database and the database client, generating a honey token based on information contained within the response, generating an alternate response formatted in a same format as the response and containing artificial information that masks the information contained within the response. The method further includes inserting the honey token into the alternate response and transmitting the alternate response to the database client.
    Type: Application
    Filed: June 29, 2021
    Publication date: December 29, 2022
    Inventors: Galia Diamant, Richard Ory Jerrell, Chun-Shuo Lin, Wei-Hsiang Hsiung, Cheng-Ta Lee, WEI-JIE LIAU
  • Publication number: 20220407886
    Abstract: In an approach for prohibiting voice attacks, a processor, in response to receiving a voice input from a source, determines, using a predetermined filter including an allowlist, that the voice input does not match any corresponding entry of the predetermined filter. A processor routes the voice input to an adversarial pipeline for processing. A processor identifies an adversarial example of the voice input using a predetermined connectionist temporal classification method. A processor generates a configurable distorted adversarial example using the adversarial example identified. In response to a user reply, a processor injects the configurable distorted adversarial example as noise into a voice stream of the user reply in real-time to alter the voice stream. A processor routes the altered voice stream to the source.
    Type: Application
    Filed: June 18, 2021
    Publication date: December 22, 2022
    Inventors: Bruno dos Santos Silva, Cheng-Ta Lee, HOWARD RUIHUA ZHAO, SOCHEAT SOU, James Edward Damgar, George Patrick Carper
  • Publication number: 20220237314
    Abstract: A database protection system (DPS) mitigates injection attacks. DPS receives an unrestricted database query, extracts a syntax tree, and evaluates whether it recognizes the query. To this end, DPS applies a hash function over the extracted syntax tree, and then determines whether the resulting hash has been seen by DPS before. If so, DPS retrieves a previously-generated prepared statement associated with the syntax tree, and that prepared statement is then forwarded to the database server in lieu of sending the original query. If the syntax tree is not recognized, DPS creates a new prepared statement, generates a hash of the syntax tree, and stores the hash and the new prepared statement, and forwards the new prepared statement. The prepared statements are configured based on the native wire protocol used by the database server, and DPS includes additional functionality by which it can learn the semantics of this protocol if necessary.
    Type: Application
    Filed: January 28, 2021
    Publication date: July 28, 2022
    Applicant: International Business Machines Corporation
    Inventors: Galia Diamant, Leonid Rodniansky, Cheng-Ta Lee, Chun-Shuo Lin, Richard Ory Jerrell
  • Publication number: 20220222259
    Abstract: An example operation may include one or more of receiving a set of structured query language (SQL) queries from one or more software applications, generating a set of SQL syntax trees that correspond to the set of SQL queries, identifying a unique subset of SQL syntax trees among the generated set of SQL syntax trees based on previously obtained SQL syntax trees, and transmitting the unique subset of SQL syntax trees to a computing system.
    Type: Application
    Filed: April 1, 2022
    Publication date: July 14, 2022
    Inventors: Cheng-Ta Lee, Chun-Shuo Lin, Galia Diamant, Richard Ory Jerrell, Leonid Rodniansky
  • Patent number: 11362910
    Abstract: A tiered machine learning-based infrastructure comprises a first machine learning (ML) tier configured to execute within an enterprise network environment and that learns statistics for a set of use cases locally, and to alert deviations from the learned distributions. Use cases typically are independent from one another. A second machine learning tier executes external to the enterprise network environment and provides further learning support, e.g., by determining a correlation among multiple independent use cases that are running locally in the first tier. Preferably, the second tier executes in a cloud compute environment for scalability and performance.
    Type: Grant
    Filed: July 17, 2018
    Date of Patent: June 14, 2022
    Assignee: International Business Machines Corporation
    Inventors: Jian Lin, Matthew Elsner, Ronald Williams, Michael Josiah Bolding, Yun Pan, Paul Sherwood Taylor, Cheng-Ta Lee
  • Publication number: 20220156376
    Abstract: A processor may generate an enforcement point. The enforcement point may include one or more adversarial detection models. The processor may receive user input data. The processor may analyze, at the enforcement point, the user input data. The processor may determine, from the analyzing, whether there is an adversarial attack in the user input data. The processor may generate an alert based on the determining.
    Type: Application
    Filed: November 19, 2020
    Publication date: May 19, 2022
    Inventors: Bruno dos Santos Silva, Cheng-Ta Lee, Ron Williams, Bo-Yu Kuo, CHAO-MIN CHANG, Sridhar Muppidi
  • Publication number: 20220158824
    Abstract: Context information of a handshake between a source entity and a target entity is obtained at a security proxy. The context information is transmitted from the security proxy to a key manager. The key manager maintains a first private key of the security proxy. A first handshake message is received from the key manager. The first handshake message is generated at least based on the context information and signed with the first private key. The first handshake message is then transmitted to the target entity.
