Abstract: An upstream network bridge connection request is received in a network device from first network component for connecting to a second network component. This upstream network bridge connection request is analyzed by the network bridge to determine if a network attack threat is associated with the client device requesting the upstream network bridge connection to the server device preferably by inspecting certain network metrics present in the downstream connection associated with the client device. If no, then a determination is made as to whether a preexisting upstream network bridge connection between the client device and the server device exists in a connection pool database. If yes, then the preexisting upstream network bridge connection is retrieved from the connection pool database and is implemented for creating an upstream network connection between the client and server devices.

Abstract: A method and apparatus for processing flow specification (Flowspec) messages to one or more of a plurality of customer networks by a controller device coupled to the plurality of customer networks. Preferably a network controller monitors network traffic flowing through each of the customer networks for detecting a network attack in one of the plurality of customer networks, via monitoring of the network traffic. Upon detection of a network attack, a Flowspec message is generated for the customer network detected to be under network attack wherein the Flowspec message is configured specifically for that customer network. The generated Flowspec message is transmitted to the customer network detected to be under network attack for implementation by the customer network for mitigation of the detected network attack.

Abstract: A computer-implemented method and a computer system are provided for selecting active or passive decryption mode when observing network traffic between a downstream client and an upstream server. The method includes selecting a decryption mode in an initial stage of setting up a secure session based on a determination of a most probable decryption mode based on decryption modes used for similar and/or past secure sessions, wherein the initial stage is when the client initiates a transport layer connection before the transport layer connection or the secure session is established. The method further includes validating the selected decryption mode at least once during the secure session based on whether the selected decryption mode is actually and/or is probably supported based on security algorithms supported by the client and/or server, and switching the decryption mode based on a result of validating the selected decryption mode.

Abstract: A computer-implemented method and system for managing and configuring flow specification (FlowSpec) messages for a customer network by a controller device coupled to the customer network. Network traffic is monitored by the controller device flowing through the customer network detect a network attack in the customer network. The controller device enables a network user to configure a Flowspec message responsive to the detected network attack. The controller device preferably enables the network user to either 1) manually configure a FlowSpec message or 2) configure a Flowspec message utilizing one or more pre-existing FlowSpec rulesets preferably defined for that customer network.

Abstract: A method of delaying computer network clients from sending DNS queries. The method includes receiving a DNS query from a client and consulting a client record in a client record database and/or a flow record in a flow record database storing information about the flow including about one or more previous DNS queries and/or responses in the flow. The method further includes formulating a response to the DNS query as a function of the information about the client and/or the information about the flow, updating the client record with information about the client and/or the flow record with information about the DNS query and the response as formulated, and transmitting the response as formulated to the client. The DNS query includes a question and the response is intentionally defective or incomplete and causes the client to be delayed in sending another DNS query as part of an attack.

Abstract: A computer system and process for mitigating a Distributed Denial of Service (DDoS) attack by analyzing and correlating inbound and outbound packet information relative to the one or more protected computer networks for detecting novel DDoS Reflection/Amplification attack vectors. Created are separate data repositories that respectively store information relating to captured inbound and outbound packets flowing to and from the protected computer networks. Stored in each respective inbound and outbound data repository are identified inbound destination ports respectively associated with the captured inbound and outbound packets such that each identified inbound destination port number is associated with 1) a packet count relating to the inbound and outbound packets; and 2) a packet byte length count relating to each of the inbound and outbound packets.

Abstract: A computer implemented method and system for simulating the effect of one or more flow specification rules upon archived network flow data. Archived network flow data is retrieved from a database that was exported from a network device. One or more flow specification rules are applied to the archived network flow data, wherein the one or more flow specification rules are configured to perform one or more flow specification actions on the archived network flow data. Determined are one or more flow actions affected on the archived network flow data by the applied one or more flow specification rules. Indication/notification of the determined one or more flow actions are provided.

Abstract: A system and method for providing network bridge upstream connections by a network device using proxied network metrics. An upstream network bridge connection request is received in a network device (e.g., a bridge device) from first network component (e.g., a client device) for connecting to a second network component (e.g., a network server device). This upstream network bridge connection request is analyzed by the network bridge to determine if a network attack threat is associated with the client device requesting the upstream network bridge connection to the server device preferably by inspecting certain network metrics present in the downstream connection associated with the client device. If no network attack threat is determined, then a determination is made as to whether a preexisting upstream network bridge connection between the client device and the server device exists in a connection pool database.

Abstract: A method and network are provided for monitoring a network during a DDoS attack. The method includes establishing a flow record for flows designated for tarpitting and a state machine, each state of multiple states of the state machine having an associated handler function. The handler function associated with a current state of a state machine associated with a flow is invoked to perform one or more actions associated with the flow or the flow record for applying at least one tarpitting technique of one or more candidate tarpitting techniques associated with the flow record, and return a next state, which is used to update the current state of the state machine. The handler function associated with the current state of the state machine is repeatedly invoked, wherein each invocation of the handler function potentially applies different tarpitting techniques.

Abstract: An upstream network bridge connection request is received in a network device from first network component for connecting to a second network component. This upstream network bridge connection request is analyzed by the network bridge to determine if a network attack threat is associated with the client device requesting the upstream network bridge connection to the server device preferably by inspecting certain network metrics present in the downstream connection associated with the client device. If no, then a determination is made as to whether a preexisting upstream network bridge connection between the client device and the server device exists in a connection pool database. If yes, then the preexisting upstream network bridge connection is retrieved from the connection pool database and is implemented for creating an upstream network connection between the client and server devices.

