Patents by Inventor Teryl Paul Taylor
Teryl Paul Taylor has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
- Publication number: 20250004922
  Abstract: Methods and systems for grayware analysis include running a software application in a sandbox. Activity information is collected from the software application that represents actions performed by the software application within an environment of the sandbox. The collected activity information is matched to a grayware activity description to identify the software application as performing a grayware activity. A corrective action is performed on the software application.
  Type: Application
  Filed: June 30, 2023
  Publication date: January 2, 2025
  Inventors: Md Sajidul Islam Sajid, Frederico Araujo, Teryl Paul Taylor, Jiyong Jang

- Publication number: 20240195818
  Abstract: An approach is disclosed that receives system events corresponding to event occurrences that occur at an information handling system. The system events are combined into a set of one or more coalesced events, wherein the combining is based on a root node associated with the system events. The coalesced events are then transmitted to a security information and event management (SIEM) system.
  Type: Application
  Filed: December 12, 2022
  Publication date: June 13, 2024
  Inventors: Frederico Araujo, Teryl Paul Taylor

- Patent number: 11985165
  Abstract: A method of detecting deceptive web activity is implemented in an intermediary located between a requesting client device, and a server that hosts a web application. Following a bootstrap phase used to generate a database of information identifying characteristics of clients, the method begins by receiving a page directed to the client from the server. The server injects an invisible DOM element having a set of style properties associated therewith, with one of the set of style properties assigned a random value, to generate a modified page, which is returned to the client. As the client interacts with the modified page, the intermediary tracks the device's styles and uses them to identify the client from information in the database. Once the device is identified, the intermediary then detects whether a spoofing attack has occurred. By leveraging the tracked styles, a spoofing attack on the DOM element's styles may also be detected.
  Type: Grant
  Filed: December 15, 2021
  Date of Patent: May 14, 2024
  Assignee: International Business Machines Corporation
  Inventors: Xu Lin, Frederico Araujo, Teryl Paul Taylor

- Publication number: 20230325493
  Abstract: A method, system, and computer program product for performing microservice-aware reference policy checking that accept stateful security policies. The method may include receiving a stateful security policy, where the stateful security policy has connection to previous data. The method may also include determining that the stateful security policy applies to a corresponding container. The method may also include enforcing the stateful security policy against the container. The system and computer program product may include similar steps.
  Type: Application
  Filed: June 14, 2023
  Publication date: October 12, 2023
  Inventors: Frederico Araujo, William Blair, Teryl Paul Taylor

- Patent number: 11775638
  Abstract: A stackable filesystem that transparently tracks process file writes for forensic analysis. The filesystem comprises a base filesystem, and an overlay filesystem. Processes see the union of the upper and lower filesystems, but process writes are only reflected in the overlay. By providing per-process views of the filesystem using this stackable approach, a forensic analyzer can record a process's file-based activity—i.e., file creation, deletion, modification. These activities are then analyzed to identify indicators of compromise (IoCs). These indicators are then fed into a forensics analysis engine, which then quickly decides whether a subject (e.g., process, user) is malicious. If so, the system takes some proactive action to alert a proper authority, to quarantine the potential attack, or to provide other remediation. The approach enables forensic analysis without requiring file access mediation, or conducting system event-level collection and analysis, making it a lightweight, and non-intrusive solution.
  Type: Grant
  Filed: June 27, 2018
  Date of Patent: October 3, 2023
  Assignee: International Business Machines Corporation
  Inventors: Frederico Araujo, Anne E. Kohlbrenner, Marc Philippe Stoecklin, Teryl Paul Taylor

- Patent number: 11748473
  Abstract: An intrusion detection system (IDS) for a micro-services environment identifies attacks in substantially real-time and at a container-level. In this approach, behavior models are generated from container images using a binary analysis. A behavior model is a graph data structure having nodes and edges, wherein an edge represents a system call made by at least one process represented as a node in the graph data structure. The model is co-located with a running container, thereby enabling detection of anomalies as the container executes in a container environment on a hardware node. A per-container IDS function is instantiated by checking whether system call telemetry generated by an image's running container satisfies the associated behavior model that has been generated for the container image. If the telemetry indicates activity that deviates from the behavior model, an automated action is then initiated to attempt to address the attack, preferably while it is in progress.
  Type: Grant
  Filed: October 15, 2020
  Date of Patent: September 5, 2023
  Assignee: International Business Machines Corporation
  Inventors: Frederico Araujo, Teryl Paul Taylor, Jiyong Jang, Will Blair

