Patents Assigned to Arbor Networks
  • Publication number: 20230231873
    Abstract: A method and network are provided for monitoring a network during a DDoS attack. The method includes establishing a flow record for flows designated for tarpitting and a state machine, each state of multiple states of the state machine having an associated handler function. The handler function associated with a current state of a state machine associated with a flow is invoked to perform one or more actions associated with the flow or the flow record for applying at least one tarpitting technique of one or more candidate tarpitting techniques associated with the flow record, and return a next state, which is used to update the current state of the state machine. The handler function associated with the current state of the state machine is repeatedly invoked, wherein each invocation of the handler function potentially applies different tarpitting techniques.
    Type: Application
    Filed: June 17, 2022
    Publication date: July 20, 2023
    Applicant: Arbor Networks, Inc.
    Inventor: Brian St. Pierre
  • Publication number: 20230231874
    Abstract: A method of monitoring a network during a DDoS attack is provided. The method includes receiving packets included in the attack, determining whether the packets are designated for tarpitting, for each packet from a source determined to be designated for tarpitting, assigning the packet to an existing or newly established flow, applying at least one tarpitting technique, and applying a randomization function for adjusting the at least one tarpitting technique or for selecting the at least one tarpitting technique to be applied from a plurality of candidate tarpitting techniques.
    Type: Application
    Filed: June 17, 2022
    Publication date: July 20, 2023
    Applicant: Arbor Networks, Inc.
    Inventor: Brian St. Pierre
  • Patent number: 11700233
    Abstract: A system and computer-implemented method to monitor network traffic for a protected network using a block of IP addresses including an IP address for a server. The method includes selecting one or more green addresses, each being a different IP address from the block of IP addresses, associating the green addresses with the IP address of the server, and receiving a packet of the internet traffic from a client directed to an IP address of the block of IP addresses prior to any performance of DPI on the packet. It is determined whether the destination address matches the one or more green addresses or is a yellow address (which belongs to the block of IP addresses, but is not a green address). When it is determined that the destination address matches the one or more green addresses, the packet is sent to the IP address associated with the matching green address, bypassing any DPI.
    Type: Grant
    Filed: June 4, 2019
    Date of Patent: July 11, 2023
    Assignee: Arbor Networks, Inc.
    Inventor: Brian St. Pierre
  • Publication number: 20230171286
    Abstract: A system and method for providing network bridge upstream connections by a network device using proxied network metrics. An upstream network bridge connection request is received in a network device (e.g., a bridge device) from a first network component (e.g., a client device) for connecting to a second network component (e.g., a network server device). This upstream network bridge connection request is analyzed by the network bridge to determine if a network attack threat is associated with the client device requesting the upstream network bridge connection to the server device, preferably by inspecting certain network metrics present in the downstream connection associated with the client device. If no network attack threat is determined, then a determination is made as to whether a preexisting upstream network bridge connection between the client device and the server device exists in a connection pool database.
    Type: Application
    Filed: November 30, 2021
    Publication date: June 1, 2023
    Applicant: Arbor Networks, Inc.
    Inventor: Sean O'Hara
  • Publication number: 20230156019
    Abstract: A computer method and system for determining a threat level score for a detected network attack. Network data is received having a detected network attack, which is then analyzed to determine metadata associated with the network attack. The determined metadata associated with the network attack is analyzed to determine: 1) an attack objective component; 2) an attack method component; and 3) an attack execution component, each being associated with the network attack. A severity score value for the network attack is then determined based upon calculating a weighted value for each of the: 1) attack objective component; 2) attack method component; and 3) attack execution component. An alert signal/message is then generated for the network attack based upon the determined severity score value.
    Type: Application
    Filed: May 11, 2022
    Publication date: May 18, 2023
    Applicant: Arbor Networks, Inc.