    Type: Application
    Filed: November 18, 2020
    Publication date: May 19, 2022
    Inventors: Wei-Hsiang Hsiung, Chun-Shuo Lin, Wei-Jie Liau, Cheng-Ta Lee
  • Patent number: 11334569
    Abstract: An example operation may include one or more of receiving a set of structured query language (SQL) queries from one or more software applications, generating a set of SQL syntax trees that correspond to the set of SQL queries, identifying a unique subset of SQL syntax trees among the generated set of SQL syntax trees based on previously obtained SQL syntax trees, and transmitting the unique subset of SQL syntax trees to a computing system.
    Type: Grant
    Filed: January 21, 2020
    Date of Patent: May 17, 2022
    Assignee: International Business Machines Corporation
    Inventors: Cheng-Ta Lee, Chun-Shuo Lin, Galia Diamant, Richard Ory Jerrell, Leonid Rodniansky
  • Patent number: 11283880
    Abstract: Embodiments provide a computer implemented method in a data processing system comprising a processor and a memory including instructions, which are executed by the processor to cause the processor to implement the method of terminating a connection between a database server and a database client through an enforcement point, the method including: continuously monitoring, by the enforcement point, information related to a connection to a database, and parsing one or more queries; continuously comparing, by the enforcement point, the information with a predefined plurality of rules, and checking whether there is a rule violation; if there is a rule violation, assembling, by the enforcement point, a termination packet including an error message indicative of the rule violation; sending, by the enforcement point, the termination packet to the database client; and terminating, by the enforcement point, a connection between the enforcement point and the database client.
    Type: Grant
    Filed: April 15, 2019
    Date of Patent: March 22, 2022
    Assignee: International Business Machines Corporation
    Inventors: Galia Diamant, Richard O. Jerrell, Chun-Shuo Lin, Cheng-Ta Lee
  • Patent number: 11283962
    Abstract: A graphical indicator comprising a plurality of first header blocks, a plurality of second header blocks and a plurality of data blocks for forming an indicator matrix is provided. Each of the first and second header blocks has a header graphical micro-unit, and each of the data blocks has a data graphical micro-unit. An array area is formed by the second header blocks and the data blocks. A first virtual line and a second virtual line are respectively formed by virtual centers of the first and second header blocks, and an included angle between the first and second virtual lines is less than 90 degrees.
    Type: Grant
    Filed: June 15, 2020
    Date of Patent: March 22, 2022
    Assignee: SONIX TECHNOLOGY CO., LTD.
    Inventors: Cheng-Ta Lee, Jang-Jer Tsai, Tzu-Fong Huang
  • Patent number: 11265303
    Abstract: Embodiments provide a system and method for stateless session synchronization between inspectors for high availability deployments. Man in the Middle inspectors of a communication session between a client and server exchange a shared key that is used as a common seed value in a mapping function algorithm. Each inspector generates identical key-pairs using the common mapping function algorithm, and the inspectors generate the session keys from the key-pairs. Inspectors use the session keys to decrypt and either actively or passively inspect data transferred in a session between a client and server.
    Type: Grant
    Filed: March 30, 2020
    Date of Patent: March 1, 2022
    Assignee: International Business Machines Corporation
    Inventors: Kuo-Chun Chen, Wei-Hsiang Hsiung, Cheng-Ta Lee, Wei-Shiau Suen, Ming Hsun Wu
  • Patent number: 11201880
    Abstract: A technique for network attack tainting and tracking includes monitoring data packets received from a network for a malicious request. Responsive to detecting a malicious request, a forensic token is created having information pertaining to the malicious request that is configured to be stored by a source of the malicious request and discoverable regarding involvement of the source in the malicious request. The forensic token is injected into a response message, and the response message is then transmitted to the source of the request as a response to the request.
    Type: Grant
    Filed: May 7, 2020
    Date of Patent: December 14, 2021
    Assignee: International Business Machines Corporation
    Inventors: Cheng-ta Lee, Ronald B. Williams
  • Patent number: 11178171
    Abstract: Embodiments are directed to a method of monitoring a suspicious file, including: receiving, from a web server, a first file; encrypting, by an intermediary network device, the first file; transferring the encrypted file, from the intermediary network device, to an end device; transferring the first file, from the intermediary network device, to a malware analysis device for a malware analysis; and receiving a malware analysis result, from the malware analysis device. If the malware analysis result indicates the first file is not a malware, requesting a key; decrypting the encrypted file using the key; and accessing the decrypted file.
    Type: Grant
    Filed: December 4, 2018
    Date of Patent: November 16, 2021
    Assignee: International Business Machines Corporation
    Inventors: Wei-Hsiang Hsiung, Ming Hsun Wu, Wei-Shiau Suen, Cheng-ta Lee
  • Patent number: 11159566
    Abstract: Countering phishing attacks by generating multiple synthetic victims, where each of the synthetic victims includes synthetic victim information that represents a computer user identity and includes associated sensitive information, where the computer user identity and its associated sensitive information are fictitious in that they are not known to be associated with a legitimate computer user, providing any of the synthetic victim information of the synthetic victims to a computer-hosted phishing site, storing the synthetic victim information in a computer-accessible database, receiving from a computer-hosted target site information provided to the computer-hosted target site by a requestor, identifying in the computer-accessible database synthetic victim information matching the requestor information, and notifying the computer-hosted target site that the requestor information is of a synthetic victim.
