Abstract: The present disclosure relates to a blockchain-based host security monitoring method and apparatus, a computer readable medium and an electronic device. The host security monitoring method in the embodiments of the present disclosure comprises: monitoring traffic data of a host in network communication, and determining whether the traffic data is malicious traffic; if the traffic data is malicious traffic, obtaining security state information of the host, and saving the security state information to a security state blockchain; generating an invasion log corresponding to the malicious traffic, and saving the invasion log and the security state information to a log storage blockchain.

Abstract: In an attack monitoring center apparatus, an event log transmitted from an attack monitoring terminal apparatus is received via a communication network. A first pattern and a second pattern are read from an event log occurrence pattern database which describes event log occurrence patterns. The first pattern is referred to in response to an abnormality being detected in the attack monitoring center apparatus; the second pattern is referred to in response to an abnormality being detected in the attack monitoring terminal apparatus. An abnormality is detected based on the event log and the first pattern. The second pattern is transmitted to the attack monitoring terminal apparatus in response to detecting the abnormality based on the event log and the first pattern.

Abstract: In various examples, there is a method of enabling an attestable update of a firmware layer that provides a unique identity of a computing device. An immutable firmware layer is used to access a unique device secret. The immutable layer is used to derive a hardware device identity (HDI) from the unique device secret. The immutable layer is used to derive a compound device identity (CDI) from a measurement of the firmware layer and the unique device secret. The CDI and HDI are made available to the firmware layer. The firmware layer is used to issue a local certificate to endorse a device identity key, derived from the CDI, the local certificate signed by a key derived from the HDI.

Abstract: A system and method for detecting a cybersecurity object in an operating system-level virtualization is presented. The method includes detecting an identifier of a code object in a software artifact, wherein the software artifact represents a software container deployed in a cloud computing environment; determining a location of the code object based on the software artifact; inspecting the code object for a cybersecurity object, wherein the cybersecurity object indicates a cybersecurity threat; detecting a cybersecurity object in the code object; and initiating a remediation action based on the cybersecurity object in response to detecting the cybersecurity object in the code object.

Abstract: The disclosure relates to a method and a device for authenticating an FPGA configuration. The method includes at least partly reading the configuration of a FPGA by the FPGA itself and calculating a first checksum using the read configuration. The method further includes providing an authentication response which confirms that the FPGA configuration is authentic when the first checksum matches a specified checksum, wherein the reading, calculating, and providing are carried out in an obfuscated manner. The authentication response confirming that the FPGA configuration is authentic is not provided or is only provided with a very low degree of probability when the first checksum and the specified checksum do not match. In this regard, an FPGA may check its own configuration.

Abstract: A computer implemented malware protection method to mitigate malware spread within a set of communicating computer systems from an infected computer system is disclosed.

Abstract: The present invention provides improved techniques that can be used to identify hidden content and/or advertisements on a digital display page and to tell the illegitimate pieces of hidden content apart from legitimate ones, which provide reduced levels of false results. For example, a technique involves performing a plurality of analyses on a digital display page to determine whether the digital display page includes content is hidden, wherein each analysis may determine a different result based on whether content in the digital display page is delivered but hidden, comparing the resulting determinations of the analyses, when the analyses all determine that the content is not hidden, classifying the digital display page as not including hidden content, and when at least one analysis determines that the content is not hidden and at least one analysis determines that the content is hidden, classifying the digital display page as including hidden content.

Abstract: At an advertising server: adding tracking code to advertisements served by the advertising server, wherein the tracking code is configured to cause web browsers displaying the served advertisements to transmit their contents to a security server. At the security server: scanning the received advertisements to detect presence of malicious code, and storing results of the scanning in a database. At the advertising server: prior to serving a new advertisement that has won in RTB, querying the database for scan results associated with the new advertisement. When the scan results indicate a malicious advertisement, preventing a serving of the new advertisement. When the scan results indicate a safe advertisement, allowing a serving the new advertisement. When no scan results are available for the new advertisement, adding the tracking code to the new advertisement and serving it, such that its contents are scanned by the security server.

Abstract: Classifying electronic communications is disclosed. An electronic communication is received. A first likelihood that a potential recipient of the electronic communication would conclude that the communication was transmitted on behalf of an authoritative entity is determined. An assessment of a second likelihood that the received communication was transmitted with authorization from the purported authoritative entity is performed. The electronic communication is classified based at least in part on the first and second likelihoods.