    Inventor: Amogh N. Joshi
  • Publication number: 20230156044
    Abstract: A computer method and system for mitigating Domain Name System (DNS) misuse using a probabilistic data structure, such as a cuckoo filter. Network traffic flowing from one or more external hosts to a computer network is intercepted, the intercepted network traffic including a DNS request that requests a Resource Record name in a DNS zone file. A determination is made as to whether the DNS request is requesting resolution at a protected DNS Name Server. A hash value is calculated for the requested Resource Record name if it is determined that the DNS request is requesting resolution at the protected DNS Name Server. A determination is then made as to whether the calculated hash value for the requested Resource Record name is present in the probabilistic data structure. The DNS request is forwarded to the protected server if the requested Resource Record name is determined to be present in the probabilistic data structure.
    Type: Application
    Filed: November 17, 2021
    Publication date: May 18, 2023
    Applicant: Arbor Networks, Inc.
    Inventors: Brian St. Pierre, Sean O'Hara, Edmund J. Gurney, III
  • Publication number: 20230144993
    Abstract: A computer-implemented method and a computer system are provided for selecting active or passive decryption mode when observing network traffic between a downstream client and an upstream server. The method includes selecting a decryption mode in an initial stage of setting up a secure session based on a determination of a most probable decryption mode based on decryption modes used for similar and/or past secure sessions, wherein the initial stage is when the client initiates a transport layer connection before the transport layer connection or the secure session is established. The method further includes validating the selected decryption mode at least once during the secure session based on whether the selected decryption mode is actually and/or is probably supported based on security algorithms supported by the client and/or server, and switching the decryption mode based on a result of validating the selected decryption mode.
    Type: Application
    Filed: November 10, 2021
    Publication date: May 11, 2023
    Applicant: Arbor Networks, Inc.
    Inventors: Sean O'Hara, Archana Adiyamankottai Rajaram
  • Patent number: 11616807
    Abstract: A computer method and system to determine one or more sub-groups of protected network servers for receiving common network filter settings for mitigating Denial of Service (DoS) attacks. Network traffic associated with the plurality of network servers is captured and collated for each of the plurality of network servers. The collated network traffic is then analyzed to determine a profile of one or more network services provided by each of the plurality of network servers. Each of the plurality of network servers is then tagged with one or more network services determined to be provided by that network server based upon analysis of the collated network traffic. Metadata is then determined from the collated network traffic that is associated with each of the plurality of network servers.
    Type: Grant
    Filed: January 3, 2020
    Date of Patent: March 28, 2023
    Assignee: Arbor Networks, Inc.
    Inventors: Sean O'Hara, Alan Saqui
  • Patent number: 11601369
    Abstract: A computer method and system for prioritizing network traffic flow to a protected computer network. Network traffic flowing from one or more external hosts to the protected computer network is intercepted and intercepted data packets are dropped if forwarding the intercepted data packet to the protected network would cause the value of the bandwidth of network traffic flow to the protected network to exceed a configured overall traffic bandwidth threshold value associated with the protected network. If not dropped, the intercepted data packet is analyzed to determine a classification type for the intercepted data packet based upon prescribed criteria wherein each classification type has an assigned classification bandwidth threshold value, wherein the classification bandwidth threshold value is less than the overall traffic bandwidth threshold value for the protected network.
    Type: Grant
    Filed: September 1, 2021
    Date of Patent: March 7, 2023
    Assignee: Arbor Networks, Inc.
    Inventor: Brian St. Pierre
  • Patent number: 11601456
    Abstract: A method is provided for inspecting network traffic. The method, performed in a single contained device, includes receiving network traffic inbound from an external host that is external to the protected network flowing to a protected host of the protected network, wherein the network traffic is transported by a secure protocol that implements ephemeral keys that endure for a limited time. The method further includes performing a first transmission control protocol (TCP) handshake with the external host, obtaining source and destination data during the first TCP handshake, the source and destination data including source and destination link and internet addresses obtained, caching the source and destination data, and using the cached source and destination data to obtain a Layer-7 request from the external host to the protected host and to pass a Layer-7 response from the protected host to the external host.
