Abstract: This disclosure is related to using network flow information of a network to determine the trajectory of an attack. In some examples, an adjacency data structure is generated for a network. The adjacency data structure can include a machine of the network that has interacted with another machine of the network. The network can further include one or more deception mechanisms. The deception mechanisms can indicate that an attack is occurring when a machine interacts with one of the deception mechanisms. When the attack is occurring, attack trajectory information can be generated by locating in the adjacency data structure the machine that interacted with the deception mechanism. The attack trajectory information can correlate the information from the interaction with the deception mechanism, the interaction information of the network, and machine information for each machine to determine a possible trajectory of an adversary.

Abstract: Methods, systems, and computer-readable mediums are described herein to provide context-aware knowledge systems and methods for deploying deception mechanisms. In some examples, a deception profiler can be used to intelligently deploy the deception mechanisms for a network. For example, a method can include identifying a network for which to deploy one or more deception mechanisms. In such an example, a deception mechanism can emulate one or more characteristics of a machine on the network. The method can further include determining one or more asset densities and a summary statistic. An asset density can be associated with a number of assets connected to the network. The summary statistic can be associated with a number of historical attacks on the network.

Abstract: Methods, systems, and computer-readable mediums are described herein to provide context-aware knowledge systems and methods for deploying deception mechanisms. In some examples, a deception profiler can be used to intelligently deploy the deception mechanisms for a network. For example, a method can include identifying a network for which to deploy one or more deception mechanisms. In such an example, a deception mechanism can emulate one or more characteristics of a machine on the network. The method can further include determining one or more asset densities and a summary statistic. An asset density can be associated with a number of assets connected to the network. The summary statistic can be associated with a number of historical attacks on the network.

Abstract: This disclosure is related to using network flow information of a network to determine the trajectory of an attack. In some examples, an adjacency data structure is generated for a network. The adjacency data structure can include a machine of the network that has interacted with another machine of the network. The network can further include one or more deception mechanisms. The deception mechanisms can indicate that an attack is occurring when a machine interacts with one of the deception mechanisms. When the attack is occurring, attack trajectory information can be generated by locating in the adjacency data structure the machine that interacted with the deception mechanism. The attack trajectory information can correlate the information from the interaction with the deception mechanism, the interaction information of the network, and machine information for each machine to determine a possible trajectory of an adversary.

Abstract: Provided are methods, including computer-implemented methods or methods implemented by a network device, devices including network devices, and computer-program products for an active deception system. The active deception system can separate execution of services from deception mechanisms on a network. In particular, the active deception system can include a sensor on the network. The sensor can establish a two-way connection with a remote server executing the services. The sensor can receive communications from client devices and forward the communications to the remote server. While this forward can happen, the client devices might not be aware of the forward. In fact, the client device might only be aware that the sensor receives a communication and responds to the communication.

Abstract: Techniques are disclosed herein for systematically tracking the entire forwarding flow of an electronic message, such as an email. A determination is made to track an electronic message prior to it being relayed to an intended recipient. When the electronic message is forwarded by the intended recipient, a feedback message is sent by the forwarder to the originator of the electronic message. This may be used to allow the original author to review and authorize recipients of the forwarded message. The original author need not know up front to whom the message might be forwarded. Note that this not only provides security, but also provides for fine grained system for tracking the flow of messages, such as sensitive emails. The system can automatically assess the risk of authorizing the recipient to whom the message was forwarded to have access to the content based on machine learning, rules, etc.

Abstract: Techniques are disclosed herein for systematically tracking the entire forwarding flow of an electronic message, such as an email. A determination is made to track an electronic message prior to it being relayed to an intended recipient. When the electronic message is forwarded by the intended recipient, a feedback message is sent by the forwarder to the originator of the electronic message. This may be used to allow the original author to review and authorize recipients of the forwarded message. The original author need not know up front to whom the message might be forwarded. Note that this not only provides security, but also provides for fine grained system for tracking the flow of messages, such as sensitive emails. The system can automatically assess the risk of authorizing the recipient to whom the message was forwarded to have access to the content based on machine learning, rules, etc.

Abstract: A method and system for identifying a machine used for an online session with an online provider includes executing a lightweight fingerprint code from a provider interface during an online session to collect and transmit machine and session information; generating and storing a machine signature or identity including a machine effective speed calibration (MESC) which may be used to identify the machine when the machine is used in a subsequent online session by a method of matching the machine signature and MESC to a database of machine identities, analyzing a history of the machine's online sessions to identify one or more response indicators, such as fraud indicators, and executing one or more responses to the response indicators, such as disabling a password or denying an online transaction, where the response and response indicator may be provider-designated.

