Patents by Inventor Steinthor Bjarnason
Steinthor Bjarnason has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 12341810
Abstract: A computer implemented method system for obscuring the status of a network service provided by a network device. Received in a network monitoring device is network packet request message intended for a network device. The network monitoring device analyzes the received network packets request to determine whether the received network packet request is a DDoS network probe packet request. If the received packet request was determined to be a DDoS network probe packet requests, a response is generated and sent from the network monitoring device to the device that sent the DDoS network probe packet request indicating a faux degradation of service level for the intended network device.
Type: Grant
Filed: November 22, 2022
Date of Patent: June 24, 2025
Assignee: ARBOR NETWORKS, INC.
Inventors: Steinthor Bjarnason, Sean O'Hara
-
Publication number: 20250088531
Abstract: A system is disclosed. The system can include a network monitoring device connected to a communications network. The network monitoring device to store a probabilistic data structure indicating one or more domain names; receive a response data packet from the DNS server, the response data packet comprising a first domain name transmitted in a query to the DNS server and an affirmative response code; update the probabilistic data structure with the first domain name identified from the response data packet; responsive to detecting an attack on the network, retrieve a query message, the query message containing a second domain name; query the updated probabilistic data structure with the second domain name; and restrict transmission of the query message or communication by the computing device with the DNS server.
Type: Application
Filed: September 11, 2023
Publication date: March 13, 2025
Applicant: NetScout Systems, Inc.
Inventors: Brian St. Pierre, Steinthor Bjarnason
-
Publication number: 20250088493
Abstract: Systems and methods for transparent service response analysis is provided. A system may obtain a network data packet from a network service provider. The system may determine the network data packet includes a response code indicating a status of the request. The system may extract the response code from the network data packet. The system may modify an IP header of the network data packet based on the response code. The system may encapsulate the network data packet based on the response code. The system may send the network data packet with the modified IP header. The system may send the encapsulated network data packet.
Type: Application
Filed: September 13, 2023
Publication date: March 13, 2025
Applicant: NetScout Systems, Inc.
Inventor: Steinthor Bjarnason
-
Publication number: 20250088537
Abstract: Systems and methods for service response analysis via out-of-band signaling is provided. A system may obtain, via a first network channel, a network data packet from a network service provider. The system may determine the network data packet comprises a response code indicating a status of the request. The system may extract the response code from the network data packet. The system may generate an out-of-band response message comprising the response code. The system may send, to an external device via a second network channel, the out-of-band response message comprising the response code.
Type: Application
Filed: September 13, 2023
Publication date: March 13, 2025
Applicant: NetScout Systems, Inc.
Inventor: Steinthor Bjarnason
-
Publication number: 20250007800
Abstract: Methods and systems for temporal context monitoring and enforcement for telecommunications networks are disclosed. A first and a second set of metrics associated with a network are collected. The first set of metrics are associated with a first time and indicate a first state of the network. The second set of metrics are associated with a second time and indicate a second state of the network. An indication of an anomaly on the network is determined responsive to comparing the second set of metrics with the first set of metrics. A network policy is applied to revert the network from the second state to the first state.
Type: Application
Filed: May 31, 2024
Publication date: January 2, 2025
Applicant: NetScout Systems, Inc.
Inventors: Steinthor Bjarnason, Roland Dobbins
-
Patent number: 12166791
Abstract: A computer system and process for mitigating a Distributed Denial of Service (DDoS) attack by analyzing and correlating inbound and outbound packet information relative to the one or more protected computer networks for detecting novel DDoS Reflection/Amplification attack vectors. Created are separate data repositories that respectively store information relating to captured inbound and outbound packets flowing to and from the protected computer networks. Stored in each respective inbound and outbound data repository are identified inbound destination ports respectively associated with the captured inbound and outbound packets such that each identified inbound destination port number is associated with 1) a packet count relating to the inbound and outbound packets; and 2) a packet byte length count relating to each of the inbound and outbound packets.