- Patent number: 11720667
  Abstract: A method, system, and computer program product for performing microservice-aware reference policy checking that accept stateful security policies. The method may include receiving a security policy for a container that is part of a microservice architecture. The method may also include obtaining a first effect graph of the security policy, resulting in a security model for the container. The method may also include identifying execution behavior of the container. The method may also include generating a second effect graph of the execution behavior of the container, where the generating includes summarizing operations and interactions between entities in the execution behavior and results in a behavioral model. The method may also include comparing the behavioral model to the security model. The method may also include determining whether the container has deviated from the security policy based on the comparing. The method may also include enforcing the security policy against the container.
  Type: Grant
  Filed: March 29, 2021
  Date of Patent: August 8, 2023
  Assignee: International Business Machines Corporation
  Inventors: Frederico Araujo, William Blair, Teryl Paul Taylor

- Publication number: 20230188565
  Abstract: A method of detecting deceptive web activity is implemented in an intermediary located between a requesting client device, and a server that hosts a web application. Following a bootstrap phase used to generate a database of information identifying characteristics of clients, the method begins by receiving a page directed to the client from the server. The server injects an invisible DOM element having a set of style properties associated therewith, with one of the set of style properties assigned a random value, to generate a modified page, which is returned to the client. As the client interacts with the modified page, the intermediary tracks the device's styles and uses them to identify the client from information in the database. Once the device is identified, the intermediary then detects whether a spoofing attack has occurred. By leveraging the tracked styles, a spoofing attack on the DOM element's styles may also be detected.
  Type: Application
  Filed: December 15, 2021
  Publication date: June 15, 2023
  Applicant: International Business Machines Corporation
  Inventors: Xu Lin, Frederico Araujo, Teryl Paul Taylor

- Publication number: 20230052827
  Abstract: A method, apparatus and computer program product for automated security policy synthesis and use in a container environment. In this approach, a binary analysis of a program associated with a container image is carried out within a binary analysis platform. During the binary analysis, the program is micro-executed directly inside the analysis platform to generate a graph that summarizes the program's expected interactions within the run-time container environment. The expected interactions are identified by analysis of one or more system calls and their arguments found during micro-executing the program. Once the graph is created, a security policy is then automatically synthesized from the graph and instantiated into the container environment. The policy embeds at least one system call argument. During run-time monitoring of an event sequence associated with the program executing in the container environment, an action is taken when the event sequence is determined to violate the security policy.
  Type: Application
  Filed: July 31, 2021
  Publication date: February 16, 2023
  Applicant: International Business Machines Corporation
  Inventors: Frederico Araujo, William Blair, Teryl Paul Taylor

- Patent number: 11562086
  Abstract: A stackable filesystem architecture that curtails data theft and ensures file integrity protection. In this architecture, processes are grouped into ranked filesystem views, or “security domains.” Preferably, an order theory algorithm is utilized to determine a proper domain in which an application is run. In particular, a root domain provides a single view of the filesystem enabling transparent filesystem operations. Each security domain transparently creates multiple levels of stacking to protect the base filesystem, and to monitor file accesses without incurring significant performance overhead. By combining its layered architecture with view separation via security domains, the filesystem maintains data integrity and confidentiality.
  Type: Grant
  Filed: June 27, 2018
  Date of Patent: January 24, 2023
  Assignee: International Business Machines Corporation
  Inventors: Frederico Araujo, Marc Phillipe Stoecklin, Teryl Paul Taylor

