Patents Assigned to Arbor Networks
-
Publication number: 20240267406
Abstract: An upstream network bridge connection request is received in a network device from a first network component for connecting to a second network component. This upstream network bridge connection request is analyzed by the network bridge to determine if a network attack threat is associated with the client device requesting the upstream network bridge connection to the server device, preferably by inspecting certain network metrics present in the downstream connection associated with the client device. If no, then a determination is made as to whether a preexisting upstream network bridge connection between the client device and the server device exists in a connection pool database. If yes, then the preexisting upstream network bridge connection is retrieved from the connection pool database and is implemented for creating an upstream network connection between the client and server devices.
Type: Application
Filed: April 17, 2024
Publication date: August 8, 2024
Applicant: Arbor Networks, Inc.
Inventor: Sean O'Hara
-
Publication number: 20240259423
Abstract: A computer method and system for determining patterns in network traffic packets having structured subfields for generating filter candidate regular expressions for DDoS attack mitigation. Stored packets are analyzed to extract a query name for each stored packet. Each query name is segregated into subfields. A Results table is generated utilizing the segregated subfields of the query names. A Field-length table is generated that contains the length of the Field Values (Field-length) for each Field Name and an associated counter indicating how many instances of the Field-length for a Field Name are present in the extracted query names. The Field-length table is analyzed to determine patterns of equal length in the Results table. Utilizing the Patterns table, unique combinations of the Field Values are generated as a filter candidate regular expression for DDoS attack mitigation purposes.
Type: Application
Filed: April 10, 2024
Publication date: August 1, 2024
Applicant: Arbor Networks, Inc.
Inventor: Steinthor Bjarnason
-
Publication number: 20240235977
Abstract: A computer implemented method and system for simulating the effect of one or more flow specification rules upon archived network flow data. Archived network flow data is retrieved from a database that was exported from a network device. One or more flow specification rules are applied to the archived network flow data, wherein the one or more flow specification rules are configured to perform one or more flow specification actions on the archived network flow data. One or more flow actions effected on the archived network flow data by the applied one or more flow specification rules are determined. An indication or notification of the determined one or more flow actions is provided.
Type: Application
Filed: October 20, 2022
Publication date: July 11, 2024
Applicant: Arbor Networks, Inc.
Inventors: Michael Ratanatharathorn, Kyle Oswald, Anthony Powell, Joel Harrison
-
Patent number: 12003423
Abstract: A computer method and system for scheduling packets for transmission over a network, via a gateway device having a packet buffer for temporarily storing packets intended for a network device. Upon reception of a packet in the gateway device intended for a network device, a determination is made as to whether the received packet is the start of a new packet session for the network device. If yes, the packet is then forwarded to the intended network device. If no, then a determination is made as to whether to drop the received packet contingent upon a determined current size of the packet buffer (e.g., does it exceed a predetermined packet size threshold value). If the packet is not dropped, then a determination is made as to whether to mark the packet for network congestion control contingent upon the determined size of the packet buffer (e.g., does it exceed a predetermined network congestion packet size threshold value). The packet is then forwarded to the intended network device.
Type: Grant
Filed: November 22, 2022
Date of Patent: June 4, 2024
Assignee: Arbor Networks, Inc.
Inventor: Sean O'Hara
-
Publication number: 20240171606
Abstract: A computer implemented method and system for obscuring the status of a network service provided by a network device. A network packet request message intended for a network device is received in a network monitoring device. The network monitoring device analyzes the received network packet request to determine whether it is a DDoS network probe packet request. If the received packet request is determined to be a DDoS network probe packet request, a response is generated and sent from the network monitoring device to the device that sent the DDoS network probe packet request indicating a faux degradation of service level for the intended network device.
Type: Application
Filed: November 22, 2022
Publication date: May 23, 2024
Applicant: Arbor Networks, Inc.