Abstract: Systems and methods are described for transmitting broadcasts by Peripherals, receiving the broadcasts by Centrals, and communicating with a Backend by Centrals. Specifically, a Peripheral may generate and transmit an encrypted broadcast packet to a Central, the Central may transmit the encrypted observation information to the Backend, which may decrypt the broadcast packet. Additionally, a Central may transmit a request for authorization to connect to a Peripheral to the Backend. If authorized by the Backend, the Central may connect to the Peripheral. Further, a Central may receive a plurality of broadcasts over a period of time. The Central may store information about the broadcasts and, at the conclusion of the period of time, transmit the information about the broadcasts and the last-received broadcast to the Backend.

Abstract: Provided is an on-device Android malware detection method based on an adaptive model through transfer learning, including: determining whether an application is malicious or unfavorable from a list of applications installed on a device; decompiling, in the device, an Android package (APK) of the application installed on the device; transmitting the determined list and the decompiled APK file to a server in order to generate a head model in the server and use the generated head model for the transfer learning with a base model; performing malware analysis in the device using a transfer learning model received from the server for an application newly installed on the device; and providing a malware analysis result to a user through the device as a result, and since the malware analysis is performed on the device, it is possible to ensure the availability and real-time performance of enabling analysis outside of a network range.

Abstract: A system and a method are disclosed for verifying a suspicious electronic communication. To this end, a secure communications service may detect an electronic communication comprising an identifier of a purported originator of the electronic communication and an identifier of an intended recipient, and determine that an attribute of the electronic communication corresponds to a suspicious attribute. Responsively, the service may intercept the electronic communication and storing the electronic communication in purgatory memory, so as to prevent the electronic communication from being populated in a private repository of the intended recipient, transmit a verification message, and receive a reply to the verification message that verifies the authenticity of the electronic communication.

Abstract: Systems and methods are provided herein for scheduling a season recording. A series is provided to a user device, the series having a plurality of sequential seasons, and each season having a plurality of episodes. A request for recording the series is received from the user. In response, a last episode of the series watched by the user is identified. A relevant season of the plurality of seasons is then determined, such that the relevant season precedes another season of the plurality of seasons and includes the last episode watched by the user. Then, episodes of the relevant season that follow the last episode watched by the user are scheduled for recording, such that episodes of a season that precedes the relevant season are not scheduled for recording.

Abstract: This disclosure describes techniques for identifying the criticality of an asset in a network. In an example method, a first security metric of a first asset in a network, as well as network data that identifies data flows associated with a second asset in the network are identified. The second asset is a nearest neighbor of the first asset in the network. The method includes determining, based on the network data, a number of hosts in the network that exchanged data traffic with the second asset during a time period and generating a second security metric of the second asset based on the first security metric and the number of hosts. A security policy of the second asset is adjusted based on the security metric.

Abstract: A method includes scanning a plurality of hosts in a network to obtain risk information of each instance of vulnerability associated with each host during a period, calculating a vulnerability risk score (VRS) for each instance of the vulnerability based on the associated risk information, determining a number of vulnerabilities associated with each of the plurality of hosts during the period, obtaining a criticality score of each of the plurality of hosts, obtaining for each host, a representative VRS based at least in part on the VRS for each instance of vulnerability associated with the host, calculating a host risk score (HRS) for each host based on the representative VRS, the number of vulnerabilities and the criticality score of the host, calculating a network risk score (NRS) for the network based on the HRSs, and facilitating a security action based on the HRS for each host and the NRS.

Abstract: Systems and methods for recent file malware scanning are provided herein. In some embodiments, a security system may include a processor programmed to download one or more files; filter, by a first driver, the one or more downloaded files using a security zone identifier; scan, by the first driver, the filtered subset of one or more files for malware; store, by a second driver, a first set of information associated with each of the scanned files to indicate that each the filtered subset of one or more files have been scanned, wherein the first set of information is stored as metadata using alternative data stream (ADS) associated with each scanned file; monitor, by the second driver, changes to existing files based on the metadata stored; send instructions to rescan any existing file that has changed for malware; and update the information associated with any rescanned file's metadata using the ADS.

