H04L2463/143

Malicious black hole node detection and circumvention

A method includes assigning a rating to each of a plurality of nodes within the network and decrementing a node's rating based on detected dropped messages to identify a potentially malicious node. The malicious node is then identified based on location information obtained from the nodes within the network and comparable distances from the potentially malicious node. The method further includes ending communications with the malicious node and selecting a new parent node based on a presumption that any of the plurality of nodes other than the malicious node are non-malicious.

SYSTEM AND METHOD FOR DETECTING ATTACKS ON MOBILE AD HOC NETWORKS BASED ON NETWORK FLUX
20170318032 · 2017-11-02

Described is a system for detecting attacks on mobile networks. The system includes the relevant hardware and components to perform a variety of operations, including continuously measuring time-varying signals at each node in a network. The system determines network flux from the time-varying signals of all nodes in the network and detects a network attack if the network flux exceeds a predetermined threshold. Further, a reactive protocol is initiated if the network flux exceeds the predetermined threshold.

Methods and systems for synchronizing state amongst monitoring nodes
11489815 · 2022-11-01

Methods and systems for synchronizing state information amongst monitoring nodes for DDoS attack mitigation are disclosed. Embodiments of the present technology may include a method for synchronizing state information amongst monitoring nodes, the method including identifying a packet as a state-related packet by inspecting the packet below a TCP/IP stack in a monitoring node and implementing state synchronization operations below the TCP/IP stack of the monitoring node in response to identifying the packet as a state-related packet, wherein the state synchronization operations include updating an allowlist stored as a key-value map in the monitoring node based on the identified packet and generating a state update packet based on the identified packet.

Methods and systems for reducing unwanted data traffic in a computer network

A method is provided for reducing unwanted data traffic in a computer network due to a Distributed Reflection Denial of Service (DRDoS) attack. The method comprises operating a filtering module in a normal mode or a blocking mode to allow or block requests from being communicated within the computer network, in response to data from a honeypot device in the computer network. The method allows the honeypot device to continue to monitor further attack requests that are received during the DRDoS attack.

Threat detection system for mobile communication system, and global device and local device thereof

A threat detection system for a mobile communication system, and a global device and a local device thereof, are provided. The threat detection system is used for detecting and defending against low and slow distributed denial-of-service (LSDDoS) attacks. The global device is located in a core network of the mobile communication system and is used for training a tensor neural network (TNN) model to build a threat classifier. The threat classifier is used by the local device to identify a plurality of threat types. The local device inputs to-be-identified data into the threat classifier to generate a classification result corresponding to one of the threat types.

PRIORITY BASED DEEP PACKET INSPECTION
20220182398 · 2022-06-09

A method of monitoring a network is provided. The method includes receiving a packet of network traffic, determining a source IP address of the packet, and consulting a database of source IP addresses, each source IP address having an associated probability of threat indicator (PTI) that indicates a probability of threat posed by the source IP address. The PTI of the packet's source IP address is assigned to the packet as the packet's PTI, and one or more inspection checks are selected to be performed on the packet, wherein the selection of the inspection checks is a function of the packet's source IP address PTI. The method further includes performing the selected inspection checks, assigning treatment of the packet based on a result of the inspection checks performed, and adjusting the PTI of the packet's source IP address or the packet's PTI based on the result of the one or more inspection checks performed.

Method of blocking or passing messages sent via a firewall based on parsing of symbols strings contained in messages among different keywords
11741386 · 2023-08-29

This invention relates to a method of blocking or passing messages sent via a firewall, based on parsing, of symbols strings contained in said messages, among different keywords, assigning to said messages either a blocking class or a passing class, comprising: performing a dimensionality reduction step for said different classes on a training set of messages whose classes are known, and then classifying one or more unknown messages among said different classes with reduced dimensionality, said dimensionality reduction step being performed on said training set of messages by machine learning including processing, for several first matrices and for several second matrices, a parameter representative of a product of two first and second matrices to assess to which given class a given message belongs: first matrix representing a first array of keywords versus symbols strings contained in a first given message, second matrix representing the values of differences between said first array and a second array of keywords versus symbols strings contained in a second given message different from first given message but known to belong to same class as first given message, wherein: a quantum singular value estimation is performed on first matrix, a quantum singular value estimation is performed on second matrix, both quantum singular value estimation of first matrix and quantum singular value estimation of second matrix are combined together, via quantum calculation, so as to get at a quantum singular value estimation of said product of both first and second matrices, said quantum singular value estimation of said product of both first and second matrices being said parameter representative of said product of two first and second matrices processed to assess to which given class said first given message belongs.

Network anomaly detection
11310254 · 2022-04-19

A security system detects anomalous activity in a network. The system logs user activity, which can include ports used, compares users to find similar users, sorts similar users into cohorts, and compares new user activity to logged behavior of the cohort. The comparison can include a divergence calculation. Origins of user activity can also be used to determine anomalous network activity. The hostname, username, IP address, and timestamp can be used to calculate aggregate scores and convoluted scores.

Real time management of botnet attacks

A system and computer-implemented method of managing botnet attacks on a computer network is provided. The system and method include receiving DNS requests included in network traffic, each DNS request including a domain name of a target host and identifying a source address of a source host, wherein translation of the domain name, if performed, provides an IP address to the source host that requested the translation. The domain name of the DNS request is compared to a botnet domain repository, wherein the botnet domain repository includes one or more entries, each entry having a confirmation indicator that indicates whether the entry corresponds to a confirmed botnet. If the comparison determines that the domain name of the DNS request is included in the botnet domain repository, then the source address of the DNS request is stored or updated in an infected host repository and a control signal is output to cause any future network traffic from the source address to be diverted to an administrator-configured address. Each source address stored in the infected host repository identifies a host known to be infected.

Mitigation of network denial of service attacks using IP location services

A computer method and system detect denial of service network attacks by analyzing intercepted data packets on a network to determine a user account, associated with a preselected target host, that is sought to be accessed via a user account login attempt. The method determines whether the login attempt exceeds a predetermined login value for previous failed login attempts associated with the user account sought to be accessed. If the login attempt exceeded the predetermined login value, a geographic location associated with the login attempt is determined. The method then determines whether a prior login attempt to the user account sought to be accessed was successful from the determined geographic location. The login attempt to the user account is authenticated in the event that a prior successful login attempt was made to the user account from the determined geographic location or no prior login attempts originated from the determined geographic location.