Type: Grant
Filed: June 1, 2022
Date of Patent: December 10, 2024
Assignee: ARBOR NETWORKS, INC.
Inventors: Brian St. Pierre, Steinthor Bjarnason
-
Patent number: 12095729
Abstract: A method of configuring a filter to perform pattern matching against input data is provided. The method includes receiving one or more rules, each rule including one or more field specifiers, each field specifier including a value specifier that specifies a value to be matched and a location specifier that specifies a location in the input data. For each rule of the one or more rules an empty buffer is initialized. For each field specifier the value specified by the field specifier is appended to the buffer, and the buffer contents are inserted into contents of a probabilistic data structure representing all of the field specifiers of the rule. The probabilistic data structure is configured to receive a query that includes query buffer contents determined from the input data and respond with a match status of probably present based on a predetermined probability, or definitely not present.
Type: Grant
Filed: August 30, 2022
Date of Patent: September 17, 2024
Assignee: NETSCOUT SYSTEMS TEXAS, LLC
Inventors: Brian St. Pierre, Timothy David Dodd, Steinthor Bjarnason
-
Publication number: 20240259423
Abstract: A computer method and system for determining patterns in network traffic packets having structured subfields for generating filter candidate regular expressions for DDoS attack mitigation. Stored packets are analyzed to extract a query name for each stored packet. Each query name is segregated into subfields. A Results-table is generated utilizing the segregated subfields of the query names. A Field-length table is generated that contains the length of the Field Values (Field-length) for each Field Name and an associated counter indicating how many instances the Field-length for a Field Name is present in the extracted query names. The Field-length table is analyzed to determine patterns of equal length in the “Results” table. Utilizing the Patterns table, unique combinations of the Field Values are generated as a filter candidate regular expression for DDoS attack mitigation purposes.
Type: Application
Filed: April 10, 2024
Publication date: August 1, 2024
Applicant: Arbor Networks, Inc.
Inventor: Steinthor Bjarnason
-
Patent number: 12041079
Abstract: A computer system and process for mitigating a Distributed Denial of Service (DDoS) attack to one or more protected computer networks by determining keywords and/or patterns in HyperText Transfer Protocol (HTTP) responses. Stored HTTP responses are analyzed to extract one or more HTTP characteristics for each stored HTTP response. One or more patterns having one or more keywords in each stored HTTP response is determined utilizing the extracted one or more HTTP characteristics for each stored HTTP response. A hash value is determined for each determined pattern, which is preferably stored in a hash structure accompanied by its respective determined HTTP characteristics. Each hash value accompanied by its respective determined HTTP characteristics is stored as a mitigation filter candidate if the hash value contains a determined pattern consisting of at least a predetermined percentage of all determined patterns stored in the hash structure.
Type: Grant
Filed: May 12, 2022
Date of Patent: July 16, 2024
Assignee: ARBOR NETWORKS, INC.
Inventors: Steinthor Bjarnason, Ellis Roland Dobbins
-
Patent number: 11997133
Abstract: A method for detecting patterns using statistical analysis is provided. The method includes receiving a subset of structured data having a plurality of fields. A plurality of value combinations is generated for the plurality of fields using a statistical combination function. Each combination of the generated plurality of value combinations is stored as a separate entry in a results table. The entry in the results table includes a counter associated with the stored combination. A value of the counter is incremented for every occurrence of the stored combination in the generated plurality of value combinations. The results table is sorted based on the counters' values and based on a number of fields in each combination. One or more entries having highest counter values are identified in the results table.
Type: Grant
Filed: November 22, 2021
Date of Patent: May 28, 2024
Assignee: ARBOR NETWORKS, INC.
Inventors: Steinthor Bjarnason, Ellis Roland Dobbins
-
Publication number: 20240171606
Abstract: A computer implemented method system for obscuring the status of a network service provided by a network device. Received in a network monitoring device is network packet request message intended for a network device. The network monitoring device analyzes the received network packets request to determine whether the received network packet request is a DDoS network probe packet request. If the received packet request was determined to be a DDoS network probe packet requests, a response is generated and sent from the network monitoring device to the device that sent the DDoS network probe packet request indicating a faux degradation of service level for the intended network device.