Inventors: Steinthor Bjarnason, Sean O'Hara
-
Publication number: 20240171519
Abstract: A computer method and system for scheduling packets for transmission over a network, via a gateway device having a packet buffer for temporarily storing packets intended for a network device. Upon reception of a packet in the gateway device intended for a network device, a determination is made as to whether the received packet is the start of a new packet session for the network device. If yes, the packet is then forwarded to the intended network device. If no, then a determination is made as to whether to drop the received packet contingent upon a determined current size of the packet buffer (e.g., does it exceed a predetermined packet size threshold value). If the packet is not dropped, then a determination is made as to whether to mark the packet for network congestion control contingent upon the determined size of the packet buffer (e.g., does it exceed a predetermined network congestion packet size threshold value). The packet is then forwarded to the intended network device.
Type: Application
Filed: November 22, 2022
Publication date: May 23, 2024
Applicant: Arbor Networks, Inc.
Inventor: Sean O'Hara
-
Patent number: 11985043
Abstract: A method and system for aggregating into a unique aggregated group (AG) protection groups (PGs) that are possible classifications, with at least a threshold probability, for a same unique combination of IP addresses. The PGs and the unique combination of IP addresses are included in the AG. Each of the IP addresses of the unique combination of IP addresses has a respective associated probability for each PG included in the AG. The method further includes selecting and providing for display AGs based on the probabilities associated with the respective IP addresses included in the AGs, and providing for display at least one interactive graphical element in association with each AG selected for display. User activation of one of the interactive graphical elements accepts assignment of one or more selected IP addresses included in the AG to a selected one of the one or more PGs included in the AG.
Type: Grant
Filed: July 10, 2020
Date of Patent: May 14, 2024
Assignee: Arbor Networks, Inc.
Inventors: Sean O'Hara, Kyle Barkmeier, Alan Saqui, Brantleigh Bunting, Bryan Beecher
-
Publication number: 20240137302
Abstract: A computer implemented method and system for simulating the effect of one or more flow specification rules upon archived network flow data. Archived network flow data is retrieved from a database that was exported from a network device. One or more flow specification rules are applied to the archived network flow data, wherein the one or more flow specification rules are configured to perform one or more flow specification actions on the archived network flow data. One or more flow actions effected on the archived network flow data by the applied one or more flow specification rules are determined. An indication or notification of the determined one or more flow actions is provided.
Type: Application
Filed: October 19, 2022
Publication date: April 25, 2024
Applicant: Arbor Networks, Inc.
Inventors: Michael Ratanatharathorn, Kyle Oswald, Anthony Powell, Joel Harrison
-
Patent number: 11916876
Abstract: A method includes selecting one or more green addresses, each being a different IP address from a block of IP addresses, associating the green addresses with the IP address of the server, and receiving a packet from a client directed to an IP address of the block of IP addresses. It is determined whether the destination address matches the one or more green addresses or is a yellow address. When it is determined that the destination address matches the one or more green addresses, the packet is sent to the IP address associated with the matching green address, bypassing any DPI. Otherwise, the packet is sent to a scrubber to analyze the packet using DPI and handle the packet or perform a redirection of the client. The redirection causes subsequent requests from the client to be sent to the IP address associated with the green address, bypassing any DPI.
Type: Grant
Filed: June 1, 2023
Date of Patent: February 27, 2024
Assignee: Arbor Networks, Inc.
Inventor: Brian St. Pierre
-
Publication number: 20230396648
Abstract: A computer system and process for mitigating a Distributed Denial of Service (DDoS) attack by analyzing and correlating inbound and outbound packet information relative to the one or more protected computer networks for detecting novel DDoS reflection/amplification attack vectors. Separate data repositories are created that respectively store information relating to captured inbound and outbound packets flowing to and from the protected computer networks. Stored in each respective inbound and outbound data repository are identified inbound destination ports respectively associated with the captured inbound and outbound packets, such that each identified inbound destination port number is associated with 1) a packet count relating to the inbound and outbound packets; and 2) a packet byte length count relating to each of the inbound and outbound packets.
Type: Application
Filed: June 1, 2022
Publication date: December 7, 2023
Applicant: Arbor Networks, Inc.
