H04L2463/142

METHODS AND SYSTEMS FOR PREVENTION OF ATTACKS ASSOCIATED WITH THE DOMAIN NAME SYSTEM
20210250332 · 2021-08-12

The attack vectors for some denial-of-service cyber attacks on the Internet's Domain Name System (DNS) are bad, bogus, or unregistered domain name DNS requests to resolve domain names that are not registered in the DNS. Some other cyber attacks steal sensitive data by encoding the data in bogus domain names, or domain names otherwise not registered in the DNS, that are transferred across networks in bogus DNS requests. A DNS gatekeeper may filter in-transit packets containing DNS requests and may efficiently determine if a request's domain name is registered in the DNS. When the domain name is not registered in the DNS, the DNS gatekeeper may take one of a plurality of protective actions. The DNS gatekeeper drops requests determined not to be legitimate, which may prevent an attack.

DETECTING AND PREVENTING DENIAL OF SERVICE ATTACKS DUE TO FRAUDULENT BSS COLOR COLLISION EVENTS
20210226989 · 2021-07-22

A management entity obtains from a first wireless access point a Basic Service Set (BSS) color collision event detected by the first wireless access point. The first wireless access point uses a first BSS color. A color collision event occurs when the first wireless access point receives, from a device in the BSS of a different physical wireless access point, a frame or PHY Protocol Data Unit (PPDU) that includes the first BSS color. The management entity obtains from the first wireless access point an indication of whether the color collision event has been detected for longer than a predetermined duration. When the color collision event has been detected for longer than the predetermined duration, the management entity computes a probability of the color collision event. The management entity determines whether the color collision event is malicious or benign, and determines whether to maintain the first BSS color.

Systems and methods for delegating endpoint security operations to a nearby computing device
11095683 · 2021-08-17

The disclosed computer-implemented method for delegating endpoint security operations to a nearby computing device may include (i) receiving device state data from one or more computing devices, (ii) determining a device state reputation for each of the one or more computing devices based on the device state data, (iii) selecting a device from the one or more computing devices based on the device state reputation for each of the one or more computing devices, and (iv) in response to selecting the device, delegating one or more operations for a security action to the selected device. Various other methods, systems, and computer-readable media are also disclosed.

PROTECTING DEVICE CLASSIFICATION SYSTEMS FROM ADVERSARIAL ENDPOINTS

In various embodiments, a device classification service clusters devices in a network into a device type cluster based on attributes associated with the devices. The device classification service tracks changes to the device type cluster over time. The device classification service detects an attack on the device classification service by one or more of the devices based on the tracked changes to the device type cluster. The device classification service initiates a mitigation action for the detected attack on the device classification service.

METHOD AND SYSTEM FOR RESTRICTING TRANSMISSION OF DATA TRAFFIC FOR DEVICES WITH NETWORKING CAPABILITIES

A method and a system for restricting data packet transmission of an apparatus at a network node. During a first time period, the network node updates a whitelist and does not restrict data packet transmission according to the whitelist. After the first time period, the network node determines the corresponding destination address of each data packet and allows the data packet to be sent to that destination address if a criterion is satisfied; it does not allow the data packet to be sent to that destination address if the criterion is not satisfied. The whitelist comprises at least one destination address, and the criterion is based on the at least one destination address. The whitelist is stored in a non-transitory computer-readable storage medium in the network node.

ANOMALY DETECTION METHOD AND ANOMALY DETECTION DEVICE

In an anomaly detection method that determines whether each frame in observation data, constituted by a collection of frames sent and received over a communication network system, is anomalous, a difference is calculated between the data distribution of a feature amount extracted from the frame in the observation data and the data distribution for a collection of frames sent and received over the communication network system obtained at a different timing from the observation data. A frame having a feature amount for which the difference is a predetermined value or higher is determined to be an anomalous frame. An anomaly contribution level of the feature amounts extracted from the frame determined to be anomalous is calculated, and an anomalous payload part, which is at least one part of the payload corresponding to a feature amount whose anomaly contribution level is at least the predetermined value, is output.

ILLEGAL SIGNAL DETECTION APPARATUS
20210273956 · 2021-09-02

An illegal signal detection apparatus includes a CPU and a memory. The CPU is configured to perform: reading a normal signal input to a communication network at a first cycle and an abnormal signal input to the communication network at a second cycle shorter than the first cycle; counting the number of abnormal signals read in the reading; and determining whether a count value corresponding to the number of abnormal signals read is equal to or greater than a predetermined threshold value when an abnormal state, in which the abnormal signal is read within a predetermined unit time period, continuously occurs for a predetermined time period. The counting includes weighting the count value so that the count value increases, relative to the number of abnormal signals read, as the number of abnormal signals read increases.

LIGHTWEIGHT INTRUSION DETECTION APPARATUS AND METHOD FOR VEHICLE NETWORK

Disclosed herein are a lightweight intrusion detection method and apparatus for a vehicle network. The lightweight intrusion detection method may include collecting Ethernet packets from a domain gateway of a vehicle that provides a mirroring port, performing a primary intrusion detection check on the Ethernet packets using a rule-based intrusion detection technique, and performing a secondary intrusion detection check on the Ethernet packets using a machine learning-based intrusion detection technique when no intrusion attack is detected as a result of the primary intrusion detection check.

Signaling attack prevention method and apparatus
10972917 · 2021-04-06

A signaling attack prevention method and apparatus, where the method includes receiving a general packet radio service (GPRS) Tunneling Protocol (GTP-C) message from a serving gateway (SGW), determining whether the GTP-C message is received from an eighth data interface (S8), determining whether a first characteristic parameter of the GTP-C message is valid when the GTP-C message is received from the S8 interface, where the first characteristic parameter includes at least one of an international mobile subscriber identity (IMSI) of a user, or an identifier of a message source end of the GTP-C message, and discarding the GTP-C message or returning, to the SGW, a GTP-C response message carrying an error code cause value when the first characteristic parameter of the GTP-C message is invalid.

EARLY DETECTION OF DEDICATED DENIAL OF SERVICE ATTACKS THROUGH METRICS CORRELATION
20210144172 · 2021-05-13

A monitoring service obtains request data specifying entries corresponding to requests received by a Domain Name System service to obtain an Internet Protocol address for a resource and to requests received by a web service to access the resource. The monitoring service uses that request data to generate a request frequency value corresponding to the received requests and compares this value to a baseline request frequency value. If the request frequency value exceeds the baseline request frequency value by a maximum threshold value, the monitoring service performs an operation to redirect network traffic originally directed towards the web service.