Patents Assigned to ACALVIO TECHNOLOGIES, INC.
  • Patent number: 9985988
    Abstract: Provided are systems, methods, and computer-program products for using deceptions to detect network scans. In various implementations, a network device configured as a decoy network device can be configured to determine a particular network address. The network device can determine that the particular network address is unassigned. The network device can configure itself with the particular network address, wherein the network device uses the particular network address to monitor network activity for a network scan. The network device can receive a packet addressed to the particular network address. The network device can determine that the received packet is associated with a scan of the network, including associating the received packet with other packets in the monitored network activity. The network device can configure one or more security settings for the network when the received packet is determined to be associated with a scan of the network.
    Type: Grant
    Filed: April 14, 2017
    Date of Patent: May 29, 2018
    Assignee: ACALVIO TECHNOLOGIES, INC.
    Inventors: Sreenivas Gukal, Vaishali Palkar, Linh Do
  • Patent number: 9979750
    Abstract: Provided are systems, methods, and computer-program products for providing network deceptions using a network tunnel. In various implementations, a network device on a first network can be configured as a projection point. A projection point can be configured as one endpoint of a network tunnel. The other end of the network tunnel can terminate at a deception center. The deception center can host a second network, where the second network includes network devices configured as deception mechanisms. By assigning a deception mechanism a network address from the first network, the network address and the network tunnel enable the deception mechanism to appear as a node in the first network.
    Type: Grant
    Filed: April 26, 2017
    Date of Patent: May 22, 2018
    Assignee: ACALVIO TECHNOLOGIES, INC.
    Inventors: Johnson Wu, Sreenivas Gukal, Rammohan Varadarajan
  • Patent number: 9961099
    Abstract: This disclosure is related to using network flow information of a network to determine the trajectory of an attack. In some examples, an adjacency data structure is generated for a network. The adjacency data structure can include a machine of the network that has interacted with another machine of the network. The network can further include one or more deception mechanisms. The deception mechanisms can indicate that an attack is occurring when a machine interacts with one of the deception mechanisms. When the attack is occurring, attack trajectory information can be generated by locating in the adjacency data structure the machine that interacted with the deception mechanism. The attack trajectory information can correlate the information from the interaction with the deception mechanism, the interaction information of the network, and machine information for each machine to determine a possible trajectory of an adversary.
    Type: Grant
    Filed: February 7, 2017
    Date of Patent: May 1, 2018
    Assignee: ACALVIO TECHNOLOGIES, INC.
    Inventors: Satnam Singh, Mohammad Waseem, Suril Desai, Venkata Babji Sama, Rajendra Gopalakrishna
  • Patent number: 9853999
    Abstract: Methods, systems, and computer-readable mediums are described herein to provide context-aware knowledge systems and methods for deploying deception mechanisms. In some examples, a deception profiler can be used to intelligently deploy the deception mechanisms for a network. For example, a method can include identifying a network for which to deploy one or more deception mechanisms. In such an example, a deception mechanism can emulate one or more characteristics of a machine on the network. The method can further include determining one or more asset densities and a summary statistic. An asset density can be associated with a number of assets connected to the network. The summary statistic can be associated with a number of historical attacks on the network.
    Type: Grant
    Filed: February 3, 2017
    Date of Patent: December 26, 2017
    Assignee: ACALVIO TECHNOLOGIES, INC.
    Inventors: Satnam Singh, Nirmesh Neema, Suril Desai, Venkata Babji Sama, Rajendra Gopalakrishna
  • Publication number: 20170353491
    Abstract: Provided are systems, methods, and computer-program products for using deceptions to detect network scans. In various implementations, a network device configured as a decoy network device can be configured to determine a particular network address. The network device can determine that the particular network address is unassigned. The network device can configure itself with the particular network address, wherein the network device uses the particular network address to monitor network activity for a network scan. The network device can receive a packet addressed to the particular network address. The network device can determine that the received packet is associated with a scan of the network, including associating the received packet with other packets in the monitored network activity. The network device can configure one or more security settings for the network when the received packet is determined to be associated with a scan of the network.
    Type: Application
    Filed: April 14, 2017
    Publication date: December 7, 2017
    Applicant: Acalvio Technologies, Inc.