Abstract: A system and method for securing an application through an application-aware runtime agent can include: acquiring a code profile, instrumenting the application with a runtime agent according to the code profile, enforcing the runtime agent on the execution of the application, and responding to the runtime agent. Enforcing the runtime agent on the execution of the application can include monitoring the execution flow, which comprises of monitoring the utilization of the controls through the execution of the application; detecting a threat, which comprises identifying a section of the execution flow as a potential security threat; and regulating the execution flow to prevent or ameliorate the security threat. Responding to the runtime agent can include responding to the security threat and providing a user interface that may output runtime agent diagnostics and trigger alerts.

Abstract: A notification message is received indicating an upload of a file to a cloud service. An analysis engine (which can execute one or more machine learning models or other analysis operations) can generate information that characterizes the file which can be indicative of a level of trustworthiness for the file. In response to the generated information, each of a plurality of judges are notified to commence or revisit a judging process. In response to the notifications, the judges (which can execute one or more machine learning models or other analysis operations) retrieve the generated information and determine a respective trustworthiness score for the file. These scores can be stored in a corresponding judge database and/or data can be provided which characterizes the determined trustworthiness scores to a consuming application or process. Related apparatus, systems, techniques and articles are also described.

Abstract: Methods and systems for detecting malware by monitoring client-side memory stacks are described. A request for a payment process is received and a client-side memory stack is populated with a series of functions corresponding to the requested payment process. The execution of each function is monitored to determine whether the series of functions and an order of execution of the functions from the client-side memory stack are the same as an expected series of functions and in an expected order corresponding to the payment process. The monitoring also determines whether the number and types of parameters called by the functions are the same as the expected number and types of parameters. The monitoring further determines whether the timing of the execution of the functions is the same as an expected timing. Remedial action is performed when the any of these factors is determined to be different than what is expected.

Abstract: A method and system for detecting and analyzing internet traffic from Internet of Things (IoT) devices is presented. A network telescope is employed to collect unsolicited data packets. The data packets are analyzed to determine whether they arise from a misconfigured device or from a malicious device (darknet sanitization) or from some other source. Traffic from misconfigured devices is filtered out. The data packets from malicious devices are analyzed and a classification model is trained to classify the data packets into originating from an IoT or from a non-IoT device. The classifier is then validated on a separate set of data. The data packets originating from malicious IoT devices are further analyzed by such techniques a clustering (e.g. agglomerative hierarchical clustering), geo-location analysis, methods of attack, and coordination of attacks.

Abstract: Techniques are described for assessing container images for vulnerabilities without actually scanning the container images. A vulnerability assessment system (VAS) is described that is configured to perform vulnerabilities assessment for container images. The VAS is configured to perform the vulnerability assessment without scanning the container images. In certain embodiments, the VAS calculates a vulnerability score for the container image where the vulnerability score is indicative of a probability that the container image contains a vulnerability.

Abstract: A threat intelligence gateway (TIG) may protect TCP/IP networks from network (e.g., Internet) threats by enforcing certain policies on in-transit packets that are crossing network boundaries. The policies may be composed of packet filtering rules with packet-matching criteria derived from cyber threat intelligence (CTI) associated with Internet threats. These CTI-derived packet-filtering rules may be created offline by policy creation and management servers, which may distribute the policies to subscribing TIGs that subsequently enforce the policies on in-transit packets. Each packet filtering rule may specify a disposition that may be applied to a matching in-transit packet, such as deny/block/drop the in-transit packet or pass/allow/forward the in-transit packet, and also may specify directives that may be applied to a matching in-transit packet, such as log, capture, spoof-tcp-rst, etc.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for pathogen detection. One of the methods includes providing, to a classifier, sensor data for a physical area, at a property, to cause the classifier to generate output data using the sensor data; receiving, from the classifier, the output data that indicates whether a pathogen was likely detected; detecting, using the output data, a likely pathogen in the physical area; determining whether to provide an alert given the detection of the likely pathogen; and in response to determining whether to provide the alert given the detection of the likely pathogen, selectively providing, to a device, the alert to cause the device to present the alert or determining to skip providing the alert.

Abstract: Examples of file analytics systems are described that may obtain metadata data and events data from a virtualized file server. The file analytics systems may detect one or more events from the events data matching a criteria indicating malicious activity. The file analytics systems may validate the detection of malicious activity. The validation may be performed by comparing the file type, such as the MIME type, of sample files before and after the suspected malicious activity. The systems may recover a share of the distributed file server including the one or more affected files by replacing the one or more affected files with stored versions of the one or more affected files from a snapshot of the share taken prior to the detected malicious activity.

