Patents by Inventor Catherine V Hart

Catherine V Hart has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10193924
    Abstract: Methods, devices, and systems are described for diverting a computer hacker from a physical or other targeted production computer to a decoy software-based host emulator that emulates the physical computer. The decoy has the exact same IP address as the physical computer. In order to avoid packet collisions, a programmable physical switch and a virtual networking switch are employed, both of which can use software-defined networking (SDN). The virtual switch prevents packets from the decoy from flowing out of its virtual network until commanded. Upon a command, the physical switch redirects specific flows to the virtual switch, and the virtual switch opens specific flows from the decoy. The specific flows are those with packets containing the hacker's computer IP address, production computer IP address, and production computer port. The packets are associated with TCP connections or UDP sessions. The decoy host emulator can be a virtual machine (VM) running alongside many other VMs in a single computer.
    Type: Grant
    Filed: September 8, 2015
    Date of Patent: January 29, 2019
    Assignee: ACALVIO TECHNOLOGIES, INC.
    Inventors: Johnson L. Wu, Catherine V. Hart, Leo R. Versola, Eric Winsborrow
  • Publication number: 20160080415
    Abstract: Methods, devices, and systems are described for diverting a computer hacker from a physical or other targeted production computer to a decoy software-based host emulator that emulates the physical computer. The decoy has the exact same IP address as the physical computer. In order to avoid packet collisions, a programmable physical switch and a virtual networking switch are employed, both of which can use software-defined networking (SDN). The virtual switch prevents packets from the decoy from flowing out of its virtual network until commanded. Upon a command, the physical switch redirects specific flows to the virtual switch, and the virtual switch opens specific flows from the decoy. The specific flows are those with packets containing the hacker's computer IP address, production computer IP address, and production computer port. The packets are associated with TCP connections or UDP sessions. The decoy host emulator can be a virtual machine (VM) running alongside many other VMs in a single computer.
    Type: Application
    Filed: September 8, 2015
    Publication date: March 17, 2016
    Applicant: Shadow Networks, Inc.
    Inventors: Johnson L. Wu, Catherine V. Hart, Leo R. Versola, Eric Winsborrow
  • Patent number: 9069930
    Abstract: A security information and event management (SIEM) system includes a data storage sub-system that stores (1) security data pertaining to security-related events and states of a production computer system, (2) security business objects (SBOs) as an abstraction layer over the security data, and (3) workflows which each include a set of the SBOs organized in a workflow-specific manner. Each SBO represents a security-related aspect of the production system and includes data queries to generate output data pertaining to the security-related aspect. Each workflow embodies a complex multi-step security analysis operation. In operation, security users of the SIEM system execute the workflows including the respective security business objects, resulting in a set of result data which identifies security threats and vulnerabilities of the production computer system.
    Type: Grant
    Filed: March 29, 2011
    Date of Patent: June 30, 2015
    Assignee: EMC Corporation
    Inventor: Catherine V. Hart
  • Patent number: 9064210
    Abstract: A behavioral security analysis system comprises a computational semantic parser configured to process data associated with a security information and event management (SIEM) system to generate a plurality of logical descriptors, and a learning engine coupled to the computational semantic parser and configured to generate a plurality of behavioral security descriptors based at least in part on at least a subset of the logical descriptors. The behavioral security descriptors are made accessible to an alerting engine of the SIEM system and utilized to generate one or more security alerts.
    Type: Grant
    Filed: March 31, 2012
    Date of Patent: June 23, 2015
    Assignee: EMC Corporation
    Inventor: Catherine V. Hart
  • Patent number: 8938805
    Abstract: A processing device comprises a processor coupled to a memory and implements a host-based intrusion detection system configured to permit detection of tampering with at least one software component installed on the processing device. The host-based intrusion detection system comprises a forward-secure logging module configured to record information characterizing a plurality of events occurring in the device in such a manner that modification of the recorded information characterizing the events is indicative of a tampering attack and can be detected by an authority. For example, the recorded information may comprise at least one forward-secure logging record R having entries r_1 ... r_n corresponding to respective ones of the events wherein any erasure or other modification of a particular pre-existing entry r_i in R by an attacker is detectable by the authority upon inspection of R.
    Type: Grant
    Filed: September 24, 2012
    Date of Patent: January 20, 2015
    Assignee: EMC Corporation
    Inventors: Ari Juels, Catherine V. Hart
  • Patent number: 8739290
    Abstract: There are disclosed techniques for generating alerts in an event management system which comprises an event management device and a risk assessment device. In one example, a method comprises the following steps. There is received data in the event management device related to events associated with an asset in a network environment. The received data is filtered in order to provide an input to the risk assessment device. The filtered data is forwarded to the risk assessment device. A score indicative of risk based on the filtered data is determined in the risk assessment device. The score is forwarded to the event management device and received in the event management device. A score chart is generated in the event management device. The score chart includes the score and enables the prioritization of threats based on their respective scores.
    Type: Grant
    Filed: September 29, 2011
    Date of Patent: May 27, 2014
    Assignee: EMC Corporation
    Inventors: John M Jamail, Daniel B Reich, Catherine V Hart