Inventors: Brian St. Pierre, Steinthor Bjarnason
-
Publication number: 20230388341
Abstract: A computer-implemented method and system for managing and configuring flow specification (FlowSpec) messages for a customer network by a controller device coupled to the customer network. Network traffic flowing through the customer network is monitored by the controller device to detect a network attack in the customer network. The controller device enables a network user to configure a FlowSpec message responsive to the detected network attack. The controller device preferably enables the network user to either 1) manually configure a FlowSpec message or 2) configure a FlowSpec message utilizing one or more pre-existing FlowSpec rulesets preferably defined for that customer network.
Type: Application
Filed: May 24, 2022
Publication date: November 30, 2023
Applicant: Arbor Networks, Inc.
Inventors: Chris Thiele, Ryan O'Reilly, William Martin Northway, JR.
-
Publication number: 20230370455
Abstract: An authenticating method including storing internally a reference hash set having hashes of genuine client binary and/or library files. The method further includes receiving an authentication request for authentication of the client process to authorize the client process to access a server resource provided by the server process. In a first phase, the method further includes requesting from the client OS the process details and the hashes of the client binary and/or library files and verifying (using the reference hash set) the hashes received. In a second phase, the method further includes, contingent on positive verification in the first phase, transmitting a random message to the client process by locating it using the IP address and PID presented during the authentication request, verifying a copy of the random message received back from the client process, and, contingent on positive verification in the second phase, allowing the client process to access the requested server resource.
Type: Application
Filed: July 18, 2022
Publication date: November 16, 2023
Applicant: Arbor Networks, Inc.
Inventor: Amogh N. Joshi
-
Publication number: 20230362207
Abstract: A computer method and system for mitigating Domain Name System (DNS) misuse using a probabilistic data structure, such as a cuckoo filter. Network traffic flowing from one or more external hosts to a computer network is intercepted, the intercepted network traffic including a DNS request that requests a Resource Record name in a DNS zone file. A determination is made as to whether the DNS request is requesting resolution at a protected DNS Name Server. A hash value is calculated for the requested Resource Record name if it is determined the DNS request is requesting resolution at the protected DNS Name Server. A determination is then made as to whether the calculated hash value for the requested Resource Record name is present in the probabilistic data structure. The DNS request is forwarded to the protected server if the requested Resource Record name is determined to be present in the probabilistic data structure.
Type: Application
Filed: July 14, 2023
Publication date: November 9, 2023
Applicant: Arbor Networks, Inc.
Inventors: Brian St. Pierre, Sean O'Hara, Edmund J. Gurney, III
-
Publication number: 20230319082
Abstract: A method and apparatus for processing flow specification (FlowSpec) messages to one or more of a plurality of customer networks by a controller device coupled to the plurality of customer networks. Preferably a network controller monitors network traffic flowing through each of the customer networks for detecting a network attack in one of the plurality of customer networks, via monitoring of the network traffic. Upon detection of a network attack, a FlowSpec message is generated for the customer network detected to be under network attack, wherein the FlowSpec message is configured specifically for that customer network. The generated FlowSpec message is transmitted to the customer network detected to be under network attack for implementation by the customer network for mitigation of the detected network attack.
Type: Application
Filed: April 4, 2022
Publication date: October 5, 2023
Applicant: Arbor Networks, Inc.
Inventors: Scott Cameron, Danielle Fritz, Mitchell Hoffmeyer, Scott Iekel-Johnson, Andrew Inman, Grant Levene, Jiasi Li, William Martin Northway, JR., Ryan O'Rielly, Michael Ratanatharathorn, Lori Sulik, Chris Thiele, James Edward Winquist
-
Publication number: 20230308416
Abstract: A method includes selecting one or more green addresses, each being a different IP address from a block of IP addresses, associating the green addresses with the IP address of the server, and receiving a packet from a client directed to an IP address of the block of IP addresses. It is determined whether the destination address matches the one or more green addresses or is a yellow address. When it is determined that the destination address matches the one or more green addresses, the packet is sent to the IP address associated with the matching green address, bypassing any DPI. Otherwise, the packet is sent to a scrubber to analyze the packet using DPI and handle the packet or perform a redirection of the client. The redirection causes subsequent requests from the client to be sent to the IP address associated with the green address, bypassing any DPI.
Type: Application
Filed: June 1, 2023
Publication date: September 28, 2023
Applicant: Arbor Networks, Inc.