Abstract: Methods, systems, and storage media for generating polls in an end-to-end encrypted messaging platform are disclosed. Exemplary implementations may: initiate, by an initiator, a poll comprising a poll name, an ending time, and response choices; generate a message to a group of users regarding the poll; for each user of the group of users, generate a key pair comprising a chain key and a signature key; receive, from a user of the group of users, a selection comprising at least one of the response choices; and cause display of the selection through the poll.

Abstract: A method for characterizing application layer denial-of-service (DDoS) attacks comprises generating a plurality of dynamic applicative signatures by analyzing at the application layer application layer requests received during an on-going DDoS attack, a dynamic applicative signature characterizing each received request based on frequent application layer attributes appearing in the received requests, wherein the requests are represented as a set of paraphrases, each paraphrase representing a specific aspect of a request's structure, the frequent application layer attributes being determined based on frequency of paraphrases in the set; characterizing each of the received requests based on one of the dynamic applicative signatures, the characterization providing an indication for each request whether a request is generated by an attack tool executing the on-going DDoS attack; and causing a mitigation action on the received request generated by the attack tool based on the generated dynamic applicative signatur

Abstract: The present invention provides an information security incident diagnosis system for assisting in detecting whether a target network system has been hacked. First, a plurality of activities records of one or more computing devices in a target network system are collected. Then, a discrete space metric tree is generated according to the plurality of activities records, and a clustering operation is performed on the discrete space metric tree to generate one or more event clusters associated with one or more suspicious event categories. Each event cluster may form a guide tree corresponding to the event cluster through single linkage clustering analysis to indicate a merging order from high to low similarity. The merging order is used for recursively performing a graph generating operation to convert a plurality of activities records corresponding to the one or more event clusters into a hierarchical directed acyclic graph (HDAG).

Abstract: The disclosed embodiments relate to a cyber threat information processing apparatus, a cyber threat information processing method, and a storage medium storing a cyber threat information processing program. A disclosed embodiment provides a cyber threat information processing method including: a step to classify at least one executable file into a set of code blocks corresponding to at least one malware by performing conversion of such executable file and provide the classified set of block codes; a step to select one or more code blocks included in the classified set of code blocks and generate a new set of code blocks by combining such selected code blocks; and a step to predict new malware based on the set of code blocks generated as above and provide information about the new malware predicted.

Abstract: Systems and methods for detecting malicious behavior in a network by analyzing process interaction ratios (PIRs) are provided. According to one embodiment, information regarding historical process activity is maintained. The historical process activity includes information regarding various processes hosted by computing devices of a private network. Information regarding process activity within the private network is received for a current observation period. For each process, for each testing time period of a number of testing time periods within the current observation period, a PIR is determined based on (i) a number of unique computing devices that hosted the process and (ii) a number of unique users that executed the process. A particular process is identified as potentially malicious when a measure of deviation of the PIR of the particular process from a historical PIR mean of the particular process exceeds a pre-defined or configurable threshold during a testing time period.

Abstract: A computerized method and system for mobile application clip detection and capturing on a mobile computing device includes receiving a user consent for capturing screen content by a content capture executable. The method and system includes executing the content capture executable in a background and monitoring processing operations in a foreground of the mobile computing device. Upon detecting capturable content from a application executable executing in the foreground, buffering screen content in a first memory device for a first period of time. The method and system includes executing the content capture executable in the foreground, including receiving a clip generation command from the user and generating a content clip from at least a portion of the screen content in the first memory device. Therein, in response to a clip distribution command, the clip is distributed across a networked connection.

Abstract: Programmable devices, hierarchical parallel machines and methods for providing state information are described. In one such programmable device, programmable elements are provided. The programmable elements are configured to implement one or more finite state machines. The programmable elements are configured to receive an N-digit input and provide a M-digit output as a function of the N-digit input. The M-digit output includes state information from less than all of the programmable elements. Other programmable devices, hierarchical parallel machines and methods are also disclosed.

Abstract: A trusted component is suggested to be added to off the shelf computing systems such as PCs or smartphone providing secure functions for access management and credential protection—safe authentication, maintaining session integrity and validation of content modification. An additional advantage of the solution that it detects malware/hacking attempts on first try allowing of taking action while oblivious to the malware/hacker to avoid retaliation. The trusted component may be any type of computing system that could be regarded trusted.

