Security system for protecting a vehicle electronic system by selectively intervening in the communications path in order to prevent the arrival of malicious messages at ECUs, in particular at the safety critical ECUs. The security system includes a filter which prevents illegal messages sent by any system or device communicating over a vehicle communications bus from reaching their destination. The filter may, at its discretion according to preconfigured rules, send messages as is, block messages, change the content of the messages, request authentication or limit the rate such messages can be delivered, by buffering the messages and sending them only in preconfigured intervals.

A device processes a communication between a source and user equipment. The user equipment is one of a plurality of user equipment connected to a network and the user equipment is associated with an entity. The device determines that the communication is associated with an anomalous traffic pattern. The device implements a provisional blocking of traffic between the source and the plurality of user equipment connected to the network and generates a filtering rule based on determining the anomalous traffic pattern, where the filtering rule prescribes that traffic between the source and the second user equipment is to be blocked. The device transmits a notification to the entity associated with the user equipment that requests that the entity affirm the filtering rule, and the device blocks traffic between the source and the user equipment based on the entity affirming the filtering rule.

The disclosure provides an approach for pre-filtering traffic in a logical network. One method includes receiving, by a hypervisor, a packet from a virtual computing instance (VCI) and determining a service path for the packet based on a service table. The method further includes setting, by the hypervisor, a pre-filter component as a next hop for the packet based on the service path. The method further includes receiving, by the pre-filter component, the packet. The method further includes making a determination, by the pre-filter component, of whether the packet requires processing by the security component. The method further includes performing, by the pre-filter component, based on the determination, one of: forwarding the packet to its destination and bypassing the security component; or forwarding the packet to the security component.

Security rule feedback systems and methods include capturing network traffic data, the network traffic data including a plurality of traffic records. The traffic records are grouped into first and second traffic records having corresponding first and second source address identifiers, first and second source port identifiers, first and second destination address identifiers, and first and second destination port identifiers. Network interfaces associated with the first and second records are identified based on source address identifiers. Security rule populations are associated to the network interfaces. A determination is made as to a direction of network traffic, based on the security rule populations. Thereby, dispensable security rules may be identified.

Provided is an intrusion detection technique configured to: obtain kernel-filter criteria indicative of which network traffic is to be deemed potentially malicious, determine that a network packet is resident in a networking stack, access at least part of the network packet, apply the kernel-filter criteria to the at least part of the network packet and, based on applying the kernel-filter criteria, determining that the network packet is potentially malicious, associate the network packet with an identifier of an application executing in userspace of the operating system and to which or from which the network packet is sent, and report the network packet in association with the identifier of the application to an intrusion-detection agent executing in userspace of the operating system of the host computing device, the intrusion-detection agent being different from the application to which or from which the network packet is sent.

A network device obtains Border Gateway Protocol (BGP) flow specification (FlowSpec) information, and generates, based on the BGP FlowSpec information, a first forwarding information base (FIB) table entry including a first prefix and an action, where the BGP FlowSpec information indicates to perform an action on traffic matching a filter condition, where the filter condition includes an attribute of a destination address, where the first FIB table entry indicates the network device to perform the action on the traffic matching the first prefix, and where an attribute of the first prefix is the same as the attribute of the destination address in the filter condition.

A relay device includes a first input/output unit (111), a second input/output unit (112), a security monitoring unit (121) that determines whether or not a packet input to the first input/output unit (111) or the second input/output unit (112) is normal, and a relay unit (113) that outputs a packet determined to be normal by the security monitoring unit (121) from the first input/output unit (111) or the second input/output unit (112); the security monitoring unit (121) uses a whitelist to perform whitelist-based attack detection to determine whether or not a packet is normal, and uses a learning model learned through machine learning to perform machine-learning-based attack detection on a packet that is not determined to be normal through the whitelist-based attack detection, to determine whether or not the packet is normal.

A method and an apparatus are provided for deploying a security access control policy in the field of network security. The method, executed by a cloud management platform, includes: determining, according to an application creation instruction, an application template used for an application that needs to be created and a security profile corresponding to the application template; instructing a virtualization platform to create, according to the application template, a corresponding virtual machine for each application component in the application, and obtaining an IP address of each virtual machine created by the virtualization platform; generating a group of security access control policies corresponding to the application according to the IP address of each virtual machine and by using the security profile; and delivering the group of security access control policies to a corresponding firewall. Therefore, a security access control policy is automatically deployed.

This application discloses a method and an apparatus for defending against a network attack, to resolve a problem that network defense costs are relatively high. The method includes: a network security device receives a first packet sent by an external device, and matches a destination IP address of the first packet with configuration information of a fake network. If an IP address of a node in the configuration information of the fake network has a same subnet prefix as the destination IP address, the network security device processes the first packet based on a fake network policy; if no IP address of a node in the configuration information of the fake network has a same subnet prefix as the destination IP address, the network security device processes the first packet based on a firewall policy.

Systems and method of detecting and blocking malicious attacks on a computer network, including: receiving, by a memory constrained gateway in communication with the computer network, a communication request from at least one device, identifying the type of the at least one device based on the received communication request, verifying that the device is of an allowed type from a predetermined list of allowed device types, checking at least one signature of the received communication request of the allowed device to detect malicious signatures, and blocking communication requests from devices with at least one malicious signature.