Abstract: A method of identifying a device includes receiving a device transaction request from a remote device, receiving a first device fingerprint of the remote device, and receiving a second device fingerprint of a known device. The first device fingerprint is compared with the second device fingerprint and a first metric indicative of a similarity of the first device fingerprint and the second device fingerprint is generated. A third device fingerprint corresponding to an expected current value of the second device fingerprint is generated, and the first device fingerprint is compared with the third device fingerprint to generate a second metric indicative of a similarity of the first device fingerprint and the third device fingerprint. A response to the transaction request is formulated based on the first metric and the second metric.

Abstract: This disclosure is related to using network flow information of a network to determine the trajectory of an attack. In some examples, an adjacency data structure is generated for a network. The adjacency data structure can include a machine of the network that has interacted with another machine of the network. The network can further include one or more deception mechanisms. The deception mechanisms can indicate that an attack is occurring when a machine interacts with one of the deception mechanisms. When the attack is occurring, attack trajectory information can be generated by locating in the adjacency data structure the machine that interacted with the deception mechanism. The attack trajectory information can correlate the information from the interaction with the deception mechanism, the interaction information of the network, and machine information for each machine to determine a possible trajectory of an adversary.

Abstract: Methods, systems, and computer-readable mediums are described herein to provide context-aware knowledge systems and methods for deploying deception mechanisms. In some examples, a deception profiler can be used to intelligently deploy the deception mechanisms for a network. For example, a method can include identifying a network for which to deploy one or more deception mechanisms. In such an example, a deception mechanism can emulate one or more characteristics of a machine on the network. The method can further include determining one or more asset densities and a summary statistic. An asset density can be associated with a number of assets connected to the network. The summary statistic can be associated with a number of historical attacks on the network.

Abstract: Methods, systems, and computer-readable mediums are described herein to provide context-aware knowledge systems and methods for deploying deception mechanisms. In some examples, a deception profiler can be used to intelligently deploy the deception mechanisms for a network. For example, a method can include identifying a network for which to deploy one or more deception mechanisms. In such an example, a deception mechanism can emulate one or more characteristics of a machine on the network. The method can further include determining one or more asset densities and a summary statistic. An asset density can be associated with a number of assets connected to the network. The summary statistic can be associated with a number of historical attacks on the network.

Abstract: This disclosure is related to using network flow information of a network to determine the trajectory of an attack. In some examples, an adjacency data structure is generated for a network. The adjacency data structure can include a machine of the network that has interacted with another machine of the network. The network can further include one or more deception mechanisms. The deception mechanisms can indicate that an attack is occurring when a machine interacts with one of the deception mechanisms. When the attack is occurring, attack trajectory information can be generated by locating in the adjacency data structure the machine that interacted with the deception mechanism. The attack trajectory information can correlate the information from the interaction with the deception mechanism, the interaction information of the network, and machine information for each machine to determine a possible trajectory of an adversary.

Abstract: A method for accessing network services from external networks includes receiving at a cloud-based server a bridge setup request from a private communication system, establishing a bridge connection between the cloud-based server and the private communication system, establishing a communication path between the cloud-based server and a cloud-based application, receiving a request from a cloud-based entity that is directed to an enterprise service hosted within the private communication system, transmitting the request to the enterprise service over the bridge connection, receiving a response from the enterprise service over the bridge connection, and transmitting the response to the cloud-based entity. Related computer program products and systems are also disclosed.

Abstract: Provided are methods, devices, and computer-program products for hiding one or more deception mechanisms. In some examples, the one or more deception mechanisms can be hidden from network scans. In other examples, the one or more deception mechanisms can be hidden to convince attackers that there are no deception mechanisms. In some implementations, a device, computer-program product, and method for hiding a deception mechanism is provided. For example, a method can include identifying a deception mechanism executing on a computing device. The deception mechanism can be associated with address information. In some examples, the address information can include an Internet Protocol (IP) address and a Media Access Control (MAC) address. The method can further include determining that the deception mechanism is being projected on a site network. The method can further include determining to hide a deception mechanism and hiding the deception mechanism.

Abstract: A method of identifying a device includes receiving a device transaction request from a remote device, receiving a first device fingerprint of the remote device, and receiving a second device fingerprint of a known device. The first device fingerprint is compared with the second device fingerprint and a first metric indicative of a similarity of the first device fingerprint and the second device fingerprint is generated. A third device fingerprint corresponding to an expected current value of the second device fingerprint is generated, and the first device fingerprint is compared with the third device fingerprint to generate a second metric indicative of a similarity of the first device fingerprint and the third device fingerprint. A response to the transaction request is formulated based on the first metric and the second metric.

Abstract: A method for accessing network services from external networks includes receiving at a cloud-based server a bridge setup request from a private communication system, establishing a bridge connection between the cloud-based server and the private communication system, establishing a communication path between the cloud-based server and a cloud-based application, receiving a request from a cloud-based entity that is directed to an enterprise service hosted within the private communication system, transmitting the request to the enterprise service over the bridge connection, receiving a response from the enterprise service over the bridge connection, and transmitting the response to the cloud-based entity. Related computer program products and systems are also disclosed.