    Inventors: Sreenivas Gukal, Vaishali Palkar, Linh Do
  • Patent number: 9836512
    Abstract: Systems and methods for identifying potentially compromised devices using attributes of a known compromised device may be provided. In one embodiment, an attribute set can be constructed for the compromised hosts using data from these logs. Weights can be assigned to each attribute in the attribute set initially, and further weights can be learned using audits by a user. This attribute set can be used in the disclosed systems and methods for identifying hosts that are similar to compromised hosts. The similar items can be used as hosts for deception mechanisms, can be taken off the network as being likely compromised or likely to become compromised, or quarantined.
    Type: Grant
    Filed: February 23, 2017
    Date of Patent: December 5, 2017
    Assignee: ACALVIO TECHNOLOGIES, INC.
    Inventors: Satnam Singh, Santosh Kosgi, Rajendra Gopalakrishna
  • Publication number: 20170329783
    Abstract: Systems and methods for identifying potentially compromised devices using attributes of a known compromised device may be provided. In one embodiment, an attribute set can be constructed for the compromised hosts using data from these logs. Weights can be assigned to each attribute in the attribute set initially, and further weights can be learned using audits by a user. This attribute set can be used in the disclosed systems and methods for identifying hosts that are similar to compromised hosts. The similar items can be used as hosts for deception mechanisms, can be taken off the network as being likely compromised or likely to become compromised, or quarantined.
    Type: Application
    Filed: February 23, 2017
    Publication date: November 16, 2017
    Applicant: Acalvio Technologies, Inc.
    Inventors: Satnam Singh, Santosh Kosgi, Rajendra Gopalakrishna
  • Publication number: 20170318053
    Abstract: Methods, systems, and computer-readable mediums are described herein to provide context-aware knowledge systems and methods for deploying deception mechanisms. In some examples, a deception profiler can be used to intelligently deploy the deception mechanisms for a network. For example, a method can include identifying a network for which to deploy one or more deception mechanisms. In such an example, a deception mechanism can emulate one or more characteristics of a machine on the network. The method can further include determining one or more asset densities and a summary statistic. An asset density can be associated with a number of assets connected to the network. The summary statistic can be associated with a number of historical attacks on the network.
    Type: Application
    Filed: February 3, 2017
    Publication date: November 2, 2017
    Applicant: Acalvio Technologies, Inc.
    Inventors: Satnam Singh, Nirmesh Neema, Suril Desai, Venkata Babji Sama, Rajendra Gopalakrishna
  • Publication number: 20170310705
    Abstract: Provided are methods, network devices, and computer-program products for dynamically configuring a deception mechanism in response to network traffic from a possible network threat. In various implementations, a network deception system can receive a packet from a network. The network deception system can determine an intent associated with the packet by examining the contents of the packet. The network deception system can further configure a deception mechanism to respond to the intent, for example with the appropriate network communications, software or hardware configuration, and/or data.
    Type: Application
    Filed: April 25, 2017
    Publication date: October 26, 2017
    Applicant: Acalvio Technologies, Inc.
    Inventors: Rajendra A. Gopalakrishna, Johnson Wu, Sreenivas Gukal, Rammohan Varadarajan
  • Publication number: 20170310704
    Abstract: Provided are methods, network devices, and computer-program products for a network deception system. The network deception system can engage a network threat with a deception mechanism, and dynamically escalate the deception to maintain the engagement. The system can include super-low, low, and high-interaction deceptions. The super-low deceptions can respond to requests for address information, and require few computing resources. When network traffic directed to the super-low deception requires a more complex response, the system can initiate a low-interaction deception. The low-interaction deception can emulate multiple devices, which can give the low-interaction deception away as a deception. Hence, when the network traffic includes an attempted connection, the system can initiate a high-interaction deception. The high-interaction deception more closely emulates a network device, and can be more difficult to identify as a deception.
    Type: Application
    Filed: April 25, 2017
    Publication date: October 26, 2017
    Applicant: Acalvio Technologies, Inc.