    Type: Grant
    Filed: August 11, 2020
    Date of Patent: March 7, 2023
    Assignee: Arbor Networks, Inc.
    Inventors: Sean O'Hara, Archana A. Rajaram
  • Publication number: 20230063243
    Abstract: A computer method and system for prioritizing network traffic flow to a protected computer network. Network traffic flowing from one or more external hosts to the protected computer network is intercepted and intercepted data packets are dropped if forwarding the intercepted data packet to the protected network would cause the value of the bandwidth of network traffic flow to the protected network to exceed a configured overall traffic bandwidth threshold value associated with the protected network. If not dropped, the intercepted data packet is analyzed to determine a classification type for the intercepted data packet based upon prescribed criteria wherein each classification type has an assigned classification bandwidth threshold value, wherein the classification bandwidth threshold value is less than the overall traffic bandwidth threshold value for the protected network.
    Type: Application
    Filed: September 1, 2021
    Publication date: March 2, 2023
    Applicant: Arbor Networks, Inc.
    Inventor: Brian St. Pierre
  • Publication number: 20230060730
    Abstract: Matching an internet service with an IP host address to attribute network traffic to the internet service, by mapping one or more server names to an internet service in a network device that detects a DNS Response to a DNS Query. The DNS Response is inspected to determine an association of a service consumer's IP address with an internet service's server IP address relating to a certain internet service. An array of indexed entries, each holding the association of the service consumer's IP address with the internet service's server IP address for a certain length of time, is maintained using a probabilistic data structure for the indexed entries.
    Type: Application
    Filed: August 29, 2022
    Publication date: March 2, 2023
    Applicant: Arbor Networks, Inc.
    Inventors: Matthew Bregger, Andrew Lee Adams
  • Patent number: 11558266
    Abstract: A method and system are provided for monitoring a protected network. The method includes, in a scoring phase, receiving a learned model having clusters of learning requests of learning network traffic observed during non-strain operation of the protected network, wherein each cluster has an associated characteristic learning response time. The method further includes receiving a score request to score a network service request of the network traffic, classifying the network service request with one of the clusters by comparing fields of the network service request to fields used for clustering the learning requests with the cluster, calculating a score based on the characteristic learning response times generated for the learned cluster to which the network service request is classified, and adjusting supportive handling of the network service request based on the score.
    Type: Grant
    Filed: December 17, 2019
    Date of Patent: January 17, 2023
    Assignee: Arbor Networks, Inc.
    Inventor: Sean O'Hara
  • Patent number: 11558410
    Abstract: A computer-implemented method and device for analyzing network packet traffic flow affected by a network security device in a communication network. Received in a network monitoring device is packet traffic flow data from a network security device that filters network traffic based upon prescribed security filter settings. The network monitoring device analyzes the received packet traffic flow data by correlating the received traffic flow data with the security filter settings prescribed in the network security device. Certain statistics are identified regarding the network traffic flow affected by the security filter settings of the network security device based upon the correlating of the received traffic flow data with the security filter settings prescribed in the network security device. A report regarding the identified statistics is preferably sent to a network administrator.
    Type: Grant
    Filed: May 19, 2020
    Date of Patent: January 17, 2023
    Assignee: Arbor Networks, Inc.
    Inventors: Scott Iekel-Johnson, James Edward Winquist, David Watson
  • Patent number: 11546266
    Abstract: A method for correlating discarded network traffic with network policy events in a network includes receiving a flow record. The flow record includes initial network flow information in a standard flow record format. Discarded network traffic information associated with each network policy is received from a network policy enforcement device. Network traffic is discarded based on a network traffic policy. The received flow record is correlated with the received discarded network traffic information. The discarded network traffic information is encoded into the received flow record based on the correlation while maintaining the initial network flow information to yield an enhanced flow record.