Abstract: A computer method and system for determining patterns in network traffic packets having structured subfields for generating filter candidate regular expressions for DDoS attack mitigation. Stored packets are analyzed to extract a query name for each stored packet. Each query name is segregated into subfields. A Results-table is generated utilizing the segregated subfields of the query names. A Field-length table is generated that contains the length of the Field Values (Field-length) for each Field Name and an associated counter indicating how many instances the Field-length for a Field Name is present in the extracted query names. The Field-length table is analyzed to determine patterns of equal length in the “Results” table. Utilizing the Patterns table, unique combinations of the Field Values are generated as a filter candidate regular expression for DDoS attack mitigation purposes.

Abstract: A computer method and system for mitigating Domain Name System (DNS) misuse using a probabilistic data structure, such as a cuckoo filter. Intercepted is network traffic flowing from one or more external hosts to a computer network, the intercepted network traffic including a DNS request that requests a Resource Record name in a DNS zone file. A determination is made as to whether the DNS request is requesting resolution at a protected DNS Name Server. A hash value is calculated for the requested Resource Record name if it is determined the DNS request is requesting resolution at the protected DNS Name Server. A determination is then made as to whether the calculated hash value for the requested Resource Record name is present in the probabilistic data structure. The DNS request is forwarded to the protected server if the requested Resource Record name is determined present in the probabilistic data structure.

Abstract: A computer system and process for mitigating a Distributed Denial of Service (DDoS) attack to one or more protected computer networks by determining keywords and/or patterns in HyperText Transfer Protocol (HTTP) responses. Stored HTTP responses are analyzed to extract one or more HTTP characteristics for each stored HTTP response. One or more patterns having one or more keywords in each stored HTTP response is determined utilizing the extracted one or more HTTP characteristics for each stored HTTP response. A hash value is determined for each determined pattern, which is preferably stored in a hash structure accompanied by its respective determined HTTP characteristics. Each hash value accompanied by its respective determined HTTP characteristics is stored as a mitigation filter candidate if the hash value contains a determined pattern consisting of at least a predetermined percentage of all determined patterns stored in the hash structure.

Abstract: A computer implemented method and system for simulating the effect of one or more flow specification rules upon archived network flow data. Archived network flow data is retrieved from a database that was exported from a network device. One or more flow specification rules are applied to the archived network flow data, wherein the one or more flow specification rules are configured to perform one or more flow specification actions on the archived network flow data. Determined are one or more flow actions affected on the archived network flow data by the applied one or more flow specification rules. Indication/notification of the determined one or more flow actions are provided.

Abstract: A computer method and system for scheduling packets for transmission over a network, via a gateway device having a packet buffer for temporarily storing packets intended for a network device. Upon reception of a packet in the gateway device intended for a network device, a determination is made as to whether the received packet is the start a new packet session for the network device. If yes, the packet is then caused to be forward to the intended network device. If no, then a determination is made as to whether drop the received packet contingent upon a determined current size of the packet buffer (e.g., does it exceed a predetermined packet size threshold value). If the packet is not dropped, then a determination is made as to whether mark the packet for network congestion control contingent upon the determined size of the packet buffer (e.g., does it exceed a predetermined network congestion packet size threshold value). The packet is then caused to be forwarded to the intended network device.

Abstract: A method for detecting patterns using statistical analysis is provided. The method includes receiving a subset of structured data having a plurality of fields. A plurality of value combinations is generated for the plurality of fields using a statistical combination function. Each combination of the generated plurality of value combinations is stored as a separate entry in a results table. The entry in the results table includes a counter associated with the stored combination. A value of the counter is incremented for every occurrence of the stored combination in the generated plurality of value combinations. The results table is sorted based on the counters' values and based on a number of fields in each combination. One or more entries having highest counter values are identified in the results table.

Abstract: A computer method and system for scheduling packets for transmission over a network, via a gateway device having a packet buffer for temporarily storing packets intended for a network device. Upon reception of a packet in the gateway device intended for a network device, a determination is made as to whether the received packet is the start a new packet session for the network device. If yes, the packet is then caused to be forward to the intended network device. If no, then a determination is made as to whether drop the received packet contingent upon a determined current size of the packet buffer (e.g., does it exceed a predetermined packet size threshold value). If the packet is not dropped, then a determination is made as to whether mark the packet for network congestion control contingent upon the determined size of the packet buffer (e.g., does it exceed a predetermined network congestion packet size threshold value). The packet is then caused to be forwarded to the intended network device.

Abstract: A computer implemented method system for obscuring the status of a network service provided by a network device. Received in a network monitoring device is network packet request message intended for a network device. The network monitoring device analyzes the received network packets request to determine whether the received network packet request is a DDoS network probe packet request. If the received packet request was determined to be a DDoS network probe packet requests, a response is generated and sent from the network monitoring device to the device that sent the DDoS network probe packet request indicating a faux degradation of service level for the intended network device.

Abstract: A method of detecting patterns in network traffic is provided. The method includes receiving packets of network traffic, performing a frequency analysis per field of the packets as a function of frequency of the occurrence of the same data in the corresponding field, and selecting top values which are values associated with each field of the set of fields that satisfy a criterion as having occurred most frequently in the packets as a function of a result of the frequency analysis.

Abstract: A system and computer-implemented method to detect particular Domain Name System (DNS) misuse, wherein the method includes obtaining monitored network data. The monitored network data includes respective instances of request traffic. The request traffic is associated with DNS requests that request resolution of a name that belongs to at least one identified domain. Each DNS request is sent from a source address of one or more stub resolver; the source address of the stub resolver may be spoofed. Each instance of request traffic includes the source address, the name for which DNS resolution is requested to be resolved, and the at least one identified domain associated with a corresponding DNS request. The method further includes tracking over time, using a probabilistic algorithm, an approximation of a first cardinality of names belonging to a selected domain of the at least one identified domain included in the instances of request traffic.