- Publication number: 20220309152
  Abstract: A method, system, and computer program product for performing microservice-aware reference policy checking that accept stateful security policies. The method may include receiving a security policy for a container that is part of a microservice architecture. The method may also include obtaining a first effect graph of the security policy, resulting in a security model for the container. The method may also include identifying execution behavior of the container. The method may also include generating a second effect graph of the execution behavior of the container, where the generating includes summarizing operations and interactions between entities in the execution behavior and results in a behavioral model. The method may also include comparing the behavioral model to the security model. The method may also include determining whether the container has deviated from the security policy based on the comparing. The method may also include enforcing the security policy against the container.
  Type: Application
  Filed: March 29, 2021
  Publication date: September 29, 2022
  Inventors: Frederico Araujo, William Blair, Teryl Paul Taylor

- Publication number: 20220121741
  Abstract: An intrusion detection system (IDS) for a micro-services environment identifies attacks in substantially real-time and at a container-level. In this approach, behavior models are generated from container images using a binary analysis. A behavior model is a graph data structure having nodes and edges, wherein an edge represents a system call made by at least one process represented as a node in the graph data structure. The model is co-located with a running container, thereby enabling detection of anomalies as the container executes in a container environment on a hardware node. A per-container IDS function is instantiated by checking whether system call telemetry generated by an image's running container satisfies the associated behavior model that has been generated for the container image. If the telemetry indicates activity that deviates from the behavior model, an automated action is then initiated to attempt to address the attack, preferably while it is in progress.
  Type: Application
  Filed: October 15, 2020
  Publication date: April 21, 2022
  Applicant: International Business Machines Corporation
  Inventors: Frederico Araujo, Teryl Paul Taylor, Jiyong Jang, Will Blair

- Patent number: 11163878
  Abstract: A decoy filesystem that curtails data theft and ensures file integrity protection through deception is described. To protect a base filesystem, the approach herein involves transparently creating multiple levels of stacking to enable various protection features, namely, monitoring file accesses, hiding and redacting sensitive files with baits, and injecting decoys onto fake system views that are purveyed to untrusted subjects, all while maintaining a pristine state to legitimate processes. In one implementation, a kernel hot-patch is used to seamlessly integrate the new filesystem module into live and existing environments.
  Type: Grant
  Filed: December 18, 2019
  Date of Patent: November 2, 2021
  Assignee: International Business Machines Corporation
  Inventors: Frederico Araujo, Douglas Lee Schales, Marc Philippe Stoecklin, Teryl Paul Taylor

- Publication number: 20210117543
  Abstract: A decoy filesystem that curtails data theft and ensures file integrity protection through deception is described. To protect a base filesystem, the approach herein involves transparently creating multiple levels of stacking to enable various protection features, namely, monitoring file accesses, hiding and redacting sensitive files with baits, and injecting decoys onto fake system views that are purveyed to untrusted subjects, all while maintaining a pristine state to legitimate processes. In one implementation, a kernel hot-patch is used to seamlessly integrate the new filesystem module into live and existing environments.
  Type: Application
  Filed: December 18, 2019
  Publication date: April 22, 2021
  Inventors: Frederico Araujo, Douglas Lee Schales, Marc Philippe Stoecklin, Teryl Paul Taylor

- Patent number: 10979453
  Abstract: Decoy network ports and services are projected onto existing production workloads to facilitate cyber deception, without the need to modify production machines. The approach may be implemented in a production network that includes two segments. A production machine is reachable via the first segment, while a decoy machine that offers the network service expected from the production machine is reachable via the second segment. A deception router is configured in front of the two segments, and it is not visible on the link and network layers. The router inspects network traffic destined for the production machine. Based on a set of one or more conditions being met, the router determines whether to relay network packets to the production machine, or to redirect the packet to the decoy machine.
  Type: Grant
  Filed: August 31, 2017
  Date of Patent: April 13, 2021
  Assignee: International Business Machines Corporation
  Inventors: Frederico Araujo, Douglas Lee Schales, Marc Philippe Stoecklin, Teryl Paul Taylor