    Type: Grant
    Filed: August 21, 2018
    Date of Patent: October 26, 2021
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Cheng-Ta Lee, Russell Couturier, Andrii Iesiev, Iosif Onut
  • Patent number: 11146588
    Abstract: A network-based appliance includes a mechanism to set-up and selectively use an “out-of-band” encryption channel. The mechanism comprises a packet parser, and a packet dispatcher, and it is integrated with an existing network layer stack that typically is not visible to host applications. In lieu of simply encrypting all data it receives, the mechanism instead analyzes one or more attributes, e.g., protocol type, application type, current encryption strength, content payload, etc., associated with a packet transmission to determine whether further encryption is required. The evaluation may include a deep packet inspection (DPI) when the information at the network layer (e.g., IP address, port number, etc.) is not sufficient to determine if the payload in the packet needs to be further encrypted. Based on the result of the analysis, packets are dispatched to the encryption channel as and when necessary.
    Type: Grant
    Filed: June 29, 2019
    Date of Patent: October 12, 2021
    Assignee: International Business Machines Corporation
    Inventors: Cheng-Ta Lee, Chun-Shuo Lin, Wei-Shiau Suen, Ming-Hsun Wu
  • Patent number: 11121918
    Abstract: An intelligent network management device including an analytic unit, conducting an analysis according to received packets in order to determine whether a given event has occurred; and a processing unit, generating and sending a control instruction to a SDN controller to change configurations of a SDN switch when the analytic unit has determined that the given event has occurred.
    Type: Grant
    Filed: November 7, 2017
    Date of Patent: September 14, 2021
    Assignee: International Business Machines Corporation
    Inventors: Chih-Wen Chao, Cheng-Ta Lee, Wei-Shiau Suen, Ming-Hsun Wu
  • Patent number: 11122077
    Abstract: Embodiments can provide a computer implemented method in a data processing system comprising a processor and a memory comprising instructions, which are executed by the processor to cause the processor to implement a system for network protection, the method comprising determining, by the processor, if an incoming connection comprising one or more packets has a false latency larger than a trigger latency; determining, by the processor, if an attack is currently in progress; and if the attack is in progress, injecting, by the processor, at least one of the one or more packets of the incoming connection or one or more packets of an outgoing connection with a false latency.
    Type: Grant
    Filed: January 14, 2020
    Date of Patent: September 14, 2021
    Assignee: International Business Machines Corporation
    Inventors: Chih-Hung Chou, Cheng-ta Lee, Yin Lee, Chun-Shuo Lin
  • Publication number: 20210279621
    Abstract: Embodiments for graph computing are provided. A graph including a plurality of explicit nodes and at least one implicit node is generated. A first of the plurality of explicit nodes and a second of the plurality of explicit nodes are traversed between utilizing deductive reasoning. A third of the plurality of explicit nodes and a fourth of the plurality of explicit nodes are traversed between through the at least one implicit node utilizing inductive reasoning.
    Type: Application
    Filed: March 9, 2020
    Publication date: September 9, 2021
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: June-Ray LIN, Charlie WU, Cheng-Ta LEE
  • Publication number: 20210248235
    Abstract: A computer-implemented method, a computer program product, and a computer system for creating malware domain sinkholes by domain clustering. The computer system clusters malware domains into domain clusters. The computer system collects domain metrics in the domain clusters. The computer system sorts clustered malware domains in the respective ones of the domain clusters, based on the domain metrics. The computer system selects, from the clustered malware domains in the respective ones of the domain clusters, a predetermined number of top domains as candidates of respective domain sinkholes, wherein the respective domain sinkholes are created for the respective ones of the domain clusters.
    Type: Application
    Filed: February 10, 2020
    Publication date: August 12, 2021
    Inventors: Cheng-Ta Lee, Bo-Yu Kuo, Gideon Zenz, Andrii Iesiev, Jacobus P. Lodewijkx
  • Patent number: 11089058
    Abstract: A network-based appliance includes a mechanism to set-up and selectively use an “out-of-band” encryption channel. The mechanism comprises a packet parser, and a packet dispatcher, and it is integrated with an existing network layer stack that typically is not visible to host applications. In lieu of simply encrypting all data it receives, the mechanism instead analyzes one or more attributes, e.g., protocol type, application type, current encryption strength, content payload, etc., associated with a packet transmission to determine whether further encryption is required. The evaluation may include a deep packet inspection (DPI) when the information at the network layer (e.g., IP address, port number, etc.) is not sufficient to determine if the payload in the packet needs to be further encrypted. Based on the result of the analysis, packets are dispatched to the encryption channel as and when necessary.
    Type: Grant
    Filed: January 25, 2018
    Date of Patent: August 10, 2021
    Assignee: International Business Machines Corporation
    Inventors: Cheng-Ta Lee, Chun-Shuo Lin, Wei-Shiau Suen, Ming-Hsun Wu