Patents by Inventor Anestis Karasaridis

Anestis Karasaridis has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10992536
    Abstract: Systems, methods and computer readable media are provided to control anycast traffic using a software defined network controller. Telemetry and event data is gathered from a plurality of service nodes in the network. The telemetry and event data sent by an event broker to an analytic application with a resource conditions at each of the plurality of service nodes is determined based on the telemetry and event data. Traffic routing change recommendations are provided to a software defined network controller based on resource conditions at each of the plurality of service nodes and a set of predetermined policies.
    Type: Grant
    Filed: August 15, 2016
    Date of Patent: April 27, 2021
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Anestis Karasaridis, Douglas M. Nortz, Ashwin Sridharan, Patrick Michael Velardo, Jr.
  • Patent number: 10834114
    Abstract: A processing system having at least one processor may obtain domain name system (DNS) traffic records of a DNS platform, the DNS traffic records associated with a source device having a first status and that is submitting DNS queries, where a first-tier DNS authoritative server of the DNS platform is configured to forward the DNS queries from the source device to at least a first second-tier DNS authoritative server of the DNS platform designated for the first status. The processing system may further detect anomalous DNS traffic records from the DNS traffic records, identify a change of the source device from a first status to a second status, based upon the detecting the anomalous DNS traffic records, and reconfigure the first-tier DNS authoritative server to redirect the DNS queries from the source device to at least a second second-tier DNS authoritative server designated for the second status.
    Type: Grant
    Filed: December 13, 2018
    Date of Patent: November 10, 2020
    Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventors: Anestis Karasaridis, Eric Noel, Stephen Chou, Patrick Velardo
  • Publication number: 20200195669
    Abstract: A processing system having at least one processor may obtain domain name system (DNS) traffic records of a DNS platform, the DNS traffic records associated with a source device having a first status and that is submitting DNS queries, where a first-tier DNS authoritative server of the DNS platform is configured to forward the DNS queries from the source device to at least a first second-tier DNS authoritative server of the DNS platform designated for the first status. The processing system may further detect anomalous DNS traffic records from the DNS traffic records, identify a change of the source device from a first status to a second status, based upon the detecting the anomalous DNS traffic records, and reconfigure the first-tier DNS authoritative server to redirect the DNS queries from the source device to at least a second second-tier DNS authoritative server designated for the second status.
    Type: Application
    Filed: December 13, 2018
    Publication date: June 18, 2020
    Inventors: Anestis Karasaridis, Eric Noel, Stephen Chou, Patrick Velardo
  • Publication number: 20200112574
    Abstract: A method may include a processing system having at least one processor obtaining a first plurality of domain name system traffic records, generating an input aggregate vector from the first plurality of domain name system traffic records, where the input aggregate vector comprises a plurality of features derived from the first plurality of domain name system traffic records, and applying an encoder-decoder neural network to the input aggregate vector to generate a reconstructed vector, where the encoder-decoder neural network is trained with a plurality of aggregate vectors generated from a second plurality of domain name system traffic records. In one example, the processing system may then calculate a distance between the input aggregate vector and the reconstructed vector, and apply at least one remedial action associated with the first plurality of domain name system traffic records when the distance is greater than a threshold distance.
    Type: Application
    Filed: October 3, 2018
    Publication date: April 9, 2020
    Inventors: Yaron Koral, Rensheng Wang Zhang, Eric Noel, Patrick Velardo, Jr., Richard Hellstern, Swapna Buccapatnam Tirumala, Anestis Karasaridis
  • Patent number: 10505977
    Abstract: A system for diffusing denial-of-service attacks by using virtual machines is disclosed. In particular, the system may receive, from a measurement probe, a network transaction measurement associated with a first node in a network. Based on the network transaction measurement, the system may determine if the network transaction measurement satisfies a threshold measurement value. If the network transaction measurement satisfies the threshold measurement value, the system may determine that an attack is occurring at the first node in the network. The system may then identify one or more nodes that have capacity for handling traffic intended for the first node. Once the one or more nodes are identified, the system may launch virtual machines at the one or more nodes to handle legitimate traffic intended for the first node.
    Type: Grant
    Filed: November 9, 2017
    Date of Patent: December 10, 2019
    Assignee: AT&T Intellectual Property I, L.P.
    Inventor: Anestis Karasaridis
  • Patent number: 10447713
    Abstract: Concepts and technologies disclosed herein are directed to internet traffic classification via time-frequency analysis. According to one aspect of the concepts and technologies disclosed herein, a security classification scheme can be implemented to identify potentially malicious activities from normal internet traffic. The security classification scheme can exploit the distinctive characteristics of different types of traffic in both frequency domain and time domain to identify four different cases. Due to the separation of different types of traffic, the security classification scheme can lower the false alarm rate and improve network security. The security classification scheme can utilize a recursive discrete Fourier transform (“DFT”) implementation to enhance computational efficiency.
