H04L2463/142

Systems and methods for network security model
11611532 · 2023-03-21

A security apparatus for a local network is in communication with an external electronic communication system and a first electronic device. The apparatus includes a memory device configured to store computer-executable instructions, and a processor in operable communication with the memory device. The processor is configured to implement the stored computer-executable instructions to cause the apparatus to determine a complexity score for the first electronic device, establish a behavioral pattern for the first electronic device operating within the local network, calculate a confidence metric for the first electronic device based on the determined complexity score and the established behavioral pattern, and control access of the first electronic device to the external electronic network according to the calculated confidence metric.

Detecting and preventing denial of service attacks due to fraudulent BSS color collision events

A management entity obtains from a first wireless access point a Basic Service Set (BSS) color collision event detected by the first wireless access point. The first wireless access point uses a first BSS color. A color collision event occurs when the first wireless access point receives from a device in a BSS of a different physical wireless access point a frame or PHY Protocol Data Unit (PPDU) that includes the first BSS color. The management entity obtains from the first wireless access point an indication whether the color collision event has been detected for longer than a predetermined duration. When the color collision event has been detected for longer than the predetermined duration, the management entity computes a probability of the color collision event. The management entity determines whether the color collision event is malicious or benign, and determines whether to maintain the first BSS color.

SYSTEMS AND METHODS USING NETWORK ARTIFICIAL INTELLIGENCE TO MANAGE CONTROL PLANE SECURITY IN REAL-TIME
20230060207 · 2023-03-02

Described are methods, systems, and media for detecting malicious activity in a network by performing operations comprising: feeding network packets from the network into a header crypto engine; sending the network packets from the header crypto engine to a work scheduler; divaricating the network packets using the work scheduler based on flow data and header data of the network packets to at least one of a firewall and a neural network processor; generating output data comprising: a first output data from the firewall according to rules of the firewall; a second output data from the neural network processor based on behavioral analysis performed by the neural network processor, wherein the second output data is used to update the rules in the firewall; and aggregating the output data from the firewall and the neural network processor to detect malicious activity in the network.

METHOD AND APPARATUS FOR COUNTERING DDOS ATTACKS IN NDN NETWORK

Disclosed herein is a method of checking a network attack in a named data networking (NDN) network. The method of checking a network attack according to an embodiment of the present disclosure may include checking an interest request, checking at least one of a content store (CS), a pending interest table (PIT) and a forwarding information base (FIB) and then checking data corresponding to the interest, checking a data success ratio based on at least one of the PIT and the FIB, determining a target attack path based on the data success ratio, and blocking the target attack path.

FLOWSPEC GATEWAY

FlowSpec is a mechanism for distributing rules to routers in a network. Such rules may be used, for example, to drop traffic associated with a distributed denial of service attack. However, a malformed or incorrect FlowSpec announcement may, if distributed in the network, cause legitimate traffic to be dropped, degrading the service experienced by legitimate users. As such, systems and methods for avoiding the distribution of malformed FlowSpec announcements are provided.

DENIAL-OF-SERVICE (DOS) MITIGATION APPROACH BASED ON CONNECTION CHARACTERISTICS
20170374098 · 2017-12-28

Systems and methods for an improved DDoS mitigation approach are provided. According to one embodiment, a current threshold for a network connection characteristic is established within a Denial-of-Service (DoS) mitigation device logically interposed between a protected resource of a private network and multiple client devices residing external to the private network. A number of connections between the client devices and the protected network resource are tracked. During a period of time in which the number of connections exceeds a connection count threshold: (i) for each of the connections, a measured value for the network connection characteristic is compared to the current threshold; (ii) responsive to a determination that the measured value exceeds the current threshold, the connection is dropped; and (iii) the current threshold is periodically reduced, such that only those connections complying with the current threshold are maintained.

Methods, systems, and computer readable media for mitigating location tracking and denial of service (DoS) attacks that utilize access and mobility management function (AMF) location service

A method for mitigating location tracking and DoS attacks that utilize an AMF location service includes receiving, at an NF, an authentication response message from an HPLMN of a UE. The method further includes extracting, by the NF and from the authentication response message, a subscription identifier and an indicator of an authentication result for the UE. The method further includes storing, by the NF and in an AMF location service validation database, the subscription identifier and the indicator of the authentication result for the UE. The method further includes receiving, by the NF, an AMF location service message and using at least one of a subscription identifier extracted from the AMF location service message and contents of the AMF location service validation database, to classify the AMF location service message as a location tracking or DoS attack. The method further includes preventing the location tracking or DoS attack.

FORWARDING METHOD, FORWARDING APPARATUS, AND FORWARDER FOR AUTHENTICATION INFORMATION IN INTERNET OF THINGS
20170302660 · 2017-10-19

Embodiments of the present application disclose a forwarding method, a forwarding apparatus, and a forwarder for authentication information in the Internet of Things. The method is applied to a constrained node and includes: receiving authentication information; determining whether the authentication information is received for the first time; and if the authentication information is received not for the first time, forwarding the authentication information; or if the authentication information is received for the first time, determining whether the authentication information is valid authentication information, and if the authentication information is not valid authentication information, discarding the authentication information, or if the authentication information is valid authentication information, verifying the valid authentication information, and forwarding the valid authentication information after the verification succeeds. The embodiments of the present application can reduce resources of the constrained node, and improve performance of the Internet of Things.

Distributed Denial Of Service Attack Protection
20170295200 · 2017-10-12

Disclosed are systems and methods for distributed denial of service (DDoS) protection. One or more nodes in a plurality of routes between a first node and a second node are identified. The one or more nodes can be identified at a predefined interval, or in response to one or more operational metrics exceeding a threshold. Network addresses of the identified one or more nodes are modified.

Mitigating denial of service attacks

Several methods are disclosed for detecting and mitigating Distributed Denial-of-Service (DDoS) attacks that are intended to exhaust network resources. The methods use DDoS mitigation devices to detect DDoS attacks using operationally based thresholds. The methods also keep track of ongoing attacks, have an understanding of “protected IP space,” and activate appropriate mitigation tactics based on the severity of the attack and the capabilities of the DDoS mitigation devices.