Patents by Inventor Jean-Marc Robert

Jean-Marc Robert has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20070011741
    Abstract: This method and system for detecting abnormal traffic in a communications network is based on classifying the traffic in risk and status categories and maintaining a service status table with this information for each service at a respective node. The risk categories are initially established based on known software vulnerabilities recognized for the respective service. An early notifier enables further processing of services suspected of malware propagation. Status categories enable segregating the traffic with an “under attack” status from the “non under attack” status, so that the intrusion detection system at the respective node only processes the “under attack” traffic. In this way, the time and amount of processing performed by the intrusion detection system are considerably reduced.
    Type: Application
    Filed: July 8, 2005
    Publication date: January 11, 2007
    Applicant: ALCATEL
    Inventors: Jean-Marc Robert, Francois Cosquer
  • Patent number: 7114182
    Abstract: Methods of detecting TCP SYN flooding attacks at a router located between a LAN and a network such as the Internet are described. The methods rely on a counting arrangement in which SYN and FIN packets are counted on both the LAN side and the network or Internet side of the router during a time interval. Weighting factors are applied to each count, the factor for the LAN side count having the opposite polarity to the factor for the network side count. The absolute values of the sums of the weighting factors of like polarity are equal. An abnormal number of unsuccessful connection attempts is determined based on a parameter calculated using the weighting factors in conjunction with the respective counts.
    Type: Grant
    Filed: May 31, 2002
    Date of Patent: September 26, 2006
    Assignee: Alcatel Canada Inc.
    Inventors: Jean-Marc Robert, Brett Howard, Paul Kierstead, Scott David D'Souza
  • Publication number: 20060056402
    Abstract: Methods and apparatus for improving the resilience of wireless packet-switched networks to Layer-2 attacks are provided via a lightweight mechanism for detecting spoofed frames. The mechanism enables a receiving node to detect spoofed frames from information contained in cookies sent with frames. A first cookie, containing initial information, is sent to the receiving station from the transmitting node along with the first frame of a frame set. For each received frame, spoofing detection includes applying a function to information received via a corresponding cookie received with the subject frame, the result of which function is compared with information received via a previous cookie. The validity of the subject frame is asserted if the result of applying the function to information received in the corresponding subject cookie correlates with previous or initial information received in a previous or the first cookie, respectively. An exemplary implementation includes using a one-way hashing function.
    Type: Application
    Filed: September 14, 2004
    Publication date: March 16, 2006
    Applicant: ALCATEL
    Inventors: Frederic Gariador, Jean-Marc Robert
  • Publication number: 20050257047
    Abstract: A system for improving security of management and control functions at a network element in a communications network is described. The control card of the network element is configured to function in association with an execution device such as a smartcard. The execution device has embedded thereon one or several processors each implementing specific security related operations. This limits access to the network element which, in turn, minimizes access to sensitive and confidential information.
    Type: Application
    Filed: May 17, 2004
    Publication date: November 17, 2005
    Applicant: Alcatel
    Inventors: Bertrand Marquet, Jean-Marc Robert, Francois Cosquer
  • Publication number: 20050132219
    Abstract: A method and system for tracing-back single packets based on storing only one record per flow, ‘FlowId’, observed by a router on a given interface and in a given time window ‘Time Period’. This record can be seen as a canonical representation for all packets seen during this window. A malicious packet may be traced back to its origin by identifying the port of arrival based on that packet's time of arrival X and the FlowId.
    Type: Application
    Filed: December 10, 2003
    Publication date: June 16, 2005
    Applicant: Alcatel
    Inventor: Jean-Marc Robert
  • Publication number: 20050058129
    Abstract: The Time to Live (TTL) field in an IP header is used as a covert channel in a communication system. More particularly the TTL field can be used to selectively mark packets with unique identifiers as they pass through an upstream station on their way to a downstream station. In this way the source of a traffic flow at least within a particular domain can be absolutely identified. This method of performing a traceback operation doesn't utilize additional resources as it relies on functionality which already exists in the system.