    Type: Grant
    Filed: April 26, 2017
    Date of Patent: October 15, 2019
    Assignees: AT&T Intellectual Property I, L.P., AT&T Technical Services Company, Inc.
    Inventors: Rensheng Zhang, Richard Hellstern, Anestis Karasaridis, Patrick Velardo, Jr.
  • Patent number: 10154111
    Abstract: A method includes receiving at a cache server a content request from a client system, determining that the cache server is overloaded in response to receiving the content request, and in response to determining that the cache server is overloaded, returning to the client system a domain redirection response including a load status of the cache server.
    Type: Grant
    Filed: February 16, 2016
    Date of Patent: December 11, 2018
    Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventors: Anestis Karasaridis, David A. Hoeflin
  • Publication number: 20180316693
    Abstract: Concepts and technologies disclosed herein are directed to internet traffic classification via time-frequency analysis. According to one aspect of the concepts and technologies disclosed herein, a security classification scheme can be implemented to identify potentially malicious activities from normal internet traffic. The security classification scheme can exploit the distinctive characteristics of different types of traffic in both frequency domain and time domain to identify four different cases. Due to the separation of different types of traffic, the security classification scheme can lower the false alarm rate and improve network security. The security classification scheme can utilize a recursive discrete Fourier transform (“DFT”) implementation to enhance computational efficiency.
    Type: Application
    Filed: April 26, 2017
    Publication date: November 1, 2018
    Applicants: AT&T Intellectual Property I, L.P., AT&T Technical Services Company, Inc.
    Inventors: Rensheng Zhang, Richard Hellstern, Anestis Karasaridis, Patrick Velardo, Jr.
  • Publication number: 20180077197
    Abstract: A system for diffusing denial-of-service attacks by using virtual machines is disclosed. In particular, the system may receive, from a measurement probe, a network transaction measurement associated with a first node in a network. Based on the network transaction measurement, the system may determine if the network transaction measurement satisfies a threshold measurement value. If the network transaction measurement satisfies the threshold measurement value, the system may determine that an attack is occurring at the first node in the network. The system may then identify one or more nodes that have capacity for handling traffic intended for the first node. Once the one or more nodes are identified, the system may launch virtual machines at the one or more nodes to handle legitimate traffic intended for the first node.
    Type: Application
    Filed: November 9, 2017
    Publication date: March 15, 2018
    Applicant: AT&T Intellectual Property I, L.P.
    Inventor: Anestis Karasaridis
  • Publication number: 20180048525
    Abstract: Systems, methods and computer readable media are provided to control anycast traffic using a software defined network controller. Telemetry and event data is gathered from a plurality of service nodes in the network. The telemetry and event data sent by an event broker to an analytic application with a resource conditions at each of the plurality of service nodes is determined based on the telemetry and event data. Traffic routing change recommendations are provided to a software defined network controller based on resource conditions at each of the plurality of service nodes and a set of predetermined policies.
    Type: Application
    Filed: August 15, 2016
    Publication date: February 15, 2018
    Inventors: Anestis Karasaridis, Douglas M. Nortz, Ashwin Sridharan, Patrick Michael Velardo, Jr.
  • Patent number: 9819697
    Abstract: A system for diffusing denial-of-service attacks by using virtual machines is disclosed. In particular, the system may receive, from a measurement probe, a network transaction measurement associated with a first node in a network. Based on the network transaction measurement, the system may determine if the network transaction measurement satisfies a threshold measurement value. If the network transaction measurement satisfies the threshold measurement value, the system may determine that an attack is occurring at the first node in the network. The system may then identify one or more nodes that have capacity for handling traffic intended for the first node. Once the one or more nodes are identified, the system may launch virtual machines at the one or more nodes to handle legitimate traffic intended for the first node.
    Type: Grant
    Filed: October 25, 2016
    Date of Patent: November 14, 2017
    Assignee: AT&T Intellectual Property I, L.P.
    Inventor: Anestis Karasaridis
  • Publication number: 20170041339
    Abstract: A system for diffusing denial-of-service attacks by using virtual machines is disclosed. In particular, the system may receive, from a measurement probe, a network transaction measurement associated with a first node in a network. Based on the network transaction measurement, the system may determine if the network transaction measurement satisfies a threshold measurement value. If the network transaction measurement satisfies the threshold measurement value, the system may determine that an attack is occurring at the first node in the network. The system may then identify one or more nodes that have capacity for handling traffic intended for the first node. Once the one or more nodes are identified, the system may launch virtual machines at the one or more nodes to handle legitimate traffic intended for the first node.
    Type: Application
    Filed: October 25, 2016
    Publication date: February 9, 2017
    Applicant: AT&T Intellectual Property I, L.P.