Type: Application
Filed: November 22, 2022
Publication date: May 23, 2024
Applicant: Arbor Networks, Inc.
Inventors: Steinthor Bjarnason, Sean O'Hara
-
Patent number: 11985162
Abstract: A computer method and system for determining patterns in network traffic packets having structured subfields for generating filter candidate regular expressions for DDoS attack mitigation. Stored packets are analyzed to extract a query name for each stored packet. Each query name is segregated into subfields. A Results-table is generated utilizing the segregated subfields of the query names. A Field-length table is generated that contains the length of the Field Values (Field-length) for each Field Name and an associated counter indicating how many instances the Field-length for a Field Name is present in the extracted query names. The Field-length table is analyzed to determine patterns of equal length in the “Results” table. Utilizing the Patterns table, unique combinations of the Field Values are generated as a filter candidate regular expression for DDoS attack mitigation purposes.
Type: Grant
Filed: February 23, 2022
Date of Patent: May 14, 2024
Assignee: ARBOR NETWORKS, INC.
Inventor: Steinthor Bjarnason
-
Publication number: 20240073184
Abstract: A method of configuring a filter to perform pattern matching against input data is provided. The method includes receiving one or more rules, each rule including one or more field specifiers, each field specifier including a value specifier that specifies a value to be matched and a location specifier that specifies a location in the input data. For each rule of the one or more rules an empty buffer is initialized. For each field specifier the value specified by the field specifier is appended to the buffer, and the buffer contents are inserted into contents of a probabilistic data structure representing all of the field specifiers of the rule. The probabilistic data structure is configured to receive a query that includes query buffer contents determined from the input data and respond with a match status of probably present based on a predetermined probability, or definitely not present.
Type: Application
Filed: August 30, 2022
Publication date: February 29, 2024
Applicant: NetScout Systems Texas, LLC
Inventors: Brian St. Pierre, Timothy David Dodd, Steinthor Bjarnason
-
Publication number: 20230396648
Abstract: A computer system and process for mitigating a Distributed Denial of Service (DDoS) attack by analyzing and correlating inbound and outbound packet information relative to the one or more protected computer networks for detecting novel DDoS Reflection/Amplification attack vectors. Created are separate data repositories that respectively store information relating to captured inbound and outbound packets flowing to and from the protected computer networks. Stored in each respective inbound and outbound data repository are identified inbound destination ports respectively associated with the captured inbound and outbound packets such that each identified inbound destination port number is associated with 1) a packet count relating to the inbound and outbound packets; and 2) a packet byte length count relating to each of the inbound and outbound packets.
Type: Application
Filed: June 1, 2022
Publication date: December 7, 2023
Applicant: Arbor Networks, Inc.
Inventors: Brian St. Pierre, Steinthor Bjarnason
-
Patent number: 11770405
Abstract: A method of automated filtering includes receiving a network traffic snapshot having packets with data stored in respective fields, generating a statistical data structure storing each potential unique combination of data stored in respective fields with an associated counter that is incremented for each occurrence that the combination matches one of the packets of the network traffic snapshot and one or more observation timestamps. Determining an observed vector from the statistical data structure, wherein the observed vector has associated attribute/value pairs and counters that satisfy a predetermined criterion. The observed vector's attribute/value pairs are compared to known attribute/value pairs associated with known DDoS attack vectors of an attack vector database.
Type: Grant
Filed: September 10, 2020
Date of Patent: September 26, 2023
Assignee: ARBOR NETWORKS, INC.
