Patent classifications
H04L2463/141
SECURING CONTROL AND USER PLANE SEPARATION IN MOBILE NETWORKS
Techniques for securing control and user plane separation in mobile networks (e.g., service provider networks for mobile subscribers, such as 4G/5G networks) are disclosed. In some embodiments, a system/process/computer program product for securing control and user plane separation in mobile networks includes monitoring network traffic on a mobile network at a security platform to identify a Packet Forwarding Control Protocol (PFCP) message associated with a new session, in which the mobile network includes a 4G network or a 5G network; extracting a plurality of parameters from the PFCP message at the security platform; and enforcing a security policy at the security platform on the new session based on one or more of the plurality of parameters to secure control and user plane separation in the mobile network.
System of defending against HTTP DDoS attack based on SDN and method thereof
Disclosed are a system of defending against a DDoS attack based on an SDN and a method thereof. According to the present invention, when an HTTP Request message suspected of being part of an attack arrives at the web server, the web server forwards the HTTP Request message to the SDN controller located in the network. The SDN controller, rather than the web server that is the attack target, determines whether a DDoS attack is underway and blocks the traffic from the attacker at the nodes on the network according to its determination. Thereby, traffic suspected of being a DDoS attack that would exhaust the available connection resources of the web server is directed to the SDN controller instead of the web server, so the web server is protected from the DDoS attack and its normal operation is maintained.
Dynamic denial of service mitigation system
A dynamic denial of service (DDoS) mitigation system comprising a BGP address family exchange connected to at least one DDoS mitigation route reflector, each DDoS mitigation route reflector being an address family identifier specific route reflector that advertises BGP content in a first address family to the BGP address family exchange. The BGP address family exchange translates the BGP content from the first address family to a destination address family and announces the translated content to a destination route reflector, wherein the destination address family includes a flow specification diversion route.
SCALABLE DDOS SCRUBBING ARCHITECTURE IN A TELECOMMUNICATIONS NETWORK
Aspects of the present disclosure involve systems, methods, computer program products, and the like, for an orchestrator device associated with a scrubbing environment of a telecommunications network that receives one or more announced routing protocol advertisements from a customer device under an attack. In response to receiving the announcement, the orchestrator may configure one or more scrubbing devices of the network to begin providing the scrubbing service to packets matching the received routing announcement. A scrubbing service state for the customer may also be obtained or determined by the orchestrator. With the received route announcement and the customer profile and state information, the orchestrator may provide instructions to configure the scrubbing devices of the network based on the received information to dynamically automate scrubbing techniques without the need for a network administrator to manually configure the scrubbing environment or devices.
Statistical automatic detection of malicious packets in DDoS attacks using an encoding scheme associated with payload content
A method of detecting patterns in network traffic is provided. The method includes receiving a plurality of packets of network traffic, each packet having a payload populated with payload data and selecting payload lengths that occurred most frequently. For each of the selected payload lengths, a pattern template is generated using characters per position of the payload that satisfy a frequency criterion. A bit encoding scheme is assigned for each of the selected payload lengths and its associated pattern template. Each packet of the plurality of packets that has a payload length equal to any of the selected payload lengths and payload content that matches a pattern template generated for the payload is encoded into a single value. The single value uses the bit encoding scheme for the payload length and the pattern template matched. Each potential combination of fields representing the respective payload length and the pattern template is stored, with either all bits set per field when the field is active or no bits set per field when the field is inactive. A bitwise operation is performed on each encoded packet with the stored potential combinations. Results of the bitwise operation are stored in a sparse memory array. The results of the sparse array are sorted based on a number of the active fields and a number of occurrences of the respective results of the bitwise operation. The results of the sorting are provided to a mitigation device as an indication of whether an attack is underway and/or what type of attack is underway.
METHODS AND SYSTEMS OF AN AUTOMATIC CENTRALIZED FIREWALL FOR INDUSTRIAL IOT WAN FABRIC
In one aspect, a computerized method for implementing an automatic centralized firewall for an industrial Internet of Things (IIOT)-based wide area network (WAN) fabric includes the step of providing an automatic centralized firewall in an IIOT-based WAN fabric. The method includes the step of strictly operating the automatic centralized firewall in a white-listed manner. The method includes the step of automatically discovering a set of subnet end points and a set of network address ranges for each network in the IIOT-based WAN fabric. The method includes the step of providing a set of flow rules at both ends of each machine network in the WAN fabric.
DISTRIBUTED DENIAL-OF-SERVICE MITIGATION
The techniques described in this disclosure provide resilient and reactive on-demand Distributed Denial-of-Service (DDoS) mitigation services using an exchange. For example, an exchange comprises a first virtual network for switching mixed traffic (including dirty (DDoS) traffic and clean (non-DDoS) traffic) from one or more networks to one or more DDoS scrubbing centers; and a second virtual network for switching the clean traffic from the one or more DDoS scrubbing centers to the one or more networks, wherein the exchange is configured to receive the mixed traffic from the one or more networks and switch, using the first virtual network, the mixed traffic to a selected DDoS scrubbing center of the one or more DDoS scrubbing centers, and wherein the exchange is configured to receive the clean traffic from the selected DDoS scrubbing center and switch, using the second virtual network, the clean traffic to the one or more networks.
Methods and devices for protecting a stream of packets
A method for protecting a stream of packets in a network composed of packet router nodes and stream transmitter and receiver nodes. The receiver node is connected to a router node handling routing of a packet to the receiver node according to an expected value of a protection parameter included in at least one field of a packet of the stream. The method is implemented by a device associated with the receiver node and includes: transmitting to the router node connected to the receiver node a message containing the expected value of the protection parameter. A method is also provided for filtering a stream of packets, which is implemented by the router node connected to the receiver node and includes: receiving from a device associated with the receiver node a message containing the expected value of the protection parameter, and filtering packets not containing the expected value of the parameter.
UTILIZING ROUTING ADVERTISEMENTS TO AUTOMATE DDOS SCRUBBING TECHNIQUES IN A TELECOMMUNICATIONS NETWORK
Aspects of the present disclosure involve systems, methods, computer program products, and the like, for an orchestrator device associated with a scrubbing environment of a telecommunications network that receives one or more announced routing protocol advertisements from a customer device under an attack. In response to receiving the announcement, the orchestrator may configure one or more scrubbing devices of the network to begin providing the scrubbing service to packets matching the received routing announcement. A scrubbing service state for the customer may also be obtained or determined by the orchestrator. With the received route announcement and the customer profile and state information, the orchestrator may provide instructions to configure the scrubbing devices of the network based on the received information to dynamically automate scrubbing techniques without the need for a network administrator to manually configure the scrubbing environment or devices.
DETECTION OF DENIAL OF SERVICE ATTACKS
Embodiments are directed to monitoring network traffic over a network using one or more network monitoring computers. A monitoring engine may be instantiated to perform actions, including: monitoring network traffic to identify client requests provided by clients and server responses provided by servers in response to the client requests; determining request metrics associated with the client requests; and determining response metrics associated with the server responses. An analysis engine may be instantiated that performs actions, including: comparing the request metrics with the response metrics; determining atypical behavior associated with the clients based on the comparison, such that the atypical behavior includes an absence of adaptation by the clients to changes in the server responses; and providing alerts that may identify the clients associated with the atypical behavior.