A method for DoS attacks at an NF includes maintaining, at a first NF, an NF subscription database containing rules that specify maximum numbers of allowed subscriptions and corresponding rule criteria. The method further includes receiving, at the first NF and from a second NF, a subscription request for establishing a subscription. The method further includes determining, by the first NF, that the subscription request matches criteria for at least one rule in the NF subscription database and incrementing, by the first NF, at least one count of a number of subscriptions for the at least one rule. The method further includes determining, by the first NF, that the at least one count of the number of subscriptions exceeds a maximum number of allowed subscriptions for the at least one rule. The method further includes, in response to determining that the at least one count of the number of subscriptions exceeds the maximum number of allowed subscriptions for the at least one rule, preventing establishment of the subscription.

Systems and method are provided for mitigating hacking of restricted access telecommunication services. In response to an authentication response from a user device, an authentication failure type and authentication failure frequency may be determined. Based on the authentication failure type and authentication failure frequency, the user device is blocked from accessing the telecommunication service for a predetermined period of time, preventing the service from being congested by recurring unauthorized users.

A handling apparatus (14a) handles a server attack taking place on a network (1Na) or handles a server attack as requested by a security system provided on another network. In accordance with a determination that it is not possible to handle the server attack by the handling apparatus (14a), the control determination apparatus (12a) makes a request to another security system (1Sb) capable of handling the server attack to handle the server attack. A centralized control apparatus (11) determines whether the server attack taking place on the network (1Na) can be handled on another network.

Example implementations relate to the processing of refresh token requests at an API gateway. The API gateway determines a first time associated with receipt of the refresh token request and a second time associated with the generation of a current access token. The current access token and a refresh token in the refresh token request are provided by the API gateway to the client device for accessing a backend service. The API gateway determines whether a difference between the first time and the second time is within a pre-defined threshold duration. When the difference between the first time and the second time is within the pre-defined threshold, the API gateway denies the refresh token request for generating the new access token and transmits the current access token back to the client device.

Methods and systems for defending an infrastructure against a distributed denial of service (DDoS) attack use a software decoy installed in the infrastructure to deliberately attract a malware. An address or a domain name of a command and control (C&C) server is extracted from the malware. A client of the infrastructure uses the address or the domain name of the C&C server to connect to the C&C server. The client receives a command intended by the C&C server to cause the client to participate in the DDoS attack. The client forwards particulars of the DDoS attack to a cleaning component. The cleaning component discards incoming signals having one or more of the particulars of the DDoS attack. The address or domain name of the C&C server may be obfuscated in the malware, in which case reverse engineering is used to decipher the malware.

One or more computing devices, systems, and/or methods for monitoring levels of activity of client devices using a cluster of servers having a decentralized network architecture are provided, where over-counting, which may be caused by an uneven distribution of requests transmitted by the client devices to the cluster of servers, may be mitigated. For example, a request may be received by a first server, of the cluster of servers, from a client device. A first counter value associated with a level of activity of the client device may be incremented by a first number. One or more data packets may be transmitted to one or more servers of the cluster of servers. Each data packet of the one or more data packets may comprise an instruction to increment a counter value associated with the client device by a second number, which may be different than the first number.

A user equipment (“UE”) in a wireless communication network can receive a plurality of signals from a plurality of nodes. The UE can further determine a plurality of radio signal strength measurements. Each radio signal strength measurement can be associated with a signal of the plurality of signals received from the plurality of nodes. The UE can further determine whether there is an indication that a first node of the plurality of nodes may be an imposter node based on the plurality of radio signal strength measurements.

A device includes a processor and a memory. The processor effectuates operations including receiving signaling messages traversing a first interface or a second interface from the network traffic, translating the signaling messages into one or more events, detecting one or more anomalies by analyzing the one or more events, determining whether the one or more anomalies is indicative of an attack on a telecommunications network and performing a remediation action to the signaling messages resolving the attack when the one or more anomalies is indicative of an attack on the telecommunications network.

A device includes a processor and a memory. The processor effectuates operations including receiving signaling messages traversing a first interface or a second interface from the network traffic, translating the signaling messages into one or more events, detecting one or more anomalies by analyzing the one or more events, determining whether the one or more anomalies is indicative of an attack on a telecommunications network and performing a remediation action to the signaling messages resolving the attack when the one or more anomalies is indicative of an attack on the telecommunications network.

A computer method and system to determine one or more sub-groups of protected network servers for receiving common network filter settings for mitigating Denial of Services (Dos) attacks. Network traffic associated with the plurality of network servers is captured and collated for each of the plurality of network servers. The collated network traffic is then analyzed to determine a profile of one or more network services provided by each of the plurality of network servers. Each of the plurality of network servers is then tagged with one or more network services determined provided by each network server based upon analysis of the collated network traffic. Metadata is then determined from the collated network traffic that is associated with each of the plurality of network servers. A determination of sub-group clustering is made of one or more of the plurality of network servers contingent upon the one or more determined network service tags and the determined meta data associated with each of the plurality of network servers. Common DoS mitigation actions may then be prescribed for each of the determined sub-group clusters of network servers.