H04L2463/141

Techniques for automatically mitigating denial of service attacks via attack pattern matching

A method for mitigating a denial of service attack includes determining, for a client, a number of requests being transmitted to a server and determining, for the client, that the number of requests for a time period is greater than a top talker threshold. The method includes classifying the client as a top talker based on the number of requests being greater than the top talker threshold and identifying, for the client, additional requests being transmitted to the server. The method also includes determining whether a number of the additional requests matches one or more attack patterns and preventing one or more of the additional requests from being transmitted to the server if the number of additional requests that matches one or more attack patterns is greater than a first threshold.

METHOD OF BLOCKING DISTRIBUTED DENIAL OF SERVICE ATTACKS AND CORRESPONDING APPARATUS
20190007449 · 2019-01-03

Gateways monitor communications between their LAN devices and the WAN and count the number of requests per LAN device to each target IP address. If the number of requests from a LAN device to a target IP address exceeds a first value X, an alert message containing the target IP address is transmitted to all other gateways. Each gateway sums the request counter values reported in the alert messages it receives, per target IP address. If the sum exceeds a second value VALUE_DDOS, a DDoS attack is detected. A gateway that has detected a DDoS attack checks whether one of its own LAN devices has transmitted more than X requests to the attacked IP address and, where appropriate, puts that LAN device in quarantine by blocking its data communication to the WAN.

SYSTEMS AND METHODS FOR DYNAMICALLY VARYING WEB APPLICATION FIREWALL SECURITY PROCESSES BASED ON CACHE HIT RESULTS
20180375830 · 2018-12-27

A computer-implemented method for dynamically varying web application firewall security processes based on cache hit results may include (i) identifying, at a computing device, a request directed to a web application resource protected by the computing device, (ii) determining, in response to identifying the request, whether a response to the request will be served from a cache stored on the computing device, (iii) determining, based at least in part on whether the response to the request will be served from the cache, a level of security processing to apply to the request, and (iv) applying the determined level of security processing to the request. Various other methods, systems, and computer-readable media are also disclosed.

Methods for detecting a cyberattack on an electronic device, method for obtaining a supervised random forest model for detecting a DDoS attack or a brute force attack, and electronic device configured to detect a cyberattack on itself

A method for detecting a cyberattack on an electronic device is provided. The method is performed by the electronic device itself. The method includes collecting data at the electronic device. Further, the method includes classifying the collected data as regular data or malicious data using a supervised machine-learning model for the cyberattack. The method additionally includes determining whether the electronic device is under the cyberattack based on the classification of the collected data.

Network security attack detection and mitigation solution using honeypots

A system and method for mitigating a distributed denial-of-service (DDoS) attack in a networked computing system. At least one DDoS honeypot in operative communication with a central controller in the networked computing system is configured to receive a data packet from a network, determine a source address of the data packet, and send the source address to the central controller. The central controller is configured to initiate a mitigation action based on the source address and one or more mitigation rules, wherein a determination of whether the received data packet is part of the DDoS attack is based on one or more detection rules.

AUTOMATIC HANDLING OF DEVICE GROUP OVERSUBSCRIPTION USING STATELESS UPSTREAM NETWORK DEVICES
20180359279 · 2018-12-13

A DDoS attack mitigation system includes a plurality of stateless network devices connected to a network. The system also includes one or more DPI devices connected to the plurality of stateless devices. The system further includes a controller connected to the plurality of stateless devices and connected to the DPI devices. The controller includes logic integrated with and/or executable by a processor. The controller is configured to receive a signal from a first DPI device and analyze the received signal. The controller is further configured to update a network traffic policy to redirect at least some of network traffic destined for the first DPI device to one or more DPI devices different from the first DPI device based on the analyzed signal and to send a signal indicative of the updated network policy to at least some of the plurality of stateless devices.

IP address allocation

Systems and methods are described for IP address allocation. A computerized method includes receiving, at a wireless access gateway, a request from a subscriber to connect to a network, allocating a first IP address to the subscriber from a first pool of IP addresses at the wireless access gateway, and assigning a second IP address to the subscriber from a second pool of IP addresses at the wireless access gateway when the subscriber requests a network service.

Apparatus, system and method for webRTC

A solution is provided for how the authentication, and thus the authorization, of the webRTC IMS Client can be achieved in the IMS of the mobile network operator. The WIC (20) uses an ID to register with the IMS, which may be an IMPU, an IMPI, a GRUU, etc. The WIC (20) may be preconfigured by the WWSF (30) with the eP-CSCF (40) address and authentication information; if not, this information should be retrieved via the WWSF (30), from the IMS directly, or via other device management procedures, e.g. OMA DM. It is further assumed that the subscriber already has a valid webRTC account/membership and that this can be validated, authenticated and authorized by the WWSF (30).

Method and device for categorizing a stream control transmission protocol (SCTP) receiver terminal as a malicious SCTP receiver terminal

A method and a device are provided for categorizing a Stream Control Transmission Protocol (SCTP) receiver terminal (120) as a malicious SCTP receiver terminal, i.e. one that generates spoofed optimistic SCTP selective acknowledgement (SACK) packets in order to exploit an SCTP transmitter terminal as a flood source for Denial-of-Service attacks. The SCTP receiver terminal (120) generates data enriched SCTP SACK packets (170). Each data enriched SCTP SACK packet comprises a cumulative payload essence of all successfully received data packets (200). The SCTP transmitter terminal (110) performs a data enriched SACK validation in which it computes the cumulative payload essence of all successfully transmitted data packets (200) and compares the computed value with the cumulative payload essence contained in the received data enriched SACK. The SCTP transmitter terminal detects a spoofed optimistic SACK packet if the comparison yields a difference.

UTILIZING ROUTING ADVERTISEMENTS TO AUTOMATE DDOS SCRUBBING TECHNIQUES IN A TELECOMMUNICATIONS NETWORK

Aspects of the present disclosure involve systems, methods, computer program products, and the like, for an orchestrator device associated with a scrubbing environment of a telecommunications network that receives one or more announced routing protocol advertisements from a customer device under an attack. In response to receiving the announcement, the orchestrator may configure one or more scrubbing devices of the network to begin providing the scrubbing service to packets matching the received routing announcement. A scrubbing service state for the customer may also be obtained or determined by the orchestrator. With the received route announcement and the customer profile and state information, the orchestrator may provide instructions to configure the scrubbing devices of the network based on the received information to dynamically automate scrubbing techniques without the need for a network administrator to manually configure the scrubbing environment or devices.