Patent classifications
H04L63/0254
Communication systems and methods for authenticating data packets within network flow
A communication system includes a first quantum key distribution device and an intermediary device. The first quantum key distribution device is configured to be coupled to a second quantum key distribution device over a quantum channel and to generate a shared key with the second quantum key distribution device based on a quantum state transmitted along the quantum channel. The intermediary device is disposed along a communication pathway within a network between a sender device and a receiver device. The intermediary device is communicatively connected to the first quantum key distribution device and configured to utilize the shared key to authenticate one or more data packets communicated from the sender device along the communication pathway by examining the one or more data packets for a presence of an information pattern that is associated with the shared key.
PROTECTION METHOD AND PROTECTION DEVICE UNDER DIRECT ROUTING MODE
The present disclosure discloses a method and a protection device under a direct routing mode, belonging to the field of network security. The method includes: when receiving a data packet of a target request, determining a packet type of the data packet; if the packet type is a SYN packet, returning a SYN_ACK packet carrying a target SEQ value; if the packet type is an ACK packet, determining whether the ACK packet is legitimate based on the target SEQ value; if the ACK packet is legitimate, marking a preset field in a subsequent PUSH_ACK packet and forwarding the PUSH_ACK packet to a service server, so that the service server processes the target request based on the PUSH_ACK packet with the marked preset field. By adopting the present disclosure, the protection quality of a load-balancing device under the direct routing mode may be improved.
Selective Rate Limiting via a Hybrid Local and Remote Architecture
Systems and methods perform selective rate limiting with a distributed set of agents and a remote controller. An agent receives a packet from a client, and inspects the packet using different rules. Each rule may include at least one different (i) rule definition with traffic dimensions identifying a different attack, (ii) signal with which to identify attack traffic matching the rule definition, (iii) threshold specifying a condition, and (iv) action to implement based on the condition of the threshold being satisfied. The agent provides the signal in response to the packet matching the traffic dimensions from the rule definition of a particular rule. The controller updates a value linked to the signal and a client identifier of the client, and implements the action of the particular rule across the distributed set of agents in response to the value satisfying the condition for the particular rule threshold.
File sharing over secure connections
Systems and methods for file sharing over secure connections. An example method comprises: receiving a client request identifying a file sharing host and a file residing on the file sharing host; establishing a secure client connection; responsive to identifying a management connection with the file sharing host, transmitting an identifier and a parameter of the secure client connection via the management connection; receiving a host request to establish a secure host connection, the host request comprising the identifier of the secure client connection; establishing the secure host connection using the parameter of the secure client connection identified by the received identifier; forwarding, over the secure host connection, a first data packet received over the secure client connection, the first data packet comprising at least part of the client request; and forwarding, over the secure client connection, a second data packet received over the secure host connection, the second data packet comprising at least part of the file identified by the client request.
SYSTEMS AND METHODS TO FILTER OUT NOISY APPLICATION SIGNATURES TO IMPROVE PRECISION OF FIRST PACKET APPLICATION CLASSIFICATION
The system and methods discussed herein provide for filtering out noisy application signatures to improve the precision of first packet application classification. In some implementations, the system receives application signatures from devices along with their network identifiers. Based upon the frequency at which identical application signatures appear as originating from distinct network environments, the system determines the validity of application signatures and avoids storing irrelevant information for routing network traffic.
External terminal protection device and protection system for data flow control
The present invention discloses an external terminal protection device for data flow control and a corresponding protection system. The external terminal protection device includes: an interface control module, used for providing a plurality of data interfaces respectively connected to a protected host and one or more external devices; and a system control module, used for monitoring in real time a data transmission state of each data interface in the interface control module, and controlling the data flow of each data interface. The present invention realizes the functions of performing protocol filtering and auditing on various types of data flow without installing flow monitoring and security protection software on the protected host, and achieves the effects of low-latency network auditing and high-reliability protocol filtering, thereby comprehensively eliminating potential security hazards such as Trojan Horse virus implantation and flow anomaly that may be generated by the interfaces.
METHOD AND APPARATUS FOR IMPLEMENTING SERVER ANTI-ATTACK
A method for implementing server anti-attack includes: after receiving a first link request, the server may determine a target request type of the first link request based on feature information of the first link request; determine, based on the target request type of the first link request, the number of requests that were initiated by a source IP address within a first preset period and have a request type consistent with the target request type; and, if the number of requests is greater than a preset threshold, determine a target attack type of the first link request, reject the first link request, and add the source IP address to the first collection.
METHODS AND APPARATUSES FOR PROVIDING INTERNET-BASED PROXY SERVICES
A proxy server receives, from multiple visitors of multiple client devices, a plurality of requests for actions to be performed on identified network resources belonging to a plurality of origin servers. At least some of the origin servers belong to different domains and are owned by different entities. The proxy server and the origin servers are also owned by different entities. The proxy server analyzes each request it receives to determine whether that request poses a threat and whether the visitor making the request poses a threat. The proxy server blocks those requests that come from visitors that pose a threat or in which the request itself poses a threat. The proxy server transmits the requests that are not a threat and are from a visitor that is not a threat to the appropriate origin server.
METHOD AND FIREWALL CONFIGURED TO MONITOR MESSAGES TRANSITING BETWEEN TWO COMMUNICATION ELEMENTS
A firewall includes a verification unit for comparing messages transiting between the two communication elements with data, called reference data, contained in a database and for detecting, where applicable, a lack of conformity of a message in transit with respect to the reference data. The reference data includes predetermined messages and at least authorized values for fields of the predetermined messages. A central unit generates an alert signal in the event of the verification unit detecting a lack of conformity of a message in transit. A transmission interface is configured to transmit any alert signal to at least one alert signal management device, which will generate an appropriate protective action when an alert signal is generated.
Diameter security with next generation firewall
Techniques for Diameter security with next generation firewall are disclosed. In some embodiments, a system/process/computer program product for Diameter security with next generation firewall includes monitoring Diameter protocol traffic on a service provider network at a security platform; and filtering the Diameter protocol traffic at the security platform based on a security policy.