Patent classifications
H04L63/1458
Efficient connection processing
In one embodiment, a device includes a network interface to receive a SYN packet from a client via a packet data network to establish a connection with a server, and a processor to run an express data path (XDP) to accelerate at least a part of a SYN cookie connection process.
Maintaining dependencies in a set of rules for security scanning
Systems and methods include receiving a copy of a template file of security rules where the template file includes a plurality of rule tags and one or more dependency tags that define relationships and dependencies between any rules associated with the plurality of rule tags; scanning the template file including, for each respective rule tag of the plurality of rule tags, checking if an enable flag is set for the respective rule tag, when the enable flag is set, looking up a respective rule in a rule database and replacing the respective rule tag with the respective rule, and when the enable flag is not set, removing the respective rule tag from the template file; and providing an output file including a plurality of rules having the relationships and dependencies, where the output file is used for security scanning.
LOW COST DEFENSE AGAINST DENIAL-OF-SERVICE ATTACKS
A first message is received from a first communication device. The first message comprises an authentication token. For example, the authentication token may be a username/password. A determination is made if the first message also comprises a valid temporary password. The temporary password is used to prevent a Denial-of-Service (DOS) attack. In response to the first message comprising the valid temporary password, a determination is made if the authentication token is valid. In response to the authentication token being valid, the first message is responded to in a normal manner. If the first message does not contain the temporary password, the first message is handled based on a DOS message handling process.
Brokered communication protocol using information theoretic coding for security
A communication brokering device receives, from a first device, a measurement of at least one of a bit-error-rate (BER) or a signal-to-noise ratio (SNR) associated with receipt of a transmission at the first device. The communication brokering device determines whether the first device is vulnerable to message interception or eavesdropping based on the measurement of the at least one of the BER or the SNR. The communication brokering device controls communications between at least one second device and the first device based on the determination of whether the first device is vulnerable to message interception or eavesdropping.
Method, device, and system for network traffic analysis
A method, device, and system for network traffic analysis are provided. The method comprises obtaining traffic data of a current time interval, recording the traffic data in a Chinese Remainder Theorem based Reversible Sketch (CRT-RS) based on a hash operation comprising modulo operations, detecting abnormal buckets in the CRT-RS based on a change between the traffic data of the current time interval and traffic data of a previous time interval, and recovering abnormal source address associated information based on the abnormal buckets, wherein the moduli of the modulo operations are selected from the moduli in the Chinese Remainder Theorem (CRT) as pairwise coprime integers and the CRT-RS includes a plurality of buckets. The step of detecting uses a Modified Multi-chart Cumulative Sum.
Measurement and analysis of traffic filtered by network infrastructure
A computer-implemented method and device for analyzing network packet traffic flow affected by a network security device in a communication network. Received in a network monitoring device is packet traffic flow data from a network security device that filters network traffic based upon prescribed security filter settings. The network monitoring device analyzes the received packet traffic flow data by correlating the received traffic flow data with the security filter settings prescribed in the network security device. Certain statistics are identified regarding the network traffic flow affected by the security filter settings of the network security device based upon the correlating of the received traffic flow data with the security filter settings prescribed in the network security device. A report regarding the identified statistics is preferably sent to a network administrator.
TECHNIQUES FOR GENERATING SIGNATURES CHARACTERIZING ADVANCED APPLICATION LAYER FLOOD ATTACK TOOLS
A method and system for generating dynamic applicative signatures of application layer flood attack tools are provided. The method includes determining a plurality of different attributes of requests received during an on-going DDoS attack; clustering at least one attribute of the plurality of different attributes, wherein the clustering is based on values of the plurality of different attributes; determining clusters of attributes representing most frequent structures of the requests received during the on-going DDoS attack; and generating, based on the determined clusters of attributes, a signature of an application layer flood attack tool executing the on-going DDoS attack.
Threat intelligence system
Systems and methods for providing a threat intelligence system include a system provider device that downloads, through communication over a network and from one or more targeted websites, a plurality of images of a first environment. Based on an OCR process, the system provider device may extract a set of textual data corresponding to a subset of images of the plurality of images, where the subset of images depict text. The system provider device stores the set of textual data in an indexed and searchable database. The system provider device assigns a threat assessment score to each image based on the set of textual data, and the threat assessment score may be updated based on comparison of the set of textual data with other sets of textual data. Based on the threat assessment score being greater than a threshold value, the system provider device may generate a security alert.
Systems and methods for providing shifting network security via multi-access edge computing
Disclosed is a device for configuring and implementing network security for a connected network node, and for shifting the network security closer to the attack point of origin. In particular, the device may activate attack protections on different Multi-Access Edge Computing (“MEC”) devices that are physically located near or at the attack point of origin. The device may detect an attack signature based on one or more received data packets, and may provide a response with an extended header field, the attack signature, and/or other attack protection instructions. The responses may be passed to an address of a suspected attacker. MEC devices along the network path may detect and receive the responses, and implement attack protections in response. The responses may also be passed to a multicast or broadcast address that the MEC device may use to receive responses.
METHOD FOR MINIMIZING THE RISK AND EXPOSURE DURATION OF IMPROPER OR HIJACKED DNS RECORDS
Provided is a method for assigning a time-to-live (“TTL”) value for a domain name system (“DNS”) record at a recursive DNS server. The method comprises obtaining, from a client, the TTL value for the DNS record; and storing, in a memory of the recursive DNS server, the TTL value, an identifier of the client, and the DNS record.