A detection apparatus includes processing circuitry configured to store attack information including detection time, attack attribute, and communication destination of a DDoS attack, and extract, from a collection of the attack information, a combination of the attack information according to the detection time, the attack attribute, and the communication destination as a coincident attack, an intermittent attack, or an identical target attack.

A system and method for file type identification involving extraction of a file-print of a file, the file-print being a unique or practically-unique representation of statistical characteristics associated with the distribution of bits in the binary contents of the file, similar to a fingerprint. The file-print is then passed to a machine learning algorithm that has been trained to recognize file types from their file-prints. The machine learning algorithm returns a predicted file type and, in some cases, a probability of correctness of the prediction. The file may then be encoded using an encoding algorithm chosen based on the predicted file type.

Techniques for securing control and user plane separation in mobile networks (e.g., service provider networks for mobile subscribers, such as for 4G/5G networks) are disclosed. In some embodiments, a system/process/computer program product for securing control and user plane separation in mobile networks in accordance with some embodiments includes monitoring network traffic on a mobile network at a security platform to identify an Packet Forwarding Control Protocol (PFCP) message associated with a new session, in which the mobile network includes a 4G network or a 5G network; extracting a plurality of parameters from the PFCP message at the security platform; and enforcing a security policy at the security platform on the new session based on one or more of the plurality of parameters to secure control and user plane separation in the mobile network.

A method of collaboration between protecting services associated with one or more domains. Such a method includes: getting a first agent used by a first protecting service to identify an attack on at least one resource managed by a domain protected by the first protecting service; and transmitting, to at least one second agent used by a second protecting service having taken out a subscription to at least one information-sharing service offered by the first protecting service, at least one piece of information relating to the attack identified by the first agent.

An authentication result update method and a communications apparatus, where the authentication result update method includes: determining that an authentication result of a terminal device in a first serving network needs to be updated; and sending a first service invocation request to an authentication server, where the first service invocation request is used to request to update the authentication result stored in a unified data management device, where visited network spoofing can be prevented after authentication is completed, and where network security can be improved.

A server receives internet traffic from a client device. The server is one of multiple servers of a distributed cloud computing network which are each associated with a set of server identity(ies) including a server/data center certification identity. The server processes, at layer 3, the internet traffic including participating in a layer 3 DDoS protection service. If the traffic is not dropped by the layer 3 DDoS protection service, further processing is performed. The server determines whether it is permitted to process the traffic at layers 5-7 including whether it is associated with a server/data center certification identity that meets a selected criteria for the destination of the internet traffic. If the server does not meet the criteria, it transmits the traffic to another one of the multiple servers for processing the traffic at layers 5-7.

A method for reducing unwanted data traffic in a computer network due to a Distributed Reflection Denial of Service (DRDoS) attack. The method comprises operating a filtering module in a normal mode or a blocking mode to allow or block requests from being communicated within a computer network in response to data from a honeypot device in the computer network. The method allows the honeypot device to continue to monitor further attack requests that are received during the DRDoS attack.

A DDOS attack preventer implements an unconventional way of detecting and preventing DDOS attacks. The attack preventer receives and analyzes requests from a particular IP address or device. The attack preventer will track various characteristics of each request (e.g., characteristics of the data in the requests, characteristics of the input used to generate the requests, and characteristics of the device used to generate the requests). The attack preventer will analyze these characteristics to determine whether the requests are human-generated or machine-generated. If the requests are human-generated, the attack preventer services the requests. If the requests are machine-generated, the attack preventer rejects the requests.

A method for processing a denial of service (DOS) includes: receiving a de-authentication/disassociation (D/D) frame by an access point (AP), determining by the AP a state of security association establishment between the AP and a client device, maintaining a connection between the AP and the client device if the security association is incomplete, sending a probe packet from the AP to the client device if security association is complete and the connection between the AP and the client device is in a non-PMF (protected management frames) setting, maintaining the connection if the client device responds to the probe packet, and terminating the connection if the client device does not respond to the probe packet.

A threat detection system for a mobile communication system, and a global device and a local device thereof are provided. The threat detection system is used for detecting and defensing low and slow distributed denial-of-service (LSDDoS) attacks. The global device is located in a core network of the mobile communication system, and is used for training a tensor neural network (TNN) model to build a threat classifier. The threat classifier is used for the local device to identify a plurality of threat types. The local device inputs the to-be-identified data into the threat classifier to generate a classification result corresponding to one of the threat types.