- Patent number: 10887346
  Abstract: Rapid deployments of application-level deceptions (i.e., booby traps) implant cyber deceptions into running legacy applications both on production and decoy systems. Once a booby trap is tripped, the affected code is moved into a decoy sandbox for further monitoring and forensics. To this end, this disclosure provides for unprivileged, lightweight application sandboxing to facilitate monitoring and analysis of attacks as they occur, all without the overhead of current state-of-the-art approaches. Preferably, the approach transparently moves the suspicious process to an embedded decoy sandbox, with no disruption of the application workflow (i.e., no process restart or reload). Further, the action of switching execution from the original operating environment to the sandbox preferably is triggered from within the running process.
  Type: Grant
  Filed: August 31, 2017
  Date of Patent: January 5, 2021
  Assignee: International Business Machines Corporation
  Inventors: Frederico Araujo, Douglas Lee Schales, Marc Philippe Stoecklin, Teryl Paul Taylor

- Patent number: 10528733
  Abstract: A decoy filesystem that curtails data theft and ensures file integrity protection through deception is described. To protect a base filesystem, the approach herein involves transparently creating multiple levels of stacking to enable various protection features, namely, monitoring file accesses, hiding and redacting sensitive files with baits, and injecting decoys onto fake system views that are purveyed to untrusted subjects, all while maintaining a pristine state to legitimate processes. In one implementation, a kernel hot-patch is used to seamlessly integrate the new filesystem module into live and existing environments.
  Type: Grant
  Filed: August 31, 2017
  Date of Patent: January 7, 2020
  Assignee: International Business Machines Corporation
  Inventors: Frederico Araujo, Douglas Lee Schales, Marc Philippe Stoecklin, Teryl Paul Taylor

- Publication number: 20200004962
  Abstract: A stackable filesystem that transparently tracks process file writes for forensic analysis. The filesystem comprises a base filesystem, and an overlay filesystem. Processes see the union of the upper and lower filesystems, but process writes are only reflected in the overlay. By providing per-process views of the filesystem using this stackable approach, a forensic analyzer can record a process's file-based activity—i.e., file creation, deletion, modification. These activities are then analyzed to identify indicators of compromise (IoCs). These indicators are then fed into a forensics analysis engine, which then quickly decides whether a subject (e.g., process, user) is malicious. If so, the system takes some proactive action to alert a proper authority, to quarantine the potential attack, or to provide other remediation. The approach enables forensic analysis without requiring file access mediation, or conducting system event-level collection and analysis, making it a lightweight, and non-intrusive solution.
  Type: Application
  Filed: June 27, 2018
  Publication date: January 2, 2020
  Applicant: International Business Machines Corporation
  Inventors: Frederico Araujo, Anne E. Kohlbrenner, Marc Philippe Stoecklin, Teryl Paul Taylor

- Publication number: 20200004977
  Abstract: A stackable filesystem architecture that curtails data theft and ensures file integrity protection. In this architecture, processes are grouped into ranked filesystem views, or “security domains.” Preferably, an order theory algorithm is utilized to determine a proper domain in which an application is run. In particular, a root domain provides a single view of the filesystem enabling transparent filesystem operations. Each security domain transparently creates multiple levels of stacking to protect the base filesystem, and to monitor file accesses without incurring significant performance overhead. By combining its layered architecture with view separation via security domains, the filesystem maintains data integrity and confidentiality.
  Type: Application
  Filed: June 27, 2018
  Publication date: January 2, 2020
  Applicant: International Business Machines Corporation
  Inventors: Frederico Araujo, Marc Phillipe Stoecklin, Teryl Paul Taylor

- Patent number: 10498763
  Abstract: This disclosure provides for rapid deployments of application-level deceptions (i.e., booby traps) to implant cyber deceptions into running legacy applications both on production and decoy systems, with no downtime and minimal performance overhead compared with the original application. An application-level booby trap is a piece of code injected into an application, and which provides an active defense or deception in response to an attack. A booby trap does not influence program execution under normal operation, and preferably elicits a response that can be defined by a security analyst. In operation, a booby trap is compiled into a bitcode using a patch synthesis process, and it is then injected into a running application, where it is compiled further into machine code, and linked directly with the existing application constructs. The original function also is modified with a function trampoline, and subsequent calls to the original function are then directed to the new function.
  Type: Grant
  Filed: August 31, 2017
  Date of Patent: December 3, 2019
  Assignee: International Business Machines Corporation
  Inventors: Frederico Araujo, Douglas Lee Schales, Marc Philippe Stoecklin, Teryl Paul Taylor