Presented herein are techniques for remediating a distributed denial of service attack. A methodology includes, at a network device, such as a constrained resource Internet of Things (IoT) device, receiving from an authorization server cryptographic material sufficient to validate and decrypt tokens carried in packets, detecting a denial of service attack that employs packets containing invalid tokens, and in response to detecting the denial of service attack, signaling a remediation server for assistance to remediate the denial of service attack, and sending to the remediation server the cryptographic material over a secure communication channel such that the remediation server enables validation and decryption of tokens carried in packets, subsequent to detection of the denial of service attack, that are destined for the network device.

A method for processing network traffic data includes receiving a packet, and determining whether the packet is a previously dropped packet that is being retransmitted. A method for processing network traffic content includes receiving a plurality of headers, the plurality of headers having respective first field values, and determining whether the first field values of the respective headers form a first prescribed pattern. A method for processing network traffic content includes receiving a plurality of packets, and determining an existence of a flooding attack without tracking each of the plurality of packets with a SYN bit.

Described is a system for detecting attacks on mobile networks. The system includes the relevant hardware and components to perform a variety of operations including continuously measuring time-varying signals at each node in a network. The system determines network flux on the time-varying signals of all nodes in the network and detects a network attack if the network flux exceeds a predetermined threshold. Further, a reactive protocol is initiated if the network flux exceeds the predetermined threshold.

A security system detects anomalous activity in a network. The system logs user activity, which can include ports used, compares users to find similar users, sorts similar users into cohorts, and compares new user activity to logged behavior of the cohort. The comparison can include a divergence calculation. Origins of user activity can also be used to determine anomalous network activity. The hostname, username, IP address, and timestamp can be used to calculate aggregate scores and convoluted scores.

Embodiments defend a node in a network, e.g., a server or website, against distributed denial of service (DDoS) attacks through use of a criterion of discrimination between messages that the defended network node considers important to receive, and all other messages addressed to the defended network node. The use of this new criterion upends the conventional approach to defense against DDoS attacks. Whereas the conventional defense methods attempt to identify attack packets in order to drop them, embodiments identify packets that comply with an indication of packets defined as important by the defending server, as determined by a verification performed using the criterion of discrimination, thus making sure the compliant packets are delivered to their destination, while providing functionality for all other packets (those not identified as compliant) to be dropped.

A security system detects anomalous activity in a network. The system logs user activity, which can include ports used, compares users to find similar users, sorts similar users into cohorts, and compares new user activity to logged behavior of the cohort. The comparison can include a divergence calculation. Origins of user activity can also be used to determine anomalous network activity. The hostname, username, IP address, and timestamp can be used to calculate aggregate scores and convoluted scores.

Presented herein are techniques for remediating a distributed denial of service attack. A methodology includes, at a network device, such as a constrained resource Internet of Things (IoT) device, receiving from an authorization server cryptographic material sufficient to validate and decrypt tokens carried in packets, detecting a denial of service attack that employs packets containing invalid tokens, and in response to detecting the denial of service attack, signaling a remediation server for assistance to remediate the denial of service attack, and sending to the remediation server the cryptographic material over a secure communication channel such that the remediation server enables validation and decryption of tokens carried in packets, subsequent to detection of the denial of service attack, that are destined for the network device.

A system, method and computer readable storage medium that analyzes network traffic intercepts data communications occurring between one or more hosts and a preselected target host in a protected network. The intercepted data communication includes a plurality of data packets. The intercepted data communications are analyzed to determine volumetric incoming and outgoing traffic flows for the received data packets. The determined volumetric incoming traffic flow for the received packets is graphically represented by a first region. The determined volumetric outgoing traffic flow for the received packets is graphically represented by a second region. The graphical representation includes a plurality of nodes interconnected by a plurality of links. The plurality of nodes represents the hosts. The plurality of links indicate operational relationship between the preselected target host, the one or more hosts, communication ports and communication services used in the data communications.

A method for processing network traffic data includes receiving a packet, and determining whether the packet is a previously dropped packet that is being retransmitted. A method for processing network traffic content includes receiving a plurality of headers, the plurality of headers having respective first field values, and determining whether the first field values of the respective headers form a first prescribed pattern. A method for processing network traffic content includes receiving a plurality of packets, and determining an existence of a flooding attack without tracking each of the plurality of packets with a SYN bit.

A security system detects anomalous activity in a network. The system logs user activity, which can include ports used, compares users to find similar users, sorts similar users into cohorts, and compares new user activity to logged behavior of the cohort. The comparison can include a divergence calculation. Origins of user activity can also be used to determine anomalous network activity. The hostname, username, IP address, and timestamp can be used to calculate aggregate scores and convoluted scores.