Abstract: The present disclosure provides for improved computational efficiency and security in a network by determining the physical location of network connected components, without requiring the components to self-locate. The locations of devices remotely connected to a site within the network are geolocated so that the physical location of that site may be inferred from a centralized point to the remote devices' locations. This calculate site location may be compared against a known site location to improve a generalized algorithm for determining the calculated location of a site with an unknown location, and may be applied to devices that are locally connected to the network, which may be otherwise incapable of being geolocated.

Abstract: The threat of malicious parties exposing users' credentials from one system and applying the exposed credentials to a different system to gain unauthorized access is addressed in the present disclosure by systems and methods to preemptively and reactively mitigate the risk of users reusing passwords between systems. A security device passively monitors traffic comprising authorization requests within a network to reactively identify an ongoing attack based on its use of exposed credentials in the authorization request and identifies accounts that are vulnerable to attacks using exposed credentials by actively attempting to log into those accounts with exposed passwords from other networks. The systems and methods reduce the number of false positives associated with attack identification and strengthens the network against potential attacks, thus improving the network's security and reducing the amount of resources needed to securely manage the network.

Abstract: Monitoring of a life cycle of a connection of a network client device to a network via monitoring time synchronization traffic flowing between one or more network client devices and a time server in a network is provided. A system for monitoring a life cycle of a connection of a network client device to a network includes a security device operable to identify a true identity of the one or more network client devices, identify a network client device's connections to and disconnections from the network, determine which network client devices have been associated with a particular internet protocol (IP) address, and generate an output of connection and disconnection information associated with a network client device. In some examples, the security device is operable to detect anomalies and malicious patterns in the network.

Abstract: Brute force attacks on a given account with various password attempts are a common threat to computer security. When a suspected brute force on an account is detected, systems may lock the account from access, which is frustrating to users and time consuming for administrators in the event of a false positive. To reduce the number of false positives, brute force counterattacks are taught in the present disclosure. A brute force counterattack is used to learn whether the login attempts change the passwords attempted, and are to be classified as malicious, or keep the attempted password the same in multiple attempts, and are to be classified as benign.

Abstract: A method, system and computer program for recoupling Kerberos Authentication and Authorization requests, the method including the steps of: (a) extracting authorization information, including a copy of a Ticket Granting Ticket (TGT), from an authorization request; (b) retrieving authentication information including the TGT, the authentication information having been previously extracted from an authentication transaction and stored; (c) cross-referencing the extracted authorization information with the retrieved authentication information, such that a discrepancy between the cross-referenced information invokes a security event alert.

Abstract: Monitoring of a life cycle of a connection of a network client device to a network via monitoring time synchronization traffic flowing between one or more network client devices and a time server in a network is provided. A system for monitoring a life cycle of a connection of a network client device to a network includes a security device operable to identify a true identity of the one or more network client devices, identify a network client device's connections to and disconnections from the network, determine which network client devices have been associated with a particular internet protocol (IP) address, and generate an output of connection and disconnection information associated with a network client device. In some examples, the security device is operable to detect anomalies and malicious patterns in the network.

Abstract: Monitoring of a life cycle of a connection of a network client device to a network via monitoring time synchronization traffic flowing between one or more network client devices and a time server in a network is provided. A system for monitoring a life cycle of a connection of a network client device to a network includes a security device operable to identify a true identity of the one or more network client devices, identify a network client device's connections to and disconnections from the network, determine which network client devices have been associated with a particular internet protocol (IP) address, and generate an output of connection and disconnection information associated with a network client device. In some examples, the security device is operable to detect anomalies and malicious patterns in the network.

Abstract: Monitoring of a life cycle of a connection of a network client device to a network via monitoring time synchronization traffic flowing between one or more network client devices and a time server in a network is provided. A system for monitoring a life cycle of a connection of a network client device to a network includes a security device operable to identify a true identity of the one or more network client devices, identify a network client device's connections to and disconnections from the network, determine which network client devices have been associated with a particular internet protocol (IP) address, and generate an output of connection and disconnection information associated with a network client device. In some examples, the security device is operable to detect anomalies and malicious patterns in the network.

Abstract: A method, system and computer program for recoupling Kerberos Authentication and Authorization requests, the method including the steps of (a) extracting authorization information, including a copy of a Ticket Granting Ticket (TGT), from an authorization request; (b) retrieving authentication information including the TOT, the authentication information having been previously extracted from an authentication transaction and stored; (c) cross-referencing the extracted authorization information with the retrieved authentication information, such that a discrepancy between the cross-referenced information invokes a security event alert.

Abstract: A method system and computer program product for protecting Directory Services (DS) by monitoring traffic to the DS; deciding to block a client access request in the monitored traffic originating from a network client; synthesizing an error message based at least in part on the client access request; and sending the synthesized error message to the network client, causing the network client to abort access request process such as an authentication process or an authorization process.

Abstract: A system and method for protecting a networked organizational data storage facility, which is accessible by a network environment, by mapping the network environment, profiling the network environment and filtering the network traffic based on said profiling of the network environment.

Abstract: A system and method for protecting a networked organizational data storage facility, which is accessible by a network environment, by mapping the network environment, profiling the network environment and filtering the network traffic based on said profiling of the network environment.