Abstract: An apparatus includes an interface and a processor. The interface is configured to receive attributes of communication connections of multiple workloads running in a computing system. The processor is configured to automatically segment the multiple workloads into groups based on the attributes of the communication connections, wherein the workloads in each group collectively run a respective application.

Abstract: An apparatus for computer-network security includes a network interface and a processor. The network interface is configured for communicating over a communication network. The processor is configured to detect a request from a first computer to access a non-existent shared resource of a second computer, to send to the first computer, responsively to the request, a response that imitates a genuine grant of access to the non-existent shared resource, so as to initiate an interaction between the first computer and the shared resource, and to process the interaction so as to identify a malicious activity attempted by the first computer.

Abstract: An apparatus for securing a cloud-provider system includes one or more network interfaces and one or more processors. The network interfaces are configured for connecting to a network. The processors are configured to allocate resources of the cloud-provider system for use by tenants of the cloud-provider system, to allocate to the tenants one or more Internet Protocol (IP) address ranges, to assign multiple IP addresses, scattered across the IP address ranges, for use by one or more honeypot servers, and to secure the cloud-provider system against hostile attacks, by processing network traffic associated with the assigned IP addresses using at least the honeypot servers.

Abstract: An apparatus includes an interface and a processor. The interface is configured to receive attributes of communication connections of multiple workloads running in a computing system. The processor is configured to automatically segment the multiple workloads into groups based on the attributes of the communication connections, wherein the workloads in each group collectively run a respective application.

Abstract: An apparatus for computer-network security includes a network interface and a processor. The network interface is configured for communicating over a communication network. The processor is configured to detect a request from a first computer to access a non-existent shared resource of a second computer, to send to the first computer, responsively to the request, a response that imitates a genuine grant of access to the non-existent shared resource, so as to initiate an interaction between the first computer and the shared resource, and to process the interaction so as to identify a malicious activity attempted by the first computer.

Abstract: An apparatus for securing a cloud-provider system includes one or more network interfaces and one or more processors. The network interfaces are configured for connecting to a network. The processors are configured to allocate resources of the cloud-provider system for use by tenants of the cloud-provider system, to allocate to the tenants one or more Internet Protocol (IP) address ranges, to assign multiple IP addresses, scattered across the IP address ranges, for use by one or more honeypot servers, and to secure the cloud-provider system against hostile attacks, by processing network traffic associated with the assigned IP addresses using at least the honeypot servers.

Abstract: A method includes monitoring communication traffic that is exchanged over a computer network. One or more authentication attempts that have failed are identified in at least part of the monitored communication traffic. Hostile activity is detected in the computer network by analyzing the failed authentication attempts.

Abstract: A method for network security includes, in a computer network that exchanges traffic among multiple network endpoints using one or more network switches, configuring at least one network switch to transfer at least some of the traffic for inspection. Only a portion of the traffic, which is suspected of carrying executable software code, is selected from the transferred traffic. The selected portion of the traffic is inspected, so as to verify whether any of the executable software code is malicious.

Abstract: A method includes monitoring communication traffic that is exchanged over a computer network. One or more authentication attempts that have failed are identified in at least part of the monitored communication traffic. Hostile activity is detected in the computer network by analyzing the failed authentication attempts.

Abstract: A method includes, in a computer network that includes multiple endpoints, configuring a network element to forward one or more specified packets from a selected endpoint to a detection unit. A malicious network-mapping software running on the selected endpoint is identified by analyzing the forwarded packets in the detection unit.

Abstract: A method for network security includes, in a computer network that exchanges traffic among multiple network endpoints using one or more network switches, configuring at least one network switch to transfer at least some of the traffic for inspection. Only a portion of the traffic, which is suspected of carrying executable software code, is selected from the transferred traffic. The selected portion of the traffic is inspected, so as to verify whether any of the executable software code is malicious.