Abstract: A method and system for generating anomaly-detection rules for communication protocols are provided. The method includes receiving communication data; constructing at least one N-gram from the received communication data; analyzing the at least one N-gram by comparing the constructed at least one N-gram with a repository of N-gram analyses to identify conditional probabilities of certain characteristics; and generating anomaly-detection rules based on the N-gram analysis.

Abstract: Systems and methods for formatting data are disclosed. For example, a system may include at least one memory storing instructions and one or more processors configured to execute the instructions to perform operations. The operations may include receiving data comprising a plurality of sequences of data values and training a recurrent neural network model to output conditional probabilities of subsequent data values based on preceding data values in the data value sequences. The operations may include generating conditional probabilities using the trained recurrent neural network model and the received data. The operations may include determining a data format of a subset of the data value sequences, based on the generated conditional probabilities, and reformatting at least one of the data value sequences according to the determined data format.

Abstract: In an approach for smart test data workload generation, a processor receives a plurality of expected image frames for a user interface application to be tested. The plurality of expected image frames is pre-defined and represents a series of workflows and operations of the user interface application to be expected based on a design requirement. A processor calculates a first set of hash-values for each corresponding expected image frame. A processor samples the user interface application with a frequency to a plurality of testing image frames during a test run on the user interface application. A processor calculates a second set of hash-values for each sampled testing image frame. A processor compares the first set of hash-values to the second set of hash-values. A processor verifies that the second set of hash-values matches the first set of hash-values.

Abstract: Provided is a gateway device capable of reducing influence on intra-vehicle network communication from a cyber security attack that infringes availability represented by a DoS attack from an extra-vehicle network.

Abstract: The communication control apparatus (10) performs a receiving process, a counting process, and a determination process. The receiving process is a process for receiving a request packet to query a predetermined server. The counting process is a process for counting, based on a source address of the request packet, in multiple stages corresponding to different ranges of address areas that include the source address. The determination process is a process for determining an address area corresponding to a stage, from the multiple stage, in which a count value by the counting process exceeds a predetermined threshold value as an unauthorized access address area.

Abstract: A behavioral monitor executing in user space generates a plurality of filters corresponding to a plurality of processes executing in the user space. A first process transmits a system call to a corresponding filter of the plurality of filters in kernel space. The first process receives a signal from the corresponding filter. The first process analyzes the arguments submitted in the system call. The first process determines that the arguments may be associated with malicious activity. The first process generates an event and transmitting the event to the behavioral monitor. The behavioral monitor analyzes the event to determine whether the event is associated with malicious activity. The behavioral monitor causes a process group associated with the first process to cease executing and restores a previous version of the at least one file modified by the process group.

Abstract: A computer-implemented method of managing computer vulnerabilities is disclosed. The method comprises detecting one or more processes running on a particular computing system during a particular period of time including now; and determining a set of active vulnerabilities that are associated with the one or more processes from a plurality of vulnerabilities. The method also comprises determining, for each vulnerability of the set of active vulnerabilities, context metadata related to a process or an application associated with the vulnerability, including how often the application has been executed, for how long the process has run, or when in the particular period of time the process was, is, or will be running. The method further comprises ranking the set of active vulnerabilities based on the context metadata for each active vulnerability to obtain a ranked order; and transmitting information related to the ranking to a device.

Abstract: An embodiment includes a method of application vulnerability assessment and prioritization. The method includes ingesting modelling data from data sources for application vulnerabilities. The method includes transforming at least a portion of the modelling data to covariate vectors. The method includes extracting keywords and phrases from the modelling data and statistically measuring relevance of files of the modelling data based on the extracted keywords and phrases. The method includes generating threat levels of the application vulnerabilities based on the covariate vectors and the measured relevance. The method includes outputting the threat levels to a network management system. The method includes implementing, at a first endpoint device of the network, a first patch to address one of the application vulnerabilities.

Abstract: The technology disclosed prevents phishing attacks where a malicious attacker creates a malicious file in a cloud-based store and shares it with endpoint users. A user, opening the shared document, is redirected to a malicious website where a corporation's critical data may be compromised. The cloud-based method applies a set of rules and policies to allow the shared document or block the shared document from the network, based on identifying the ownership or originator of the shared document. Documents from blacklisted websites are blocked. Documents from trusted sources are allowed access to the network. Unknown documents are blocked and threat-scanned to determine if they contain malicious content. If analysis proves a blocked document to be safe, it may be released into the network along with subsequent documents having the same ownership or originator.

