Patent classifications
H04L63/1458
ANTI-REPLAY PROTECTION BASED ON HASHING ENCRYPTED TEMPORAL KEY IN A SECURE PEER-TO-PEER DATA NETWORK
In one embodiment, a method comprises: generating and maintaining, by a network device in a secure peer-to-peer data network, a secure private key and a corresponding secure public key; establishing, by the network device, a two-way trusted relationship with a second network device in the secure peer-to-peer data network; generating by the network device a temporal key, and encrypting a data packet payload using the temporal key into an encrypted payload; encrypting, by the network device, the temporal key into an encrypted temporal key using a second secure public key of the second network device; and generating and outputting a secure data packet comprising the encrypted temporal key and the encrypted payload, enabling a receiving network device to verify the secure data packet is not a copy based on a determined absence of a prior prescribed hash of at least a portion of the encrypted temporal key.
Methods and systems for defending an infrastructure against a distributed denial of service attack
Methods and systems for defending an infrastructure against a distributed denial of service (DDoS) attack use a software decoy installed in the infrastructure to deliberately attract malware. An address or a domain name of a command and control (C&C) server is extracted from the malware. A client of the infrastructure uses the address or the domain name of the C&C server to connect to the C&C server. The client receives a command intended by the C&C server to cause the client to participate in the DDoS attack. The client forwards particulars of the DDoS attack to a cleaning component. The cleaning component discards incoming signals having one or more of the particulars of the DDoS attack. The address or domain name of the C&C server may be obfuscated in the malware, in which case reverse engineering is used to decipher the malware.
Techniques in evolved packet core for restricted local operator services access
Embodiments of the present disclosure describe methods, apparatuses, storage media, and systems for performing a restricted local operator services (RLOS) authorization procedure. Various embodiments enable a network to authorize a user equipment (UE) with an RLOS access or subscription properly while aiding in minimizing or preventing potential denial-of-service (DoS) attacks. Other embodiments may be described and claimed.
Decentralized method and system for accurately determining a level of activity of a client device
One or more computing devices, systems, and/or methods for monitoring levels of activity of client devices using a cluster of servers having a decentralized network architecture are provided, where over-counting, which may be caused by an uneven distribution of requests transmitted by the client devices to the cluster of servers, may be mitigated. For example, a request may be received by a first server, of the cluster of servers, from a client device. A first counter value associated with a level of activity of the client device may be incremented by a first number. One or more data packets may be transmitted to one or more servers of the cluster of servers. Each data packet of the one or more data packets may comprise an instruction to increment a counter value associated with the client device by a second number, which may be different than the first number.
NETWORK SECURITY SYSTEM THAT DETECTS A COMMON ATTACKER WHO ATTACKS FROM DIFFERENT SOURCE ADDRESSES
A network security system that analyzes data from network attacks to determine which attacks came from the same attacker, even if the attacker tries to disguise its identity by spreading attacks out over time and attacking from multiple IP addresses. Intrusion detection systems or firewalls may log data for each attack, such as the time of the attack, the type of attack, and the source and target addresses. Embodiments may augment this data with derived attributes that may profile the attacker's behavior. For example, some attackers may spread out attacks over time, but always attack on the same day of the week; some attackers may spread out attacks over different IP addresses, but these addresses may all be in the same country. The original and augmented data may be clustered using an algorithm such as DBSCAN, and each attacker may be identified with one of the resulting clusters.
LIGHTWEIGHT TUNED DDOS PROTECTION
Systems and methods for improved DDoS mitigation by utilizing lightweight and tuned mitigation techniques are provided. A lightweight, tuned DDoS system provides protection from DDoS attacks by hosting a container hypervisor on a server that is isolated from other server processes. The container hypervisor may include protection containers and forensic containers. Traffic received at the server is directed through the protection containers to filter out malicious traffic prior to valid traffic being sent to other system processes. The protection containers may be specifically tuned to the service provided by the server. Additionally, malicious traffic may be directed from the protection containers to the forensics containers for extraction of forensic information to be directed to external threat intelligence systems for analysis. As threats change, the threat intelligence system may periodically send modification information to the server to modify the protection schemes of the protection containers in the container hypervisor.
Apparatus and methods for mitigation of network attacks via dynamic re-routing
Apparatus and methods for mitigating network attacks, such as by dynamically re-routing traffic. Various disclosed embodiments manipulate path-based routing of the backbone network to insert a scrubbing appliance within the backbone network topology, rather than using traditional network addressed tunnels in the edge network. In one implementation, traffic entering the backbone network ingress peer routers (from either another backbone network, or an edge network) is normally destination-address routed via the backbone to its appropriate egress router based on a path label; however, when a Distributed Denial of Service (DDoS) attack is detected, the ingress peer router inserts an additional hop into the path label that redirects dirty traffic to a substantially centralized scrubbing appliance. The benefits of the disclosed solutions include, among other things, significantly reduced attack response/recovery times without significant capital outlays.
Network traffic detection with mitigation of anomalous traffic and/or classification of traffic
Methods, systems, and apparatus for detecting and mitigating anomalous network traffic. With at least one processor in a network, information regarding network traffic flows is obtained and a classification model is generated based on the obtained information, the classification model comprising one or more classification rules for classifying network traffic as normal or anomalous. With the at least one processor in the network, the network traffic is classified as anomalous or normal based on the generated classification model and at least one mitigation action is initiated based on the network traffic being classified as anomalous.
Method for preventing distributed denial of service attack and related equipment
A method for preventing distributed denial of service attacks is applied in a target service provider server, a platform server, and a botnet service provider server. The target service provider server determines a first SDN controller according to an attack protection request, and issues a first flow rule. The target service provider server directs the data flow of network equipment to a first cleaning center and controls the first cleaning center to identify the attacking or malicious element in the data flow according to the first flow rule. The platform server receives the attacking element in the data flow sent by the target service provider server, and regards the same as malicious traffic. The platform server generates an attack report, and sends the attack report to the botnet service provider server to notify the botnet service provider server to clean or filter out the malicious traffic.
Scrubber for distributed denial of service attacks targeting mobile networks
A device includes a processor and a memory. The processor effectuates operations including receiving signaling messages traversing a first interface or a second interface from network traffic, translating the signaling messages into one or more events, detecting one or more anomalies by analyzing the one or more events, determining whether the one or more anomalies are indicative of an attack on a telecommunications network, and performing a remediation action on the signaling messages to resolve the attack when the one or more anomalies are indicative of an attack on the telecommunications network.