Abstract: A method, apparatus, and system for generating a profile of a person. The method may include storing a plurality of names, each name being associated with a plurality of name characteristics unique to the name, such as nativity, religion, gender, family social status, and time period. In response to receiving a name to be profiled, one or more associated name characteristics may be used to infer one or more user characteristics such as age, interests, habits, economic potential, and likelihood of buying something at a given point of time. The user characteristics may be provided as a profile of the person.

Abstract: A method and system for identifying a machine used for an online session with an online provider includes executing a lightweight fingerprint code from a provider interface during an online session to collect and transmit machine and session information; generating and storing a machine signature or identity including a machine effective speed calibration (MESC) which may be used to identify the machine when the machine is used in a subsequent online session by a method of matching the machine signature and MESC to a database of machine identities, analyzing a history of the machine's online sessions to identify one or more response indicators, such as fraud indicators, and executing one or more responses to the response indicators, such as disabling a password or denying an online transaction, where the response and response indicator may be provider-designated.

Abstract: A method and system for identifying a machine used for an online session with an online provider includes executing a lightweight fingerprint code from a provider interface during an online session to collect and transmit machine and session information; generating and storing a machine signature or identity including a machine effective speed calibration (MESC) which may be used to identify the machine when the machine is used in a subsequent online session by a method of matching the machine signature and MESC to a database of machine identities, analyzing a history of the machine's online sessions to identify one or more response indicators, such as fraud indicators, and executing one or more responses to the response indicators, such as disabling a password or denying an online transaction, where the response and response indicator may be provider-designated.

Abstract: Systems and methods for enhancing the convenience, reliability and security of transactions are provided. In authenticating a user attempting to engage in a transaction, a machine-readable indicia may be optically acquired and a challenge derived therefrom sent to a one-time password (OTP) application running on a mobile or other device. The device may then generate a response OTP using, at least in part, the derived challenge. The response may be read by a user and used in-band or may alternatively be sent by the mobile device out-of-band to an authentication server, which may respond with an authentication response operable to authenticate the user.

Abstract: A system and method is provided for determining a risk associated with a login transaction. A password received during the login attempt and determination is made regarding whether the received password is derived form user information. A risk is determined based on a determination that the received password is derived from the user information.

Abstract: Methods, apparatus, and systems for using multiple one-time passwords (OTPs) to authenticate a user to access goods or services provided by a single service provider. An electronic computing device associated with the user may include multiple OTP generators for generating multiple OTPs, where each OTP is associated with an OTP identifier that uniquely identifies the OTP from other OTPs. The electronic computing device sends OTP information including the generated OTP and OTP identifier to an authentication server which determines whether a stored OTP corresponding to the received OTP identifier matches the received OTP and, if there is a match, authenticates the user to access goods or services from a single service provider.

Abstract: A system and method is provided for determining a risk associated with a login transaction. A password received during the login attempt and determination is made regarding whether the received password is derived form user information. A risk is determined based on a determination that the received password is derived from the user information.

Abstract: A method and system for identifying a machine used for an online session with an online provider includes executing a lightweight fingerprint code from a provider interface during an online session to collect and transmit machine and session information; generating and storing a machine signature or identity including a machine effective speed calibration (MESC) which may be used to identify the machine when the machine is used in a subsequent online session by a method of matching the machine signature and MESC to a database of machine identities, analyzing a history of the machine's online sessions to identify one or more response indicators, such as fraud indicators, and executing one or more responses to the response indicators, such as disabling a password or denying an online transaction, where the response and response indicator may be provider-designated.

Abstract: A method and system for identifying a machine used for an online session with an online provider includes executing a lightweight fingerprint code from a provider interface during an online session to collect and transmit machine and session information; generating and storing a machine signature or identity including a machine effective speed calibration (MESC) which may be used to identify the machine when the machine is used in a subsequent online session by a method of matching the machine signature and MESC to a database of machine identities, analyzing a history of the machine's online sessions to identify one or more response indicators, such as fraud indicators, and executing one or more responses to the response indicators, such as disabling a password or denying an online transaction, where the response and response indicator may be provider-designated.