H04L2463/141

LIMITING A NUMBER OF ILLEGITIMATE INTERRUPTS FROM SWITCHING A CENTRAL PROCESSING UNIT TO A SYSTEM MANAGEMENT MODE

Disclosed herein is a system for limiting the rate at which system management interrupts can suspend normal execution of a central processing unit (CPU) by switching the operating mode of the CPU from either the real mode or the protected mode to the system management mode. The rate limits imposed by the system provide a protective layer against cyberattacks (e.g., a distributed denial-of-service (DDoS) attack) by malicious actors and allow the CPU to execute workloads (e.g., processing threads) more efficiently.

TECHNIQUES FOR AUTOMATICALLY MITIGATING DENIAL OF SERVICE ATTACKS VIA ATTACK PATTERN MATCHING

A method for mitigating a denial of service attack includes determining, for a client, a number of requests being transmitted to a server and determining, for the client, that the number of requests for a time period is greater than a top talker threshold. The method includes classifying the client as a top talker based on the number of requests being greater than the top talker threshold and identifying, for the client, additional requests being transmitted to the server. The method also includes determining whether a number of the additional requests matches one or more attack patterns and preventing one or more of the additional requests from being transmitted to the server if the number of additional requests that matches one or more attack patterns is greater than a first threshold.

CRYPTOGRAPHIC NETWORK PROTOCOL ESCALATION PATH
20180198818 · 2018-07-12

The systems and methods described herein can provide a protocol escalation path in response to a client system's request or in response to a triggering event. For example, the computing system can provide an indication to a client system that the client system can upgrade from a regular connection channel to an upgraded connection channel if the client system can solve a certain proof-of-work. The computing system may also receive a request from the client system to access an upgraded connection channel. The upgraded connection channel may provide more bandwidth, stability, higher priority, etc., alone or in combination, compared to the regular connection channel.

Limiting the efficacy of a denial of service attack by increasing client resource demands
10021132 · 2018-07-10

A device may detect an attack. The device may receive, from a client device, a request for a resource. The device may determine, based on detecting the attack, a computationally expensive problem to be provided to the client device, where the computationally expensive problem requires a computation by the client device to solve the computationally expensive problem. The device may instruct the client device to provide a solution to the computationally expensive problem. The device may receive, from the client device, the solution to the computationally expensive problem. The device may selectively provide the client device with access to the resource based on the solution.

SYSTEM AND METHOD FOR MITIGATING DISTRIBUTED DENIAL OF SERVICE ATTACKS
20180191773 · 2018-07-05

A method and associated system for mitigating a Distributed Denial of Service (DDoS) attack on a target device including receiving a plurality of data packets at a mitigation device, counting a number of occurrences of each destination address signature within each of a plurality of consecutive data packet windows, and classifying each data packet window of the plurality of consecutive data packet windows as a potential attack window if the number of occurrences of any one destination address signature within the data packet window exceeds a destination address signature threshold value. The method further includes determining a total number of potential attack windows within a sliding time window and limiting the transmission of the plurality of data packets from the mitigation device if the total number of potential attack windows within the sliding time window exceeds a potential attack window threshold value.

RELAY APPARATUS, NETWORK MONITORING SYSTEM, AND PROGRAM

In the present invention, unauthorized access from outside a facility to a device disposed inside the facility is detected by effectively using the output from a mirror port of a network switch. A gateway device has: a monitored data acquisition unit for saving in a monitored data storage unit, as monitored data, packet data that is outputted from a mirror port of a switch, the packet data being outputted from a device being monitored; an unauthorized access detection unit for detecting unauthorized access by determining whether the monitored data is abnormal on the basis of a comparison between the monitored data and assessment rules; and an unauthorized access notification unit for notifying a server of a monitoring center, which is connected to an external network via an external communication unit, that unauthorized access has been detected.

REAL-TIME POLICY FILTERING OF DENIAL OF SERVICE (DoS) INTERNET PROTOCOL (IP) ATTACKS AND MALICIOUS TRAFFIC
20180183831 · 2018-06-28

This disclosure describes techniques that facilitate dynamic filtering and blocking of Denial of Service (DoS) Internet Protocol (IP) attacks via a Real-time Filtering Policy (RFP) server. The RFP server may transmit an anti-attack packet towards a source IP address that has been identified as initiating a DoS IP attack. The anti-attack packet may include an Explicit Congestion Notification (ECN) value that echoes congestion to the source IP address, thereby alerting the source IP address that the RFP server is aware of the intended DoS IP attack. Further, the RFP server may generate, modify, and share filter criteria with one or more MGM node(s) of a multicast network, thereby improving DoS IP attack detection capabilities across the multicast network. Filter criteria may include, but are not limited to, source IP address, destination IP address, file size of IP packets, and the frequency with which IP packets are delivered.

AUTOMATIC THRESHOLD LIMIT CONFIGURATION FOR INTERNET OF THINGS DEVICES
20180159894 · 2018-06-07

Presented herein are techniques for mitigating a distributed denial of service attack. A method includes, at a network security device such as a firewall, monitoring network traffic flowing through the firewall and destined for a network device, determining whether the network traffic is below a predetermined amount, and, while the network traffic is below the predetermined amount, sending to the network device a plurality of probes, receiving responses from the network device in response to the probes, and setting one or more thresholds for subsequent traffic destined for the network device based on the responses received from the network device.

Systems and methods for inhibiting attacks with a network

Systems and methods for inhibiting attacks with a network are provided. In some embodiments, methods for inhibiting attacks by forwarding packets through a plurality of intermediate nodes when being transmitted from a source node to a destination node are provided, the methods comprising: receiving a packet at one of the plurality of intermediate nodes; determining at the selected intermediate node whether the packet has been sent to the correct one of the plurality of intermediate nodes based on a pseudo-random function; and forwarding the packet to the destination node based on the determining. In some embodiments, an intermediate node is selected based on a pseudo-random function. In some embodiments, systems and methods for establishing access to a multi-path network are provided.

LEVERAGING SYNTHETIC TRAFFIC DATA SAMPLES FOR FLOW CLASSIFIER TRAINING
20180152467 · 2018-05-31

In one embodiment, a device in a network receives traffic data regarding a plurality of observed traffic flows. The device maps one or more characteristics of the observed traffic flows from the traffic data to traffic characteristics associated with a targeted deployment environment. The device generates synthetic traffic data based on the mapped traffic characteristics associated with the targeted deployment environment. The device trains a machine learning-based traffic classifier using the synthetic traffic data.