H04L2463/142

SYSTEM AND METHOD FOR PROVIDING INSIGHTS ON DISTRIBUTED DENIAL OF SERVICE ATTACKS
20190182291 · 2019-06-13

A system and method for generating insights on distributed denial of service (DDoS) attacks are provided. The method includes receiving a plurality of data feeds from a plurality of data sources; processing the plurality of received data feeds to generate enriched data sets; and analyzing the enriched data sets to generate insights information about a DDoS attack and about the participants in at least one DDoS attack.

TECHNIQUES FOR PREDICTING SUBSEQUENT ATTACKS IN ATTACK CAMPAIGNS

A method and system for predicting subsequent cyber-attacks in attack campaigns are provided. The method includes receiving events data related to cyber-attacks occurring in a network during a predefined time window; extracting, from the received events data, at least one sequence of at least one attack vector; generating a sequence signature for each of the at least one extracted sequence; comparing each sequence signature to a representation of historic sequence signatures to determine an at least partially matching sequence signature; and, based on the matching sequence, determining at least one subsequent cyber-attack in the respective sequence.

REQUEST ROUTING PROCESSING

Generally described, the present disclosure is directed to managing request routing functionality corresponding to resource requests for one or more resources associated with a content provider. The processing of the DNS requests by the service provider can include the selective filtering of DNS queries associated with a DNS query-based attack. A service provider can assign DNS servers corresponding to a distributed set of network addresses, or portions of network addresses, such that DNS queries exceeding a threshold, such as in DNS query-based attacks, can be filtered in a manner that mitigates the performance impact on the content provider or service provider.

Preventing delivery of service attacks on a communication network

The present disclosure relates to a control unit arrangement (6, 6, 6) that is adapted to acquire instructions relating to one or more certain predefined scheduling communication patterns for communication between a wireless communication node (2) and a served user terminal (3a, 3b, 3c) comprised in a wireless communication system (1), and to determine if the user terminal (3a, 3b, 3c) is scheduled according to any one of the predefined scheduling communication patterns for a number of times that exceeds a predetermined number of times. If that is the case, the control unit arrangement (6, 6, 6) is adapted to report the user terminal (3a, 3b, 3c) to a communication traffic handling function (4, 5) comprised in the wireless communication system (1).

MONITOR APPARATUS, METHOD, AND NON-TRANSITORY COMPUTER READABLE STORAGE MEDIUM THEREOF
20190156026 · 2019-05-23

A monitor apparatus, method, and non-transitory computer readable storage medium thereof are provided. The monitor method is adapted for an electronic computing apparatus, wherein the electronic computing apparatus stores a smart contract and a blockchain ledger of a blockchain system. The monitor method periodically executes the following steps: (a) obtaining a piece of behavior information of a first electronic apparatus at a time point, (b) retrieving, via the smart contract, a plurality of pieces of previous behavior information within a time interval from the blockchain ledger, wherein the time interval is defined by the time point, and each piece of previous behavior information corresponds to one of a plurality of second electronic apparatuses and the first electronic apparatus, (c) determining a legality of the piece of behavior information according to the pieces of previous behavior information, and (d) writing the behavior information into the blockchain ledger.

APPARATUS, SYSTEM AND METHOD FOR IDENTIFYING AND MITIGATING MALICIOUS NETWORK THREATS

Implementations of the present disclosure involve a system and/or method for identifying and mitigating malicious network threats. Associated network data is retrieved from various sources across a network and analyzed to identify a malicious network threat. When a threat is found, the system performs a mitigating action to neutralize the malicious network threat.

Analysis system, method, and program
12034757 · 2024-07-09

The topology identification unit 4 identifies a network topology of devices included in the system to be diagnosed. The detection unit 5 detects first attack routes that indicate flows of attacks that can be executed in the system to be diagnosed, based on security information about each device. The damage identification unit 8 identifies damage information that indicates content of damage of devices on the first attack routes when the devices are attacked. The detection unit 5 detects, based on the security information and the identified damage information, second attack routes that indicate flows of attacks that can be executed resulting from the content of damage.

Methods and Systems for Prevention of Attacks Associated with the Domain Name System
20240259345 · 2024-08-01

The attack vectors for some denial-of-service cyber attacks on the Internet's Domain Name System (DNS) are bad, bogus, or unregistered domain name DNS requests to resolve domain names that are not registered in the DNS. Some other cyber attacks steal sensitive data by encoding the data in bogus domain names, or domain names otherwise not registered in the DNS, that are transferred across networks in bogus DNS requests. A DNS gatekeeper may filter in-transit packets containing DNS requests and may efficiently determine if a request's domain name is registered in the DNS. When the domain name is not registered in the DNS, the DNS gatekeeper may take one of a plurality of protective actions. The DNS gatekeeper drops requests determined not to be legitimate, which may prevent an attack.

Device and method for detecting command and control channel
10218725 · 2019-02-26

A device for detecting a command and control channel includes: a session log collector for collecting log information of sessions generated between at least one communication device of a first network and at least one communication device of a second network; an analyzer for generating test data for the respective sessions based on the log information, and calculating a test data distribution based on the test data of the sessions; and a determiner for extracting a test data value corresponding to an abnormal distribution from the test data distribution based on an abnormal distribution determination standard, and estimating the sessions relating to the extracted test data value to be a command and control channel.

Dynamic device clustering using device profile information

In one embodiment, a networking device in a network causes formation of device clusters of devices in the network. The devices in a particular cluster exhibit similar characteristics. The networking device receives feedback from a device identity service regarding the device clusters. The feedback is based in part on the device identity service probing the devices. The networking device adjusts the device clusters based on the feedback from the device identity service. The networking device performs anomaly detection in the network using the adjusted device clusters.