    Inventor: Anestis Karasaridis
  • Patent number: 9544268
    Abstract: A system includes an analyzer module, a content request data collection module, and a domain name server. The content request data collection module is configured to receive a content request sent to a tracking address, collect content request information about the content request, and provide the content request information to the analyzer module. The domain name server is configured to receive an address request from a local domain name server for a cache server address, provide a tracking address to the local domain name server, collect address request information about the address request, and provide the address request information to the analyzer module. The analyzer module is configured to receive the address request information and the content request information, and determine properties of clients served by the local domain name server based on the address request information and the content request information.
    Type: Grant
    Filed: June 22, 2015
    Date of Patent: January 10, 2017
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Vishwa M. Prasad, Anestis Karasaridis
  • Patent number: 9485273
    Abstract: A system for diffusing denial-of-service attacks by using virtual machines is disclosed. In particular, the system may receive, from a measurement probe, a network transaction measurement associated with a first node in a network. Based on the network transaction measurement, the system may determine if the network transaction measurement satisfies a threshold measurement value. If the network transaction measurement satisfies the threshold measurement value, the system may determine that an attack is occurring at the first node in the network. The system may then identify one or more nodes that have capacity for handling traffic intended for the first node. Once the one or more nodes are identified, the system may launch virtual machines at the one or more nodes to handle legitimate traffic intended for the first node.
    Type: Grant
    Filed: December 9, 2014
    Date of Patent: November 1, 2016
    Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventor: Anestis Karasaridis
  • Publication number: 20160164997
    Abstract: A method includes receiving at a cache server a content request from a client system, determining that the cache server is overloaded in response to receiving the content request, and in response to determining that the cache server is overloaded, returning to the client system a domain redirection response including a load status of the cache server.
    Type: Application
    Filed: February 16, 2016
    Publication date: June 9, 2016
    Applicant: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventors: Anestis Karasaridis, David A. Hoeflin
  • Publication number: 20160164911
    Abstract: A system for diffusing denial-of-service attacks by using virtual machines is disclosed. In particular, the system may receive, from a measurement probe, a network transaction measurement associated with a first node in a network. Based on the network transaction measurement, the system may determine if the network transaction measurement satisfies a threshold measurement value. If the network transaction measurement satisfies the threshold measurement value, the system may determine that an attack is occurring at the first node in the network. The system may then identify one or more nodes that have capacity for handling traffic intended for the first node. Once the one or more nodes are identified, the system may launch virtual machines at the one or more nodes to handle legitimate traffic intended for the first node.
    Type: Application
    Filed: December 9, 2014
    Publication date: June 9, 2016
    Inventor: Anestis Karasaridis
  • Patent number: 9307044
    Abstract: A method includes receiving at a cache server a content request from a client system, determining that the cache server is overloaded in response to receiving the content request, and in response to determining that the cache server is overloaded, returning to the client system a domain redirection response including a load status of the cache server.
    Type: Grant
    Filed: March 28, 2012
    Date of Patent: April 5, 2016
    Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventors: Anestis Karasaridis, David A. Hoeflin
  • Publication number: 20150288652
    Abstract: A system includes an analyzer module, a content request data collection module, and a domain name server. The content request data collection module is configured to receive a content request sent to a tracking address, collect content request information about the content request, and provide the content request information to the analyzer module. The domain name server is configured to receive an address request from a local domain name server for a cache server address, provide a tracking address to the local domain name server, collect address request information about the address request, and provide the address request information to the analyzer module. The analyzer module is configured to receive the address request information and the content request information, and determine properties of clients served by the local domain name server based on the address request information and the content request information.
    Type: Application
    Filed: June 22, 2015
    Publication date: October 8, 2015
    Inventors: Vishwa M. Prasad, Anestis Karasaridis
  • Patent number: 9088554
    Abstract: A system and method for receiving a plurality of values related to providing services on a network, determining at least one constraint value based on the plurality of values, performing a distribution analysis using the plurality of values and the at least one constraint value and outputting a result derived from the distribution analysis.
    Type: Grant
    Filed: December 29, 2006
    Date of Patent: July 21, 2015
    Assignee: AT&T INTELLECTUAL PROPERTY II, L.P.
    Inventors: Anestis Karasaridis, David A. Hoeflin
  • Patent number: 9065867
    Abstract: A system includes an analyzer module, a content request data collection module, and a domain name server. The content request data collection module is configured to receive a content request sent to a tracking address, collect content request information about the content request, and provide the content request information to the analyzer module. The domain name server is configured to receive an address request from a local domain name server for a cache server address, provide a tracking address to the local domain name server, collect address request information about the address request, and provide the address request information to the analyzer module. The analyzer module is configured to receive the address request information and the content request information, and determine properties of clients served by the local domain name server based on the address request information and the content request information.
    Type: Grant
    Filed: February 10, 2014
    Date of Patent: June 23, 2015
    Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventors: Vishwa M. Prasad, Anestis Karasaridis