H04L63/0227

Protecting Networks from Cyber Attacks and Overloading
20230126426 · 2023-04-27

Packets may be received by a packet security gateway. Responsive to a determination that an overload condition has occurred in one or more networks associated with the packet security gateway, a first group of packet filtering rules may be applied to at least some of the packets. Applying the first group of packet filtering rules may include allowing at least a first portion of the packets to continue toward their respective destinations. Responsive to a determination that the overload condition has been mitigated, a second group of packet filtering rules may be applied to at least some of the packets. Applying the second group of packet filtering rules may include allowing at least a second portion of the packets to continue toward their respective destinations.

RAPTOR CODE FEEDBACK
20230072054 · 2023-03-09

Methods, systems, and devices for wireless communications are described. An encoding device may encode a set of source symbols using one or more raptor codes to generate a first set of encoded symbols and may transmit the first set of encoded symbols to a decoding device. The decoding device may successfully recover a source symbol of the set of source symbols from the first set of encoded symbols and may transmit an indication of the source symbol to the encoding device. The encoding device may encode one or more source symbols of the set of source symbols using the one or more raptor codes to generate a second set of encoded symbols based on receiving the indication of the source symbol and may transmit the second set of encoded symbols to the decoding device.

METHOD OF ANALYSING ANOMALOUS NETWORK TRAFFIC
20230129367 · 2023-04-27

A computer-implemented method of analysing anomalous network traffic in a telecommunications network, said telecommunications network comprising a plurality of network entities (120, 110) and a security analyser (130-3), wherein the method comprises the steps of: receiving at the security analyser a network communication from a first network entity; identifying the first network entity; by means of the security analyser: analysing the network communication and/or a performance of the first network entity thereby to identify the network communication as an anomalous communication (310); in response to identifying the network communication as an anomalous communication, communicating an instruction to the identified first network entity to respond with origin information regarding the anomalous communication, wherein the origin information identifies a preceding network entity from which the anomalous communication was directly received by the first network entity (320, 330); commencing with the preceding network entity, iteratively communicating an instruction to a preceding network entity to respond with origin information for identifying another preceding network entity from which the anomalous communication was directly received until a source network entity from which the anomalous communication originated is identified (380, 390); and applying a security policy to the identified source network entity (370).

CLASSIFICATION OF ENCRYPTED INTERNET TRAFFIC
20230127439 · 2023-04-27

A method includes obtaining a first plurality of encrypted traffic flows traversing a communication network; performing a first classification, wherein a result of the first classification identifies a traffic type associated with each encrypted traffic flow of the first plurality of encrypted traffic flows, and wherein the first classification is based on a traffic pattern of each encrypted traffic flow; performing a second classification, wherein a result of the second classification identifies a traffic type associated with each server name indication with which the first plurality of encrypted traffic flows is associated, and wherein the second classification is based on the result of the first classification; and performing a third classification identifying a traffic type associated with each encrypted traffic flow of the first plurality of encrypted traffic flows, wherein the third classification is based on a combination of the results of the first classification and the second classification.

NETWORK DEVICE TYPE CLASSIFICATION
20220337488 · 2022-10-20

A method of identifying network devices includes transforming a first data set of feature-rich device characteristics of devices with known device identities to a second data set comprising feature-poor device characteristics with the known device identities. A third data set of feature-poor device characteristics of devices with known identities is collected. A statistical model is derived comprising one or more adjustments to the transformed data set, the statistical model reflecting a difference in statistical distribution between one or more characteristics of the second data set of transformed device characteristics and one or more corresponding and/or related characteristics of the third data set of feature-poor device characteristics. A device identification module is trained based on the second data set of feature-poor characteristics and the statistical model adjustments, the trained device identification module operable to use feature-poor device characteristics to identify network devices.

INLINE DETECTION OF ENCRYPTED MALICIOUS NETWORK SESSIONS
20230075094 · 2023-03-09

An inline malicious traffic detector captures handshake messages in a session with a security protocol. The inline malicious traffic detector comprises a classifier that generates a verdict for the session indicating malicious or benign. The classifier is trained on labelled sessions using custom features generated from handshake messages. Based on determining that the session is malicious using features of the handshake messages, the inline malicious traffic detector blocks the session.

SYSTEMS AND METHODS FOR CONTROLLING AN INDUSTRIAL ASSET IN THE PRESENCE OF A CYBER ATTACK

Systems and methods are provided for the control of an industrial asset, such as a power generating asset. Accordingly, an interceptor module receives a state-change instruction from a state module that directs a change from a first state condition to a second state condition. The first and second state conditions direct modes of operation of at least one sub-module of the controller of the industrial asset. The interceptor module then correlates the state-change instruction to a state-change classification. Based on the state-change classification, the interceptor module identifies an indication of a mode-switching attack. In response to the identification of the mode-switching attack, at least one mitigation response is implemented.

DETERMINING TRUSTED FILE AWARENESS VIA LOOSELY CONNECTED EVENTS AND FILE ATTRIBUTES

Disclosed in some examples are methods, systems, devices, and machine-readable mediums which monitor for file system element transfers to and from both the endpoint and authorized accounts on network-based service providers (e.g., cloud-based storage). The system uses the capabilities of monitoring both the network-based service and the client computing device to filter out legitimate uploads to authorized network-based services and legitimate downloads to authorized computing devices. By matching events and filtering out those that are likely legitimate, the system may provide more accurate information, notifications, awareness, and unmatched event indications.

Systems and methods for dynamic firewall policy configuration

Systems and methods for receiving information on network firewall policy configurations are disclosed. Based on the received firewall configuration information, a configuration of a firewall and/or subnet of network devices is automatically provisioned and/or configured to control network traffic to and from the subnet.

Bandwidth throttling in vulnerability scanning applications
11477128 · 2022-10-18

Apparatus and methods are disclosed for implementing bandwidth throttling to regulate network traffic as can be used in, for example, vulnerability scanning and detection applications in a computer network environment. According to one embodiment, a method of routing network packets in a networked device having plural network interfaces combines traffic class and network interface throttling by: marking network packets with a differentiated service code based on input received from a profiler application; throttling the bandwidth of network packets based on a threshold for the designated network interface of each packet; throttling the bandwidth of the bandwidth-throttled packets based on a threshold for their respective differentiated service code; and emitting network packets on each respective designated network interface.