H04L2463/141

Targeted traffic filtering

Remote Triggered Black Holes (RTBHs) can be precisely placed on networks that are not directly physically connected to a target of an attack. A network source of a potential attack can be determined. A path between the network source and the target can be identified, and a determination can be made as to which networks along that path subscribe to an attack mitigation service. From multiple identified subscriber networks, a subscriber network can be identified that is determined to be appropriate for placement of a black hole to mitigate the attack. Once selected, the identified network can receive attack information and acknowledge placement of the black hole. The subscriber network can then begin discarding traffic for the attack target. A subscriber-owned list of network prefixes can be reviewed before allowing RTBH injection for a corresponding address space.

MITIGATION OF A DENIAL OF SERVICE ATTACK IN A DEVICE PROVISIONING PROTOCOL (DPP) NETWORK

Systems and methods are provided for mitigating denial-of-service attacks that can disrupt the onboarding of internet-of-things (IoT) devices onto a network, and for ensuring that legitimate IoT devices are onboarded. Example implementations include receiving, at an access point (AP) from a device, a chirp signal comprising a hash of data that includes a first public key of an IoT device. Upon verification of the first public key, the AP generates a context based on a first public key received from the authenticator. The context comprises information for onboarding the IoT device without subsequent communications between the AP, the configurator and the authenticator. The AP can use the context to create and transmit authentication authorization requests in response to chirp signals. In some examples, a chirp table can be created by a configurator for tracking serving APs. The chirp table can be used to provision APs for future chirp signals as needed.

Algorithmically detecting malicious packets in DDoS attacks
10469528 · 2019-11-05

A method for detecting patterns using statistical analysis is provided. The method includes receiving a subset of structured data having a plurality of fields. A plurality of value combinations is generated for the plurality of fields using a statistical combination function. Each combination of the generated plurality of value combinations is stored as a separate entry in a results table. The entry in the results table includes a counter associated with the stored combination. A value of the counter is incremented for every occurrence of the stored combination in the generated plurality of value combinations. The results table is sorted based on the counters' values and based on a number of fields in each combination. One or more entries having highest counter values are identified in the results table.

DDOS ATTACK DETECTION METHOD AND DEVICE
20190327255 · 2019-10-24

This application discloses a distributed denial of service attack detection method. The method includes: obtaining the data streams sent to a protection object device in each detection period and the total duration of each data stream; classifying each data stream as a long data stream or a short data stream based on its total duration; adding, for each detection period through which a long data stream passes, the total data traffic of that long data stream to the statistical traffic; adding the data traffic of each short data stream in a detection period to the long-data-stream traffic already attributed to that detection period, to determine the statistical traffic in each detection period; and, if there is a detection period in which the statistical traffic exceeds a preset traffic threshold, determining that the protection object device is undergoing a DDoS attack in that detection period.

SMART INTERNET OF THINGS ("IOT") RELAY MONITORS
20190297093 · 2019-09-26

Apparatus and methods are provided for tracking and validating the behavior and communication patterns of sensors on an Internet-of-Things (IoT) network. Preferably, a tracking node is assigned to monitor the activity of a target node. The tracking node may hand off monitoring responsibility to another node on the network. A tracking node may intercept communications of a target node. A first tracking node may monitor activity of the target node in a first geographic location, and a second tracking node may monitor activity of the target node in a second geographic location. Two or more tracking nodes may monitor activity of the target node in the same geographic location.

COMMUNICATIONS METHODS, SYSTEMS AND APPARATUS FOR PROTECTING AGAINST DENIAL OF SERVICE ATTACKS AND EFFICIENT ALLOCATION OF BANDWIDTH
20190281021 · 2019-09-12

The present invention relates to methods, systems and apparatus for providing efficient packet flow fillrate adjustments and protection against distributed denial of service attacks. One exemplary embodiment in accordance with the invention is a method of operating a communication system including the steps of: receiving, at a session border controller (SBC), a first SIP INVITE request message; making a decision, at the SBC, as to whether the first SIP INVITE request originated from an Integrated Access Device or an Internet Protocol-Private Branch Exchange (IP-PBX) device; and generating, at the SBC, a packet flow fillrate based on that decision.

Detection and mitigation of slow application layer DDoS attacks

A method and system for protecting cloud-hosted applications against application-layer slow DDoS attacks are provided. The system includes processing circuitry and a memory connected to the processing circuitry; the memory contains instructions that, when executed by the processing circuitry, configure the system to: collect telemetries from a plurality of sources deployed in a plurality of public cloud computing platforms, wherein each of the plurality of public cloud computing platforms hosts an instance of a protected cloud-hosted application; provide a set of rate-based and rate-invariant features based on the collected telemetries; evaluate each feature in the set of rate-based and rate-invariant features to determine whether the behavior of each feature, and the behavior of the set as a whole, indicates a potential application-layer slow DDoS attack; and cause execution of a mitigation action when an indication of a potential application-layer slow DDoS attack is determined.

Attack mitigation in a packet-switched network
11985164 · 2024-05-14

The disclosed computer-implemented method includes applying transport protocol heuristics to selective acknowledgement (SACK) messages received at a network adapter from a network node. The transport protocol heuristics identify threshold values for operational functions that are performed when processing the SACK messages. The method further includes determining, by applying the transport protocol heuristics to the SACK messages received from the network node, that the threshold values for the transport protocol heuristics have been reached. In response to determining that the threshold values have been reached, the method includes identifying the network node as a security threat and taking remedial actions to mitigate the security threat. Various other methods, systems, and computer-readable media are also disclosed.

System and method for detecting patterns in structured fields of network traffic packets
11985162 · 2024-05-14

A computer method and system are provided for determining patterns in network traffic packets having structured subfields, in order to generate filter candidate regular expressions for DDoS attack mitigation. Stored packets are analyzed to extract a query name for each stored packet. Each query name is segregated into subfields. A Results table is generated from the segregated subfields of the query names. A Field-length table is generated that contains the length of the Field Values (Field-length) for each Field Name and an associated counter indicating how many times that Field-length for a Field Name is present in the extracted query names. The Field-length table is analyzed to determine patterns of equal length in the Results table. Utilizing the Patterns table, unique combinations of the Field Values are generated as filter candidate regular expressions for DDoS attack mitigation purposes.