Patent classifications
H04L2463/142
SYSTEMS AND METHODS FOR PROTECTING DNS SERVERS FROM WATER TORTURE DDOS ATTACKS
A system is disclosed. The system can include a network monitoring device connected to a communications network. The network monitoring device is configured to store a probabilistic data structure indicating one or more domain names; receive a response data packet from the DNS server, the response data packet comprising a first domain name transmitted in a query to the DNS server and an affirmative response code; update the probabilistic data structure with the first domain name identified from the response data packet; responsive to detecting an attack on the network, retrieve a query message, the query message containing a second domain name; query the updated probabilistic data structure with the second domain name; and restrict transmission of the query message or communication by the computing device with the DNS server.
METHODS AND SYSTEMS FOR DETECTING DENIAL OF SERVICE ATTACKS ON A NETWORK
Method and system for detecting a Denial-of-Service (DOS) attack on a network. The method includes sampling traffic carried by the network between data processing devices, the traffic comprising data packets transmitted between the data processing devices; determining statistically estimated features of the traffic based on the sampling; executing one or more heuristic algorithms based on the statistically estimated features, the one or more heuristic algorithms being configured to generate a confidence score indicative of a probability that at least some of the data packets constitute a DOS attack; and comparing the confidence score with a confidence threshold to determine whether a mitigation order is to be generated.
IDENTIFYING THREATS BASED ON HIERARCHICAL CLASSIFICATION
A system and a method are disclosed for identifying network threats based on hierarchical classification. The system receives packet flows from a data network and determines flow features for the received packet flows based on data from the packet flows. The system also classifies each packet flow into a flow class based on flow features of the packet flow. Based on a criterion, the system selects packet flows from the received packet flows and places the selected packet flows into an event set that represents an event on the network. The system determines event set features for the event set based on the flow features of the selected packet flows. The system then classifies the event set into a set class based on the determined event set features. Based on the set class, the computer system may report a threat incident on an internetworking device that originated the selected packet flows.
DEVICE AND METHOD FOR DETECTING COMMAND AND CONTROL CHANNEL
A device for detecting a command and control channel includes: a session log collector for collecting log information of sessions generated between at least one communication device of the first network and at least one communication device of the second network; an analyzer for generating test data for respective sessions based on the log information, and calculating a test data distribution based on test data of the sessions; and a determiner for extracting a test data value corresponding to an abnormal distribution from the test data distribution based on an abnormal distribution determination standard, and estimating sessions relating to the extracted test data value as a command and control channel.
COMMUNICATION DEVICE, NON-TRANSITORY COMPUTER-READABLE RECORDING MEDIUM STORING COMPUTER-READABLE INSTRUCTIONS FOR COMMUNICATION DEVICE, AND METHOD EXECUTED BY COMMUNICATION DEVICE
A communication device may receive, from a first external device, attack detection information indicating that a specific attack has been detected; in a case where the attack detection information is received from the first external device and a first program for addressing the specific attack exists, update a second program stored in the communication device by using the first program; and in a case where the attack detection information is received from the first external device and the first program does not exist, execute a first addressing process for addressing the specific attack, the first addressing process being indicated by specific addressing information received from a first server.
Training method for detection model, system, device, and storage medium
This application provides a training method for a detection model, a system, a device, and a storage medium. It belongs to the field of network security technologies and further relates to the application of AI technology in that field. Some embodiments of this application provide a method for training a detection model by using federated learning. In the method, a gateway device serves as a participant in federated learning, and a server aggregates model parameters and delivers shared malicious samples to the gateway device. When the gateway device performs model training, it exchanges information such as the model parameters and the shared samples with the server, to obtain a detection model through training.
SYSTEMS AND METHODS FOR NETWORK SECURITY MODEL
A security apparatus for a local network is in communication with an external electronic communication system and a first electronic device. The apparatus includes a memory device configured to store computer-executable instructions, and a processor in operable communication with the memory device. The processor is configured to implement the stored computer-executable instructions to cause the apparatus to determine a complexity score for the first electronic device, establish a behavioral pattern for the first electronic device operating within the local network, calculate a confidence metric for the first electronic device based on the determined complexity score and the established behavioral pattern, and control access of the first electronic device to the external electronic network according to the calculated confidence metric.
Mitigating denial of service attacks on telecommunication services
Systems and methods are provided for mitigating undesirable service disruptions in a communications network. Based on a determination that an access failure rate exceeds a threshold, it may be determined that a particular service is degraded or that a requesting user device is not authorized to access the service. One or more mitigation protocols may be used to block subsequent attempts by the requesting user device, a set of user devices associated with the requesting user device, or an area associated with the requesting user device to request access to the service.
Methods and systems for prevention of attacks associated with the domain name system
The attack vectors for some denial-of-service cyber attacks on the Internet's Domain Name System (DNS) are bad, bogus, or unregistered domain name DNS requests to resolve domain names that are not registered in the DNS. Some other cyber attacks steal sensitive data by encoding the data in bogus domain names, or domain names otherwise not registered in the DNS, that are transferred across networks in bogus DNS requests. A DNS gatekeeper may filter in-transit packets containing DNS requests and may efficiently determine if a request's domain name is registered in the DNS. When the domain name is not registered in the DNS, the DNS gatekeeper may take one of a plurality of protective actions. The DNS gatekeeper drops requests determined not to be legitimate, which may prevent an attack.