    Type: Application
    Filed: September 17, 2003
    Publication date: March 17, 2005
    Inventors: Emanuele Jones, Olivier Le Moigne, Jean-Marc Robert
  • Publication number: 20050044208
    Abstract: A system and method of tracing network flows in an autonomous communications system are described. The Autonomous System may be formed of multiple subgroups depending on size and application. Each subgroup contains multiple, interconnected routers which participate in transporting data flow across the Autonomous System (AS). A Director within the AS has a full and complete vision of the network topology. When it is desired to trace a particular flow because of an identified attack, selected routers in key locations—through which that particular flow travels—mark packets with labels which enable the tracing of the path. These labels permit the source of the attack, at least in so far as it travels through the AS, to be identified. If the number of entry (or key) points to the AS is larger than the number of available labels, the AS will be divided into subgroups, and the flow is traced from subgroup to subgroup.
    Type: Application
    Filed: August 7, 2003
    Publication date: February 24, 2005
    Inventors: Emanuele Jones, Jean-Marc Robert
  • Publication number: 20040250123
    Abstract: Systems and methods of mitigating attacks, such as Denial of Service (DoS) attacks, in a communications network are presented. Source addresses of packets received at network devices are monitored in relation to known reliable addresses stored in a decision engine. If the source address, as stored in a source table, is known as being legitimate the packets are placed in a high priority queue for transmission at the highest rate. Packets with an unknown address are placed in a lower priority queue, the source address stored in a different source table, and the packet is serviced at a lower rate. Packets that become known to be legitimate are moved from the unknown table to the table from which high priority queues are serviced. In this way, an attacker that employs spoofing techniques is prevented from overtaxing network resources.
    Type: Application
    Filed: May 19, 2003
    Publication date: December 9, 2004
    Applicant: Alcatel
    Inventors: Jean-Marc Robert, Scott David D'Souza, Paul Kierstead
  • Publication number: 20030226035
    Abstract: Methods of detecting TCP SYN flooding attacks at a router located between a LAN and a network such as the Internet are described. The methods rely on a counting arrangement in which SYN and FIN packets are counted on both the LAN side and the network or Internet side of the router during a time interval. Weighting factors are applied to each count, the factor for the LAN side count having the opposite polarity to the factor for the network side count. The absolute values of the sums of the weighting factors of like polarity are equal. An abnormal number of unsuccessful connection attempts is determined based on a parameter calculated using the weighting factors in conjunction with the respective counts.
    Type: Application
    Filed: May 31, 2002
    Publication date: December 4, 2003
    Inventors: Jean-Marc Robert, Brett Howard, Paul Kierstead, Scott David D'Souza
  • Publication number: 20030226034
    Abstract: Methods of preventing flooding-type denial-of-service attacks in a computer-based network are described. Connection establishing messages known as SYN packets are matched with connection terminating messages (FIN packets) by using a hash algorithm. The hash algorithm or message digest uses source and destination IP addresses, port numbers, and a secret key as input parameters. The SYN packets and FIN packets are mapped to buckets using the hash algorithm and statistics are maintained for each bucket. A correspondence between SYN packets and FIN packets is maintained to close a security hole.
    Type: Application
    Filed: May 31, 2002
    Publication date: December 4, 2003
    Inventors: Brett Howard, Jean-Marc Robert, Paul Kierstead, Scott David D'Souza
  • Publication number: 20030226032
    Abstract: A mechanism for detecting denial of service attacks in a digital communications system is described. A probabilistically determined portion of input packets of a connection are processed using a hash function to determine whether the packets belong to the flow initiated by a TCP SYN packet. The hash function includes a secret key for additional security. The result of the hash function is added to a value which is dependent on the sequence number of a packet being processed.
    Type: Application
    Filed: December 12, 2002
    Publication date: December 4, 2003
    Inventor: Jean-Marc Robert
  • Patent number: 6648608
    Abstract: A main unit pumps the transferred liquid actuated by an auxiliary unit for pumping a working liquid. The auxiliary unit comprises a piston provided with an axial drilling (bore) for circulating working liquid between a tank and a compression chamber. The piston further comprises a valve for closing the drilling, the valve housed in the drilling between two ends thereof in permanent communication with the tank and the compression chamber respectively. The valve opens when the pressure of the working liquid in the tank exceeds that of the working liquid in the compression chamber and closes in the opposite situation. The compression chamber is delimited by a flexible diaphragm for pumping transferred liquid. The diaphragm is constantly elastically returned to the first position by a diaphragm spring.
    Type: Grant
    Filed: December 10, 2001
    Date of Patent: November 18, 2003
    Assignees: Peugeot Citroen Automobiles SA, Siemens VDO Automotive
    Inventor: Jean-Marc Robert