    Inventors: Johnson Wu, Rajendra A. Gopalakrishna, Sreenivas Gukal, Rammohan Varadarajan
  • Publication number: 20170310706
    Abstract: Provided are systems, methods, and computer-program products for providing network deceptions using a network tunnel. In various implementations, a network device on a first network can be configured as a projection point. A projection point can be configured as one endpoint of a network tunnel. The other end of the network tunnel can terminate at a deception center. The deception center can host a second network, where the second network includes network devices configured as deception mechanisms. By assigning a deception mechanism a network address from the first network, the network address and the network tunnel enable the deception mechanism to appear as a node in the first network.
    Type: Application
    Filed: April 26, 2017
    Publication date: October 26, 2017
    Applicant: Acalvio Technologies, Inc.
    Inventors: Johnson Wu, Sreenivas Gukal, Rammohan Varadarajan
  • Publication number: 20170302691
    Abstract: This disclosure is related to using network flow information of a network to determine the trajectory of an attack. In some examples, an adjacency data structure is generated for a network. The adjacency data structure can include a machine of the network that has interacted with another machine of the network. The network can further include one or more deception mechanisms. The deception mechanisms can indicate that an attack is occurring when a machine interacts with one of the deception mechanisms. When the attack is occurring, attack trajectory information can be generated by locating in the adjacency data structure the machine that interacted with the deception mechanism. The attack trajectory information can correlate the information from the interaction with the deception mechanism, the interaction information of the network, and machine information for each machine to determine a possible trajectory of an adversary.
    Type: Application
    Filed: February 7, 2017
    Publication date: October 19, 2017
    Applicant: Acalvio Technologies, Inc.
    Inventors: Satnam Singh, Mohammad Waseem, Suril Desai, Venkata Babji Sama, Rajendra Gopalakrishna
  • Publication number: 20170289191
    Abstract: Provided are methods, network devices, and computer-program products for detecting infiltration of an endpoint, and rerouting network traffic to and from the endpoint when infiltration is detected. In various implementations, a network device on a network can be configured to monitor access to the network device. The network device can further be configured to determine that a condition has occurred. The condition can indicate a suspect access to the network device has occurred. The network device can further be configured to determine a new access protocol for the network device. The network device can further be configured to use the new access protocol to cause communication between the network device and the network to be redirected to a high-interaction network. Redirecting the communication can disable communication between the network device and the network and enable communication between the network device and the high-interaction network.
    Type: Application
    Filed: February 21, 2017
    Publication date: October 5, 2017
    Applicant: Acalvio Technologies, Inc.
    Inventors: Emmanuel Thioux, Abhishek Singh
  • Patent number: 9773109
    Abstract: Methods and systems are presented for presenting false and/or decoy content to an intruder operating on a computer system by obfuscating critical files on a computer storage device with data that directs subsequent infiltration and propagation to designated decoy hosts and decoy applications. Methods and systems are provided for selectively presenting different contents to different viewers/users of application resource files for the purpose of preventing the valuable content from being read, tampered with, exfiltrated, or used as a means to perform subsequent attacks on network resources.
    Type: Grant
    Filed: January 6, 2017
    Date of Patent: September 26, 2017
    Assignee: Acalvio Technologies, Inc.
    Inventors: Yadong Zhang, Ching-Hai Tsai, Johnson L. Wu, Craig A. Schultz
  • Publication number: 20170264639
    Abstract: Provided are methods, including computer-implemented methods or methods implemented by a network device, devices including network devices, and computer-program products for an active deception system. The active deception system can separate execution of services from deception mechanisms on a network. In particular, the active deception system can include a sensor on the network. The sensor can establish a two-way connection with a remote server executing the services. The sensor can receive communications from client devices and forward the communications to the remote server. While this forward can happen, the client devices might not be aware of the forward. In fact, the client device might only be aware that the sensor receives a communication and responds to the communication.
    Type: Application
    Filed: March 9, 2017
    Publication date: September 14, 2017
    Applicant: Acalvio Technologies, Inc.
    Inventors: Venkata Babji Sama, Rajendra Gopalakrishna
  • Patent number: 9756075
    Abstract: Provided are methods, devices, and computer-program products for hiding one or more deception mechanisms. In some examples, the one or more deception mechanisms can be hidden from network scans. In other examples, the one or more deception mechanisms can be hidden to convince attackers that there are no deception mechanisms. In some implementations, a device, computer-program product, and method for hiding a deception mechanism is provided. For example, a method can include identifying a deception mechanism executing on a computing device. The deception mechanism can be associated with address information. In some examples, the address information can include an Internet Protocol (IP) address and a Media Access Control (MAC) address. The method can further include determining that the deception mechanism is being projected on a site network. The method can further include determining to hide a deception mechanism and hiding the deception mechanism.
