Abstract: A method for monitoring a computing system including multiple endpoints, includes monitoring, in at least some of the endpoints, operating-system (OS) system calls relating to a transport protocol having no handshake mechanism. First and second endpoints, which exchange a flow of packets with one another using the transport protocol, are identified from among the multiple endpoints. A deduction is made, from the monitored system calls, which of the first and second endpoints acts as a server in the flow of packets, and which of the first and second endpoints acts as a client in the flow of packets.

Abstract: A method for monitoring a computing system including multiple endpoints, includes monitoring, in at least some of the endpoints, operating-system (OS) system calls relating to a transport protocol having no handshake mechanism. First and second endpoints, which exchange a flow of packets with one another using the transport protocol, are identified from among the multiple endpoints. A deduction is made, from the monitored system calls, which of the first and second endpoints acts as a server in the flow of packets, and which of the first and second endpoints acts as a client in the flow of packets.

Abstract: A method includes, in a computer, running a hypervisor that allocates resources of a memory and of a network to one or more Virtual Machines (VMs), which run VM processes and communicate over network connections. First information is extracted by monitoring the network connections in the hypervisor. Second information is extracted by directly accessing, in the hypervisor, regions of the memory assigned to the VMs. An association is established between a given network connection and a given VM process, by correlating the first information with the second information.

Abstract: A method includes, in a computer, running a hypervisor that allocates resources of a memory and of a network to one or more Virtual Machines (VMs), which run VM processes and communicate over network connections. First information is extracted by monitoring the network connections in the hypervisor. Second information is extracted by directly accessing, in the hypervisor, regions of the memory assigned to the VMs. An association is established between a given network connection and a given VM process, by correlating the first information with the second information.

Abstract: A method includes monitoring communication traffic that is exchanged over a computer network. One or more authentication attempts that have failed are identified in at least part of the monitored communication traffic. Hostile activity is detected in the computer network by analyzing the failed authentication attempts.

Abstract: A method includes monitoring communication traffic that is exchanged over a computer network. One or more authentication attempts that have failed are identified in at least part of the monitored communication traffic. Hostile activity is detected in the computer network by analyzing the failed authentication attempts.

Abstract: A method includes, in a computer network that includes multiple endpoints, configuring a network element to forward one or more specified packets from a selected endpoint to a detection unit. A malicious network-mapping software running on the selected endpoint is identified by analyzing the forwarded packets in the detection unit.