Patent classifications
H04L2463/142
DYNAMIC DEVICE CLUSTERING USING DEVICE PROFILE INFORMATION
In one embodiment, a networking device in a network causes formation of device clusters of devices in the network. The devices in a particular cluster exhibit similar characteristics. The networking device receives feedback from a device identity service regarding the device clusters. The feedback is based in part on the device identity service probing the devices. The networking device adjusts the device clusters based on the feedback from the device identity service. The networking device performs anomaly detection in the network using the adjusted device clusters.
System and method for integrated header, state, rate and content anomaly prevention for session initiation protocol
Methods and systems for an integrated solution to rate-based denial of service attacks targeting the Session Initiation Protocol are provided. According to one embodiment, header, state, rate and content anomalies are prevented and network policy enforcement is provided for the Session Initiation Protocol (SIP). A hardware-based apparatus helps identify SIP rate thresholds through continuous and adaptive learning. The apparatus can determine SIP header and SIP state anomalies and drop packets containing those anomalies. SIP requests and responses are inspected for known malicious contents using a Content Inspection Engine. The apparatus integrates these solutions to prevent anomalous packets and enables a policy-based packet filter for SIP.
METHODS, SYSTEMS, AND COMPUTER READABLE MEDIA FOR MITIGATING LOCATION TRACKING AND DENIAL OF SERVICE (DoS) ATTACKS THAT UTILIZE ACCESS AND MOBILITY MANAGEMENT FUNCTION (AMF) LOCATION SERVICE
A method for mitigating location tracking and DoS attacks that utilize an AMF location service includes receiving, at an NF, an authentication response message from an HPLMN of a UE. The method further includes extracting, by the NF and from the authentication response message, a subscription identifier and an indicator of an authentication result for the UE. The method further includes storing, by the NF and in an AMF location service validation database, the subscription identifier and the indicator of the authentication result for the UE. The method further includes receiving, by the NF, an AMF location service message and using at least one of a subscription identifier extracted from the AMF location service message and contents of the AMF location service validation database, to classify the AMF location service message as a location tracking or DoS attack. The method further includes preventing the location tracking or DoS attack.
SCORE BOOSTING STRATEGIES FOR CAPTURING DOMAIN-SPECIFIC BIASES IN ANOMALY DETECTION SYSTEMS
In one embodiment, a device in a network detects an anomaly in the network using an anomaly detector. The anomaly corresponds to an anomalous behavior exhibited by one or more nodes in the network. The device computes an anomaly score for the anomaly that represents a measure of the anomalous behavior. The device adjusts the anomaly score using a boost score. The boost score is generated by a boosting function that accounts for domain-specific biases of the anomaly detector. The device reports the anomaly to a supervisory device based on whether the adjusted anomaly score exceeds a reporting threshold.
SYSTEM AND METHOD FOR DETECTING MALICIOUS CODE USING VISUALIZATION
Disclosed are a system and a method for detecting malicious code using visualization, in order to allow a user to intuitively detect the behavior of client terminals infected with malicious code. The system for detecting malicious code using visualization includes a data collection module which collects DNS packets, a parameter extraction module which extracts parameters for visualization from the collected DNS packets, a data loading module which loads the extracted parameters, a blacklist management module which manages blacklisted domains, a filter module which filters unnecessary data from the loaded data, and a visualization generation module which generates visualization patterns using the extracted parameters.
Distributed system for Bot detection
A system includes one or more “BotMagnet” modules that are exposed to infection by malicious code. The BotMagnets may include one or more virtual machines hosting operating systems in which malicious code may be installed and executed without exposing sensitive data or other parts of a network. In particular, outbound traffic may be transmitted to a Sinkhole module that implements a service requested by the outbound traffic and transmits responses to the malicious code executing within the BotMagnet. The Sinkhole module may implement a proxy mode in which traffic received by the Sinkhole module is transmitted to a destination specified in the traffic but modified to reference the Sinkhole as the source. Events occurring on the BotMagnet and Sinkhole are correlated and used to characterize the malicious code. The characterization may be transmitted to other computer systems in order to detect instances of the malicious code.
Methods and systems for reducing unwanted data traffic in a computer network
A method is provided for reducing unwanted data traffic in a computer network due to a Distributed Reflection Denial of Service (DRDoS) attack. The method comprises operating a filtering module in a normal mode or a blocking mode to allow or block requests from being communicated within the computer network in response to data from a honeypot device in the computer network. The method allows the honeypot device to continue to monitor further attack requests that are received during the DRDoS attack.
DETECTION AND MITIGATION OF DENIAL OF SERVICE ATTACKS IN DISTRIBUTED NETWORKING ENVIRONMENTS
Techniques for detecting and mitigating Denial of Service (DoS) attacks in a distributed networking environment are disclosed. In certain embodiments, a DoS detection and mitigation system is disclosed that automatically monitors and analyzes network traffic data in a distributed networking environment using a set of pre-defined threshold criteria. The system includes capabilities for automatically invoking various mitigation techniques that take actions on malicious traffic based on the analysis and the pre-defined threshold criteria. The system includes capabilities for automatically detecting and mitigating “outbound” DoS attacks by analyzing network traffic data originating from an entity within the network to a public network (e.g., the Internet) outside the network, as well as detecting and mitigating “east-west” DoS attacks by analyzing network traffic data originating from a first entity located in a first data center of the network to a second entity located in a second data center of the network.
Denial-of-service detection system
A denial-of-service detection system includes a denial-of-service detection subsystem coupled to a plurality of storage systems via a network. The denial-of-service detection subsystem receives current first storage system data for each of a plurality of different storage system operating metrics from a first storage system included in the plurality of storage systems. Based on historical storage system data for each of the plurality of different storage system operating metrics that was previously received from the plurality of storage systems, the denial-of-service detection subsystem detects an operating anomaly in the current first storage system data for at least one of the plurality of different storage system operating metrics, identifies a time-series similarity in a subset of the respective time series of the current first storage system data for each of the plurality of different storage system operating metrics for which the operating anomaly was detected and, in response, performs a denial-of-service remediation action.
ANALYSIS SYSTEM, METHOD, AND PROGRAM
The topology identification unit 4 identifies a network topology of devices included in the system to be diagnosed. The detection unit 5 detects first attack routes that indicate flows of attacks that can be executed in the system to be diagnosed, based on security information about each device. The damage identification unit 8 identifies damage information that indicates content of damage of devices on the first attack routes when the devices are attacked. The detection unit 5 detects, based on the security information and the identified damage information, second attack routes that indicate flows of attacks that can be executed resulting from the content of damage.