    Type: Grant
    Filed: November 22, 2016
    Date of Patent: September 5, 2017
    Assignee: Acalvio Technologies, Inc.
    Inventors: Rajendra Gopalakrishna, Suril Desai, VenkataBabji Sama, Srinivasan Narasimhan
  • Patent number: 9729567
    Abstract: A shadow network, which can be a virtual reproduction of a real, physical, base computer network, is described. Shadow networks duplicate the topology, services, host, and network traffic of the base network using shadow hosts, which are low interaction, minimal-resource-using host emulators. The shadow networks are connected to the base network through virtual switches, etc. in order to form a large obfuscated network. When a hacker probes into a host emulator, a more resource-intensive virtual machine can be swapped in to take its place. When a connection is attempted from a host emulator to a physical computer, a host emulator can step in to take the place of the physical computer, and software defined networking (SDN) can prevent collisions between the duplicated IP addresses. Replicating the shadow networks within the network introduces problems for hackers and allows a system administrator easier ways to identify intrusions.
    Type: Grant
    Filed: April 21, 2016
    Date of Patent: August 8, 2017
    Assignee: Acalvio Technologies, Inc.
    Inventors: Steven M. Silva, Yadong Zhang, Eric Winsborrow, Johnson L. Wu, Craig A. Schultz
  • Publication number: 20170223034
    Abstract: Provided are systems, methods, and computer-program products for classifying an email as malicious. In some implementations, a malicious detection engine may configure a decoy email address. The decoy email address may include a username that is associated with the malicious email detection engine. Email directed to the decoy email address may be received by the malicious email detection engine. The malicious email detection engine may further make the decoy email address publicly available, and may receive a suspect email addressed to the decoy email address. The suspect email may include a header and content. The malicious email detection engine may analyze the header using a header analysis engine, and the content using a high-interaction network. The malicious email detection engine may determine a status for the suspect email, with the determination using the header and content analysis, wherein the status indicates whether the suspect email was malicious.
    Type: Application
    Filed: January 12, 2017
    Publication date: August 3, 2017
    Applicant: Acalvio Technologies, Inc.
    Inventors: Abhishek Singh, Sreenivas Gukal
  • Publication number: 20170223046
    Abstract: Provided are systems, methods, and computer-program products for a targeted threat intelligence engine, implemented in a network device. The network device may receive incident data, which may include information derived starting at detection of an attack on the network until detection of an event. The network device may include analytic engines that run in a predetermined order. An analytic engine can analyze incident data of a certain data type, and can produce a result indicating whether a piece of data is associated with the attack. The network device may produce a report of the attack, which may include correlating the results from the analytic engines. The report may provide information about a sequence of events that occurred in the course of the attack. The network device may use the record of the attack to generate indicators, which may describe the attack, and may facilitate configuring security for a network.
    Type: Application
    Filed: January 12, 2017
    Publication date: August 3, 2017
    Applicant: Acalvio Technologies, Inc.
    Inventor: Abhishek Singh
  • Publication number: 20170223037
    Abstract: Provided are methods, network devices, and computer-program products for targeted threat intelligence using a high-interaction network. In some implementations, a network device in a network may receive suspect network traffic. The suspect network traffic may include network traffic identified as potentially causing harm to the network. The network device may determine that the suspect traffic is associated with an unknown threat. The network device may further analyze the suspect network traffic using a high-interaction network. In various implementations, the high-interaction network may be configured to emulate at least a part of the network. In various implementations, analyzing the suspect network traffic may include determining a behavior of the suspect network traffic in the high-interaction network. The network device may further generate indicators, where the indicators may describe the suspect network traffic.
    Type: Application
    Filed: January 12, 2017
    Publication date: August 3, 2017
    Applicant: Acalvio Technologies, Inc.
    Inventors: Abhishek Singh, Sreenivas Gukal