H04L2463/141

Denial of service mitigation

A web server running in a container has resource and network limits applied as an extra layer of protection. If a monitor detects that the container's resource usage is approaching one or more of these limits, which may indicate a DDoS attack, or identifies traffic sources exhibiting suspicious behaviour, such as frequently repeated requests from the same address or from a related set of addresses, a restrictor function caps the resources available to the original web server container so that it can recover from the traffic overflow and so that servers running in other containers are protected from having shared resources overwhelmed. A duplicator function starts replica containers with the same resource limits to take the overflow traffic, and a load-balancing function directs incoming traffic to these overflow containers. Traffic from suspicious sources is directed by the load balancer to one or more specially configured attack-assessment containers, where a 'dummy' web server operates. The behaviour of these sources is analysed by a behaviour-monitoring function over a period of time to determine whether they are legitimate or malicious; the monitoring function can control a firewall to block addresses identified as generating malicious traffic.
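The pipeline described in that abstract, monitor, restrictor, duplicator, load balancer, dummy-server assessment and firewall, as an added Python illustration over one constructed monitoring window. This is not the patent's code: the container limits, the "approaching a limit" fraction, the per-address and per-/24 request rates, the one-replica-per-stressed-resource rule and the error-ratio verdict on the dummy server are all assumptions chosen for the example, and the request and dummy-server records are constructed, not captured traffic.

```python
from collections import Counter

# Assumed per-container limits; the abstract leaves the actual values to the deployment.
LIMITS = {"cpu_pct": 80.0, "mem_mb": 512.0, "conn": 1000}
APPROACH_FRACTION = 0.9       # assumption: "approaching a limit" = at or above 90% of it
SUSPICIOUS_RATE = 50          # assumption: requests per window from a single address
RELATED_RATE = 100            # assumption: requests per window from one /24 (a related set of addresses)
MALICIOUS_RATIO = 0.9         # assumption: share of error responses on the dummy server that convicts a source

def prefix24(addr):
    return ".".join(addr.split(".")[:3])

def usage_near_limits(usage):
    """Monitor: which of the container's limits is usage close to or over?"""
    return [k for k, lim in LIMITS.items() if usage.get(k, 0) >= APPROACH_FRACTION * lim]

def suspicious_sources(requests):
    """Monitor: addresses that repeat requests excessively, alone or as a related /24 group."""
    per_addr = Counter(r["src"] for r in requests)
    per_prefix = Counter(prefix24(r["src"]) for r in requests)
    return {a for a in per_addr
            if per_addr[a] >= SUSPICIOUS_RATE or per_prefix[prefix24(a)] >= RELATED_RATE}

def plan_mitigation(usage, requests):
    """Restrictor, duplicator and load-balancer decisions for one window."""
    near = usage_near_limits(usage)
    flagged = suspicious_sources(requests)
    plan = {"near_limits": near, "cap_original": bool(near),
            "replicas": len(near), "route": {}}        # assumption: one replica per stressed resource
    if near:
        # cap the original container at what it is using now so it can drain and recover
        plan["capped_limits"] = {k: min(usage.get(k, 0), LIMITS[k]) for k in LIMITS}
    for src in {r["src"] for r in requests}:
        if src in flagged:
            plan["route"][src] = "attack-assessment"   # dummy web server container
        elif near:
            plan["route"][src] = "replica"             # overflow containers
        else:
            plan["route"][src] = "original"
    return plan

def assess_on_dummy(dummy_log):
    """Behaviour monitor: per-source verdict from what each source did on the dummy server."""
    total, bad = Counter(), Counter()
    for e in dummy_log:
        total[e["src"]] += 1
        if e["status"] >= 400:
            bad[e["src"]] += 1
    return {s: "malicious" if bad[s] / total[s] >= MALICIOUS_RATIO else "legitimate"
            for s in total}

def firewall_block_list(verdicts):
    return sorted(s for s, v in verdicts.items() if v == "malicious")

# Constructed sample window (not captured traffic).
SAMPLE_USAGE = {"cpu_pct": 75.0, "mem_mb": 300.0, "conn": 950}
SAMPLE_REQUESTS = (
    [{"src": "203.0.113.7", "path": "/"} for _ in range(60)]                               # one noisy address
    + [{"src": f"192.0.2.{i}", "path": "/"} for i in range(1, 6) for _ in range(25)]       # related /24, each under the single-address rate
    + [{"src": "198.51.100.9", "path": "/index.html"} for _ in range(3)]                   # ordinary client
)
SAMPLE_DUMMY_LOG = (
    [{"src": "203.0.113.7", "path": "/wp-login.php", "status": 404} for _ in range(9)]
    + [{"src": "203.0.113.7", "path": "/", "status": 200}]
    + [{"src": "192.0.2.1", "path": "/", "status": 200} for _ in range(4)]
)

def run_example():
    plan = plan_mitigation(SAMPLE_USAGE, SAMPLE_REQUESTS)
    verdicts = assess_on_dummy(SAMPLE_DUMMY_LOG)
    return plan, verdicts, firewall_block_list(verdicts)

if __name__ == "__main__":
    plan, verdicts, blocked = run_example()
    print("near limits:", plan["near_limits"], "replicas:", plan["replicas"])
    print("routes:", plan["route"])
    print("verdicts:", verdicts, "block:", blocked)
```

The per-/24 rule is what catches the related-address case: each of the five 192.0.2.x hosts stays under the single-address rate, but the group as a whole does not. Note also that a source is only blocked after its behaviour on the dummy server has been assessed; being routed there is not itself a verdict, which is what keeps a burst from a busy NAT address from being firewalled outright.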

Mitigation of cyberattacks on cellular devices

A pause command is sent to a Subscriber Identity Module (SIM) card of a cellular device in response to detecting a cyberattack against the cellular device on the cellular network. To mitigate the cyberattack, the SIM card temporarily disconnects the cellular device from the cellular network for a pause time. The SIM card prohibits the cellular device from connecting to the cellular network during the pause time and automatically allows the cellular device to reconnect to the cellular network after the pause time.

Security techniques for 5G and next generation radio access networks

Malicious attacks by certain devices against a radio access network (RAN) can be detected and mitigated while still allowing priority messages to be communicated. A security management component (SMC) determines whether a malicious attack against the RAN is occurring by comparing observed behaviour with a defined baseline. The baseline is derived from characteristics of the respective devices, which are in turn determined by analysing information relating to those devices. In response to determining that a malicious attack is occurring, the SMC decides whether to block devices' connections to the RAN based on the priority levels associated with the messages those devices are communicating: it blocks the connections of devices whose messages do not satisfy a defined threshold priority level, while managing connections so that messages that do satisfy the threshold can still be communicated via the RAN.
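An added Python sketch of the SMC logic in that abstract: a baseline derived from per-device characteristics, an attack decision against that baseline, and priority-gated blocking once an attack is declared. It is not the patent's code. The choice of attach-attempt rate as the device characteristic, the mean-plus-three-sigma ceiling, the three-offender attack rule and the threshold priority of 7 are assumptions made for the example; the history, window and pending-message data are constructed.

```python
import statistics

K_SIGMA = 3.0            # assumption: per-device ceiling = baseline mean + 3 sigma
MIN_OFFENDERS = 3        # assumption: an attack needs at least this many devices over the ceiling
THRESHOLD_PRIORITY = 7   # assumption: messages at or above this priority always get through

def derive_baseline(history):
    """Baseline from device characteristics: attach-attempt rates observed per device
    during normal operation. history = {device_id: [attempts per minute, ...]}."""
    rates = [r for samples in history.values() for r in samples]
    mean, sd = statistics.fmean(rates), statistics.pstdev(rates)
    return {"mean": mean, "sd": sd, "ceiling": mean + K_SIGMA * sd}

def attack_in_progress(baseline, current_rates):
    """current_rates = {device_id: attempts per minute in the latest window}."""
    offenders = sorted(d for d, r in current_rates.items() if r > baseline["ceiling"])
    return len(offenders) >= MIN_OFFENDERS, offenders

def manage_connections(baseline, current_rates, pending):
    """pending = {device_id: [{"type": ..., "priority": int}, ...]}.
    During an attack, devices whose pending messages all fall below THRESHOLD_PRIORITY
    are blocked; devices carrying a message at or above it keep a connection, but only
    those messages are forwarded. Outside an attack everything is forwarded."""
    attack, offenders = attack_in_progress(baseline, current_rates)
    decision = {"attack": attack, "offenders": offenders, "blocked": [], "forward": {}}
    for dev, msgs in pending.items():
        if not attack:
            decision["forward"][dev] = list(msgs)
            continue
        keep = [m for m in msgs if m["priority"] >= THRESHOLD_PRIORITY]
        if keep:
            decision["forward"][dev] = keep
        else:
            decision["blocked"].append(dev)
    return decision

# Constructed data, not measurements from a real RAN.
QUIET_HISTORY = {"ue-1": [2, 3, 2, 3, 2], "ue-2": [1, 2, 1, 2, 1], "ue-3": [3, 3, 4, 3, 3]}
WINDOW_RATES = {"ue-1": 3, "ue-2": 40, "ue-3": 45, "ue-4": 50, "ue-5": 2}
PENDING = {
    "ue-1": [{"type": "data", "priority": 2}],
    "ue-2": [{"type": "attach", "priority": 1}],
    "ue-3": [{"type": "emergency-call", "priority": 9}, {"type": "data", "priority": 1}],
    "ue-4": [{"type": "attach", "priority": 3}],
    "ue-5": [{"type": "public-warning-ack", "priority": 8}],
}

def run_example():
    baseline = derive_baseline(QUIET_HISTORY)
    return baseline, manage_connections(baseline, WINDOW_RATES, PENDING)

if __name__ == "__main__":
    baseline, decision = run_example()
    print(f"ceiling={baseline['ceiling']:.2f} attack={decision['attack']} offenders={decision['offenders']}")
    print("blocked:", decision["blocked"])
    print("forward:", decision["forward"])
```

The point worth noticing is ue-3: it is one of the offending devices, yet its emergency call still goes through because the gate is on message priority, not on whether the device itself looks hostile. Whether that is the right trade-off depends on how hard the high-priority message classes are for an attacker to forge, which the abstract leaves to the implementation.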

Using a Message Bus Controller to Protect 5G Core Elements

Using a message bus controller to protect 5G core elements can include a computing device that executes a message bus controller accessing a message in a message bus of the packet core of a cellular network. The message is generated by a first network function and transmitted via the message bus to a second network function that subscribes to messages from the first. The computing device determines whether delivery of the message to the second network function should be restricted; if so, it drops the message, and if not, it allows the message flow associated with the message to resume.

SYSTEMS AND METHODS FOR MITIGATING AND/OR PREVENTING DISTRIBUTED DENIAL-OF-SERVICE ATTACKS
20230035336 · 2023-02-02

Systems and methods are described that mitigate and/or prevent distributed denial-of-service (DDoS) attacks. In one implementation, a gateway includes one or more processors configured to obtain network data from one or more entities associated with the gateway, provide the network data to a server, and obtain a set of entity identifiers from the server. The set of entity identifiers may be generated based on at least the network data. The one or more processors may be further configured to filter communications based on the set of entity identifiers.

SYSTEMS AND METHODS FOR SECURING NETWORK FUNCTION SUBSCRIBE NOTIFICATION PROCESS
20220353263 · 2022-11-03

A network device receives, from a requester, an access token request associated with subscribing a consumer network function (NF) to a resource provided by a producer NF. The access token request includes a notification identifier identifying where the consumer NF is to receive content and/or notifications associated with the resource from the producer NF. The network device validates the requester and, on successful validation, generates an access token and an access token response. The network device signs the notification identifier as a component of the access token response and sends the response, with the signed notification identifier, to the requester for use in requesting a subscription to the resource for the consumer NF from the producer NF.
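An added Python example, not the patent's code, of why signing the notification identifier matters: the producer NF can then refuse a subscription whose callback URI differs from the one the token-issuing network device saw, which is what stops a party holding a valid token from pointing the producer's notifications at a host of its choosing. For an offline, stand-alone example, an HMAC over the token body and over the (token id, notification URI) pair stands in for the network device's signature; a real NRF would use an asymmetric key so the producer needs only the public half. The key, the requester allow-list, the claim names and the NF names are assumptions.

```python
import base64, hashlib, hmac, json, secrets, time

NRF_KEY = b"example-nrf-signing-key"                 # assumption: stand-in for the NRF's private key
VALID_REQUESTERS = {"SCP-1": "scp", "AMF-1": "nf"}   # assumption: requesters the NRF will serve

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _mac(key, *parts):
    """HMAC-SHA256 over NUL-joined parts (stand-in for a real signature)."""
    return hmac.new(key, b"\x00".join(p.encode() for p in parts), hashlib.sha256).hexdigest()

def issue_access_token(requester, consumer_nf, producer_nf, notification_uri, key=NRF_KEY, now=None):
    """Network device (NRF) side: validate the requester, mint the token, and sign the
    notification identifier as part of the token response, bound to this token's jti."""
    if requester not in VALID_REQUESTERS:
        raise PermissionError(f"unknown requester {requester}")
    now = int(now if now is not None else time.time())
    claims = {"jti": secrets.token_hex(8), "iss": "NRF", "sub": consumer_nf, "aud": producer_nf,
              "scope": "nsmf-pdusession", "iat": now, "exp": now + 600}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    token = body + "." + _mac(key, body)
    return {"access_token": token, "notification_uri": notification_uri,
            "notification_sig": _mac(key, claims["jti"], notification_uri)}

def producer_accepts_subscription(subscribe_request, key=NRF_KEY, now=None):
    """Producer NF side: token valid and meant for me, and the callback URI in the
    subscribe request is exactly the one the NRF signed for this token."""
    try:
        body, sig = subscribe_request["access_token"].split(".")
    except ValueError:
        return False
    if not hmac.compare_digest(sig, _mac(key, body)):
        return False
    claims = json.loads(_unb64(body))
    now = now if now is not None else time.time()
    if claims["aud"] != subscribe_request["producer_nf"] or now >= claims["exp"]:
        return False
    expected = _mac(key, claims["jti"], subscribe_request["notification_uri"])
    return hmac.compare_digest(expected, subscribe_request["notification_sig"])

if __name__ == "__main__":
    resp = issue_access_token("AMF-1", "AMF-1", "SMF-1", "https://amf-1.example/notify")
    req = dict(resp, producer_nf="SMF-1")
    print("legitimate subscribe:", producer_accepts_subscription(req))
    # a holder of the token tries to redirect notifications to its own host
    print("redirected callback:", producer_accepts_subscription(
        dict(req, notification_uri="https://attacker.example/notify")))
```

Binding the URI signature to the token's `jti` rather than signing the URI alone is deliberate: otherwise a signed URI captured from one response could be replayed alongside any other valid token.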

DETECTION AND MITIGATION OF BSS COLOR-BASED DOS ATTACK ON HIGH EFFICIENCY NETWORKS
20220353689 · 2022-11-03

An access point (AP) in a deployment may be attacked by a rogue AP that transmits fake beacons carrying a basic service set (BSS) color that does not match the BSS color assigned to and used by the AP under attack. Because of this mismatch, stations associated to the AP under attack may switch to the incorrect BSS color, disrupting communication between the AP and its stations and eventually causing denial of service. Systems and methods are provided that leverage the BSS color feature to identify when a rogue AP is attacking another AP. Upon detecting such an attack, the BSS color feature may be disabled to limit the service disruption to the AP under attack and its associated stations.
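The detection and mitigation step from that abstract as an added Python example run over a constructed scan window; it is not the patent's code. The beacon records, the AP's assigned color, the hit threshold and the `ManagedAp` structure are assumptions. The example also covers the false-positive case a practitioner would want handled: a neighbouring AP in the same ESS legitimately advertises a different color under the same SSID, so only beacons that carry the victim's own BSSID with a foreign color count as spoofed.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class ManagedAp:
    bssid: str
    ssid: str
    bss_color: int                 # 1..63, as assigned by the controller
    color_disabled: bool = False   # mirrors the BSS Color Disabled bit the AP will advertise
    alerts: list = field(default_factory=list)

def classify_beacon(ap, beacon):
    """Place an observed beacon in one of three buckets.
    'own'       - our BSSID, our color (or color already disabled): normal
    'spoofed'   - our BSSID but a different color: only a rogue can send this
    'neighbour' - another BSSID: a different color there is legitimate, even with our SSID"""
    if beacon["bssid"].lower() != ap.bssid.lower():
        return "neighbour"
    if beacon.get("color_disabled") or beacon["bss_color"] == ap.bss_color:
        return "own"
    return "spoofed"

def detect_and_mitigate(ap, beacons, min_hits=3):
    """Count spoofed-color beacons in one scan window; on min_hits or more, disable
    BSS color so stations stop acting on the rogue's color (min_hits is an assumption)."""
    buckets = Counter(classify_beacon(ap, b) for b in beacons)
    fake_colors = Counter(b["bss_color"] for b in beacons if classify_beacon(ap, b) == "spoofed")
    attack = buckets["spoofed"] >= min_hits
    if attack and not ap.color_disabled:
        ap.color_disabled = True
        ap.alerts.append(f"rogue beacons with color(s) {sorted(fake_colors)} spoofing {ap.bssid}; BSS color disabled")
    return {"attack": attack, "spoofed": buckets["spoofed"], "neighbour": buckets["neighbour"],
            "fake_colors": dict(fake_colors), "color_disabled": ap.color_disabled}

# Constructed scan window (not a real capture). Our AP uses color 17.
AP = ManagedAp(bssid="00:11:22:33:44:55", ssid="corp-wifi", bss_color=17)
SCAN = (
    [{"bssid": "00:11:22:33:44:55", "ssid": "corp-wifi", "bss_color": 17, "rssi": -40}] * 4    # our own beacons
    + [{"bssid": "00:11:22:33:44:55", "ssid": "corp-wifi", "bss_color": 42, "rssi": -63}] * 5  # rogue, spoofing our BSSID
    + [{"bssid": "00:11:22:33:44:66", "ssid": "corp-wifi", "bss_color": 23, "rssi": -70}] * 2  # same ESS, different AP
)

def run_example():
    return detect_and_mitigate(AP, SCAN)

if __name__ == "__main__":
    print(run_example())
    print(AP.alerts)
```

Disabling BSS color costs the spatial-reuse benefit the feature exists for, so the threshold and the decision to re-enable it once the rogue beacons stop are operational choices; the example only shows the detection side and the one-way switch to disabled.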

System and Method for Cyber Security Threat Detection
20220353282 · 2022-11-03

A cyber security threat detection system for one or more endpoints within a computing environment is disclosed. The system comprises a plurality of collector engines, each installed on one of a plurality of endpoints and configured to acquire statistical information at that endpoint. The statistical information includes behavioral information, resource information, and metric information associated with the endpoint. An aggregator engine aggregates the statistical information from each endpoint into aggregated information. An analytics engine receives the aggregated information and invokes learning models that output deviation information for each endpoint, based on the aggregated information and on expected fingerprints associated with the endpoints. An alerting engine issues one or more alerts indicating that security threats have occurred at an endpoint in response to the deviation information for that endpoint.
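An added Python walk-through of the collector, aggregator, analytics and alerting stages in that abstract, not the patent's code. A per-metric z-score against the expected fingerprint stands in for the learning models; the metric names, the fingerprint values, the collected samples and the 3-sigma alert threshold are all constructed assumptions for the example.

```python
from collections import defaultdict
from statistics import fmean

Z_ALERT = 3.0   # assumption: a metric more than 3 sigma from its fingerprint is worth an alert

# Constructed collector output: (endpoint, metric, value) as one collection cycle would emit them.
COLLECTED = [
    ("host-a", "cpu_pct", 22.0), ("host-a", "proc_count", 125), ("host-a", "out_conns", 35), ("host-a", "failed_logins", 0),
    ("host-a", "cpu_pct", 18.0), ("host-a", "out_conns", 28),
    ("host-b", "cpu_pct", 25.0), ("host-b", "proc_count", 140), ("host-b", "out_conns", 400), ("host-b", "failed_logins", 40),
]

# Constructed expected fingerprints: (mean, stdev) per metric learned during a quiet period.
EXPECTED = {
    "host-a": {"cpu_pct": (20.0, 5.0), "proc_count": (120, 10), "out_conns": (30, 8), "failed_logins": (0.2, 0.5)},
    "host-b": {"cpu_pct": (25.0, 6.0), "proc_count": (130, 12), "out_conns": (40, 10), "failed_logins": (0.2, 0.5)},
}

def aggregate(collected):
    """Aggregator engine: fold per-collector samples into one value per endpoint and metric."""
    samples = defaultdict(lambda: defaultdict(list))
    for endpoint, metric, value in collected:
        samples[endpoint][metric].append(value)
    return {e: {m: fmean(v) for m, v in metrics.items()} for e, metrics in samples.items()}

def deviations(aggregated, expected):
    """Analytics engine (a z-score stands in for the learning model): signed distance
    of each metric from its fingerprint in standard deviations; None where no fingerprint exists."""
    out = {}
    for endpoint, metrics in aggregated.items():
        fp = expected.get(endpoint, {})
        out[endpoint] = {}
        for metric, value in metrics.items():
            if metric not in fp:
                out[endpoint][metric] = None
                continue
            mean, sd = fp[metric]
            out[endpoint][metric] = (value - mean) / max(sd, 1e-9)
    return out

def alerts(deviation_info, z_alert=Z_ALERT):
    """Alerting engine: one alert per endpoint listing the metrics that deviate."""
    result = []
    for endpoint, metrics in deviation_info.items():
        bad = {m: round(z, 1) for m, z in metrics.items() if z is not None and abs(z) >= z_alert}
        if bad:
            result.append({"endpoint": endpoint, "deviating": bad})
    return result

def run_example():
    dev = deviations(aggregate(COLLECTED), EXPECTED)
    return dev, alerts(dev)

if __name__ == "__main__":
    dev, found = run_example()
    for endpoint, metrics in dev.items():
        print(endpoint, {m: round(z, 2) for m, z in metrics.items() if z is not None})
    print("alerts:", found)
```

The `failed_logins` fingerprint shows why the stdev floor matters: a metric that is almost always zero has a tiny stdev, so a single burst produces a huge z-score, which is the desired behaviour, but a stdev of exactly zero would divide by zero without the floor.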

System and methods for fast, secure and power efficient occupancy session management
11490254 · 2022-11-01

An automated vehicle parking system uses a driver's authentication device, such as a mobile phone or portable tag, to identify the driver. Vehicle sensing terminals detect when and where a vehicle has parked and send wireless notifications to the vehicle owner's authentication device. The authentication device, the vehicle sensing terminal and a cloud server interact using secure wireless communications to validate the driver's qualifications and record the parking event. Vehicle sensing terminals detect when the vehicle leaves its parking space and the parking system automatically terminates the parking session. The authentication device handles the bulk of the communication with the cloud server to reduce consumption of the vehicle sensing terminal's power supply. The sensing and portable tag devices communicate using secure tokens that are encrypted with unique individual or group keys.

SELECTIVE TRAFFIC PROCESSING IN A DISTRIBUTED CLOUD COMPUTING NETWORK
20230087129 · 2023-03-23

A server receives internet traffic from a client device. The server is one of multiple servers of a distributed cloud computing network, each of which is associated with a set of one or more server identities, including a server/data center certification identity. The server processes the internet traffic at layer 3, including participating in a layer 3 DDoS protection service. If the traffic is not dropped by the layer 3 DDoS protection service, further processing is performed. The server determines whether it is permitted to process the traffic at layers 5-7, including whether it is associated with a server/data center certification identity that meets selected criteria for the destination of the internet traffic. If the server does not meet the criteria, it transmits the traffic to another one of the multiple servers for processing at layers 5-7.