Patent classifications
H04L2463/143
METHODS AND SYSTEMS FOR REDUCING UNWANTED DATA TRAFFIC IN A COMPUTER NETWORK
A method for reducing unwanted data traffic in a computer network due to a Distributed Reflection Denial of Service (DRDoS) attack. The method comprises operating a filtering module in a normal mode or a blocking mode to allow or block requests from being communicated within a computer network in response to data from a honeypot device in the computer network. The method allows the honeypot device to continue to monitor further attack requests that are received during the DRDoS attack.
NETWORK ANOMALY DETECTION
A security system detects anomalous activity in a network. The system logs user activity, which can include ports used, compares users to find similar users, sorts similar users into cohorts, and compares new user activity to logged behavior of the cohort. The comparison can include a divergence calculation. Origins of user activity can also be used to determine anomalous network activity. The hostname, username, IP address, and timestamp can be used to calculate aggregate scores and convoluted scores.
Defeating man-in-the-middle attacks in one leg of 1+1 redundant network paths
In one embodiment, an elimination point device in a network obtains a master secret from a network controller. The elimination point device assesses, using the master secret, whether an incoming packet received by the elimination point device from a redundant path between the elimination point device and a replication point device in the network includes a valid message integrity check (MIC). The elimination point device determines whether the incoming packet was injected maliciously into the redundant path, based on the assessment of the incoming packet. The elimination point device initiates performance of a mitigation action in the network, when the elimination point device determines that the incoming packet was injected maliciously into the redundant path.
Network anomaly detection
A security system detects anomalous activity in a network. The system logs user activity, which can include ports used, compares users to find similar users, sorts similar users into cohorts, and compares new user activity to logged behavior of the cohort. The comparison can include a divergence calculation. Origins of user activity can also be used to determine anomalous network activity. The hostname, username, IP address, and timestamp can be used to calculate aggregate scores and convoluted scores.
METHOD OF BLOCKING OR PASSING MESSAGES SENT VIA A FIREWALL BASED ON PARSING OF SYMBOLS STRINGS CONTAINED IN MESSAGES AMONG DIFFERENT KEYWORDS
This invention relates to a method of blocking or passing messages sent via a firewall, based on parsing of symbol strings contained in said messages among different keywords, and assigning to said messages either a blocking class or a passing class. The method comprises: performing a dimensionality reduction step for said different classes on a training set of messages whose classes are known, and then classifying one or more unknown messages among said different classes with reduced dimensionality. Said dimensionality reduction step is performed on said training set of messages by machine learning, including processing, for several first matrices and for several second matrices, a parameter representative of a product of a first and a second matrix to assess to which given class a given message belongs: the first matrix represents a first array of keywords versus symbol strings contained in a first given message; the second matrix represents the values of differences between said first array and a second array of keywords versus symbol strings contained in a second given message, different from the first given message but known to belong to the same class as the first given message. A quantum singular value estimation is performed on the first matrix, a quantum singular value estimation is performed on the second matrix, and both estimations are combined, via quantum calculation, to obtain a quantum singular value estimation of said product of the first and second matrices, this estimation being the parameter processed to assess to which given class said first given message belongs.
Method for defending against or mitigating DDoS attacks on IT infrastructures
The disclosure relates to computer-based communication systems, such as the Internet, and in particular systems and methods for defending against DoS attacks (denial of service attacks) on Internet servers.
Visualization of traffic flowing through a host
A system, method and computer-readable storage medium for analyzing network traffic intercepts data communications occurring between one or more hosts and a preselected target host in a protected network. The intercepted data communications include a plurality of data packets. The intercepted data communications are analyzed to determine volumetric incoming and outgoing traffic flows for the received data packets. The determined volumetric incoming traffic flow for the received packets is graphically represented by a first region. The determined volumetric outgoing traffic flow for the received packets is graphically represented by a second region. The graphical representation includes a plurality of nodes interconnected by a plurality of links. The plurality of nodes represents the hosts. The plurality of links indicates the operational relationships between the preselected target host, the one or more hosts, and the communication ports and communication services used in the data communications.
TRANSMISSION FRAME COUNTER
An apparatus may comprise a processing resource operatively coupled to a memory resource and a frame determination component operatively coupled to the processing resource and the memory resource. The frame determination component may cause a counter corresponding to a particular station associated to the apparatus to be stored in the memory resource, the counter to be incremented in response to receipt of a transmission frame containing an invalid starting sequence number (SEN) and a deauthentication frame to be transmitted in response to receipt of a threshold number of transmission frames containing the invalid.
Priority based deep packet inspection
A method of monitoring a network is provided. The method includes receiving a packet of network traffic, determining a source IP address of the packet, consulting a database of source IP addresses, each source IP address having an associated probability of threat indicator (PTI) that indicates a probability of threat posed by the source IP address. The packet's source IP address' PTI is assigned to the packet as the packet's PTI, and one or more inspection checks are selected to be performed on the packet, wherein the selection of the inspection checks is a function of the packet's source IP address PTI. The method further includes performing the selected inspection checks, assigning treatment of the packet based on a result of the inspection checks performed, and adjusting the packet's source IP address' PTI or the packet's PTI based on the result of the one or more inspection checks performed.
DEFEATING MAN-IN-THE-MIDDLE ATTACKS IN ONE LEG OF 1+1 REDUNDANT NETWORK PATHS
In one embodiment, an elimination point device in a network obtains a master secret from a network controller. The elimination point device assesses, using the master secret, whether an incoming packet received by the elimination point device from a redundant path between the elimination point device and a replication point device in the network includes a valid message integrity check (MIC). The elimination point device determines whether the incoming packet was injected maliciously into the redundant path, based on the assessment of the incoming packet. The elimination point device initiates performance of a mitigation action in the network, when the elimination point device determines that the incoming packet was injected maliciously into the redundant path.