Inventors: Steinthor Bjarnason, Brian St. Pierre
-
Publication number: 20230283631
Abstract: A computer system and process for mitigating a Distributed Denial of Service (DDoS) attack to one or more protected computer networks by determining keywords and/or patterns in HyperText Transfer Protocol (HTTP) responses. Stored HTTP responses are analyzed to extract one or more HTTP characteristics for each stored HTTP response. One or more patterns having one or more keywords in each stored HTTP response is determined utilizing the extracted one or more HTTP characteristics for each stored HTTP response. A hash value is determined for each determined pattern, which is preferably stored in a hash structure accompanied by its respective determined HTTP characteristics. Each hash value accompanied by its respective determined HTTP characteristics is stored as a mitigation filter candidate if the hash value contains a determined pattern consisting of at least a predetermined percentage of all determined patterns stored in the hash structure.
Type: Application
Filed: May 12, 2022
Publication date: September 7, 2023
Applicant: Arbor Networks, Inc.
Inventors: Steinthor Bjarnason, Ellis Roland Dobbins
-
Publication number: 20230269269
Abstract: A computer method and system for determining patterns in network traffic packets having structured subfields for generating filter candidate regular expressions for DDoS attack mitigation. Stored packets are analyzed to extract a query name for each stored packet. Each query name is segregated into subfields. A Results-table is generated utilizing the segregated subfields of the query names. A Field-length table is generated that contains the length of the Field Values (Field-length) for each Field Name and an associated counter indicating how many instances the Field-length for a Field Name is present in the extracted query names. The Field-length table is analyzed to determine patterns of equal length in the “Results” table. Utilizing the Patterns table, unique combinations of the Field Values are generated as a filter candidate regular expression for DDoS attack mitigation purposes.
Type: Application
Filed: February 23, 2022
Publication date: August 24, 2023
Applicant: Arbor Networks, Inc.
Inventor: Steinthor Bjarnason
-
Patent number: 11431750
Abstract: A system and method for detecting a Denial of Service (DoS) attack. A number of evaluator elements (M) is determined for DoS analysis for network connection requests wherein each evaluator element is preferably associated with a component of the analyzed connection request. A DoS evaluator element score is determined for an evaluator element of the connection request by analyzing the evaluator element. DoS mitigation actions may be performed on the connection request if the determined evaluator element score is indicative of a DoS attack. An evaluator consolidated score (which may be weighted) is then calculated preferably consisting of one or more of the respective DoS evaluator element scores. Next, a determination is made as to whether each evaluator element of the M evaluator elements has been analyzed for determining a respective DoS evaluator element score. If no, a DoS evaluator element score for a succeeding evaluator element to be analyzed is then determined.
Type: Grant
Filed: May 15, 2020
Date of Patent: August 30, 2022
Assignee: Arbor Networks, Inc.
Inventors: Sean O'Hara, Steinthor Bjarnason
-
Publication number: 20220078205
Abstract: A method of automated filtering includes receiving a network traffic snapshot having packets with data stored in respective fields, generating a statistical data structure storing each potential unique combination of data stored in respective fields with an associated counter that is incremented for each occurrence that the combination matches one of the packets of the network traffic snapshot and one or more observation timestamps. Determining an observed vector from the statistical data structure, wherein the observed vector has associated attribute/value pairs and counters that satisfy a predetermined criterion. The observed vector's attribute/value pairs are compared to known attribute/value pairs associated with known DDoS attack vectors of an attack vector database.
Type: Application
Filed: September 10, 2020
Publication date: March 10, 2022
Applicant: Arbor Networks, Inc.
Inventors: Steinthor Bjarnason, Brian St. Pierre
-
Patent number: RE50354
Abstract: A method of detecting patterns in network traffic is provided. The method includes receiving packets of network traffic, performing a frequency analysis per field of the packets as a function of frequency of the occurrence of the same data in the corresponding field, and selecting top values which are values associated with each field of the set of fields that satisfy a criterion as having occurred most frequently in the packets as a function of a result of the frequency analysis.
Type: Grant
Filed: August 24, 2023
Date of Patent: March 25, 2025
Assignee: Arbor Networks, Inc.
Inventors: Steinthor Bjarnason, Andrew Ralph Beard, David Turnbull