Abstract: Aspects of the disclosure relate to dynamically controlling access to linked content in electronic communications. A computing platform may receive, from a user computing device, a request for a uniform resource locator associated with an email message and may evaluate the request using one or more isolation criteria. Based on evaluating the request, the computing platform may identify that the request meets at least one isolation condition associated with the one or more isolation criteria. In response to identifying that the request meets the at least one isolation condition associated with the one or more isolation criteria, the computing platform may initiate a browser mirroring session with the user computing device to provide the user computing device with limited access to a resource corresponding to the uniform resource locator associated with the email message.

Abstract: Disclosed are a message sending method and apparatus. The method includes: a front-end device receiving a message preview instruction and sending the message preview instruction to a server; the server determining, on the basis of the message preview instruction, whether a message currently corresponding to a message type satisfies a sending rule, and if so, making an electronic message correspond to the message type, and sending the electronic message to the front-end device; the front-end device outputting and displaying the electronic message for a user to view; and the user triggering a message sending instruction after confirming same, so as to complete the sending of the electronic message.

Abstract: The described technology is generally directed towards secure collaborative processing of private inputs. A secure execution engine can process encrypted data contributed by multiple parties, without revealing the encrypted data to any of the parties. The encrypted data can be processed according to any program written in a high-level programming language, while the secure execution engine handles cryptographic processing.

Abstract: In general, in one aspect, a method includes receiving software code with an invalid characteristic, repeatedly attempting to execute the software code with the invalid characteristic on a device, and in response to successful execution of the software code with the invalid characteristic, taking an action. The action may include an action to remediate the device.

Abstract: Examples of the present disclosure describe systems and methods for a behavioral threat detection virtual machine. In examples, the virtual machine executes a rule comprising rule instructions. A rule may comprise one or more wait rule instructions that causes the virtual machine to pause execution. As events are added to an event queue for the rule virtual machine, the behavioral threat detection virtual machine evaluates such events in order to identify a positive or, in some instances, a negative match. When a matching event is identified, rule execution resumes. Eventually, a determination is made as a result of processing events and wait packets, thereby indicating the presence or absence of a malicious or potentially malicious behavior, among other examples. Thus, among other things, the behavioral threat detection virtual machine maintains a state associated with rule execution and processes events to identify behaviors accordingly.

Abstract: A method and network are provided for monitoring a network during a DDoS attack. The method includes establishing a flow record for flows designated for tarpitting and a state machine, each state of multiple states of the state machine having an associated handler function. The handler function associated with a current state of a state machine associated with a flow is invoked to perform one or more actions associated with the flow or the flow record for applying at least one tarpitting technique of one or more candidate tarpitting techniques associated with the flow record, and return a next state, which is used to update the current state of the state machine. The handler function associated with the current state of the state machine is repeatedly invoked, wherein each invocation of the handler function potentially applies different tarpitting techniques.

Abstract: A method including receiving, by a security device from a network device, an initial security instruction set including a plurality of initial security instructions associated with operation of the security device; receiving, by the security device from the network device, an event signal associated with the security device carrying out a network-facing operation; transmitting, by the security device to the network device based on receiving the event signal, a security instruction associated with the security device carrying out the network-facing operation, the security instruction being from among the plurality of initial security instructions; receiving, by the security device from the network device based on transmitting the security instruction, communication information to enable the security device to carry out the network-facing operation; and carrying out, by the security device, the network-facing operation based on utilizing the communication information is disclosed.

Abstract: Method of detecting malware in a computer storage medium is described. The method involves connecting the computer storage medium to an air-gapped anti-malware device. Scanning the computer storage medium for malware.

Abstract: This application discloses a cyber threat deception method and system, and a forwarding device. The forwarding device obtains a deception target set, where the deception target set includes a deception target, and the deception target includes an unused internet protocol (IP) address or an unopened port number on a used IP address. The forwarding device receives an IP packet from a host, and determines whether a destination party that the IP packet requests to access belongs to the deception target set. If the destination party that the IP packet requests to access belongs to the deception target set, the forwarding device sends the IP packet to a honeypot management server. The forwarding device receives a response packet, returned by the honeypot management server, of the corresponding IP packet. The forwarding device sends the response packet to the host.