Inventor: Brian St. Pierre
-
Publication number: 20230283631
Abstract: A computer system and process for mitigating a Distributed Denial of Service (DDoS) attack on one or more protected computer networks by determining keywords and/or patterns in HyperText Transfer Protocol (HTTP) responses. Stored HTTP responses are analyzed to extract one or more HTTP characteristics for each stored HTTP response. One or more patterns having one or more keywords in each stored HTTP response are determined utilizing the extracted one or more HTTP characteristics for each stored HTTP response. A hash value is determined for each determined pattern, which is preferably stored in a hash structure accompanied by its respective determined HTTP characteristics. Each hash value accompanied by its respective determined HTTP characteristics is stored as a mitigation filter candidate if the hash value contains a determined pattern consisting of at least a predetermined percentage of all determined patterns stored in the hash structure.
Type: Application
Filed: May 12, 2022
Publication date: September 7, 2023
Applicant: Arbor Networks, Inc.
Inventors: Steinthor Bjarnason, Ellis Roland Dobbins
-
Patent number: 11743301
Abstract: A computer method and system for mitigating Domain Name System (DNS) misuse using a probabilistic data structure, such as a cuckoo filter. Network traffic flowing from one or more external hosts to a computer network is intercepted, the intercepted network traffic including a DNS request that requests a Resource Record name in a DNS zone file. A determination is made as to whether the DNS request is requesting resolution at a protected DNS Name Server. A hash value is calculated for the requested Resource Record name if it is determined the DNS request is requesting resolution at the protected DNS Name Server. A determination is then made as to whether the calculated hash value for the requested Resource Record name is present in the probabilistic data structure. The DNS request is forwarded to the protected server if the requested Resource Record name is determined to be present in the probabilistic data structure.
Type: Grant
Filed: November 17, 2021
Date of Patent: August 29, 2023
Assignee: Arbor Networks, Inc.
Inventors: Brian St. Pierre, Sean O'Hara, Edmund J. Gurney, III
-
Publication number: 20230269269
Abstract: A computer method and system for determining patterns in network traffic packets having structured subfields for generating filter candidate regular expressions for DDoS attack mitigation. Stored packets are analyzed to extract a query name for each stored packet. Each query name is segregated into subfields. A Results table is generated utilizing the segregated subfields of the query names. A Field-length table is generated that contains the length of the Field Values (Field-length) for each Field Name and an associated counter indicating how many instances of the Field-length for a Field Name are present in the extracted query names. The Field-length table is analyzed to determine patterns of equal length in the Results table. Utilizing the Patterns table, unique combinations of the Field Values are generated as a filter candidate regular expression for DDoS attack mitigation purposes.
Type: Application
Filed: February 23, 2022
Publication date: August 24, 2023
Applicant: Arbor Networks, Inc.
Inventor: Steinthor Bjarnason
-
Publication number: 20230231870
Abstract: A method of delaying computer network clients from sending DNS queries. The method includes receiving a DNS query from a client and consulting a client record in a client record database and/or a flow record in a flow record database storing information about the flow, including about one or more previous DNS queries and/or responses in the flow. The method further includes formulating a response to the DNS query as a function of the information about the client and/or the information about the flow, updating the client record with information about the client and/or the flow record with information about the DNS query and the response as formulated, and transmitting the response as formulated to the client. The DNS query includes a question, and the response is intentionally defective or incomplete and causes the client to be delayed in sending another DNS query as part of an attack.
Type: Application
Filed: June 17, 2022
Publication date: July 20, 2023
Applicant: Arbor Networks, Inc.
Inventor: Brian St. Pierre
-
Patent number: RE50354
Abstract: A method of detecting patterns in network traffic is provided. The method includes receiving packets of network traffic, performing a frequency analysis per field of the packets as a function of the frequency of occurrence of the same data in the corresponding field, and selecting top values, which are values associated with each field of the set of fields that satisfy a criterion as having occurred most frequently in the packets as a function of a result of the frequency analysis.
Type: Grant
Filed: August 24, 2023
Date of Patent: March 25, 2025
Assignee: Arbor Networks, Inc.
Inventors: Steinthor Bjarnason, Andrew Ralph Beard, David Turnbull