In an embodiment, a computer implemented method receives flow data for a network flows. The method extracts a tuple from the flow data and calculates long-term and short-term trends based at least in part on the tuple. The long-term and short-term trends are compared to determine whether a potential network anomaly exists. If a potential network anomaly does exist, the method initiates a heavy hitter detection algorithm. The method forms a low-complexity intermediate stage of processing that enables a high-complexity heavy hitter detection algorithm to execute when heavy hitters are likely to be detected.

Techniques for allowing client devices to securely request services from remote servers without using a reproducible token on the client are disclosed. In an embodiment, the host-portion of a destination address, in whole or in part, is used as an authentication token to identify an end-user, to be a selector to retrieve a security or other policy, or to provide device-specific or user-specific content. In an embodiment, repeated unauthorized attempts to access services are monitored to allow a human or artificial network agent to take appropriate defensive action against attacks.

The invention relates to a method for selectively configuring a container that contains an application, wherein user-authentication data are received by a container management component and forwarded via a container applicant to an authorisation server. This server transmits an authorisation response, on the basis of which a decision is made as to whether the application is allowed to be run in the container.

A method for securing network communication between containers by a terminal, includes: a step of installing an HSI (Hyperion Secure Interface) for communication with a secure bridge included in an NIC (Network Interface Chip) in a secure container through a manager module; a step of changing a source address of a transmission packet to a specific token on the basis of a map of the HSI through the manager module; a step of delivering the transmission packet to the secure bridge through the HSI; a step of determining whether the specific token of the transmission packet is valid; and a step of changing the specific token to the source address and delivering the transmission packet to a target container when the specific token is valid.

In order to appropriately manage address information that may be a target of access control, a management apparatus includes an address information obtain section configured to obtain address information as a management target for access control via a communication network, and a setting section configured to set, for the address information, an effective management period of the management target for the access control, based on information related to the address information.

A handling apparatus (14a) handles a server attack taking place on a network (1Na) or handles a server attack as requested by a security system provided on another network. In accordance with a determination that it is not possible to handle the server attack by the handling apparatus (14a), the control determination apparatus (12a) makes a request to another security system (1Sb) capable of handling the server attack to handle the server attack. A centralized control apparatus (11) determines whether the server attack taking place on the network (1Na) can be handled on another network.

This application discloses a method and an apparatus for defending against a network attack, to resolve a problem that network defense costs are relatively high. The method includes: a network security device receives a first packet sent by an external device, and matches a destination IP address of the first packet with configuration information of a fake network. If an IP address of a node in the configuration information of the fake network has a same subnet prefix as the destination IP address, the network security device processes the first packet based on a fake network policy; if no IP address of a node in the configuration information of the fake network has a same subnet prefix as the destination IP address, the network security device processes the first packet based on a firewall policy.

Techniques and screening messages based on tags in an automotive environment, such as, messages communicated via a communication bus, like the CAN bus. Messages can be tagged with either a binary or probabilistic tag indicating whether the message is fraudulent. ECUs coupled to the CAN bus can receive the messages and the message tags and can determine whether to fully consume the message based on the tag.

A method for automatically sensing attack behaviors, the method including: distributing a service request from a network switch to a response module, where the response module includes a main controller configured for data interaction processing and an auxiliary controller configured for interactive data processing; generating, by the main controller and the auxiliary controller in the response module, respective response data according to the service request, respectively; and comparing the respective response data of the main controller with the respective response data of the auxiliary controller; if a result of comparison is inconsistent, indicating the network switch is abnormal, an administrator is informed, and the response data generated by the auxiliary controller is fed back to the network switch; and, if the result of comparison is consistent, the response data generated by the main controller is fed back to the network switch.

A method for characterizing network traffic is provided. The method includes maintaining a database identifying a plurality of digital certificates and a number of Internet Protocol addresses associated with each of the plurality of digital certificates, capturing network traffic over a network connection at a network connected device, analyzing the network traffic by determining the digital certificates associated with Internet Protocol addresses associated with the network traffic and a number of Internet Protocol addresses associated with each of the digital certificates and updating the database, and characterizing at least one of the Internet Protocol addresses associated with one of the digital certificates based on the number of Internet Protocol addresses associated with the one of the digital certificates.