Patent classifications
H04L2463/141
REGION-BASED PRIORITIZATION FOR MITIGATING DISTRIBUTED DENIAL-OF-SERVICE ATTACKS
The disclosed embodiments provide a system for mitigating a distributed denial-of-service (DDoS) attack. During operation, the system analyzes the application layer of historical traffic to an online system to determine historical volumes of member traffic from a set of regions to the online system, wherein the member traffic is generated by members of the online system. Next, the system calculates allocations of query rates for the set of regions based on the historical volumes of member traffic from the set of regions. During a DDoS attack, the system outputs the allocations of the query rates for use in blocking different portions of the requests from different regions in the set of regions to the online system.
METHODS AND SYSTEMS FOR REDUCING UNWANTED DATA TRAFFIC IN A COMPUTER NETWORK
A method for reducing unwanted data traffic in a computer network due to a Distributed Reflection Denial of Service (DRDoS) attack. The method comprises operating a filtering module in a normal mode or a blocking mode to allow or block requests from being communicated within a computer network in response to data from a honeypot device in the computer network. The method allows the honeypot device to continue to monitor further attack requests that are received during the DRDoS attack.
Method for defending against attack, defense device, and computer readable storage medium
Embodiments of the present disclosure disclose a method for defending against a User Datagram Protocol (UDP) attack and a defense device. The method is implemented by a defense device, the defense device comprising a memory, a processor, and a bus system. The method comprises: detecting, by the defense device, whether a target host is attacked by a UDP attack from an attack device; obtaining, by the defense device, an Internet Control Message Protocol (ICMP) data packet sent back by the target host to the attack device, in response to the target host being attacked by the attack device; extracting, by the defense device, information about target ports in the ICMP data packet; and performing, by the defense device according to the information about the target ports, interception processing on UDP data packets sent by the attack device to the target ports.
Relay apparatus, network monitoring system, and program
In the present invention, unauthorized access from outside a facility to a device disposed inside the facility is detected by effectively using the output from a mirror port of a network switch. A gateway device has: a monitored data acquisition unit for saving in a monitored data storage unit, as monitored data, packet data that is outputted from a mirror port of a switch, the packet data being outputted from a device being monitored; an unauthorized access detection unit for detecting unauthorized access by determining whether the monitored data is abnormal on the basis of a comparison between the monitored data and assessment rules; and an unauthorized access notification unit for notifying a server of a monitoring center, which is connected to an external network via an external communication unit, that unauthorized access has been detected.
Utilizing routing advertisements to automate DDOS scrubbing techniques in a telecommunications network
Aspects of the present disclosure involve systems, methods, computer program products, and the like, for an orchestrator device associated with a scrubbing environment of a telecommunications network that receives one or more announced routing protocol advertisements from a customer device under an attack. In response to receiving the announcement, the orchestrator may configure one or more scrubbing devices of the network to begin providing the scrubbing service to packets matching the received routing announcement. A scrubbing service state for the customer may also be obtained or determined by the orchestrator. With the received route announcement and the customer profile and state information, the orchestrator may provide instructions to configure the scrubbing devices of the network based on the received information to dynamically automate scrubbing techniques without the need for a network administrator to manually configure the scrubbing environment or devices.
Device Bootstrap Method, Terminal, and Server
A device bootstrap method and a terminal are disclosed. The terminal is configured to send a bootstrap request to a server, wherein the bootstrap request includes a node identifier (ID) and a transmission channel parameter of the terminal; to receive an acknowledgment message carrying a transmission channel selected by the server, where the transmission channel is determined based on the transmission channel parameter; and to receive a temporary ID indication message including a temporary ID and a temporary key sent by a forwarding apparatus, where the forwarding apparatus is a network element configured to send a message to the terminal through the transmission channel selected by the server. The terminal is further configured to establish a secure communication channel with the server according to the temporary ID and the temporary key.
System and Method for Cyber Security Threat Detection
A cyber security threat detection system for one or more endpoints within a computing environment is disclosed. The system comprises a plurality of collector engines. Each of the collector engines is previously installed on an endpoint of a plurality of endpoints and configured to acquire statistical information at the endpoint. The statistical information includes behavioral information, resource information, and metric information associated with the endpoint. The system further comprises an aggregator engine configured to aggregate the statistical information from each of the endpoints into aggregated information. The system further comprises an analytics engine configured to receive the aggregated information, and to invoke learning models to output deviation information for each of the endpoints based on the aggregated information and expected fingerprints associated with the endpoints. The system further comprises an alerting engine configured to issue one or more alerts indicating one or more security threats have occurred for each of the endpoints in response to the deviation information for the endpoint.
STATISTICAL AUTOMATIC DETECTION OF MALICIOUS PACKETS IN DDOS ATTACKS USING AN ENCODING SCHEME ASSOCIATED WITH PAYLOAD CONTENT
A method of detecting patterns in network traffic is provided. The method includes receiving a plurality of packets of network traffic, each packet having a payload populated with payload data and selecting payload lengths that occurred most frequently. For each of the selected payload lengths, a pattern template is generated using characters per position of the payload that satisfy a frequency criterion. A bit encoding scheme is assigned for each of the selected payload lengths and its associated pattern template. Each packet of the plurality of packets that has a payload length equal to any of the selected payload lengths and payload content that matches a pattern template generated for the payload is encoded into a single value. The single value uses the bit encoding scheme for the payload length and the pattern template matched. Each potential combination of fields representing the respective payload length and the pattern template is stored, with either all bits set per field when the field is active or no bits set per field when the field is inactive. A bitwise operation is performed on each encoded packet with the stored potential combinations. Results of the bitwise operation are stored in a sparse memory array. The results of the sparse array are sorted based on a number of the active fields and a number of occurrences of the respective results of the bitwise operation. The results of the sorting are provided to a mitigation device as an indication of whether an attack is underway and/or what type of attack is underway.
MALICIOUS DATABASE REQUEST IDENTIFICATION
A computer-implemented method to identify a malicious database request, including: receiving a database query for retrieving data from a database; classifying the received query based on query instructions contained in the query to identify a class of query for the query, the class of query having associated attributes defining expected characteristics of queries of the class when executed by the database; monitoring characteristics of the received query as it is executed to retrieve data from the database; and, responsive to a determination that the monitored characteristics deviate from the expected characteristics, identifying the query as malicious.
Automatic handling of device group oversubscription using stateless upstream network devices
A DDoS attack mitigation system includes a plurality of stateless network devices connected to a network. The system also includes one or more DPI devices connected to the plurality of stateless devices. The system further includes a controller connected to the plurality of stateless devices and connected to the DPI devices. The controller includes logic integrated with and/or executable by a processor. The controller is configured to receive a signal from a first DPI device and analyze the received signal. The controller is further configured to update a network traffic policy to redirect at least some of the network traffic destined for the first DPI device to one or more DPI devices different from the first DPI device based on the analyzed signal, and to send a signal indicative of the updated network policy to at least some of the plurality of stateless devices.