    Type: Grant
    Filed: December 15, 2016
    Date of Patent: January 3, 2023
    Assignee: Arbor Networks, Inc.
    Inventors: Andrew D. Mortensen, James E. Winquist
  • Patent number: 11539744
    Abstract: A method of monitoring network traffic for cryptojacking activity is provided. A request is received from a protected host. It is determined whether the request is a cryptocurrency request based on whether the request uses a protocol specified for requests belonging to the cryptocurrency communication. In response to a determination that the request is a cryptocurrency request for the cryptocurrency, a second request is submitted to a destination indicated by the request, wherein the second request is formatted as a cryptocurrency request for the cryptocurrency. A determination is made whether a reply to the second request from the destination is a cryptocurrency response for the cryptocurrency based on whether the response uses a protocol specified for a response that belongs to communication associated with the cryptocurrency. An intervention action is caused in response to a determination that the reply to the second request from the destination is a cryptocurrency response for the cryptocurrency.
    Type: Grant
    Filed: August 11, 2020
    Date of Patent: December 27, 2022
    Assignee: Arbor Networks, Inc.
    Inventor: Sean O'Hara
  • Patent number: 11509690
    Abstract: A system and computer-implemented method of monitoring a network is provided. The method includes receiving a packet of network traffic, wherein the packet has an associated source and destination address pair, where this pair constitutes a connection pair. The method further includes comparing the packet to a plurality of patterns and/or comparing a source or destination address of the packet to known malicious addresses, and, upon determining that the packet matches a pattern of the plurality of patterns or that the source or destination address of the packet matches a known malicious address, deploying a honeypot in a container for the pattern matching the packet, if not yet deployed, and forwarding all network traffic for the connection pair to the honeypot.
    Type: Grant
    Filed: November 21, 2019
    Date of Patent: November 22, 2022
    Assignee: Arbor Networks, Inc.
    Inventor: Brian St. Pierre
  • Patent number: 11469968
    Abstract: A method and system for automatically classifying protected devices of a protected network to protection groups providing customized protection. The method includes accessing network flow information that includes network statistics processed from observed data obtained by packet interception devices, accessing at least one model that was trained using machine learning and a training data set of the network flow information to classify protected devices having addresses that correspond to destination addresses associated with the training data set to respective protection groups as a function of the network statistics that correspond to the training data set, and classifying a protected device that has an address that corresponds to a destination address associated with a portion of the network flow information to at least one of the protection groups using the at least one model and machine learning and as a function of the network statistics that correspond to the portion of the network flow information.
    Type: Grant
    Filed: July 10, 2020
    Date of Patent: October 11, 2022
    Assignee: Arbor Networks, Inc.
    Inventors: Justin William Haddad, Sean O'Hara
  • Patent number: 11451569
    Abstract: A method is provided of extracting file content from a live stream of network data streaming multiple files.
    Type: Grant
    Filed: June 22, 2021
    Date of Patent: September 20, 2022
    Assignee: Arbor Networks, Inc.
    Inventors: Bhargav M. Pendse, Neil Richard Terry
  • Patent number: 11451582
    Abstract: Detecting a Denial of Service (DoS) attack in a network by a network edge router device whereby network traffic flows from the edge router to a core router in the network. Storing DoS attack traffic information in storage associated with the edge router which receives network traffic. Determining in the edge router if a portion of the received network traffic matches at least a portion of the stored DoS attack information. Determining in the edge router that an alert condition exists if a portion of the received network traffic is determined to match at least a portion of the stored DoS attack information. Sending an alert signal from the edge router to an attack mitigation device if it is determined that an alert condition exists, causing the attack mitigation device to transition to a mitigation state for mitigating effects of a DoS attack upon the network.
    Type: Grant
    Filed: April 16, 2020
    Date of Patent: September 20, 2022
    Assignee: Arbor Networks, Inc.
    Inventor: Brian St. Pierre