Deep Packet Inspection Consortium
Protecting Against Patent Assertion Entities Targeting DPI

DPI Consortium Zotero Database Contents
Article (with link) Abstract
5G call flow Wireshark Wireshark is a powerful tool that can be used to learn more about 5G call flow. By capturing and analyzing network traffic, you can gain insights into how 5G calls work and how they can be secured.
1993 Novell LANalyzer Network Analyser Software Demo VHS Network monitor and packet capture software from Novell. Looks like it supported Token Ring and Ethernet. I have never seen a network monitor for Windows 3.1 before. I got all the floppies for this software as well (about 20 of them!), I may try to image them later. The part number on the cassette is 476-000112-002
How to Use the DPIC Zotero Library Take 3 minutes to learn tips and tricks for searching the DPI Consortium Zotero library.
Algorithmically detecting malicious packets in DDoS attacks
HyperLock technique for high-speed network data monitoring
Platform and method for providing data services in a communication network
Adaptive sampling to build accurate application throughput models In one embodiment, a node in a network reports, to a supervisory service, histograms of application-specific throughput metrics measured from the network. The node receives, from the supervisory service, a merged histogram of application-specific throughput metrics. The supervisory service generated the merged histogram based on a plurality of histograms reported to the supervisory service by a plurality of nodes. The node performs, using the merged histogram, application throughput anomaly detection on traffic in the network. The node causes performance of a mitigation action in the network when an application throughput anomaly is detected. The node adjusts, based on a control command sent by the supervisory service, a histogram reporting strategy used by the node to report the histograms of application-specific throughput metrics to the supervisory service.
TECHNIQUES AND INTERFACES FOR TROUBLESHOOTING DATACENTER NETWORKS (APPLICATION ONLY) A monitoring device for troubleshooting events in a datacenter network identifies a first network event for a time period, and provides an initial display page, one or more additional display pages, selectable display objects, and a representation of the first network event. The device generates a dynamic troubleshooting path for the first network event to track a user navigation between display pages, a manipulation of the one or more selectable display objects, and a last-current display page, and also provides an indication of a second network event associated with higher resolution priority relative to the first network event. Retrieving the dynamic troubleshooting path causes the interface to present the last-current display page, apply the manipulation of the one or more selectable display objects, and load the user navigation between the initial dashboard display page and the one or more additional display pages in a cache.
Wireshark User’s Guide – v1.11.3-rc1-2217
Wireshark Release History
Wireless throughput issue detection using coarsely sampled application activity In one embodiment, a service in a network samples application traffic throughputs for a set of applications present in a network. The service generates a throughput model based on the sampled application throughputs for the set of applications. The service performs anomaly detection on wireless throughput measurements from the network by comparing the wireless throughput measurements to the generated throughput model. The service sends an anomaly detection notification based on a determination that the wireless throughput measurements from the network are anomalous.
WildPackets to buy Net3 The San Francisco Business Times features local business news about San Francisco. We also provide tools to help businesses grow, network and hire.
Wide area network optimization In one embodiment, a method includes receiving application traffic at a network device from one or more endpoints, measuring performance of applications at the network device, optimizing TCP (Transmission Control Protocol) applications and UDP (User Datagram Protocol) applications based on the measured performance and policy input received at the network device, queuing the application traffic at the network device such that the application traffic shares available bandwidth in accordance with the measured performance and the policy input, and transmitting the application traffic over a wide area network. An apparatus is also disclosed.
Who’s spying on the web? – Business – Macleans.ca
White Paper: Integrated Network Security Architecture Most large organizations address network security with an army of tactical point tools like firewalls, VPN gateways, IDSs/IPSs, network proxies, malware sandboxes, web and e-mail gateways, etc. This messy array of independent technologies was adequate ten years ago, but now presents a plethora of operational, policy enforcement, and monitoring challenges. Worse yet, network security defenses are becoming less and less effective at blocking targeted and sophisticated threats and advanced malware attacks.
What’s New in EcoSCOPE 4.0
What is Deep Packet Analysis? | NETSCOUT
WG15 & Black Hat: Advancing Cyber Security for Electric Utilities Using IEC 62351 Standards
Web-Based Internet Traffic Analysis Using Flows
Web application security methods and systems Computerized methods and systems receive a request message from a client device that is addressed to a web server hosting at least one web application. the request message is analyzed to identify potential attack indicators that are present in the request message. Each potential attack indicator has a score. A reputation score is assigned to the request message that is associated with behavior of the client device relative other client devices sending request message to the web server. A composite score for the request message is calculated based in part on the scores of the potential attack indicators and the reputation score. The request message is handled in accordance with the calculated composite score.
WAN and Application Optimization Solution Guide-Cisco Validated Design-Document Version 1.1 This guide describes the Cisco WAN and application optimization solution and provides detailed technical information about the design and implementation of the solution. The WAN and application optimization solution combines Cisco products and technologies to deliver solutions to specific WAN and application optimization challenges. This guide helps its readers understand these challenges, and design and implement networking infrastructures to meet the challenges. Guide is dated August 2008. Archived July 5, 2017.
Virtual routing and forwarding (VRF) for asymmetrical virtual service provider (VSP) tunnels In one embodiment, a device in a network maintains first and second routing tables associated with a virtual private network (VPN) tunnel. The first and second routing tables comprise routing information used to route packets external to a particular routing domain. The device routes a first packet in the network via the VPN tunnel and a second tunnel that encapsulates the VPN tunnel, using the routing information in the first routing table. The device receives a second packet via the VPN tunnel that was routed to the device using the routing information in the second routing table and bypasses the second tunnel.
VALIDATING A DEVICE CLASS CLAIM USING MACHINE LEARNING (APPLICATION ONLY) In one embodiment, a device in a network receives an access policy and a class behavioral model for a node in the network that are associated with a class asserted by the node. The device applies the access policy and class behavioral model to traffic associated with the node. The device identifies a deviation in a behavior of the node from the class behavioral model, based on the application of the class behavioral model to the traffic associated with the node. The device causes performance of a mitigation action in the network based on the identified deviation in the behavior of the node from the class behavioral model.
Vineyard Networks Announces Support for OCTEON® III and TurboDPI™ From Cavium – Yahoo! Finance
Vedicis Delivers Data Traffic Visibility to Telecom Operators and Deploys First Projects with Hewlett Packard Enterprise | Business Wire PARIS–(BUSINESS WIRE)–Vedicis, a leading software editor of DPI (Deep Packet Inspection) and PCEF (Policy and Charging Enforcement Function) platforms, announces today the signature of an OEM agreement to provide their software DPI data probe, the Smart Traffic Collector, to Hewlett Packard Enterprise (HPE). The first projects already deployed with the Vedicis platform enhance HPE Dragon with further DPI capabilities to help telecom operators access network traffic intelligence and marketing insight about subscribers’ experience and Internet usage.
USING STABILITY METRICS FOR LIVE EVALUATION OF DEVICE CLASSIFICATION SYSTEMS AND HARD EXAMPLES COLLECTION (APPLICATION ONLY) In one embodiment, a label stability analyzer service receives classification data indicative of device type labels assigned to endpoints in a network by a device classification service. The label stability analyzer service counts device type label changes made by the device classification service to the endpoints. The label stability analyzer service computes variability metrics for the device type labels, wherein the variability metric for a device type label is based on a count of the device type label changes associated with that label. The label stability analyzer service determines, based on one of the variability metrics for a particular one of the device type labels exceeding a threshold value, a configuration change for the device classification service that adjusts how the device classification service applies the particular label to endpoints. The label stability analyzer service provides the configuration change to the device classification service.
USING A FLAPPINESS METRIC TO LIMIT TRAFFIC DISRUPTION IN WIDE AREA NETWORKS (APPLICATION ONLY) In one embodiment, a device in a network obtains tunnel flappiness metrics associated with a particular tunnel in the network exhibiting flapping. The device makes, based on the tunnel flappiness metrics, a prediction that the particular tunnel is going to flap. The prediction is made using a machine learning model. The device proactively reroutes, based on the prediction, traffic from the particular tunnel onto an alternate tunnel, prior to the particular tunnel flapping. The device evaluates performance of the alternate tunnel, after proactively rerouting the traffic from the particular tunnel onto the alternate tunnel.
USE OF URL REPUTATION SCORES IN DISTRIBUTED BEHAVIORAL ANALYTICS SYSTEMS (APPLICATION ONLY) In one embodiment, a device in a network identifies a universal resource locator (URL) from traffic destined for the URL that triggered a first anomaly detected by an anomaly detector. The device reports the first anomaly and the identified URL to a supervisory device in the network. The device receives a URL filter rule for the URL. The URL filter rule is configured to affect anomaly scores generated by the anomaly detector for traffic destined for the URL or a domain associated with the URL. The device uses the URL filter rule to adjust an anomaly score for a second anomaly detected by the anomaly detector based on the second anomaly involving traffic destined for the URL or the domain associated with the URL.
Using repetitive behavioral patterns to detect malware In one embodiment, a device generates one or more time series of characteristics of client-server communications observed in a network for a particular client in the network. The device partitions the one or more time series into sets of time windows based on patterns present in the characteristics of the client-server communications. The device compares the characteristics of the client-server communications from the partitioned time windows to determine measures of behavioral similarity between the compared time windows. The device provides the measures of behavioral similarity between the compared time windows as input to a machine learning-based malware detector. The device causes performance of a mitigation action in the network when the machine learning-based malware detector determines that the particular client in the network is infected with malware.
UNSTRUCTURED DATA SENSITIVITY INFERENCE FOR FILE MOVEMENT TRACKING IN A NETWORK (APPLICATION ONLY) In one embodiment, a traffic analysis service that monitors a network obtains file metadata regarding an electronic file. The traffic analysis service determines a sensitivity score for the electronic file based on the file metadata. The traffic analysis service detects the electronic file within traffic in the network. The traffic analysis service causes performance of a mitigation action regarding the detection of the electronic file within the traffic, based on the sensitivity score of the electronic file.
Using a machine learning classifier to assign a data retention priority for network forensics and retrospective detection In one embodiment, a device in a network receives traffic data regarding one or more traffic flows in the network. The device applies a machine learning classifier to the traffic data. The device determines a priority for the traffic data based in part on an output of the machine learning classifier. The output of the machine learning classifier comprises a probability of the traffic data belonging to a particular class. The device stores the traffic data for a period of time that is a function of the determined priority for the traffic data.
United States Patent Application: 0210105319 The invention concerns a method for identifying a protocol of a data stream exchanged between two entities of a telecommunication network, the processing method comprising the following steps: —on receiving data of the data stream, grammatical parsing of said data stream in order to identify a protocol of the data stream; —in the event of failure to identify the protocol of the data stream by grammatical parsing, consulting a signature engine mapping protocols with corresponding signatures, and sequentially applying signatures to the data flow in order to identify a data stream protocol.
United States Patent Application: 0120166666 The invention relates to a method for supervising a communication session over a data network, said session including a first data flow, referred to as the parent flow, using a first protocol, said parent flow including data suitable for setting up a second data flow, referred to as the child flow, using a second protocol for said session, which includes: searching (13) the parent flow for the data that enable the child flow to be set up; generating (15) and storing (17) a signature, referred to as a parent key, using said data; auditing (19) data flows using the second protocol on the data network; creating (21) a signature for each one of the flows; comparing (23) said signature of each one of the flows with the parent key; and, if the comparison is positive, determining (25) that the data flow in question is the child flow of the session.
User control of a secure wireless computer network A wireless network is established between a station and an access point for the network using a sequence of messages that securely transmit authentication information from the station to the access point for validation by the access point, and subsequently transmit a shared key necessary to establish the wireless network from the access point to the station when the station is validated.
United States Patent Application: 0040073800- Adaptive intrusion detection system An intrusion detection method wherein a vulnerability determination or vulnerability assessment of one or more computers or hosts is performed to determine whether and what vulnerabilities exist on the computers or hosts, accomplished by using existing vulnerability determination or vulnerability assessment information that can be continually updated. Attack signatures, which can also be continually updated, are identified and correlated with the specific vulnerabilities identified. One or more designated IP sessions associated with attempted vulnerability exploitation are then inhibited or disconnected.
URGENT/11 – New ICS Threat Signatures by Nozomi Networks Labs A well-known RTOS (Real-Time Operating System), widely used in critical infrastructure sectors such as health care, transportation, aviation and other industrial operations, is affected by a series of 11 vulnerabilities dubbed URGENT/11. First reported and analyzed by an IoT security vendor, Armis*, and further described by VxWorks incident response, the vulnerabilities are particularly notable because they allow attackers to take over devices without user interaction. Also, they can be exploited using worms that spread very quickly, and they expose critical sectors to attack.
UNSUPERVISED LEARNING OF LOCAL-AWARE ATTRIBUTE RELEVANCE FOR DEVICE CLASSIFICATION AND CLUSTERING (APPLICATION ONLY) In various embodiments, a device classification service obtains data indicative of device attributes of a plurality of devices. The device classification service forms, based on the obtained data indicative of the device attributes, a concept graph that comprises nodes that represent different sets of the device attributes. The device classification service determines, by analyzing the concept graph, a relevance score for each of the device attributes that quantifies how relevant that attribute is to classifying a device by its device type. The device classification service uses the relevance scores for the device attributes to cluster the plurality of devices into device type clusters by their device attributes.
United States Patent: 11178177 – System and method for preventing session level attacks A computer method and system for mitigating a Session Level Attack (SLA) upon one or more internet hosted sought user accounts. A login request for a sought user account is received and Layer 3 information regarding the login request is utilized to determine existence of a SLA threat. One or more mitigation actions is performed on the login request to determine if a SLA threat exists based upon the utilization of Layer 3 information. Next, Layer 7 information regarding the login request is utilized to determine existence of a SLA threat wherein the Layer 7 information is only utilized to determine the existence of a SLA threat when no SLA threat was determined through utilization of the Layer 3 information. One or more mitigation actions is performed on the HTTP login request if the existence of a SLA threat exists based upon the utilization of the Layer 7 information.
TRAINING A NETWORK TRAFFIC CLASSIFIER USING TRAINING DATA ENRICHED WITH CONTEXTUAL BAG INFORMATION (APPLICATION ONLY) In one embodiment, a device groups feature vectors representing network traffic flows into bags. The device forms a bag representation of a particular one of the bags by aggregating the feature vectors in the particular bag. The device extends one or more feature vectors in the particular bag with the bag representation. The extended one or more feature vectors are positive examples of a classification label for the network traffic. The device trains a network traffic classifier using training data that comprises the one or more feature vectors extended with the bag representation.
United States Patent: 11165817 – Mitigation of network denial of service attacks using IP location services A computer method and system for detecting denial of service network attacks by analyzing intercepted data packets on a network to determine a user account associated with a preselected target host sought to be accessed via a user account login attempt. Determine if the login attempt exceeds a predetermined login value for previous failed login attempts associated with the user account sought to be accessed. Determine a geographic location associated with the login attempt if determined the login attempt exceeded the predetermined login value. Determine if a prior login attempt to the user account sought to be accessed was successful from the determined geographic location. Authenticate the login attempt to the user account sought to be accessed in the event it was determined a prior successful login attempt was made to the user account from the determined geographic location or no prior login attempts originated from the determined geographic location.
United States Patent: 11153342 – Method and system for providing DDoS protection by detecting changes in a preferred set of hierarchically structured items in stream data A computer implemented method and system for protecting against denial of service attacks by detecting changes in a preferred set of hierarchically-structured items in a network data stream in which a set of network destination prefixes is identified that account for a user specified target of the attack traffic. Changes in the attack traffic profile are detected and new sets of network destination prefixes are generated when the attack has shifted by a predetermined threshold. Sets of identified destination prefixes are then translated into route announcements to divert attack traffic to mitigation devices.
TRACKING OF DEVICES ACROSS MAC ADDRESS UPDATES (APPLICATION ONLY) In one embodiment, a service maintains a database of media access control (MAC) addresses of devices in a network and their associated telemetry data captured from the network. The service identifies a new MAC address being used by a particular device in the network. The service matches telemetry data associated with the new MAC address with telemetry data in the database associated with another MAC address, by using the telemetry data associated with the new MAC address as input to a machine learning-based classifier. The service determines, based on the matching, that the MAC address in the database associated with the matched telemetry data has been updated to the new MAC address by the particular device.
United States Patent: 11153334 – Automatic detection of malicious packets in DDoS attacks using an encoding scheme A method of detecting patterns in network traffic is provided. The method includes receiving packets of network traffic, performing a frequency analysis per field of the packets as a function of frequency of the occurrence of the same data in the corresponding field, and selecting top values which are values associated with each field of the set of fields that satisfy a criterion as having occurred most frequently in the packets as a function of a result of the frequency analysis. The method further includes assigning a bit encoding scheme that uses variable bit encoding to encode each of the top values for each field that has a top value, encoding into a single value each packet of the packets based on a bitfield representation that uses the encoding scheme for values associated with each field that has a top value, storing each potential combination of fields of the set of fields being processed, with all bits set per field when the field is an active field and no bits set when the field is inactive, performing a bitwise operation on each encoded packet with the stored potential combinations, sorting the results of the bitwise operation based on a number of the active fields and a number of occurrences of each same result of the bitwise operation, and providing the results of the sorting to a mitigation device for determining whether an attack is underway and/or for filtering network traffic for mitigating an attack.
TIERED DEEP PACKET INSPECTION IN NETWORK DEVICES (APPLICATION ONLY) Packet inspection in a network device includes a first stage circuit to monitor packets being switched by a network interface in the network device. The first stage circuit includes at least one pattern matcher to identify selected flows in the packets satisfying first criteria and to divert the selected flows from standard processing in the network interface. A second stage circuit receives the selected flows, performs deep packet inspection on the selected flows to identify further selected flows satisfying a second criteria, and controls the network interface to apply alternative processing to the further selected flows and allow the selected flows other than the further selected flows to rejoin the standard processing.
United States Patent: 11153189 – Grouping network traffic prior to storage in a columnar database A computer-implemented method of grouping network traffic metadata includes, based on a selected dimension of the network traffic metadata received from a network router, obtaining a statistic about a flow of network traffic metadata received over an interval for each instance of multiple instances of the dimension. The method further includes distributing the network traffic metadata into a plurality of groups for network traffic metadata from the smallest possible number of instances of the selected dimension to be distributed to each group, with the flow of network traffic metadata distributed optimally for a criteria regarding the statistic amongst the plurality of groups for minimizing cardinality of each group of the plurality of groups with respect to unselected dimensions of the network traffic metadata and providing each group to a columnar database for storage of the network traffic metadata distributed into each group in a different partition of the columnar database.
TELEMETRY COLLECTION AND POLICY ENFORCEMENT USING ASSET TAGGING (APPLICATION ONLY) According to one or more embodiments of the disclosure, a networking device receives a policy for an endpoint in a network. The policy specifies one or more component tags and one or more activity tags that were assigned to the endpoint based on deep packet inspection of traffic associated with the endpoint. The networking device identifies a set of tags for a particular traffic flow in the network associated with the endpoint. The set of tags comprises one or more component tags or activity tags associated with the particular traffic flow. The networking device makes a determination that the particular traffic flow violates the policy based on the set of tags comprising a tag that is not in the policy. The networking device initiates, based on the determination that the particular traffic flow violates the policy, a corrective measure with respect to the particular traffic flow.
United States Patent: 11122080 – Method and system for identifying a preferred set of hierarchically structured items in streaming data A computer implemented method and system for identifying a preferred set of hierarchically structured items in streaming data for analyzing Netflow data to identify those network destinations that are currently the target of a DDoS attack and to automatically select a set of network prefixes such that diversion routes for the prefixes are sent to the routers to divert attack traffic to TMS devices. The method includes searching sets of Hierarchical Heavy Hitters wherein each set corresponds to a different fraction of a total volume of network traffic and scoring each set according to an arbitrary scoring function. A certain set is selected and scored with a `good` score and a member of the `good` scored set is ranked in accordance with an arbitrary ranking function. A subset of the `good` scored set is selected such that the volume associated with the subset is in close proximity to a user-specified total whereby the selected subset becomes a set of recommended prefixes.
United States Patent: 11095671 – DNS misuse detection through attribute cardinality tracking A system and computer-implemented method to detect particular Domain Name System (DNS) misuse, wherein the method includes obtaining monitored network data. The monitored network data includes respective instances of request traffic. The request traffic is associated with DNS requests that request resolution of a name that belongs to at least one identified domain. Each DNS request is sent from a source address of one or more stub resolvers; the source address of the stub resolver may be spoofed. Each instance of request traffic includes the source address, the name for which DNS resolution is requested to be resolved, and the at least one identified domain associated with a corresponding DNS request. The method further includes tracking over time, using a probabilistic algorithm, an approximation of a first cardinality of names belonging to a selected domain of the at least one identified domain included in the instances of request traffic. The method further includes tracking over time, using the probabilistic algorithm, an approximation of a second cardinality of source addresses associated with the selected domain included in the instances of request traffic. The method further includes detecting a combination of a first condition of the approximation of the first cardinality and a second condition of the approximation of the second cardinality, wherein the combination of the first and second conditions indicates the occurrence of a specific DNS misuse. The method further includes performing an action to at least one of output a notification of and correct a condition associated with the detected occurrence of the specific DNS misuse.
United States Patent: 11019095 – Ransomware detection using file replication logs In one embodiment, a device in a network obtains log data regarding replication of files stored on an endpoint client to a file replication service. The device tracks, based on the obtained logs, encryption changes to the files that convert the files from unencrypted files to encrypted files. The device determines that the tracked encryption changes to the files are indicative of a ransomware infection on the endpoint client. The device initiates a mitigation action regarding the ransomware infection.
System, Device, and Method of Detecting, Mitigating and Isolating a Signaling Storm (APPLICATION ONLY) Detecting, mitigating and isolating a Signaling Storm, particularly in 5G communication networks. A Control Plane signal probe is connected at a first network node located between a Radio Access Network and a 5G Core Network, to monitor control messages originating from 5G-capable devices. A User Plane signal probe is connected at a second network node located between the 5G Core Network and remote entities to which the 5G-capable devices are sending messages, to monitor control messages passing through the second network node. An Inventory Management sub-system stores data correlating between 5G-capable devices and IMSI numbers. A Protector Unit is configured to receive (i) data collected by the Control Plane signal probe, and (ii) data collected by the User Plane signal probe, and (iii) a subset of IMSI numbers. The Protector Unit performs Machine Learning analysis, and detects and quarantines particular 5G-capable devices that are compromised or malfunctioning.
United States Patent: 10965553 – Scalable unsupervised host clustering based on network metadata A method for optimizing performance analysis of a plurality of network hosts associated with a communications network includes aggregating captured network performance data including a plurality of captured network performance metrics for a plurality of network flows. Each one of the plurality of network flows is associated with a plurality of network hosts. The aggregated captured network performance data is encoded by employing at least one data modification function. Dimensionality of the encoded captured network performance data is reduced using a neural network model. One or more reduced-dimensional clusters of the encoded captured network performance data are generated. Each of the one or more reduced-dimensional clusters groups one or more hosts of the plurality of network hosts based on the captured network performance metrics.
System and Methodology Protecting Against Key Logger Spyware /APPLICATION ONLY/ System and methodology protecting against key logger software /spyware/ is described. In one embodiment, for example, a method is described for protecting a computer system from security breaches that include unauthorized logging of user input, the method comprises steps of: specifying a particular application to be protected from unauthorized logging of user input; identifying additional system processes that may serve as a source of unauthorized logging of user input; injecting into the particular application and each identified system process an engine capable of detecting and blocking attempts at unauthorized logging of user input; and upon detection of an attempt at unauthorized logging of user input, blocking the attempt so that user input for the particular application remains protected from unauthorized logging.
SYSTEM AND METHOD FOR GENERATING API SCHEMAS FOR NETWORKED SERVICES /APPLICATION ONLY/ A method and system for generating an API schema associated with at least one API Endpoint by inspecting network data traffic. Network data requests that have been successfully served by an application associated with at least one API endpoint are examined, parsed and processed to generate an API schema corresponding to the service associated with the at least one API Endpoint.
SUBSCRIBER-AWARE NETWORK CONTROLLER /APPLICATION ONLY/ Technology related to processing network packets in a subscriber-aware manner is disclosed. In one example, a method includes selecting one or more subscribers to move from a first network processing node to a second network processing node. In response to the selection, subscriber data associated with the one or more subscribers can be programmed at the second network processing node. After the subscriber data associated with the one or more subscribers is programmed on the second network processing node, a software defined network /SDN/ switch can be reprogrammed to forward network traffic having network addresses associated with the one or more subscribers to the second network processing node instead of the first network processing node.
SECURE TRAFFIC VISIBILITY AND ANALYTICS FOR ENCRYPTED TRAFFIC /APPLICATION ONLY/ Presented herein is an exemplified system and method that provides visibility, for traffic analytics, into secured encapsulated packets /e.g., a secure VXLAN-GPE packet, a secure metadata-GPE packet or other GPE standards/. The exemplified system and method facilitates encryption of traffic in a granular manner while also facilitating the monitoring of said secure traffic in a fabric network in an end-to-end manner throughout the network. Such monitoring can be beneficially used for analytics, performance analysis, and network debugging/troubleshooting.
REVISITING DEVICE CLASSIFICATION RULES UPON OBSERVATION OF NEW ENDPOINT ATTRIBUTES /APPLICATION ONLY/ In various embodiments, a device classification service uses an initial device classification rule to label each of a set of endpoint devices in a network as being of a particular device type. The device classification service identifies a particular attribute exhibited by at least a portion of the set of endpoint devices and was not previously used to generate the initial device classification rule. The device classification service generates one or more new device classification rules based in part on the particular attribute. The device classification service switches from using the initial device classification rule to label endpoint devices in the network to using the one or more new device classification rules to label endpoint devices in the network.
PROTECTING DEVICE CLASSIFICATION SYSTEMS FROM ADVERSARIAL ENDPOINTS /APPLICATION ONLY/ In various embodiments, a device classification service clusters devices in a network into a device type cluster based on attributes associated with the devices. The device classification service tracks changes to the device type cluster over time. The device classification service detects an attack on the device classification service by one or more of the devices based on the tracked changes to the device type cluster. The device classification service initiates a mitigation action for the detected attack on the device classification service.
Policy-Based Control Mechanism For Wireless Network Physical Layer Resources /APPLICATION ONLY/ Embodiments of the present disclosure relate to physical layer resource utilization in wireless local area networks. In particular, the present disclosure relates to a policy-based control mechanism for wireless network physical layer resources such as transmit beamforming. Specifically, the disclosed system receives a set of network policy criteria, and information associated with each of a plurality of client devices connected to a network device. The disclosed system then selects a subset of client devices in a wireless network based on the set of network policy criteria and information associated with each of the plurality of client devices. Furthermore, the disclosed system provides the subset of client devices for using one or more of wireless network physical layer resources. Here, the wireless network physical layer resources are limited to a threshold number of client devices. Moreover, the number of client devices in the subset does not exceed the threshold number.
Policy Implementation at a Network Element based on Data from an Authoritative Source /APPLICATION ONLY/ In an embodiment, at a network element in a network, a domain name query is intercepted from a client. Metadata associated with a network application or service that is the object of the domain name query is obtained from a domain name system server. A policy is determined to enforce, based on the metadata, and the policy is enforced with respect to the client’s access of the network application or service.
United States Patent: 10951649 – Statistical automatic detection of malicious packets in DDoS attacks using an encoding scheme associated with payload content A method of detecting patterns in network traffic is provided. The method includes receiving a plurality of packets of network traffic, each packet having a payload populated with payload data and selecting payload lengths that occurred most frequently. For each of the selected payload lengths, a pattern template is generated using characters per position of the payload that satisfy a frequency criterion. A bit encoding scheme is assigned for each of the selected payload lengths and its associated pattern template. Each packet of the plurality of packets that has a payload length equal to any of the selected payload lengths and payload content that matches a pattern template generated for the payload is encoded into a single value. The single value uses the bit encoding scheme for the payload length and the pattern template matched. Each potential combination of fields representing the respective payload length and the pattern template is stored, with either all bits set per field when the field is active or no bits set per field when the field is inactive. A bitwise operation is performed on each encoded packet with the stored potential combinations. Results of the bitwise operation are stored in a sparse memory array. The results of the sparse array are sorted based on a number of the active fields and a number of occurrences of the respective results of the bitwise operation. The results of the sorting are provided to a mitigation device as an indication of whether an attack is underway and/or what type of attack is underway.
United States Patent: 10904203 – Augmenting network flow with passive DNS information A method for encoding domain name information into flow records includes receiving a flow record. The flow record includes initial network flow information in a standard flow record format including at least a source address and a destination address. Domain name information associated with each of the source address and destination address is retrieved from a database. The domain name information is encoded into the received flow record while maintaining the initial network flow information to yield an enhanced flow record.
United States Patent: 10798124 – System and method for detecting slowloris-type attacks using server application statistics A system and computer-implemented method to detect a slowloris-type network attack, wherein the method includes receiving data gathered by a server of a network over time, the data received including data about timing of requests from a plurality of clients received by the server, tracking the data about timing of requests over time, determining one or more characteristics about distribution of the data tracked, tracking the one or more characteristics to determine whether there is an increase in time for reading, by the server, a larger portion of requests tracked, identifying a change in the characteristics that indicates the presence of a slowloris-type network attack, and performing an action, in response to the change, to at least one of generate an alert about the slowloris-type network attack, request mitigation of the slowloris-type network attack, and mitigate the slowloris-type network attack.
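The abstract above keys detection on the distribution of request timing as seen by the server, and specifically on a growing share of requests that take the server longer to read, rather than on request volume. The block below is an added example for this listing, not the patent holder's code: it learns a baseline from the 90th percentile of header read times over a few windows, then flags a window when that percentile jumps and a sizeable fraction of requests are slow. The window sizes, factor and fraction are assumptions, and the timings are constructed. A flash crowd with ten times the requests but the same timing does not trip it, which is the distinction the abstract draws.

```python
import math


def percentile(values, q):
    """Nearest-rank percentile; q in (0, 1]."""
    s = sorted(values)
    return s[max(0, math.ceil(q * len(s)) - 1)]


class SlowlorisDetector:
    """Compares each new window's request-read-time distribution against a baseline
    learned from earlier windows, flagging a shift toward slow reads."""

    def __init__(self, baseline_windows=3, factor=5.0, slow_fraction=0.2, q=0.9):
        self.baseline_windows = baseline_windows
        self.factor = factor
        self.slow_fraction = slow_fraction
        self.q = q
        self.baseline = []          # q-th percentile of read time for each learned window

    def add_window(self, read_times):
        """read_times: seconds the server spent reading each request's headers.
        Returns True when the window looks like a slowloris-type attack."""
        p_cur = percentile(read_times, self.q)
        if len(self.baseline) < self.baseline_windows:
            self.baseline.append(p_cur)
            return False
        p_base = max(self.baseline)
        slow = sum(1 for t in read_times if t > self.factor * p_base) / len(read_times)
        attack = p_cur > self.factor * p_base and slow > self.slow_fraction
        if not attack:
            # keep the baseline adaptive, but never learn from a window that was flagged
            self.baseline = (self.baseline + [p_cur])[-self.baseline_windows:]
        return attack


def normal_window(n, offset=0):
    """Constructed: header read times between 20 and 80 ms, deterministically scattered."""
    return [0.02 + 0.06 * (((i + offset) * 7919) % 100) / 100 for i in range(n)]


def attack_window(n_normal=80, n_slow=120):
    """Constructed: ordinary clients plus slowloris connections that trickle headers for 15-25 s."""
    return normal_window(n_normal) + [15.0 + (i % 10) for i in range(n_slow)]


def run_scenario():
    det = SlowlorisDetector()
    verdicts = []
    for w in range(3):
        verdicts.append(det.add_window(normal_window(200, offset=w * 17)))
    verdicts.append(det.add_window(normal_window(2000)))   # flash crowd: 10x load, same timing
    verdicts.append(det.add_window(attack_window()))       # slowloris: same count, slow reads
    return verdicts
```

The "larger portion of requests" test matters: a single slow client on a bad link raises the tail without raising the fraction, so the fraction check keeps one mobile user from being reported as an attack.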
United States Patent: 10771499 – Automatic handling of device group oversubscription using stateless upstream network devices A DDoS attack mitigation system includes a plurality of stateless network devices connected to a network. The system also includes one or more DPI devices connected to the plurality of stateless devices. The system further includes a controller connected to the plurality of stateless devices and connected to the DPI devices. The controller includes logic integrated with and/or executable by a processor. The controller is configured to receive a signal from a first DPI device and analyze the received signal. The controller is further configured to update a network traffic policy to redirect at least some of network traffic destined for the first DPI device to one or more DPI devices different from the first DPI device based on the analyzed signal and to send a signal indicative of the updated network policy to at least some of the plurality of stateless devices.
United States Patent: 10708294 – System and method to select and apply hypothetical mitigation parameters A system and method are provided to select mitigation parameters. The method includes receiving selection of at least one mitigation parameter, accessing a selected portion of stored network traffic or associated summaries that corresponds to a selectable time window, applying a mitigation to the selected portion of the stored network traffic or associated summaries using the selected at least one mitigation parameter, and outputting results of the applied mitigation.
United States Patent: 10701076 – Network management device at network edge for INS intrusion detection based on adjustable blacklisted sources A network agent includes an ingress port in data communication with a network traffic source for receiving network traffic entering a network and an egress port in data communication with the ingress port and a protection device included in the network. The egress port is configured to transmit network traffic received from the ingress port to a network device included in the network. A processing device receives from a protection device included in the network blacklist addresses determined by the protection device to be a threat to the network, and maintains a blacklist that includes the received blacklist addresses. A physical layer device compares the network layer source address of a packet of the network traffic received by the ingress port to the blacklist and forwards the packet to the egress port only if the packet’s source address is not included in the blacklist.
PACKET METADATA CAPTURE IN A SOFTWARE-DEFINED NETWORK /APPLICATION ONLY/ In one embodiment, a switch in a software-defined network receives a packet sent by an endpoint device via the SDN. The switch makes a copy of the packet based on one or more header fields of the packet matching one or more flow table entries of the switch. The switch forms telemetry data for reporting to a traffic analysis service by applying a metadata filter to the copy of the packet. The metadata filter prevents at least a portion of the copy of the packet from inclusion in the telemetry data. The switch sends the formed telemetry data to the traffic analysis service.
Orchestrating the Use of Network Resources in Software Defined Networking Applications /APPLICATION ONLY/ Techniques are presented herein that allow for arranging traffic flows in a network, and using the capabilities for inspection, recording, and enforcement around the network, in a way that makes the best use of the resources. A software defined network /SDN/ interface between the network and security applications exposes a programmatic way to control security resources around the network such that they are optimally utilized. The SDN interface prioritizes and optimizes the use of security elements in the network. Security requests with corresponding priorities are used by a network controller to direct traffic flows through appropriate security elements, such as recording, inspection, or enforcement elements. The configuration of traffic flows is optimized with respect to the capacity of the communication links, as well as the priority of the respective security requests.
United States Patent: 10637885 – DoS detection configuration A method for configuring a network monitoring device is provided. One or more performance metrics associated with one or more thresholds to be configured are received from a user. Historical network traffic flow information associated with a previously detected malicious activity is analyzed to identify characteristic values for the one or more performance metrics. Threshold values are automatically configured based on the identified characteristic values.
United States Patent: 10616071 – Asynchronous analysis of a data stream The invention relates to a method for processing a data stream exchanged between a client and an entity via a telecommunications network, the data stream including a set of data packets, the processing method including the following steps: upon intercepting /201/ a data packet belonging to a data stream–the data stream including a source and a recipient, the client being the source or the recipient of the data stream–copying /204/ the data packet and transferring /205/ the data packet to the recipient; transmitting said copy to a stream analyser capable of analyzing the data stream; receiving /206/ a data stream analysis result from the stream analyser; and processing /207; 208/ the data stream in accordance with the received analysis result.
ORCHESTRATING CONFIGURATION OF A PROGRAMMABLE ACCELERATOR /APPLICATION ONLY/ Technology related to orchestrating a configuration of a programmable accelerator is disclosed. In one example, a method includes executing a service within a container runtime. The service can include a software application and an orchestrator application, where the orchestrator application is adapted to configure a programmable hardware accelerator and the software application adapted to interoperate with the programmable hardware accelerator. The orchestrator application, executing within the container runtime, can be used to retrieve a system image from a file repository. The system image can include configuration data for the programmable hardware accelerator. The orchestrator application, executing within the container runtime, can be used to configure the programmable hardware accelerator.
United States Patent: 10601778 – Visualization of traffic flowing through a host A system, method and computer readable storage medium that analyzes network traffic intercepts data communications occurring between one or more hosts and a preselected target host in a protected network. The intercepted data communication includes a plurality of data packets. The intercepted data communications are analyzed to determine volumetric incoming and outgoing traffic flows for the received data packets. The determined volumetric incoming traffic flow for the received packets is graphically represented by a first region. The determined volumetric outgoing traffic flow for the received packets is graphically represented by a second region. The graphical representation includes a plurality of nodes interconnected by a plurality of links. The plurality of nodes represents the hosts. The plurality of links indicate operational relationship between the preselected target host, the one or more hosts, communication ports and communication services used in the data communications.
Offloading Packet Treatment using Modified Packet Headers in a Distributed Switch System /APPLICATION ONLY/ According to one embodiment, a method comprises an operation of receiving a packet with a packet header indicating that a first treatment is needed to be applied to the packet. The first treatment is applied and the packet header is modified to indicate that the first treatment is no longer needed to be applied to the packet. The packet is forwarded with the modified header.
United States Patent: 10567415 – Visualization of network threat monitoring A method to monitor a network is provided which includes identifying a time associated with detection of each occurrence of the network threats and generating a graphical user interface that includes a display of a time series graph that corresponds to a selected time period and an interactive popup window indicating certain details associated with a user selected network threat.
NETWORK TRAFFIC CLASSIFICATION /APPLICATION ONLY/ In one embodiment, a method for video traffic flow behavioral classification is implemented on a computing device and includes: receiving coarse flow data from a network router, where the coarse flow data includes summary statistics for data flows on the router, classifying the summary statistics to detect video flows from among the data flows, requesting fine flow data from the network router for each of the detected video flows, where the fine flow data includes information on a per packet basis, receiving the fine flow data from the network router, and classifying each of the detected video flows per video service provider in accordance with the information.
Network Telemetry with Byte Distribution and Cryptographic Protocol Data Elements /APPLICATION ONLY/ In one embodiment, a method for classifying an encrypted flow includes receiving a plurality of packets associated with an encrypted flow traversing a network, collecting telemetry data from the flow without decrypting the flow, sending the telemetry data to a backend system for classification, using the telemetry data to classify the flow using a machine learning classifier, creating a classification response, and using the classification response to modify processing of the flow. In another embodiment, a method for classifying an encrypted flow includes receiving a plurality of packets associated with an encrypted flow traversing a network, collecting telemetry data from the first plurality of packets associated with the flow, sending the telemetry data to a backend system for classification, using the telemetry data to classify the flow using a machine learning classifier, and using the output of the classifier to modify processing of the flow.
United States Patent: 10462179 – System and method for scaled management of threat data A method, system, and computer-implemented method to manage threats to a network is provided. The method includes receiving volume threat data that indicates a volume of threat data that needs to be managed by a threat management system having a plurality of threat management devices, determining a volume range from a plurality of volume ranges to which the received volume threat data belongs, determining a number of threat management devices of the plurality of threat devices needed to manage threat traffic associated with the volume range determined, and determining whether the number of threat management devices needed is different than a number of threat management devices currently being used to manage threat traffic. The method further includes selecting automatically threat management devices of the plurality of threat management devices to manage received threat data, in response to a determination that the number is different and based on the number determined, assigning automatically, each packet of the threat traffic to a group, each group corresponding to a threat management device of the selected threat management devices, and directing automatically each packet of the threat traffic to the threat management device that corresponds to the group to which the packet is assigned.
United States Patent: 10462166 – System and method for managing tiered blacklists for mitigating network attacks A method, system, and computer-implemented method to manage blacklists used for mitigating network traffic is provided. The method includes monitoring a first blacklist and a second blacklist, wherein the first blacklist is used by a first mitigation process applied to network traffic that is performed upstream along a communication path of the network traffic relative to a second mitigation process that is performed using the second blacklist. The method further includes moving at least one entry from one of the first and second blacklists to the other of the first and second blacklist based on a result of the monitoring.
NETWORK TELEMETRY COLLECTION WITH PACKET METADATA FILTERING /APPLICATION ONLY/ In one embodiment, a telemetry exporter in a network establishes a tunnel between the telemetry exporter and a traffic analysis service. The telemetry exporter obtains packet copies of a plurality of packets sent between devices via the network. The telemetry exporter forms a set of traffic telemetry data by discarding at least a portion of one or more of the packet copies, based on a filter policy. The telemetry exporter applies compression to the formed set of traffic telemetry data. The telemetry exporter sends, via the tunnel, the compressed set of traffic telemetry data to the traffic analysis service for analysis.
United States Patent: 10459923 – System and method for handling top count queries for arbitrary, selectable intervals relating to a large, streamed data set A system and method are provided for enabling querying of a large data set, including accessing a data structure associated with a metadata parameter and configured to store partial information associated with the data set in a plurality of bins. Each bin, associated with a unique time interval, is configured to store a plurality of entries associated with identified respective members of the metadata parameter that have a detection time included in the bin’s time interval. Each entry has at least one of an updated maximum and minimum possible count value determined using a probabilistic algorithm. The method includes receiving a query having a requested time interval, selecting two or more bins of the data structure that in combination describe the requested time interval, selecting k entries from a combination of the entries in the selected bins based on at least one of an updated maximum and minimum possible count value associated with entries of the selected bins, and determining top-k data, the top-k data including identification of the selected k entries.
NETWORK HOST PROVIDED SECURITY SYSTEM FOR LOCAL NETWORKS /APPLICATION ONLY/ A gateway host connected to a network can be programmed to control packet traffic from other hosts on the network. The gateway host sends spoof packets to one or more of the other hosts, rendering them as controlled hosts. Each controlled host, having received the spoof packets, sends network packets for an intended destination, which are intercepted by the gateway host. The spoof packets have caused reconfiguration of the packet routing by the controlled host, such that network packets are rerouted upon their being sent from the controlled host. The gateway host renders a decision on the network packet traffic.
United States Patent: 10313209 – System and method to sample a large data set of network traffic records A computer-implemented method to sample a large data set of traffic records, including receiving a traffic record associated with a traffic flow from a source of a large data set of traffic records, incrementing a flow counter representing a number of traffic flows received for one address of a pair of addresses identified by a traffic record, adding a traffic size of the traffic flow associated with the received traffic record to a total traffic size of all flows received in previous iterations. If the flow counter is less than a predetermined sampling threshold, then storing a traffic record sample associated with the traffic record. If the flow counter is more than the predetermined sampling threshold, then determining whether or not to sample the received traffic record by applying an exponentially decreasing probability function. Storing the traffic record sample as sampled data associated with the traffic record only if the determination is to sample the received traffic record.
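The abstract describes a per-address flow counter, a fixed sampling threshold below which every record is kept, and an exponentially decreasing acceptance probability above it. The block below is an added example for this listing, not the patent holder's code: it keys the counter on the source address of each record (the abstract allows either address of the pair), uses exp(-(n - threshold) / scale) as the decay (the specific function and its scale are assumptions), and also keeps the running total traffic size the abstract mentions. The random generator is seeded so that the numbers are reproducible; the records are constructed.

```python
import math
import random
from collections import Counter


class FlowRecordSampler:
    """Keeps every flow record for an address until it has produced 'threshold' flows, then
    keeps further records with probability exp(-(n - threshold) / scale), so a scanner or
    a busy server is represented without swamping the sample."""

    def __init__(self, threshold=10, scale=20.0, seed=1):
        self.threshold = threshold
        self.scale = scale
        self.rng = random.Random(seed)   # seeded only so the example is reproducible
        self.flow_counts = Counter()      # flows seen per source address
        self.total_bytes = 0              # total traffic size over every record seen
        self.samples = []

    def offer(self, record):
        """record: dict with src, dst, bytes. Returns True if the record was sampled."""
        self.total_bytes += record["bytes"]
        self.flow_counts[record["src"]] += 1
        n = self.flow_counts[record["src"]]
        if n <= self.threshold:
            keep = True
        else:
            keep = self.rng.random() < math.exp(-(n - self.threshold) / self.scale)
        if keep:
            self.samples.append(record)
        return keep

    def sampled_count(self, src):
        return sum(1 for r in self.samples if r["src"] == src)


def simulate():
    """Constructed records: one scanner-like source emitting 1000 small flows and
    50 quiet sources emitting 5 flows each."""
    sampler = FlowRecordSampler()
    for i in range(1000):
        sampler.offer({"src": "192.0.2.5", "dst": f"10.0.{i % 250}.1", "bytes": 60})
    for j in range(50):
        for _ in range(5):
            sampler.offer({"src": f"203.0.113.{j}", "dst": "10.0.0.80", "bytes": 1500})
    return sampler
```

With threshold 10 and scale 20 the scanner contributes the first ten records plus about twenty more spread over its remaining 990 flows (the expected extra count is the geometric sum of the decay, roughly 19.5), while every quiet source is kept in full; the sample therefore still shows who the heavy talker is, and the retained flow counter still says exactly how heavy.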
NETWORK CONFIGURATION USING SERVICE IDENTIFIER /APPLICATION ONLY/ A network controller may include a monitor and a configuration handler. The monitor may determine a service address and a service identifier. The configuration handler may use the service identifier to obtain a configuration for the service address. The configuration handler may also provide the configuration to a network node.
United States Patent: 10243971 – System and method for retrospective network traffic analysis A method is provided to monitor network traffic, including reserving a portion of a system memory for short-term storage of copied network traffic, wherein the system memory is volatile, receiving copied packets of intercepted network traffic traversing a network, wherein the packets are associated with a plurality of respective traffic streams included in the network traffic, storing the copied packets in the portion of the system memory, maintaining an ordered list per traffic stream of copied packets that are stored, removing copied packets selected, based on their positions in their respective ordered lists, from the portion of the system memory based on a storage constraint, receiving an attack alert identifying a packet that is involved in a network attack, identifying the traffic stream that includes the packet identified, and transferring stored copied packets that are included in the identified traffic stream from the portion of the system memory to a long-term storage device.
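The abstract above describes a volatile short-term buffer of copied packets kept in per-stream order, eviction under a storage constraint, and transfer of a whole stream to long-term storage once an alert names one of its packets. The block below is an added example for this listing, not the patent holder's code: it models the buffer as one deque per stream plus a global arrival order for eviction, with a packet-count budget standing in for the reserved memory region; the flows and packets are constructed.

```python
from collections import defaultdict, deque

FLOW_A = ("10.0.0.1", 40000, "10.0.0.2", 443, "tcp")   # constructed 5-tuples
FLOW_B = ("10.0.0.3", 40001, "10.0.0.2", 443, "tcp")


class RetrospectiveCapture:
    """Short-term buffer of copied packets, ordered per traffic stream, under a global
    budget; an attack alert moves one whole stream to long-term storage."""

    def __init__(self, max_packets):
        self.max_packets = max_packets
        self.streams = defaultdict(deque)   # stream key -> ordered (packet_id, payload)
        self.arrival = deque()              # (key, packet_id) in arrival order, for eviction
        self.stored = 0
        self.long_term = []                 # stand-in for the disk-backed store

    def ingest(self, key, packet_id, payload):
        """key: 5-tuple of the stream; packet_id: increasing per stream (e.g. capture index)."""
        self.streams[key].append((packet_id, payload))
        self.arrival.append((key, packet_id))
        self.stored += 1
        while self.stored > self.max_packets and self._evict_oldest():
            pass

    def _evict_oldest(self):
        """Drop the oldest live packet; skip arrival entries whose packet was already
        transferred. Returns False only if nothing is left to evict."""
        while self.arrival:
            key, pid = self.arrival.popleft()
            q = self.streams.get(key)
            if q and q[0][0] == pid:          # still the head of its stream: live
                q.popleft()
                self.stored -= 1
                return True
        return False

    def on_alert(self, key, packet_id):
        """The alert names a packet; move every buffered packet of its stream to long-term
        storage. Returns the number of packets moved (0 if the packet is no longer held)."""
        q = self.streams.get(key)
        if not q or not any(pid == packet_id for pid, _ in q):
            return 0
        moved = list(q)
        self.long_term.append((key, moved))
        self.stored -= len(moved)
        q.clear()
        return len(moved)

    def buffered(self, key):
        return [pid for pid, _ in self.streams.get(key, ())]


def simulate():
    """Constructed: two flows of four packets each into a six-packet buffer, then an
    alert on the third packet of FLOW_B."""
    cap = RetrospectiveCapture(max_packets=6)
    for i in range(1, 5):
        cap.ingest(FLOW_A, i, b"A%d" % i)
    for i in range(1, 5):
        cap.ingest(FLOW_B, i, b"B%d" % i)
    moved = cap.on_alert(FLOW_B, 3)
    return cap, moved
```

The eviction order is what makes the retrospective part work: the two oldest packets of FLOW_A are gone by the time the alert arrives, but all four packets of the stream the alert names are still in memory and move to disk together, so an analyst sees the whole exchange leading up to the detected packet rather than only the packet itself. The budget therefore has to be sized for the detector's latency, not for average traffic.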
Multi-Access Edge Computing Based Visibility Network /APPLICATION ONLY/ Disclosed herein are system, method, and computer program product embodiments for providing traffic visibility in a network. An embodiment operates by a third-party component in communication with a network component–each located at a network’s edge–maintaining a rule table including a first rule comprising first identifiers and a first action for deriving a first packet characteristic. The third-party component receives a first packet copy including second identifiers from the network component. Upon the second identifiers matching the first identifiers, the third-party component determines the rule table’s second rule includes a second action for deriving a second packet characteristic. Thereafter, the third-party component receives a second packet copy comprising third identifiers from the network component. Upon the third identifiers matching the first identifiers, the third-party component identifies the rule table’s second rule and performs the second rule to derive the second packet characteristic based on the second packet’s data.
United States Patent: 10182071 – Probabilistic tracking of host characteristics A system for mitigating network attacks includes a protected network and one or more attack mitigation devices communicatively coupled to the protected network. The attack mitigation devices are configured to receive a request from a host having an IP address and determine whether the IP address is included in a first probabilistic data structure representing addresses of hosts having failed to authenticate using a first authentication procedure. The attack mitigation devices are also configured to perform the first authentication procedure, responsive to a determination that the IP address of the host is not included in the first data structure. The attack mitigation devices are yet further configured to allow the host to access the protected network, responsive to successful completion of the first authentication procedure and to update the first data structure to include the IP address of the host, responsive to unsuccessful completion of the first authentication procedure.
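The abstract describes checking a requesting host's IP address against a probabilistic data structure of hosts that previously failed an authentication procedure, skipping the procedure for those hosts, and adding new failures to the structure. The block below is an added example for this listing, not the patent holder's code: it uses a Bloom filter for the structure and a callable as a stand-in for the authentication step (the abstract does not say which procedure; a SYN-cookie or HTTP-redirect challenge would fit). The filter size, hash count and the simulated bots are assumptions, and the caveat worth keeping in mind is built in: a Bloom filter never misses a recorded failure, but it can collide, so a legitimate host may occasionally be dropped, and since entries cannot be deleted the filter is expired by rotation.

```python
import hashlib
from collections import Counter


class BloomFilter:
    """Fixed-size bit array with k hash positions per item. Membership never misses an
    inserted item but can report a false positive for one never inserted."""

    def __init__(self, m_bits=1 << 20, k=4):
        self.m = m_bits
        self.k = k
        self.bits = bytearray(m_bits // 8)

    def _positions(self, item):
        for i in range(self.k):
            h = hashlib.sha256(f"{i}:{item}".encode()).digest()
            yield int.from_bytes(h[:8], "big") % self.m

    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item):
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


class AttackMitigationDevice:
    """Front door to the protected network. 'authenticate' stands in for the patent's
    first authentication procedure and returns True for a host that completes it."""

    def __init__(self, authenticate, filter_bits=1 << 20):
        self.authenticate = authenticate
        self.failed = BloomFilter(filter_bits)
        self.challenges_issued = 0

    def handle_request(self, ip):
        if ip in self.failed:
            return "dropped"        # known (or colliding) failed host: no challenge, no state
        self.challenges_issued += 1
        if self.authenticate(ip):
            return "allowed"
        self.failed.add(ip)
        return "denied"

    def rotate(self):
        """Bloom filters cannot delete, so expiry of old failures is done by replacing
        the filter on a schedule."""
        self.failed = BloomFilter(self.failed.m)


def simulate():
    """Constructed: 1000 bot addresses that never answer the challenge, each seen twice,
    then one legitimate client. Returns per-pass verdict counts and challenges issued."""
    bots = [f"10.{i >> 8}.{i & 255}.7" for i in range(1000)]
    dev = AttackMitigationDevice(authenticate=lambda ip: not ip.startswith("10."))
    first = Counter(dev.handle_request(ip) for ip in bots)
    second = Counter(dev.handle_request(ip) for ip in bots)
    legit = dev.handle_request("192.0.2.10")
    return {"first_pass": first, "second_pass": second,
            "legit": legit, "challenges": dev.challenges_issued}
```

Sizing is the practical decision: for n expected failed hosts and a target false-positive rate p, the filter needs about m = -n ln p / (ln 2)^2 bits with k = (m/n) ln 2 hashes. The 2^20 bits used here is generous for a thousand bots; at the million-host scale the abstract is aimed at, the same formula gives a few megabytes for a 0.1 % collision rate, which is the memory saving over keeping a per-address table that the structure is chosen for.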
Monitoring Network Traffic /APPLICATION ONLY/ An example of a computing system is described herein. The computing system includes a network switch configured to direct network traffic. The computing system also includes a network device to receive the network traffic. The computing system further includes a controller coupled to the network switch. The controller is to monitor network traffic in the network switch and generate a policy to instruct the network switch in selecting a portion of the network traffic to direct to the network device.
United States Patent: 10142360 – System and method for iteratively updating network attack mitigation countermeasures A system and computer-implemented method for mitigating a malicious network attack. The method includes receiving an attack alert that a network attack has been detected, saving a sample of captured network traffic in response to the attack alert, playing back the sample while applying a playback countermeasure to the captured network traffic to block sample segments from the sample, analyzing at least one of the blocked sample segments and throughput sample segments that are not blocked, and adjusting the playback countermeasure in response to a result of the analyzing.
United States Patent: 10122571 – Autoclassification of network interfaces based on name A network management system is provided in which a processing device coupled to a network performs operations to identify an interface in accordance with a rule and associate the identified interface with a category in accordance with the rule. The interface is coupled between a managed device and the network. The rule is based on a name associated with the interface, wherein the name indicates semantic information about data transmitted via the interface. Upon detection of transmission of data via the interface, the processor further performs operations to determine an action associated with the category and apply the action to the data.
METHODS AND SYSTEMS FOR DETECTING SUSPECTED DATA LEAKAGE USING TRAFFIC SAMPLES (APPLICATION ONLY) Methods and systems for detecting suspected data leakage in a network that includes a plurality of networked devices are described herein. A packet is received from a networked device of the plurality of networked devices. It is determined that the packet includes sampled traffic data. The sampled traffic data includes a sample of a packet constituting network traffic through the networked device, and the sample includes payload data from the packet constituting network traffic. The payload data of the sampled traffic data is analyzed. It is determined whether sensitive data is detected in the payload data of the sampled traffic data.
United States Patent: 10116692 – Scalable DDoS protection of SSL-encrypted services A system for mitigating network attacks within encrypted network traffic is provided. The system includes a protected network including a plurality of devices. The system further includes attack mitigation devices communicatively coupled to the protected network and to a cloud platform. The attack mitigation devices are configured and operable to decrypt the encrypted traffic received from the cloud platform and destined to the protected network to form a plurality of decrypted network packets and analyze the plurality of decrypted network packets to detect attacks. The attack mitigation devices are further configured to generate, in response to detecting the attacks, attack signatures corresponding to the detected attacks and configured to send the generated attack signatures to attack mitigation services provided in the cloud platform. The attack mitigation services are configured and operable to drop encrypted network traffic matching the attack signatures received from the attack mitigation devices.
METHOD, SYSTEM AND APPARATUS FOR NETWORK POWER MANAGEMENT (APPLICATION ONLY) A method for receiving Internet Protocol (IP) traffic data corresponding to one or more network devices, analyzing the IP traffic data and dynamically generating a power management policy based on the analysis.
WildPackets Releases AiroPeek Wireless Packet Analyzer v1.0 Preliminary release fulfills promise to ship a comprehensive, affordable wireless network analysis solution by year’s end.
WildPackets Introduction at NFD6 with Tim McCreery Recorded at Networking Field Day 6 on September 12, 2013. For more information, visit http://TechFieldDay.com/event/nfd6 or http://WildPackets.com
Using AiroPeek and AiroPeek NX in an 802.1x or LEAP Environment
WildPackets – Expert Protocol Analyzer Tools, Network Troubleshooting Tools
WildPackets – AiroPeek Knowledge Base
WildPackets – AiroPeek – tool for wireless network analysis and management-Wireless Protocol Analyzer
White Paper: Continuous Endpoint Threat Detection and Response in a Point-in-Time World Sourcefire is not a newcomer to security innovation nor have we been sitting idly by while attackers have continued to innovate. In fact, as early as 2003 we had a vision for what would be required to combat advanced threats and pioneered the concept of continuous network discovery which became foundational to Next-Generation IPS. Today, targeted, advanced malware and sophisticated attacks are relentless as they compromise environments using new and stealthy techniques. Once again, Sourcefire is changing the way we must think about security, building on our continuous capability and introducing a new model for the way we need to combat these attacks.
What’s New in EcoSCOPE 4.1
What is Next Generation Firewall (NGFW) | Check Point Software A next generation firewall (NGFW) provides capabilities beyond that of a stateful network firewall, technology that was first pioneered in 1994 by Check Point Software Technologies. A stateful firewall is a network security device that filters incoming and outgoing network traffic based upon Internet Protocol (IP) port and IP addresses. By intelligently inspecting the payload of some packets, new connection requests can be associated with existing legitimate connections. A next generation firewall adds additional features such as application control, integrated intrusion prevention (IPS) and often more advanced threat prevention capabilities like sandboxing.
What is L4-L7 Network Services? Definition and Related FAQs | Avi Networks
What Is DPI SSL – Deep Packet Inspection of Secure Socket Layer (DPI-SSL) – YouTube Cyber-criminals are constantly looking for any vulnerability to exploit in order to introduce potentially catastrophic threats into business networks. Now there’s an avenue that they’re actively pursuing, and with good reason: Encryption.
What is Application Traffic Management? | Avi Networks
WHAM Scenarios
Web Measurement Market Overview
Wayback Machine During their digital transformation process, many IT organizations still struggle with traditional networking methods and security approaches. By successfully addressing these challenges in thousands of real-world implementations, VMware NSX has established itself as the leading network virtualization platform, revolutionizing the way data center networks are designed and operated. In this book, data center expert and author Gustavo A. A. Santana thoroughly examines the specific circumstances that created such challenges and explains how VMware NSX overcomes them. This context will help those who want to:
Wayback Machine Xirrus is the leading provider of high-performance wireless networks. Proven with over 4,000 customers worldwide, Xirrus’ Array-based solutions perform under the most demanding circumstances with wired-like reliability and superior security.
Wayback Machine
Wayback Machine
VSS Monitoring Launches VSS Information Assurance Suite Introduces Protector Series Load Balancer for Inline Network Security Tools, and ObjectFinder Real-Time Packet Inspection Platform BURLINGAME, Calif. – Monday, March 1, 2010 – VSS Monitoring, Inc. today introduced Protector Series™, a session-aware load balancer and speed converter for inline network security tools such as intrusion prevention systems (IPSs) and Web filter devices, and ObjectFinder™, a specialized real-time deep packet inspection (DPI) and filtering platform for network surveillance. Source: http://www.vssmonitoring.com/corporate/news.asp?news=VSS-Monitoring-Launches-Real-time-DPI-Platform
VSS Monitoring – 160+ Network Taps for Greater Network Monitoring Visibility & ROI
Vpn deep packet inspection
VMware NSX for vSphere 6.4: Eases Operations & Improves App Security
VMware NSX Advanced Firewall for VMware Cloud on AWS | ASEAN
Visualization tool for real-time network risk assessment
VISIBILITY AND OPTIMIZATION FOR NETWORKED TRAFFIC Blue Coat PacketShaper is a cloud-connected network management appliance that combines on-box application discovery with web content and web threat visibility powered by Blue Coat WebPulse™. PacketShaper lets you measure network application performance, categorize and manage web traffic based on its content, guarantee quality-of-service (QoS) for preferred applications and content, and contain the impact of undesirable traffic.
Virtual Service Sideband Profile Starting with Avi Vantage 16.4.4, for compliance and auditing purposes, where deep inspection of traffic is required, incoming HTTP(S) traffic can be replicated to logging/sideband servers at the protocol level. An example could be a web application firewall (WAF) appliance monitoring HTTP payloads for any anomalies. Additionally, for compliance and auditing purposes, deep inspection of the traffic is required.
Vineyard Networks Corporate Overview Vineyard Networks, located in the heart of the Okanagan Valley in British Columbia, Canada, was founded in 2008 to bring application intelligence – classification and reporting – to existing network equipment and services. The management team and senior developers are all seasoned veterans of application intelligence technology and continue to add to the team of hard working professionals dedicated to advancing application classification. Since its inception, Vineyard has enabled more than 30 technology partners to power over 120,000 appliances worldwide with application intelligence technology.
Vineyard Networks announces support for OCTEON III and TurboDPI from Cavium Vineyard Networks, a global leader in Next Generation Deep Packet Inspection solutions, today announced its product support for the new state-of-the-art OCTEON® III MIPS64® family of 1 – 48 core multicore processors, as well as its product integration into the TurboDPI™ framework, both from Cavium, Inc. (NASDAQ: CAVM), a leading provider of semiconductor products that enable intelligent processing for networking and communications.
Vineyard Networks and Netronome release 40Gbps DPI offering for Next-Generation Networking Applications Vineyard Networks and Netronome announced today a strategic partnership to provide a 40Gbps OEM Deep Packet Inspection (DPI) solution for vendors building next-generation, application-aware networking applications. The solution combines Vineyard’s Network Application Visibility Library (NAVL) DPI engine and Netronome’s Network Flow Processors to offer advanced networking functionality, high-performance flow processing, application recognition and metadata extraction at line-rate 40Gbps speeds, with a follow-on platform capable of performing DPI at 100Gbps.
Vineyard Networks :: Specifications
Vineyard Networks :: Features Industry Leading Next-Generation DPI Engine Vineyard Networks’ Network Application Visibility Library (NAVL) is a next-generation Deep Packet Inspection (DPI) software engine that provides real-time, Layer-7 classification of network traffic. NAVL uses a combination of deep packet and deep flow inspection techniques to accurately identify today’s most common applications including Mobile, Social Networking, P2P, Instant Messaging, File Sharing, Enterprise and Web 2.0 applications.
Video quality monitoring
Vedicis unveils its new software platform for end-to-end Policy Control & Charging solutions Paris, 27th September 2011 – Vedicis, the leading software editor in broadband DPI and Policy Enforcement solutions, announces today the release of its new Open Traffic Management Software platform. Built upon its DPI-PCEF solution, this new platform is designed for vendors and telecom system integrators who intend to propose a full end-to-end Policy Control & Charging solution to Mobile and Fixed operators.
Vedicis DPI-PCEF As voice revenue plummets and investments in fiber and LTE access technologies continue, Communication Service Providers need to accelerate IP monetization with new data services. Launching differentiated packages requires analyzing and segmenting subscribers’ behaviors, then controlling and charging data traffic based on application criteria. These capabilities, specified in the PCEF (Policy and Charging Enforcement Function) by the 3GPP standard, are however not included, or not efficient enough, in packet gateways (GGSN, PDN-GW or BRAS). Vedicis DPI-PCEF provides a cost-efficient and access-agnostic way to generate new revenues, without impacting mobile and fixed core networks.
Vedicis Case Study – Wireless Access Gateway (WAG) solution for Tier 1 Mobile operator Vedicis provides its software Wireless Access Gateway (WAG) to a tier 1 Mobile Network Operator in India. Managing access to the Internet from the Wifi network, the Vedicis solution enables the operator to extend network coverage and to provide new data services to subscribers.
Vedicis – Products – Technology highlights
Vedicis – Products – Content Smart Switch
VantagePoint Internet Services – Active Monitoring Concepts Guide HP OpenView VantagePoint Internet Services (VP-IS) allows you to monitor a customer’s Internet and network services in an organized way. Once installed and configured, VP-IS measures the availability, response time, setup time, and throughput of specific Internet/network activity. With the data it receives, it can generate alarms and make them available to HP OpenView Network Node Manager, VantagePoint for Windows and IT/Operations (also known as VantagePoint Operations) and produce management-ready reports. These alerts and regular information updates keep you informed as to whether or not a customer’s Internet and network services are performing efficiently.
UTM / Firewall / VPN – First Line of Defence – SonicWALL, Inc. Malicious attacks can penetrate stateful packet inspection firewalls. Securing today’s networks demands Unified Threat Management (UTM). SonicWALL’s family of network security appliances combines robust UTM security services with high-speed deep packet inspection to provide small, mid-size and enterprise-class organisations the best protection possible. SonicWALL® TZ, PRO, NSA and E-Class NSA appliances are engineered to reduce cost, risk and complexity by integrating automated and dynamic security capabilities for comprehensive protection and maximum performance.
Using URL reputation data to selectively block cookies
Using the Service Control Engine and Deep Packet Inspection in the Data Center – Cisco Using the Service Control Engine and Deep Packet Inspection in the Data Center. Contents: Introduction; Service Control Solution Overview; Service Control Engine Insertion Strategies; Port Mirror; Inline; Multi-Gigabit Service Control Point; Basics of Dispatch Operation; MGSCP Options; MGSCP Layer 2 Dispatch Mode; MGSCP Layer 2/Layer 3 Dispatch Mode; MGSCP Layer 3 Dispatch Mode; N+1 Redundancy; SCE Management and Policy Creation; Deploying a New SCE; Changing a Policy; Updating Signatures; Reports; Appendix A – SCE and PISA. Introduction: Deep packet inspection (DPI) provides the ability to look into the packet past the basic header information. DPI intelligently determines the contents of a particular packet, and then either records that information for statistical purposes or performs an action on the packet. Applications enabled by DPI include the following: traffic management, or the ability to control end-user applications such as peer-to-peer applications; security, resource, and admission control; policy enforcement and service enhancements such as personalization of content or content filtering. Benefits include increased visibility into the network traffic, which enables network operators to understand usage patterns and to correlate network performance information, along with providing usage-based billing or even acceptable-usage monitoring. DPI can also reduce the overall costs on the network by reducing operational expenses (OpEx) and capital expenses (CapEx), by providing a more thorough understanding of what is happening with the network, and by providing the ability to direct traffic or to prioritize traffic more intelligently. Cisco currently has two hardware-based solutions for achieving this DPI functionality: the Cisco Service Control Engine (SCE) product line, and the newly introduced PISA hardware for the Cisco 6500/7600 Supervisor 32. This document provides basic configuration and performance information with regard to the SCE product family as well as providing comparisons between the SCE and PISA products. PDF Copyright 2007.
Using Flows for Analysis and Measurement of Internet Traffic, Diploma Thesis, Institute of Communication Networks and Computer Engineering (IND) of the University of Stuttgart The rapid growth of the Internet and the growing demand for network-intensive multimedia applications during the last years has created new problems for network managers. Larger and faster TCP/IP networks need to be handled in an efficient way. Tools have to be developed that allow the analysis and measurement of traffic at high line speeds in order to provide information needed for network configuration and planning, to resolve congestion problems and for user accounting and charging. This report gives an overview of web based network management solutions. The traffic flow based methodology [15] is introduced as a means to analyze and monitor traffic. Measurement applications employing flow methodologies are compared. Finally, a Java based Internet traffic flow analyser is presented. This analyzer communicates via SNMP with applications that use the IETF real-time traffic flow measurement architecture [4,5,27]. The tool allows network managers to obtain flow-based network status information in real-time using a standard web browser. Please note that the focus of this work is not to be seen on flow methodology and traffic characterization itself. Its aim merely is to give an overview over existing methodologies and to examine the possibilities to integrate these techniques into the Web environment using Java.
Using Avi As A Universal Monitoring Platform – AVI Technical Reference (v16.3) Monitoring tools are indispensable for daily NOC operations. Gaining visibility into packet flows can reduce the mean time to innocence for a given network problem and help the network admin make educated decisions to design their network better. Similarly, application-level monitoring helps developers debug and design their applications. With the advent of virtualization and use of a self-service model in Infrastructure as a Service (IaaS) and Platform as a Service (PaaS), the infrastructure access and responsibilities of network and application administrators have started to overlap. This calls for a unified product which can provide analytics and metrics across L3 to L7 of the OSI model. The natural place to achieve this is the application delivery controller (ADC) or load balancer, as it is an essential component of the networking fabric and has access to all application-related traffic without the need to deploy agents in the network or add monitoring software to application code. Avi Vantage leverages this to provide out-of-the-box, enterprise-grade analytics and metrics. In addition, it supports ways to export the data or stream the logs to trusted, widely used third-party monitoring tools. This article explores various features of Avi Vantage which make it a universal monitoring tool.
Using Avi As A Universal Monitoring Platform Monitoring tools are indispensable for daily NOC operations. Gaining visibility into packet flows can reduce the mean time to innocence for a given network problem and help the network admin make educated decisions to design their network better. Similarly, application-level monitoring helps developers debug and design their applications. With the advent of virtualization and use of a self-service model in Infrastructure as a Service (IaaS) and Platform as a Service (PaaS), the infrastructure access and responsibilities of network and application administrators have started to overlap. This calls for a unified product which can provide analytics and metrics across L3 to L7 of the OSI model. The natural place to achieve this is the application delivery controller (ADC) or load balancer, as it is an essential component of the networking fabric and has access to all application-related traffic without the need to deploy agents in the network or add monitoring software to application code. Avi Vantage leverages this to provide out-of-the-box, enterprise-grade analytics and metrics. In addition, it supports ways to export the data or stream the logs to trusted, widely used third-party monitoring tools. This article explores various features of Avi Vantage which make it a universal monitoring tool.
In-band quality-of-service signaling to endpoints that enforce traffic policies at traffic sources using policy messages piggybacked onto DiffServ bits IP packets are scheduled at source devices such as cell phones on a private network that connect to the Internet at an edge device. A private traffic controller by the edge device detects pre-Internet congestion on the private network. The private traffic controller uses in-band piggybacked signaling of policy changes by intercepting return packets to the source devices and modifying bits such as DSCP bits in the header. Source traffic controllers in the source devices read the modified DSCP bits and implement specified policy changes, dropping or delaying packets at the source device before transmission. Congestion on RF links from cell phones is reduced by the source traffic controllers dropping packets before transmission. The source device limits or drops future packets in response to the policies signaled by the DSCP bits. Rather than indicate the existing packet’s priority, private DSCP bits signal policy changes to the source device.
User’s Guide Chapter 7.5. Packet Reassembling
User’s Guide Chapter 6.6. Finding packets
User’s Guide Chapter 6.2. Filtering packets while viewing
User’s Guide Chapter 6. Working with captured packets
University of Saskatchewan uses IBM QRadar to Manage Log, Compliance, & Threats – YouTube The University of Saskatchewan was facing security de-perimeterization challenges and had to re-think how they secured their IT environment. Watch this video and learn how IBM Security QRadar SIEM is being used to move to a more data intensive security model, and make log information from many data sources
Unified Threat Management
Unified network traffic monitoring for physical and VMware environments- White Paper Applications and servers hosted in a virtual environment have the same network monitoring requirements as applications and servers in a physical environment. For organizational and technical reasons, virtual and physical networks are often monitored independently, making it difficult for network administrators to have a single view of overall network activity. This white paper outlines an approach, based on monitoring network traffic, that delivers a unified view of network activity across virtual and physical components of the network.
Two-stage intrusion detection system for high-speed packet processing using …
Troubleshooting with Network Application Analyzers-About Compuware’s EcoSCOPE product
TRITON: The First ICS Cyber Attack on Safety Instrument Systems Understanding the Malware, Its Communications and Its OT Payload In December 2017 it was reported that a Middle Eastern oil and gas petrochemical facility [1] had undergone a safety system shutdown as the result of a malware attack. The malware, named TRITON (also known as TRISIS or HatMan), went beyond other industrial cyber attacks by directly interacting with a Safety Instrumented System (SIS). SIS are the last line of automated safety defense for industrial facilities, designed to prevent equipment failure and catastrophic incidents such as explosions or fire. Based on the significance of this industrial cyber attack, it warranted an in-depth analysis. We were determined to understand the TRITON malware itself, as well as the resources it took to create it. We also sought to gain insights that would help industrial operators defend their control systems from such attacks in the future. Our challenge was to learn how to turn an undocumented device – the Triconex controller from Schneider Electric, which was the target of the attack – into malicious code. To do so we first focused on obtaining the TRITON engineering toolset. We combined Internet sleuthing with asking the right people the right questions, to obtain the information we needed. Our next hurdle was obtaining the Triconex controller. Employing a variety of global ecommerce websites, we purchased the components needed and assembled them into a working environment. We were unable to find one key component – the marshalling cables – but we overcame that problem by using brute force to directly connect two panels. Now that we had a working system, we proceeded to reverse engineer the TriStation suite of software used on the engineering workstation that communicates with the SIS controller. That activity, combined with malware analysis, allowed us to deeply dissect the TriStation proprietary communication protocol used by the Triconex controller.
Trend Micro™ Deep Security Fuels Virtualization Initiative As a global company, Trend Micro’s virtualization initiative was originally targeted at improving manageability and data center cost efficiencies. At the same time the technology team was challenged to leverage virtualization to provide users with a secure, improved experience when accessing vital enterprise applications and cloud services. The company’s cloud services related to the Trend Micro™ Smart Protection Network™ infrastructure were also highly dependent on securing a virtualized infrastructure.
Trend Micro™ Deep Discovery and IBM® Security QRadar SIEM – Solutions Brief Highly targeted attacks and advanced persistent threats (APTs) are stealthier and more sophisticated than ever, using deceptive social engineering techniques to quietly penetrate your network and deploy customized malware that can live undetected for months. Once they’ve established command and control (C&C) communications, cybercriminals can covertly steal your valuable information—from credit card data to the more lucrative intellectual property or government secrets.
Trend Micro Deep Security for VMware Mobile Secure Desktops Trend Micro Optimizes and Secures the VMware View Mobile Secure Desktop Across Devices and Locations Today’s employees are increasingly transient and consumer products such as laptops, desktops, tablets, and smartphones are driving user expectations at home and in the office. This consumerization of IT is forcing many IT departments to scramble to balance consumer trends and needs with IT requirements to protect corporate assets.
Transforming Network Capacity Planning from an Art to a Science
Traffic Replication Options with Avi Vantage – AVI Technical Reference (v17.1) Sideband Profile Operation It is application-layer (L7) replication of client requests. The SE establishes TCP connections with the sideband servers before sending the client HTTP request. The SE expects an HTTP response in return, but the response status is ignored.
Traffic Replication Options With Avi Vantage Avi Vantage provides two means to replicate application traffic: Sideband Profile and Traffic Cloning. This article compares the two seemingly similar traffic replication methods, to help users make an educated choice according to their use case.
Traffic Classification Using a Statistical Approach Accurate traffic classification is the keystone of numerous network activities. Our work capitalises on hand-classified network data, used as input to a supervised Bayes estimator. We illustrate the high level of accuracy achieved with a supervised Naïve Bayes estimator; with the simplest estimator we are able to achieve better than 83% accuracy on both a per-byte and a per-packet basis.
Traffic Analyzer Data Sheet
Traffic analysis | NetFort Technologies
Toward the Accurate Identification of Network Applications Well-known port numbers can no longer be used to reliably identify network applications. There is a variety of new Internet applications that either do not use well-known port numbers or use other protocols, such as HTTP, as wrappers in order to go through firewalls without being blocked. One consequence of this is that a simple inspection of the port numbers used by flows may lead to the inaccurate classification of network traffic. In this work, we look at these inaccuracies in detail. Using a full payload packet trace collected from an Internet site we attempt to identify the types of errors that may result from port-based classification and quantify them for the specific trace under study. To address this question we devise a classification methodology that relies on the full packet payload. We describe the building blocks of this methodology and elaborate on the complications that arise in that context. A classification technique approaching 100% accuracy proves to be a labor-intensive process that needs to test flow-characteristics against multiple classification criteria in order to gain sufficient confidence in the nature of the causal application. Nevertheless, the benefits gained from a content-based classification approach are evident. We are capable of accurately classifying what would be otherwise classified as unknown as well as identifying traffic flows that could otherwise be classified incorrectly. Our work opens up multiple research issues that we intend to address in future work.
Tool port throttling at a network visibility node
TippingPoint™ X505 Data Sheet Building Intelligence Into The Network The TippingPoint X505 is the first integrated security platform based on the award-winning TippingPoint Intrusion Prevention System architecture with the extended functionality of virtual private network (VPN) and firewall, bandwidth management, quality of service and Web content filtering.
The VMware NSX Network Virtualization Platform VMware’s Software Defined Data Center (SDDC) vision leverages core data center virtualization technologies to transform data center economics and business agility through automation and non-disruptive deployment that embraces and extends existing compute, network and storage infrastructure investments. Enterprise data centers are already realizing the tremendous benefits of server and storage virtualization solutions to consolidate and repurpose infrastructure resources, reduce operational complexity and dynamically align and scale their application infrastructure in response to business priorities. However, the data center network has not kept pace and remains rigid, complex, proprietary and closed to innovation – a barrier to realizing the full potential of virtualization and the SDDC.
TippingPoint x505 Testimonials
Tippingpoint x505 achieves ICSA labs’ firewall and VPN certifications
TippingPoint Intrusion Prevention System The Platform For Unrivaled Security and Performance Protection has never been more powerful. TippingPoint is the industry’s leading Intrusion Prevention System (IPS), unrivaled in security, performance, high availability and ease-of-use. As the only Intrusion Prevention System to receive the NSS Gold Award and Common Criteria certification, among many other awards, TippingPoint is the defining benchmark for network-based intrusion prevention.
Three tiers of saas providers for deploying compute and network infrastructure …
Threat Intelligence: BD Releases Advisory on Microsoft’s Zerologon Vulnerability
Threat disposition analysis and modeling using supervised machine learning
The Purview™ Solution– Integration With Splunk Integrating Application Management and Business Analytics With Other IT Management Systems A SOLUTION WHITE PAPER Purview is a network powered application analytics and optimization solution that captures and analyzes context-based application traffic to deliver meaningful intelligence – about applications, users, locations and devices. It is the Industry’s very first and only – patent pending – solution to transform the Network into a Strategic Business Asset – by enabling the mining of network-based business events and strategic information that help business leaders make faster and more effective decisions. It does this all from a centralized command control center that combines Network Management with Business Analytics, and at unprecedented scale (100M sessions) and scope. Enterprise mobility is more than the mobile device – mobility and agility across the entire enterprise requires access to data from any device, which has resulted in a change of the application landscape by moving away from installing and maintaining traditional applications, to private and public Cloud-based delivery models, such as SalesForce.com, Google Apps and many more. Millions of new applications have been developed to support new work efficiencies, with new “apps” showing up every day; some become business-critical the next day while others may have no real value. Additionally, mobile users demand immediate access to all of their social media apps. Social, mobile, Cloud and Big Data is everywhere. To maximize the user experience IT must make sure that applications can be seamlessly delivered from the Cloud – private or public—to those users and devices that require them to perform their jobs.
The Perils of Deep Packet Inspection | Symantec Connect
The new face of packet analysis: Continuous capture and expert data mining with the nGenius® Flow Recorder Enterprise networks – the essential underpinnings of today’s most competitive corporations and productivity-conscious government agencies. On them, a myriad of technologies run a host of business-critical and revenue-generating applications, which require optimum availability and performance. The increased network complexity brought about by the merger of technologies and applications has led to service degradations that are subtle and difficult to pinpoint. You cannot afford to spend time manually recreating a problem or waiting for it to recur, as was done in the past – business operations require uninterrupted, optimal application performance. The nGenius® Flow Recorder continuously captures and records traffic streams on critical network links, letting you quickly assess the exact circumstances surrounding a performance event, resolve it, and ensure that the organization is not impacted a second time.
the nature of the beast: recent traffic measurements from an Internet backbone As described in last year’s Inet ’97 paper [1], MCI has implemented a high-performance, low-cost monitoring system that can monitor Internet traffic (cell/packet headers) and perform analyses, and deployed them on OC-3 trunks within iMCI’s backbone and also within the NSF-sponsored vBNS (very High performance Backbone Service). This publicly-available tool facilitates measurement and analysis of high-speed OC-3, and now OC-12, trunks that carry hundreds of thousands of simultaneous flows. As a follow up to last year’s paper, we provide some new data analyses as well as comparisons with last year’s data that may suggest trends in changing workload profiles. All the data in this paper is based on recent wide-area MCI Internet backbone traffic as recorded by the Coral monitors.
The Importance of Network Application Classification Today’s network resources are shared by thousands of users operating thousands of different applications. In order to properly secure and manage a network, visibility is needed into who the users are and what applications they are using on the network. Traditionally, network management and security were based on classification at the lower layers of the network by IP address (to determine users) and by port (to determine applications). This was a fairly reliable method because users typically had static IP addresses and applications used well-defined ports. The modern network is very different. Factors such as ease of development, reliability, and performance have caused a significant number of network applications to migrate to common ports and protocols, specifically HTTP (on port 80) and HTTPS (on port 443). More than 95% of all applications use these ports. The growing mobile user presence and the increased complexity of network environments means that users typically pick up IP addresses dynamically. For this reason, a user could have several different IP addresses during a single work period. This evolution of the network therefore makes it nearly impossible to monitor, secure, and manage a network solely by IP address and port.
The Ethereal Network Analyzer Web Home Page Ethereal is a free network protocol analyzer for Unix and Windows. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, viewing summary and detail information for each packet. Ethereal has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session. Open source.
The Ethereal Network Analyzer Web Home Page Ethereal is a network protocol analyzer for Unix. It allows you to examine data from a live network, or from a capture file on disk. Open Source.
The Case for Deep Packet Inspection
The Advantages of Multi-Core UTM Network communications no longer just rely on store-and-forward applications like e-mail. It has now grown to include real-time collaboration tools, Web 2.0 applications, instant messenger (IM) and peer-to-peer applications, Voice over IP (VoIP), streaming media and telepresence conferencing. Any one of these applications can open your network to potential attack.
Telcordia Technologies Project Felix—Home Page The objective of this project is to develop a prototype monitoring infrastructure to provide information on a consistent basis about the health of large networks, without requiring prior knowledge of network topology or routing information. Network monitoring devices gather data on network performance by observing the loss, delay and throughput characteristics of packets sent from other monitors. Monitors keep databases of network measurements, and computational engines can operate on this data to realize a model of the network topology and the performance of each network element. This topology and performance knowledge can be used to facilitate automatic detection of network faults and anomalous behavior. The project consists of 6 main components or tasks as follows: 1) The network stations, which are general-purpose computers. The current implementation uses a UNIX workstation. The monitor software is expected to be easily portable between platforms. 2) The Monitor Data Exchange Protocol (MDEP), which the monitors use to measure the network and to transfer data among themselves. 3) The performance database. This contains measurements recorded by each monitor, but also allows combination of data from many monitors for computation of topology and network health displays. 4) The web-based Graphical User Interface (GUI). This allows a user to query Felix monitor databases, compile statistics on network measurements, invoke the LDA engine and display results showing the network health. The user (with security access) can also control the data gathering policy of the monitors. 5) The Linear Decomposition Algorithms (LDA) for topology discovery and performance evaluation of specific network elements. This is clearly the most significant and challenging part of the project. Our approach is to develop initial LD algorithms that can accurately determine simple topologies, and then evolve them to much more complex methods, with an assessment of the capabilities and limitations in each case. The careful analysis of data measured from real networks will inform the composition of these algorithms. 6) Deployment of monitors within first geographically limited, and then more significant portions of the domestic U.S. Internet.
Tektronix: Products > Network Diagnostics – Spectra: Introduction FEATURES & BENEFITS Monitor and Test SS7 and ISDN signaling networks Conformance testing for: Sigtran, HSL, ISUP, GSM, TCAP, Conformance, Validation and Regression Testing (CVR) Network Element Emulation SSP, STP, HLR, VLR, SG, ASP Complete Support for Standard Protocols and Signaling Interfaces One box for all your testing needs PCI processing cards for increased link and traffic capacity Scalable architecture for multi-protocol analysis Over 2,400 PSTN protocol conformance test cases Reduce lab equipment cost with network element simulation (STPs, SCPs, HLRs)
Technology Partner Case Study | Sophos Sophos is one of the best known names in security and data protection with more than 100 million users in 150 countries. The Astaro Network Security division of Sophos delivers the Astaro Security Gateway, a full network security platform which includes web, wireless, email, and web server protection.
Technology Partner Case Study | Emulex Emulex, the leader in network connectivity, monitoring and management, provides hardware and software solutions that enable unrivaled end-to-end application visibility, optimization and acceleration for global networks that support enterprise, cloud, government and telecommunications. Emulex’s monitoring and management solutions, including its portfolio of Endace network visibility and recording products, help organizations investigate and respond to security events quickly and efficiently by connecting analysts directly to the network history that they need to make rapid and informed decisions.
Technical Guide Enterprise Deployment Topologies for Packeteer’s PacketSeeker and PacketShaper
Target-Based TCP Stream Reassembly The open source IDS/IPS Snort has begun to implement target-based analysis with the stream5 and frag3 preprocessors. Stream5 is able to reassemble overlapping TCP segments using the same policy as the destination host. A user configures Snort to apply specific TCP reassembly policies for individual hosts or networks. Then, when Snort sees overlapping TCP segments bound for any of these hosts, it knows the appropriate reassembly policy to apply—allowing both Snort and the destination host to reassemble the segments identically. This successfully precludes evasion attacks that use overlapping TCP segments. This paper discusses TCP overlapping segment attacks, a model for identifying TCP reassembly policies, and a method and code used to determine a given host’s TCP reassembly policy.
Tap Aggregation, Regeneration and Filtering to enable Deep Packet Inspection (DPI) in Carrier IP Networks The weapon of choice for service-oriented network monitoring is Deep Packet Inspection (DPI). Typically, DPI is performed by high-performance software solutions that run on standard server hardware platforms, enabling providers to identify, classify or even selectively block IP traffic. DPI is used to detect and protect against security threats and network anomalies, and facilitate wiretapping and reconstruction of relevant digital transactions.
T3100 Adaptive Traffic Manager- Product Datasheet By 2015, according to industry forecasts, there will be more than 7.1 billion mobile devices on earth – nearly one for each person – as more consumers flock to the digital lifestyle. If this meteoric growth in usage plays out as anticipated, it will be accompanied by some inevitable statistics: • The average smartphone will consume 1.3+ GB of traffic per month, or 800 percent over 2010 levels. • Annual mobile data traffic will reach 6.3 exabytes per month, a compound annual growth rate of 92 percent. • Mobile video will account for more than 66 percent of all mobile data traffic.
T3100 Adaptive Traffic Manager Seven Dimensions of Traffic Control for Managing and Monetizing Data By 2015, according to industry forecasts, there will be more than 7.1 billion mobile devices on earth – nearly one for each person – as more consumers flock to the digital lifestyle. If this meteoric growth in usage plays out as anticipated, it will be accompanied by some inevitable statistics: • The average smartphone will consume 1.3+ GB of traffic per month, or 800 percent over 2010 levels. • Annual mobile data traffic will reach 6.3 exabytes per month, a compound annual growth rate of 92 percent. • Mobile video will account for more than 66 percent of all mobile data traffic.
T3100 Adaptive Traffic Manager – Bytemobile
T3000 Adaptive Traffic Management System (T-Series) – Bytemobile Adaptive Traffic Management provides mobile network operators with real-time control of application traffic across all layers to improve subscriber quality of experience (QoE) and monetize subscriber usage through differentiated service plans. With an unprecedented level of visibility, Adaptive Traffic Management measures each subscriber’s QoE and dynamically adjusts traffic flows to maximize it. The T-Series Adaptive Traffic Management System includes the T3100 Adaptive Traffic Manager, the T2100 Content Accelerator and the T1100 Traffic Controller. With these elements, the T-Series represents a fundamental change in traffic management architecture for mobile networks.
T3000 Adaptive Traffic Management System (T-Series) – Bytemobile
T1100 Traffic Director Product Datasheet Bytemobile’s T-Series Adaptive Traffic Management System provides a next-generation architecture for mobile network operators to manage their data traffic holistically across all applications and subscribers. As a network element in the T-Series architecture, the T1100 Traffic Director intelligently steers traffic and manages load for Smart Capacity™ solutions on Bytemobile’s Unison™ and T-Series platforms. The high-performance, intelligent T1100 enables operators to efficiently and cost-effectively manage explosive growth in data traffic while delivering a high-quality experience to their subscribers.
T1100 Traffic Director – Bytemobile
Method and apparatus for detecting SSH login attacks A digital filter correlation engine, wherein the correlation engine combines N arbitrary digital filter states based on the weights and, along with a threshold, generates a network incident. This network incident in turn can be fed back to another digital filter. This multi-layering capability allows the creation of higher level event detections that are time-based for a cyber security analyst to analyze, thereby reducing the amount of manual work the analyst has to do in inspecting behaviors within the network.
Method and apparatus for content filtering on SPDY connections The present disclosure discloses a method and a network device for performing content filtering on SPDY connections. Specifically, a network device receives, from a client device, a first control frame identifying a first maximum number of unsolicited unacknowledged messages related to a web resource that can be transmitted by a web server. The network device transmits to the web server a second control frame identifying a second and different maximum number of unsolicited unacknowledged messages related to the web resource that can be transmitted by the web server. In some embodiments, the network device establishes a first connection with the client device without forwarding the request to the web server, and a second connection with the web server. Further, the network device inspects data in the unsolicited unacknowledged messages and forwards at least a portion of the data to the client device using the first connection.
Method and apparatus for communicating an encrypted broadcast to virtual private network receivers A method of communicating an encrypted data broadcast to a plurality of virtual private network receivers is disclosed. A first communication channel is established between a first one of the receivers and a network node. A private data stream is communicated to the first receiver on the first channel. A request is received from the first receiver to join a broadcast data stream that is directed to a plurality of receivers by a broadcast server. A second encrypted communication channel is established between the first receiver and the network node for purposes of carrying the broadcast data stream. Decryption information, which the first receiver can use to decrypt information that is sent on the second channel, is sent to the first receiver through the first channel. The broadcast data stream is then communicated to the first receiver on the second channel. As a result, a particular receiver can receive an encrypted broadcast that is encrypted as part of a single session for a large plurality of other receivers, without impacting separate, private encrypted communications conducted by the particular receiver.
Merging of scored records into consistent aggregated anomaly messages In one embodiment, a device in a network identifies a plurality of traffic records as anomalous. The device matches each of the plurality of traffic records to one or more anomalies using one or more anomaly graphs. A particular anomaly graph represents hosts in the network as vertices in the graph and communications between hosts as edges in the graph. The device applies one or more ordering rules to the traffic records, to uniquely associate each traffic record to an anomaly in the one or more anomalies. The device sends an anomaly notification for a particular anomaly that is based on the traffic records associated with the particular anomaly.
Merging and optimizing heterogeneous rulesets for device classification In one embodiment, a device classification service receives a plurality of device classification rulesets, each ruleset associating a set of device characteristics with a device type label. The device classification service forms a unified ruleset by resolving a conflict between conflicting device characteristics from two or more of the device classification rulesets. The device classification service trains a machine learning-based device classifier using the unified ruleset. The device classification service classifies, using telemetry data for a device in a network as input to the trained device classifier, the device with the device type label.
Mechanisms to prevent anomaly detectors from learning anomalous patterns In one embodiment, a device in a network detects an anomaly in the network by analyzing a set of sample data regarding one or more conditions of the network using a behavioral analytics model. The device receives feedback regarding the detected anomaly. The device determines that the anomaly was a true positive based on the received feedback. The device excludes the set of sample data from a training set for the behavioral analytics model, in response to determining that the anomaly was a true positive.
Managing Virtual Identities Across IP Networks How do you accurately identify targets across multiple applications, multiple physical locations, multiple terminals and multiple identities?
Machine learning-based traffic classification using compressed network telemetry data In one embodiment, a device in a network receives telemetry data regarding a traffic flow in the network. One or more features in the telemetry data are individually compressed. The device extracts the one or more individually compressed features from the received telemetry data. The device performs a lookup of one or more classifier inputs from an index of classifier inputs using the one or more individually compressed features from the received telemetry data. The device classifies the traffic flow by inputting the one or more classifier inputs to a machine learning-based classifier.
Lucid Security, makers of ipANGEL(tm), the world’s premier Vulnerability Shield
Lucid Security » ipAngel Appliances
LogRhythm NetMon | Network Monitoring | LogRhythm
Load balancing for mobile IP home agents In one embodiment, mobile nodes may be pre-provisioned with a static home agent address and a static home address. The home agent address may be the same for all the mobile nodes. The home address may be a unique identifier for the mobile node in a network. A registration request from a mobile node may be sent to the home agent address. A load balancer may be configured to receive the registration request at the home agent address. The load balancer is then configured to determine a home agent in the plurality of home agents to send the registration request to. The load balancer determines which home agent to send the request to based on the home address for the mobile node. The load balancer then sends the request to the determined home agent.
Lightweight flow reporting in constrained networks In one embodiment, a device in a network receives one or more packets that are part of a traffic flow. The device provides a sample packet to a path computation element (PCE) that includes a signature that uniquely identifies the traffic flow. The device receives a traffic flow policy for the traffic flow from a policy engine and enforces the traffic flow policy for the traffic flow.
Leveraging point inferences on HTTP transactions for HTTPS malware detection In one embodiment, a traffic analysis service receives captured traffic data regarding a Transport Layer Security (TLS) connection between a client and a server. The traffic analysis service applies a first machine learning-based classifier to TLS records from the traffic data, to identify a set of the TLS records that include Hypertext Transfer Protocol (HTTP) header information. The traffic analysis service estimates one or more HTTP transaction labels for the connection by applying a second machine learning-based classifier to the identified set of TLS records that include HTTP header information. The traffic analysis service augments the captured traffic data with the one or more HTTP transaction labels. The traffic analysis service causes performance of a network security function based on the augmented traffic data.
Learning when to reuse existing rules in active labeling for device classification In various embodiments, a device classification service forms a device cluster by applying clustering to attributes of endpoint devices observed in one or more networks. The device classification service applies an initial device classification rule to the endpoint devices in the device cluster, based on one or more of the endpoint devices in the device cluster matching the initial device classification rule. The device classification service computes metrics for the initial device classification rule that quantify how well the attributes of the endpoint devices in the device cluster match the initial device classification rule. The device classification service decides, based on the metrics, whether to associate the initial device classification rule with the device cluster or generate a new device classification rule based on the device cluster.
Learning robust and accurate rules for device classification from clusters of devices In various embodiments, a device classification service obtains traffic telemetry data for a plurality of devices in a network. The service applies clustering to the traffic telemetry data, to form device clusters. The service generates a device classification rule based on a particular one of the device clusters. The service receives feedback from a user interface regarding the device classification rule. The service adjusts the device classification rule based on the received feedback.
Learning packet capture policies to enrich context for device classification systems In various embodiments, a device classification service receives, from a networking device in a network, an indication that deep packet inspection (DPI) trace data is not available for an endpoint device in the network because the endpoint device does not match any DPI policies of the networking device. The service configures a first DPI policy on the networking device that causes it to capture a DPI trace of traffic associated with the endpoint device. The service receives, via a user interface, an indication that a subset of attributes of the endpoint device in the DPI trace is relevant to labeling the endpoint device with a device type. The service replaces the first DPI policy on the networking device with a second DPI policy that causes it to report only the subset of attributes of endpoint devices to the device classification service for endpoint devices that match the second DPI policy.
Learning internal ranges from network traffic data to augment anomaly detection systems In one embodiment, a device in a network receives traffic records indicative of network traffic between different sets of host address pairs. The device identifies one or more address grouping constraints for the sets of host address pairs. The device determines address groups for the host addresses in the sets of host address pairs based on the one or more address grouping constraints. The device provides an indication of the address groups to an anomaly detector.
Learning criticality of misclassifications used as input to classification to reduce the probability of critical misclassification In one embodiment, a device classification service that uses a machine learning-based device type classifier to classify endpoint devices with device types, identifies a set of device types having similar associated traffic telemetry features. The service obtains, via one or more user interfaces, feedback indicative of whether the device type classifier misclassifying an endpoint device having a particular device type in the set with another device type in the set would be a critical misclassification. The service trains, using the obtained feedback, a prediction model to predict an impact of misclassifying the particular device type as one of the other device types in the set of device types. The service also retrains the machine learning-based device type classifier based on a prediction from the prediction model.
Label distribution protocol advertisement of services provided by application nodes An application node advertises service(s), using a label distribution protocol, that it offers to other network nodes and a corresponding label to use to identify these service(s). For example, a Targeted Label Distribution Protocol (tLDP) session may be established between a packet switching device and the application node providing these services to communicate the advertisement. Packets are encapsulated and sent from a service node (e.g., packet switching device) with the corresponding label to have one or more advertised services applied to the packet by an application node (e.g., a packet switching device and/or computing platform such as a Cisco ASR 1000).
Juniper Networks Deep Packet Inspection-Decoder (JDPI-Decoder) Documentation | Juniper Networks TechLibrary
IoT device management using multi-protocol infrastructure network devices Techniques for managing IoT devices through multi-protocol infrastructure network devices are disclosed. A system utilizing such techniques can include a multi-protocol infrastructure network device and a WAN based IoT device management system and various network device based engines. A method utilizing such techniques can include management according to WAN based IoT device policies and LAN based IoT device policies.
Intrusion event correlation with network discovery information A policy component includes policy configuration information. The policy configuration information contains one or more rules. Each rule and group of rules can be associated with a set of response actions. As the nodes on the monitored networks change or intrusive actions are introduced on the networks, network change events or intrusion events are generated. The policy component correlates network change events and/or intrusion events with network map information. The network map contains information on the network topology, services and network devices, amongst other things. When certain criteria are satisfied based on the correlation, a policy violation event may be issued by the system resulting in alerts or remediations.
Intrusion detection strategies for hypertext transport protocol A hypertext transport protocol (HTTP) inspection engine for an intrusion detection system (IDS) includes an HTTP policy selection component, a request universal resource identifier (URI) discovery component, and a URI normalization module. The HTTP policy selection component identifies an HTTP intrusion detection policy using a packet. The request URI discovery component locates a URI within the packet. The URI normalization module decodes an obfuscation within the URI. In another embodiment, a packet transmitted on the network is intercepted. The packet is parsed. An Internet protocol (IP) address of the packet is identified. An HTTP intrusion detection policy for a network device is determined. A URI is located in the packet. A pattern from an intrusion detection system rule is compared to the located URI. In another embodiment, an IDS includes a packet acquisition system, network and transport reassembly modules, an HTTP inspection engine, a detection engine, and a logging system.
Intrusion Detection & Prevention Systems – Sourcefire Snort Information security is a challenging issue for all business organizations today amidst increasing cyber threats. While there are many alternative intrusion detection & prevention systems available to choose from, selecting the best solution to implement to detect & prevent cyber-attacks is a difficult task. The best solution is the one that gets the best reviews, and suits the organization’s needs & budget. In this review paper, we summarize various classes of intrusion detection and prevention systems, compare features of alternative solutions and make a recommendation for implementation of one as the best solution for a business organization in Fiji.
Intrusion and misuse deterrence system employing a virtual network A method and apparatus is disclosed for increasing the security of computer networks through the use of an Intrusion and Misuse Deterrence System (IMDS) operating on the network. The IMDS is a system that creates a synthetic network complete with synthetic hosts and routers. It is comprised of a network server with associated application software that appears to be a legitimate portion of a real network to a network intruder. The IMDS consequently invites inquiry and entices the intruder away from the real network. Simulated services are configured to appear to be running on virtual clients with globally unique, class
Introduction to Cisco IOS NetFlow – A Technical Overview [Cisco IOS NetFlow] – Cisco Systems
Interposer with security assistant key escrow An interposer is provided that is configured to interpose into an application security protocol exchange by obtaining application session security state. The interposer does this without holding any private keying material of client or server. An out-of-band Security Assistant Key Escrow service (SAS/SAKE) is also provided. The SAKE resides in the secure physical network perimeter and holds the private keying material required to derive session keys for interposing into application security protocol. During a security protocol handshake, the interposer sends SAKE security protocol handshake messages and in return receives from the SAKE session security state that allows it to participate in application security protocol.
Interactive dynamic ordering of deep packet inspection rules A network device processes packets transiting the device using successive deep packet inspection (DPI) rules. For each rule, the device attempts to apply the DPI rule to each packet, applies the DPI rule to each packet for which the attempt is successful, determines a probability that the attempt is successful across a plurality of packets, determines an average computational cost of applying the rule across a plurality of packets, and determines a merit of the DPI rule based on the average computational cost and the probability. The device reorders the successive DPI rules in an order of decreasing merit (computational cost), and processes new packets using the optimized DPI rules. The method of re-arranging DPI rules provides significant savings for network devices including mobile gateways in terms of computational cost.
Intelligent handling of voice calls from mobile voice client devices The present disclosure discloses a method and network device for intelligent handling of voice calls from mobile voice client devices. In some embodiments, the network device detects that a load, corresponding to a plurality of client devices associated with an access point, exceeds a particular threshold value. In some embodiments, the network device detects that a call quality for a current ongoing call, corresponding to a first client device associated with an access point, is below a first threshold value. In response, the network device selects a particular client device, of the plurality of client devices associated with the access point, for disassociation with the access point. The network device then causes the particular client device to disassociate with the access point.
Integrated security platform An integrated security platform that enables a wide variety of network security elements to share security information in a comprehensive manner so as to provide automation of policy and security enforcement based on intelligence gathered by the different network security elements. The integrated security information platform provides the ability to clarify security intelligence by simplifying the collection and indexing of security information so that the information is visible and accessible to systems wanting to make use of the security information, without requiring all of the information to be co-resident with the infrastructure of the security platform or requiring the various systems to have pair-wise relationships with one another.
Inserting and removing stateful devices in a network Embodiments are directed to managing communication over a network with traffic management computers (TMCs). If network traffic that is statelessly monitored is selected for stateful monitoring, the TMCs may perform operations to transition from stateless monitoring to stateful monitoring with minimal disruption of users/clients. TMCs may receive the network traffic that includes network packets. If the network packets are statelessly monitored by the TMCs, one or more stateless network management operations may be performed on the network packets. If the network packets may be statefully monitored, the TMCs may perform stateful network management operations on the network packets.
Ingress traffic classification and prioritization with dynamic load balancing According to one embodiment, a method comprises an operation of determining whether an ingress control message is locally terminated control traffic on a digital device prior to the ingress control message being forwarded to a hardware processor of the digital device for processing. A priority is assigned to the ingress control message based on information within the ingress control message, if the ingress control message is determined to be locally terminated control logic.
Information reporting for anomaly detection In one embodiment, a first device in a network receives traffic flow data from a plurality of devices in the network. The traffic flow data from at least one of the plurality of devices comprises raw packets of a traffic flow. The first device selects a set of reporting devices from among the plurality of devices based on the received traffic flow data. The first device provides traffic flow reporting instructions to the selected set of reporting devices. The traffic flow reporting instructions cause each reporting device to provide sampled traffic flow data to an anomaly detection device.
Inferring device load and availability in a network by observing weak signal network based metrics In one embodiment, a traffic analysis service obtains traffic characteristics of network traffic associated with a device in a network. The traffic analysis service uses a machine learning model to infer resource usage by the device based on the obtained traffic characteristics of the network traffic associated with the device. The traffic analysis service controls traffic flows in the network based on the inferred resource usage by the device.
Inet’s Spectra: Simultaneous Multi-Protocol Analyzer for SS7, X.25 and ISDN.
Independent comparison of popular DPI tools for traffic classification Deep Packet Inspection (DPI) is the state-of-the-art technology for traffic classification. According to the conventional wisdom, DPI is the most accurate classification technique. Consequently, most popular products, either commercial or open-source, rely on some sort of DPI for traffic classification. However, the actual performance of DPI is still unclear to the research community, since the lack of public datasets prevents the comparison and reproducibility of their results. This paper presents a comprehensive comparison of 6 well-known DPI tools, which are commonly used in the traffic classification literature. Our study includes 2 commercial products (PACE and NBAR) and 4 open-source tools (OpenDPI, L7-filter, nDPI, and Libprotoident). We studied their performance in various scenarios (including packet and flow truncation) and at different classification levels (application protocol, application and web service). We carefully built a labeled dataset with more than 750K flows, which contains traffic from popular applications. We used the Volunteer-Based System (VBS), developed at Aalborg University, to guarantee the correct labeling of the dataset. We released this dataset, including full packet payloads, to the research community. We believe this dataset could become a common benchmark for the comparison and validation of network traffic classifiers. Our results present PACE, a commercial tool, as the most accurate solution. Surprisingly, we find that some open-source tools, such as nDPI and Libprotoident, also achieve very high accuracy.
Increased granularity and anomaly correlation using multi-layer distributed analytics in the network In one embodiment, a primary networking device in a branch network receives a notification of an anomaly detected by a secondary networking device in the branch network. The primary networking device is located at an edge of the network. The primary networking device aggregates the anomaly detected by the secondary networking device and a second anomaly detected in the network into an aggregated anomaly. The primary networking device associates the aggregated anomaly with a location of the secondary networking device in the branch network. The primary networking device reports the aggregated anomaly and the associated location of the secondary networking device to a supervisory device.
In-data-plane network policy enforcement using IP addresses The present disclosure provides a method of embedding finer grained information such as user identity and application identity in IPv6 addresses used for end-to-end communications within a network. The finer grained information can be used for improved policy enforcement within the network. In one aspect, generating an address for an end-to-end communication within a network, the address including a user identifier and an application identifier for network policy enforcement; assigning the address to an application used in the end-to-end communication; and performing network segmentation and the network policy enforcement within the network using the address.
IEC TR 62351-90-2:2018 | IEC Webstore IEC TR 62351-90-2:2018, which is a technical report, addresses the need to perform Deep Packet Inspection (DPI) on communication channels secured by IEC 62351. The main focus is the illustration of the state-of-the-art of DPI techniques that can be applied to the various kinds of channels, highlighting the possible security risks and implementation costs. Additional, beyond-state-of-the-art proposals are also described in order to circumvent the main limits of existing solutions. It is to be noted that some communications secured by IEC 62351 are not encrypted, but only add integrity and non-repudiation of the message; however, they are mentioned here for the sake of completeness around IEC 62351 and DPI.
IBM QRadar SIEM – Details – United States
IBM QRadar Security Intelligence Tap into the flexibility and efficiency of the modern security platform. At the core of a security analyst’s challenge, there is too much data spread across too many tools. An integrated analytics platform offers more than a basic SIEM to streamline critical capabilities into a common workflow and help the security analyst be more efficient. The IBM Security App Exchange ecosystem extends platform capabilities on demand, adding cognitive security with Watson, user behavior analytics and more, to speed attack detection and response.
IBM QRadar SIEM IBM® QRadar® SIEM detects anomalies, uncovers advanced threats and removes false positives. It consolidates log events and network flow data from thousands of devices, endpoints and applications distributed throughout a network. It then uses an advanced Sense Analytics engine to normalize and correlate this data and identifies security offenses requiring investigation. As an option, it can incorporate IBM X-Force® Threat Intelligence which supplies a list of potentially malicious IP addresses including malware hosts, spam sources and other threats. QRadar SIEM is available on premises and in a cloud environment.
HPJournal_1992-Oct_NetworkAdvisor_45pages.pdf
HPInternetAdvisorSeries_5964-5902E_17pages_Jan96.pdf Integrated monitoring and protocol analysis to solve network problems quickly and easily.
HP Internet Advisor WAN Low Speed User’s Guide The Hewlett-Packard Internet Advisor WAN – Low Speed is part of an integrated software and hardware package (called the Internet Advisor WAN) that provides wide area network testing and analysis capability. Other Internet Advisor WAN applications include wide area network monitoring in Windows 95, the High Speed Toolkit, and DDS 4-Wire. This User’s Guide concerns only the Internet Advisor WAN – Low Speed application (also referred to as the Low Speed Analyzer). The Low Speed Analyzer gives you all of the tools you need to test data communications links from 50 bps to 64 Kbps. In addition, you can use a provided high speed capture application for monitoring and capturing data at speeds above 64 Kbps. The operating system of the Internet Advisor WAN – Low Speed is the Toolkit (described in more detail in chapter 3). This user interface simplifies operations, and lets you find problems on your network quickly. Using the Toolkit, you can configure the Advisor to run tests by pressing a
HP Computer Museum – Network Advisor Software Discs Operating system Name: Network Advisor Software Associated Hardware: HP Network Advisor Introduced: 1992 Product Number: Media: 3.5 inch HD Original Price: Unknown Division: Colorado Telecommunications Donated by: David Hanes, Loveland Colorado Teledisk: 2.16 Description: The Zip file contains 20 discs. 18 of the discs are the system software of the HP Network Advisor (part numbers 5011-0784 through 5011-0800 and 5011-1701). One of the discs (J2176-16008) contains file conversion and communication utilities for the Network Advisor. The final disc contains PC card configuration software (5011-0750).
HP Computer Museum – 4980 Network Advisor Emulators/Protocol Analyzers Selection: Name: 4980 Network Advisor Product Number: J2176A Introduced: 1991 Division: Colorado Telecommunications Original Price: Unknown Catalog Reference: 1992, page 609 Description: The 4980 was an Ethernet and Token-Ring network fault finder. It ran MS-DOS and was based on the Intel 386SX CPU.
HP 4980 Series Network Advisor Quick Start/User’s Guide
High speed pattern matching for deep packet inspection In communication equipment, pattern matching techniques are used to handle various requirements, such as network security, QoS and so on. This paper presents a pattern matching technique to process multiple characters in a single clock cycle. This paper also presents a way to find a particular pattern in communication packets using TCAMs.
High Speed Deep Packet Inspection with Hardware Support In this dissertation, we developed high speed packet processing algorithms for new services such as network intrusion detection, high speed firewalls, Network Address Translation (NAT), Hypertext Transfer Protocol (HTTP) load balancing, Extensible Markup Language (XML) processing, and Transmission Control Protocol (TCP) offloading. These new services have stringent requirements for speed, extensibility, scalability, and cost-effectiveness. For example, some services require rapid scanning of packets against thousands of known patterns. Traditional packet handling techniques, such as next hop forwarding, focus on packet headers only and fail to support these demanding requirements. This thesis research aims to provide fast and efficient deep packet inspection techniques that can function on the entire packet content rather than just the header. To keep up with high speed packet processing in existing networks, we proposed deep packet inspection schemes that are optimized for new technologies such as Ternary Content Addressable Memory (TCAM) and multi-core processors. We propose algorithms that work both on packet headers and packet payload. Our techniques form a cohesive architecture that can perform Gigabit rate packet scanning against thousands of sophisticated patterns.
Hierarchical models using self organizing learning topologies In one embodiment, a device in a network maintains a plurality of anomaly detection models for different sets of aggregated traffic data regarding traffic in the network. The device determines a measure of confidence in a particular one of the anomaly detection models that evaluates a particular set of aggregated traffic data. The device dynamically replaces the particular anomaly detection model with a second anomaly detection model configured to evaluate the particular set of aggregated traffic data and has a different model capacity than that of the particular anomaly detection model. The device provides an anomaly event notification to a supervisory controller based on a combined output of the second anomaly detection model and of one or more of the anomaly detection models in the plurality of anomaly detection models.
Hierarchical activation of scripts for detecting a security threat to a network using a programmable data plane In one example embodiment, a network management device generates a first script defining a first function for detecting a first customizable network event in a sequence of customizable network events indicative of a security threat to a network. The network management device activates the first script at a first network device in the network so as to cause the first network device to execute the first function for detecting the first customizable network event, and obtains, from the first network device, one or more indications that the first network device has detected the first customizable network event. Based on the one or more indications, the network management device determines whether to activate a second script defining a second function for detecting a second customizable network event in the sequence at a second network device in the network capable of detecting the second customizable network event.
Hash based per subscriber DNS based traffic classification Embodiments are directed towards managing name service communications using traffic management computers (TMCs). TMCs may extract values from a name service reply received from one or more name service computers. TMCs may provide a name service key based on the values extracted from the name service reply. Accordingly, if a new flow may be detected further actions may be performed, including: TMCs may extract values from a network packet associated with the new flow; TMCs may provide a flow key based on one or more values from one or more fields of a network packet associated with the new flow; TMCs may compare the flow key to one or more name service keys; and if the comparison may be affirmative, TMCs may apply one or more traffic management policies associated with the affirmative comparison.
Hard/soft finite state machine (FSM) resetting approach for capturing network telemetry to improve device classification In one embodiment, a device classification service receives a first set of telemetry data captured by one or more networking devices in a network regarding traffic associated with an endpoint device in the network. The service classifies the endpoint device as being of an unknown device type, by applying a machine learning-based classifier to the first set of telemetry data. The service instructs the one or more networking devices in the network to reset a finite state machine (FSM) of the traffic associated with the endpoint device. The device classification service receives a second set of telemetry data regarding traffic associated with the endpoint device and captured after reset of the FSM. The service reclassifies the endpoint device as being of a particular device type, by applying the machine learning-based classifier to the second set of telemetry data.
Gathering flow characteristics for anomaly detection systems in presence of asymmetrical routing In one embodiment, a first device in a network identifies a first traffic flow between two endpoints that traverses the first device in a first direction. The first device receives information from a second device in the network regarding a second traffic flow between the two endpoints that traverses the second device in a second direction that is opposite that of the first direction. The first device merges characteristics of the first traffic flow captured by the first device with characteristics of the second traffic flow captured by the second device and included in the information received from the second device, to form an input feature set. The first device detects an anomaly in the network by analyzing the input feature set using a machine learning-based anomaly detector.
Framework for joint learning of network traffic representations and traffic classifiers In one embodiment, a device in a network receives traffic data associated with a particular communication channel between two or more nodes in the network. The device generates a mean map by employing kernel embedding of distributions to the traffic data. The device forms a representation of the communication channel by identifying a set of lattice points that approximate the mean map. The device generates a traffic classifier using the representation of the communication channel. The device uses machine learning to jointly identify the set of lattice points and one or more parameters of the traffic classifier. The device causes the traffic classifier to analyze network traffic sent via the communication channel.
Forecasting SDN fabric saturation and machine learning-based flow admission control In one embodiment, a supervisory device for a software defined networking (SDN) fabric predicts characteristics of a new traffic flow to be admitted to the fabric, based on a set of initial packets of the flow. The supervisory device predicts an impact of admitting the flow to the SDN fabric, using a heatmap-based saturation model for the SDN fabric. The supervisory device admits the flow to the SDN fabric, based on the predicted impact. The supervisory device uses reinforcement learning to adjust one or more call admission control (CAC) parameters of the SDN fabric, based on captured telemetry data regarding the admitted flow.
FlowScan: A Network Traffic Flow Reporting and Visualization Tool Internet traffic flow profiling has become a useful technique in the passive measurement and analysis field. The prerequisites for flow-based measurements are now available within the network infrastructure – particularly, in popular Cisco network devices. The integration of this feature has enabled the “flow” concept to become a valuable tool for the network administrator, as it had been in the past for the researcher. This paper describes FlowScan, a software package for open systems that is freely available under the terms of the GNU General Public License. FlowScan analyzes and reports on flow data exported by Internet Protocol routers. It is an assemblage of perl scripts and modules and is the glue that binds together other freely available components such as a flow collection engine, a high performance database, and a visualization tool. Once assembled, the FlowScan system produces graph images, suitable for use in web pages. These provide a continuous, near real-time view of the network traffic through a network’s border. Although there are now a number of tools available that collect and process flow data, there is a dearth of visualization tools. By utilizing freely available software tools, FlowScan can be readily deployed in most modern educational institution, corporate, and ISP networks. The information presented by FlowScan assists in understanding the nature of the traffic that your network is carrying. It can be useful in the identification and investigation of anomalies such as poor performance and attacks on hosts. It can provide a foundation on which to develop usage-based billing or to verify the effectiveness of Quality-of-Service policies. By understanding the flows of traffic carried by the network, your institution should be able to make informed network management and bandwidth provisioning decisions.
FlowIntelligence Cyber Sensor Suite | Bivio Networks
FlowIntelligence Cyber Analyst | Bivio Networks
Flexible flow-aging mechanism A flow identifier is stored in a memory to identify a network flow. The memory is capable of storing multiple flow identifiers for multiple flows. Packet statistics are collected for each of the flows. The packet statistics are compared and a flow identifier is subsequently selected and removed from the memory.
Firepower, Next Generation firewall from Cisco As there are more and more threats on the internet, the need for security is more crucial than ever for companies to look into their solutions to protect their information. To be able to see how an attack works, we discuss and show how an attack progresses. In this thesis we compare the difference between traditional and Next Generation firewalls. We also compare three different vendors to compare different functions and security performance. By using Systemair AB as testing ground and having their network as a template we will compare the models in a real environment and finally make the changes to get a more effective network at their site with a new Next Generation firewall at their center. It will also contain a description about Cisco’s Next generation firewall ASA with FirePOWER, and some of the installation process to get it to work. This is Cisco’s new firewall that they have created with the help of Sourcefire.
Firepower No other network security device is as common as the firewall; however, modern firewalls have evolved leaps over the traditional state tracking firewalls. Modern firewalls provide options such as traffic normalization, application inspection, intrusion detection integration, and Virtual Private Network (VPN) capabilities among many other features. The Firepower series was born from a combination of Cisco’s ASA firewalls and Sourcefire’s Intrusion Prevention System (IPS). They are powerful next-generation security appliances that go far beyond being just a firewall.
Fingerprint merging and risk level evaluation for network anomaly detection A device in a network receives fingerprints of two or more network anomalies detected in the network by different anomaly detectors. Each fingerprint comprises a hash of tags that describe a detected anomaly. The device associates the fingerprints with network records captured within a timeframe in which the two or more network anomalies were detected. The device compares the fingerprints associated with the network records to determine that the two or more detected anomalies are part of a singular anomaly event. The device generates a notification regarding the singular anomaly event. The notification includes those of the fingerprints that are associated with the singular anomaly event.
Feedback-based prioritized cognitive analysis An automated method for processing security event data in association with a cybersecurity knowledge graph having nodes and edges. It begins by receiving from a security system (e.g., a SIEM) information representing an offense. An offense context graph is built. Thereafter, and to enhance the offense context graph, given nodes and edges of the knowledge graph are prioritized for traversal based on an encoding captured from a security analyst workflow. This prioritization is defined in a set of weights associated with the graph nodes and edges, and these weights may be derived using machine learning. The offense context graph is then refined by traversing the nodes and edges of the knowledge graph according to a prioritization tailored at least in part by the encoding. In addition to using security analyst workflow to augment generation of weights, preferably the machine learning system provides recommendations back to the security analysts to thereby influence their workflow.
FDDI Topology Mapping For the FDDI version of the HP Network Advisor protocol analyzer, ring mapping algorithms were devised to provide topological views of FDDI networks. These algorithms are designed to handle many problem situations that are characteristic of emerging LAN technologies.
FDDI Management Information Base This memo defines an experimental portion of the Management Information Base (MIB) for use with network management protocols in TCP/IP-based internets. In particular, it defines objects for managing devices which implement the FDDI, as specified in the ANSI SMT 7.3 draft standard. This memo does not specify a standard for the Internet community.
Fast and memory-efficient regular expression matching for deep packet inspection Packet content scanning at high speed has become extremely important due to its applications in network security, network monitoring, HTTP load balancing, etc. In content scanning, the packet payload is compared against a set of patterns specified as regular expressions. In this paper, we first show that memory requirements using traditional methods are prohibitively high for many patterns used in packet scanning applications. We then propose regular expression rewrite techniques that can effectively reduce memory usage. Further, we develop a grouping scheme that can strategically compile a set of regular expressions into several engines, resulting in remarkable improvement of regular expression matching speed without much increase in memory usage. We implement a new DFA-based packet scanner using the above techniques. Our experimental results using real-world traffic and patterns show that our implementation achieves a factor of 12 to 42 performance improvement over a commonly used DFA-based scanner. Compared to the state-of-the-art NFA-based implementation, our DFA-based packet scanner achieves 50 to 700 times speedup.
Exposed control components for customizable load balancing and persistence Embodiments are directed towards exposing access to network metrics to a late-binding, user-customized set of computer instructions within a traffic manager device (TMD) for use in managing a request for a resource. In one embodiment, the TMD may be interposed between client devices and a plurality of network devices. Request-specific data is extracted from a received client request by the user’s instructions. Various network metrics about the network devices are provided to the user’s instructions to selectively provide the request from the client device to a network device. In one embodiment, an election hash is described as an action performed by the user’s instructions.
Exclude filter for load balancing switch In an example, there is disclosed a computing apparatus for providing load-balanced switching, including a switching network; one or more logic elements operable for providing network switching or routing; and one or more logic elements providing a load balancing engine operable for: load balancing at least some incoming network traffic; receiving an exclude list identifying a network node excluded from load balancing; identifying a network packet directed to the network node excluded from load balancing; and directing the network packet to the network.
Events from network flows In one embodiment, a system includes a processor to receive network flows, for each of one of a plurality of event-types, compare each one of the network flows to a flow-specific criteria of the one event-type to determine if the one network flow satisfies the flow-specific criteria, for each one of the event-types, for each one of the network flows satisfying the flow-specific criteria of the one event-type, assign the one network flow to a proto-event of the one-event type, test different combinations of the network flows assigned to the proto-event of the one event-type against aggregation criteria of the one event-type to determine if one combination of the network flows assigned to the proto-event of the one event-type satisfies the aggregation criteria for the one event-type and identifies an event of the one event-type from among the network flows of the proto-event. Related apparatus and methods are also described.
Ordering of multiple plugin applications using extensible layered service provider with network traffic filtering Low-level network services are provided by network-service-provider plugins. These plugins are controlled by an extensible service provider that is layered above the TCP layer but below the Winsock-2 library and API. The extensible service provider orders the plugins based on the function performed by each plugin and on ordering hints. Plugins that redirect the protocol or socket are executed first. Plugins that examine packets or block entire packets are executed before plugins that modify packets. Plugins that compress or encrypt data are executed last for outgoing packets. Ordering hints cause a plugin to be executed before or after others in its functional class. Ordering allows examining plugins that simply read data to get to the packets before an encrypting or compressing plugin renders the data unreadable. The extensible service provider has a plugin manager that orders and controls execution of the plugins. A filter manager evaluates one or more packet-filters. Filters are bound to plugins by binding objects; each socket has its own binding list of filters and plugins. Execution of some plugins can be skipped when filters bound to them do not match packets sent or received. Well-ordered plugins transparently provide a variety of network services such as content-filtering and blocking, encryption and compression, and statistics-gathering.
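An added Python example, not the patent's code, of the ordering rule for outgoing packets: plugins are ranked by functional class, hints reorder only within a class, and a topological sort rejects hints that contradict each other or cross classes. The plugin names and classes are constructed.

```python
# Functional classes in the order the provider runs them for outgoing packets:
# redirecting plugins first, examining/blocking before modifying,
# compressing/encrypting last (so examiners see plaintext).
CLASS_RANK = {"redirect": 0, "examine": 1, "block": 1, "modify": 2, "compress": 3, "encrypt": 3}

# Constructed plugin registrations (hypothetical names). "before"/"after" are
# ordering hints relative to other plugins of the same functional class.
PLUGINS = [
    {"name": "tls-wrap",       "class": "encrypt"},
    {"name": "url-logger",     "class": "examine", "after": ["content-filter"]},
    {"name": "content-filter", "class": "block"},
    {"name": "proxy-redirect", "class": "redirect"},
    {"name": "header-rewrite", "class": "modify"},
    {"name": "lz-compress",    "class": "compress", "before": ["tls-wrap"]},
]

def order_plugins(plugins):
    """Execution order: by functional class, then by hints, then by registration order."""
    names = [p["name"] for p in plugins]
    rank = {p["name"]: CLASS_RANK[p["class"]] for p in plugins}
    succ = {n: set() for n in names}
    indeg = {n: 0 for n in names}

    def edge(a, b):                      # a must run before b
        if b not in succ[a]:
            succ[a].add(b)
            indeg[b] += 1

    def check_hint(p, other, word):
        if other not in rank:
            raise ValueError(f"{p['name']} {word} unknown plugin {other}")
        if rank[other] != rank[p["name"]]:
            raise ValueError(f"hint crosses functional class: {p['name']} {word} {other}")

    for a in names:                      # class order is absolute
        for b in names:
            if rank[a] < rank[b]:
                edge(a, b)
    for p in plugins:                    # hints only reorder within a class
        for other in p.get("before", []):
            check_hint(p, other, "before")
            edge(p["name"], other)
        for other in p.get("after", []):
            check_hint(p, other, "after")
            edge(other, p["name"])

    order, ready = [], [n for n in names if indeg[n] == 0]
    while ready:                         # Kahn's algorithm, ties broken by registration order
        ready.sort(key=names.index)
        cur = ready.pop(0)
        order.append(cur)
        for nxt in succ[cur]:
            indeg[nxt] -= 1
            if indeg[nxt] == 0:
                ready.append(nxt)
    if len(order) != len(names):
        raise ValueError("contradictory ordering hints form a cycle")
    return order

if __name__ == "__main__":
    print(" -> ".join(order_plugins(PLUGINS)))
```

With the constructed registrations the chain comes out as proxy-redirect, content-filter, url-logger, header-rewrite, lz-compress, tls-wrap: the logger reads the URL before anything encrypts it, and compression precedes encryption so it still has redundancy to remove.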
Estimating feature confidence for online anomaly detection In one embodiment, a device in a network obtains characteristic data regarding one or more traffic flows in the network. The device incrementally estimates an amount of noise associated with a machine learning feature using bootstrapping. The machine learning feature is derived from the sampled characteristic data. The device applies a filter to the estimated amount of noise associated with the machine learning feature, to determine a value for the machine learning feature. The device identifies a network anomaly that exists in the network by using the determined value for the machine learning feature as input to a machine learning-based anomaly detector. The device causes performance of an anomaly mitigation action based on the identified network anomaly.
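An added Python example (not the patent's implementation) of estimating a feature's noise by bootstrap resampling over a sliding window of flow measurements and damping each update by the resulting confidence before the value reaches a detector. The weighting rule and the toy z-score detector are this example's own assumptions.

```python
import random
import statistics

def bootstrap_noise(samples, feature=statistics.mean, n_boot=200, rng=None):
    """Standard error of `feature` over `samples`, estimated by resampling with replacement."""
    rng = rng or random.Random(0)
    n = len(samples)
    resampled = [feature([samples[rng.randrange(n)] for _ in range(n)]) for _ in range(n_boot)]
    return statistics.pstdev(resampled)

class ConfidenceFilteredFeature:
    """Sliding-window feature whose updates are damped in proportion to their bootstrap noise.

    The weighting rule (confidence = 1 / (1 + noise / |raw|)) is this example's choice,
    not the filter described in the abstract.
    """

    def __init__(self, window=32, min_samples=4, n_boot=200, seed=0):
        self.window = window
        self.min_samples = min_samples
        self.n_boot = n_boot
        self.rng = random.Random(seed)   # seeded so the estimate is reproducible
        self.samples = []
        self.value = None

    def update(self, x):
        """Ingest one measurement; return (filtered feature value, estimated noise or None)."""
        self.samples.append(x)
        del self.samples[:-self.window]          # keep only the newest `window` samples
        raw = statistics.mean(self.samples)
        if len(self.samples) < self.min_samples:  # too few samples to bootstrap meaningfully
            self.value = raw
            return self.value, None
        noise = bootstrap_noise(self.samples, n_boot=self.n_boot, rng=self.rng)
        confidence = 1.0 / (1.0 + noise / (abs(raw) + 1e-9))
        self.value = raw if self.value is None else confidence * raw + (1.0 - confidence) * self.value
        return self.value, noise

def zscore_anomaly(value, baseline_mean, baseline_std, threshold=3.0):
    """Toy detector fed with the filtered feature: flag values far from a learned baseline."""
    if baseline_std == 0:
        return value != baseline_mean
    return abs(value - baseline_mean) / baseline_std > threshold

if __name__ == "__main__":
    feat = ConfidenceFilteredFeature(window=8)
    # Constructed bytes-per-flow measurements: a stable baseline, then one huge flow.
    for bytes_per_flow in [10.0] * 8 + [500.0]:
        value, noise = feat.update(bytes_per_flow)
        print(f"raw={bytes_per_flow:>6} filtered={value:8.2f} noise={noise}")
```

A single outlier pushes the raw window mean from 10 to 71.25, but the bootstrap reports high noise for that window, so the filtered value moves only part of the way; a persistent shift keeps the noise low and passes through almost unchanged.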
EP 2321934 B1 20140625 – SYSTEM AND DEVICE FOR DISTRIBUTED PACKET FLOW INSPECTION AND PROCESSING Distribution of network processing load among a set of packet processing devices is improved by employing means for eliminating, controlling, or otherwise affecting redundant packet processing operations. In one embodiment, at least two packet processing devices are present, both capable of processing data packets flowing therethrough, such as, inspecting, detecting, and filtering data packets pursuant to one or more filters from a filter set. Redundancy is controlled by providing or enabling either or both of the packet processing devices with capability for detecting during its said inspection of said data packets that, for example, one or more filters had been previously executed on said data packets by the other packet processing device, and then not executing the previously-executed filters on said data packets.
EP 0478175 A1 19920401 – A protocol analyzer. A protocol analyzer is provided for monitoring a selected communication connection being conducted in accordance with a predetermined protocol by the exchange of protocol data units between two entities over a data network (12). The analyzer (10) comprises monitoring means (13-15) for identifying protocol data units, a protocol-follower (17, 18, 27) conditioned in dependence on said predetermined protocol and operative to follow the progress of the connection as it receives relevant protocol data units from the monitoring means (13-15), and alarm means (22) indicating when the sequence of protocol data units diverges from the protocol. The protocol data units are passed through a FIFO store (16) as they are used by the protocol-follower, so that on a protocol violation occurring, the sequence of protocol data units leading up to the violation can be extracted from the FIFO store (16) and displayed. The protocol analyzer thus filters out protocol data units conforming to the relevant protocol so that only protocol data units violating the protocol, together with the immediately preceding protocol data units, are displayed.
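An added Python example (not the EP 0478175 design itself) of a protocol-follower with a FIFO store: a transition table stands in for the predetermined protocol, conforming PDUs advance the state silently, and a violation is reported together with the PDUs that led up to it. The simplified handshake/teardown protocol and the trace are constructed for the example.

```python
from collections import deque

# Transition table of a simplified handshake/teardown protocol constructed for this
# example: state -> {PDU type -> next state}. Anything not listed is a violation.
TRANSITIONS = {
    "CLOSED":      {"SYN": "SYN_RCVD"},
    "SYN_RCVD":    {"SYN-ACK": "SYN_ACKED"},
    "SYN_ACKED":   {"ACK": "ESTABLISHED"},
    "ESTABLISHED": {"DATA": "ESTABLISHED", "ACK": "ESTABLISHED", "FIN": "FIN_WAIT"},
    "FIN_WAIT":    {"ACK": "FIN_WAIT", "FIN": "CLOSING"},
    "CLOSING":     {"ACK": "CLOSED"},
}

def pdu(seq, kind):
    return {"seq": seq, "type": kind}

class ProtocolFollower:
    """Tracks one connection against TRANSITIONS; keeps the last `fifo_depth` PDUs for context."""

    def __init__(self, fifo_depth=4, initial="CLOSED"):
        self.state = initial
        self.fifo = deque(maxlen=fifo_depth)   # the FIFO store of recently seen PDUs
        self.alarms = []

    def feed(self, unit):
        """Advance on a conforming PDU and return None; on a violation return an alarm."""
        self.fifo.append(unit)
        nxt = TRANSITIONS[self.state].get(unit["type"])
        if nxt is None:
            alarm = {
                "seq": unit["seq"],
                "state": self.state,
                "violation": unit,
                "preceding": list(self.fifo)[:-1],   # what led up to it, oldest first
            }
            self.alarms.append(alarm)
            # State is left unchanged; the follower picks up again on the next valid PDU.
            return alarm
        self.state = nxt
        return None

def analyze(trace, fifo_depth=4):
    """Filter a PDU trace down to its violations, each with the PDUs that preceded it."""
    follower = ProtocolFollower(fifo_depth)
    return [alarm for alarm in map(follower.feed, trace) if alarm is not None]

# Constructed capture: a clean handshake and data phase, then DATA after the FIN.
TRACE = [pdu(1, "SYN"), pdu(2, "SYN-ACK"), pdu(3, "ACK"), pdu(4, "DATA"), pdu(5, "DATA"),
         pdu(6, "FIN"), pdu(7, "ACK"), pdu(8, "DATA"), pdu(9, "FIN"), pdu(10, "ACK")]

if __name__ == "__main__":
    for alarm in analyze(TRACE):
        context = ", ".join(f"{p['seq']}:{p['type']}" for p in alarm["preceding"])
        print(f"violation at #{alarm['seq']} ({alarm['violation']['type']} in {alarm['state']}); "
              f"preceding: {context}")
```

Of the ten PDUs only the eighth is displayed, with the three that preceded it; the conforming traffic is filtered out exactly as the abstract describes.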
EP 0332286 A2 19890913 – Programmable protocol analyzer. The programmable protocol analyzer enables a user to specify (102-106) one or more fields (501-526) that are to be monitored (107-109) by the protocol analyzer and displayed (110-111) to the user. The specified fields (501-526) can be selected (103-104) from a menu of predefined fields (501-526) in the frame of data or can be user-defined fields (524) of arbitrary length and position in the frame (Frame) of data. The programmable protocol analyzer excerpts (107-109) these specified fields (501-526) from the transmitted frame (Frame) of data, stores the specified fields (501-526) in a memory and displays (110-111) the data contained in the specified fields (501-526) to the user. This programmable protocol analyzer thereby permits a user to monitor and display only the particular segments of the frame (Frame) of data that are of interest to the user. This arrangement filters out the extraneous information contained in the frame (Frame) of data in order that the user can concentrate on only the particular fields (501-526) that are most relevant to the test being performed by the user.
Enhancing visibility in a heterogeneous network A method for providing enhanced visibility in heterogeneous network. The method comprises receiving, at a networking device housing a cellular base station and a WLAN access point, cellular network traffic from an electronic device. The method further comprises receiving, at the networking device, WLAN traffic from the electronic device and encapsulating, at the networking device, the cellular network traffic and the WLAN traffic using a common protocol. The method further comprises transmitting the encapsulated cellular traffic and the encapsulated WLAN traffic to a controller.
Enforcing network service level agreements in a network element Enforcing network service level agreements in a network infrastructure element comprises receiving, at the network infrastructure element, an application-layer message comprising one or more of the packets; forwarding the application-layer message toward a destination endpoint and concurrently copying the application-layer message without disrupting the forwarding; using the copied application-layer message, discovering one or more applications or services that are using the network; using the copied application-layer message, identifying one or more network-layer condition metrics, and identifying one or more application-layer condition metrics; determining, based on the identified network-layer condition metrics and the application-layer condition metrics, whether one or more conditions of a service level agreement are violated; and in response to determining a violation, performing one or more responsive operations on one or more network elements.
Encrypted traffic analysis control mechanisms In one embodiment, a service monitors collection of telemetry data by a telemetry exporter in a network. The telemetry exporter collects the telemetry data from a plurality of interfaces via which a plurality of encrypted traffic flows flow. The telemetry exporter also sends the collected telemetry data to a traffic analysis service for analysis. The service determines that a cost associated with the collection of the telemetry data by the telemetry exporter exceeds a cost threshold. The service selects a subset of the interfaces from which telemetry data is to be captured by the telemetry exporter, based in part on a determination that the cost associated with the collection of the telemetry data exceeds the cost threshold. The service controls the telemetry exporter to collect telemetry data from a subset of the plurality of encrypted traffic flows that use the selected subset of interfaces.
Efficient network monitoring and control In one embodiment, a method for monitoring traffic associated with users in a network includes assigning a trust level to each of the users, monitoring traffic associated with each of the users, and analyzing the monitored traffic. A level of monitoring is based on the trust level of the user. A user’s trust level is modified if the analyzed traffic indicates that the user is operating outside of specified network usage parameters. An apparatus for monitoring traffic associated with users in a network is also disclosed.
Edge-based machine learning for encoding legitimate scanning In one embodiment, a device in a network receives an indication that a network anomaly detected by an anomaly detector of a first node in the network is associated with scanning activity in the network. The device receives labeled traffic data associated with the detected anomaly that identifies whether the traffic data is associated with legitimate or illegitimate scanning activity. The device trains a machine learning-based classifier using the labeled traffic data to distinguish between legitimate and illegitimate scanning activity in the network. The device deploys the trained classifier to the first node, to distinguish between legitimate and illegitimate scanning activity in the network.
Edge-based detection of new and unexpected flows In one embodiment, a device in a network identifies a new interaction between two or more nodes in the network. The device forms a feature vector using contextual information associated with the new interaction between the two or more nodes. The device causes generation of an anomaly detection model for new node interactions using the feature vector. The device uses the anomaly detection model to determine whether a particular node interaction in the network is anomalous.
Dynamic, broker-based virtual service platform (VSP) engagement for computer networks In one embodiment, a device in a network determines one or more network metrics regarding operation of the network. The device determines one or more policy constraints regarding the routing of network traffic through a virtual service platform (VSP). The device generates a VSP usage policy based on the one or more network metrics and on the one or more policy constraints. The VSP usage policy is operable to cause traffic in the network to be routed through a particular VSP that is selected based on the VSP usage policy. The device causes the VSP usage policy to be implemented in the network.
Dynamic network tuner for the automated correlation of networking device functionality and network-related performance A dynamic network tuner establishes fluid, continuous, and automatic correlation between the extent and/or degree of a networking device’s functionality, on the one hand, and the network-related performance (i.e., network data traffic and/or network application performance), on the other. The dynamic network tuner can be embodied as a discrete device ready for installation into a host network. Preferably, such (and like) tuner embodiments are integrated into a network to automatically correlate, according to user-predefined parameters, the network’s performance with the operation within the network of specifically-targeted, performance-altering networking devices, such as network security devices, or more preferably and particularly, intrusion prevention devices.
Dynamic encoding algorithms and inline message decryption In general, data exchanged between users is protected using any of various encoding approaches. An example of encoding is encryption, but any kind of encoding may be used. The data used to encrypt the data exchanged between the users, referred to as a
Dynamic device clustering using device profile information In one embodiment, a networking device in a network causes formation of device clusters of devices in the network. The devices in a particular cluster exhibit similar characteristics. The networking device receives feedback from a device identity service regarding the device clusters. The feedback is based in part on the device identity service probing the devices. The networking device adjusts the device clusters based on the feedback from the device identity service. The networking device performs anomaly detection in the network using the adjusted device clusters.
Dynamic deep packet inspection for anomaly detection In one embodiment, a device in a network captures a first set of packets based on first packet capture criterion. The captured first set of packets is provided for deep packet inspection and anomaly detection. The device receives a second packet capture criterion that differs from the first packet capture criterion. The device captures a second set of packets based on the second packet capture criterion. The device provides the captured second set of packets for deep packet inspection and anomaly detection. The anomaly detection of the captured first and second sets of packets is performed by a machine learning-based anomaly detector configured to generate anomaly detection results based in part on one or more traffic metrics gathered from the network and based further in part on deep packet inspection results of packets captured in the network.
Check Point Software Blade Architecture Achieving the right balance between security protection and investment Protecting networks against today’s constantly evolving threat environment has never been more challenging. Infrastructure, connectivity and performance requirements keep growing. New and varied threats are leading to more security vendors and point-products—including firewalls, intrusion prevention systems (IPS), Data Loss Prevention (DLP) and application control, just to name a few. All of this adds more and more complexity. Meanwhile, IT teams are under increasing pressure to reduce costs and complexity, and do more with existing hardware and resources. The combination of these challenges has led to ineffectual approaches that are increasingly inefficient, costly and unsustainable. As a result, organizations and IT teams are looking for an effective solution—one that is simpler, more flexible and easier to manage. This includes the freedom to add critical protection as needed, without worrying about performance, availability or forklift upgrades. It also means the ability to invest in security only as you need it, without having to introduce yet another security vendor and point appliance.
Check Point IPS Engine Architecture: New Technologies Provide a Robust Integrated Intrusion Prevention System Some organizations have a love-hate relationship with Intrusion Prevention System technology, and its older cousin, the Intrusion Detection System. On the one hand, IPS is vital for protecting against a deluge of application layer exploits. According to a Verizon Business report in 2008, hacking led to data breaches by a margin of almost two to one, and 39% of the attacks targeting the application service layer led to data compromise [1]. These attacks often evade the usual port/protocol defenses established by a firewall, so detection requires deep packet inspection with IPS. But when an organization uses in-line blocking deployment of IPS, too often the processing requirements prevent simultaneous use of other security functions. The dilemma of connectivity or security is now moot. The Open Performance Architecture technology from Check Point allows implementing as much integrated IPS functionality as required without system degradation. With the Security Gateway R70, organizations can now get fully-integrated IPS with new performance technologies infused in a next-generation inspection engine. Check Point is the first to exploit the performance capabilities of industry-standard multi-core processors for IPS. With the Security Gateway R70, intelligent load-balancing among cores enables fast, fully-integrated IPS functions in the industry’s leading firewall. This white paper describes how technologies in the new engine fulfill key user requirements. With Check Point IPS technologies, you can have confidence that your organization’s network will get top performance and full functionality without compromising on security.
Check and performance monitoring for applications and protocols using deep
ChangeLog for Changes to Snort Source Code Snort Source Code Change Log – Documenting changes from December 21, 1998 through May 6, 2004.
cflowd: Traffic Flow Analysis Tool cflowd is a flow analysis tool currently used for analyzing Cisco’s NetFlow enabled switching method. The current release (described below) includes the collections, storage, and basic analysis modules for cflowd and for arts++ libraries. This analysis package permits data collection and analysis by ISPs and network engineers in support of capacity planning, trends analysis, and characterization of workloads in a network service provider environment. Other areas where cflowd may prove useful include usage tracking for Web hosting, accounting and billing, network planning and analysis, network monitoring, developing user profiles, data warehousing and mining, as well as security-related investigations.
cflowd design html This document contains a description of the design and architecture of cflowd.
cflowd design This document contains a description of the design and architecture of cflowd.
cflowd configuration This is the cflowd system configuration guide for cflowd-2-1-a2.
cflowd cflowd is a flow analysis tool currently used for analyzing Cisco’s NetFlow enabled switching method. The current release (described below) includes the collections, storage, and basic analysis modules for cflowd and for arts++ libraries. This analysis package permits data collection and analysis by ISPs and network engineers in support of capacity planning, trends analysis, and characterization of workloads in a network service provider environment. Other areas where cflowd may prove useful include usage tracking for Web hosting, accounting and billing, network planning and analysis, network monitoring, developing user profiles, data warehousing and mining, as well as security-related investigations.
CBR Business Intelligence Magazine – ‘Vineyard unveils NAVL 2.7’ | Vineyard Networks
Cavium PACE Ecosystem Partners Announce Broad Support for New 100Gbps OCTEON/R/ III MIPS64/R/ Processor Family
Category-based data loss prevention for network-connected devices
CAIDA Network Tools Newest CAIDA tools: cflowd, version 2.0 of the cflowd software used in collecting/analyzing Cisco’s NetFlow output; cflowd v2.0 replaces the original version by developer Daniel McRobb when he was with ANS’ Engineering Group. Coral: flow monitoring software for OC3 and OC12 wires (other interfaces under development). MantaRay: Java-based interactive Mbone visualization. Mapnet: macroscopic Internet infrastructure visualization (geographically based). Otter: Java-based interactive topological visualization tool (more general purpose; has been used for Mbone, SNMP, and BGP data). Plankton: macroscopic NLANR cache hierarchy topology and workload visualization (both geographic and topological versions; integration/comparison mechanisms in progress). Skitter: measurement of forward IP paths from a source to many destinations, designed for infrastructure-wide round-trip-time and macroscopic routing stability measurement, analysis and visualization.
Cacheswitch 310 The Importance of Identifying all p2p Traffic The effectiveness of any P2P management solution is based upon its ability to identify all P2P traffic. If complete identification is not achieved any undetected P2P traffic will aggressively consume the majority of any initial bandwidth savings.
Cacheswitch 310 Manage the Impact, Mitigate the Cost and Maintain the End-User Experience of P2P OPTIMISED TO REDUCE P2P BANDWIDTH CONSUMPTION The Cachepliance product range has been specifically designed to reduce transit, access and last mile traffic volumes by dramatically reducing the amount of repetitive/duplicate P2P traffic traversing Service Provider networks.
CacheLogic : Streamsight Analysis Network : Programme Overview
Cacheswitch 310 • Isolate all P2P traffic, including applications employing stealth techniques, through deep packet inspection. • Provide load balancing and failover to multiple caches. • Provide complete transparency for caching. • Provide detailed statistics on P2P traffic and network usage.
Cachepliance Product Range OPTIMISED TO REDUCE P2P BANDWIDTH CONSUMPTION The Cachepliance product range has been specifically designed to reduce transit, access and last mile traffic volumes by dramatically reducing the amount of repetitive/duplicate P2P traffic traversing Service Provider networks.
CacheLogic : Understanding the Impact of P2P
CacheLogic : Research : Peer-to-Peer in 2005
CacheLogic : Products : P2P-Management
CacheLogic – Cacheswitch 310
CacheLogic – Advanced Solutions for Peer to Peer Networks
C – Internet Protocol Flow Information eXport Internet Protocol Flow Information eXport (IPFIX) is an effort to standardize flow export and has been proposed as an IETF Working Group. There are a number of IP flow export systems in common use. These systems differ significantly, even though some have adopted a common transport mechanism; such differences make it difficult to develop generalised flow analysis tools. As such, there is a need in industry and the Internet research community for IP devices such as routers to export flow information in a standard way to external systems such as mediation systems, accounting/billing systems, and network management systems to facilitate services such as measurement, accounting, and billing. An IP flow export system includes a data model, which represents the flow information, and a transport protocol. An “exporter,” which is typically an IP router or IP traffic measurement device, will employ the IP flow export system to report “IP flows,” these being series of related IP packets that have been either forwarded or dropped. The reported flow details will include both (1) those attributes derived from the IP packet headers such as source and destination address, protocol, and port number and (2) those attributes often known only to the exporter such as ingress and egress ports, IP (sub)net mask, autonomous system numbers and perhaps sub-IP-layer information. This group will select a protocol by which IP flow information can be transferred in a timely fashion from an “exporter” to a collection station or stations and define an architecture which employs it.
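As an added example (not cflowd or IETF code) of what the standardised export that the working group charter calls for looks like on the wire, the Python below builds and parses an IPFIX message in the RFC 7011 layout (16-byte message header, a template set describing the record layout, a data set of records) using IANA Information Element numbers. The template, the sample flows and the observation domain ID are constructed assumptions; enterprise-specific elements and options templates are deliberately left out.

```python
import socket
import struct

IPFIX_VERSION = 10
TEMPLATE_SET_ID = 2
TEMPLATE_ID = 256   # data sets whose Set ID is >= 256 are laid out by the template of that ID

# IANA IPFIX Information Elements used here: id -> (name, length in bytes, struct format)
IE = {
    8:  ("sourceIPv4Address", 4, "4s"),
    12: ("destinationIPv4Address", 4, "4s"),
    7:  ("sourceTransportPort", 2, "H"),
    11: ("destinationTransportPort", 2, "H"),
    4:  ("protocolIdentifier", 1, "B"),
    10: ("ingressInterface", 4, "I"),
    1:  ("octetDeltaCount", 8, "Q"),
    2:  ("packetDeltaCount", 8, "Q"),
}
TEMPLATE = [8, 12, 7, 11, 4, 10, 1, 2]   # field order of this example's single template

def _pack(ie, value):
    fmt = IE[ie][2]
    return struct.pack("!" + fmt, socket.inet_aton(value) if fmt == "4s" else value)

def _unpack(ie, raw):
    fmt = IE[ie][2]
    (value,) = struct.unpack("!" + fmt, raw)
    return socket.inet_ntoa(value) if fmt == "4s" else value

class Exporter:
    """Builds IPFIX messages: message header, then an optional template set and a data set."""

    def __init__(self, domain_id=1):
        self.domain_id = domain_id
        self.records_sent = 0   # IPFIX sequence number counts data records already exported

    def template_set(self):
        body = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE))
        body += b"".join(struct.pack("!HH", ie, IE[ie][1]) for ie in TEMPLATE)
        return struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(body)) + body

    def data_set(self, flows):
        body = b"".join(_pack(ie, f[IE[ie][0]]) for f in flows for ie in TEMPLATE)
        return struct.pack("!HH", TEMPLATE_ID, 4 + len(body)) + body

    def message(self, flows, export_time, include_template=True):
        sets = (self.template_set() if include_template else b"") + self.data_set(flows)
        header = struct.pack("!HHIII", IPFIX_VERSION, 16 + len(sets), export_time,
                             self.records_sent, self.domain_id)
        self.records_sent += len(flows)
        return header + sets

class Collector:
    """Parses IPFIX messages; templates are remembered per observation domain across messages."""

    def __init__(self):
        self.templates = {}   # (domain_id, template_id) -> [ie ids]

    def parse(self, data):
        version, length, export_time, seq, domain = struct.unpack("!HHIII", data[:16])
        if version != IPFIX_VERSION or length != len(data):
            raise ValueError("bad IPFIX message header")
        records, off = [], 16
        while off + 4 <= length:
            set_id, set_len = struct.unpack("!HH", data[off:off + 4])
            if set_len < 4 or off + set_len > length:
                raise ValueError("bad set length")
            payload = data[off + 4:off + set_len]
            if set_id == TEMPLATE_SET_ID:
                self._learn(domain, payload)
            elif set_id >= 256:
                records.extend(self._records(domain, set_id, payload))
            off += set_len   # options template sets (ID 3) and reserved IDs are skipped here
        return {"export_time": export_time, "sequence": seq, "domain": domain, "records": records}

    def _learn(self, domain, payload):
        off = 0
        while off + 4 <= len(payload):
            tid, count = struct.unpack("!HH", payload[off:off + 4])
            off += 4
            if count == 0:                        # field count 0 is a template withdrawal
                self.templates.pop((domain, tid), None)
                continue
            fields = []
            for _ in range(count):
                ie, ln = struct.unpack("!HH", payload[off:off + 4])
                off += 4
                if ie & 0x8000:
                    raise ValueError("enterprise-specific IEs not handled in this example")
                if ie not in IE or IE[ie][1] != ln:
                    raise ValueError(f"unknown or mis-sized IE {ie}")
                fields.append(ie)
            self.templates[(domain, tid)] = fields

    def _records(self, domain, tid, payload):
        fields = self.templates.get((domain, tid))
        if fields is None:
            raise ValueError(f"data set refers to unknown template {tid}")
        rec_len, out, off = sum(IE[ie][1] for ie in fields), [], 0
        while off + rec_len <= len(payload):      # trailing bytes shorter than a record are padding
            rec = {}
            for ie in fields:
                rec[IE[ie][0]] = _unpack(ie, payload[off:off + IE[ie][1]])
                off += IE[ie][1]
            out.append(rec)
        return out

# Constructed sample flows (documentation-range addresses).
FLOWS = [
    {"sourceIPv4Address": "192.0.2.10", "destinationIPv4Address": "198.51.100.5",
     "sourceTransportPort": 51514, "destinationTransportPort": 443, "protocolIdentifier": 6,
     "ingressInterface": 3, "octetDeltaCount": 18342, "packetDeltaCount": 27},
    {"sourceIPv4Address": "192.0.2.11", "destinationIPv4Address": "198.51.100.53",
     "sourceTransportPort": 40001, "destinationTransportPort": 53, "protocolIdentifier": 17,
     "ingressInterface": 3, "octetDeltaCount": 93, "packetDeltaCount": 1},
]

def roundtrip(flows, export_time=1700000000):
    return Collector().parse(Exporter(domain_id=7).message(flows, export_time))
```

Two points worth noticing for anyone writing a collector: a data set is undecodable until the matching template has been seen for that observation domain (a fresh collector must reject it rather than guess), and the sequence number counts records rather than messages, which is what lets a collector detect lost exports.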
Bypassing a load balancer in a return path of network traffic
BYPASS realizing method, equipment and system
Building High-performance Deep Packet Inspection Platforms with Netronome and Procera Networks Procera and Netronome have partnered to deliver the industry’s most flexible and highest-performance platform solutions for next generation Deep Packet Inspection /DPI/ and network flow processing. This integrated solution combines the unparalleled application recognition and metadata extraction capabilities of Procera Networks NAVL DPI engine with the ultra-high performance and functionality of Netronome’s Flow Processors, Network Flow Engine /NFE/ acceleration cards and 1U/2U appliance reference platforms. Together, this represents an industry leading OEM platform for building and delivering next generation network infrastructure solutions that recognize and identify thousands of today’s most popular applications at real time speeds up to 100 Gbps.
Botnet beacon detection
Blue Coat PacketShaper- WAN Application Optimization Solutions WAN Application Optimization Solutions Successful distributed enterprises depend on collaborative, customer-critical applications to run their business. They can’t afford “operational paralysis” due to rigid networks that aren’t able to support these applications. The Blue Coat PacketShaper® is an intelligent overlay that bridges the gap between the network and applications, delivering integrated visibility, control, compression and acceleration in a single device, ensuring optimal application performance and a great user experience.
Blue Coat PacketShaper Monitoring Module Features
Blue Coat PacketShaper Monitoring Module Get an accurate picture of network traffic. Blue Coat’s Monitoring Module provides deep insight into application traffic, making it easy to identify and measure all traffic types: mission-critical, recreational and miscellaneous. Track, troubleshoot and manage all networked application environments.
Blue Coat PacketShaper Components Build the perfect PacketShaper to match your organization’s goals and needs. Designed as a scalable, flexible platform, PacketShaper can be easily configured for additional functionality with a flexible array of turnkey modules, hardware and software enhancements.
Blue Coat PacketShaper Blue Coat PacketShaper solutions provide visibility and control over network traffic to improve application monitoring and performance for any user, anywhere, across the networks of distributed enterprises.
Blue Coat Managing Encrypted Traffic with Blue Coat Solutions The use of Secure Sockets Layer /SSL/ or Transport Layer Security /TLS/ encryption for Internet and enterprise traffic is growing steadily. Modern applications that use SSL communications by default – such as SharePoint, Exchange, WebEx, Salesforce.com and Google Apps – are commonplace and rapidly growing. Even hosted and mobile email applications such as Gmail, Yahoo and Zimbra utilize SSL encryption by default in today’s workplace environments. It’s clear that enterprise organizations now need complete visibility into encrypted SSL-based traffic. A holistic encrypted traffic management strategy that considers the various division needs, policies to be established, regulatory compliance requirements, and data privacy mandates is essential for all federal agencies. Blue Coat has solutions today to manage this growing encrypted traffic dilemma.
Blue Coat and Packeteer Support Information Posted June 9th, 2008 by bcsAdmin On 6 June the acquisition of Packeteer by Blue Coat was completed.
Blue Coat – PacketShaper – Assuring Performance of Applications over the WAN and Internet
Blue Coat – New PacketShaper Drives Performance up to 8 Gbps and Introduces Visibility and Control of IPv6 “Shadow Networks”
Blue Coat – New Blue Coat PacketShaper Software Advances Network Application Visibility and Control
Blue Coat – Blue Coat Updates PacketShaper Visibility and Management for Latest Versions of Popular Chinese Applications
Blue Coat – Blue Coat Updates PacketShaper Visibility and Management for Latest Versions of Popular Chinese Applications Blue Coat Systems, Inc. /Nasdaq: BCSI/, a leading provider of Web security and WAN optimization solutions, today announced new software plug-ins that update the capabilities of its cloud-connected Blue Coat® PacketShaper® appliance to discover, monitor, assess and control the traffic from the latest versions of popular Chinese and Asian applications.
Bivio OEM Networking Platform Unmatched Flexibility, Uncompromising Performance Today’s networking applications require network appliances to accomplish gigabit line rate throughput while allowing deep packet processing by the application layer and consolidation of multiple applications on the same system. Neither general-purpose server platforms nor specialized ASIC-based systems provide the performance and flexibility to be the foundation of a scalable, adaptable, and modular hardware platform that provides customers superior cost-performance, investment protection, and flexible upgrade paths.
Bivio Networks Named a Red Herring Global 100 Winner
Bivio 7000 Series 10 Gigabit Deep Packet Processing The Bivio 7000 Series of Network Appliance Platforms is a family of compact, extremely high-performance, and fully programmable network appliances that combine a unique packet processing hardware architecture with a software platform that includes a standard Linux-based execution environment and a comprehensive set of networking features. Designed specifically to provide wire speed deep packet processing, the Bivio 7000 Series architecture fuses Network Processing components with Application Processing CPUs to deliver uncompromising performance and unmatched flexibility. The platform family includes two main product groups that provide performance optimized features to deliver true line rate packet processing from 3 Gbps through 10 Gbps throughput.
BIVIO NETWORKS ANNOUNCES NEXT GENERATION OF PROGRAMMABLE DEEP PACKET INSPECTION NETWORK APPLIANCE PLATFORMS
Bivio 7000 Series | Cyber Security Application Platforms | Bivio Networks The Bivio 7000 Series of Bivio’s DPI Application Platform family are high-performance and fully programmable, multi-application network appliances that combine a unique packet processing hardware architecture with a software platform that includes a standard Linux-based execution environment and a comprehensive set of networking features. Designed specifically to provide wire speed deep packet processing at speeds up to 10 Gbps, the Bivio 7000 Series architecture fuses Network Processing components with Application Processing CPUs to deliver uncompromising performance and unmatched flexibility. The Bivio 7000 Series includes two main product configurations that provide performance optimized features to deliver true line rate packet processing from 4 Gbps to more than 10 Gbps throughput using seamless scaling technology.
Bivio 7000 10 Gigabit Programmable Network Appliance Platforms | Bivio Networks
Bivio 6500 Datasheet The Bivio 6500 Custom Programmable Network Appliance Platform delivers an advanced packet processing architecture in a cost-effective, modular chassis suitable for a wide range of high-performance content-aware networking solutions. Central to the Bivio 6500 design is the RMI XLR™ Processor that implements 4-way multithreading on up to eight MIPS64® -compatible cores for a total of 32 threads or virtual CPUs in a single platform. With multiple threads, the XLR processor can efficiently manage tasks by processing additional data on available threads when a thread is occupied. This technology significantly reduces internal cache and memory latencies to dramatically improve overall system throughput. In addition, for more compute-intensive applications, a single core can be programmed to dedicate all processing resources to a single, focused task.
Bivio 6500 Custom Programmable Network Appliance Platforms | Bivio Networks The Bivio 6500 Custom Programmable Network Appliance Platform delivers an advanced packet processing architecture in a cost-effective, modular chassis suitable for a wide range of high-performance content-aware networking solutions. Central to the Bivio 6500 design is the RMI XLR™ Processor that implements 4-way multithreading on up to eight MIPS64®-compatible cores for a total of 32 threads or virtual CPUs in a single platform. With multiple threads, the XLR processor can efficiently manage tasks by processing additional data on available threads when a thread is occupied. This technology significantly reduces internal cache and memory latencies to dramatically improve overall system throughput. In addition, for more compute-intensive applications, a single core can be programmed to dedicate all processing resources to a single, focused task.
Bivio 6310 Series The Bivio 6310 Series is a family of compact, high-performance packet processing systems that are ideal host platforms for a wide range of Network Security, Cyber Intelligence, Active Cyber Defense and other Deep Packet Inspection /DPI/ applications. The platforms are optimized for packet processing through a field-proven architecture that features multicore Intel® processors and a robust Linux application environment.
Bivio 7000 Series Network Appliance Platforms
Beyond DPI: Network Intelligence in Telecoms Qosmos provides DPI and Network Intelligence /NI/ components for network equipment providers and network solution vendors who need ready to use, high performance, real-time network data mining and packet management. By delivering a pre-developed capability to see inside network flows, Qosmos offers a valuable strategic option to avoid the upfront costs, delays and associated business risks of in-house development of complex technology.
Beyond DPI: Network Intelligence for Revenue Assurance xDR collection from the most reliable data source: network traffic Qosmos provides DPI and Network Intelligence /NI/ components for revenue assurance solution vendors who require ready to use, high performance, real-time network data collection. By delivering a complementary source of information directly from the network, Qosmos enables more accurate usage reconciliation and billing verification. Available as Deep Packet Inspection /DPI/ building blocks with a pre-developed capability to see inside network flows and deliver xDRs, Qosmos offers a valuable strategic option to avoid the upfront costs, time to market delay and associated business risks of in-house development.
Beyond DPI: Network Intelligence for Charging & Billing xDR collection from the most reliable data source: network traffic Qosmos provides DPI and Network Intelligence /NI/ components for charging and billing solution vendors who need ready to use, high performance, real-time network data collection. By delivering a pre-developed capability to see inside network flows and deliver xDRs, Qosmos offers a valuable strategic option to avoid the upfront costs, delays and associated business risks of in-house development.
Become an ICS Jedi; Learning the FORCE of Deep Packet Inspection…. and beyond SCADAguardian Monitoring and Assessing Industrial Control Systems • Automates real-time modeling of ICS and its process • Rapidly detects cybersecurity & operational anomalies • Delivers insights that protect reliability and save time • Reduces troubleshooting and remediation efforts • Preempts corrective maintenance • Deploys easily and safely with no network impacts • Rapid Deep Packet Inspection of industrial protocols
Bandwidth Quota Monitor Know exactly who is using bandwidth on your network. Keep bandwidth hogs under control with daily and weekly quotas. The bandwidth challenge Availability of high-speed Internet access is taken for granted by users in large networks these days. Bandwidth is expensive and demand is insatiable, so the network manager must deal with the challenge of keeping costs under control while at the same time managing bandwidth and allocating it fairly.
Bandwidth monitoring | NetFort Technologies
Bandwidth Management Solutions for Network Operators
Bandwidth Bank Data Sheet
Bandwidth Bank Volume/Usage Control In order to have profitable business models, our networks should be oversubscribed. We profile our users and purchase sufficient bandwidth to ensure the required performance for the statistical mix of users and applications at a given time of day. Our experience with hundreds of large and small networks has shown us that five percent of the users consume forty percent of the available incoming bandwidth and twenty-five percent of the outgoing bandwidth. Add more bandwidth and usage expands like a gas to consume all that’s available. Existing bandwidth management products may be used to limit real-time bandwidth consumption by these heavy users, but do nothing to control aggregate bandwidth usage. Heavy users impact network quality not only via high real-time consumption, but also by the total volume of bandwidth used. By setting policies that apply to a small /5%/ percentage of the users, Network Justice Bandwidth Bank can substantially increase the capacity of your network and reduce your WAN costs.
Automatic semantic modeling of system events
Automatic provisioning of new users of interest for capture on a communication …
Automated L2-L7 Network and Application Services with Juniper and Avi Networks Organizations understand the benefits of web-scale and cloud-native architectures such as flexibility, agility, speed, automation, elastic scale, and cost effectiveness. While they can achieve these benefits for application deployments, legacy networking and application services solutions prevent them from realizing end-to-end benefits for the infrastructure stack. Furthermore, the emergence of private, public, and hybrid cloud deployments and heterogeneous environments /bare-metal servers, virtual machines, containers/ requires a next-generation solution architected for software-defined environments.
Attribute enhancement for handling network packet traffic between micro …
Assuring Quality Performance and Availability of Healthcare Services | NETSCOUT
ARUBAOS The Operating System Designed with Scalable Performance- Datasheet ArubaOS is the operating system and application engine for all Aruba Mobility Controllers and controller-managed wireless LAN /WLAN/ access devices. Designed for scalable performance, ArubaOS consists of three core components. First, a hardened, multicore, multithreaded supervisory kernel manages administration, authentication, logging and other system operation functions. This control plane is distinctly separate from the packet forwarding components to ensure continuous availability. Second, an embedded real-time operating system powers dedicated packet-processing hardware. This highly parallel architecture includes support for high-performance deep packet inspection of every connection that traverses the controller, and implements all routing, switching and firewall functions. Third, a programmable encryption/decryption engine built on dedicated hardware delivers client-to-core encryption for wireless user data traffic and software VPN clients. ArubaOS comes with an extensive set of integrated technologies and capabilities:
ARUBA ORCHESTRATOR GLOBAL ENTERPRISE Aruba Orchestrator Global Enterprise is a secure, cloud-hosted SaaS application that enables enterprises to centrally manage and monitor multiple Aruba EdgeConnect SD-WAN fabrics.
Aruba and Cynerio Integration: Transforming Healthcare IoT Security with a Clinical NAC The Healthcare IoT Footprint Patients have more control over their data and treatment plans than ever, thanks to connected medical and IoT devices. These devices have transformed the healthcare industry and provided greater accessibility to treatment for patients and streamlined workflows for healthcare professionals, but they have also broadened the attack surface and exposed healthcare facilities to myriad threat actors and cyber exploitation.
Architecture of a Network Monitor This paper describes a system for simultaneously monitoring multiple protocols. It performs full line-rate capture and implements on-line analysis and compression to record interesting data without loss of information. We accept that the balance must be maintained in such a system between disk bandwidth, CPU capacity and data reduction in order to perform monitoring at full line rate. We present the architecture in detail and measure the performance of our sample implementation, Nprobe.
Arbor Networks, Inc. Peakflow SP /DoS & Traffic/ Peakflow™ SP, with new features that improve mitigation, reporting and real-time response, protects networks from a broad spectrum of security and operational threats. Peakflow SP is comprised of Peakflow DoS, which proactively detects and mitigates network-wide anomalies, and Peakflow Traffic, which offers insight into traffic and routing patterns across the entire network. Built upon the Peakflow Platform, Peakflow SP enables network operators to maintain constant availability while bolstering security and streamlining operations.
Arbor Networks – The Peakflow Platform Arbor’s availability solutions, Peakflow DoS and Peakflow Traffic, are built upon the Peakflow Platform, a distributed dynamic network profiling and anomaly detection system. By looking at network flows, Peakflow gains an understanding of what is normal in the network. When traffic deviates from this dynamically established norm, Peakflow identifies the anomalous event, classifies its severity and alerts the network operator in real-time, providing recommendations for resolving the threat.
Arbor Networks – Peakflow Traffic for Enterprises Leveraging the Peakflow Platform, Peakflow Traffic provides a distributed view of network-wide traffic and routing. Peakflow Traffic is unprecedented in its use of traffic and routing data to protect the availability of your overall infrastructure, helping you understand and visualize these threats, whether they stem from an attack, misconfiguration, or the longer-term impact of changes in your network utilization.
Arbor eSeries: Deep Packet Inspection /DPI/ | Arbor Networks
Arbor Networks – Peakflow for the Enterprise – Data Sheet As your network has grown in complexity, so too have the threats to its availability. Among the challenges you face are distributed denial of service attacks, worms and next-generation network attacks. How do you protect your network from distributed attacks that overwhelm edge security devices like firewalls and intrusion detection systems? How do you detect threats in the core of the network or the routing infrastructure, halting them before they bring down your network? How do you address threats you’ve not seen before–a new worm or a new type of denial of service attack /DoS/? How do you identify the changes in your network that precipitate drops in performance? These challenges demand a different class of solution that protects the network itself, not just the network perimeter. An effective solution requires an understanding of your network’s normal traffic and routing so that anomalous activity can be identified and countered.
Arbor Networks – Peakflow DoS for Enterprises Leveraging the Peakflow Platform, Peakflow DoS flags anomalies, such as denial of service attacks and network worm propagation, by comparing them against a dynamically established baseline of normal network traffic.
Arbor Networks – Arbor Ellacoya eSeries – DPI-Based Technology
Arbor e100 The Arbor Networks e100 /“e100”/ is a carrier-class 20 Gbps solution for broadband service optimization. Based on deep packet inspection /DPI/ technology, the e100 enables service providers to dramatically increase the return on network investments by managing traffic at both the subscriber and application level to prioritize network activity, enforce policies and develop new service plans.
AppScout AppScout application flow monitor is a web-based, real-time reporting solution that verifies delivered performance against application service level agreements by tracking application flows and application response times.
Applications that Blue Coat PacketShaper Classifies and Controls
Application/context-based management of virtual networks using customizable …
Application Session Filtering Feature Brief Challenges with Traffic Complexity in Enterprise and Service Providers Security and monitoring appliances look at session and application layer data for patterns, also called signatures. They search for these patterns across huge volumes of real world traffic. This process is extremely cumbersome, as every packet would need to be searched for hundreds, and sometimes thousands, of patterns. There is a need for the ability to extract relevant flows of interest that match specific patterns or applications and forward them to tools that need this data. An email security appliance may only be interested in email traffic, and, even more specifically, email traffic with suspicious links and attachments. Likewise, with significant volumes of enterprise traffic being voice or video, it may be prudent to prevent sending them to certain security and monitoring appliances. What is needed is a methodology to extract specific flows belonging to an application or a pattern of interest and forward them to appliances that are looking for that data.
Application Response Measurement 2.0 API Guide
Application Management Probe /AMP/ AMP enables any SNMP-capable Network Management system to collect and view information about which applications /even non-IP applications!/ are running when, where they go, and what kind of networking performance they see. Specifically, AMP provides data from our application management MIB which contains the following: For each user – Summary Stats – For each application –Summary Stats –For each address —Summary Stats —Hourly breakdown —-Summary Stats For each application -Summary Stats -For each application –Summary Stats –For each address —Summary Stats —Hourly breakdown —-Summary Stats Where Summary Stats consist of: Number of flows Duration of flows Bytes Received Bytes Sent Avg Transfer Rate Worst Transfer Rate Best Transfer Rate Standalone AMP acts as a network probe and collects the same information as AMP /with less granularity on classifying applications and users/. Standalone AMP can collect information from any type of host using any protocol.
Application Notes for the Packeteer PacketShaper with Avaya SIP IP Telephony – Issue 1.0
Application Filtering Intelligence Feature Brief It’s a constant dilemma for NetOps and SecOps teams: You need insight into the application traffic running on your network so you can better manage and monitor your infrastructure, but getting Layer 7 visibility can be extremely difficult. Typically, NetOps teams will take an ad hoc approach to gain application visibility and control, such as hardwiring applications to specific ports or writing regex rules that can identify individual applications.
Application Classifier Engine Deterministic’s Application Classifier Engine is the first piece of the overall Policy Solution /see Order out of Chaos: The Policy Solution/. It is host-based /client and/or server/ software which delivers application and user specific information to policy servers, network management systems, and infrastructure devices. Policy Servers can use the statistical information to make good policy decisions. Network Management systems can actually track individual application network usage. Infrastructure devices can use ACE to identify and classify traffic based on application/port mapping and UserID. ACE is actually a plugin to our patented Extensible Service ProviderTM /ESP/. The ACE plugin tracks application usage, port assignments, USERIDs and associated IP addresses of client applications which access servers, traffic, connections – attempts and successes, duration of applications, and more. For demo purposes we have the free downloadable ACE Viewer which shows realtime classification of application sessions. As an example, we can identify the user and associated IP address and dynamically /or static/ assigned port for any application. This can be done on the client, or on a server. That is, we can identify clients /and associated UserIDs, IP addresses and port assignments/ which contact the server. We have also designed ACE to be flexible in delivery of the information to external systems. In addition to an SNMP MIB which shows both realtime and historical information about when applications are run, where they connect, bandwidth, ports, etc., we have a COM/DCOM API available which enables local and remote applications to request information from and control Extensible Service ProviderTM /ESP/ plugins. For example, one customer has used this API to build a traffic and destination-based billing system: they charge users by how much traffic is sent/received from specific sites. 
ACE enables infrastructure devices to classify traffic based on application/port mapping and UserID. Network Management Systems can use ACE to get user/application/URL performance information and histories. Policy Servers use ACE to decide where to apply specific policies and to classify traffic for routers, security devices, and bandwidth control boxes.
Application Awareness | Application Visualization | Gigamon
Application Aware Metadata Datasheet Key Features Figure 1. Application Metadata Intelligence extracts metadata elements for use by ecosystem solutions such as SIEM and performance monitoring tools • Over 7,000 protocol, application and user behavior L4-7 attributes spanning 3,000 apps • Dozens of elements for apps such as Facebook and protocols including DNS, FTS, IMAP and SIP • Identify specific users and link actions such as client login and subsequent file usage by application • Provides metadata export capability for tunneling protocols such as GTP to address mobile carriers • Integration with Gigamon App Visualization, App Filtering and Fabric Manager solutions • Supported by connectors for SIEM tools-Splunk and QRadar and out-of-box by other Gigamon partners
Apparatus and method for utilizing fourier transforms to characterize network …
Apparatus and method for transmitting contents on a relay node between sending …
Apparatus and method for reconstructing transmitted file in real time for …
Apparatus and Method for Random Database Sampling with Repeatable Results
Apparatus and method for preventing network attacks, and packet transmission …
Apparatus and method for performing real-time network antivirus function
Apparatus and method for parallel processing flow based data
Apparatus and method for dynamically processing packets having various …
Apparatus and method for decryption of secure communication sessions
Apparatus and method for configuring service function path of service function …
Analytics Network Analytics solutions depend on data from Layer 7 DPI engines such as Procera’s Network Application Visibility Library /NAVL/ to provide insight into user behavior and traffic patterns on the network at certain times of day, week month or year. They can be used to help telco providers and IT managers better understand who is going to what web sites and using which applications when. This helps ensure proper alignment of network resources with business priorities and ensure high quality experience for all users.
Layer 7 Identity Management for Lawful Interception: ixDPI Information eXtraction through Deep Packet Inspection How do you accurately identify targets across multiple applications, multiple physical locations, multiple terminals and multiple identities?
Analyzing Complex Web Environments- Silk Stream Corporation
Analysis of historical network traffic to identify network vulnerabilities
An Introduction To EcoNET
Allot Unveils Industry’s First DPI-based Service Gateway Supporting Two 10 Gigabit Ethernet Links -Press Releases-Allot
Allot Named DPI Pure-Player Market Leader-Press Releases-Allot Communications
Allot Launches Service Gateway Sigma: Network Intelligence Supercharged for Mobile Broadband & Next Generation Networks at 40Gbps-Press Releases-Allot
Allot Deploys DPI Solution at Two Tier 1 Mobile Operators to Deliver Value-Added and Tiered Service Packages-Press Releases-Allot
All PacketShaper® Models WAN Application Optimization Solutions
AiroPeek™ wireless protocol analysis software
AiroPeek™ AiroPeek NX™ Version 2.0.2 Technical Specifications
AiroPeek- Wireless Protocol Analyzer
AiroPeek SE/NX Version 3.1 Technical Specification
AiroPeek NX™ Expert Wireless LAN Network Analyzer
AiroPeek NX and Wireless Security: Identifying and Locating Rogue Access Points
AG Group – products/etherpeek/details
AiroPeek and Wireless Security: 802.11 Security Audits
AG Group EtherPeek-Peeking through your Windows- Software protocol analyzer moves overfrom Macintosh
Advertising service control apparatus and method thereof
Advantage, Network Metadata How to Enhance Efficiency in Incident Investigations Without PCAP Cybersecurity teams need to investigate and validate data pertaining to security incidents • Though complete, packet capture /PCAP/ is inefficient and resource intensive • By reducing the dataset and extracting only important information, metadata increases efficiencies in the response/investigation/validation cycle
Advanced Threat Defense with Aruba SD-Branch- Protecting the branch from today’s evolving threats- technical brief As Gartner and other analysts have noted is a top concern for enterprises implementing WAN and SD-WAN solutions. It’s a critical requirement to ensure continued network operations for IT staff responsible for managing multiple, geographically distributed locations. And as enterprises increasingly connect to the internet from branch offices, the requirements expand to include inspection such as intrusion detection and prevention /IDS/IPS/, anti-virus, and anti-malware built into the gateway.
Advanced Network Traffic Analysis /NTA/ Tools by Rapid7
Advanced Firewall Manager /AFM/
Addressing Emerging Threats and Targeted Attacks with IBM Security Network Protection Examination of evolving security threats including malicious applications and network activity Introduction of the IBM Security Network Protection system components and deployment architecture Presentation of a typical client scenario with a solution that meets the challenge
Adax and Vineyard Networks Announce DPI Partnership Adax, /www.adax.com/ an industry leader in high-performance packet-processing, security and network infrastructure hardware, is pleased to announce its close working partnership with Vineyard Networks /www.vineyardnetworks.com/. Vineyard is a global leader in next-generation Deep Packet Inspection software solutions. Together Adax and Vineyard deliver a combination that easily integrates into OEM and VAS solutions for Policy Control and Traffic Shaping, Optimization and Redirection.
Addendum to PacketShaper Reference Guide
Adaptive monitoring of telecommunications networks
Adaptive cpu usage mechanism for networking system in a virtual environment
Achieving Security and Compliance using Avi Vantage Security breaches are on the rise. Verizon Data Breach Investigations in 2017 and 2018 /see Figure 1/ show that web application attacks are the most prevalent breaches, but web application security, especially as web applications are increasingly deployed outside of traditional on-premise environments, is lagging.
ACE Viewer The ACE Viewer demo application shows you a sample of the real-time and historical information we gather and can provide for Network or Policy Management, Classification of Traffic, or networked applications, like traffic-based billing. The ACE Viewer monitors bandwidth usage and connection parameters for network applications on Windows XP, 2000, Millennium, NT, 98, and 95 systems. ACE Viewer displays a bar graph containing send, receive, and peak bandwidth for each network application on your system. Additionally, a table of connection parameters is displayed for each network application including: Local host address; Local User ID; Remote host address and port contacted by the application; Total bytes sent by the application; Total bytes received by the application; Instantaneous transfer rate achieved by the application.
Access Point System Reference Guide Defining Profile Application Visibility Settings About this task DPI /Deep packet inspection/ is an advanced packet filtering technique functioning at the application layer. Use DPI to find, identify, classify, reroute or block packets containing specific data or codes that other packet filtering techniques /examining only packet headers/ cannot detect.
Accelerating Throughput for PacketShaper and AppCelera Products White Paper
About the Optimal Internet Monitor
About OpenView PolicyXpert Vision Provide a policy-based, network management solution that delivers on Service-Level Agreements through standardized configuration and control of a heterogeneous network environment. OV PolicyXpert 1.0 Control Quality of Service through the deployment of policies defined on the basis of application, protocol, source/destination address, time of day, etc. Configure key network resources in order to implement /enforce/ the QoS policies defined by the administrator. Provide – an easy-to-use policy console, – a scalable policy management infrastructure, policy agents and – an Agent SDK to enable partners to develop additional agents.
A Traffic Identification Method and Evaluations for a Pure P2P Application Pure P2P applications are widely used nowadays as file sharing systems. In these overlay networks, music and video files are the main items exchanged, and it is known that the traffic volume is much larger than that of classical client/server applications. However, the current status of P2P application traffic is not well known because of their anonymous communication architectures. In particular, where the application does not use its default service port and both the communication route and the shared file are encrypted, identifying the traffic has not been feasible. To solve this problem, we have developed an identification method for pure peer-to-peer applications, especially for the traffic of Winny, the most popular peer-to-peer application in Japan, by using the server/client relationships among the peers. We give some evaluation results for our proposed identification method.
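The abstract above says the method relies on server/client relationships among peers rather than on ports or payload. The following block is an added example, not the paper's code, and implements one reading of that idea as an assumption: a host that accepts connections from several distinct peers and also initiates connections to several other peers, on ports outside the well-known range, is flagged as a pure P2P candidate. The flow records and the port list are constructed sample data.

```python
"""Peer-role heuristic over flow records (added example, constructed data).

Assumption: a host acting as both TCP server and TCP client towards many
distinct counterparts on non-standard ports is a P2P candidate; an ordinary
web client only initiates, an ordinary web server only accepts.
"""
from collections import defaultdict

# Constructed flow records: (client_ip, client_port, server_ip, server_port).
# "client" is the side that sent the SYN.
FLOWS = [
    # 10.0.0.5 behaves like a peer: it both serves and connects, on high ports.
    ("10.0.0.5", 51001, "192.0.2.10", 7743),
    ("10.0.0.5", 51002, "192.0.2.11", 9911),
    ("10.0.0.5", 51003, "192.0.2.12", 6060),
    ("198.51.100.7", 40001, "10.0.0.5", 7744),
    ("198.51.100.8", 40002, "10.0.0.5", 7744),
    ("198.51.100.9", 40003, "10.0.0.5", 7744),
    # 10.0.0.9 is an ordinary web client: outgoing flows to port 443 only.
    ("10.0.0.9", 52001, "203.0.113.1", 443),
    ("10.0.0.9", 52002, "203.0.113.2", 443),
    ("10.0.0.9", 52003, "203.0.113.3", 443),
    # 10.0.0.20 is a web server: only accepts, on a well-known port.
    ("198.51.100.20", 41000, "10.0.0.20", 80),
    ("198.51.100.21", 41001, "10.0.0.20", 80),
]

# Assumed set of "well-known" service ports used to exclude ordinary servers.
WELL_KNOWN_PORTS = {20, 21, 22, 25, 53, 80, 110, 143, 443, 993, 995}


def host_roles(flows):
    """Per host: which peers it served, which peers it connected to, and
    the server ports it accepted on."""
    roles = defaultdict(lambda: {"served": set(), "connected": set(), "ports": set()})
    for c_ip, _c_port, s_ip, s_port in flows:
        roles[c_ip]["connected"].add(s_ip)
        roles[s_ip]["served"].add(c_ip)
        roles[s_ip]["ports"].add(s_port)
    return roles


def p2p_candidates(flows, min_peers=2):
    """Hosts that both serve and connect to at least min_peers distinct peers
    and accept only on ports outside WELL_KNOWN_PORTS (assumed heuristic)."""
    out = []
    for host, r in host_roles(flows).items():
        both_roles = len(r["served"]) >= min_peers and len(r["connected"]) >= min_peers
        odd_ports = bool(r["ports"]) and not (r["ports"] & WELL_KNOWN_PORTS)
        if both_roles and odd_ports:
            out.append(host)
    return sorted(out)


if __name__ == "__main__":
    print(p2p_candidates(FLOWS))
```

Tuning min_peers and the port exclusion set is where false positives live: a host that is both a mail relay and a mail client, for example, serves and connects but does so on well-known ports, which is why the port check is kept.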
A system and method for network incident identification, congestion detection, …
A Survey on Internet Traffic Identification The area of Internet traffic measurement has advanced enormously over the last couple of years. This was mostly due to the increase in network access speeds, the appearance of bandwidth-hungry applications, the ISPs’ increased interest in precise user traffic profile information, and also a response to the enormous growth in the number of connected users. These changes greatly affected the work of Internet service providers and network administrators, who have to deal with increasing resource demands and abrupt traffic changes brought by new applications. This survey explains the main techniques and problems known in the field of IP traffic analysis and focuses on application detection. First, it separates traffic analysis into packet-based and flow-based categories and details the advantages and problems of each approach. Second, this work cites the techniques for traffic analysis available in the literature, along with the analysis performed by the authors. Relevant techniques include signature matching, sampling and inference. Third, this work shows the trends in application classification analysis and presents important and recent references on the subject. Lastly, this survey draws the readers’ interest to open research topics in the area of traffic analysis and application detection and makes some final remarks.
A survey of techniques for internet traffic classification using machine learning The research community has begun looking for IP traffic classification techniques that do not rely on ‘well known’ TCP or UDP port numbers, or on interpreting the contents of packet payloads. New work is emerging on the use of statistical traffic characteristics to assist in the identification and classification process. This survey paper looks at emerging research into the application of Machine Learning (ML) techniques to IP traffic classification, an interdisciplinary blend of IP networking and data mining techniques. We provide context and motivation for the application of ML techniques to IP traffic classification, and review 18 significant works that cover the dominant period from 2004 to early 2007. These works are categorized and reviewed according to their choice of ML strategies and primary contributions to the literature. We also discuss a number of key requirements for the employment of ML-based traffic classifiers in operational IP networks, and qualitatively critique the extent to which the reviewed works meet these requirements. Open issues and challenges in the field are also discussed.
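The two surveys above describe classification from statistical traffic characteristics instead of port numbers or payload content. The block below is an added example, not code from either survey or from any of the works they review: it computes four per-flow features (mean packet size, packet size spread, mean inter-arrival time, fraction of client-to-server packets) and classifies new flows with a nearest-centroid rule in z-scored feature space. The nearest-centroid rule, the feature set and all packets and labels are assumptions chosen for illustration; the surveyed papers use a range of ML methods on richer features.

```python
"""Port- and payload-agnostic flow classification (added example, constructed data).

A flow is a list of (timestamp_seconds, size_bytes, direction) where
direction +1 is client->server and -1 is server->client.
"""
import math
from statistics import mean, pstdev

# Constructed, labelled training flows: bulk transfers are dominated by large
# server->client packets at tiny gaps; interactive sessions are small packets
# in both directions with human-scale gaps.
TRAINING = {
    "bulk_download": [
        [(0.00, 1460, -1), (0.01, 1460, -1), (0.02, 1460, -1), (0.03, 52, 1), (0.04, 1460, -1)],
        [(0.00, 1400, -1), (0.02, 1400, -1), (0.03, 64, 1), (0.05, 1400, -1), (0.06, 1400, -1)],
    ],
    "interactive": [
        [(0.0, 60, 1), (0.5, 80, -1), (1.1, 58, 1), (1.7, 90, -1), (2.2, 62, 1)],
        [(0.0, 70, 1), (0.4, 75, -1), (0.9, 66, 1), (1.5, 85, -1), (2.0, 64, 1)],
    ],
}


def features(packets):
    """Four statistical features; no port or payload is consulted."""
    sizes = [s for _, s, _ in packets]
    times = [t for t, _, _ in packets]
    iats = [b - a for a, b in zip(times, times[1:])] or [0.0]
    upstream = sum(1 for _, _, d in packets if d > 0)
    return (mean(sizes), pstdev(sizes), mean(iats), upstream / len(packets))


class NearestCentroid:
    """Z-score each feature over the training set (so byte counts do not
    swamp ratios), then assign a flow to the closest class centroid."""

    def __init__(self, training):
        labelled = [(label, features(f)) for label, flows in training.items() for f in flows]
        columns = list(zip(*[v for _, v in labelled]))
        self.mu = [mean(c) for c in columns]
        self.sd = [pstdev(c) or 1.0 for c in columns]   # guard a constant feature
        self.centroids = {}
        for label in training:
            zs = [self._z(v) for lab, v in labelled if lab == label]
            self.centroids[label] = [mean(c) for c in zip(*zs)]

    def _z(self, vec):
        return [(x - m) / s for x, m, s in zip(vec, self.mu, self.sd)]

    def predict(self, packets):
        z = self._z(features(packets))
        return min(self.centroids, key=lambda label: math.dist(z, self.centroids[label]))


CLASSIFIER = NearestCentroid(TRAINING)


def classify(packets):
    """Label one flow using the classifier trained on TRAINING."""
    return CLASSIFIER.predict(packets)


if __name__ == "__main__":
    unknown_port_flow = [(0.0, 1300, -1), (0.01, 1300, -1), (0.02, 48, 1), (0.03, 1300, -1)]
    print(classify(unknown_port_flow))
```

The operational caveats the second survey raises apply directly here: the centroids are only as good as the labelled training flows, the features must be computable at line rate from the first few packets if the classifier is to drive policy, and an adversary who pads packets or shapes timing can move a flow across the decision boundary.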
5966-5387_HP_Internet_Advisor_LAN_1997 User’s Guide The HP Internet Advisor LAN family of products includes Ethernet, Fast Ethernet, Token-Ring, and FDDI Advisors. The hardware for the different Advisors can be any of the following:
• a streamlined portable Internet Advisor, with built-in Ethernet or Token-Ring and an optional Fast Ethernet or FDDI undercradle
• an Internet Advisor WAN with a LAN undercradle
• a ruggedized transportable Network Advisor (and attachable modules)
• Advisor PC cards for Ethernet or Token-Ring
Whatever form the hardware takes, all the Internet Advisors consist of measurements and applications to help you monitor, analyze, and troubleshoot your network. There are many different applications that run on the Internet Advisor LAN. This manual discusses the basic operation of typical measurements involved in monitoring, troubleshooting, and analyzing your networks. Most measurements and techniques are similar across all network types. Where the procedure or measurements differ, an example is given for each. This User’s Guide covers the basic operating information for the Internet Advisor LAN. There is online help built into the Internet Advisor LAN. You can find specific information for the tests you are running in the area of the Internet Advisor LAN you are in. There is also a Glossary of terms. This User’s Guide explains general procedures for operating the Internet Advisor LAN. Detailed instructions and field definitions for each measurement are found in that measurement’s online help window.
AccelPoint – End-to-End Bandwidth Management and QoS Controls network traffic at its source NetworkJustice AccelPoint is the first software product to provide full bandwidth management and QoS for endpoint systems. AccelPoint’s unique architecture allows users and/or network managers to set dynamic networking policies which simultaneously optimize the user’s experience while reducing network load. Operating on endpoint systems, AccelPoint guarantees that your VoIP won’t be adversely affected by your file transfers, browsing or file sharing, even when you are connected to your office network through a secure VPN. Not only does AccelPoint offer unprecedented performance for clients and servers, it also enables network managers and operators to accurately control the mix of traffic at its source, before it touches the resource-constrained shared infrastructure. It even manages applications which use dynamic ports, UDP, and encryption. AccelPoint is ideal for wireless, WiMax, mobile, cable, and other shared bandwidth environments. Its easy-to-use manager simplifies policy creation and distribution to large numbers of users.
360° Network Access Control with TippingPoint NAC
30 Gbps Intelligent Policy Enforcement for Broadband Networks Procera’s PL8820 Intelligent Policy Enforcement (IPE) appliance provides 30 Gbps with the largest signature database available and no feature limitations. The PL8820 is easy to deploy and supports up to 8 channels of 10 Gigabit Ethernet or 16 channels of 1 Gigabit Ethernet in a compact 2RU size. The PL8820 is specifically designed for today’s high-connection, high-growth Internet, where social networks have dramatically increased the number of active connections on the network, and video streaming continues to grow daily. It is especially applicable to the high-bandwidth, high-stress network deployments that are typical of mobile operators’ networks today.
5 Key Network Trends Neatly Solved with DPI
3COM REDEFINES NETWORK SECURITY WITH LAUNCH OF INDUSTRY’S FIRST INTRUSION PREVENTION SYSTEM WITH MULTI-FUNCTION SECURITY CAPABILITIES AUSTIN, TX. – Nov. 14, 2005 – TippingPoint, a division of 3Com and the leader in intrusion prevention, today launched the TippingPoint X505, the first integrated security platform built upon Intrusion Prevention System (IPS) technology, combining stateful inspection firewall, IPSec VPN, bandwidth management, Web content filtering and dynamic routing. The new platform meets the growing demand of enterprise customers to have a more complete security solution that provides preemptive, automatic and dynamic protection not found in today’s firewalls.
Intrusion Detection and Prevention Systems In lay terms, an intrusion is unwanted or unauthorized interference and, being unwanted or unauthorized, it is usually carried out with bad intentions. The aim of an intrusion is to collect information about the organization, such as the structure of its internal networks or the software systems it uses (operating systems, tools and utilities, or applications), and then to initiate connections to the internal network and carry out attacks. Intrusions are usually carried out by people outside the organization. Sometimes, however, they are caused by authorized insiders who misuse their authorization or who go beyond their area of authorization, and such attacks also need to be protected against.
Performance Comparison and Detection Analysis in Snort and Suricata Environment Recently, crimes are committed on the Internet by hacking that targets the finances of individuals and companies. Because of the massive number of crimes enabled by digital convergence and ubiquitous IT systems, it is clear that the number of network packets that need to be processed is rising, and an IDS (Intrusion Detection System) must process many more packets than in the past. Snort (version 2.x) is a leading open source IDS with a long history, but since it was built a long time ago it has several limitations that do not fit today’s requirements, such as a single-threaded processing unit. Suricata, on the other hand, was built to address these disadvantages of Snort: to cope with the massive amount of packets, Suricata is able to process packets in a multi-threaded environment. In this paper we analyze and compare the processing and detection rates of Snort and Suricata to decide which is better in a single-threaded or multi-threaded environment.
GeoProbe: Inet’s Network-Wide, Signaling Monitoring System for Network Operations & Maintenance.
GeoProbe RTP Stream Capture for Media Quality – Data Sheet Tektronix’ GeoProbe network monitoring system provides highly-configurable, non-intrusive capture of RTP streams in VoIP networks. GeoProbe’s real-time correlation of signaling and media even across multiple protocols and network types ensures detection and capture of all RTP media associated with a given call.
GeoProbe G10 | Tektronix Communications Designed specifically to address high bandwidth interfaces and datacenter applications, the NEBS-compliant GeoProbe G10 platform features a distributed architecture optimized to handle high volume IP traffic. The GeoProbe G10 serves as a primary collection and correlation agent for Tektronix Communications’ Network Intelligence solution. Used to feed Iris Analyzer Toolset applications, the G10 may be used in combination with existing SpIprobes to provide a comprehensive view of the network.
GeoProbe G10 – Data Sheet New Probe Handles High Capacity, High Bandwidth With a proven track record and worldwide deployment by Tier 1 operators, the GeoProbe family remains at the center of Tektronix Communications’ network monitoring portfolio. In keeping with the pace of network technology changes and dynamic market conditions, Tektronix Communications has evolved its hardware to meet changing customer needs. Designed specifically to address high bandwidth interfaces and datacenter applications, the NEBS-compliant GeoProbe G10 platform features a distributed architecture optimized to handle high volume IP traffic.
– 8 Gbps of user plane packet processing power
– 2 million simultaneous GTP sessions
– Native support for both IPv4 and IPv6
The G10 serves as a primary collection and correlation agent for Tektronix Communications’ Network Intelligence solution. Used to feed Iris Analyzer Toolset applications, the G10 may be used in combination with existing SpIprobes to provide a comprehensive view of the network.
Generation and maintenance of identity profiles for implementation of security response
GENBAND | GENBAND Bolsters Industry-Leading Portfolio with Deep Packet Inspection Technology from Procera Networks PLANO, TX and LOS GATOS, CA, July 22, 2010 – GENBAND, a leading developer of IP solutions and services, and Procera® Networks Inc. (AMEX: PKT), a developer of evolved Deep Packet Inspection (DPI) solutions providing awareness, analysis, and control for network service providers, today announced that the companies have signed an OEM agreement under which GENBAND will incorporate Procera’s PacketLogic™ DPI technology into GENBAND’s industry-leading portfolio and enable further innovation with GENBAND’s current and future products.
GENBAND – P-Series DPI The rapid growth in devices, applications and broadband demand presents both opportunity and challenges to service providers. Today, operators must address a range of issues: from backhaul congestion and over-the-top usage habits, to more complex traffic and routing, cost pressures, and the need to create new revenue-generating service offerings.
GENBAND – Deep Packet Inspection- Cable In today’s fast-paced, content-driven world, service providers must adapt to meet subscriber demands of new high-bandwidth applications by preparing their networks to deliver advanced IP-based services and support significantly complex data-oriented applications.
GENBAND – Deep Packet Inspection -Mobile
GENBAND – Deep Packet Inspection -Fixed
GENBAND – Deep Packet Inspection -Converged
GENBAND – Deep Packet Inspection – IMS/LTE In today’s fast-paced, content-driven world, service providers must adapt to meet subscriber demands of new high-bandwidth applications by preparing their networks to deliver advanced IP-based services and support significantly complex data-oriented applications.
GENBAND – Deep Packet Inspection
Gaining Visibility Into Network and Application Behavior With Packeteer’s PacketSeeker™ Application-Intelligent Traffic Monitoring Appliance
Fuzzy cyber detection pattern matching
Four Steps to Application Performance Across the Network With Packeteer’s PacketShaper
Fortinet and Nozomi Networks Comprehensive OT Security Solution Broad, Integrated, and Automated Security with Real-Time Cybersecurity and Visibility for Industrial Control Networks The backbone of critical infrastructure, industrial control systems (ICS), is ubiquitous in all industries including energy, electric, water, manufacturing, and even military applications. In the last decade, ICS have grown to become more automated and advanced, but also more connected to conventional and enterprise networks than ever before. While this increase in connectivity has helped utilities and governments alike reach a higher level of efficiency, it has also exposed ICS networks, and their devices, to new cyber-borne and operational vulnerabilities. The advantages of leveraging common Internet protocols, combined with the ease and cost savings of using Windows-based terminals such as HMIs and SCADA masters, brought operational technology (OT) networks on a collision course with traditional IT systems and their associated security risks. Two key issues with this transformation prevail. First, ICS networks involved with critical infrastructure can’t afford any unexpected outages (unplanned downtime), even for unscheduled maintenance or basic update patching, leaving the Windows-based terminals vulnerable. Second, the serial protocols of ICS, which were merely encapsulated in TCP/IP, have no security features built into them, such as basic authentication or encryption, again a fundamental vulnerability.
Fluxoscope a System for Flow-Based Accounting We present a traffic accounting system developed at SWITCH. Its applications include differentiated usage-based charging, long-term traffic analysis for capacity planning, and troubleshooting tasks such as the detection of routing anomalies or denial-of-service attacks. The system is based on flow-based accounting information generated by routers.
Fluxoscope The Fluxoscope system has been developed internally at SWITCH since 1997. It is used for volume-dependent charging for the use of our transatlantic links, as well as for other tasks including network monitoring and traffic analysis. The source code of the system can be made available upon request. Note that the largest part is written in Common Lisp.
Fluke Networks: SuperAgent Application Performance Application Performance Management In order to support mission critical applications, an IT department must be able to continuously monitor end user experience and react to problems before productivity is affected. SuperAgent is a passive application response time analyzer that isolates slow performance to the network, server or application — quickly — with no need for endpoint agents. SuperAgent analyzes TCP application performance based on real user traffic, not synthetic transactions. In a single view, management can easily see which user groups are receiving the best, or worst, transaction times for any application. IT departments are then able to drill into the cause of poor performance and resolve specific deficiencies.
Fluke Networks: Protocol Inspector Software Options
Fluke Networks: OptiView Protocol Expert Traffic Analysis OptiView PE provides seven-layer packet decodes and real-time network health statistics. Many network vital signs can be monitored, such as:
– Utilization and error rate
– Frame size distribution
– Protocol distribution
– Top senders/receivers
– Conversation matrices
– VLAN traffic analysis
– Expert analysis
– Application response time analysis
Advanced Packet Decode and Filtering OptiView PE decodes packets captured by OptiView™ Analyzers. Multiple sessions of the packet decode window can be opened simultaneously. Traffic analysis tools, such as the conversation matrix and protocol mix view, can be used to quickly narrow down packets of interest. Advanced capture filters and display filters are easy to set up, using a combination of protocol types, source/destination addresses, TCP/UDP port numbers and bit patterns.
Fluke Networks: Protocol Inspector Overview At a Glance Supports desktop, notebook or distributed deployment. High performance full-line rate packet capture on 10/100/1000 Mbps Ethernet. Non-intrusive access to monitor and capture full-duplex switch traffic. Real-time network traffic monitoring. Complete seven-layer packet decode and filtering capabilities for 10/100/1000 Mbps Ethernet and Token Ring networks.
Fluke Networks: Protocol Inspector Analysis Software Features When you’re troubleshooting protocol interoperability and response time problems, you need the ability to capture, decode, and filter frames quickly. Fluke’s Protocol Inspector Standard Version, a Windows-based software application that you can run with a standard NDIS driver on a laptop or desktop computer, provides a robust, easy-to-use set of network analysis and monitoring tools in a single package. Its extensive seven-layer decodes allow any network professional to easily identify problematic segments. Protocol Inspector provides:
– Real-time monitoring of network traffic, including: MAC/protocol/application layer conversation matrix; top talkers by MAC address, network layer address or application usage; network health statistics, including frame size distribution and segment utilization
– Complete seven-layer packet capture, decode, and filtering capabilities for 10/100/1000 Mbps Ethernet and 4/16 Mbps Token Ring networks
– Capture and decodes in VLAN environments such as Cisco ISL and 802.1q
– Decoding of more than 150 protocols, including TCP/IP, IPX, SNA, AppleTalk, Vines, DECnet, IP Multicast, Lotus Notes, Sybase, Oracle, Cisco ISL and 802.1q VLANs, and SMB. It’s also a snap to add custom protocols.
– Fully customizable capture and display filters
– Email or pager notification for defined alarm conditions
Fluke Networks: OptiView Protocol Expert Expert Analysis Expert Analysis speeds up troubleshooting The Expert View of the OptiView Protocol Expert (PE) automatically detects problems while monitoring real-time traffic, or analyzing captured packets collected by the OptiView PE or the OptiView™ Analyzers. The Expert View categorizes, by OSI layer, the problems detected. It summarizes the address or name of the stations involved, and the position of frames in the capture file that trigger the Expert System to identify the problem. Traffic statistics for the stations involved are correlated and presented for each OSI layer in an easy-to-read hierarchy by the expected symptoms. This information usually provides enough data to isolate problems, eliminating the need to perform tedious, line-by-line packet analysis.
Fluke Networks: OptiView Protocol Expert
– Complete seven-layer packet capture, decode and filtering capabilities
– Analyze packets captured from OptiView hardware analyzers
– Expert analysis quickly pinpoints problems and suggests corrective action
– Extensive QoS analysis of H.323 and Cisco AVVID VoIP implementations
– Integrated support available for local and remote network analysis
– Special protocol support: Extreme EDP & ESRP and Cisco CDP and VTP
Fluke Networks: 69X Traffic Analyzer – Monitor Traffic Fluke’s 694 and 695 multiport Fast Ethernet Traffic Analyzers for 10/100 Mbps networks provide line-rate performance on all ports, half- or full-duplex. Fluke’s 694/695 Traffic Analyzers have a fault-tolerant internal tap feature that allows them to monitor up to 4 full-duplex connections, which can be configured on a per port-pair basis. You can also aggregate RMON2 statistics from multiple full duplex ports to form a unified RMON2 statistic. The 694/695 is particularly suited for environments using the new Fast EtherChannel® technology from Cisco and Intel.
FlowScan Download Website FlowScan is a network analysis and reporting tool. It processes IP flow export records and reports on what it finds.
FlowIntelligence Threat Analyst: Advanced Threat Fusion and Breach Detection Prevention
– Scalable network breach detection and prevention sensor up to 100 Gbps
– Static, dynamic and custom PCRE-based analysis
– Threat fusion analysis with STIX, CYBOX and MAEC threat intelligence indicators
– Extreme scaling in PCRE-based analysis with HyperScan®
– Deep file inspection and malware analysis automation with effective machine learning
– Threat sharing, unified threat response and analytics environment
– Fully integrated, high performance, secure platform and sensor solution
– Integrated with FlowIntelligence analytics environment
– Integrated with enterprise management via Systems Management Center
– Embedded APIs for threat sharing and active response
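Both the Snort/Suricata comparison above and this entry are about running PCRE-style signatures at high packet rates. The point a practitioner cares about is what the patterns are run over: a sensor that matches each packet in isolation misses a signature split across two TCP segments, while matching over the reassembled stream does not. The block below is an added example, not code from Snort, Suricata, Hyperscan or FlowIntelligence; it uses Python's re module as a stand-in for a PCRE engine, and the rules, flow tuple and segments are constructed for the illustration.

```python
"""Signature matching per packet versus over a reassembled TCP stream.

Added example with constructed rules and segments. Python's re stands in for
PCRE; the reassembler handles out-of-order, duplicate and overlapping segments
but deliberately stops at a hole rather than matching across missing bytes.
"""
import re
from collections import defaultdict

# Constructed rule set: rule name -> compiled pattern over raw payload bytes.
RULES = {
    "http-uri-traversal": re.compile(rb"GET /[^ \r\n]*\.\./"),
    "shell-cmd-exec": re.compile(rb"(?:/bin/sh|cmd\.exe)\b"),
}


def match_rules(data):
    """Run every rule over one byte buffer; return the names that fired, sorted."""
    return sorted(name for name, rx in RULES.items() if rx.search(data))


class StreamReassembler:
    """Per-flow, in-order reassembly of one direction of a TCP stream by
    sequence number (relative sequence numbers, first byte of the stream = 0)."""

    def __init__(self):
        self.segments = defaultdict(dict)   # flow -> {seq: payload}

    def add(self, flow, seq, payload):
        # First copy wins; an exact retransmission of the same seq is dropped.
        self.segments[flow].setdefault(seq, payload)

    def stream(self, flow):
        segs = self.segments[flow]
        if not segs:
            return b""
        out = bytearray()
        expected = min(segs)
        for seq in sorted(segs):
            payload = segs[seq]
            if seq < expected:               # overlap: keep only unseen tail bytes
                payload = payload[expected - seq:]
                seq = expected
            if seq > expected:               # hole in the stream: do not guess
                break
            out += payload
            expected = seq + len(payload)
        return bytes(out)


# Constructed client->server flow and its segments in arrival order. The
# traversal sequence "../" is split across the two segments, and the first
# segment is also retransmitted once. 13 is the length of the first segment.
FLOW = ("10.0.0.5", 51000, "203.0.113.7", 80)
SEGMENTS = [
    (13, b"./../etc/passwd HTTP/1.1\r\nHost: x\r\n\r\n"),
    (0, b"GET /images/."),
    (0, b"GET /images/."),
]


def per_packet_alerts(segments):
    """What a packet-at-a-time matcher sees: rules run on each segment alone."""
    alerts = set()
    for _seq, payload in segments:
        alerts.update(match_rules(payload))
    return sorted(alerts)


def stream_alerts(segments, flow=FLOW):
    """Rules run once over the reassembled stream for the flow."""
    r = StreamReassembler()
    for seq, payload in segments:
        r.add(flow, seq, payload)
    return match_rules(r.stream(flow))


if __name__ == "__main__":
    print("per packet:", per_packet_alerts(SEGMENTS))
    print("stream    :", stream_alerts(SEGMENTS))
```

The asymmetry this exposes is the reason production IDS engines buffer streams before running their pattern matchers, and it is also why multi-threaded engines must keep all segments of one flow on the same worker: the reassembly state for a flow cannot be split across threads.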
FlowIntelligence Cyber Analyst Cloud Event Monitoring and Traffic Analysis Deep Visibility
• Collect network flows and analyze network applications through Layer 7 of the OSI model from the enterprise
• Analyze cloud traffic (DNS, FTP, SIP, DHCP, SMTP, HTTP/HTTPS, SMB, Modbus and DNP3, etc.)
• Centralized and distributed analysis environments
• More than 3000 types of network events tracked
• Generate metadata for network events with more than 50 embedded log types and hundreds of metadata objects
• Investigate data with associated BGP, MPLS and VLAN tags
• Identify anomalous network and application behavior, including known embedded malware
• Integrate threat intelligence indicators for dynamic analysis
FlowIntelligence Cyber Analyst The complexity of networks, applications and services creates additional pressure on enterprise and service provider cyber analysts to identify network events as well as to detect, mitigate and protect against cyber threats. Network-based applications, social media, email, SCADA and Internet of Things (IoT) devices all bring the risk of an unwanted or undesirable event in the network. Identifying external and internal threats, lateral movement from a network event, and data exfiltration adds complexity and challenges for security operations teams. They now have to address multiple questions for the network ecosystem, including:
FlowIntelligence 8600 MCA
FlowIntelligence 6540 Typical User Deployments
• Deep Packet Inspection
• Network Security and Monitoring
• Network Breach Detection and Prevention
• Web, URL and Application Filtering
• Network Flow Monitoring
• Cyber Security and Network Threat Intelligence
• Network Malware Identification
• Integrated Adaptive Cyber Defense
• Network Sensor Application Consolidation
FlowIntelligence 6425 The FlowIntelligence 6400 Series Adaptive Cyber Platform is a scalable high-density packet processing system. It delivers unparalleled performance for the FlowIntelligence Cyber Sensor Suite of tools, open source, custom-proprietary, or commercial off-the-shelf (COTS) network security and cyber intelligence applications. The platform is optimized for packet processing through an extensively field-tested and proven architecture which features multi-core Intel® processors and a robust Linux application environment.
Flow-Based and Packet-Based Processing User Guide for Security Devices Use this guide to configure and monitor the flow of traffic or packets on a device using flow-based processing and packet-based forwarding, and to use an extensive set of flow-based security features, which include policies, screens, network address translation (NAT), and other flow-based services.
Five Key Challenges Facing Campus Network Administrators Today Introduction: Shouldering the Responsibilities of a Campus Network Networking and IT professionals today have a tremendous responsibility when it comes to managing the network of a higher-education campus or organization. The massive growth of stored data (and the need to share it) is constantly placing pressure on an already over-stressed network. The unpredictable student user base is prone to network misuse and security breaches. Educators are looking to further leverage network-based learning tools and streaming video. Campus administrators are adding new applications while demanding more and more remote accessibility. And campus legal departments are anxious to ensure that campus networks are meeting all government and other security and privacy regulations and compliance requirements, while constantly making requests for network usage reports and other network activity to assist in copyright protection efforts.
Firewall rule management
Finder Series Finder 10G 2400 – Real-Time Deep Packet Tracking & Filtering VSS Monitoring helps you maximize the return from your network intelligence infrastructure. Using our vBroker™ Series of network packet brokers, you can make better use of your monitoring and security tools, simplify operational complexity and realize a higher ROI from additional cost savings and service quality improvements. VSS vBroker appliances solve a variety of network-related IT challenges in your network and data centers, including improving the link-layer visibility and data access of monitoring and security tools, accelerating the time to diagnose performance problems and security incidents, and making sure CapEx and OpEx costs remain stable as network size and speeds grow.
Finder Series – PRODUCTS – VSS Monitoring
Features and Benefits of PolicyXpert PolicyXpert adds policy-based configuration and control to the OpenView Network Management Solution. The PolicyXpert approach benefits IT organizations by allowing them to:
– Optimize network resources
– Assure response times for critical applications
– Take control of the network
– Establish classes of service as driven by business needs
– Enhance their OpenView investment
Key features include:
– QoS management
– Automated policy enforcement
– Heterogeneous configuration and control
– Robust policy creation and deployment
– Standards-based implementation
Fast identification of offense and attack execution in network traffic patterns
FAQ: NetMon Freemium What is NetMon? NetMon provides enterprise-wide network visibility through application-level awareness and rich network session detail. It enables organizations to:
• Baseline network behavior to immediately pinpoint abnormal activity
• Detect unauthorized or suspicious application activity
• Expedite network forensic investigations
• Perform full packet capture for advanced forensics
• Prevent sensitive data loss
• Monitor application bandwidth consumption
Facilitating secure 24×7 on-demand service availability while minimizing power …
Facilitating flow symmetry for service chains in a computer network Techniques are described for facilitating flow symmetry using a scalable service platform that anchors the service chain. The scalable service platform may facilitate flow symmetry and, at least in some cases, flow stickiness for a first packet flow (a “forward packet flow”) and a second, related packet flow (a “reverse packet flow”), both traversing the service chain in the forward and reverse directions, respectively. For example, a virtualized computing infrastructure may deploy a scalable service platform to perform load balancing of multiple forward packet flows, received from the gateway, among multiple parallel service instances for an ingress service in a service chain. For each of the corresponding reverse packet flows for the multiple forward packet flows, the scalable service platform load balances the reverse packet flow to the service instance for the egress service in the service chain that is applied to the corresponding forward packet flow.
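The abstract above describes why flow symmetry matters: a stateful service instance (firewall, NAT, DPI) that saw the forward flow must also see the reverse flow, or it has no state for the returning packets. The block below is an added example, not the patent's or any vendor's implementation, of the simplest way to get that property without a per-flow lookup table: hash a canonicalised 5-tuple whose two endpoints are sorted, so A->B and B->A produce the same key and therefore the same instance. The hash function, instance count, addresses and the toy stateful instance are all assumptions for illustration.

```python
"""Flow-symmetric assignment of packet flows to parallel service instances.

Added example with constructed addresses. naive_key hashes the 5-tuple as
seen on the wire and is not symmetric; canonical_key orders the endpoints
first and is.
"""
import hashlib
from typing import NamedTuple


class FiveTuple(NamedTuple):
    proto: int
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        """The 5-tuple of the reverse packet flow."""
        return FiveTuple(self.proto, self.dst, self.dport, self.src, self.sport)


def naive_key(ft):
    """Direction-dependent key: forward and reverse flows hash differently."""
    return f"{ft.proto}|{ft.src}:{ft.sport}>{ft.dst}:{ft.dport}".encode()


def canonical_key(ft):
    """Direction-independent key: endpoints sorted before hashing."""
    lo, hi = sorted([(ft.src, ft.sport), (ft.dst, ft.dport)])
    return f"{ft.proto}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}".encode()


def bucket(key, n):
    """Map a key to one of n service instances (SHA-256 is an arbitrary choice)."""
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big") % n


def naive_instance(ft, n):
    return bucket(naive_key(ft), n)


def symmetric_instance(ft, n):
    return bucket(canonical_key(ft), n)


class StatefulInstance:
    """Toy stateful service: remembers sessions it saw the SYN for."""

    def __init__(self, idx):
        self.idx = idx
        self.sessions = set()

    def handle(self, ft, syn):
        key = canonical_key(ft)
        if syn:
            self.sessions.add(key)
            return "new"
        # A real firewall would drop a non-SYN packet with no matching state.
        return "established" if key in self.sessions else "no-state"


def run_session(n, chooser):
    """Send a forward SYN and then the reverse packet through the instances
    selected by `chooser`; return the verdict each packet received."""
    instances = [StatefulInstance(i) for i in range(n)]
    fwd = FiveTuple(6, "10.1.0.5", 51234, "198.51.100.9", 443)
    verdict_fwd = instances[chooser(fwd, n)].handle(fwd, syn=True)
    verdict_rev = instances[chooser(fwd.reverse(), n)].handle(fwd.reverse(), syn=False)
    return verdict_fwd, verdict_rev


if __name__ == "__main__":
    print("symmetric:", run_session(8, symmetric_instance))
    print("naive    :", run_session(8, naive_instance))
```

With the symmetric chooser the reverse packet always lands on the instance holding the session, so run_session returns ("new", "established"). With the naive chooser it lands on the same instance only by chance (about 1 in n), and the usual outcome is "no-state", which is exactly the failure the service platform in the abstract is designed to prevent. The same trick is used at the NIC level: symmetric RSS uses a Toeplitz key chosen so that swapping source and destination yields the same hash, which keeps both directions of a flow on one receive queue and one worker thread.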
ExtremeXOS® User Guide for Version 31.5 This guide is intended for use by network administrators who are responsible for installing and setting up network equipment. In addition to comprehensive conceptual information about each feature of our software, you will also find detailed configuration material, helpful examples, and troubleshooting information. Also included are supported platforms and recommended best practices for optimal software performance.
ExtremeAnalytics™ For Healthcare (Formerly Purview™) Network-powered application analytics for today’s clinical environments Extreme Application Analytics is a network-powered application analytics and optimization solution that captures and analyzes context-based application traffic to deliver meaningful intelligence about apps, users, locations, and devices. It is the industry’s first and only (patent pending) solution to transform the network into a strategic business asset, by enabling the mining of network-based clinical events and strategic information that help hospital leaders make faster and more effective decisions. It does all this from a centralized command and control center that combines network management with clinical analytics, at unprecedented scale (100M sessions) and scope.
ExtremeAnalytics User Guide Table of Contents (excerpt): ExtremeAnalytics® User Guide; Legal Notices; Trademarks; Contact; Extreme Networks® Software License Agreement; ExtremeAnalytics Help; Document Version; Getting Started with ExtremeAnalytics; ExtremeAnalytics Access Requirements; ExtremeAnalytics Engine Configuration; Enable Flow Collection; Enable Jumbo Frames; Configuring Enhanced Netflow for Extreme Analytics and Extreme Wireless Controller Version 10.21 in ExtremeCloud IQ – Site Engine; How to Deploy ExtremeAnalytics in an MSP or MSSP Environment
ExtremeAnalytics® User Guide Version 8.4 ExtremeAnalytics provides Layer 7 application visibility on your network. Combining Extreme Management Center, S-Series and/or K-Series devices, and the ExtremeAnalytics engine, this feature integrates application, user, and device data to give you a full understanding of the applications on your network and who’s using those applications. ExtremeAnalytics uses deep packet inspection (DPI) and a rich set of application fingerprinting techniques to provide granular control of private applications (SAP, SOA traffic, Exchange, SQL, etc.), public cloud applications (Salesforce, Google, Email, YouTube, P2P, file sharing, etc.), as well as social media applications (Facebook, Twitter, etc.), guaranteeing a quality user experience for business critical applications.
Extreme Networks Purview Solution Cuts Network Management Time by 40 Hours Per Week | Extreme Networks
Extreme Networks Purview Solution Cuts Network Management Time By 40 Hours Per Week Serving the towns of Stonington and Mystic, Connecticut, the Stonington Public School District is committed to creating an educational environment with structures to support collaboration, personalized learning, and innovative instruction to help students become knowledgeable, problem solving, productive citizens. In order to meet the mobile needs of 3,000 users across six schools and seven buildings, Stonington Public Schools turned to Extreme Networks to implement an enterprise wireless network that would allow them to roll out BYOD, deploy a virtual desktop infrastructure, and centrally manage the entire infrastructure from a single screen.
Extensible Service Provider™ (ESP) Our patented Extensible Service Provider (ESP) intercepts Winsock calls from all Winsock applications and, based on filters, delivers the calls and associated data and parameters to plugin applications. The ESP is actually a Winsock 2 Layered Service Provider. It ‘binds’ to all protocols running on the system and, for IP, can capture TCP, UDP, and raw sockets. It runs on Windows 95, NT 4.0, Windows 98, Windows 2000, and Windows XP. The ESP and associated plugins are manageable through the Microsoft Policy Editor, which permits configuration of the ESP filters and plugin parameters and distributes these configurations to individual users or to workgroups.
Explore LANGuardian | NetFort Technologies NetFort LANGuardian is software that analyzes your network traffic. Using advanced deep packet inspection techniques, LANGuardian gives you a unique level of visibility into everything that’s happening on your network, including user activity, file and database monitoring, intrusion detection, bandwidth usage, and Internet access. Try our online demo system or install a 30-day free trial on your own network – you’ll be amazed at what you can find out from your network traffic!
Executing online services in a public cloud
EtherPeek™ Ethernet protocol analyzer – Procera
EtherPeek™ and TokenPeek™ for Windows QuickTour An introduction to the “Peek” software
Etherpeek: Ethernet Protocol Analyzer & Packet Debugger
EtherPeek SE/NX EtherPeek SE v.7.0.1/NX v.4.0.1 Technical Specifications
EtherPeek NX: Expert Ethernet Network Analyzer
EtherPeek NX Streamlines Beverage manufacturer’s Network Services
EtherPeek NX Real time expert protocol analysis
Etherpeek Graphic
EtherPeek and Security: A definite match-up
EtherPeek 4 for Macintosh Demonstration Software Quick Tour A Step-by-Step Guide Through Key Features of EtherPeek
Etherhelp: Free Packet Capture Utility
Ethereal: Download
Ethereal: Samples Packet Capture Samples
Ethereal: Features, ScreenShots, etc.
Establishing simultaneous mesh node connections
Enhance Application Security with Nutanix Flow and Check Point CloudGuard – Check Point Software Nutanix provides a “web-scale, hyperconverged infrastructure solution purpose-built for virtualization and both containerized and private cloud environments”. Nutanix Flow offers policy-based network security tightly integrated into Nutanix AHV and Prism Central. Flow provides rich visualization, automation, and security for VMs running on AHV. Microsegmentation is a component of Flow networking that simplifies policy management. Using multiple Prism Central categories (logical groups), users can create a powerful distributed firewall that gives administrators an application-centric policy management tool for securing VM traffic.
Endpoint Protection – Symantec Enterprise
Elastic Security Services and Load Balancing in a Wireless Mesh Network
Elastic modification of application instances in a network visibility …
Efficient application identification with network devices In general, techniques are described for efficiently implementing application identification within network devices. In particular, a network device includes a control unit that stores data defining a group Deterministic Finite Automaton (DFA) and an individual DFA. The group DFA is formed by merging non-explosive DFAs generated from corresponding non-explosive regular expressions (regexs) and fingerprint DFAs (f-DFAs) generated from signature fingerprints extracted from explosive regexs. The non-explosive regexs comprise regexs determined not to cause state explosion during generation of the group DFA, the signature fingerprints comprise segments of explosive regexs that uniquely identify the explosive regexs, and the explosive regexs comprise regexs determined to cause state explosion during generation of the group DFA. The network device includes an interface that receives a packet, and the control unit traverses first the group DFA and then, in some instances, the individual DFAs to more efficiently identify the network applications to which packets correspond.
EcoSCOPE Product Info
EcoSCOPE Product Detail
EcoSCOPE FAQ
EcoPROFILER Home Page
EcoPREDICTOR Product Detail
EcoPREDICTOR Home Page
EcoNET System Overview
Early filtering of clean file using dynamic analysis
EcoNET Reporting Capabilities
Dynamically specifying multiple public cloud edge nodes to connect to an …
Dynamic service chaining and late binding
Dynamic policy control for application flow processing in a network device In one example, a method includes receiving, with a network device, a portion of a subscriber session packet flow for a subscriber session, and reassembling application-layer data from data packets in the subscriber session packet flow into one or more application flows for the subscriber session. The method includes identifying, from the application flows, application identity information for the application flows, and applying a first session policy to the subscriber session. Applying the first session policy includes applying one or more application policies to the application flows in the subscriber session based on subscriber information and the application identity information for the application flows. The method includes processing the application flows in the subscriber session for accessing a packet data network in accordance with the application policies.
Dynamic network tuner for the automated correlation of networking device functionality and network-related performance A dynamic network tuner establishes fluid, continuous, and automatic correlation between the extent and/or degree of a networking device’s functionality, on the one hand, and the network-related performance (i.e., network data traffic and/or network application performance), on the other. The dynamic network tuner can be embodied as a discrete device ready for installation into a host network. Preferably, such (and like) tuner embodiments are integrated into a network to automatically correlate, according to user-predefined parameters, the network’s performance with the operation within the network of specifically-targeted, performance-altering networking devices, such as network security devices, or more preferably and particularly, intrusion prevention devices.
Dynamic network tuner for the automated correlation of networking device …
Dynamic bypass of TLS connections matching exclusion list in DPI-SSL in a NAT …
Dynamic Bypass
DPX Network Probe – Comprehensive Lawful Interception and Monitoring in Broadband Networks
DPX Network Probe – Data Sheet
DPX Network Probe
DPI: Enabling secure, personalized and metered services | Allot Blog
DPI-SSL > Client SSL
DPI-Based Application Identification for Next Generation Firewalls Qosmos ixEngine uses Deep Packet Inspection (DPI) to provide full application visibility irrespective of ports and protocols. Qosmos ixEngine allows firewall vendors to detect protocols and applications irrespective of TCP/UDP port with the highest accuracy using powerful Deep Packet Inspection (DPI). The Qosmos ixEngine software development kit (SDK) consists of pre-developed, reusable “building blocks” that are easily integrated into new or existing solutions.
DPI Application Platform | Bivio Networks
DPI and Traffic Management Sandvine Tops DPI and Traffic Management Sandvine’s flagship Policy Traffic Switch (PTS) 32000 incorporates DPI functionality for both TDF and PCEF capabilities. Building on the Intel x86 architecture ensures straightforward virtualization. It also contains two network processor units for load balancing. The PTS 32000 delivers up to 375 Gbps in a two-rack-unit form factor, and a cluster can support 8 Tbps. The PTS 32000 has market-leading performance-power efficiency, measured by bits per second/watt. Likewise, the two-rack-unit form factor of the PTS 32000 delivers the highest bits per second/liter among 100GE-capable DPI solutions.
DPI and Policy Complementary Tools for network optimization and new revenue creation The rapid growth in mobile broadband has been a great success story, but one that has left in its wake many challenges, as well as opportunities, for mobile operators. Adoption of smartphones, which in many markets now account for over half of new devices, and extensive availability of applications and services, with video accounting for over half the traffic, has created a surge in the data load on the networks. Accommodating the increased traffic volume can be an expensive proposition for mobile operators, and yet discouraging subscriber use limits the opportunity for revenue growth.
DPI & Traffic Analysis in Networks Based on NFV and SDN – White Paper Traffic analysis based on deep packet inspection (DPI) and a wide range of other techniques is now well-established as a means for operators to better understand IP network traffic. This information is used for a widening range of purposes, including policy management, service assurance, security, customer experience management and development of new services. DPI is now embedded in many types of equipment, including network gateways (e.g., GGSN and P-GW); policy enforcement appliances; service assurance elements such as network probes; load balancers; applications delivery controllers; analytics platforms, and others. However, the coming transformation of networks by ETSI NFV, SDN, and cloud services poses some new questions. In particular: What is the role of DPI and related techniques in a virtualized network and a cloud-based service delivery environment? In this white paper, we examine these issues from the point of view of network hardware and software suppliers, drawing mainly on an exclusive survey conducted by Heavy Reading in October/November 2013. This survey asked executives from telecom suppliers a range of questions about DPI/traffic analysis, virtualization, and the relationship between the two. The first part of the paper briefly discusses the background to this work, then considers the evolution of DPI and traffic analysis in networks and network equipment, looking at the main use cases, both established and emerging; the changing balance between internal development and third-party sourcing of DPI; and the impact of traffic encryption on DPI. In the second part, we explore vendor attitudes to virtualization, including their views on the impact of NFV, the growing potential to use standardized third-party components, and the impact of virtual switches, among other things. In the final part of the paper, Qosmos presents its own views on the findings presented here.
Key findings from the survey include the following:
• Two thirds of vendors now believe DPI is a must-have technology.
• The largest use case (by number of vendors citing it) is service assurance for QoS/QoE; the second largest is policy control (PCEF), which we believe is the largest use case by volume.
• The proportion of vendors choosing to source DPI from a third party is gradually rising, and a majority of those doing so prefer to use a pure-play supplier of DPI components.
• Half of respondents said that encryption of protocols is reducing the effectiveness of DPI. Packet metric analysis (heuristics) was identified as the main remedy.
• More than 90 percent said ETSI NFV would affect next-generation product design, and more than half said availability of standardized virtualized network function (VNFC) components would likely lead them to source more third-party components, including the proposed ETSI DPI VNFC.
• Most vendors expect to use several hardware platform types, including in some cases proprietary or ATCA platforms, as they shift to virtualization.
• More than two thirds said the virtual switch would be important in future product designs, and most also said it should be application-aware.
DPI & Network Intelligence Technology For QoS/QoE Solutions QoS/QoE solution vendors are relying heavily on Deep Packet Inspection (DPI) technology to gather performance data from the core network as a complement to operations and maintenance center (OMC) counters. Beyond using DPI only to identify applications, QoS/QoE solutions need more detailed information on protocols and application metadata, such as RTT and jitter per application, in order to compute KPIs. In addition, they need a technology that enables systems to carry out investigations from several angles: per individual subscriber, per handset type, per data content and per network element. This translates into advanced DPI requirements and a challenge to extract detailed traffic information in real time at 10 Gb/s and above.
Just in time memory analysis for malware detection
Junos® OS Application Security User Guide for Security Devices Web-based applications are changing the dynamics of security. Previously, applications were associated with specific protocols and ports, making policy enforcement at the host level relatively straightforward. Applications that can be accessed from anywhere create a challenge for network administrators to effectively manage traffic flows and access to data while delivering the security and network services.
Juniper Networks Deep Packet Inspection-Decoder (Application Signature) Release Notes The JDPI-Decoder is a dynamically loadable module that mainly provides application classification functionality and associated protocol attributes. It is hosted on an external server and can be downloaded as a package and installed on the device. The package also includes XML files that contain additional details of the list of applications and groups. The list of applications can be viewed on the device using the CLI command show services application-identification application summary. Additional details of any particular application can be viewed on the device using the CLI command show services application-identification application detail. For additional details, see Application Signature
Judging ipANGEL – Jim Baxter Delivers the Verdict In this special report from the frontlines, Lucid Security’s own Vik Phatak goes on the record with Jim Baxter, Network Engineer, The Judge Group
ixMachine Shift your understanding of network usage from traditional packet-by-packet DPI analysis to advanced DPI, enabling unrivalled information extraction over IP networks. Based on Qosmos network information extraction (iX) technology, the Qosmos ixMachine (Qosmos ixM) portfolio of next-generation network appliances is specially designed for system integrators to meet the complex challenges of network analysis and information extraction requirements. It demonstrates Qosmos’ continued commitment to providing best-in-field infrastructure solutions, specially tailored to support clients’ business objectives and leverage business growth. By choosing the right Qosmos ixM hardware, from access to core networks, system integrators can provide their clients with unmatched visibility on network usage and metrics, enabling a wide variety of innovative high added value applications, including:
– Smart Network Optimization: unmatched visibility over network usage enables advanced optimization
– Aware billing: operators can bill not only based on the volumes of data exchanged, but also based on real usage of services, applications, content, etc.
– Data leak prevention & copyright enforcement: prevent illegal distribution of confidential documents and copyrighted materials
– Network surveillance, intelligence & legal interception: detect and intercept illegal communications over the web, whatever the application – chat, webmails, etc.
ixEngine Extract the Right Information from the Network… to Generate Value! The Qosmos ixEngine Software Development Kit enables Network Equipment Providers, Telecom Equipment Manufacturers, and Software or Solutions Vendors to integrate state-of-the-art Information eXtraction (iX) and DPI features into their product offerings. They benefit from Qosmos’ expertise in protocols to empower the creation of high-value applications. This leaves them free to concentrate on what they do best.
ITT Technical Institutes EtherPeek and AiroPeek
Issues and future directions in traffic classification Traffic classification technology has increased in relevance this decade, as it is now used in the definition and implementation of mechanisms for service differentiation, network design and engineering, security, accounting, advertising, and research. Over the past 10 years the research community and the networking industry have investigated, proposed and developed several classification approaches. While traffic classification techniques are improving in accuracy and efficiency, the continued proliferation of different Internet application behaviors, in addition to growing incentives to disguise some applications to avoid filtering or blocking, are among the reasons that traffic classification remains one of many open problems in Internet research. In this article we review recent achievements and discuss future directions in traffic classification, along with their trade-offs in applicability, reliability, and privacy. We outline the persistently unsolved challenges in the field over the last decade, and suggest several strategies for tackling these challenges to promote progress in the science of Internet traffic classification.
Iris Traffic Analyzer | Tektronix Communications A part of the Iris Analyzer Toolset, Iris Traffic Analyzer (ITA) assists your operations and engineering teams with unsurpassed visibility into the network for advanced identification and resolution of network, service and infrastructure performance issues, often before your end users are impacted. Track application response times. Understand application performance impacts. Establish baseline performance levels to assess deviations and traffic anomalies. With ITA, customizable dashlet views and seamless integration with other IrisView applications facilitate traffic profiling, troubleshooting and proactive end-to-end monitoring of network traffic, protocols and services, transaction latencies and application/host bandwidth usage.
Iris Traffic Analyzer – Data Sheet Leverage Critical Performance Information for Ongoing Customer Satisfaction A part of the Iris Analyzer Toolset, Iris Traffic Analyzer (ITA) assists your operations and engineering teams with unsurpassed visibility into the network for advanced identification and resolution of network, service and infrastructure performance issues—often before your end users are impacted. Track application response times. Verify performance for new service launches. Understand network impacts and pinpoint capacity limitations. Establish baseline performance levels to assess deviations and traffic anomalies.
Iris Session Analyzer | Tektronix Communications Iris Session Analyzer (ISA) leverages a proven multi-protocol correlation engine for real-time and historical options from a single application. Launched exclusively from the IrisView data adaptation and presentation layer, ISA provides a seamless user experience for session trace users independent of the underlying probes.
Iris Session Analyzer – Data Sheet
Iris Performance Intelligence | Tektronix Communications Iris Performance Intelligence™ The Tektronix Communications Iris Performance Intelligence (IPI) offering combines, from a single user interface, proactive performance monitoring with in-depth entity analysis tools to deliver a more complete and actionable view of application and service performance across the networks and the underlying network resources. Comprised of workflow-directed dashboard views and auxiliary reporting functions, IPI delivers real value to a variety of departments. The Iris Performance Intelligence application leverages the unique combination of a collection and correlation layer with a data adaptation and presentation layer for use by purpose-driven workflow and analytics reporting capabilities.
Iris Performance Intelligence – Ensure End-to-End Service Performance and Manage Network-wide Resources – Data Sheet IMS- and LTE-ready Solution Delivers Insights to Mobile Broadband Services and Converged Networks With the Iris Performance Intelligence offering, Tektronix Communications combines proactive performance monitoring with in-depth entity analysis tools and historical reporting functions to deliver a more complete and actionable view of value-added services and underlying network resources with a single, multi-faceted solution. Comprised of three targeted modules (FastPath, Performance Analytics and Management Reports), Iris Performance Intelligence offers Network Operations and Network Engineering personnel the visibility required to manage the profitability of the network by focusing on the services delivered.
– Ensure the network and supported services are operating at peak performance to better serve corporate accounts and individual subscribers.
– Validate market forecasts and benchmark actual service uptake for more informed expansion planning and ongoing network tuning.
IQMediaMonitor™ | ineoquest.com
IQMediaMonitor™ | ineoquest.com The IQMediaMonitor™ is a cost-effective, real-time IPTV/IP Video network test and monitoring probe that is ideal for assuring the quality of video over IP program flows. Based on powerful FPGA technology, the IQMediaMonitor provides a complete solution for monitoring, maintaining, and troubleshooting any IPTV/IP Video network. The included software applications are simple to use and allow detailed inspection of all video flows across multiple IQMediaMonitor units. Critical parameters such as MDI, bit-rates, network utilization, IP jitter and loss, and PID loss on MPEG-2, H.264/MPEG-4 part 10, MPEG-4 part 2, DCII, H.264/AVC, and WM9/VC1 are detected and logged automatically on all streams. IQMediaMonitor hardware and application software together feature several higher level functions, including user permission login, remote logging, ASI playout, and IQ Remote Video Link for remote viewing of video programming from anywhere in the network.
ipoque’s Industry-Leading Deep Packet Inspection Engine Goes Open Source
ipoque – Press Releases – Spotlight on Deep Packet Inspection
ipoque enhances IP application detection to meet the QoE demands of VoLTE and video on mobile networks – Press Release
ipoque :: Press Releases :: ipoque’s Industry Leading Deep Packet Inspection Engine Goes Open Source
IPgrab – Originally Used as a Development Template to Create Snort, Archived August 2000 The website includes information for the pre-release version, the latest release, web access to the CVS tree, and an example telnet output.
ipANGEL Vulnerability Shield Beyond Intrusion Detection Lucid Security’s ipANGEL Vulnerability Shield, coupled with Check Point FireWall-1®, provides COMPLETE protection against all network and application attacks.
ipANGEL UTM Series A Seamless Appliance That is Easy to Manage and Deploy The AmbironTrustWave ipANGEL™ UTM Series is a family of feature-rich, Unified Threat Management (UTM) network security solutions. The ipANGEL UTM Series appliances are purpose-built based on AmbironTrustWave’s leading Intrusion Prevention System (IPS) platform, to provide an enterprise-class level of security ideally suited for remote offices, retail locations and broadband telecommuting.
ipANGEL Gives Clean Bill of Health to Prowers Medical In this special report from the frontlines, Lucid Security’s own Vik Phatak goes on the record with Prowers Medical IT Director, Vince Yoder.
ipAngel Data Sheet Lucid Security’s ipANGEL Vulnerability Shield, coupled with the capabilities of FireWall-1® and SmartDefense™, provides COMPLETE protection against all network and application attacks.
ipAngel and Firewall-1 Two Great Products That Work Great Together… Lucid Security’s ipANGEL Vulnerability Shield, coupled with the capabilities of FireWall-1® and SmartDefense™, provides COMPLETE protection against all network and application attacks.
ipAngel 4.0 Appliance Specification
Intrusion Prevention IPS | TippingPoint, a division of 3Com | TippingPoint X505 Introduction Protecting enterprise networks from attacks has been improved immeasurably over the past several years. Yet, for all of the deployment of perimeter security firewalls, application security gateways, ID management systems, desktop protection software, and other network security devices, major network breaches leading to loss of personal privacy information, intellectual property and other critical data continue to make headline news.
Intrusion Prevention IPS | TippingPoint, a division of 3Com | TippingPoint Threat Suppression Engine
Intrusion Prevention IPS | TippingPoint, a division of 3Com | TippingPoint Filter Technology
Intrusion detection with Snort With over 100,000 installations, the Snort open-source network intrusion detection system is combined with other free tools to deliver IDS defense to medium- to small-sized companies, changing the tradition of intrusion detection being affordable only for large companies with large budgets. Until now, Snort users had to rely on the official guide available on snort.org. That guide is aimed at relatively experienced Snort administrators and covers thousands of rules and known exploits. The lack of usable information made using Snort a frustrating experience. The average Snort user needs to learn how to actually get their systems up and running. Snort Intrusion Detection provides readers with practical guidance on how to put Snort to work. Opening with a primer to intrusion detection and Snort, the book takes the reader through planning an installation to building the server and sensor, tuning the system, implementing the system and analyzing traffic, writing rules, upgrading the system, and extending Snort.
Introduction to Cisco IOS® NetFlow—A Technical Overview
Introducing the NEW Citrix NetScaler MPX-Series | Citrix Blogs
Introducing Gigamon Application Intelligence – Gigamon Blog
Introducing Cynerio IoT Attack Detection and Response for Healthcare According to a Ponemon Institute research report released last month on cyberattacks in healthcare, the root cause of a data breach was equally liable to be due to an insecure medical or other IoT device as caused by a phishing attack. However, while hospitals often have some kind of anti-phishing filter or solution in place, IoT protection often falls between the cracks of the typical IT security stack. Most IoT and IoMT (Internet of Medical Things) devices can’t be agented or patched. Many medical devices, even if they are not currently hooked up to a patient whose health depends on them, run outdated operating systems, lack vendor support, and even so can’t be easily replaced. If connected devices at hospitals expand the attack surface and IT security tools are unable to provide comprehensive insight into them, it is only natural that cyberattacks will evolve to take advantage of this relatively unguarded entry and pivot point.
Introducing Check Point vSEC for Google Cloud Platform | Check Point Blog
Internet Traffic Measurement: an Overview This paper gives a brief overview of the Internet as a mesh of interconnected users and service providers, explaining how service providers operate, and how they recover the costs of their services. Traffic measurement techniques are presented briefly, together with a methodology for making such measurements in large networks. Technical terms in the paper appear in italics when they are defined or are first used.
Internet Traffic Classification: A Sandvine Technology Showcase
Internet traffic characterization, PhD dissertation Traffic statistics normally collected during day-to-day operation of wide-area datagram networks are frequently insufficient for researchers to use in studying the workloads and performance of these realistic environments. As wide-area networks become more ubiquitous and service expectations rise, current methods for collecting data will become even less suitable. We examine ways to improve techniques for statistics collection so that the resulting data will enable researchers, and indeed service providers themselves, to develop more accurate Internet traffic models. We first provide a taxonomy of traffic characterization tasks. We then use operationally collected statistics to characterize traffic of the T1 and T3 NSFNET backbones. Because current infrastructural statistics collection is oriented toward either short-term operational requirements or periodic simplistic traffic reports to funding agencies, this data is often not conducive to assessing network workload or performance; we evaluate to what extent they are useful for tasks in the taxonomy, and propose improvements in current statistics collection architectures, with particular application to the NSFNET backbone. We include an investigation of the effects of sampling to characterize traffic and evaluate performance in a high-speed wide-area network environment. In the second part of the thesis we focus on items in the outlined taxonomy that are not conducive to investigation using operationally collected statistics. These items mostly involve short-term aspects of Internet flows, which operationally collected statistics fail to expose. We develop a general methodology for use in assessing Internet flow profiles and their impact on an aggregate Internet workload.
Our methodology for profiling flows differs from many previous studies that have concentrated on end-point definitions of flows defined by TCP connections using the TCP SYN and FIN control mechanism. We focus on the IP layer and define flows based on traffic satisfying various temporal and spatial locality conditions, as observed at internal points of the network. We first define the parameter space and then concentrate on metrics characterizing both individual flows and the aggregate flow. Metrics of individual flows include: volume in packets and bytes per flow, and flow duration. Metrics of the aggregate flow, or workload characteristics from the network perspective, include: counts of the number of active, new, and timed out flows per time interval; flow interarrival and arrival processes; and flow locality metrics. Applying the methodology to our measurements yields significant observations of the Internet infrastructure, which have implications for performance requirements of routers at Internet hotspots, general and specialized flow-based routing algorithms, future usage-based accounting requirements, and traffic prioritization. Finally, we discuss trends that will affect how Internet service providers collect statistics in the future. Improvements in operational statistics collection, such as support for flow assessment, will help networking activities along various time horizons, from defining service quality patterns to long-term capacity planning. We offer a unique combination of operational and research perspectives, allowing us to reduce the gaps among (1) what network service providers need; (2) what statistics service providers can provide; and (3) what network analysis requires.
Internet Statistics and Metrics Analysis: Engineering Data and Analysis Workshop Report August 31 – Sept. 1, 1998 San Diego Supercomputer Auditorium The Internet Statistics and Metrics Analysis: Engineering Data and Analysis workshop was an invitational meeting for individuals involved in developing or deploying Internet traffic measurement or analysis tools associated with backbone engineering. Thirty-nine (39) people attended, representing Internet service providers (ISPs), the research and education (R&E) community, and vendors. The meeting was held at the San Diego Supercomputer Center (SDSC) on the campus of the University of California, San Diego (UCSD). The meeting was sponsored by the Cooperative Association for Internet Data Analysis (CAIDA), with a reception co-sponsored by TCG CERFnet and Cisco Systems. The goals for the meeting included clarification of ISP requirements for Internet statistics and metrics that support backbone engineers' ability to: diagnose network problems; conduct capacity planning; and explain the phenomena resulting from topology changes.
Intelligent Traffic Management with the F5 BIG-IP Platform With the advent of smartphones and tablets, more and more users are demanding data-intensive content over both wireline and wireless broadband connections. Although the resulting explosion of data traffic has been unprecedented, it was a well-forecasted trend for more than five years, and while CSPs may not own the content or the services directly, they do own the delivery of that content to their customers. Their efforts to cope with the data boom have highlighted several challenges that threaten their futures: an inability to scale effectively, weakening revenues and operating margins, and uneven network performance.
Integrating LANGuardian with Active Directory Overview With the optional Identity module enabled, LANGuardian integrates with a Microsoft Windows environment to access additional information that it incorporates into reports, trends, and dashboards. The Identity module provides LANGuardian with: user names and department information from Active Directory; and logon and logoff information from the domain controller event logs. LANGuardian includes this information in the reports, trends, and dashboards that it creates, making them more readable and more useful for troubleshooting and monitoring activity on your network.
Integrated packet inspection and modification system and network device for … A network router includes interfaces to receive packets, a routing engine that executes a routing protocol to maintain routing information specifying routes through a network, a packet forwarding engine that forwards the packets to the interfaces in accordance with the routing information, one or more advertising engine service cards comprising a packet inspection engine and an advertising engine control unit, and a set of dynamic filters that identify packets for inspection by the packet inspection engine based on characteristics of the packet. The filters direct any matching ones of the packets from the packet forwarding engine to the packet inspection engine within the advertising engine service card, and the packet inspection engine analyzes the packets to extract information from the packets based on configured advertising engine policies. The advertising engine control unit outputs commands to dynamically add and delete filters from the set of dynamic filters.
Instant secure wireless network setup
Installing the LANGuardian ISO image This document describes how to install LANGuardian using the ISO image that is available for download from the NetFort website:
Installing LANGuardian on VMware Workstation This document describes the steps required to install LANGuardian on a system running VMware Workstation. VMware Workstation is an ideal platform to use for evaluating LANGuardian because it contains a Virtual Network Editor utility, which can be used to bridge physical network adapters to virtual appliances. This functionality allows the traffic from a monitoring session on a network switch to be bridged to the virtual LANGuardian appliance.
Innovative Bandwidth Farming For Providers of Managed Bandwidth Services with Packeteer’s Packetshaper/ISP Packeteer Technical Product Overview. Dated November 2001.
Initial DPI-SSL Setup – YouTube Learn how to set up DPI-SSL on a SonicWall firewall. Test and confirm by downloading fake viruses. We know we shouldn’t be having this much fun…
Inferring temporal relationships for cybersecurity events
Inet GeoProbe Brochure The GeoProbe System Total network visibility – it means continuously monitoring every link, analyzing every message, and reconstructing every call in the SS7 network. Only Inet’s GeoProbe system executes such vital functions and provides a complete, comprehensive view of your system.
Improving ICS Cyber Resiliency with New Version of SCADAguardian
Improve Network Efficiency with Deep Packet Inspection- Executive Brief
Identifying network intrusions and analytical insight into the same
Identifying multiple nodes in a virtual network defined over a set of public …
Identifying compromised computing devices in a network
Identifying and Measuring Internet Traffic: Techniques and Considerations Accurate traffic identification and insightful measurements form the foundation of network business intelligence and network policy control. Without identifying and measuring the traffic flowing on their networks, CSPs are unable to craft new subscriber services, optimize shared resource utilization, and ensure correct billing and charging.
Identification of potential network vulnerability and security responses in …
IBM Security QRadar Visibility, detection, investigation, and response There is no shortage of challenges facing security teams: an increase in the volume and sophistication of cyberattacks, an explosion of data, an expanding attack surface, disjointed security tools and a shortage of skilled security staff. In fact, organizations are spending hundreds of hours a week investigating suspicious alerts and yet, despite this time spent, close to 17% of alerts are not being investigated. Organizations seeking to protect their customers’ identities, safeguard their intellectual property and avoid business disruption need to proactively monitor their environment so that they can rapidly detect threats and accurately respond before attackers are able to cause financial and reputational damage.
IBM Security QRadar SIEM | IBM IBM Security® QRadar® Security Information and Event Management (SIEM) helps security teams detect, prioritize and respond to threats across the enterprise. As an integral part of your zero trust strategy, it automatically analyzes and aggregates log and flow data from thousands of devices, endpoints and apps across your network, providing single alerts to speed incident analysis and remediation. QRadar SIEM is available for on-prem and cloud environments.
IBM Security QRadar QFlow Collector appliances for security intelligence Security intelligence through increased network visibility As the security threats facing organizations have grown exponentially, the need for greater visibility into network activity has become an imperative. Attacks and breaches have become more sophisticated, attackers now pursue targets of choice rather than targets of opportunity, and the consequences can include significant brand and financial damage or risk to critical infrastructures.
IBM QRadar SIEM Data Sheet Detect threats with IBM QRadar Security Information and Event Management (SIEM) Today’s networks are larger and more complex than ever before, and protecting them against increasingly malicious attackers is a never-ending task. Organizations seeking to safeguard their intellectual property, protect their customer identities and avoid business disruptions need to do more than monitor logs and network flow data; they need to leverage advanced, easy-to-use solutions to quickly detect security offenses and take action. IBM® QRadar® SIEM can serve as the anchor solution within a small, medium or large organization’s security operations center to collect, normalize and correlate network data using years’ worth of contextual insights. It also integrates with hundreds of IBM and non-IBM products and provides complete, unified visibility to security events in on-premises, hybrid, and cloud environments.
IBM and Narus Combine Forces for Carrier IP Security-Press Release
HTTP IDS Evasions Revisited This paper describes two general IDS evasion techniques and applies them to the HTTP protocol. These techniques are illustrated using some older types of HTTP evasions and some new HTTP evasions. The different types of evasions occur both in the Request URI portion of the HTTP protocol and by using the protocol standard in HTTP/1.0 and HTTP/1.1. The evasions within the Request URI address evasion types possible in encoding and obfuscating the URL and parameter fields in the Request URI. The various methods of valid URL encodings for both the Apache and Internet Information Server are explained and examples given for each type of encoding. HTTP IDS evasions are also demonstrated using the HTTP protocol properties against the IDS. These evasions incorporate the request pipeline property and the content-encoding header. This paper should help explain how HTTP IDS evasions work and give the reader enough knowledge to generate their own HTTP IDS evasions using these general principles and examples.
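The two evasion classes the paper summarizes (Request-URI encoding/obfuscation and protocol-level tricks such as pipelining) are illustrated below with added example code written for this page, not the paper's own tools. The signature "/admin/config", the sample URIs and the pipelined payload are constructed; the server switch encodes the paper's Apache-versus-IIS distinction (IIS decodes %uXXXX, accepts backslash as a separator and is case-insensitive, Apache does none of these). An IDS that matches the raw Request-URI misses every encoded form; one that canonicalizes the way the target server would does not.

```python
"""Added example (not from the paper): Request-URI normalization before
signature matching, plus splitting pipelined requests out of one TCP payload.
The signature, URIs and payload below are constructed for illustration."""
import re
from typing import List, Tuple

HEXDIGITS = set("0123456789abcdefABCDEF")


def percent_decode(s: str, iis_unicode: bool = False) -> str:
    """One decoding pass: %XX everywhere, %uXXXX only when iis_unicode is set."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "%":
            if iis_unicode and s[i + 1:i + 2] in ("u", "U") and len(s) >= i + 6 \
                    and all(c in HEXDIGITS for c in s[i + 2:i + 6]):
                out.append(chr(int(s[i + 2:i + 6], 16)))
                i += 6
                continue
            if len(s) >= i + 3 and all(c in HEXDIGITS for c in s[i + 1:i + 3]):
                out.append(chr(int(s[i + 1:i + 3], 16)))
                i += 3
                continue
        out.append(s[i])
        i += 1
    return "".join(out)


def normalize_uri(uri: str, server: str = "apache") -> str:
    """Canonical path as the target server ("apache" or "iis") would resolve it."""
    iis = server == "iis"
    path = uri.split("?", 1)[0]                 # the query string cannot change the path
    for _ in range(3):                          # bounded re-decoding defeats double encoding
        decoded = percent_decode(path, iis)
        if decoded == path:
            break
        path = decoded
    if iis:
        path = path.replace("\\", "/")
    segments: List[str] = []
    for seg in path.split("/"):                 # resolve "." and "..", collapse "//"
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    path = "/" + "/".join(segments)
    return path.lower() if iis else path


def matches(uri: str, signature: str, server: str = "apache") -> Tuple[bool, bool]:
    """(hit on the raw URI, hit on the normalized URI)."""
    return signature in uri, signature in normalize_uri(uri, server)


def split_pipelined(payload: bytes) -> List[bytes]:
    """Request line of every HTTP request pipelined into one TCP payload.
    Bodies are skipped via Content-Length so a later request is not hidden
    behind the first one's body."""
    lines, rest = [], payload
    while rest:
        head_end = rest.find(b"\r\n\r\n")
        if head_end < 0:
            break                               # incomplete request: wait for more data
        head = rest[:head_end]
        m = re.search(rb"(?im)^content-length:[ \t]*(\d+)[ \t]*\r?$", head)
        body_len = int(m.group(1)) if m else 0
        lines.append(head.split(b"\r\n", 1)[0])
        rest = rest[head_end + 4 + body_len:]
    return lines


SIGNATURE = "/admin/config"                     # constructed signature
EVASIONS = [                                    # constructed URIs that all reach /admin/config
    ("/admin/config", "apache"),
    ("/%61dmin/config", "apache"),              # hex encoding
    ("/%2561dmin/config", "apache"),            # double encoding
    ("/foo/../admin/./config", "apache"),       # traversal and self-reference
    ("//admin///config?x=/other", "apache"),    # slash padding, decoy in the query
    ("/%u0061dmin\\CONFIG", "iis"),             # IIS %u encoding, backslash, case
]
PIPELINED = (b"GET /index.html HTTP/1.1\r\nHost: x\r\n\r\n"
             b"POST /admin/config HTTP/1.1\r\nHost: x\r\nContent-Length: 5\r\n\r\nhello"
             b"GET /about HTTP/1.1\r\nHost: x\r\n\r\n")

if __name__ == "__main__":
    for uri, server in EVASIONS:
        raw, norm = matches(uri, SIGNATURE, server)
        print(f"{uri:32} {server:6} raw={raw!s:5} normalized={norm}")
    print(split_pipelined(PIPELINED))
```

The normalizer deliberately does not decode %u on the Apache side: decoding more than the server does creates false positives just as decoding less creates evasions, which is why the paper treats the two servers separately.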
HP S Intrusion Prevention System (IPS) N Series
HP Protocol Analyzers Protocol Analyzers Protocol analyzers are essential tools for managing networks by providing analysis of protocols (sets of rules or procedures used to exchange information between devices) of communication networks. Basic models passively monitor individual network links, usually testing from the bottom of the protocol stack upward. Many can decode traffic, measure bit error rates, and provide historical data from switches, routers, and other devices. Recreating and solving protocol problems in multiple technology networks requires advanced protocol analyzers with stimulus-response capabilities. Versions let users test both sides of a network device, emulating traffic going in (including call setup and service negotiation) and monitoring traffic coming out. Sophisticated decodes, triggers, filters, and synchronized time stamps aid understanding events occurring on different ports. Protocol analyzers can be configured with software and line interfaces to test WAN, LAN, broadband and narrowband ISDN, and signaling protocols. Applications include product development, QA, conformance/interoperability tests, and field trials. Portable models that combine protocol analysis, bit error rate testing, and a PC ease network maintenance.
HP OpenView VantagePoint Operations for UNIX Administrator’s Reference, Volume II, Edition 4
HP OpenView VantagePoint Internet Services Passive Monitoring Component for VPO User’s Guide Version: A.03.50
HP OpenView VantagePoint Internet Services Passive Monitoring Component for VPO User’s Guide Version: A.03.00 dated November 2000
HP OpenView Select Access Policy Builder Guide Software Version: 6.0 for HP-UX, Linux, Solaris, and Windows operating systems
HP OpenView Select Access Developer’s Guide Software Version: 5.2 for HP-UX, Linux, Solaris, and Windows operating systems
HP OpenView Reporter Concepts Guide HP OpenView Reporter creates Web-based reports from data of targeted systems it “discovers.” Discovery of a system can occur if the system is running OpenView agent software. Agent software includes HP OpenView MeasureWare Agent for Windows NT/2000 (MeasureWare Agent) or HP OpenView Performance Agent on UNIX systems. (Using HP OpenView Vantage Point Operations (VPO) data or Oracle as the database requires special configurations; see instructions in the appendices.) Please see the links that follow the illustration below. After Reporter has run through its discovery
HP OpenView Problem Diagnosis Concepts Guide
HP OpenView PolicyXpert User’s Guide
HP OpenView PolicyXpert Product Brief HP OpenView PolicyXpert allows Service Providers and IT Network Operators to intuitively manage bandwidth and Quality of Service (QoS). Service Providers can now control IP QoS and offer differentiated services. Mission critical applications running over wide area networks (WANs) benefit from PolicyXpert’s end-to-end configuration of heterogeneous networking environments. Managers can now translate business needs into specific operational behaviors within the network infrastructure. HP OpenView PolicyXpert offers a new network management paradigm that allows end-to-end service level management and configuration across heterogeneous networks. Based on a technology partnership between HP and the Intel Corporation, PolicyXpert creates, distributes, and enforces policies on key resources in the network environment to ensure these business needs are met.
HP OpenView PolicyXpert Developer’s Guide
HP OpenView PolicyXpert – Software Developer’s Toolkit PolicyXpert Developer’s Toolkit is the key to creating device specific proxy agents that integrate with the industry-leading provisioning and configuration management solution.
HP OpenView Performance Manager Concepts Guide Performance Manager (OVPM), a Web-based analysis and planning tool, provides graphs and drill-down data of near real-time system performance information. With this information, you can evaluate system performance, manage systems, look at usage trends, and make system performance comparisons. Performance Manager can display any of the following: ■ Graphs such as line, bar, area ■ Tables for data such as process details ■ Baseline graphs ■ Dynamic graphs in Java format that allow you to turn off display of individual metrics or hover over a point on a graph and see the values displayed
hp OpenView Performance Manager Administrator’s Guide
HP OpenView Performance Insight Report Pack for RMON Ethernet Statistics Version: 1.0 User Guide This chapter covers the following topics: • Remote monitoring • OVPI and ethernet statistics • Customizing reports • Integration with Network Node Manager (NNM) • Additional sources of information
hp OpenView performance insight Report Pack for NetFlow Interface, Version 1.0, User Guide The NetFlow Interface Report Pack processes network flow data and calculates various metrics for a selected interface for a given time period. The purpose of this guide is to help you install, configure, and provision this package. Provisioning may be optional. If you want to populate reports with customers and locations, or if you are a service provider and you want to share reports with customers, provisioning is mandatory
HP OpenView Performance Insight Report Pack for IP QoS Statistics Version: 1.0 User Guide This chapter covers the following topics: • QoS reporting from OVPI • Customizing QoS reports • Adding property information to reports • Sources for additional information
hp OpenView performance insight NNM/OVPI Integration Utility Integrating OVPI with Network Node Manager User Guide The NNM/OVPI Integration Utility creates tight linkages between HP OpenView Network Node Manager (NNM) and HP OpenView Performance Insight (OVPI). By joining fault management to performance management, the NNM/OVPI Integration Utility enhances problem diagnostic capabilities. If you are already familiar with NNM, you are about to see more performance data than you are accustomed to seeing. This additional data will provide the information you need to resolve network-based service level problems easier and faster than was possible in the past. This document describes the technical aspects of the utility and provides complete installation instructions.
HP OpenView Performance Insight NetFlow Preprocessor User Guide, Version: 3.0, UNIX and Windows
HP J2522B Internet Advisor LAN – Ethernet The HP Internet Advisor LAN – Ethernet (HP J2522B) features an easy-to-use Windows®95 based user interface that facilitates comprehensive testing of Ethernet networks. The HP Internet Advisor is a portable, pc-based, full-featured network analyzer that allows users to install, support and maintain local area network (LAN), wide area network (WAN), and asynchronous transfer mode (ATM) networks by providing powerful features and a Windows interface that make troubleshooting any network segment quick and easy.
HP Computer Museum – Network Advisor Software Download
How Symantec Endpoint Security Protects You
How much do applications benefit from PacketShaper Acceleration?
How Can Infrastructure Devices Implement Policy? – White Paper
High-speed ip flow mediation apparatus using network processor
High End Products Compare – SonicWall
Hierarchical packet process apparatus and method
Hewlett-Packard Journal October 1992
Hardware-Based Filtering – Allows user to determine what type of traffic is copied from the network ports to the monitor ports based on OSI Layer 2-7 criteria – VSS Monitoring
Guardian Industrial Strength OT and IoT Security and Visibility Up-to-Date Asset Inventory: enhances cyber resiliency and saves time with automated asset inventory; identifies all communicating devices; provides extensive node information including name, type, serial number, firmware version and components; presents risk information including security and reliability alerts, missing patches and vulnerabilities. Reduced Risk Through Network Visualization: provides instant awareness of your OT/IoT network and its activity patterns; presents key data such as traffic throughput, TCP connections, and protocols; improves your understanding of ‘normal’ operations. Add-on Smart Polling: expands Guardian’s built-in passive asset discovery with low-volume active polling, see nozominetworks.com/smart-polling. Intuitive Dashboards and Reports: explore macro views as well as detailed information on endpoints and connections; filter by subnets, type, role, zone and topologies; group assets visually, in lists and detailed single asset views.
Hardware accelerated application-based pattern matching for real time …
GTE Internetworking Web Advantage Uses Cisco NetFlow for Innovative Billing
GTE Internetworking  [Cisco IOS NetFlow] – Cisco Systems
Going Beyond Deep Packet Inspection (DPI) Software on Intel Architecture
Gigamon Deep Dive: For Consultants and Presales Professionals
DNE Case Studies IP Dynamics, Cisco Systems, NetIQ, Ositis Software, Gilian Technologies, Irdeto Access
DNE 3.11 Release Notes
DNE 2.10 Release Notes
Distributing service function chain data and service function instance data in … In one example, a method includes receiving, with a network device, a portion of a subscriber session packet flow for a subscriber session, and reassembling application-layer data from data packets in the subscriber session packet flow into one or more application flows for the subscriber session. The method includes identifying, from the application flows, application identity information for the application flows, and applying a first session policy to the subscriber session. Applying the first session policy includes applying one or more application policies to the application flows in the subscriber session based on subscriber information and the application identity information for the application flows. The method includes processing the application flows in the subscriber session for accessing a packet data network in accordance with the application policies.
Distributed service function forwarding system
Distributed packet deduplication
Digging Deeper Into Deep Packet Inspection (DPI) | dPacket.org: Deep Packet Inspection / DPI / Community
Device, system and method of traffic detection
Deterministic Policy Agent Features General: implements policies based on application (by name), user (by name), source/destination addresses or ports, and by time of day; operates with any applications (even those that dynamically allocate ports); operates in DHCP and dial environments; accepts policies from COPS, COPS-PR, and from SNMP-capable servers; accepts file-based policies. Policies include: bandwidth limits, bandwidth guarantees, TOS, 802.1p, access control, priority, DiffServ. No measurable performance overhead; runs on clients and/or servers; transparent install.
Deterministic Network Extender Data Sheet Robust toolkit for developing “packet-aware” applications DNE is a cross-platform, multi-threaded, extensible “shim” that uses a plug-in model to extend network stack and driver functionality. DNE is used to capture, examine, and potentially manipulate network packets entering or leaving a system. Using filters, DNE dynamically routes traffic to plug-ins which can manipulate the traffic before it reaches applications or the network. DNE is potentially useful to any product that needs direct access to network packets. It is the only toolkit that allows developers to create networking drivers that run on multiple operating systems. A plug-in written for DNE can run with little or no modification on all DNE-supported platforms, including Windows XP, 2000, ME, 98, 95, NT, CE, PocketPC, Linux, Solaris, and HP-UX. A DNE plug-in written for one operating system usually needs only to be recompiled to run on other operating systems. Key Benefits • Dramatically lower development and maintenance costs • Speed time to market • Maintain a single source base for applications running on multiple platforms and operating systems • Eliminate the need to go through WHQL process • Ensure compatibility with operating system and application updates • Sophisticated packet ordering and filtering • Portable, cross-platform IOCTL interface
Deterministic Network Extender (DNE) Our Cross-Platform (Windows, Solaris, Linux, WinCE, etc.) Network Extender allows you to implement unique driver-level functions like packet schedulers, IPSEC, MobileIP, routers, traffic redirectors, and much more. There are millions of DNE systems installed. DNE has solved the problems seen with competitive NDIS intermediate drivers including NT WAN/RAS/WINS, NetBeui on W2K, DHCP and spoofing, Virtual Adapters, WAN support (including working with products like AOL), VPN support, and compatibility with Microsoft and non-Microsoft products. A plugin written for DNE runs under DNE’s digital signature and does not need to go through the complex and expensive WHQL signing process. DNE is a multithreaded NDIS-compliant module (in Windows environments), which appears to be a network device driver to all protocol stacks and a protocol driver to all network device drivers. It supports all network protocols and network adapter types (e.g. WAN, LAN, USB, etc.). A Plugin registers with DNE and can look at packets (including MAC-level), modify, delete, insert, or redirect them. Most operations can be done without copying the packets so there is no measurable overhead. Plugins are invoked when inbound or outbound packets match pre-specified filters. The filtering scheme is identical to the one used by the ESP. DNE can support thousands of filters simultaneously. DNE also supports a standard, cross-platform IOCTL interface to application space for configuration, high speed data exchange or plugin coordination. Its efficient ordering scheme guarantees proper execution of potentially conflicting network functions (e.g. NAT, IPSEC, QoS running together).
Deterministic Application Filter TDI-based Identifier of Applications and Users Our Deterministic Application Filter is TDI-based software which identifies packet flows from any and all applications running on Windows systems. The application filter recognizes the start and stop of application flows and gives you the application name, process ID, and the associated traffic signature (source and destination IP addresses and ports) to enable you to uniquely associate a packet with a user and application. It extends DNE filters to allow you to request traffic from specific applications, all applications, or just to see session initiations, even from UDP flows. Key Features • Transparent installation across operating systems. • Allows you to use filters to capture, modify, redirect, insert, and delete incoming and outgoing packets by application. • Recognizes TCP and UDP application starts and stops. • Classifies even non-Winsock-based applications. • Integrates seamlessly with DNE.
Determining quality of experience confidence level for mobile subscribers
Determine service impacts due to device software upgrades
Detection of exploitative program code
Detecting network devices and mapping topology using network introspection by …
Detecting inappropriate activity in the presence of unauthenticated api …
Detect WannaCry Initial Exploit Traffic with NetMon | LogRhythm
Deploying Polycom VSX Video Conferencing Systems with PacketShaper to Deliver Predictable QoE
Deep Security and VMware NSX Defining a Security Framework for the Software Defined Data Center The Software Defined Data Center is an evolution and extension to server virtualization. While server virtualization dramatically maximizes the deployment of computing power, the Software Defined Data Center does the same for all of the resources needed to host an application, including storage, networking and security.
Dell SonicWall SuperMassive Next-Generation Firewall Series The Dell™ SonicWALL™ SuperMassive™ Series is Dell’s Next-Generation Firewall (NGFW) platform designed for large networks to deliver scalability, reliability and deep security at multi-gigabit speeds with near zero latency.
DeepFlow™ Security for HP ArcSight A new source of forensic traffic information for faster discovery and containment of advanced cyber threats. With the addition of DeepFlow records, HP ArcSight can typically reduce time to discovery and containment of security breaches from weeks to days.
Deep Packet Inspection- Technology, Applications & Net Neutrality-White Paper
Deep Security 8.0 Virtualization and cloud computing have changed the face of today’s data center. Yet as organizations move from physical environments to a mix of physical, virtual, and cloud, many have addressed the prevailing threat landscape with yesterday’s mix of legacy security solutions. The results can actually threaten desired performance gains—causing undue operational complexity, leaving unintentional security gaps, and ultimately hindering the organization’s ability to fully invest in virtualization and cloud.
Deep Packet Inspection Solutions | AT&T Cybersecurity Encryption of traffic on the web establishes a crucial security foundation for confidentiality and privacy online. However, encryption also provides a cloak to cybercriminals by which to transmit malware. Many firewalls claim that they offer deep packet inspection capabilities, but decryption is so processor-intensive that it greatly reduces the performance to an unacceptable level. AT&T Global Security Gateway is a managed service that offers unified protection against web-based threats for virtually all of your users, whether they are working from the office or remotely. This solution allows organizations to utilize deep packet inspection to help determine if the content they are interacting with on the Internet contains malware, removing the burden of this function from firewalls.
DEEP PACKET INSPECTION FOR THREAT HUNTING 2018 Deep Packet Inspection (DPI) is one of the technologies frequently used in cybersecurity: DPI is embedded in products like NG firewalls, UTMs, secure gateways, and various threat analysis tools. DPI sensors represent a new way of leveraging DPI: they strengthen an existing security tech stack inside high-end SOCs with detailed traffic intelligence and can significantly improve threat hunting for the most advanced attacks. This report summarizes the findings of a survey by Cybersecurity Research among cybersecurity professionals, performed during the summer of 2018.
Deep packet inspection device and method
Deep packet inspection device and method
Deep Packet Inspection | Procera Networks: Empowering Intelligence
Deep Packet Inspection /DPI/ – Network Intelligence – QOSMOS | Qosmos Virtualized DPI /VNFC/ Qosmos DPI as a Virtual Network Function Component /VNFC/ complies with an official use case standardized by ETSI in July 2013. This new Qosmos product runs in a virtual machine and uses optimized interface to feed application information and metadata to other integrated components, together forming virtual networking equipment /VNFs/ such as Service Routers, GGSN, PCEF, BRAS, ADC/Load Balancers, Network Analytics, NG Firewalls, WAN optimization, etc.
Deep Packet Inspection /DPI/ – Network Intelligence – QOSMOS | ixMachine Probes
Deep Packet Inspection /DPI/ – Network Intelligence – QOSMOS | DPI Engine Qosmos ixEngine is a Software Development Kit /SDK/ composed of software libraries and tools that are easily integrated into new or existing solutions. Developers benefit from market-leading IP flow parsing technology to accelerate the delivery of application aware solutions. Qosmos ixEngine can be used in all environments: physical, virtualized and in SDN architectures.
Deep Packet Inspection /DPI/ – Network Intelligence – QOSMOS | DeepFlow Probes
Deep Packet Inspection /DPI/ – Network Intelligence – QOSMOS | DeepFlow for Network Analytics Vendors
Deep Packet Inspection /DPI/ – Network Intelligence – QOSMOS | Cyber Defense
Deep packet inspection – IBM Documentation
Deep Packet Inspection AppRF is Aruba’s custom-built Layer 7 firewall capability. It comprises an on-board deep packet inspection engine and a cloud-based Web Policy Enforcement service that allows creating firewall policies based on types of application. The web policy enforcement capabilities require the IAP to have a web policy enforcement subscription. Please contact the Aruba Sales Team.
Deep Packet Inspection
Deciphering Internet Protocol (IP) Security in an IP Multimedia Subsystem (IMS) …
De Lage Landen, Sniffer Distributed, Sniffer Portable – Case Study
Dave Plonka’s Home Page
Data transport acceleration and management within a network communication …
Data Traffic Classification – Supported Protocol Updates | Allot
Data offloading apparatus and method
Data integrity scoring and visualization for network and customer experience …
Data Enrichment Process Captured data and imported PCAPs are sent to the metadata indexer. The metadata indexer then sends the packets to the deep-packet inspection (DPI) engine, where the packet headers are extracted and classified.
Data Center Security Based on Micro-Segmentation: Protect Traffic Between VMs up to Application Level Micro-segmentation is a new way to enhance security for east-west traffic within a data center. This new approach requires real-time application-awareness which can be provided by an L7 Classifier based on Qosmos ixEngine®.
Cynerio & Check Point Joint Solution Brief: Medical- First IOT Security
Customized content billing management server and method
Cross flow parallel processing method and system
Coverage Digest- Gigabit Monitoring — Tap Aggregation, Regeneration and Filtering to enable Deep Packet Inspection (DPI) in Carrier IP Networks The weapon of choice for service-oriented network monitoring is Deep Packet Inspection (DPI). Typically, DPI is performed by high-performance software solutions that run on standard server hardware platforms, enabling providers to identify, classify or even selectively block IP traffic. DPI is used to detect and protect against security threats and network anomalies, and facilitate wiretapping and reconstruction of relevant digital transactions.
Cornell University Weill Medical College Utilizes EtherPeek NX
Core Technologies Deterministic Networks has developed several core software components which allow us to deliver the industry’s most complete Policy Solutions. Several of these are so unique that we have applied for patents on the technology. To understand how we can do what we do, check out the following unique components: Application Classifier Engine (ACE) – Our patented ACE identifies all networking traffic flows. Unlike other classification schemes such as Stateful Inspection, ACE actually sees the applications. It can classify encrypted traffic, and even identify new unknown applications by name (e.g. John downloads Network Eater IV from the Web). Application Management Probe (AMP) – AMP collects traffic statistics and network level performance information about users, applications, and destinations by time of day. This information is placed in our Application Management MIB which can be viewed and managed by any SNMP-capable Network Management System. Extensible Service Provider (ESP) – Our patented ESP is a Winsock 2 extensible Layered Service Provider. Rather than developing illegal Winsock shims or performance-burdened proxies, ESP provides for easy development of layer 5 and 6 application and protocol extensions. Our customers have used ESP for transparent proxies, traffic monitors, classifiers for policy servers and infrastructure bandwidth controllers, authentication agents, VPN redirectors, high-level policy enforcers, and more. Deterministic NDIS Extender (DNE) – DNE is a cross-platform, extensible stack/driver shim which uses a plugin model to extend network stack and driver functionality. With its sophisticated filtering and ordering scheme (the same one that ESP uses at the application level), DNE is the ideal vehicle for developing host-based routers, IPSEC implementations, traffic schedulers, traffic analyzers, and other driver extenders like Mobile IP. A plugin written for DNE can run unmodified on all DNE-supported platforms (Windows XP, 2000, ME, 98, 95, NT, Linux, Solaris, HP-UX and more). Application Management Extender (AME) – AME is a unique software module which facilitates communication between applications, ESP plugins, and kernel-level DNE plugins. This unifying technology provides a single COM/DCOM API to simultaneously gather information from, configure, or control both user and kernel level components.
CoralReef Software Suite – Description CoralReef is a suite of flexible, high performance Internet traffic data collection and analysis tools. The CoralReef suite is a totally passive monitoring system which does not require any additional network infrastructure and does not increase network traffic or interfere with other network devices. Monitoring of optical networks is done with an optical splitter which diverts a small fraction of the light from the optical fiber to the monitor device.
CoralReef Frequently Asked Questions 1. General Questions 1.1 What is CoralReef? 1.2 What is the status of the project? 1.3 What are the differences between the members only version of CoralReef and the not-for-profit version that is available on the CAIDA web site? 2. Hardware Questions 2.1 What are the CoralReef machine specs? 2.2 What are the specifications for the OCx interface card? 2.3 What sort of splitters are required and where can they be purchased? 2.4 Are there any remaining sources for the former Apptel POINT cards? 2.5 I followed your specs and bought all the parts. Now when my machine boots up I can see that two devices try to share the same IRQ. Is this ok? 2.6 Is there a vendor or system integrator you people can recommend? 3. Link Layer 3.1 What protocols does CoralReef support? 3.2 Will the ATM cards support culling traffic from specific VCs? 3.3 Will CoralReef enable me to get the cards to echo /pass-through/ ATM cells /which would make it possible to splice the card into the existing fiber link instead of splitting off part of the signal for the card/? 3.4 What about SDH on European links? 3.5 What POS support does CoralReef provide? 3.6 Does CoralReef support any Gigabit Ethernet cards? 3.7 When I use CoralReef’s cell reassemble function, how can I make sure that no cells are lost? 4. Transport Layer 4.1 Will the ATM cards support culling traffic from specific IP address/flows/VCs? 4.2 Can I play back traffic using your CoralReef software? 4.3 Do you have a tcpdump to coral converter? 4.4 Do you have a coral to tcpdump converter? 5. Software 5.1 How do I start using the software? 5.2 Where can I get a routing table to use t2_report[++]? 5.3 How can one control when a flow is finished using crl_flow? Does crl_flow use the FIN packet for flow termination? 6. Analysis modules 6.1 How can I convert an IP address into an AS /Autonomous System/ number? 6.2 How do I get routing tables for ASFinder? 7. Human Interface 7.1 Is it possible to generate HTML reports using CoralReef? 7.2 I have many scripts that work on the old NLANR Coral format. How can I make them work with the new package? 7.3 What is the CoralReef file format? 7.4 Do you have a description of all the applications that come with CoralReef? 8. Troubleshooting 8.1 When compiling on a LINUX system, I get errors involving bool. How do I fix these? 8.2 CoralReef won’t compile with gcc 2.96. How do I fix this? 8.3 The Perl applications complain about undefined symbols. How do I fix this? 8.4 Why do the cell timestamps jump backward in my POINT trace? Why do some applications report intervals with negative duration? 8.5 Why do the cell timestamps jump backward in my FATM trace? 8.6 Why does the point card sometimes report -185273100 or -454761244 cells lost? 8.7 Why does running some Coral applications appear to cause cell/packet loss when the applications are run for short durations? 8.8 Why do CoralReef applications crash the first time one is run on a DAG card? 8.9 How do I fix this error on a dag device: coral_open: /dev/dag0: ioctl FILLINFO: Inappropriate ioctl for device? 8.10 Why does the report generator t2_report[++] report a large number of Autonomous Systems /AS’s/ as unknown? 8.11 Why doesn’t my pcap filter expression match any packets on my VLAN?
CoralReef Download Page Version 3.3.1 includes bug fixes since 3.3.0. Version 3.3.0 included many improvements to t2_report and other analysis applications, and to the C and Perl APIs. See the CHANGELOG for a detailed list of changes.
Coral: Passive network traffic monitoring and statistics collection Coral is a suite of flexible, affordable, high performance network statistics collection tools. Coral is an extension of the DOS-based OC3mon and OC12mon activity of MCI, which was based on measurement and analysis tools assessing active flows for Ethernet and FDDI developed at SDSC under the NLANR /now NLANR MOAT/ project. Current development under the CAIDA project is focused on the OC3 and OC12 collection tools implemented on a PC running FreeBSD. Plans include development of an OC48 monitor /development led by Joel Apisdorf of MCI Worldcom under CAIDA’s NGI project/, and eventually an OC192 monitor as well. The Coral suite also includes software for collection and analysis of traces collected with the monitors.
Coral – Security Applications CAIDA is collaborating with the Pacific Institute for Computer Security /PICS/ at SDSC to enhance the OC12mon passive traffic monitor to facilitate ubiquitous network monitoring at aggregation points /e.g. DMZ’s and up-stream ISP’s/, by developing dynamic filtering and data collection, security policy compliance monitoring, and security policy enforcement components. Filtering is required to reduce data, isolate suspicious traffic, minimize contention for the peripheral bus, and permit persistent monitoring of heavily-loaded links. This will be accomplished with two-level filtering: in hardware on the network adaptor FPGA and in the host kernel. Modifications of the FPGA firmware to enable classes of filters will be developed. In-kernel filtering will be optimized with a zero-copy design built around the BSD Packet Filter /BPF/ machine. Once the basic filtering and data collection mechanisms are in place, security-relevant capabilities can be expanded. We will build on previous work to perform further data reduction through dynamic filtering. In this approach, traffic matching specified flow filters /e.g. attack precursors/ triggers realtime modification of traffic collection filters to enable detailed flow data collection. This detailed flow data collection could not be accomplished with conventional static filters. We will extend the OC12mon capabilities by developing security policy compliance and enforcement modules. The compliance module takes a network security policy, formulated by a set of protocol filter rules, and passively audits traffic on the link for compliance. Statistics and alerts may be generated for non-compliant traffic. The compliance monitor could be used to signal an enforcement module to actively respond to the non-compliant traffic. In previous work, we developed an enforcement module for broadcast media. We will explore new mechanisms, applicable to non-broadcast media, to enable policy enforcement. These could include NNI protocol attacks, switch re-configuration, and packet insertion. While the focus of this task is on security applications of the OC12mon, the expanded capabilities are by no means limited to security. This task will permit more general filtering and detailed data collection with the OC12mon. Such capabilities would be quite useful in other areas such as network management and trouble-shooting where one may wish to detect and extract specific or aberrant protocol traffic in realtime.
Converting Signal Strength Percentage to dBm Values
Converged access control method using network access device at penetration node …
Contrail Networking Datasheets | Juniper Networks Simple, open, and agile, Contrail Networking solves networking challenges for multiple cloud environments. With its scale-out microservices architecture and distributed control and data planes, Contrail Networking orchestrates virtual networks and network services at the performance and scale required of the largest, most dynamic clouds. Service providers, enterprises, software-as-a-service /SaaS/ providers, and hosting and cable providers use Contrail Networking to connect heterogeneous cloud environments, accelerating the deployment of innovative cloud applications and services while providing the agility, interoperability, and automation that application developers and network operators demand.
Contrail Networking Simple, open, and agile, Contrail Networking solves networking challenges for multiple cloud environments. With its scale-out microservices architecture and distributed control and data planes, Contrail Networking orchestrates virtual networks and network services at the performance and scale required of the largest, most dynamic clouds. Service providers, enterprises, software-as-a-service /SaaS/ providers, and hosting and cable providers use Contrail Networking to connect heterogeneous cloud environments, accelerating the deployment of innovative cloud applications and services while providing the agility, interoperability, and automation that application developers and network operators demand.
Context-Aware Firewall Context-aware firewall enhances visibility at the application level and helps to override the problem of application permeability. Visibility at the application layer helps you to monitor the workloads better from a resource, compliance, and security point of view.
Context engine model
Context based firewall services for data message flows for multiple concurrent …
Content Delivery Networks Layer 7 switches or “content switching” serve as the basis of content delivery networks or CDNs. These geographically dispersed networks, which incorporate technologies such as those used in Procera’s Network Application Visibility Library /NAVL/ to direct specific application traffic to certain locations, are designed to take bandwidth-intensive traffic and content such as HD video closer to the consumer and store it locally. This means that the content travels shorter distances over faster pipes to fewer people, costing less to transmit on a per-bit basis and helping ensure a higher quality of experience for all users.
Configuring Network-Based Application Recognition Configuring Network-Based Application Recognition This chapter describes the tasks for configuring the Network-Based Application Recognition /NBAR/ feature. For complete conceptual information, see the section
Configuring Netflow Statistics Collection
Confidence intervals for key performance indicators in communication networks
Compuware News Release – May 10, 1999
Compuware Ecoscope- Analyzing Application Performance- How to Analyze performance with EcoSCOPE- white paper
Computer Laboratory – Nprobe: Network protocol analysis, Archived March 2003
Comprehensive Core-to-Access IP Session Analysis and Correlation for GPRS and UMTS networks Adoption of rich media and IP-centric mobile broadband data services has dramatically increased the number of IP data sessions within the mobile operator’s core and radio-access network. Additionally, mobile operators face significant technical challenges as they transform their infrastructure from legacy technology to all-IP networks.
Comparison of network traffic analysis protocols. NetFort LANGuardian analyzes the traffic on your network and uses advanced deep packet inspection techniques to give you a unique level of visibility into everything that’s happening on your network, including user activity, file and database monitoring, intrusion detection, bandwidth usage, and Internet access. LANGuardian can analyze full packet data as well as flow data conforming to the NetFlow and sFlow protocols. This document lists the main features of LANGuardian and shows their availability in terms of the traffic information that is provided to the software.
Company Overview
Communications switching architecture Presently described is a system and method for switching multimedia data communications, including but not limited to Voice over IP /VoIP/ telephony, cable TV, digital audio and video. The system utilizes a single, integrated device to provide all PacketCable-compliant functionality, including enhanced user privacy, compliance with CALEA, E911 and other mandated services not available in conventional distributed PacketCable systems. High speed and efficient, low cost operation are provided by means of an optimized data unit encapsulation scheme for internal switching and routing. A proprietary fiber optic backplane and removable optical connectors are used to enable lightspeed internal communications hot-swapping of components. Furthermore, the present system is extensible to all forms of digital data switching and is secure, resistant to Denial of Service attacks, and fault-resilient.
Communication node having traffic optimization capability and method for …
Collecting asymmetric data and proxy data on a communication network
Collecting and processing contextual attributes on a host
Collecting and processing context attributes on a host
Collecting and processing context attributes on a host
CloudGuard Cloud Network Security | Check Point Software
Cloudguard Architecture Blueprint Diagrams
Cloud-based gateway security scanning
Cloud based just in time memory analysis for malware detection
Classifying Network Traffic Using NBAR
Classifying Network Traffic Classifying Network Traffic Classifying network traffic allows you to organize traffic /that is, packets/ into traffic classes or categories on the basis of whether the traffic matches specific criteria. Classifying network traffic is the foundation for enabling many quality of service /QoS/ features on your network. This module contains conceptual information and the configuration tasks for classifying network traffic. Module History This module was first published on May 2, 2005, and last updated on May 2, 2005. Finding Feature Information in This Module Your Cisco IOS software release may not support all features. To find information about feature support and configuration, use the
Classification Overview Classification Overview Classifying network traffic allows you to organize traffic /that is, packets/ into traffic classes or categories on the basis of whether the traffic matches specific criteria. Classifying network traffic /used in conjunction with marking network traffic/ is the foundation for enabling many quality of service /QoS/ features on your network. Packet classification is pivotal to policy techniques that select packets traversing a network element or a particular interface for different types of QoS service. For example, you can use classification to mark certain packets for IP Precedence and you can identify others as belonging to a Resource Reservation Protocol /RSVP/ flow. Methods of classification were once limited to use of the contents of the packet header. Current methods of marking a packet with its classification allow you to set information in the Layer 2, 3, or 4 headers, or even by setting information within the payload of a packet. Criteria for classification of a group might be as broad as
Citrix SD-WAN /formerly NetScaler SD-WAN/ increases the performance and reliability of traditional enterprise applications, SaaS applications, and virtual desktops over any network while simplifying the branch network.
Cisco WAN and Application Optimization Solution Guide – Chapter 5 /Traffic Classification/, Archived April 2014 Traffic Classification 5-1 5.1 Payload-Based Traffic Classification 5-2 5.2 Deep Packet Inspection 5.2.1 Pattern Analysis 5.2.2 Numerical Analysis 5.2.3 Behavior & Heuristic Analysis 5-4 5.2.4 Protocol/State Analysis 5-4 5.3 Cisco Classification Technologies 5-4 5.3.1 QoS Access Lists 5-5 5.3.1.1 QoS Software-based L3/L4 Access Lists 5-5 5.3.1.2 Classification with QoS ACLs in hardware 5-5 5.3.2 DPI Engines 5-5 5.3.2.1 Service Control Engine /SCE/ 5-5 5.3.2.2 Network Based Application Recognition /NBAR/ 5-5 5.4 Packet Markings 5-6 5.4.1 L2 Packet Markings 5-6 5.4.1.1 ATM Marking 5-6 5.4.1.2 Frame Relay Marking 5-6 5.4.1.3 Ethernet Marking 5-7 5.4.2 L3 Packet Markings 5-8 5.4.2.1 ToS 5-8 5.4.2.2 DSCP 5-9 5.5 Summary 5-10 5.6 References 5-10
Cisco WAN and Application Optimization Solution Guide – Chapter 5 /Traffic Classification/ Traffic Classification 5-1 5.1 Payload-Based Traffic Classification 5-2 5.2 Deep Packet Inspection 5.2.1 Pattern Analysis 5.2.2 Numerical Analysis 5.2.3 Behavior & Heuristic Analysis 5-4 5.2.4 Protocol/State Analysis 5-4 5.3 Cisco Classification Technologies 5-4 5.3.1 QoS Access Lists 5-5 5.3.1.1 QoS Software-based L3/L4 Access Lists 5-5 5.3.1.2 Classification with QoS ACLs in hardware 5-5 5.3.2 DPI Engines 5-5 5.3.2.1 Service Control Engine /SCE/ 5-5 5.3.2.2 Network Based Application Recognition /NBAR/ 5-5 5.4 Packet Markings 5-6 5.4.1 L2 Packet Markings 5-6 5.4.1.1 ATM Marking 5-6 5.4.1.2 Frame Relay Marking 5-6 5.4.1.3 Ethernet Marking 5-7 5.4.2 L3 Packet Markings 5-8 5.4.2.1 ToS 5-8 5.4.2.2 DSCP 5-9 5.5 Summary 5-10 5.6 References 5-10
Cisco IOS Software Releases 12.0 T NetFlow Aggregation – Cisco Systems
Cisco IOS Netflow Data Sheet [Cisco IOS NetFlow] – Cisco Systems
Cisco IOS Netflow
Cisco IOS Flexible NetFlow [Cisco IOS NetFlow] – Cisco Systems
Check Point is the Only Firewall to Pass the NSS Group Test
Cisco Catalyst 4500 Series Switches Configuring NetFlow Statistics Collection – Cisco Systems
Cisco Application Visibility and Control /AVC/ – Cisco
Cisco – NetFlow Services and Applications Whitepaper
CHEVRONTEXACO- NetQoS’ ReporterAnalyzer Technology Works with Cisco IOS NetFlow to Provide Global Network Visibility and Reduce WAN Costs at ChevronTexaco
NRF User’s Guide MeasureWare Network Response Facility Edition 2 /January 18, 1996/ The MeasureWare Network Response Facility is a capability which has been added to the MeasureWare Agent. NRF will automatically bring network response time data into MeasureWare logging through the use of the Data Source Integration capability of MeasureWare. This data may then be used for alarm generation and monitoring, analysis, forecasting and comparison with the other performance metrics collected by MeasureWare. NRF receives the network response data from the NetMetrix Internetwork Response Agent /IRA/. This agent must be running on the same HP-UX system as the MeasureWare agent.
Nprobe: Network Protocol Analysis, Archived March 2003
Nprobe Architecture Diagram, Archived February 2007
NOX: Towards an Operating System for Networks As anyone who has operated a large network can attest, enterprise networks are difficult to manage. That they have remained so despite significant commercial and academic efforts suggests the need for a different network management paradigm. In search of a new approach, we turned to a past example of taming management complexity: operating systems.
Non-blocking shared state in an intrusion-prevention system
Nicira Network Virtualization Platform /NVP/ Datasheet Clouds are dynamic by design and the network is a barrier to achieving the promise of cloud computing. The problem with the existing network is that network services are bound to vendor specific hardware and physical topology.
nGeniusONE Platform for HL7 in Healthcare Organizations The advancements, innovation, and maturity of Healthcare IT technology continue unabated as organizations shift to a more patient-care centric approach to delivering healthcare services. Prompt, secure, cost-effective interaction with patient Electronic Medical Records /EMRs/, imaging services /DICOM/, and diagnostic test results for collaboration with specialists and/or communication with patients is commonplace in hospitals and clinics. As Health Layer 7 /HL7/ solutions are widely deployed in leading healthcare providers’ IT environments for standards-based interoperability between the many applications, devices and services involved in transferring information related to patient care and treatment, it is critical that it operates flawlessly
nGenius Traffic Monitor The nGenius Traffic Monitor is the real-time, fault isolation application of the nGenius Performance Management System. When combined with nGenius Performance Monitor and nGenius Probes, nGenius Traffic Monitor is an integral component in the war against network brownouts in e-business networks. When troubleshooting the back office, it will rely on information collected from probes and trap alerts sent from nGenius Performance Monitor to help isolate problems, ensuring network optimization.
nGenius Trace Analyzer Integrator Data Sheet
nGenius Service Assurance Solution For Mobile Operators Technical Brief Wireless technology advances coupled with the demand for personalized IP-enabled services have dramatically changed the way in which consumers in both residential and business settings are connecting with each other. Operators face significant competitive pressure as well as technical challenges in keeping up with this disruptive change in demand and reacting to the impact it has on their infrastructure, operations and service creation and service delivery methodology. Service providers are focusing on strategies to impact top line revenue growth and stability and give them a competitive edge by
nGenius Server The nGenius Server is the cornerstone of the nGenius Performance Management System. As a high performance network management server, it is responsible for collecting, aggregating, and storing application flow and device data from industry standard probes, switches, routers, and servers. The nGenius Server is also the underlying foundation for all the nGenius System´s application software modules, including nGenius Traffic Monitor and nGenius Performance Monitor.
nGenius Quick Reference Guide NetScout’s unique, patent pending CDM™ Technology is designed to provide a simplified, cost-effective and less cluttered environment for ensuring as well as maximizing the delivery of business services across the network. The underlying CDM Architecture is a structure for mapping data so that performance information can be collected and delivered in a consistent context regardless of the data source or location within the infrastructure. The CDM approach allows NetScout to collect and integrate performance data from multiple sources throughout the network, such as nGenius Probes, infrastructure usage records like NetFlow and sFlow, or standards-based SNMP agents. This revolutionary approach reduces the total cost of network ownership by preserving and enhancing your investment in existing management solutions as well as dramatically reducing upgrade costs. Finally, as network complexity and the size of the infrastructure changes, CDM Technology provides the scalability to support unparalleled network and application visibility and control, anytime, anywhere.
nGenius Quick Reference Guide
nGenius Performance Monitor nGenius Performance Monitor is a powerful Web-based application- and Web-flow performance monitoring solution that measures the performance levels of your e-business applications and how well site resources are being utilized. Working in conjunction with nGenius Server™ and nGenius Probe™, nGenius Performance Monitor is the first line of defense in e-business network performance management. It helps ensure site availability by tracking URL traffic volumes, response times, and connection requests. nGenius Performance Monitor allows network managers and Webmasters to view data in the same manner that networks and applications are used. Proactive alarming on leading failure indicators, e.g. site slowdowns, rising error rates and surges in connection requests, forewarns network management about impending performance problems before users are affected.
nGenius Performance Manager for Flows Many network operators today have come to the realization that SNMP and MIB II data sources do not provide sufficient performance information to effectively manage today’s complex networks. NetFlow is a good source of application conversation information that enterprises can use in a variety of ways, including capacity planning, troubleshooting, usage-based billing, and intelligent traffic load balancing.
nGenius Performance Manager Data Sheet
nGenius Flow Recorder Data Sheet
nGenius Flow Directors Data Sheet
nGenius Flow Director White Paper
nGenius Application Fabric Monitor For many situations, traditional monitoring approaches provide excellent analysis of networks, applications, response times and trending. At times, packet level details are necessary to pinpoint more difficult to troubleshoot problems with complex applications traversing sprawling enterprise networks. Newer devices for continuous capture of packet streams have emerged, to work in tandem with other monitoring tools, and from a practical perspective, this makes sense, because long term, no IT organization will be able to manually troubleshoot every problem by mining extensive packet trace files
Next generation systems — Commercial software and free software comparative based on IDPS security Threats within the network are a security risk that you deal with daily. For this reason, security measures more complex than a firewall should be considered to analyze the traffic behavior of the network using next-generation devices such as Intrusion Detection and Prevention Systems /IDPS/. This article presents a comparison of commercial and open-source systems based on these devices, with the aim of transferring commercial functionality to free code.
Next Generation Deep Packet Inspection for Telecom Infrastructure Telecom Datasheet Vineyard Networks’ Network Application Visibility Library /NAVL/ classification library is an SDK providing real-time application layer classification of network traffic designed for integration into third-party solutions /OEM/. NAVL uses a combination of deep packet /DPI/ and deep flow /DFI/ inspection to accurately identify thousands of today’s common applications such as Social Networking, P2P, Instant Messaging, File Sharing, Enterprise applications, Web 2.0 and more. NAVL is delivered as an OEM solution to dramatically reduce the time, cost, and complexity of adding layer-7 classification to your networking solution.
Next Generation Deep Packet Inspection Enterprise Datasheet Vineyard Networks’ Network Application Visibility Library /NAVL/ features next-generation Deep Packet Inspection /DPI/ technology, providing real-time, Layer-7 classification of network traffic. NAVL uses a combination of deep packet inspection and deep flow inspection to accurately identify today’s most common applications including Mobile, Social Networking, P2P, Instant Messaging, File Sharing, Enterprise and Web 2.0 applications. NAVL offers a deeper understanding of how the network is being used via data mining and analytics. DPI optimizes traffic shaping and prioritization, content filtering and blocking.
New WildPackets Academy Rolls Out 802.11 Wireless, Mac OS/X Training and Network Analysis Expert /NAX/ Certification Program
New market dynamics are driving the adoption of DPI and Network Intelligence in Telecoms Interview with Qosmos CEO Thibaut Bechetoille New market dynamics are driving transformation in critical operational areas for Communications Service Providers /CSPs/, such as for billing and charging, revenue assurance and bandwidth management. But network equipment technology and Billing Support Systems /BSSs/ have not evolved efficiently to support this transformation according to a recent Yankee Group Anchor Report on how Network Intelligence Is Key to Profiting From Anywhere Demand. The research performed by Yankee Group VP and report author Brian Partridge identifies the emergence of Network Intelligence /NI/ as a key enabling technology for CSPs and their vendors to exploit the full potential of network investments. The network analytics and intelligent, real-time, event-driven systems made possible by NI as a complement to traditional Deep Packet Inspection /DPI/ enable CSPs to quickly respond to new market demands, drive new levels of QoS and QoE for customers, and improve both the operations and revenue of a CSP. Mr. Partridge’s findings corroborate the experiences of Qosmos which is seeing rapid growth in the CSP vendor market for its NI software development kits and intelligent IP probes, as we learn in this interview with Qosmos CEO Thibaut Bechetoille:
NetWorkJustice Traffic Analyzer Historical Analysis of Network Trends Before you can set bandwidth control policies, you need to determine what’s going on in your network. Which users are consuming bandwidth? Which applications are running? How much traffic is going to P2P or download traffic, and when is it happening? NetworkJustice Traffic Analyzer collects per-flow information, consolidates it and stores weeks or months of data which you can query via Traffic Analyzer’s web-based reports. You can even schedule reports to be automatically generated onto a portal to allow customers or managers to see the traffic analysis of their network segments. NetworkJustice Traffic Analyzer allows you to know exactly what’s going on in your network at any time of the day, any day of the week and any month of the year.
NetworkJustice Traffic Analyzer We developed our NetworkJustice Traffic Analyzer product for a large satellite-based ISP. Like many other ISPs they needed to support 20,000 or more simultaneous users per monitoring box with hundreds of thousands of flows. Our ISP-Scalable Monitoring product is a software component that is architected to monitor large amounts of traffic. We track traffic by users, applications, protocols, time of day, sources, destinations, traffic rates, associated histograms – just about anything you can think of. In fact, if you think of something new, NetworkJustice Traffic Analyzer can be customized to add new protocol recognition and new data and summary collection, and our Reporting Tool allows you to create any type of report from the collection database.
NetworkJustice Policy Agent Want to control where your users go, when they go there, and what kind of network performance and security they get along the way? Our NetworkJustice Policy Agent controls users, applications, and network traffic. It accepts policy records from directory services, from any COPS-based Policy Server, like HP Openview PolicyXpert /with the first true End-to-End QoS!/ and from our Application Management MIB. Special object additions to our Application Management MIB empower network managers to set user and application access permissions, security levels, bandwidth limits, and priorities.
Network-Based Application Recognition – Cisco Case Study
Network-Based Application Recognition – Case Study
Network Traffic Monitor – View, Analyze, and Optimize Traffic | SolarWinds
Network Threat Analytics Module Organizations in every industry are facing a growing number of increasingly sophisticated threats to their networks. Yet a chronic shortage of trained security professionals and a lack of true visibility into network activity has left organizations struggling to combat advanced cyber threats and breaches before they cause major damage. A holistic approach to security intelligence is an integral component of arming the next generation security operations center, and a capable network analytics solution is a necessary component of a larger strategy to arm organizations with the contextual visibility to detect, prioritize and neutralize cyber threats.
Network service system and method for providing network service in multiple …
Network sensor deployment for deep packet inspection Disclosed herein are methods, systems, and processes for centralized containerized deployment of network traffic sensors to network sensor hosts for deep packet inspection /DPI/ that supports various other cybersecurity operations. A network sensor package containing a pre-configured network sensor container is received by a network sensor host from a network sensor deployment server. Installation of the network sensor package on the network sensor host causes execution of the network sensor container that further causes deployment of an on-premise network sensor along with a network sensor management system, a DPI system, and an intrusion detection/prevention /IDS/IPS/ system. The configurable on-premise network sensor is deployed on multiple operating system distributions of the network sensor host and generates actionable network metadata using DPI techniques for optimized log search and management and improved intrusion detection and response /IDR/ operations.
Network Policy – F.A.Q. What is Network Policy? What Products Support Network Policy? Are There Standards for Policy? Where Do I Apply Network Policy – Which Users? Which Applications? When? Can Devices like Routers Do Policy Controls? Why Can’t Edge Devices Identify Applications, Users or Data Context? Can Edge Devices like Routers, Switches or Servers Do All Necessary Policy Controls? I’ve been hearing that centralized directory services like Active Directory will solve all my Policy problems. Is this true? What do I need to do to implement Policy Controls in my Network?
Network Performance Statistics – WiscNet This site contains performance statistics gathered from network devices (such as routers and switches) within the WiscNet network. These colorful RRDtool graphs were produced by FlowScan. The data points represent 5 minute averages measured at our peering point(s) within the past 48 hours. Click any graph to see data presented over a different time range.
Network Performance Monitor – Administrator Guide – Version 12.2
Network Performance Monitor – Datasheet https://www.solarwinds.com/network-performance-monitor/use-cases/packet-sniffer
Network Performance Monitor – Administrator Guide – Version 2020.2
Network Performance Monitor The SolarWinds Network Performance Monitor is a real-time network monitor that can track network latency, packet loss, traffic and bandwidth usage, and many other network statistics. The Network Performance Monitor can also monitor each managed node and interface via SNMP to report when a node reboots or an interface goes down. Network Performance Monitor can monitor and collect traffic statistics from any device that supports SNMP. Devices that do not support SNMP can also be monitored. Network latency and packet loss can be monitored for any network device, even those that do not support SNMP. You may manage any number of devices (several hundred interfaces will require a higher Pentium III class computer with adequate memory) to monitor concurrently. The devices do not need to be on the same network. The Network Performance Monitor is ideal for monitoring the bandwidth utilization of your WAN circuits. It is also great for isolating traffic bottlenecks within your network. The advanced graphing utility lets you drill into the results in real time. With the customizable summary screen it is easy to quickly identify high-traffic nodes or build customized reports. The customizable alerting system lets you configure network alerts on any of over 150 network properties.
Network Packet Sniffer – Sniffing Software for Applications | SolarWinds
Network Packet Sniffer – Sniffing Software | SolarWinds Sniff packet data and calculate network and application response time to determine if end-user experience is affected. Download NPM free 30-day trial!
Network packet inspection flow management
Network Monitoring Software | SolarWinds
Network interface card device and method of processing traffic using the …
Network General The Sniffer Token-Ring Network Portable Protocol Analyzer (Sniffer V 1.0) Operation and Reference Manual Dec 1986 Network General Token Ring Sniffer manual
Network General The Sniffer Addendum to Token-Ring Network Portable Protocol Analyzer (Sniffer V 1.20) Operation and Reference Manual Apr 1987 Network General Token-Ring Sniffer Operation and Reference Manual Version 1.20 addendum
Network General Sniffer Product Brochure “The Network. Your Business Is Built On It”; Network General Corp. product brochure.
Network General Sniffer Brochure 1986 Network General PA-400 Token-Ring Sniffer brochure
Network General Sample Sniffer Screens Dec 1986 Network General Token-Ring Sniffer Sample Screens
Network General R 4904 ARCNET Line Analyzer (“The Sniffer”) OEM Version Oct 1986 Network General ARCNET Line Analyzer, OEM version
Network General R 4903 ARCNET Line Analyzer (“The Sniffer”) Installation and Operation Manual Sep 1986 Network General ARC Line Analyzer (“The Sniffer”)
Network General Ethernet Sniffer Model PA-302 Operation and Reference Manual Jun 1988 Network General Ethernet Sniffer Protocol Analyzer Operation and Reference Manual
Network General Ethernet Sniffer Introduction Apr 1987 Network General Ethernet Sniffer Protocol Analyzer
Network General Corporate Backgrounder Network General Corp. Corporate Backgrounder
Network General Corp. annual reports 1989-1993, 1995, 1997 Network General Corporation Annual Reports, 1989-1993, 1995, 1997
Network function virtualization method and apparatus using the same
Network flow-based scalable video coding adaptation device and method
Network flow control of internet of things (IoT) devices
Network enumeration at a network visibility node
Network device and method for processing traffic using multi-network interface …
Network Associates Inc. Sniffer® Distributed McAfee Network Protection Sniffer® Distributed Sniffer Distributed is a powerful network performance and security management solution that can be deployed across an entire enterprise. It provides continuous monitoring to give you real-time network status updates. Changes in network behavior are visible immediately, so you can detect potential problems before they impact end-users. Sniffer Distributed delivers an unequaled ability to anticipate, isolate, and diagnose network faults and performance problems through a combination of unique, real-time Sniffer Technologies Expert diagnoses and extensive protocol decodes, as well as short- and long-term reporting. Sniffer Distributed enables you to baseline your network so you can understand network performance before, during, and after a network attack. This unparalleled combination of standards-based monitoring and Expert analysis makes Sniffer Distributed the ideal tool to proactively manage today’s multitopology, multiprotocol distributed networks. Sniffer Distributed is available as a self-contained turnkey system and as a software-only solution. The turnkey system comes with preloaded software components and does not have minimum software or hardware system requirements.
Network Associates Inc. Netasyst Network Analyzer 1.0, Assuring Optimal Network Performance and Security – Data Sheet Product Overview When your business is about to grind to a halt due to slow e-mail response time, it’s time to implement a network management solution that enables you to not only identify problems associated with the e-mail system that 80 percent of small- and medium-sized businesses utilize—Microsoft® Exchange and Microsoft Outlook—but also quickly resolves these issues. Netasyst™ Network Analyzer enables you to reliably, flexibly, and cost-effectively monitor, troubleshoot, maintain, and secure your 10/100 LAN and 802.11 Wireless networks. As a “Powered by Sniffer® Technologies” solution, Netasyst products leverage many of the features and functionality that worldwide enterprises have used to manage, secure, and plan the growth of their networks. Within minutes, you can configure the Netasyst software and begin tracking all the information flowing through your network. Netasyst functionality protects your network at every level, from the physical layer to the application layer. With the incorporation of Sniffer Technologies expert analysis system, you can easily pinpoint the root cause of problems such as slow application response times, IP address conflicts, and domain logon failures. Netasyst software utilizes host and connection packet monitoring, application response time tracking, and packet filtering and triggering to assess the entire set of transmitting stations on 10/100 LAN and 802.11 Wireless network segments. When the packets are examined for monitoring purposes, they can also be simultaneously captured and displayed for Expert analysis and fast problem resolution. Netasyst software is ideal for managing local network segments in a campus environment or for field service engineers traveling from one site to another to perform network troubleshooting. With six offerings to choose from, you can upgrade your Netasyst offering to meet your ever-changing business needs.
Network Associates Inc. McAfee Protection-In-Depth Strategy – Simple Steps to Build Your Small Business Network – White Paper
Network Associates Inc. InfiniStream™ Security Forensics McAfee Network Protection InfiniStream™ Security Forensics Efficiently capture, index, and store data packets on your instrumented network with InfiniStream™ Security Forensics from Sniffer® Technologies. The InfiniStream Security Forensics solution delivers gigabit-speed, long-term, high capacity packet-level data storage that includes an intelligent retrieval mechanism to analyze network-based event data, and protect your network from threats. Coupled with the Sniffer Network Protection Platform, InfiniStream Security Forensics assures the optimal performance and security of your network.
Network Associates Inc. InfiniStream Security Forensics, Assuring Optimal Network Performance and Security – Data Sheet
Network Application Visibility Library | Procera Networks: Empowering Intelligence
Network Application Visibility Library (NAVL) True Layer 7 DPI Technology for Application Classification and Metadata Extraction
Network Application Visibility Library
Network Application Visibility Layer (NAVL)
Network access apparatus and method for monitoring and controlling traffic …
Network application virtualization method and system
Network Analysis in the Distributed Enterprise
NetScout® WebCast™ Network Reporting Software Using the World Wide Web – Features and Benefits – Introduction – NetScout WebCast Software – Automatic Updates – On-Demand Reporting – Integrated Alarm Management – Simplified Database Access – Secure, Controlled Access – Instant Reports – NetScout Server – The NetScout Product Family – WebCast Specifications – NetScout Manager Specifications
NetScout® WAN Capabilities
NetScout Systems Product Section – Mentor The Mentor Expert Analysis System provides rapid and accurate analysis and diagnosis of network problems from data captures.
NetScout Systems Product Section – Examine
NetScout Solutions The network transports the very applications that run the business: order entry, accounting, payroll, inventory tracking, and manufacturing and distribution. A real-time view of these applications is crucial to the business itself. NetScout Probes, the data sources of NetScout Systems’ Application Flow Management architecture, help IT professionals track the applications that run the business.
NetScout Server by NetScout Systems NetScout Server aggregates, sorts, and stores traffic statistics collected by NetScout Probes and other data sources, forwarding them as needed to WebCast. Ideal for large networks that require more data control, NetScout Server is deployed at strategic locations on the network to provide scalable polling, logging, and reporting of network traffic. NetScout Server allows for more traffic data to be collected with finer granularity, and without burdening WAN and Frame Relay links with excessive management traffic. Working in conjunction with NetScout WebCast, NetScout Server automatically disseminates report information to users, staff, and management.
NetScout Probes NetScout Systems’ nGenius Probe is the industry’s first, standards-based, application- and Web-aware instrumentation, specifically designed to address the unique requirements of e-business. The nGenius Probe features advanced application recognition to identify and classify internet-enabled application traffic as well as provide system-wide traffic flow information.
NetScout Probe Features NetScout Probes can be easily installed by loading the appropriate IP address and then connecting the probe to the network. The probe immediately begins learning and identifying the most active applications and protocols. Additional built-in features, most of which can be customized via the graphical management tools of NetScout Manager, contribute to the strength of the NetScout monitoring solutions. These features include: Access from Multiple Managers; Auto-dialback; Auto-discovery of Protocols and Application Domains; Configuration Management; Custom Filtering; End-to-End Analysis; Independent Operation; Multi-protocol Support; Multiple Interfaces; Multi-topology Support.
NetScout Manager Plus Because your network is your business, you can’t afford to leave control of your network to chance or educated guesses. NetScout Systems’ Application Flow Management solution is an approach to manage enterprise networks by tracking the flow of applications. It connects network management to the needs of the business and establishes a common ground for communications between network operations staff and the users of the network. NetScout Manager Plus is the flagship product of this architecture.
NETscout Manager Applications The new NETscout Manager user interface has been enhanced to provide easy-to-use, icon-based menus for selecting critical applications and probes for RMON diagnostics. From each of these major applications, a rich set of diagnostic tools can be selected to let users solve network problems quickly and effectively.
NetScout Manager and NetScout Manager Plus Data Sheet Fault Isolation, Performance Tuning, and Capacity Planning for Shared LANs, WANs, and Switched LANs on Distributed Networks – Features and Benefits – Introduction – The NetScout Manager Family – Seven by Twenty Four Fault Isolation – Alarms and Traps – Analyzing Custom Application Traffic – Resource Manager – Baseline Reporting and Capacity Planning – Trend Reporter – Analyzing WAN and Frame Relay with EnterpriseRMON – Analyzing the Switched Infrastructure – Expert Visualizer – Technical Specifications
NETscout Manager Feature Rich Analysis Tools for Distributed Diagnostics NETscout™ Manager runs on the industry’s most popular network management systems. With NETscout Manager, the monitoring of an enterprise network can be done proactively from a central site, assuring high network availability. NETscout’s new icon-based user interface allows easy access to an array of powerful diagnostic tools. NETscout Manager supports key network management systems on PC, SPARC, HP9000, and RS6000 platforms. The Unix-based Manager can be launched either directly from the UNIX shell or from the respective maps of SunNet Manager, OpenView, and NetView. The Windows version, identical to the UNIX implementation, is Winsock compliant, allowing the user to implement their IP stack of choice. The Windows model also provides a unique Unix-like shell allowing the user to easily write script files that can be launched by trap conditions. Frontier’s advanced diagnostics architecture, DomainView™, lets the user monitor all 7 layers of network traffic. EnterpriseRMON™ allows the user to view enterprise-wide traffic for any segment from physical, to protocol, to application level. In addition, new applications such as Protocol Monitor and Traffic Monitor let the user obtain a quick high-level assessment of network problems. With point-and-click real-time diagnostic tools, the user can
NETscout Family The NETscout family of probes uses 486 or Pentium based processors and a real-time operating system to deliver excellent price performance. The NETscout probes have a scalable architecture that will constantly improve in performance in concert with Intel processor technology. The architecture makes NETscout probes ideal for cost-effective monitoring of single-segment, multisegment and corporate backbone networks. – Typical Network Configuration – Features of NETscout RMON Probes – The RMON MIB
NETscout Expert Visualizer Features: Centralized RMON analysis tools for Ethernet, Token Ring, FDDI and WAN (and planned support for VLANs and ATM); Powerful 3D graphical displays; User customizable views; Scalable to large enterprise networks; Performance monitoring across multiple network segments; Troubleshoots network applications traffic; Views network at the physical, protocol and applications layers; Supports leading network topologies; Built to RMON2 standards; Runs on the leading UNIX platforms; Integrates with NETscout™ Manager for comprehensive monitoring and control; Compatible with any RMON/RMON2 based probe.
NeTraMet Release Note
NeTraMet 4.2 User’s Guide
NeTraMet – a Network Traffic Flow Measurement Tool NeTraMet is an open-source (GPL) implementation of the RTFM architecture for Network Traffic Flow Measurement, developed and supported by Nevil Brownlee at the University of Auckland. Nevil also developed a version of NeTraMet which uses the CoralReef library to read packet headers. This ‘CoralReef NeTraMet meter’ can work with any CoralReef data source; it has been tested on both CAIDA and NLANR trace files, and on DAG and Apptel ATM interface cards.
NetMon User Guide
NetMon Overview
NetMon Deep Packet Analytics: System Rules
NetMon Deep Packet Analytics
NetMon as a Programmatic Intrusion Detection System – LogRhythm
Netify DPI – Open-source DPI and Network Intelligence Engine OPEN SOURCE DPI FOR INTEGRATORS Managing modern networks requires insights at the application, protocol, security, and data intelligence layers. NetFlow data is good, but DPI provides the metadata to take network and cybersecurity analysis to the next level. If you are looking for an open-source deep packet inspection engine to integrate with your solution, then you have come to the right place. Our Netify DPI software has been integrated into firewalls, routers, SD-WAN solutions, IoT gateways, software-defined network architectures and other devices.
Netify Agent vs. l7-filter – Netifyd
Netify Agent – netifyd – Open-source DPI and Network Intelligence Engine The Netify Agent – netifyd – does one thing and one thing very well: network analysis using deep packet inspection. It does not firewall traffic and it does not shape traffic – that job is left to other tools that can be integrated with the agent. The features of the netifyd agent are described below.
NetFlow Services and Applications White Paper
NetFlow on Logical Interfaces: Frame Relay, Asynchronous Transfer Mode, Inter-Switch Link, 802.1q, Multilink Point to Point Protocol, General Routing Encapsulation, Layer 2 Tunneling Protocol, Multiprotocol Label Switching VPNs, and Tunnel
NetCountant – Usage Based Billing from NetScout Systems NetCountant provides a fair cost allocation system based on actual network bandwidth consumption. It tracks network utilization by volume, application, protocol, user group and distance. Billing with NetCountant encourages conservation of expensive network bandwidth and adherence to usage policies through tariffs, including off-peak rate reductions.
NetFlow gives network managers a detailed view of application flows on the network
nDPI – ntop nDPI is an ntop-maintained superset of the popular OpenDPI library. Released under the LGPL license, its goal is to extend the original library by adding new protocols that are otherwise available only in the paid version of OpenDPI. In addition to Unix platforms, we also support Windows, to provide a cross-platform DPI experience. Furthermore, we have modified nDPI to be more suitable for traffic monitoring applications, by disabling specific features that slow down the DPI engine and are unnecessary for network traffic monitoring.
NBAR2 Protocol Library – Cisco
NBAR2 Protocol Library
NBAR2 or Next Generation NBAR – Common questions and answers regarding Cisco® NBAR2 or Next Generation Network-Based Application Recognition (NBAR).
NBAR support for HTTP
NAVL | Procera Networks: Empowering Intelligence
Narus Semantic Traffic Analysis Development Platform
Narus nSystem
NARUS IBI Platform
Narus Corporate Backgrounder
NAE99: Internet measurement and data analysis: topology, workload, performance and routing statistics We discuss the collection, analysis and visualization of four forms of Internet traffic data: network topology, workload, performance, and routing. Topology data describe network link infrastructure at a variety of ‘protocol’ layers. Workload measurements involve the collection of traffic information from a point within a network, e.g., data collected by a router or switch or by an independent device passively monitoring traffic as it traverses a network link. Performance measurements involve the introduction of traffic into the network for the purpose of monitoring delay between specific end-points. Routing data includes data from Border Gateway Protocol (BGP) routing tables, which reflect the transit relationships between individual Autonomous Systems (ASes) at a given point in time. We describe highlights from these topic areas and their role in the state of Internet measurement and data analysis today.
Multiprotocol Label Switching (MPLS)-aware NetFlow
Multilayer parallel processing apparatus and method
Multi-tier integrated security system and method to enhance lawful data …
MPLS-aware NetFlow [Cisco IOS NetFlow] – Cisco Systems
More About Examine The foundation of network management, network optimization and troubleshooting play a key role in the success of today’s e-business and e-commerce efforts. Rectifying problems rapidly is no luxury — it’s critical to the success of the enterprise itself. And when unresolved problems mean lost productivity, lost customers, and lost revenue, it is easy to understand why so many IT organizations depend on NetScout Systems solutions for optimization and troubleshooting. Teaming with industry leader Wavetek Wandel Goltermann (WWG), NetScout Systems offers WWG’s award-winning software Mentor for expert analysis and Examine for packet decode. Working in concert with NetScout Probes, Mentor and Examine deliver the most advanced analysis and decoding features available for rapid, proactive, and customized troubleshooting. WWG Examine provides in-depth analysis and decode of troublesome data packets.
Monitoring traffic across diameter core agents
Monitoring QoS – Application Note
Monitoring Citrix Applications – Application Note
Monitoring 3G/4G Handovers in Telecommunication Networks
Modules for the PRX Traffic Manager Series
Modules for the PRX Traffic Manager
Mobile advertisement method
Methods, systems, and computer readable media for providing application layer firewall and integrated deep packet inspection functions for providing early intrusion detection and intrusion prevention at an edge networking device Methods, systems, and computer readable media for an application layer firewall function including an integrated deep packet inspection function for providing early intrusion detection and intrusion prevention at an edge networking device are disclosed. According to one method, steps are performed at a session controller configured to operate at the border of a first network and a second network. The steps include receiving, at an intrusion protection system (IPS) module of the session controller interfacing with modules associated with layers 2 and above of a protocol stack of the session controller, information gathered by modules located at lower layers and associated with an intrusion attempt, vulnerability, or other security policy violation. In response to receiving the information, the IPS module provides at least one of a security policy and a rule to a module located at the most appropriate layer for securing the intrusion attempt, vulnerability, or other security policy violation.
Methods, systems, and computer readable media for managing social interaction histories According to one aspect, the subject matter described herein includes a method for managing social interaction information. The method includes receiving first social interaction information associated with a user of a first over the top (OTT) service platform. The method also includes receiving second social interaction information associated with the user, the second social interaction information from a communications service platform distinct from the first OTT service platform. The method further includes generating, using the first social interaction information and the second social interaction information, consolidated social interaction information and providing the consolidated social interaction information to the user.
Methods, systems, and computer readable media for deep packet inspection (DPI)-enabled traffic management for xDSL networks Methods, systems, and computer readable media for DPI-enabled traffic shaping for xDSL networks are disclosed. According to one method, a DPI node analyzes signaling for an xDSL network access node or a broadband network gateway to determine nodal or link capacities available to nodes upstream from the network access node or the broadband network gateway for delivering downstream traffic to the network access device. The DPI node uses the determined capacities to shape downstream traffic delivered to the network access device.
Methods, systems, and computer readable media for content delivery using deep packet inspection Methods, systems, and computer readable media for content delivery using deep packet inspection are disclosed. According to one method, steps are performed at a packet inspection (PI) module that is distinct from a cache module. The method includes receiving a request for content. The method also includes inspecting the request to obtain information about the content. The method further includes determining, by comparing the obtained information with traffic management policy information based on a dynamically derived content access profile, whether the cache module is to process the request. The method also includes, in response to determining that the cache module is to process the request, sending the request towards the cache module.
Methods, systems, and computer readable media for affecting user associations in over the top (OTT) service platforms According to one aspect, the subject matter described herein includes a method for affecting user associations in over the top (OTT) service platforms. The method includes receiving a first message for initiating associations or disassociations between a first user and a second user of over the top (OTT) service platforms. The OTT service platforms are controlled and operated by distinct entities. The method also includes determining, using at least one of information in the first message and stored information, the OTT service platforms in which associations are to be established or disestablished. The method further includes sending at least a second message for establishing or disestablishing an association between the first user and the second user in the OTT service platforms.
Methods and systems for using keywords preprocessing, Boyer-Moore analysis, and …
Methods and systems for optimal delivery of internet video over wireless …
Methods and systems for detection and classification of multimedia content in …
Methods and devices for data flow control in a communication network
Methods and apparatus for routing in a network
Methods and apparatus for detecting and/or dealing with denial of service attacks Methods and apparatus for detecting and minimizing the effects of Denial Of Service (DOS) attacks in high-speed networks in which packet processing is carried out by multiple processing cores. In one embodiment of the invention a communications method and apparatus detects and deletes denial of service attack packets in a multi-core distributed packet processing system using a lightweight DOS attack packet detection and deletion process.
Methods and apparatus for analyzing and management of application traffic on networks An apparatus and method are provided for analyzing traffic on a network by monitoring packets sent between devices on the network and identifying applications occurring between devices on the network based on information derived from monitoring the packets. Techniques are provided to examine header information of the packets, such as information in the header of Internet Protocol (IP) packets, to identify applications that are occurring on the network. In some cases, information about the packet beyond the header information is examined to match a packet to a particular application. Using these techniques, a list is built of all of the applications occurring between devices on the network. Parameters may be generated to track one or more of the response time, latency and traffic volume associated with a particular device on the network.
Method, device and system for preventing embedded BYPASS device from powering …
Method to enable deep packet inspection (DPI) in openflow-based software …
Method of processing traffic to recover service chain path, service function …
Method of high-speed switching for network virtualization and high-speed …
Method of creating high availability for single point network gateway using …
Method of automatically identifying multiservice and method of providing …
Method for transmitting and receiving packet in transport network
Method for providing an elastic content filtering security service in a mesh …
Method for ordering monitored packets with tightly-coupled processing elements
Method for managing and sharing symmetric flow and asymmetric flow in duplexed …
Method for dynamically configuring network services
Method for controlling software defined network and apparatus for the same
Method and system for remote quality of experience diagnostics
Method and system for detecting and responding to harmful traffic
Method and System For Controlled Delay of Packet Processing With Multiple Loop …
Method and apparatus to perform multiple packet payloads analysis
Method and Apparatus for Real Time Identification and Recording of Artifacts
Method and apparatus for providing gateway function
Method and apparatus for processing multi-layer data
Method and apparatus for multimedia content filtering
Method and apparatus for dynamically managing hierarchical flows
Method and apparatus for detecting the anomalies of an infrastructure
Method and apparatus for detecting security anomalies in a public cloud …
Method and apparatus for detecting process failure
Method and apparatus for controlling access in wireless network
Measuring web browsing quality of experience in real-time at an intermediate network node A method including acquiring a current HTTP transaction; determining whether the current HTTP transaction relates to web browsing for a specific client; acquiring a previous transactions set of the specific client; evaluating whether the current HTTP transaction belongs with the previous transactions set; if the current HTTP transaction belongs with the previous transactions set, adding the current HTTP transaction to the previous transactions set; and if the current HTTP transaction does not belong with the previous transactions set, creating a boundary of a page unit that includes the HTTP transactions of the previous transactions set for computing a page unit time.
Method and an apparatus to perform multiple packet payloads analysis
Meeting U.S. Government Cybersecurity Guidelines for Pipelines | Nozomi Networks
Mechanisms for layer 7 context accumulation for enforcing layer 4, layer 7 and …
Measuring web browsing quality of experience in real-time at an intermediate …
Maximum Mask Aggregate Output NetFlow [Cisco IOS NetFlow] – Cisco Systems
Managing Encrypted Traffic with Symantec Solutions The use of Secure Sockets Layer (SSL) or Transport Layer Security (TLS) encryption for Internet and enterprise traffic is growing steadily. Modern applications that use SSL communications by default – such as SharePoint, Exchange, WebEx, Salesforce.com and Google Apps – are commonplace and rapidly growing. Even hosted and mobile email applications such as Gmail, Yahoo and Zimbra utilize SSL encryption by default in today’s workplace environments.
Managing apparatus and managing method for network traffic
Managing a Switched Network Environment with EtherPeek
MAC address modification of otherwise locally bridged client devices to provide …
Lucid Security, makers of ipANGEL/tm/, the world’s premier Intrusion Protection System /IPS/
Lucid Security, makers of ipANGEL/tm/, the world’s premier Active Defense System /ADS/
Lucid Security ipAngel 4.0 Appliance Models
Lucid Security » White Papers
Lucid Security » ipANGEL Solution – How Asset-Centric Protection Works – Part 1
Lucid Security » ipANGEL Solution
Lucid Security » ipAngel Overview
Load Balancers
Lightweight replicas for securing cloud-based services
Layer four optimization for a virtual network defined over public cloud
Layer 7 Visibility for Virtual CPE Virtual customer premises equipment /vCPE/ is a way for network operators to transition enterprise access and virtual private network /VPN/ customers to next-generation cloud networking platforms. This can substantially reduce costs associated with specialized hardware deployed on premises and, with the right tools, enables operators to inject value into wide-area network /WAN/ services using virtual network functions /VNFs/. This white paper reviews state-of-the-art vCPE deployments in the enterprise market and discusses how operators can use embedded traffic analysis software to design application-aware, customer-specific network services. In particular, it addresses Layer 4-7 analysis engines and their role in three key use cases: monitoring/reporting, Layer 7 firewall capability and VNF service chaining.
Layer 7 Visibility for vCPE Services
Layer 7 Classification
Layer 7 Classification | Procera Networks: Empowering Intelligence
Large scale bandwidth management of IP flows using a hierarchy of traffic …
LANGuardian Quick Start Guide About this guide This guide tells you how NetFort LANGuardian works, and explains how to install, configure, and use the software. Intended audience This guide is intended for anyone who wants to install or use NetFort LANGuardian – typically, network engineers, system administrators, IT managers, human resource managers, and compliance officers. What’s in this guide? This guide contains the following information: • Chapter 1 explains how LANGuardian works and describes the deployment options. • Chapter 2 describes how to install and configure LANGuardian. • Chapter 3 describes how to configure your network switch to enable LANGuardian to capture traffic from it. • Chapter 4 describes how to use LANGuardian to monitor and troubleshoot your network. • Chapter 5 describes how to use the LANGuardian REST API. • Chapter 6 describes how to integrate LANGuardian with other network monitoring tools such as Solarwinds and Splunk.
LANGuardian Integration Pack for SolarWinds NPM This manual describes how to integrate NetFort LANGuardian data into a SolarWinds Network Performance Monitor environment.
LANGuardian for Healthcare Networks NetFort LANGuardian is the industry’s leading deep packet inspection software for monitoring, troubleshooting, and reporting on network activity. It is a passive network traffic analyser, not inline, so it doesn’t impact on network performance. There are no proxies, no agents or clients to install, and no special hardware appliances are needed.
LANGuardian architecture NetFort Technologies LANGuardian is software that tells you what is happening on your network. It shows you detailed information that you can use to monitor network activity, troubleshoot problems, and demonstrate compliance with internal and external standards. Monitor your SQL Server environment SQL Server Database Monitor from NetFort Technologies is database activity monitoring software for your SQL Server databases. It monitors and records every access to your SQL Server databases, helping you to protect sensitive business data, secure your database infrastructure, detect fraudulent activity, and more easily meet your audit and compliance obligations. You can do all of this with no impact on performance and without needing to redesign your databases or applications. And, with our Active Directory and Novell eDirectory integration, you can identify the actual users responsible for all database activity.
LANGuardian Architecture | NetFort Technologies LANGuardian architecture NetFort Technologies LANGuardian is software that tells you what is happening on your network. It shows you detailed information that you can use to monitor network activity, troubleshoot problems, and demonstrate compliance with internal and external standards.
LANGuardian and SolarWinds: complete the picture with deep-packet traffic analysis and integrated user information
LANGuardian Administration and User Guide About this guide This guide tells you how NetFort LANGuardian works, and explains how to install, configure, and use the software. Intended audience This guide is intended for anyone who wants to install or use NetFort LANGuardian – typically, network engineers, system administrators, IT managers, human resource managers, and compliance officers. What’s in this guide? This guide contains the following information: • Chapter 1 explains how LANGuardian works and describes the deployment options. • Chapter 2 describes how to install and configure LANGuardian. • Chapter 3 describes how to use LANGuardian to monitor and troubleshoot your network. • Chapter 4 describes how to integrate LANGuardian with Solarwinds Orion. • Appendix A is a reference guide to the report categories. • Appendix B is a reference guide to the ports and protocols. • Appendix C is a glossary of terms.
Knowing your network enhances productivity, security and compliance. Know your network NetFort LANGuardian gives you total network insight you can act on. You may think of your network as the backbone of your IT infrastructure—but it’s also the backbone of your business. Without the network up and running at optimum performance, every aspect of your business suffers—work grinds to a screeching halt and productivity drops. If you can’t meet compliance requirements, you could face potential legal risks or fines. And a breach in network security could result in a wide range of problems that may literally jeopardize your business. The bottom line? You need to be able to accurately see what’s going on with your network at all times.
Know exactly what is happening on your network. Monitor, troubleshoot, and report on all network and student activity with a single cost-effective system. Proactive monitoring NetFort LANGuardian gives you a detailed view of what is happening on your network, enabling you to take a proactive approach to managing it instead of reacting to events after they have happened. LANGuardian monitors network traffic via the monitoring port on your core switch. It stores traffic data in a database, so you can view historical as well as real-time activity on your LAN. With LANGuardian, you can see how your network bandwidth is being used. You can monitor security threats and detect torrent downloads as well as other P2P file share activity.
Processing data flows with a data flow processor
Procera Use Cases Procera Networks structures mobile and fixed broadband network data, transforming it into actionable intelligence to empower operators to make informed business decisions and improve the quality of Subscriber Experience. Procera’s solutions are delivered by our proprietary PacketLogic™ Deep Packet Inspection /DPI/ platform, built on 15 years’ investment into our best-in-class traffic identification engine, DRDL. Solutions include Use Cases in the areas of Insights Reporting, Traffic Management and Policy Enforcement.
Procera Networks’ NAVL Engine Powers Connectem vEPC for Telekom Austria Group | Procera Networks: Empowering Intelligence
Procera Networks Selected by NTT DATA for NAVL-based Network Visibility | Procera Networks: Empowering Intelligence
Procera Networks Products Overview PacketLogic solutions are composed of three building blocks: PRE /PacketLogic Real-Time Enforcer/, PIC /PacketLogic Intelligence Center/ and PSM /PacketLogic Subscriber Manager/ – all of which are mature and proven technologies that have operated in strenuous network environments. Our solutions enable: • Traffic Management, Fair Usage and Congestion Management to delay CAPEX and deliver high QoE • Time, Content, Application, or Location-based Services • Topology-aware Peering Bandwidth Control and Analytics • Fine-grained visibility on network behavior and content consumption in real-time • Application Delivery Networking Services including Traffic Steering or Carrier Grade NAT • New business and pricing models • Quad Play Services through non-disruptive shaping and prioritization technology
Procera Networks Products Overview The PacketLogic solutions are composed of three building blocks: PRE /PacketLogic Real-Time Enforcer/, PIC /PacketLogic Intelligence Center/ and PSM /PacketLogic Subscriber Manager/ – all of which are mature and proven technologies that have operated in strenuous network environments. Our solutions help: • Traffic Management, Fair Usage and Congestion Management to delay CAPEX • Time, Application, or Location-based Services • Topology-aware Peering Bandwidth Control • Accurate, Fine-grained visibility on network behavior in real-time • Identify improper user behavior and limit the impact of network attacks • Implement new business and pricing models • Enable Quad Play Services through non-disruptive shaping and prioritization technology
Procera Networks Offers New NAVL 4.0 DPI Engine as SDK for License to OEMs
Procera Networks Names James Dirksen to Lead NAVL Team | Procera Networks: Empowering Intelligence
Procera Networks and Tilera Reach New Heights in DPI Performance Procera Networks and Tilera have achieved what was once considered impossible – the Industry’s first 200 Gbps* Layer 7 DPI solution running on a 1RU appliance. The solution combines Procera’s NAVL DPI engine and Tilera’s TILE-GX36 architecture to set a new standard for DPI performance. This feat is especially remarkable given the throughput-per-watt the application achieves, making it possible to deliver such high performance, while positively impacting CapEx and OpEx costs! The record-setting performance achieved by the combination of Procera and Tilera technologies addresses the pressing need for telecommunications and enterprise security providers to implement application-aware policies that enable them to efficiently manage their networks while ensuring high quality of experience /QoE/ for all network users. This solution can be deployed in a variety of networking scenarios including Network Security /IDS/IPS, DPI, DLP/, Cyber Security, Network Monitoring, Data Forensics, Network Probes, Policy Enforcement, Analytics and Big Data processing.
Procera Networks and Napatech High Performance DPI Solution Layer 7 Application Classification and Metadata Extraction Procera Networks and Napatech have joined forces to deliver a high performance Deep Packet Inspection /DPI/ solution that significantly decreases the time to market for networking equipment manufacturers to add industry leading Layer 7 application classification and metadata extraction capabilities to their solutions. The combination of Procera’s Network Application Visibility Library /NAVL/ and Napatech’s intelligent network analysis adapters addresses the pressing need for telecommunications and enterprise security providers to implement application-aware policies that enable them to efficiently manage their networks while ensuring high Quality of Experience /QoE/ for all network users. This solution can be deployed in a variety of networking scenarios including Network Security /IDS/IPS, DPI, DLP/, Cyber Security, Network Monitoring, Data Forensics, Network Probes, Policy Enforcement, Analytics and Big Data processing.
Predictability and Security of High Performance Networks: Expanding Control through Monitoring, Visualization and Analysis Objective of the Project UCSD/CAIDA is focusing on advancing the capacity to monitor, depict, and predict traffic behavior on current and advanced networks, through developing and deploying tools to better engineer and operate networks and to identify traffic anomalies in real time. CAIDA will concentrate efforts in the development of tools to automate the discovery and visualization of Internet topology and peering relationships, monitor and analyze Internet traffic behavior on high speed links, detect and control resource use /security/, and provide for storage and analysis of data collected in aforementioned efforts. CAIDA’s cooperative agreement with DARPA for funding these vital activities went into effect on July 16th, 1998.
Powerful Forces Are Reshaping Continuous OT Monitoring Requirements
Policy-based detection of anomalous control and data flow paths in an application program Anomalous control and data flow paths in a program are determined by machine learning the program’s normal control flow paths and data flow paths. A subset of those paths also may be determined to involve sensitive data and/or computation. Learning involves collecting events as the program executes, and associating those events with metadata related to the flows. This information is used to train the system about normal paths versus anomalous paths, and sensitive paths versus non-sensitive paths. Training leads to development of a baseline “provenance” graph, which is evaluated to determine “sensitive” control or data flows in the “normal” operation. This process is enhanced by analyzing log data collected during runtime execution of the program against a policy to assign confidence values to the control and data flows. Using these confidence values, anomalous edges and/or paths with respect to the policy are identified to generate a “program execution” provenance graph associated with the policy.
Policy-based detection of anomalous control and data flow paths in an …
Policy Traffic Switch 32000: Datasheet The Policy Traffic Switch /PTS/ is a key component of Sandvine’s network policy control platform, enabling the realtime application of business logic and policy enforcement on data traffic. The PTS 32000 is powered by the Sandvine Policy Engine and a high-performance packet processing operating system executing on purpose-built, carrier-grade hardware. In conjunction with the Service Delivery Engine /SDE/, in the control plane, the PTS is bringing unified network policy control to fixed, mobile, and converged networks worldwide.
Policy Traffic Switch 24000: Datasheet The Policy Traffic Switch /PTS/ is a key component of Sandvine’s network policy control platform, enabling the realtime application of business logic and policy enforcement on data traffic. The PTS 24000 is powered by the Sandvine Policy Engine and a high-performance packet processing operating system executing on purpose-built, carrier-grade hardware. In conjunction with the Service Delivery Engine /SDE/, in the control plane, the PTS is bringing unified network policy control to fixed, mobile, and converged networks worldwide. Within a network policy control deployment, the PTS performs three critical functions: traffic classification, policy decision-making, and policy enforcement. More information about the PTS in general is available in Policy Traffic Switch: Overview.
Policy Traffic Switch 22000: Datasheet The Policy Traffic Switch /PTS/ is a key component of Sandvine’s network policy control platform, enabling the realtime application of business logic and policy enforcement on data traffic. The PTS 22000 is powered by the Sandvine Policy Engine and a high-performance packet processing operating system executing on purpose-built, carrier-grade hardware. In conjunction with the Service Delivery Engine /SDE/, in the control plane, the PTS is bringing unified network policy control to fixed, mobile, and converged networks worldwide. Within a network policy control deployment, the PTS performs three critical functions: traffic classification, policy decision-making, and policy enforcement. More information about the PTS in general is available in Policy Traffic Switch: Overview.
Policy Enforcement Firewall | Aruba Networks The stateful Policy Enforcement Firewall provides context-based controls to enforce application-layer security and prioritization. You can enforce network access policies based on user roles, device types, app flows, location, and more.
Policy Charging and Rules Function
Platform and method for providing data services in a communication network A communication node and corresponding method for processing data communication passing through the node between a first data network and a second data network is described. The method includes detecting an event associated with data communication arriving at the node from the first data network, and determining whether the data communication is to be suspended for service at the node based on the detected event. Suspended data communication is processed based on information in the data communication. Return data communication arriving at the node from the second data network in response to the processed data communication from the first data network is detected. The detected return data communication is allowed to pass through the node without processing the detected return data communication.
Pinning the route of IP bearer flows in a next generation network Methods and systems for extending the IMS/SIP architecture of the NGN to provide QoS service to generic bearer flows. More particularly, a method is provided for establishing a bearer end-to-end path of a communication session in a multi-domain communication network in which an out-of-band signalling protocol is used to establish communications sessions. The method comprises receiving an out-of-band signalling message including information representative of at least an opposite end point of a first bearer segment of the end-to-end path. The information is used to define a cross-connect mapping through a node of the network between respective local endpoints of the first bearer segment and a second bearer segment hosted by the node. Information representative of the cross-connect mapping is then inserted into the out-of-band signalling message, and the out-of-band signalling message is forwarded.
Performing services on data messages associated with endpoint machines
Performing process control services on endpoint machines
Performing context-rich attribute-based process control services on a host
Performing context-rich attribute-based load balancing on a host
Performing context-rich attribute-based encryption on a host
Performing appID based firewall services on a host
Peakflow X – Data Sheet Built to meet the demands of the largest enterprise networks, Peakflow X allows organizations to solve the internal security threat. Utilizing a breakthrough in network modeling technology, Peakflow X constructs a holistic view of the entire network by clustering scores of hosts into groups based on their operational policy. Using this perspective, Peakflow X generates actionable security information, detecting zero-day threats, worms, misuse, abuse, and other anomalous behavior, hardening infrastructure, and informing security policy.
PC WEEK: EcoScope update unearths app bottlenecks
Peakflow SP – Data Sheet Peakflow™ SP streamlines infrastructure security and network operations, while improving operational efficiencies and reducing costs. Peakflow SP is comprised of two modules: Peakflow DoS, which proactively detects and mitigates network-wide anomalies, and Peakflow Traffic, which models traffic from across the entire network, enabling operators to make informed business decisions about routing, transit, partners, and customers. Peakflow SP is built on the Peakflow Platform, an architecture for network-wide data collection, analysis, and anomaly-detection. Peakflow observes network traffic to construct models of normal operational behavior from the edge through the core. Then, in real-time, Peakflow compares traffic against these baselines to identify any new, previously unseen activity. This provides network operators with a deep understanding of normal network activity and rapid response in the face of outage or attack.
PacketShaper® Xpress Turbo-charges Networks for Improved Application Performance and Bandwidth Savings
PacketShaper® WAN Application Optimization Solutions
PACKETSHAPER® PACKETWISE™ VERSION 5.2.2 RELEASE NOTES
PACKETSHAPER® PACKETWISE™ VERSION 5.2 RELEASE NOTES
PACKETSHAPER® 8500 GETTING STARTED GUIDE PacketWise™ version 5.2
PacketShaper vs. Other Application Traffic Management Solutions – March 2003
PacketShaper Version 5.0.1 Release Notes
PacketShaper Version 5.0.0 Release Notes
PACKETSHAPER PACKETSEEKER™ PACKETWISE® VERSION 5.3.1 RELEASE NOTES
PACKETSHAPER VERSION 4.1 RELEASE NOTES
PACKETSHAPER Reference Guide VERSION 5.0
PACKETSHAPER Reference Guide PACKETWISE™ VERSION 5.1
PACKETSHAPER PACKETWISE™ VERSION 5.2.4 RELEASE NOTES
PACKETSHAPER PACKETWISE™ VERSION 5.2.3 RELEASE NOTES
PACKETSHAPER PACKETWISE™ VERSION 5.2 RELEASE NOTES
PacketShaper PacketWise Version 5.1.1 Release Notes
PacketShaper PacketWise Version 5.1 Release Notes
PacketShaper PacketWise Version 5.0.6 Release Notes
PacketShaper PacketWise Version 5.0.5 Release Notes
PacketShaper PacketWise Version 5.0.2 Release Notes
PacketShaper Overview PacketShaper is an application-based traffic and bandwidth management system that delivers predictable, efficient performance for applications running over the WAN and Internet. It gives you control over your applications’ performance.
PacketShaper Models Specifications
PacketShaper Models
PACKETSHAPER GETTING STARTED GUIDE Version 5.0
PACKETSHAPER GETTING STARTED GUIDE PacketWise™ Version 5.1
PACKETSHAPER GETTING STARTED GUIDE PacketShaper Models 1500, 2500, 4500, 6500, 2500/ISP, 4500/ISP, 6500/ISP PacketWise™ Version 5.2
PacketShaper Features Technical Document
PacketShaper Features
Packetshaper Feature Highlights
PacketShaper Enterprise Solutions Brochure
PacketShaper Components
Packetshaper Benefits
PacketShaper 4000/ISP Version 4.1 Release Notes
PacketShaper 4000/ISP Software version 4.1.0-4.1.2 PacketShaper 4500/ISP Software version 4.1.2 Release Notes
PacketShaper 1500 Series
PACKETSEEKER™ PACKETSHAPER® PACKETSHAPER® ISP PACKETSHAPER XPRESS™ RELEASE NOTES PACKETWISE® VERSION 6.1.1
PACKETSEEKER™ PACKETSHAPER® PACKETSHAPER® ISP PACKETSHAPER XPRESS™ RELEASE NOTES PACKETWISE® VERSION 6.0.2
PACKETSEEKER™ PACKETSHAPER® PACKETSHAPER® ISP PACKETSHAPER XPRESS™ RELEASE NOTES PACKETWISE® VERSION 6.0.0
PacketSeeker™ PacketShaper® PacketShaper® ISP PacketShaper Xpress™ Getting Started Guide Packeteer Series 1500, 2500, 4500, 6500, 8500, 9500 PacketWise® Version 6.1
PACKETSEEKER PACKETSHAPER® PACKETSHAPER® ISP PACKETSHAPER XPRESS™ RELEASE NOTES PACKETWISE® VERSION 6.0.1
Packeteer’s PacketSeeker You need visibility into your network because it’s so important to running your business. After all, that visibility can identify the sources of performance problems that inevitably emerge at bandwidth-constrained WAN and Internet links. Yet it is very difficult to determine exactly how your network is utilized by competing applications and how the performance of your business-critical applications is impacted. Packeteer® provides a basis for achieving those goals. PacketSeeker, our application-intelligent traffic monitoring appliance, gives you visibility into network utilization and application performance and provides a path to fix problems.
PACKETEER INTRODUCES NEW PACKETSHAPER® MODELS BASED ON ENVIRONMENTALLY SOUND AND SCALABLE HARDWARE DESIGN
Packet capture | NetFort Technologies
Packet Capture Packet capture or data capture is one possible first step in the process of deep packet inspection /DPI/, as performed by solutions such as Procera’s Network Application Visibility Library /NAVL/. It describes the act of capturing data packets in transit across a computer network and storing them in on-board memory for further inspection. Solutions such as NAVL are able to look into the packet header and payload, in addition to applying other advanced techniques, to report application type, name, source, destination, and other information.
Pace 2.0- Protocol and Application Detection with Metadata Extraction
PACE | Network Analysis with Layer-7 Deep Packet Inspection | Products | ipoque
Overview of Felix approach
Output Sampled NetFlow [Cisco IOS NetFlow] – Cisco Systems
Order Out of Chaos – The Policy Solution – White Paper
OptiView™ Link Analyzer OPV-LA and OPV-LA/HD User’s Manual
OptiView Protocol Expert v7.0 User’s Manual
OptiView Protocol Expert v7.0 Quick Start Guide
Optimizing Pattern Matching for Intrusion Detection This paper presents an optimized version of the Aho-Corasick [1] algorithm. This design represents a significant enhancement to the author’s original implementation released in 2002 as part of an update to the Snort Intrusion Detection System. The enhanced design uses an optimized vector implementation of the Aho-Corasick state table that significantly improves performance. A memory efficient variant uses sparse matrix storage to reduce memory requirements and further improve performance on large pattern groups. Intrusion Detection Systems are very specialized applications that require real-time pattern matching capabilities at very high network speeds, and in hostile environments. Several of the major issues that must be considered in pattern matching and Intrusion Detection are discussed to establish a framework for the use of the Aho-Corasick algorithm as implemented in the Snort Intrusion Detection System. The performance results comparing the original, optimized, and sparse storage versions of the author’s Aho-Corasick algorithm are presented. Tests were conducted using several dictionary tests and a Snort based Intrusion Detection performance test. The impact of pattern group sizes and compiler selection on performance is also demonstrated using several popular compilers.
Optimize Your Network Across Layers with Gigamon Application Filtering Intelligence Much of the world is now working from home, and that’s transforming how you and your team support employees. You need to maintain network availability, performance and great user experiences as network traffic shifts from LANs to WANs on a scale you never planned for. You also need to secure the increased attack surface and vulnerabilities this shift has created, all while doing more with less as revenues drop and IT budgets are frozen. Security and analytics tools are a particular pain point: They’re being overwhelmed, for example, by a suddenly spiking flow of network traffic as packets boomerang through VPN connections. That can overwhelm available resources, which reduces performance and increases overall risk.
Optimize and Monetize Networks with Context-Aware Policy Enforcement The growth in mobile device usage and the explosion of data traffic from resource-intensive content like streaming video and high-bandwidth, over-the-top applications is forcing service providers to push their networks to the limit. The challenge is to find ways to efficiently deliver customized services with best-in-class customer experience, while also optimizing network utilization and managing radio access network congestion.
Optimal Networks Announces Optimal Application Modules
Optimal Networks Announces Application Insight™ 1.5
Optimal Internet Monitor Knowledge Base
Optimal Internet Monitor FAQ
Optimal Internet Monitor Data Sheet
Optimal Application Insight: Because your business depends on your applications
Optimal Application Insight
On-line timed protocol trace analysis based on uncertain state descriptions This paper presents a new approach to the task of passive protocol tracing. The method called FollowSM for the first time meets all requirements of practical in-field use, including the checking of time constraints, the independence of the current state when starting the analysis, the admittance of nondeterminism, and on-line real time analysis capability. This is achieved by a suitable modeling of the implementation under test and the generalization of the tracing algorithm to operate on state information with any degree of uncertainty. FollowSM has been implemented as a prototype system and proved capable of minimizing the time required for troubleshooting.
OEM – ipoque PACE :: ipoque
OC3MON: Flexible, Affordable, High-Performance Statistics Collection Introduction The Internet is rapidly growing in number of users, traffic volume, and topological complexity. At the same time it is increasingly driven by economic competition. These developments render it more difficult, and yet more critical, to characterize network usage and workload trends, and point to the need for a high-performance monitoring system that can provide workload data to Internet users and administrators. To ensure the practicality of using the monitor at a variety of locations, implementation on low-cost commodity hardware is a necessity. In its role as the network service provider for NSF’s vBNS /very high speed Backbone Network Service/ project, MCI has undertaken the development of an OC3-based monitor to meet these needs. We will describe and demonstrate our current prototype. The goal of the project is to specifically accommodate three incompatible trends: current widely used statistics gathering tools, largely FDDI and Ethernet based, are running out of gas, so scaling to higher speeds is difficult; ATM trunks at OC3c are increasingly used for high-volume backbone trunks and interconnects; detailed flow-based analysis is important to understanding usage patterns and growth trends, but such analysis is not possible with the data that can be obtained directly from today’s routers and switches. Specific design goals that led to the current prototype are: a flexible data collection and analysis implementation that can be modified as we codify and refine our understanding of the desired statistics; low cost, in order to facilitate widespread deployment. The vBNS has deployed the monitor at all vBNS sites as of January 1997. The software is freely available to others for use elsewhere, and both the flow analysis code and monitor architecture are public domain.
Observing Web Browser Behaviour Using the Nprobe Passive Monitoring Architecture We introduce a novel passive network monitoring architecture which enables us to capture and integrate data from different levels of the protocol stack using a probe which can be placed at any arbitrary point in the network. We subject the data gathered to off-line analysis and show how, by modelling the dynamics of the protocols observed, we are able to extract information which would not be available using existing means. In this paper, we show how the technique can be used to observe the network behaviour of Web Browsers, and the way in which they use TCP connections.
NSX Demos: Features and Capabilities – YouTube Playlist
Systems and Methods for Processing Data Flows
Systems and methods for processing data flows
Systems and methods for processing data flows
Systems and methods for processing data flows
Systems and methods for preventing malicious network connections using …
Systems and methods for performing selective deep packet inspection
Systems and methods for partial video caching
Systems and methods for managing quality of service
Systems and methods for handling fraudulent uses of brands
Systems and methods for enabling personalization of data service plans Systems and methods for enabling personalization of data service plans are disclosed herein. According to an aspect, a method can include receiving profile and network usage data of a subscriber. Further, the method can include generating a personalized data service offer for the subscriber based on the profile and network usage data. The method can also include presenting the personalized data service offer to the subscriber. The subscriber may respond to accept the offer.
Systems and methods for dynamic congestion management in communications networks Systems and methods for dynamic congestion management in communications networks are disclosed herein. According to an aspect, a method can include determining traffic statistics of at least one node in a communications network. The method can also include determining whether the at least one node is congested based on the traffic statistics. Further, the method can include dynamically changing or provisioning a set of at least one traffic shaping rule for application to the at least one node in response to determining that the at least one node is congested.
Systems and methods for detecting obscure cyclic application-layer message …
Systems and methods for detecting device identity at a proxy background
System, device, and method of traffic detection
System, device, and method of detecting, mitigating and isolating a signaling …
System and method to correlate handover transitions between 3gpp network access …
System for accessing a set of communication and transaction data associated …
System and method of traffic inspection and classification for purposes of …
System and method of storage, recovery, and management of data intercepted on a …
System and method for using real-time packet data to detect and manage network …
System and method for subscriber tier plan adjustment in a computer network A method for subscriber tier plan adjustment including: monitoring traffic flow for one or more subscribers of a plurality of subscribers on an operator’s network; determining a bandwidth requirement for each of the one or more subscribers; determining a recommended tier plan for each subscriber based on the subscriber’s bandwidth requirement; and providing the recommended tier plan for each of the subscribers to a network operator. A system for subscriber tier plan adjustment including: a learning module configured to monitor traffic flow for one or more subscribers of a plurality of subscribers on a network and determine a bandwidth requirement of each of the one or more subscribers; an analysis module configured to determine a recommended tier plan for each of the subscribers based on each subscriber’s bandwidth requirement; and a notification module configured to provide the recommended tier plan for each subscriber.
System and method for providing seamless on-demand application service using …
System and method for providing a network traffic portal
System and method for preventing leak of personal information
System and method for network capacity planning A method and system for network capacity planning are provided. The method includes: collecting utilization data related to a plurality of network resources on the network; determining a peak period for each of the network resources based on the utilization data; determining at least one key performance indicator (KPI) over the peak period for each of the network resources; aggregating each of the KPIs for each of the plurality of network resources; and outputting the aggregated KPIs. The system includes a data source module configured to collect utilization data related to a plurality of network resources; a peak period module configured to determine a peak period for each of the network resources based on the utilization data; a peak KPI module configured to determine at least one KPI over the peak period for each of the plurality of network resources; a KPI aggregation module configured to aggregate the KPIs for each of the network resources; and a processor module configured to output the aggregated KPIs.
System and method for packet distribution on a network
System and method for network incident identification and analysis
System and method for monitoring and managing video stream content
System and method for managing traffic detection
System and method for managing online charging sessions
System and method for managing online charging sessions
System and method for managing filtering information of attack traffic
System and method for managing bitrate on networks
System and method for managing bitrate on networks
System and method for managing bitrate on networks
System and method for managing adaptive bitrate video streaming
System and method for load balancing in computer networks
System and method for load balancing in computer networks
System and method for load balancing in computer networks
System and method for determining quality of a media stream
System and method for hypertext transfer protocol layered reconstruction
System and method for electronic monitoring
System and method for allocating bandwidth across a network A system and method for allocating bandwidth across a network to and from different end point nodes improves the predictability and efficiency of best effort network architectures. Advanced traffic processors associated with end point nodes detect and classify packets transferred across a network and allocate bandwidth. A packet policy module of the advanced traffic processor allocates bandwidth by applying policy definitions, flow ID rules, and flow policy maps to prioritize packet flows. In one embodiment, bandwidth is allocated on demand on a per-download basis so that bulk file transfers are provided substantially reduced download times through allocation of bandwidth for a premium fee.
System and method for authorizing traffic flows
System and method for client network congestion detection, analysis, and …
System and method for classifying network traffic
System and method for classifying network packets with packet content Packets are classified by content across a packet flow by sequencing packets according to packet flows through a content engine. A sequencer tracks packet flows, sending and buffering out-of-order packets to have missing packets resent. A regular expression engine determines matches of regular expressions and subexpressions with regular expressions encoded as non-deterministic finite automata with field programmable gate arrays and subexpression matches computed with a hash and determined by a hash look-up table. A tag module establishes a classification tag for a packet based on the packet’s content by matching the tag with the regular expression and subexpressions of the packet.
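The sequencer-plus-content-engine pipeline that the abstract above describes, as an added Python example that is not code from the patent or from any product: a per-flow sequencer reorders TCP segments by sequence number, buffers the out-of-order ones and records the gaps a real engine would ask to have resent, and the content rules then run over the reassembled byte stream. The rules, addresses, sequence numbers and payloads are all constructed for the example; the request is split so that both `../../` and `HTTP/1.0` straddle segment boundaries, which is exactly the case per-packet matching misses and cross-packet matching catches. Python's `re` stands in for the FPGA-backed NFA engine in the abstract.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int          # TCP sequence number of the first payload byte
    payload: bytes

    def flow_key(self):
        return (self.src, self.sport, self.dst, self.dport)


# Content rules applied to the reassembled stream. Constructed for this
# example; not any vendor's signature set.
RULES = {
    "http-request": re.compile(rb"^(GET|POST) \S+ HTTP/1\.[01]\r\n", re.M),
    "path-traversal": re.compile(rb"\.\./\.\./"),
}


@dataclass
class FlowState:
    next_seq: int                                        # next byte the stream expects
    stream: bytearray = field(default_factory=bytearray)  # contiguous, in-order data
    pending: dict = field(default_factory=dict)          # seq -> out-of-order payload
    resend_requests: list = field(default_factory=list)  # seq numbers of detected gaps


class Sequencer:
    """Tracks packet flows and delivers each flow's payload in sequence order."""

    def __init__(self, max_pending=64):
        self.flows = {}
        self.max_pending = max_pending   # bound on buffered out-of-order segments

    def feed(self, seg):
        key = seg.flow_key()
        st = self.flows.get(key)
        if st is None:
            st = self.flows[key] = FlowState(next_seq=seg.seq)
        if seg.seq < st.next_seq:
            return st                    # retransmit of data already delivered
        if len(st.pending) >= self.max_pending:
            st.pending.pop(max(st.pending))   # drop the furthest-ahead segment
        st.pending[seg.seq] = seg.payload
        while st.next_seq in st.pending:      # deliver everything now contiguous
            data = st.pending.pop(st.next_seq)
            st.stream += data
            st.next_seq += len(data)
        if st.pending:                        # a gap remains: ask for the missing bytes
            st.resend_requests.append(st.next_seq)
        return st


def classify(data):
    """Classification tags whose regular expression matches the given bytes."""
    return sorted(tag for tag, rx in RULES.items() if rx.search(data))


# Constructed segments: one HTTP request split into A, B, C and delivered A, C, B.
A = b"GET /cgi-bin/../"
B = b"../etc/passwd HTTP/1.0\r\n"
C = b"Host: www.example.com\r\n\r\n"
BASE = 1000
SEGMENTS = [
    Segment("192.0.2.10", 40001, "203.0.113.5", 80, BASE, A),
    Segment("192.0.2.10", 40001, "203.0.113.5", 80, BASE + len(A) + len(B), C),
    Segment("192.0.2.10", 40001, "203.0.113.5", 80, BASE + len(A), B),
]


def classify_per_packet(segments):
    """What a per-packet matcher sees: each payload inspected on its own."""
    tags = set()
    for s in segments:
        tags.update(classify(s.payload))
    return sorted(tags)


def classify_reassembled(segments):
    """Sequence the flow first, then classify the contiguous stream."""
    seq = Sequencer()
    for s in segments:
        st = seq.feed(s)
    return classify(bytes(st.stream)), list(st.resend_requests), bytes(st.stream)


if __name__ == "__main__":
    print("per-packet :", classify_per_packet(SEGMENTS))     # []
    print("reassembled:", classify_reassembled(SEGMENTS)[0])  # both tags
```

The `max_pending` cap is not cosmetic: a sender can flood a sensor with out-of-order segments it never completes, so reassembly memory must be bounded per flow. The evasion this toy sequencer does not handle is overlapping retransmissions whose two copies disagree; a sensor has to resolve those the same way the destination host does, or the host and the sensor will see different streams.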
System and method for classifying network devices
System and method for analyzing devices accessing a network
System and method for adaptive traffic path management
System and method for adaptive traffic path management
Symantec Security Analytics Software See, Understand, and Resolve Advanced Attacks Advanced targeted attacks, customized malware, and zero-day attacks are infiltrating networks at record speeds. Traditional security solutions are simply not keeping pace. In fact, recent reports indicate that the vast majority of attacks compromised their target in a matter of hours, minutes, even seconds, while 75% of attacks take days, months, even years before they are discovered and resolved. Symantec has a solution. Symantec Security Analytics Software delivers the full visibility, security analytics, real-time threat intelligence and “system of record” you need to successfully uncover advanced threats and further protect your infrastructure and your workforce.
Symantec Security Analytics: A Cornerstone of Effective Security Incident Report Symantec delivers a comprehensive and innovative network forensics solution to enable enterprises to detect and respond to security events quickly. Its award-winning Security Analytics levels the battlefield against advanced targeted attacks and zero-day malware. Security Analytics enables the security operations center to deliver clear and concise answers to the toughest security questions. It’s powered by full-packet capture, next-generation deep-packet inspection and indexing technologies, file brokering, and advanced malware analysis, as well as real-time threat intelligence, anomaly detection and alerting capabilities.
Monitoring a communication session comprising several flows on a data network (original title: Surveillance d’une session de communication comportant plusieurs flux sur un reseau de donnees)
SummitStack Stacking Technology Extreme Networks® SummitStack™ stacking technology enables the physical connection of up to eight individual Summit® switches together as a single logical unit. This logical unit reduces the management overhead of fixed configuration switches by behaving as a single switch with a single IP address and a single point of authentication. In ExtremeXOS®, Extreme Networks edge-to-core modular operating system, a stack is controlled by a master switch, called the master. The master switch runs the full-featured version of ExtremeXOS and is responsible for maintaining all of the software tables for all the switches in the stack. There can only be one master switch in a stack of switches. All switches in the stack, including the master switch, are called nodes.
Streams, Flows, and Torrents RTFM (RFCs 2720-2724) considers network traffic as being made up of bidirectional flows, which are arbitrary groupings of packets defined only by attributes of their end-points. This paper extends RTFM’s view of traffic by adding two further concepts, streams and torrents. Streams are individual IP sessions (e.g. TCP or UDP) between ports on pairs of hosts, while a torrent refers to all traffic on a link. We present stream measurement work using a meter located at UCSD (University of California, San Diego) to measure response times for DNS requests to the global root and gTLD nameservers. This example shows how to configure NeTraMet to collect flow data for stream-based flow metrics, and demonstrates the usefulness of global DNS response plots for network operations.
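The three levels of aggregation in the abstract above, as an added Python example (not NeTraMet and not the paper's code): packets are keyed as streams (one IP session, port pair included, with both directions folded into one key), as RTFM-style flows (keyed here by host pair alone, one choice of end-point attributes among the many RTFM allows), and as the torrent (everything on the link). DNS responses are then paired with their query per stream and transaction ID to produce response times, the measurement the paper made against root and gTLD servers. All packets, addresses and timestamps are constructed; the addresses are documentation ranges, not real nameservers.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Pkt:
    ts: float                        # capture time in seconds
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    length: int                      # bytes on the wire
    dns_id: Optional[int] = None     # DNS transaction ID if this is a DNS message
    dns_response: bool = False       # QR bit


def stream_key(p):
    """One IP session between two ports on two hosts; both directions map to
    the same key because the two end points are ordered before use."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    lo, hi = (a, b) if a <= b else (b, a)
    return (p.proto,) + lo + hi


def flow_key(p):
    """RTFM-style flow; this example defines it by the host pair alone, so every
    stream between the same two hosts belongs to one flow."""
    return (p.src, p.dst) if p.src <= p.dst else (p.dst, p.src)


def summarize(pkts):
    """Byte counts per stream and per flow, plus the torrent total for the link."""
    streams = defaultdict(int)
    flows = defaultdict(int)
    for p in pkts:
        streams[stream_key(p)] += p.length
        flows[flow_key(p)] += p.length
    torrent = sum(p.length for p in pkts)
    return {"torrent_bytes": torrent, "flows": dict(flows), "streams": dict(streams)}


def dns_response_times(pkts):
    """Pair each DNS response with the query sent on the same stream with the
    same transaction ID. Returns (response times in ms, unanswered query keys)."""
    pending = {}
    rtts = []
    for p in sorted(pkts, key=lambda q: q.ts):
        if p.dns_id is None:
            continue
        k = (stream_key(p), p.dns_id)
        if not p.dns_response:
            pending.setdefault(k, p.ts)     # keep the first send; retransmits ignored
        elif k in pending:
            rtts.append(round((p.ts - pending.pop(k)) * 1000, 1))
        # A response whose stream has no pending query (wrong server, wrong
        # port, or reused ID) is not matched to anything and is dropped.
    return rtts, sorted(pending)


# Constructed capture: two answered queries, one spoofed reply from a host the
# client never asked, one short HTTP exchange, and one query never answered.
CLIENT = "192.0.2.10"
PKTS = [
    Pkt(0.000, "udp", CLIENT, 40001, "198.51.100.1", 53, 64, dns_id=0x1A2B),
    Pkt(0.032, "udp", "198.51.100.1", 53, CLIENT, 40001, 512, dns_id=0x1A2B, dns_response=True),
    Pkt(0.040, "udp", "198.51.100.9", 53, CLIENT, 40001, 512, dns_id=0x1A2B, dns_response=True),
    Pkt(0.100, "udp", CLIENT, 40002, "198.51.100.2", 53, 64, dns_id=0x1A2C),
    Pkt(0.145, "udp", "198.51.100.2", 53, CLIENT, 40002, 480, dns_id=0x1A2C, dns_response=True),
    Pkt(0.200, "tcp", CLIENT, 50000, "203.0.113.5", 80, 74),
    Pkt(0.210, "tcp", "203.0.113.5", 80, CLIENT, 50000, 74),
    Pkt(0.220, "tcp", CLIENT, 50000, "203.0.113.5", 80, 300),
    Pkt(0.300, "tcp", "203.0.113.5", 80, CLIENT, 50000, 1400),
    Pkt(0.500, "udp", CLIENT, 40003, "198.51.100.1", 53, 64, dns_id=0x9999),
]


if __name__ == "__main__":
    s = summarize(PKTS)
    print(len(s["streams"]), "streams,", len(s["flows"]), "flows,", s["torrent_bytes"], "bytes")
    print("DNS response times (ms):", dns_response_times(PKTS))
```

Pairing on the stream key as well as the transaction ID is what keeps the measurement honest: a 16-bit ID repeats constantly across resolvers, and a reply whose stream has no outstanding query is precisely what a spoofed or cache-poisoning response looks like, so it contributes nothing here. Unanswered queries come back separately because a rising count of them is the earliest sign of an unreachable server.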
Streamlined creation and expansion of a wireless mesh network
Stateful Inspection Technology The industry standard for enterprise-class network security solutions Check Point FireWall-1’s Stateful Inspection architecture utilizes a unique, patented INSPECT™ Engine which enforces the security policy on the gateway on which it resides. The INSPECT Engine looks at all communication layers and extracts only the relevant data, enabling highly efficient operation, support for a large number of protocols and applications, and easy extensibility to new applications and services. The INSPECT Engine is programmable using Check Point’s powerful INSPECT Language. This provides important system extensibility, allowing Check Point, as well as its technology partners and end users, to incorporate new applications, services, and protocols, without requiring new software to be loaded. For most new applications, including most custom applications developed by end users, the communication-related behavior of the new application can be incorporated simply by modifying one of FireWall-1’s built-in script templates via the graphical user interface. Even the most complex applications can be added quickly and easily via the INSPECT Language. Check Point provides an open application programming interface (API) for third-party developers and regularly posts INSPECT Scripts to support new applications on the Check Point Web site at http://www.checkpoint.com.
Splunk and Cynerio: Optimizing Healthcare IoT Cybersecurity with a Clinical SIEM Patients have more control over their data and treatment plans than ever, thanks to connected medical and IoT devices. These devices have transformed the healthcare industry and provided greater accessibility to treatment for patients and streamlined workflows for healthcare professionals, but they have also broadened the attack surface and exposed healthcare facilities to myriad threat actors and cyber exploitation.
Specifying and utilizing paths through a network
Specifying and utilizing paths through a network
SourceForge: Project Info – IPgrab
Sourcefire Sourcefire FirePOWER™ Appliances FirePOWER network security appliances are based on a flexible enterprise security architecture to deliver industry-best threat protection and low total cost of ownership with unmatched performance, scalability and energy efficiency. Sourcefire FirePOWER network security appliances are the foundation for Sourcefire’s entire portfolio of network security solutions.
Sourcefire Real-time Network Awareness (RNA) Sensor – Product Brochure RNA sensors enable organizations to more confidently protect their networks through a unique combination of passive network discovery, behavioral profiling, and change management, without the drawbacks of traditional approaches to identifying network assets and vulnerabilities.
Sourcefire Open Source (Snort) Sourcefire has an enduring commitment to the open source security community and is a leader in open source security technology. Sourcefire manages some of the world’s most respected open source security projects including Snort®, the de facto standard for intrusion detection and prevention.
Sourcefire Next-Generation Network Security Sourcefire offers the smartest way to buy the best network security available. Our innovative, platform approach to network security via FirePOWER™ appliances enables us to deliver consistent security effectiveness, performance and value across a broad portfolio of industry-leading, next-generation network security products. Products include Next-Generation IPS, Application Control/URL Filtering, Next-Generation Firewall, Virtual Security, and SSL Appliances.
Sourcefire Intrusion Sensor – Product Brochure Sourcefire Intrusion Sensor provides defense in depth for all networks by monitoring and analyzing network traffic and alerting when suspicious activity is detected. By enhancing the Snort™ technology and adding an easy to use interface, optimized hardware, powerful data analysis, policy management and forensic capabilities, as well as a full staff of professional services and 24×7 support, Sourcefire Intrusion Sensor provides the most effective network monitoring technology available today.
Sourcefire FireSIGHT® Management Center The FireSIGHT Management Center unifies the critical security functions of the Sourcefire next-generation network security platform using FireSIGHT real-time awareness and security automation technology. Real-time awareness technology provides the network intelligence and contextual awareness you need to respond to changing conditions and threats. The visibility and automation that this provides make networks more secure and reduce operational costs.
Sourcefire Defense Center – Product Brochure Sourcefire Defense Center is the industry’s best management platform for intrusion detection deployments, especially for large distributed enterprise networks. Sourcefire Defense Center simplifies the complicated issues usually associated with intrusion detection system (IDS) deployments by incorporating policy management, data aggregation, correlation and reporting into a single centralized solution to make the most of a distributed sensor infrastructure.
Sourcefire Advanced Malware Protection Sourcefire Advanced Malware Protection (AMP) products span extended networks and devices to focus on threats across the full attack continuum – before, during and after™ an attack.
Sourcefire 3D Product Suite – Product Brochure Sourcefire’s 3D Product Suite is the industry’s first fully integrated real-time network defense infrastructure for identifying and protecting against network threats.
SonicWall/Aventail Whitepaper A popular feature of the SonicWALL® Aventail® SSL VPN appliances is called End Point Control (EPC). This allows the administrator to define specific criteria or attributes which an endpoint must meet to adhere to the company security policy. EPC can check for running applications, domain membership, certificates, files, and common anti-virus, anti-spyware, and personal firewall applications. Even with these checks though, it is still possible for malicious packets to enter the corporate network over the SonicWALL Aventail SSL VPN connection. This is especially true when connections are established from untrusted endpoints like home computers or kiosks where specific security applications cannot be enforced.
SonicWALL Solutions For Network Protection | SonicGuard.com
SonicWALL NSA 5000 Appliance | SonicGuard.com
SonicWALL NSA 5600
SonicWALL NSA 4500 Appliance | SonicGuard.com
SonicWALL NSA 240 Appliance | SonicGuard.com
SonicWall Next-Gen Firewalls Delivers Users More Connections
SonicWALL Intrusion Prevention Service | SonicGuard.com
SonicWALL E-Class NSA Series | SonicGuard.com
SonicWALL E-Class NSA E7500 Appliance | SonicGuard.com
SonicWALL E-Class NSA E5500 Appliance | SonicGuard.com
Sonicwall DPI-SSL Remote Implementation Service The Remote Implementation Service for SonicWall DPI-SSL is a deployment service that deploys and integrates the product into a customer environment within 10 business days. This service is delivered by Advanced Services partners who have completed training and have demonstrated expertise in DPI-SSL implementation and configuration. The implementation and integration of the DPI-SSL solution will commence once the implementation planning document is received, processed and approved. The service delivery process and in-scope activities are outlined in the following pages.
SonicWALL Deep Packet Inspection
SonicOS Platform The SonicOS architecture is at the core of every SonicWall physical and virtual firewall including the TZ, NSa, NSv and SuperMassive Series. SonicOS leverages our patented*, single-pass, low-latency, Reassembly-Free Deep Packet Inspection® (RFDPI) and patent-pending Real-Time Deep Memory Inspection™ (RTDMI) technologies to deliver industry-validated high security effectiveness, SD-WAN, real-time visualization, high-speed virtual private networking (VPN) and other robust security features.
Solution Brief Real-time ICS Cybersecurity and Visibility for MSSPs & MDRs As the cybersecurity risk to critical infrastructure and manufacturing organizations increases, it’s more important than ever for enterprises to actively monitor and secure OT networks. To answer this need, Managed Security Service Providers (MSSPs) and Managed Detection and Response (MDR) vendors are expanding their managed IT services to encompass industrial networks. This is not merely a matter of extending existing tools and practices to industrial control systems (ICS), however. Effectively serving this market requires products that address the unique challenges of managing 24/7/365 operational systems where availability is often a bigger concern than confidentiality or integrity.
Solera News » Solera Partners with Bivio Networks
Software Defined Network
Snort™ Protocol Flow Analyzer The Snort 2.0 Protocol Flow Analyzer classifies network application protocols into client and server data flows. In-depth analysis of these protocol data flows allows the Fusion Detection Engine to make intelligent decisions about protocol inspection, greatly enhances performance and efficiency, and helps to reduce false positives. Currently, the Fusion Detection Engine has an HTTP flow analyzer that is user-configurable and significantly reduces the Fusion Detection Engine’s HTTP processing time.
Snort™ Multi-Rule Inspection Engine Snort 2.0 introduces a new High Performance Multi-Rule Inspection Engine responsible for detecting rule matches during packet processing. Packets are first analyzed by the Rule Optimizer to select the appropriate set of rules for inspection. Then the Multi-Rule Inspection Engine searches for rule matches, builds a queue of detected rule matches, and selects the best rule match to log based on a simple set of event priorities. The process of inspecting network traffic for rule matches is performed in three stages: 1. Rule optimization to produce efficient rule sets for inspection. 2. Set based inspection algorithms that perform high-speed multi-pattern content searches. 3. Parameterized inspection techniques which allow for complicated parameter inspections. The rule optimization and multi-pattern inspection provide the high performance needed for modern high speed networks. The use of Snort’s standard parameterized inspection allows the rule language to be enhanced without affecting the high performance inspection engine. The combination of these strategies applies the strength of each strategy where it works best, and allows the Snort rule language to remain flexible for future enhancements. Snort’s Multi-Rule Inspection Engine is capable of inspecting Gigabit speed networks without packet loss, while detecting and logging events using very large rule sets.
Snort.org First archived version of snort.org. Includes latest news describing software releases and links out to general Snort information, updates, documentation, rules, forums, FAQs, etc.
Snort Users Manual for Snort Release: 2.0.0 Web Version of Snort Users Manual for Snort Release: 2.0.0
Snort Users Manual for Snort Release: 1.9.1 Web Version of Snort Users Manual for Snort Release: 1.9.1
Snort Users Manual for Snort Release: 1.8.1 Web Version of Snort Users Manual for Snort Release: 1.8.1
Snort Signature Database Provides listing of Snort signatures and links to documentation describing signatures. Signatures include: BACKDOOR ACKcmdC trojan scan; BACKDOOR subseven DEFCON8 2.1 access; BACKDOOR QAZ Worm Client Login access; BACKDOOR BackOrifice access; BACKDOOR Doly 2.0 access; BACKDOOR GirlFriend access; BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network; BACKDOOR BackConstruction 2.1 Connection; BACKDOOR BackConstruction 2.1 Client FTP Open Request; BACKDOOR BackConstruction 2.1 Server FTP Open Reply; DDOS Trin00 Attacker to Master default mdie password; DNS zone transfer; EXPLOIT LPRng overflow; FTP CWD ~root attempt; ICMP Destination Unreachable (Port Unreachable); ICMP redirect net; ICMP superscan echo; ICMP Large ICMP Packet; BAD TRAFFIC tcp port 0 traffic; RPC portmap request rusers; SCAN synscan portscan; SHELLCODE x86 stealth NOOP; SMTP RCPT TO overflow; Virus – Possible Worm – txt.vbs file; Virus – Possible Worm – xls.vbs file; Virus – Possible Worm – jpg.vbs file; Virus – Possible Worm – gif.vbs file; Virus – Possible Worm – doc.vbs file; WEB-CGI wwwboard passwd access; WEB-CGI calendar access; WEB-CGI bb-hist.sh access; WEB-FRONTPAGE dvwssr.dll access; WEB-IIS ISAPI .printer access; WEB-IIS ism.dll attempt; WEB-IIS perl access; WEB-MISC weblogic view source attempt; WEB-MISC tomcat directory traversal attempt; WEB-MISC webdav search access; WEB-MISC webhits.exe access; WEB-MISC webdav propfind access; WEB-MISC unify eWave ServletExec upload; WEB-MISC whisker tab splice attack; WEB-CGI webstore directory traversal; WEB-MISC whisker space splice attack; WEB-MISC whisker HEAD/./; WEB-MISC windmail access; WEB-MISC webplus access; WEB-CGI webdist.cgi access; WEB-MISC ws_ftp.ini access; WEB-MISC whisker HEAD with large datagram; WEB-MISC wwwboard.pl access; WEB-CGI SGI InfoSearch fname attempt; RPC portmap request rusers; RPC portmap request sadmind; WEB-CLIENT readme.eml download attempt; WEB-CLIENT readme.eml autoload attempt; WEB-ATTACKS /etc/shadow access; CHAT IRC; EXPLOIT Ettercap parse overflow attempt; WEB-MISC viewcode.jse access; WEB-CGI wayboard attempt; WEB-IIS iissamples access; DOS MSDTC attempt; EXPERIMENTAL DDOS Stacheldraht handler->agent (niggahbitch); DDOS Stacheldraht agent->handler (skillz); DDOS Stacheldraht handler->agent (ficken)
Snort 1.6 Release Announcement Provides download link for Snort 1.6. Links to Documentation, ChangeLog, Downloads, and Signatures (aka Rules). New features in Snort 1.6 include: Token Ring and FDDI decoder support; Snort ported to Tru64/Alpha, IRIX 6.X, and AIX; output plugins added (modular output system); improved the speed of the content pattern matcher; added FlexResp (active response) plugin from Christian Lademann; Snort man page now ships with the distribution; Snort now generates a PID file for easier integration with scripting; added support for
Snort 2.0: Rule Optimizer The Rule Optimizer is a major component of the Snort 2.0 detection engine. It optimizes the active Snort rules by sorting them into smaller, unique rule sets. This allows Snort to quickly inspect a packet against any applicable rule set, while providing Snort with the opportunity of using faster and more efficient set inspection technologies. The efficiency of set inspection technologies is directly linked to the quality of the set that used for rule inspection. This is the Rule Optimizer’s primary function to create a rule set that is ideal for use in set inspection technologies.
Snort 2.0: High Performance Multi-Rule Inspection Engine
Snort 2.0 Release Candidate 1 Announcement Provides download link for Snort 2.0 release candidate 1. New features in Snort 2.0 release candidate 1 include: higher performance (due to a new pattern matcher and rebuilt detection engine); better decoders; enhanced stream reassembly and defragmentation; updated rules; updated snort.conf; new detection keywords (byte_test, byte_jump, distance, within) and stateful pattern matching; new HTTP flow analyzer; enhanced anomaly detection (HTTP, RPC, TCP, IP, etc.); better self preservation in stateful subsystems; xrefs fixed; flexresp works faster and more effectively; better chroot()’ing; fixed 802.1q decoding; better async state handling; new alerting option: -A cmg
Snort 2.0 Official Release Announcement Provides download link for Snort 2.0. New features in Snort 2.0 include: enhanced high-performance detection engine; stateful pattern matching; new detection keywords: byte_test and byte_jump; the Snort code base has undergone an external third party professional security audit funded by Sourcefire (http://www.sourcefire.com); many new and updated rules; snort.conf has been updated; enhancements to self preservation mechanisms in stream4 and frag2; state tracking fixes in stream4; new HTTP flow analyzer; enhanced protocol decoding (TCP options, 802.1q, etc.); enhanced protocol anomaly detection (IP, TCP, UDP, ICMP, RPC, HTTP, etc.); enhanced flexresp mode for real-time TCP session sniping; better chroot()’ing; tagging system updated; updated FAQ available for download
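The three-stage pipeline described in the Snort 2.0 Multi-Rule Inspection Engine and Rule Optimizer entries above, together with the byte_test keyword the 2.0 release announcements list, as an added Python example that is not Snort's own code: rules are first sorted into sets keyed by protocol and destination port, a packet is scanned once per unique content pattern in the set selected for it, and only rules whose content was found have their parameterized byte_test evaluated; the surviving matches are queued and the one to log is chosen by priority. The rules, SIDs and packets are constructed and hypothetical (the SIDs are not real Snort SIDs), one `find` per pattern stands in for Snort's multi-pattern matcher, and byte_test is the only parameterized keyword implemented.

```python
import operator
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    proto: str
    dport: Optional[int]           # None means any destination port
    content: bytes                 # literal content searched for in stage 2
    priority: int = 3              # Snort convention: 1 is the most important
    # (size, op, value, offset): compare `size` big-endian bytes located `offset`
    # bytes past the end of the content match, like "byte_test:...,relative".
    byte_test: Optional[Tuple[int, str, int, int]] = None


OPS = {">": operator.gt, "<": operator.lt, "=": operator.eq}


class RuleOptimizer:
    """Stage 1: sort rules into small sets keyed by (proto, dport), so a packet
    is only inspected against rules that could possibly apply to it."""

    def __init__(self, rules):
        self.sets = defaultdict(list)
        for r in rules:
            self.sets[(r.proto, r.dport)].append(r)

    def select(self, proto, dport):
        return self.sets.get((proto, dport), []) + self.sets.get((proto, None), [])


def byte_test_ok(payload, match_end, spec):
    """Stage 3 check; fails closed when the packet is too short to hold the field."""
    size, op, value, offset = spec
    start = match_end + offset
    chunk = payload[start:start + size]
    if len(chunk) != size:
        return False
    return OPS[op](int.from_bytes(chunk, "big"), value)


def inspect(optimizer, proto, dport, payload):
    """Returns (sids of every rule that matched, sid of the rule selected to log)."""
    ruleset = optimizer.select(proto, dport)
    by_content = defaultdict(list)           # unique pattern -> rules sharing it
    for r in ruleset:
        by_content[r.content].append(r)
    queue = []
    for pattern, rules in by_content.items():
        pos = payload.find(pattern)          # stage 2: one scan per unique pattern
        if pos < 0:
            continue
        end = pos + len(pattern)
        for r in rules:                      # stage 3: parameterized inspection
            if r.byte_test is None or byte_test_ok(payload, end, r.byte_test):
                queue.append(r)
    # Best match: highest priority, then longest content, then lowest sid.
    best = min(queue, key=lambda r: (r.priority, -len(r.content), r.sid), default=None)
    return [r.sid for r in queue], (best.sid if best else None)


# Constructed rules with hypothetical SIDs; not Snort's rule set.
RULES = [
    Rule(1000001, "HTTP GET request", "tcp", 80, b"GET "),
    Rule(1000002, "WEB-IIS ISAPI .printer access", "tcp", 80, b".printer", priority=2),
    Rule(1000003, "oversized length field after LEN marker", "tcp", None, b"\x00LEN",
         priority=1, byte_test=(2, ">", 512, 0)),
    Rule(1000004, "SMTP RCPT TO", "tcp", 25, b"RCPT TO:"),
]
OPTIMIZER = RuleOptimizer(RULES)

# Constructed packets as (proto, dport, payload).
PACKETS = {
    "printer": ("tcp", 80, b"GET /NULL.printer HTTP/1.0\r\n\r\n"),
    "big_len": ("tcp", 9999, b"\x00LEN\x04\x00" + b"A" * 8),     # length field 1024
    "small_len": ("tcp", 9999, b"\x00LEN\x00\x10" + b"A" * 8),   # length field 16
    "truncated": ("tcp", 9999, b"\x00LEN\x04"),                  # field cut off
    "rcpt": ("tcp", 25, b"RCPT TO:<user@example.com>\r\n"),
}


def inspect_named(name):
    proto, dport, payload = PACKETS[name]
    return inspect(OPTIMIZER, proto, dport, payload)


if __name__ == "__main__":
    for name in PACKETS:
        print(name, inspect_named(name))
```

Two points the split into stages buys in practice: the content search cost scales with the number of unique patterns in the selected set rather than the number of rules, so rules that share a fast pattern are nearly free, and the expensive parameterized checks never run on a packet whose content did not match. The truncated packet shows the one decision the byte_test stage has to get right: a length field that is not fully present must not be read as zero.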
Snort 1.9 Release Announcement Provides download link for Snort 1.9. Links to Documentation, Downloads, and Signatures.
Snort 1.3 Release Announcement Provides download link for Snort 1.3. Links to Documentation, ChangeLog, Downloads, and FAQ.
Sniffer Technologies – Sniffer Distributed Servers Distributed Sniffer System/RMON is the industry’s leading network fault isolation and performance management solution. The combination of Sniffer Expert technology, integral RMON1/RMON2 monitoring, built-in reporting, and application-layer analysis gives you the unique ability to anticipate, isolate, and diagnose network fault and performance problems. That’s why more network managers have chosen Sniffer Technologies’ Sniffer solution as their network analysis and fault isolation tool than any other product. Sniffer Expert technology: detects, diagnoses, and repairs network failures with unprecedented speed. Industry-standard RMON: provides the most complete network instrumentation for LAN and WAN networks, including switched VLAN and converged voice, video and data. Always-on monitoring and remote access: allows immediate problem resolution, letting you analyze and solve network problems without leaving your desk.
Sniffer Technologies Management Troubleshoot Monitor Tool – Sniffer Reporting Sniffer Reporting offers two solutions, Sniffer Reporter and Sniffer Watch, that help identify critical problem areas so resolution efforts can be effectively prioritized. These solutions offer pre-packaged, easy-to-generate reports that make it possible to quickly display key network statistics. The reports offer critical insight into network traffic trends, such as which users are accessing what resources, and which protocols are consuming the most bandwidth. This data helps network managers forecast additional bandwidth needs and allows them to reassign network resources as appropriate. In conjunction with Sniffer Expert analysis, Sniffer Reporting products can help spot and correct network degradation before it escalates into a severe network outage. Additionally, Sniffer Reporting products can help users identify excess capacity, particularly helpful if they have purchased more capacity in terms of Committed Information Rate (CIR) than they need.
Sniffer Technologies – Sniffer Pro Reporter Sniffer Pro Reporter gives you valuable insight into network performance. This advanced reporting application allows you to generate graphical reports based on the RMON1/RMON2-like data collected by the Sniffer Pro application. From bandwidth usage to potential network degradation, Sniffer Pro Reporter delivers in-depth data to help you plan for future network needs. Trend reporting: Sniffer Pro Reporter displays detailed network traffic trends, such as which users are accessing which resources, which protocols are consuming the most bandwidth, and more. Forecasting tool: Sniffer Pro Reporter not only helps network managers forecast additional bandwidth needs, it also helps in resegmenting network resources. Troubleshooting and repair: in conjunction with the Sniffer Pro Expert analysis, Sniffer Pro Reporter can help foresee and correct network degradations before they become severe network outages.
Sniffer Technologies – Sniffer Network Analysis Overview Brochure
Sniffer Technologies – Products – Sniffer Pulse Sniffer Pulse expands the industry-leading Sniffer Technologies product line into Web performance analysis. It is based on the award-winning Sniffer Technologies principle of providing detailed analysis of all traffic in a non-intrusive fashion. The browser-based Sniffer Pulse appliance monitors and analyzes all Web traffic in real time, using an industry-standard protocol for data retrieval. In the world of e-commerce, millions of dollars per minute can be lost if a website is unavailable. According to a 2000 IDC report, if visitors have to wait more than eight seconds for your Web page to load, you’ll probably lose them to the competition. The losses can be even greater if your supply chain management system doesn’t perform. You need to keep your visitors and ensure that your back-end e-business processes are reliable while running at peak performance 24×7. The Sniffer Pulse appliance helps you do just that by tracking performance and alerting you to bottlenecks in your key e-business components: Web servers, the network, and the end-user experience. Sniffer Pulse is the only solution on the market that provides true end-to-end Web performance monitoring and alerting in real time, with real data, and with no synthetic transactions or log file parsing.
Sniffer Technologies – DSS/RMON Watch DSS/RMON Watch is a web-based network management and trend-reporting tool which allows you to generate Scheduled and On-Demand reports based on Application Response Time, Frame Relay, Expert, and RMON data collected by DSS/RMON agents across the network. These reports provide critical insight into traffic trends on the network, such as the Top 10 Applications, Worst Response Time /by User/, and more. DSS/RMON Watch reports not only display information essential to minimizing network downtime, but also provide trend-reporting data to assist in planning future network needs. Flexible report generation On-Demand reports allow you to specify reports by type and specific time period. These customizable reports can help clarify trends or document before and after conditions when a problem is solved. Improves productivity Reports on Expert alarms, symptoms, and diagnoses warn you of network degradation issues, while trend-reporting data helps you identify problems and plan for future network needs. A complete suite of Applications Response Time reports helps you optimize your Application Response Time. Benefits • User-friendly web interface provides for automatic discovery of DSS/RMON agents and allows user to view reports and troubleshoot problems. • Simplifies data management by automatically purging and rolling up data • Convenient reporting options allow you to display, print, or export reports • Provides a way for DSS customers to leverage their investment
Sniffer Technologies – DSS/RMON Analysis Software Distributed Sniffer System/RMON is the industry’s leading network fault isolation and performance management solution. The combination of Sniffer Expert technology, integral RMON1/RMON2 monitoring, built in reporting, and application layer analysis results in the unique ability to anticipate, isolate, and diagnose network fault and performance problems. That’s why more network managers have chosen Sniffer Technologies’ Sniffer solution as their network analysis and fault isolation tool than any other product. The ultimate network troubleshooting tool combined with industry-standard RMON2 in a single cost-effective solution Sniffer Expert yields the fastest time to detect, diagnose and resolve network failures. RMON2 agent provides statistics on network traffic, protocol distribution and application usage to help proactively manage the business.
Sniffer Distributed, Assuring optimal network performance and security – Data Sheet Product Overview Managing today’s complex and widespread enterprise network has never been more challenging. As an IT professional, how can you ensure that your network and the applications it supports deliver the availability, security, and reliability that your business requires to succeed in this highly competitive world—24×7? Sniffer® Distributed helps you meet these formidable challenges by providing a fault and network performance management solution that you can deploy across your entire enterprise. It delivers unparalleled network monitoring, protocol decodes, and Expert analysis capabilities to all key segments, e.g., Local Area Network (LAN), Wide Area Network (WAN), Asynchronous Transfer Mode (ATM), and Gigabit Ethernet, throughout your network. This powerful combination of standards-based monitoring and Expert analysis makes Sniffer Distributed the ideal solution to proactively manage today’s multitopology, multiprotocol distributed networks. With Sniffer Distributed you can monitor, validate, and evaluate your entire network infrastructure operations—from troubleshooting and baselining—to real-time and historical analysis. Armed with these insights, you can identify and correct network performance problems and bottlenecks—before they impact your users. Sniffer Distributed also gives you centralized, secure, and easy information access. With its Windows- or browser-based UI, you can access Sniffer Distributed appliances anytime, from anywhere. Now your network engineering team can monitor and troubleshoot your network without incurring the travel expenses involved in on-site problem diagnosis and resolution.
Sniffer – IBM Case Study
Smart Capacity™ for the Yottabyte Era Is Mobile Video Controlling Your Network? Bytemobile’s Mobile Analytics Reports over the last several quarters show that video has continued its surge as the dominant form of data traffic – currently accounting for 40–60% of the total volume in mobile networks worldwide. With the rise of full-length and studio-quality videos and live streaming of multimedia content on mobile devices – as well as the emergence of personal two-way video communications, or “video chat” – mobile data traffic volume is expected to grow 25 to 35 times in the next five years, causing tremendous capacity strain on already challenged network resources.
Signature creation for malicious network traffic
Shared rate limiters using floating buckets
Shaping Traffic and Controlling Performance for PacketShaper Products White Paper
Session-aware service chaining within computer networks Techniques are described for providing session-aware, stateful network services to subscriber packet flows. Devices within a service provider network direct subscriber packets along service chains. Each tunnel is established to direct traffic according to a particular ordered set of network services for the corresponding service chain. An ingress device for the tunnels encapsulates the subscriber packets and embeds opaque session cookies that each uniquely identify a collection of packet flows of a subscriber session amongst other packet flows transported by a given service tunnel. Each service node need only identify the tunnel on which a tunnel packet was received and the session cookie embedded within the tunnel packet to uniquely associate the encapsulated subscriber packet with a subscriber session, without needing to further inspect the encapsulated subscriber packet, and to index or otherwise retrieve state and statistics required to enforce the network service the service node is programmed to deliver.
Session-aware GTPv2 load balancing
Service platform on wireless network A method of operating a wireless network is provided. A method of providing a sponsored packet switched data service including receiving a request in a wireless network for a sponsored packet switched data service from a user, determining a sponsor for the requested service in accordance with stored policies, determining a billing in accordance with the stored policies, monitoring a session between the user and the sponsor, and billing the sponsor on completion of the session. A method includes, in a wireless network, receiving a request from a user for a packet switched data service, determining a provider for the service according to stored policies, determining a billing arrangement for the service according to the stored policies, and tracking the service between the user and the provider.
Service operation chaining
Service Classification for vCPE Solutions: Enabling Service Function Chaining and New VAS By integrating service classification, vendors can create vCPE solutions that support Service Function Chaining and a host of new value-added services. Qosmos ixEngine, the market leading classification and metadata engine, is a key enabler in developing a robust service classification function for vCPE.
Service-Aware Network Architecture Based on SDN, NFV, and Network Intelligence
Self-localizing data distribution network
Self-Learning IP Traffic Classification Based on Statistical Flow Characteristics A number of key areas in IP network engineering, management and surveillance greatly benefit from the ability to dynamically identify traffic flows according to the applications responsible for their creation. Currently such classifications rely on selected packet header fields (e.g. destination port) or application layer protocol decoding. These methods have a number of shortfalls, e.g. many applications can use unpredictable port numbers and protocol decoding requires high resource usage or is simply infeasible in case protocols are unknown or encrypted. We propose a framework for application classification using an unsupervised machine learning (ML) technique. Flows are automatically classified based on their statistical characteristics. We also propose a systematic approach to identify an optimal set of flow attributes to use and evaluate the effectiveness of our approach using captured traffic traces.
Securing Your Enterprise Applications with the BIG-IP Local Traffic Manager The Internet has become increasingly complex, leaving many enterprises vulnerable to malicious attacks. Organizations are faced with trying to protect their infrastructure against network security attacks, as well as attacks that are specific to the application layer. Every year, security breaches cost companies millions of dollars in revenue, productivity, and lost reputations.
Securing transmission paths in a mesh network
Securing and Analyzing Networks with EtherPeek
Securing an endpoint in a computer network
Securing a network with data flow processing
Secure Web Gateway
Schlumberger—Cisco NetFlow in Cisco IOS Software and the NetQoS Reporter-Analyzer Technology Enable Global Network Optimization at Schlumberger
Scalable Distributed Policy Management with HP Openview PolicyXpert WHAM can receive global policies from a central policy server like HP’s Openview PolicyXpert, and then set local policies within the global framework. For example, PolicyXpert might set bandwidth control policies for a remote site, and allow WHAM to divide allocated bandwidth among users. WHAM can also set local policies which are independent of the central policy server, like access controls. HP Openview PolicyXpert can also manage Policy Agents directly to provide end-to-end QoS!
Scalable architecture for deep-packet processing
SCADAguardian 17.0 Bulletin Auto-Discovery and Visualization of Industrial Assets • Asset Management • Real-time Network Modeling • Process and Asset Monitoring • Vulnerability Assessment ICS Process Anomaly Detection • Dynamic ICS Behavioral Learning • Cybersecurity Intrusion and Risk Detection • Incident Correlation and Management • Dashboards & Compliance Reporting • Ad-hoc Queries, Forensics & Troubleshooting Tools
SCADAguardian | Nozomi Networks
Sandvine – Traffic Classification
Sandvine – Sandvine Policy Engine
Sandvine – Policy Traffic Switch 32000
Sandvine – Policy Traffic Switch 24000
Sandvine – Policy Traffic Switch 22000
Sandvine – Policy Traffic Switch (PTS)
Sandvine – PCEF/TDF
Sandvine – Deep Packet Inspection (DPI)
Rule processing and enforcement for interleaved layer 4, layer 7 and verb based …
RFDPI Reassembly-Free Deep Packet Inspection (RFDPI) engine RFDPI is a stream-based inspection system that performs simultaneous inbound and outbound traffic analysis at high speed without proxying or buffering to effectively uncover intrusion attempts and malware and identify application traffic regardless of port and protocol. The RFDPI engine is not limited by file size or the amount of concurrent traffic it can scan (unlike other scanning engines). By working at the application layer, RFDPI protects against hidden application vulnerabilities that may be inadvertently letting attackers in through an unknown back door.
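What "stream-based, without buffering" means in practice, as an added illustration (this is not SonicWall's RFDPI code): the engine keeps one automaton state per flow direction and scans each TCP segment as it arrives, so a signature split across two segments is still matched and no reassembly buffer grows with file size. The signatures, segments and flow layout below are constructed for the example.

```python
from collections import deque

# Constructed signatures (not taken from any vendor signature set).
SIGNATURES = {
    "php-eval-b64": b"eval(base64_decode(",
    "etc-passwd-traversal": b"../../../../etc/passwd",
}

class StreamMatcher:
    """Aho-Corasick automaton; the only state a caller keeps is one integer."""
    def __init__(self, signatures):
        self.goto = [{}]    # goto[state][byte] -> next state
        self.fail = [0]     # failure link per state
        self.out = [[]]     # signature names recognised on entering a state
        for name, pattern in signatures.items():
            s = 0
            for b in pattern:
                if b not in self.goto[s]:
                    self.goto.append({}); self.fail.append(0); self.out.append([])
                    self.goto[s][b] = len(self.goto) - 1
                s = self.goto[s][b]
            self.out[s].append(name)
        queue = deque(self.goto[0].values())   # depth-1 states keep fail = 0
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def scan(self, state, data):
        """Scan one segment starting from a saved state; return (new_state, hits)."""
        hits = []
        for offset, b in enumerate(data):
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            hits.extend((offset, name) for name in self.out[state])
        return state, hits

class Flow:
    """One automaton state per direction is the entire per-flow memory."""
    def __init__(self, matcher):
        self.matcher = matcher
        self.state = {"c2s": 0, "s2c": 0}
        self.alerts = []

    def segment(self, direction, payload):
        self.state[direction], hits = self.matcher.scan(self.state[direction], payload)
        self.alerts.extend((direction, name) for _, name in hits)
        return hits

def demo():
    """A signature split across two constructed TCP segments is still found."""
    flow = Flow(StreamMatcher(SIGNATURES))
    seg1 = b"POST /upload.php HTTP/1.1\r\nHost: example.test\r\n\r\n<?php eval(base64"
    seg2 = b"_decode('aGk='));?>"
    flow.segment("c2s", seg1)
    flow.segment("c2s", seg2)
    flow.segment("s2c", b"HTTP/1.1 200 OK\r\n\r\n")
    return flow.alerts

if __name__ == "__main__":
    print(demo())
```

The caveat a practitioner should keep in mind: the automaton assumes segments are fed in sequence order, so out-of-order or retransmitted segments still have to be ordered by TCP sequence number (and overlapping retransmissions resolved) before scanning, and encoded or compressed content has to be normalised first. Neither step requires holding the whole object, which is the point of the reassembly-free design, but both are omitted here.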
Reputation-based threat protection
Representing identity data relationships using graphs
Reassembly-free rewriting of out-of-order data payload
Remote Analysis of a Wireless LAN Environment
Enforcement of network service level agreements A service level agreement may be imposed by a service provider that may include, e.g., a volume limitation and a bandwidth limitation. One or more limitations of the service level agreement may be enforced or modified in response to a triggering event. For example, a bandwidth limitation on a network subscriber may be enforced or modified based on how much data is consumed by the subscriber.
Reassembly-free deep packet inspection on multi-core hardware
Reassembly free deep packet inspection for peer to peer networks
Real-time prevention of malicious content via dynamic analysis
Real-time network updates for malicious content
Real-Time Deep Packet Object Detection ObjectFinder 1023 | ObjectFinder 2022 VSS Monitoring helps you get so much more from your network intelligence infrastructure. Using our Network Intelligence Optimization Systems, you make better use of your analytical tools and security tools, simplify operational complexity and realize a higher ROI from greater cost savings and service quality improvements.
Real-time alert reasoning and priority-based campaign discovery
Real World Intrusion Prevention (IPS) Introduction This white paper addresses three primary areas that organizations must consider when formulating network security strategies and evaluating possible solutions for intrusion prevention. 1. First, what are the key network security challenges facing enterprises today and how have they evolved over the past few years? 2. Second, what are the criteria for an effective IPS solution within the context of a new security reality? 3. Third, what insights can be gained from the experience of enterprises already deploying IPS solutions in the real world?
README – information about FlowScan FlowScan is a system to analyze and report on flows collected using Cflowd. This document is the FlowScan README $Revision: 1.5 $, $Date: 2000/09/15 18:37:37 $.
Qosmos WHITE PAPER : IP NETWORKS AND TRAFFIC MANAGEMENT Data networks carry more and more varied information for services which are constantly changing. The same infrastructure carries VoIP, e-mail, video and computer data that is key to a company’s business, as well as interactive games. The infrastructures themselves are also diversifying. Wireless data networks (WiFi or WiMax, for example), mobile telephony (GSM, GPRS, UMTS/3G or 4G), DSL and cable networks also function as data collection channels. At different levels, it is necessary to sort this data effectively. Carriers must be able to provide a guaranteed SLA to their clients. IP telephony users demand services with a guaranteed level of quality. Companies need to manage communication costs by tracking the usage of their infrastructure. Law enforcement agencies must be able to find traffic connected with criminal acts. These are only a few examples that demonstrate the need for tools to manage traffic on today’s data networks. This level of management includes monitoring, tracking, and measuring. It cannot be set up without precise identification. Unfortunately, the IP protocol family is not built for a universal signaling system which would allow taking a priori action on circulating information and usage. It is necessary to compile this information in real time by observing the packets circulating on a network. QOSMOS has developed unique, patented technologies that allow for analysis, monitoring, and management of information
R&S PACE 2 Solution Guide
R&S PACE 2 Protocol & Application Classification Engine
Quick Installation Guide-PRX 1000
Qosmos* Deep Packet Inspection Characterization- White Paper Packet classification is an essential part of most (if not all) network functions. It is the process of associating packets with identifiers by analyzing the layers of the protocol stack up to, but not including, the application layer (see Figure 1). Actions taken by a VNF are based on these identifiers. Since different applications can use the same protocol parameters from the perspective of the transport and network layer (i.e., same IP addresses, protocol IDs and ports), it is impossible to reliably distinguish between them with this type of packet classification. In contrast, Deep Packet Inspection (DPI) is concerned with analyzing not only the headers up to the application layer, but also the application layer itself. The classification result is at a higher level of detail. It allows the implementation of detailed network analytics and fine-grained policies. Service providers are interested in this since it allows them to improve network performance and implement services to improve end-user quality of experience. More specifically, bandwidth costs can be reduced, and fine-grained congestion control can be applied. DPI is becoming increasingly relevant in NFV due to its applicability in many well-known network functions.
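The distinction the white paper draws, shown as an added example (not Qosmos code): two TLS flows to the same server address and port are indistinguishable by header-only classification, while looking into the application layer, here the server_name extension of the TLS ClientHello or the Host header of a plaintext HTTP request, separates them. The flows, hostnames and the hostname-to-application table are constructed for the example and are not captured traffic.

```python
import struct

# Constructed hostname-to-application table; an assumption for the example.
APP_RULES = {"video.example.test": "video-streaming", "mail.example.test": "webmail"}
PORT_TABLE = {80: "http", 443: "https", 53: "dns"}

def build_client_hello(server_name: str) -> bytes:
    """Minimal TLS 1.2-style ClientHello record carrying one server_name extension."""
    name = server_name.encode("ascii")
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name           # host_name entry
    sni_ext = (struct.pack("!HH", 0x0000, len(sni_list) + 2)
               + struct.pack("!H", len(sni_list)) + sni_list)
    body = (b"\x03\x03" + bytes(32) + b"\x00"                           # version, random, no session id
            + struct.pack("!H", 2) + b"\x13\x01"                         # one cipher suite
            + b"\x01\x00"                                                # null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def tls_sni(payload: bytes):
    """Return the server_name from a ClientHello, or None if this is not one."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:
            return None
        p = 43                                   # record(5)+handshake(4)+version(2)+random(32)
        p += 1 + payload[p]                      # session id
        p += 2 + struct.unpack("!H", payload[p:p + 2])[0]   # cipher suites
        p += 1 + payload[p]                      # compression methods
        end = p + 2 + struct.unpack("!H", payload[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", payload[p:p + 4])
            p += 4
            if etype == 0x0000 and payload[p + 2] == 0:   # list length(2), then host_name type
                nlen = struct.unpack("!H", payload[p + 3:p + 5])[0]
                return payload[p + 5:p + 5 + nlen].decode("ascii", "replace")
            p += elen
    except (IndexError, struct.error):
        pass                                     # truncated or malformed: not classified
    return None

def http_host(payload: bytes):
    """Return the Host header of a plaintext HTTP/1.x request, or None."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    if not lines[0].endswith((b" HTTP/1.0", b" HTTP/1.1")):
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None

def classify_by_header(flow) -> str:
    """Transport/network-layer classification: destination port only."""
    return PORT_TABLE.get(flow["dport"], "unknown")

def classify_dpi(flow) -> str:
    """Application-layer classification: look inside the first payload."""
    host = tls_sni(flow["payload"]) or http_host(flow["payload"])
    if host is None:
        return classify_by_header(flow)
    return APP_RULES.get(host, "web:" + host)

def sample_flows():
    """Constructed flows; the first two share destination address and port."""
    return [
        {"src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443,
         "payload": build_client_hello("video.example.test")},
        {"src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443,
         "payload": build_client_hello("mail.example.test")},
        {"src": "10.0.0.7", "dst": "203.0.113.20", "dport": 8080,
         "payload": b"GET /v1/items HTTP/1.1\r\nHost: api.example.test\r\n\r\n"},
    ]

if __name__ == "__main__":
    for flow in sample_flows():
        print(flow["dport"], classify_by_header(flow), "->", classify_dpi(flow))
```

Two caveats: server_name is only visible because it is sent in the clear in the ClientHello, and TLS Encrypted Client Hello removes that; and the header-only fallback for the third flow (port 8080) would have been "unknown" without the Host header, which is the case the white paper describes. A production engine combines several such application-layer cues rather than relying on one field.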
Qosmos Q-Work Qosmos Q-Work: Designed to continuously monitor traffic flows, collect and analyze all meaningful information traveling on your network Feed Third Party Systems, such as Monitoring, Business Intelligence or Billing platforms with relevant data May be connected anywhere on your IP network
Qosmos Q-Tools Datasheet
Qosmos Q-Center Q-Center provides a comprehensive vision of an entire network from a central location. Q-Center collects and consolidates any kind of information in
Qosmos Newsletter May 2005
Qosmos Newsletter January/February/March 2007 In this issue: Point of view: Qosmos inside DPI for Service Providers. News: Q-Work 10, the state of the art of network probes. Legal view-point: The conservation of connection data by operators. News: Qosmos Joins TeleManagement Forum.
Qosmos Newsletter April 2006
Qosmos ixMachine DPI and Network Intelligence Streaming Probe The Qosmos ixMachine streaming probe is specially designed to collect in real time the information embedded or generated by traffic flow, and to deliver this actionable data to third party systems. Qosmos ixMachine enables a wide variety of applications such as lawful interception, cyber security, application-based billing, traffic optimization, audience measurement, and many more.
Qosmos ixEngine®: DPI-Based Classification & Metadata Extraction More than 70% of networking and security vendors who have decided to source DPI software have selected Qosmos ixEngine to embed Layer 2 to Layer 7 flow classification & metadata extraction into their products.
Qosmos ixEngine® for SIEM and Security Analytics Strengthening security solutions and Security Information and Event Management systems (SIEMs) with Qosmos protocol and metadata information for faster discovery and containment of advanced threats.
Qosmos ixEngine® Mobile Data Offloading Use Case Application awareness to enable data delivery with network technology complementary to 3G/4G such as WiFi networks or femtocells.
Qosmos ixEngine: Policy Control and Charging (PCC) Use Case For developers of telecom equipment who want to build products to handle the growth of mobile data traffic, provide differentiated services and enhance quality of experience.
Qosmos ixEngine: Policy and Charging (PCC) Use Case For developers of telecom equipment who want to build products to handle the growth of mobile data traffic, provide differentiated services and enhance quality of experience.
Qosmos ixEngine: Classification & Metadata Engine Qosmos ixEngine is the market leading network intelligence engine. More than 70% of networking vendors and ISVs who have decided to outsource DPI-based technology have selected Qosmos ixEngine to embed state-of-the-art L7 flow classification and metadata extraction into their products.
Qosmos ixEngine SDK Deep Packet Inspection and Network Intelligence Building Blocks Qosmos ixEngine SDK consists of pre-developed, reusable building blocks that are easily integrated into new or existing solutions. Using Qosmos ixEngine, software vendors and network equipment providers leverage market-leading Network Intelligence Technology based on advanced Deep Packet Inspection (DPI) to concentrate on their core competence of building complete solutions and accelerate the delivery of more precise, secure and intelligent applications and services.
Qosmos ixEngine 5.0 – What’s New Enabling True Network Intelligence Everywhere
Qosmos DeepFlow DPI Probe for QoE Solutions Feeding QoE Solutions with Application-Level Traffic Detail Qosmos DeepFlow for QoE identifies applications behind each IP session and delivers detailed QoE metadata such as application response time, jitter or codec. This information is forwarded in real-time to a third party system that computes QoE scoring. DeepFlow provides data for analysis per individual subscriber, per handset type, per data content and per network element. Flow inspection is carried out in real time, at very high speeds up to 20 Gb/s per box. Virtualizing or stacking several DeepFlows enables monitoring of hundreds of Gb/s and millions of subscribers.
Q-Engine Deep Packet Inspection Software Development Kit Q-Engine provides your software and hardware solutions with best of breed DPI features and developer services for fast, cost-efficient integration. Q-Engine Deep Packet Inspection technology enables OEMs and Service Providers to see inside next generation network flows, providing customers with total visibility at network, application and user level.
Q&A: What is Deep Packet Inspection (DPI)? | Extreme Portal Question What is Deep Packet Inspection (DPI)? Environment All Summit WM3000 Series Controllers, ExtremeWiNG Controllers, WirelessWiNG Controllers, ExtremeWiNG Access Points, WirelessWiNG Access Points, WiNG v5.X Software
Purview Network Powered Application Analytics and Optimization Data Sheet Purview is a network powered application analytics and optimization solution that captures and analyzes context-based application traffic to deliver meaningful intelligence – about applications, users, locations and devices. It is the industry’s first and only – patent pending – solution to transform the network into a strategic business asset, by enabling the mining of network-based business events and strategic information that help business leaders make faster and more effective decisions. It does this all from a centralized command control center that combines Network Management with Business Analytics, and at unprecedented scale (100M sessions) and scope.
Purview | Extreme Networks
PRX Traffic Manager-Handbook
PRX Traffic Manager- Data Sheet
PRX Traffic Manager :: Ipoque
PRX 100 P2P Traffic Filter-Datasheet
Providing network security through autonomous simulated environments
Proxy-less secure sockets layer (SSL) data inspection
Providing access to data in a secure communication
PROTOCOLS AND SERVICES CLASSIFIED BY PACKETWISE VERSION 5.0
Protocol and Application Plugin & Signature Library Qosmos ixEngine® is the most complete DPI engine on the market, with the ability to identify all major protocols and applications circulating on fixed and mobile networks. The technology goes beyond traditional DPI by extracting additional information in the form of metadata and by classifying encrypted traffic.
Protocol and Application Classification Engine (PACE)
Protocol Analyzer | Tektronix Communications Tektronix Communications’ Protocol Analyzer (PA) is an advanced troubleshooting tool for network engineers offering a set of features designed to bring focus to relevant protocol-based information. Designed to maximize performance, PA delivers a common application for mixed protocol stacks and sub-networks. Capture and view protocol data unit (PDU) traffic from a combination of interfaces or monitored nodes in the network. With Protocol Analyzer, users can perform real-time capture from multiple probe interfaces simultaneously. Historical capture options extend protocol analysis capabilities with automated PDU store and recall functions. Once captured, PDUs are available for display in Summary, Decode and Octet panes.
Protect Against HTTP Evasion with SonicWall Next-Gen Firewall Deep-Packet Inspection – YouTube Rob Krug explains how SonicWall next-generation firewalls employ deep-packet inspect to prevent HTTP evasion and malware attacks, while still delivering top performance.
Protocol Analyzer – Data Sheet Analyze More, Analyze Faster Designed for more advanced troubleshooting functions, Protocol Analyzer (PA) offers a set of features designed to bring focus to relevant protocol-based information independent of the underlying GeoProbe® platform. Offering Network Engineers a composite view across mixed protocol stacks and sub-networks, PA supports both real-time and historical PDU investigation from a common platform. – Harvest information from multiple probes into a single capture for a complete, “time-stitched” view of network activity. By providing this capability with a common tool, Network Engineers can accelerate problem investigation and analysis efforts—significantly reducing the mean time to repair (MTTR).
Protei Develops Layer 7/DPI Packet Processing Platform in Less than 6 Months PROTEI is one of Russia’s leading providers of telecoms solutions. The company specializes in creating solutions that take full advantage of the most line operators in 14 countries, serving over 70 million subscribers worldwide. PROTEI has a culture of staying at the forefront of technology and therefore selected the industry leading DPI engine to develop cutting-edge solutions for its customers. Integrating Qosmos’ off the shelf DPI engine enabled PROTEI to boost innovation with a cost-effective approach, staying ahead of the competition in a highly competitive market. The modularity of Qosmos ixEngine enabled PROTEI to develop solutions that could be tailored to fit the operators’ business requirements.
Proposed Measurement Specification Preliminary Measurement Spec for Internet Routers 1.0 Introduction Collection and analysis of basic traffic statistics is fundamental to providers’ ability to design and operate their networks. In addition to link utilization statistics (e.g., data supplied by MIB-II and other SNMP MIBs [1]), both long-term aggregated statistics and short-term per-flow statistics provide necessary insights relating to: network provisioning; peering arrangements; per-customer accounting; SLA verification; per-peer accounting (traffic balance of trade); performance management; tracking topology and routing changes; tracing back DoS attacks; ATM/cell/circuit level errors; other troubleshooting; connectivity; complexity/vulnerability; TCP flow dynamics; routing table/address space efficiency. The sheer volume of the traffic and the high capacity of modern Internet trunks, however, make traffic monitoring for these and other purposes an increasingly challenging endeavor. Backbone engineering and planning are among the most pressing needs for reliable forms of traffic data and analyses. Key elements of these analyses are aggregate traffic data at the IP layer, including port and protocol statistics (packets and bytes per port and per protocol) and traffic matrix statistics (how many packets and bytes were sent from network A to network B). At the 1997 Internet Statistics and Metrics Analysis (ISMA) workshop, however, participants criticized both the vendor community (for not addressing these needs) and the research community for not assisting to articulate requirements associated with traffic collection and analysis, saying…
Programmable Deep Packet Inspection /DPI/ for Service Providers Service providers around the globe are in the process of converging legacy and future network services to a common IP infrastructure. While global IP networks have created great opportunities for growth and business transformation, they also present a new set of challenges to the service providers operating these networks.
Profiling, Predicting and Planning- A White Paper
Processing data messages of a virtual network that are sent to and received …
rfc3234 Middleboxes: Taxonomy and Issues This document is intended as part of an IETF discussion about “middleboxes” – defined as any intermediary box performing functions apart from normal
rfc2895 Remote Network Monitoring MIB Protocol Identifier Reference This memo defines a notation describing protocol layers in a protocol encapsulation, specifically for use in encoding INDEX values for the protocolDirTable, found in the RMON-2 MIB (Remote Network Monitoring Management Information Base) [RFC2021]. The definitions for the standard protocol directory base layer identifiers are also included. The first version of the RMON Protocol Identifiers Document [RFC2074] has been split into a standards-track Reference portion (this document), and an Informational document. The RMON Protocol Identifier Macros document [RFC2896] now contains the non-normative portion of that specification. This document obsoletes RFC 2074.
rfc2123 Traffic Flow Measurement: Experiences with NeTraMet This memo records experiences in implementing and using the Traffic Flow Measurement Architecture and Meter MIB. It discusses the implementation of NeTraMet (a traffic meter) and NeMaC (a combined manager and meter reader), considers the writing of meter rule sets and gives some guidance on setting up a traffic flow measurement system using NeTraMet.
rfc2021 Remote Network Monitoring Management Information Base Version 2 using SMIv2 This memo defines a portion of the Management Information Base (MIB) for use with network management protocols in TCP/IP-based internets. In particular, it defines objects for managing remote network monitoring devices.
rfc1624 Computation of the Internet Checksum via Incremental Update This memo describes an updated technique for incremental computation of the standard Internet checksum. It updates the method described in RFC 1141.
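The RFC 1624 update rule, worked through as an added example (not code from the RFC): a device that rewrites one 16-bit word of a header, such as a NAT changing an address or a router decrementing TTL, can patch the checksum from the old checksum HC, the old word m and the new word m' as HC' = ~(~HC + ~m + m') in one's complement arithmetic, instead of re-summing the whole header. The IPv4 header bytes are constructed for the example; the full recomputation is kept alongside so the two results can be compared, and the superseded RFC 1141 form is included only to show the case where it differs.

```python
def ones_add(a: int, b: int) -> int:
    """One's complement addition of two 16-bit words (end-around carry)."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's complement of the one's complement sum."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total = ones_add(total, (data[i] << 8) | data[i + 1])
    return (~total) & 0xFFFF

def incremental_update(hc: int, m: int, m_new: int) -> int:
    """RFC 1624 eq. 3: HC' = ~(~HC + ~m + m'), where the word m becomes m'."""
    return (~ones_add(ones_add((~hc) & 0xFFFF, (~m) & 0xFFFF), m_new)) & 0xFFFF

def rfc1141_update(hc: int, m: int, m_new: int) -> int:
    """Superseded RFC 1141 form HC' = HC + m + ~m', kept only to show its defect."""
    return ones_add(ones_add(hc, m), (~m_new) & 0xFFFF)

# Constructed IPv4 header: 60-byte datagram, TTL 64, TCP, 172.16.10.99 -> 172.16.10.12,
# checksum field (offset 10) still zero.
IPV4_HEADER = bytes.fromhex("4500003c1c46400040060000ac100a63ac100a0c")

def set_checksum(hdr: bytes) -> bytes:
    """Full recomputation over the header with the checksum field zeroed."""
    c = checksum(hdr[:10] + b"\x00\x00" + hdr[12:])
    return hdr[:10] + c.to_bytes(2, "big") + hdr[12:]

def rewrite_word(hdr: bytes, offset: int, new_word: int) -> bytes:
    """Replace the 16-bit word at `offset` and patch the checksum incrementally,
    touching three words instead of rescanning the header."""
    hc = int.from_bytes(hdr[10:12], "big")
    m = int.from_bytes(hdr[offset:offset + 2], "big")
    out = bytearray(hdr)
    out[offset:offset + 2] = new_word.to_bytes(2, "big")
    out[10:12] = incremental_update(hc, m, new_word).to_bytes(2, "big")
    return bytes(out)

def verify(hdr: bytes) -> bool:
    """A header verifies when the checksum over all words, checksum included, is 0."""
    return checksum(hdr) == 0

if __name__ == "__main__":
    hdr = set_checksum(IPV4_HEADER)
    ttl_dec = rewrite_word(hdr, 8, 0x3F06)        # TTL 64 -> 63, protocol byte unchanged
    natted = rewrite_word(ttl_dec, 18, 0x0A64)    # dst 172.16.10.12 -> 172.16.10.100
    print(hdr.hex(), verify(hdr))
    print(natted.hex(), verify(natted), natted == set_checksum(natted))
    # Values that hit the case RFC 1624 corrects: the old form yields 0xFFFF where 0x0000 is right.
    print(hex(incremental_update(0xDD2F, 0x5555, 0x3285)), hex(rfc1141_update(0xDD2F, 0x5555, 0x3285)))
```

The practical check is the last line: both forms agree on almost every input, so a NAT or DPI payload-rewriting path that uses the RFC 1141 form will pass casual testing and only emit a checksum of 0xFFFF instead of 0x0000 in the rare case where the correct one's complement sum is all ones. Any rewrite of TCP or UDP payload bytes needs the same patch applied to the transport checksum, which also covers the pseudo-header.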
rfc1525 Definitions of Managed Objects for Source Routing Bridges This memo defines a portion of the Management Information Base /MIB/ for use with network management protocols in TCP/IP based internets. In particular, it defines objects for managing source routing and source routing transparent bridges. These bridges are also required to implement relevant groups in the Bridge MIB [6]. This MIB supersedes the dot1dSr group of objects published in an earlier version of the Bridge MIB, RFC 1286. Changes have primarily been made to track changes in the IEEE 802.5M SRT Addendum to the IEEE 802.1D Standard for MAC Bridges.
rfc1512 FDDI Management Information Base This memo defines a portion of the Management Information Base /MIB/ for use with network management protocols in TCP/IP-based internets. In particular, it defines objects for managing devices which implement the FDDI based on the ANSI FDDI SMT 7.3 draft standard [8], which has been forwarded for publication by the X3T9.5 committee.
rfc1493 Definitions of Managed Objects for Bridges This memo defines a portion of the Management Information Base /MIB/ for use with network management protocols in TCP/IP based internets. In particular it defines objects for managing MAC bridges based on the IEEE 802.1D-1990 standard between Local Area Network /LAN/ segments. Provisions are made for support of transparent bridging. Provisions are also made so that these objects apply to bridges connected by subnetworks other than LAN segments.
rfc1286 Definitions of Managed Objects for Bridges This memo defines a portion of the Management Information Base /MIB/ for use with network management protocols in TCP/IP based internets. In particular it defines objects for managing bridges based on the IEEE 802.1d draft standard between Local Area Network /LAN/ segments. Provisions are made for support of transparent and source route bridging. Provisions are also made so that these objects apply to bridges connected by subnetworks other than LAN segments.
rfc1271 Remote Network Monitoring Management Information Base /RMON MIB/ This memo is an extension to the SNMP MIB. This RFC specifies an IAB standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the
Review: Deep Packet Inspection Comes to Solarwinds NPM
Requirements for the MIDCOM architecture and control language This document presents the requirements for the MIDCOM Architecture and the associated control language.
Representing software defined networks using a programmable graph model System, method, and computer program product to represent a network using a programmable graph model, by generating a directed graph to represent a topology of the network, wherein each of a plurality of network elements in the network are represented, in the directed graph, by one of the plurality of nodes, identifying, through the directed graph, a subset of network elements, of the plurality of network elements, upon which to apply a requested operation, and applying the requested operation to the subset of network elements in a distributed manner through the directed graph.
Rendering network policy and monitoring compliance In one embodiment, a network controller receives data indicative of one or more traffic requirements for network traffic. The network controller maps the data indicative of the one or more traffic requirements into a network policy. The network controller causes installation of the network policy onto one or more networking devices. The one or more networking devices are configured to route the network traffic based on the network policy. The network controller receives feedback regarding the installed network policy. The network controller adjusts the network policy based on the received feedback.
Removal of environment and local context from network traffic for device classification In one embodiment, a device classification service assigns a set of endpoint devices to a context group. The device classification service forms a context summary feature vector for the context group that summarizes telemetry feature vectors for the endpoint devices assigned to the context group. Each telemetry feature vector is indicative of a plurality of traffic features observed for the endpoint devices. The device classification service normalizes a telemetry feature vector for a particular endpoint device using the context summary feature vector. The device classification service classifies, using the normalized telemetry feature vector for the particular endpoint device as input to a device type classifier, the particular endpoint device as being of a particular device type.
Remote Network Monitoring MIB Protocol Identifier Reference This memo defines a notation describing protocol layers in a protocol encapsulation, specifically for use in encoding INDEX values for the protocolDirTable, found in the RMON-2 MIB [RFC2021]. The definitions for the standard protocol directory base layer identifiers are also included. The first version of the RMON Protocol Identifiers Document [RFC2074] has been split into a standards-track Reference portion /this document/, and an Informational document. The RMON Protocol Identifier Macros document [RMONPROT_MAC] now contains the non-normative portion of that specification.
Remote Network Monitoring Management Information Base /RMON MIB/ Version 2 /Draft Version 00/ This memo defines an experimental portion of the Management Information Base /MIB/ for use with network management protocols in TCP/IP-based internets. In particular, it defines objects for managing remote network monitoring devices. This memo does not specify a standard for the Internet community.
Remote Monitoring MIB Extensions for Identifying Application Protocol Verbs This memo defines an experimental portion of the Management Information Base /MIB/ for use with network management protocols in the Internet community. In particular, it describes the algorithms required to identify protocol operations /verbs/ within the protocol encapsulations managed with the Remote Network Monitoring MIB Version 2 [RFC2021].
Remote crowd attestation in a network In one embodiment, a first device in a network receives information regarding one or more nodes in the network. The first device determines a property of the one or more nodes based on the received information. The first device determines a degree of trustworthiness of the one or more nodes based on the received information. The first device attests to the determined property and degree of trustworthiness of the one or more nodes to a verification device. The verification device is configured to verify the attested property and degree of trustworthiness.
Refining synthetic malicious samples with unlabeled data In one embodiment, a security device in a computer network determines a plurality of values for a plurality of features from samples of known malware, and computes one or more significant values out of the plurality of values, where each of the one or more significant values occurs across greater than a significance threshold of the samples. The security device may then determine feature values for samples of unlabeled traffic, and declares one or more particular samples of unlabeled traffic as synthetic malicious flow samples in response to all feature values for each synthetic malicious flow sample matching a respective one of the significant values for each corresponding respective feature. The security device may then use the samples of known malware and the synthetic malicious flow samples for model-based malware detection.
Refinement of device classification and clustering based on policy coloring In one embodiment, a device classification service receives data indicative of network traffic policies assigned to a plurality of device types. The device classification service associates measures of policy restrictiveness with the device types, based on the received data indicative of the network traffic policies assigned to the plurality of device types. The device classification service determines misclassification costs associated with a machine learning-based device type classifier of the service misclassifying an endpoint device of one of the plurality of device types as another of the plurality of device types, based on their associated measures of policy restrictiveness. The device classification service adjusts the machine learning-based device type classifier to account for the determined misclassification costs.
Real-time user awareness for a computer network A computer system, device, computer software, and/or method performed by a computer system, is provided for determining a user name likely to be associated with an attack, a configuration, or a vulnerability. First data is obtained which associates user names with individual IP addresses onto which the user names were logged in. Second data is obtained which associates attacks, configurations, or vulnerabilities with individual IP addresses on which the attacks occurred or on which the configurations or vulnerabilities exist. The user names from the first data are associated with the attacks, configurations or vulnerabilities from the second data based on having the same IP address during a log-in. An individual user name is indicated as being associated with attacks which occurred while the individual user name was logged in or with configurations or vulnerabilities for an IP address onto which the user logs in.
Ransomware detection using file replication logs In one embodiment, a device in a network obtains log data regarding replication of files stored on an endpoint client to a file replication service. The device tracks, based on the obtained logs, encryption changes to the files that convert the files from unencrypted files to encrypted files. The device determines that the tracked encryption changes to the files are indicative of a ransomware infection on the endpoint client. The device initiates a mitigation action regarding the ransomware infection.
Provisioning access point bandwidth based on predetermined events The present disclosure discloses a method and network device for provisioning access point bandwidth based on predetermined events. The disclosed system identifies a pattern for one or more devices over a period of time, the pattern indicating that the one or more devices /a/ connect to a particular access point at a particular time of day, or /b/ are located near the particular access point at the particular time of day. Prior to or at approximately the particular time, the disclosed system facilitates at least one client device associated with the particular access point to associate with a second and different access point. The disclosed system then provides, by the particular access point to the one or more devices, access to network resources.
Protection of communication on a vehicular network via a remote security service Methods and systems for protecting components of a linked vehicle from cyber-attack are disclosed. These methods and systems comprise elements of hardware and software for receiving a packet; tunneling the packet to a terrestrial-based security service, analyzing whether the packet is harmful to a component in the vehicle, and at least one action to protect at least one component.
Progressive refinement of device classifications using colored device and policy trees In one embodiment, a device classification service classifies a device in a network as being of a first device type. The service applies a first network policy that has an associated expiration timer to the device, based on its classification as being of the first device type. The service determines whether the device was reclassified as being of a different device type than that of the first device type before expiration of the expiration timer associated with the first network policy. The service applies a second network policy to the device, when the service determines that the device has not been reclassified as being of a different device type before expiration of the expiration timer associated with the first network policy.
Product Overview-Finder Series-ObjectFinder 2022- Overview The 10G/1G ObjectFinder 2022 is a DPI extension of the Distributed Traffic Capture System /DTCS/ family of products for warrant based applications. Four Gigabit fixed media ports are available for accessing and redirecting traffic from up to two networks to multiple inline monitoring and/or security tools, and provide fail-open loss of power protection. The other four Gigabit fixed media ports allow for flexible I/O configuration, which can be for inline tools, passive tools, Span or passive Inline inputs, or even active inline inputs with just fail-closed loss of power protection. Users have complete control over how ObjectFinder, operating fully at layers 1 and 2, refines and delivers traffic to their selected active and passive monitoring tools with VSS’ Base and Finder feature sets.
Preventing asymmetric routing using network tunneling Various implementations described herein relate to routing network data traffic using network tunnels. In some implementations, one or more tunnels are established between a remote gateway device and a central gateway system. The central gateway system receives data traffic-to-tunnel information from the remote gateway device, and the central gateway system incorporates the data traffic-to-tunnel information in a data traffic-to-tunnel mapping. The data traffic-to-tunnel information comprises an n-tuple of network flow information, network flow tags, application-to-tunnel binding information, or the like. The central gateway system receives first data traffic from the remote gateway and forwards the first data traffic to a server. Subsequently, the central gateway system receives second data traffic and forwards the first data traffic to the remote gateway device over one or more select tunnels selected from the established tunnels. The select tunnels can be selected based at least in part on the data traffic-to-tunnel mapping.
Preserving privacy in exporting device classification rules from on-premise systems In one embodiment, a device in a network obtains data indicative of a device classification rule, a device type label associated with the rule, and a set of positive and negative feature vectors used to create the rule. The device replaces similar feature vectors in the set of positive and negative feature vectors with a single feature vector, to form a reduced set of feature vectors. The device applies differential privacy to the reduced set of feature vectors. The device sends a digest to a cloud service. The digest comprises the device classification rule, the device type label, and the reduced set of feature vectors to which differential privacy was applied. The service uses the digest to train a machine learning-based device classifier.
Prefetch intrusion detection system In one embodiment, a device in a network generates a machine learning-based traffic model using data indicative of a particular node in the network attempting to retrieve content from a particular resource in the network. The device predicts, using the traffic model, a time at which the particular node is expected to attempt retrieving future content from the particular resource. The device causes the future content from the particular resource to be prefetched in the network prior to the predicted time. The device makes a security assessment of the prefetched content. The device causes performance of a mitigation action in the network based on the security assessment of the prefetched content and in response to the particular node attempting to retrieve the future content from the particular resource.
Predictive packet forwarding for a network switch A network switch includes a predictor using data in a packet to predict a flow for the packet. A forwarding engine forwards at least a portion of the packet on a switch fabric to an egress port in the switch determined from the predicted flow. The forwarding engine is operable to forward the packet on the switch fabric to the egress port determined from the predicted flow prior to a lookup module determining a flow from a lookup.
Predicting and mitigating layer-2 anomalies and instabilities In one embodiment, a server may receive both layer-2 topology information and layer-2 telemetry information from a plurality of layer-2 switches. The server may then apply behavioral learning to both the layer-2 topology information and the layer-2 telemetry information to detect layer-2 patterns that are indicative of one or more problematic layer-2 behaviors. As such, based on the behavioral learning, the server then creates predictive rules to be applied within layer-2 networks to predict the one or more problematic layer-2 behaviors. The predictive rules may then be used within a particular layer-2 network to cause i/ prediction of one or more particular problematic layer-2 behaviors within the particular layer-2 network based on data from a plurality of switches within the particular layer-2 network, and ii/ mitigation against the predicted one or more particular problematic layer-2 behaviors within the particular layer-2 network.
Policy-based control layer in a communication fabric Presented herein are techniques for adding a secure control layer to a distributed communication fabric that supports publish-subscribe /pub-sub/ and direct query /synchronization/ communication. The secure control layer is configured to perform policy-based authentication techniques to securely manage the exchange of data/information within the communication fabric and enable registration/discovery of new capabilities.
Persistence based on server response in an IP multimedia subsystem /IMS/ Embodiments are directed towards managing persistence of network traffic using deep packet inspections of network response packets from an application server. In one embodiment, the network packets are associated with SIP messages. A traffic management device /TMD/ interposed between client devices and a plurality of application servers receives messages from the client device and/or the application servers. The TMD performs a deep packet inspection to determine if a defined key value pair that includes a session identifier is detected. If so, and the message is from the application server, the session identifier is then mapped to an application server identifier to persistently refer each subsequent inbound packet from a client device having the same session identifier to the application server mapped to the session identifier.
Path optimization in distributed service chains in a network environment An example method for path optimization in distributed service chains in a network environment is provided and includes receiving information about inter-node latency of a distributed service chain in a network environment comprising a distributed virtual switch /DVS/, where the inter-node latency is derived at least from packet headers of respective packets traversing a plurality of service nodes comprising the distributed service chain, and modifying locations of the service nodes in the DVS to reduce the inter-node latency. In specific embodiments, the method further includes storing and time-stamping a path history of each packet in a network service header portion of the respective packet header. A virtual Ethernet Module /VEM/ of the DVS stores and time-stamps the path history and a last VEM in the distributed service chain calculates runtime traffic latencies from the path history and sends the calculated runtime traffic latencies to a virtual supervisor module.
Packet switching device using results determined by an application node Packets are encapsulated and sent from a service node /e.g., packet switching device/ using one or more services applied to a packet by an application node /e.g., a packet switching device and/or computing platform such as a Cisco ASR 1000/ to generate a result, which is used by the service node to process packets of a flow of packets to which the packet belonged. An example of a service applied to a packet is a classification service, such as, but not limited to, using deep packet inspection on the packet to identify a classification result. The service node can, for example, use this classification result to process other packets in a same packet flow, such that all packets of a flow do not need to be, nor typically are, sent to an application node for processing.
Packet Capture /PCAP/ and File Attachments in NetMon
Packet Analyzer – Network Analysis & Scanning Tool | SolarWinds
Overview of intrusion detection and intrusion prevention This report provides an overview of IPS systems. In the first section a comparison of IDS and IPS is made, where an IPS system is defined as an integration of IDS and a firewall. The second section describes what is needed to set up an IPS system. In the third section, IPS alternatives are discussed for different types of organizations. The fourth section describes the dangers of e-mail and the need for an E-mail Exploit Detection Engine that has many characteristics of an Intrusion Prevention System. The conclusion summarizes what should be taken into consideration when deciding on an Intrusion Prevention System.
Optimized channel selection for virtual access point /VAP/ enabled networks In one embodiment, a supervisory device in a network forms a virtual access point /VAP/ for a node in the network. A plurality of access points /APs/ in the network are mapped to the VAP as part of a VAP mapping and the node treats the APs in the VAP mapping as a single AP for purposes of communicating with the network. The supervisory device determines a traffic type of traffic associated with the node. The supervisory device assigns the node to a selected wireless channel based in part on the traffic type of the traffic associated with the node. The supervisory device controls the VAP to use the channel assigned to the node.
OPEN SOURCE INTRUSION DETECTION SYSTEM USING SNORT Software and hardware components are parts of almost every Intrusion Detection System /IDS/ which is able to monitor computer networks for any possible security incidents. Using Internet resources all over the world has become one of the most popular tasks among all people, and this usage and connection to the Internet creates security risk for many different network attacks. This is because these attacks and threats can strongly affect network security. IDS systems have become one of the most useful network security mechanisms, which protect users' valuable resources and the confidentiality, integrity and availability of information and information assets located in the protected part of any organization's computer network. Therefore, IDS systems have a very significant role in protecting users, companies or any institutions against cyber attacks. IDS can be designed as signature-based or anomaly-based detection systems. Signature-based systems /Misuse-based IDS/ are only eligible to detect attacks which are already known, and anomaly-based systems are eligible to detect unknown attacks, which gives them the functionality to be proactive, i.e. to resolve an attack before it harms the specific protected system. In this paper, the already available classification of IDS and the general capabilities of the SNORT open source IDS solution are presented.
On-box behavior-based traffic classification In one embodiment, a networking device in a network detects a traffic flow conveyed in the network via the networking device. The networking device generates flow data for the traffic flow. The networking device performs a classification of the traffic flow using the flow data as input to a machine learning-based classifier. The networking device performs a mediation action based on the classification of the traffic flow.
Nozomi Networks Selected by FireEye for ICS Depth & Technical Excellence
Next-Generation Firewalls: Cisco ASA with FirePower Services This paper aims to provide a comprehensive review of the Cisco ASA next-generation firewall with FirePower Services. The product will be introduced as to its purposes and features and why an organization would want to deploy it as a security product in an enterprise or otherwise large scale network. This paper will give insight into the technology behind the Cisco ASA as well as additional features that the FirePower Services adds. I will cover some of the strengths found on the FirePower platform that Cisco offers such as signature-based threat detection and Snort, as well as some of the limitations the platform has compared to other leading vendors in the network security world, such as the lack of SSL inspection at the time of this writing.
New SCADAguardian Advanced product line delivers deep ICS network visibility
New dimensions in intrusion defense Sourcefire 3D combines network profiling and rule-based detection for policy enforcement
NetworkAdvisor_ForQuickIntelligentProblemIsolation_5091-0736E_14pages_Feb91.pdf
Network-based approach for training supervised learning classifiers In one embodiment, a supervisory device in a network receives traffic data from a security device that uses traffic signatures to assess traffic in the network. The supervisory device receives traffic data from one or more distributed learning agents that use machine learning-based anomaly detection to assess traffic in the network. The supervisory device trains a traffic classifier using the received traffic data from the security device and from the one or more distributed learning agents. The supervisory device deploys the traffic classifier to a selected one of the one or more distributed learning agents.
Network Virtualization and Security Software – NSX | VMware VMware NSX® Data Center delivers virtualized networking and security entirely in software, completing a key pillar of the Software-defined Data Center /SDDC/, and enabling the virtual cloud network to connect and protect across data centers, clouds, and applications.
Network traffic processing system A system for processing network traffic includes a hardware-accelerated inspection unit to process network traffic in hardware-accelerated inspection mode, and a software inspection unit to process the network traffic in software inspection mode. The software inspection unit processes a connection in the software inspection mode at least for a consecutive predetermined number of bytes of the connection. The connection may be transitioned to the hardware-accelerated inspection mode if the connection is determined to be clean.
Network traffic manager architecture Methods, systems, and devices are described for managing network communications. A traffic manager module may receive a message from a first network device to a second network device. The traffic manager module may serve as a proxy between the first network device and the second network device. The traffic manager module may perform an application layer inspection at the traffic manager module on at least one of the message or a response to the message from the second network device, and forward the message or the response to the message to a third network device based on the application layer inspection at the traffic manager module.
Network Traffic Analysis Open Preview in Rapid7 InsightIDR
Network Sniffers Network sniffers are diagnostic software applications, often bundled with hardware devices, that provide protocol-level analysis of data flowing through a network, packet by packet. This information can help administrators monitor and identify performance problems.
Network security indicator of compromise based on human control classifications In one embodiment, a service classifies a device in a network as human-controlled or self-controlled. The service also classifies an online resource as designed for access by human-controlled devices or by self-controlled devices. The service obtains traffic data regarding an attempt by the device to access the online resource via the network. The service determines that the attempt by the device to access the online resource is a security violation, based on the classifications of the device and the online resource. The service initiates a mitigation action in the network for the security violation.
Network Performance Monitoring and Diagnostics /NPMD/: Why DPI Is Essential
Network Performance Monitor Administrator Guide
Network monitoring with focus on HTTP Since its introduction in the early 1990s, the quick growth of the World Wide Web /WWW/ traffic raises the question of whether past Local Area Network /LAN/ packet traces still reflect the current situation or whether they have become obsolete. For this thesis, several LAN packet traces were obtained by monitoring the LAN of a typical academic environment. The tools for monitoring the network were a stand-alone HP LAN Protocol Analyzer as well as the free-ware software tool tcpdump. The main focus was placed on acquiring a low-level overview of the LAN traffic. Thus, it was possible to determine what protocols were mainly used and how the packet sizes were distributed. In particular, this study aimed at establishing the amount of WWW traffic on the LAN, and determining the MIME-Types of this traffic. The results indicate that in a typical academic environment, conventional sources of LAN traffic such as NFS are still predominant, whereas WWW traffic plays a rather marginal role. Furthermore, a large portion of the network packets contains little or no data at all, while another significant portion of the packets have sizes around the Maximum Transfer Unit /MTU/. Consequently, research in the networking field has to direct its focus on issues beside the WWW.
Network monitoring and management system A network monitoring and management system /10/ is provided for use in conjunction with a computer network array /12/ including a plurality of identifiable branch arrays known as LANS /14/. The system /10/ includes a sampling assembly /38/ including a plurality of probe computers /42/ situated along selected ones of the LANS /14/ for "capturing" data packets /22/ and building probe objects /52/ corresponding thereto. The system /10/ further includes an analysis assembly /40/ including a database computer /98/ for receiving a plurality of probe objects /52/ and manipulating them with a database builder routine /96/ into database objects /100/
Network monitoring Monitoring is done of communications which occur in a network of nodes, each communication being effected by a transmission of one or more packets among two or more communicating nodes, each communication complying with a predefined communication protocol selected from among protocols available in the network. The contents of packets are detected passively and in real time, communication information associated with multiple protocols is derived from the packet contents.
Network General Price List End User Network General Sniffer end-user price list, March 16, 1987
Network flow switching and flow data export The invention provides a method and system for switching in networks responsive to message flow patterns. A message "flow" is defined to comprise a set of packets to be transmitted between a particular source and a particular destination. When routers in a network identify a new message flow
Network Based Application Recognition (NBAR) – Cisco
Network Associates launches new Infinistream network management solution – ARN
Network Associates Inc. Netasyst Network Analyzer Wireless McAfee Network Protection Netasyst Network Analyzer Wireless Netasyst wireless offerings provide a comprehensive solution for managing network applications and deployments on wireless 802.11a and 802.11b networks. With its ability to decrypt Wired Equivalent Privacy (WEP)-based traffic, either pre-capture or post-capture, Netasyst functionality gives you unsurpassed troubleshooting flexibility. Expert analysis specific to wireless environments enables Netasyst wireless offerings to quickly pinpoint security breaches in radio frequencies by unauthorized mobile users or rogue access points. By tracking all wireless behavior and displaying all known information, Netasyst Wireless offerings can rapidly determine if an environment is overloaded or performing efficiently. This functionality ensures that performance issues are corrected, rogue wireless equipment is removed, and unauthorized mobile users are discovered so they no longer pose a security threat to the network.
Network Application Visibility Library | Vineyard Networks Vineyard Networks’ Network Application Visibility Library (NAVL) classification library is an SDK providing real-time application layer classification of network traffic designed for integration into third-party solutions (OEM). NAVL uses a combination of deep packet (DPI) and deep flow (DFI) inspection to accurately identify thousands of today’s common applications such as Social Networking, P2P, Instant Messaging, File Sharing, Enterprise applications, Web 2.0 and more. NAVL is delivered as an OEM solution to dramatically reduce the time, cost, and complexity of adding layer-7 classification to your networking solution.
NetMon Architecture The Packet Processing component (also called the Engine) classifies the data during Deep Packet Inspection (DPI). In this process, the Engine analyzes network data using a variety of methods, including pattern matching, heuristic modeling, signatures for session identification, application identification, and metadata extraction. The Engine also applies packet rules before sending the processed data to the Flow Output component.
NBAR support for HTTP – Cisco
NAVL 4.3 – Exceeding Industry DPI Performance Standards | Procera Networks: Empowering Intelligence
NAI to buy Net monitoring software company Network Associates Inc. (NAI) announced Monday it has agreed to purchase Traxess Inc., a company that develops software that allows businesses to monitor and store data on their employees’ Internet activity.
Multiple pairwise feature histograms for representing network traffic In one embodiment, a device divides groups of tuples of traffic characteristics of encrypted network traffic into different pairs of the characteristics. Each of the pairs has a corresponding two dimensional (2-D) feature subspace. The device discretizes the 2-D feature subspaces, to form a plurality of bins in each feature subspace. The device assigns the pairs of the traffic characteristics in a particular group of tuples to the bins in the discretized 2-D feature subspaces. The device forms, for each group of tuples, a vector representation of the group of tuples based on the bins in the discretized 2-D feature subspaces to which the pairs of the traffic characteristics from the group are assigned. The vector representations of the groups of tuples are of a fixed dimension. The device uses the vector representations of the groups of tuples to train a machine learning-based traffic classifier.
Multi-protocol visualization: a tool demonstration This paper describes a system for the visualization of multiple protocols. The visualizer makes possible the identification of both intra and inter-protocol behaviour. This tool has become a critical resource in the development of our multi-protocol monitoring system; allowing the verification of the monitoring system, identification of new modes of behaviour and the easy visualization of potentially overwhelming quantities of information.
Multi-dimensional system anomaly detection In one embodiment, a device in a network receives a first plurality of measurements for network metrics captured during a first time period. The device determines a first set of correlations between the network metrics using the first plurality of measurements captured during the first time period. The device receives a second plurality of measurements for the network metrics captured during a second time period. The device determines a second set of correlations between the network metrics using the second plurality of measurements captured during the second time period. The device identifies a difference between the first and second sets of correlations between the network metrics as a network anomaly.
Mobile Insider – Mobile Trends Blog – Bytemobile » Blog Archive » Bytemobile Builds Out the T-Series Adaptive Traffic Management System
Middlebox Communications (MIDCOM) Protocol Semantics This memo specifies semantics for a Middlebox Communication (MIDCOM) protocol to be used by MIDCOM agents for interacting with middleboxes such as firewalls and Network Address Translators (NATs). The semantics discussion does not include any specification of a concrete syntax or a transport protocol. However, a concrete protocol is expected to implement the specified semantics or, more likely, a superset of it. The MIDCOM protocol semantics is derived from the MIDCOM requirements, from the MIDCOM framework, and from working group decisions.
Middlebox Communication Architecture and framework There are a variety of intermediate devices in the Internet today that require application intelligence for their operation. Many of the applications in use are complex and the datagrams pertaining to these applications cannot be identified by merely examining packet headers. Firewalls and Network Address Translators are typical examples of devices requiring application knowledge. Real-time streaming Voice-over-IP applications such as SIP and H.323 and peer-to-peer applications such as Napster are examples of complex applications. The document specifies an architecture and framework in which trusted third parties can be delegated to assist the intermediate devices with application
Middle boxes: taxonomy and issues This document is intended as input to IETF discussion about "middle boxes" – defined as any intermediary box performing functions apart from normal
MIDCOM Protocol Semantics This memo specifies semantics for a Middlebox Communication (MIDCOM) protocol to be used by MIDCOM agents for interacting with middleboxes, such as firewalls and NATs. The semantics discussion does not include any specification of a concrete syntax or a transport protocol. However, a concrete protocol is expected to implement the specified semantics or a superset of it. The MIDCOM protocol semantics is derived from the MIDCOM requirements, from the MIDCOM framework, and from working group decisions.
Micro-firewalls in a microservice mesh environment A server, in communication with a plurality of microservices in a microservices mesh environment, obtains data about inbound communications to a first microservice and outbound communications from the first microservice of the plurality of microservices. The server analyzes the data to learn an operational behavior of the first microservice and determine a firewall rule set to be applied associated with the first microservice based on the operational behavior learned for the first microservice. The server causes a micro-firewall to be instantiated for the first microservice. The micro-firewall is configured to apply the firewall rule set to inbound communications to the first microservice and outbound communications from the first microservice.
Methods of collaborative hardware and software DNS acceleration and DDOS protection Embodiments are directed towards managing name service communications. A name service device may be arranged to employ a hardware domain name service (DNS) processor to receive a name service query. The hardware DNS processor may perform operations on the name service query. If operations performed by the hardware DNS processor do not resolve the name service query, further operations may be performed. The name service device may be arranged to provide a name service reply that includes the answer to the name service query. And, the name service device may be arranged to send the name service reply back to the hardware DNS processor. Accordingly, the hardware DNS processor on the name service device may send the name service reply that includes at least an answer to the name service query to the requesting computers.
Methods for packet data network service slicing with microsegmentation in an evolved packet core and devices thereof Methods, non-transitory computer readable media, session director apparatuses, and network traffic management systems that facilitate packet data network (PDN) service slicing with microsegmentation in an evolved packet core are disclosed. With this technology, a create session request (CSR) general packet radio service (GPRS) tunneling protocol (GTP) control (GTP-c) message is intercepted. A lookup key is then determined based on content of the intercepted CSR GTP-c message. A PDN gateway (PGW) identifier for a PGW is obtained using a slice name obtained using the lookup key. The intercepted CSR GTP-c message is modified to include the obtained PGW identifier. Subsequently, the modified CSR GTP-c message is steered based on the obtained PGW identifier, such as directly to the PGW or to a serving gateway (SGW) module associated with the PGW.
Methods and systems for using state ranges for processing regular expressions in intrusion-prevention systems Methods and systems are provided for using state ranges for processing regular expressions in intrusion-prevention systems. In an embodiment, in an intrusion-prevention system for examining network traffic and identifying therein the presence of signature data patterns, a state-transition table is provided. The state-transition table is representative of a predetermined data pattern, and includes states each having one or more egress events defining transitions to other states. A subject is received for evaluation for the presence of the predetermined data pattern. While using the state-transition table for said evaluation, the presence of a first egress event of a first state is detected in the subject, resulting in a transition from the first state to a second state. A second-state range in the subject is calculated, and the second-state range is searched for the presence of at least one of the second state’s egress events.
Methods and systems for using lambda transitions for processing regular expressions in intrusion-prevention systems Methods and systems are provided for using lambda transitions for processing regular expressions in intrusion-prevention systems. In an embodiment, a state-transition table is provided, said table being representative of a predetermined data pattern, and including states having egress events defining transitions to other states. A subject is received for evaluation for the presence of the predetermined data pattern. While using the state-transition table for said evaluation, a first state is transitioned into, the first state having an egress event defining a transition to a second state, a state count corresponding to a number of times the first state has been transitioned into, a state-count threshold, and a state-count condition. After transitioning into the first state, the state count is incremented. Responsive to determining that the state-count condition is satisfied by comparing the incremented state count with the state-count threshold, the transition to the second state is taken.
Methods and systems for using keywords preprocessing, Boyer-Moore analysis, and hybrids thereof, for processing regular expressions in intrusion-prevention systems Methods and systems are provided for using keyword preprocessing, Boyer-Moore analysis, and hybrids thereof, in intrusion-prevention systems. In one embodiment, a state-transition table representative of a data pattern is provided. The table has a plurality of states, each having egress events that define transitions to other states. The data pattern is parsed to identify character strings. A subject is received for evaluation, and preprocessed to find any instances of those character strings. A keyword table is populated with the character strings found during preprocessing. While using the table to evaluate the subject, a first state having a first one of the character strings as an egress event is transitioned into. The keyword table is checked for the first character string, and, responsive to finding the first character string in the keyword table, a transition is taken from the first state to the second state.
Methods and systems for using incremental operation for processing regular expressions in intrusion-prevention systems Methods and systems are provided for using incremental operation for processing regular expressions in intrusion-prevention systems. In an embodiment, a state-transition table is provided, said table representative of a predetermined data pattern, and including states each having one or more egress events defining transitions to other states. A first portion of a subject is received, where the subject is to be evaluated for the presence of the predetermined data pattern. While using the state-transition table for said evaluation, a first state is transitioned into, after which it is determined that a set of restart information should be saved for the first state, said determination including identifying a tail to save from an end of the first portion of the subject. The restart information is saved, along with at least the identified tail.
Methods and systems for multi-pattern searching Embodiments of the present invention relate to systems and methods for optimizing and reducing the memory requirements of state machine algorithms in pattern matching applications. Memory requirements of an Aho-Corasick algorithm are reduced in an intrusion detection system by representing the state table as three separate data structures. Memory requirements of an Aho-Corasick algorithm are also reduced by applying a banded-row sparse matrix technique to the state transition table of the state table. The pattern matching performance of the intrusion detection system is improved by performing a case insensitive search, where the characters of the test sequence are converted to uppercase as the characters are read. Testing reveals that state transition tables with sixteen bit elements outperform state transition tables with thirty-two bit elements and do not reduce the functionality of intrusion detection system using the Aho-Corasick algorithm.
Methods and systems for multi-pattern searching Embodiments of the present invention relate to systems and methods for optimizing and reducing the memory requirements of state machine algorithms in pattern matching applications. Memory requirements of an Aho-Corasick algorithm are reduced in an intrusion detection system by representing the state table as three separate data structures. Memory requirements of an Aho-Corasick algorithm are also reduced by applying a banded-row sparse matrix technique to the state transition table of the state table. The pattern matching performance of the intrusion detection system is improved by performing a case insensitive search, where the characters of the test sequence are converted to uppercase as the characters are read. Testing reveals that state transition tables with sixteen bit elements outperform state transition tables with thirty-two bit elements and do not reduce the functionality of intrusion detection systems using the Aho-Corasick algorithm.
Methods and systems for multi-pattern searching Embodiments of the present invention relate to systems and methods for optimizing and reducing the memory requirements of state machine algorithms in pattern matching applications. Memory requirements of an Aho-Corasick algorithm are reduced in an intrusion detection system by representing the state table as three separate data structures. Memory requirements of an Aho-Corasick algorithm are also reduced by applying a banded-row sparse matrix technique to the state transition table of the state table. The pattern matching performance of the intrusion detection system is improved by performing a case insensitive search, where the characters of the test sequence are converted to uppercase as the characters are read. Testing reveals that state transition tables with sixteen bit elements outperform state transition tables with thirty-two bit elements and do not reduce the functionality of intrusion detection systems using the Aho-Corasick algorithm.
Methods and systems for intrusion detection Performance of an intrusion detection system is enhanced with the addition of rule optimization, set-based rule inspection, and protocol flow analysis. During rule optimization, rule sets are created and selected in such a way that for every incoming packet only a single rule set has to be searched. Set-based rule inspection divides rules into content and non-content type rules. Only search patterns of content type rules are initially compared to a packet. Rules containing matched search patterns are validated with a parameterized search against the packet. Matches are recorded as events. Non-content rules are searched against a packet using a parameterized search. These matches are also recorded as an event. At least one event is selected per packet for logging. Protocol flow analysis determines the direction of flow of network traffic. Based on the direction of flow and the protocol, portions of packets can be eliminated from rule inspection.
Methods and apparatus for traffic management in peer-to-peer networks Methods and apparatus relating to routing and caching systems for reducing traffic and the bandwidth used by decentralized peer-to-peer (P2P) file sharing networks is described. The peer-to-peer network operates over an underlying network including first and second network portions. The method includes routing a peer-to-peer message in one of said network portions with an intended destination in the other of said network portions to a gateway between peer-to-peer modes residing on said first and second network portions. The method further includes controlling transport of said message at said gateway to limit propagation of said message into said other of said network portions.
Method, device, and system for providing hot reservation for in-line deployed network functions with multiple network interfaces Method, device, and system for providing hot reservation for in-line deployed network functions with multiple network interfaces. A system includes a first Network Function (NF) unit, connected to an ingress router and to an egress router; and a second NF unit, connected to the ingress router and to the egress router. The first NF unit is initially configured as a controlling NF. The second NF unit is initially configured as a backup NF. The two NF units periodically exchange keep-alive messages via the two routers. The second NF unit, operating as the backup NF, automatically triggers a switchover if the second NF unit did not receive a keep-alive message from the first NF unit for at least a pre-defined time-period. Additionally or alternatively, the controlling NF initiates a switchover if the maintenance status parameters of the backup NF are better than those of the controlling NF.
Method for protection of automotive components in intravehicle communication system Methods and systems for mitigating cyber attacks on components of an automotive communication system are disclosed. These methods and systems comprise elements of hardware and software for receiving a frame; determining whether the frame potentially affects correct operation of an automotive component; and, taking protective action.
Method and system for controlling a delay of packet processing using loop paths A method and system for introducing controlled delay of packet processing at a network device using one or more delay loop paths (DLPs). For each packet received at the network device, a determination will be made as to whether or not packet processing should be delayed. If delay is chosen, a DLP will be selected according to a desired delay for the packet. The desired delay value is used to determine a time value and inserts the time value in the DLP ahead of the packet. Upon completion of a DLP delay, a packet will be returned for processing, an additional delay, or some other action. One or more DLPs may be enabled with packet queues, and may be used advantageously by devices, for which in-order processing of packets may be desired or required.
Method and system for client association management based on estimated session duration The present disclosure discloses a method and a network device for client association management based on estimated session duration. Specifically, a network device determines that a client device is on an active session. The client device is associated with a first access point of a plurality of access points. The network then estimates a remaining duration of the active session to obtain an estimated remaining duration. Responsive at least to the estimated remaining duration of the active session being greater than a threshold value, the network device causes the client device to associate with a second access point different than the first access point. Responsive at least to the estimated remaining duration of the active session being less than the threshold value, the network device refrains from causing the client device to associate with the second access point.
Method and apparatus for session bandwidth estimation and rate control An intermediate device receives a content data message addressed to a receiving device for a communication session between a source device and the receiving device. The intermediate device substitutes adapted content data for content data of the content data message and then sends the adapted content data to the receiving device such that it appears to the receiving device that the adapted content data originated from the source device. The communication from the source device to the receiving device is intercepted by the intermediate device in a manner that is transparent to the source device and receiving device.
Method and apparatus for self-learning of VPNS from combination of unidirectional tunnels in MPLS/VPN networks A technique is provided for implementing deep-packet inspection (DPI) services in an MPLS/VPN configured computer network. The technique employs a novel self-learning algorithm that analyzes data packets belonging to different unidirectional tunnels in the MPLS/VPN network and determines whether the analyzed data packets transport data in the same VPN. If so, the unidirectional tunnels containing the analyzed data packets are associated with a common layer-2 identification (L2ID) value. Unlike conventional flow-classification procedures, the inventive technique classifies a data packet by first associating the data packet with a L2ID value and then classifying the packet as belonging to a particular data flow based on a novel 6-tuple consisting of a conventional 5-tuple plus the packet’s L2ID value. Because unidirectional tunnels corresponding to the same application data flow transport data packets having the same set of 6-tuple values, DPI services can apply application-level policies to classified data packets consistent with their 6-tuple flow classifications.
Method and apparatus for flexible application-aware monitoring in high bandwidth networks There is provided apparatus including at least one pre-capture filter, operative to receive at least some of a plurality of packets transmitted in a network, and to identify an application type of each of the received packets and a plurality of application-type specific post capture filters, each associated with at least one of a plurality of application-type specific monitoring stations, the plurality of application-type specific post capture filters being operative to receive from the at least one pre-capture filter packets of a specific application type and to transmit the packets of the specific application type to the at least one of the plurality of application type specific monitoring stations associated therewith.
Method and apparatus for displaying HTTPS block page without SSL inspection The present disclosure discloses a method and system for displaying an HTTPS block page without SSL inspection. Specifically, a network device snoops a first message transmitted between a client device and a network resource. The first message is transmitted as part of an SSL Handshake between the client device and the network resource to establish an SSL session. Moreover, the network device determines whether the client device is authorized to access the network resource. If not, the network device blocks the establishment of an SSL session between the client device and the network resource, and spoofs the network resource for establishing the SSL session between the client device and the network device instead of establishment of the SSL session between the client device and the network resource. Otherwise, the network device refrains from blocking the establishment of the SSL session between the client device and the network resource.
Dynamic deep packet inspection for anomaly detection In one embodiment, a device in a network captures a first set of packets based on first packet capture criterion. The captured first set of packets is provided for deep packet inspection and anomaly detection. The device receives a second packet capture criterion that differs from the first packet capture criterion. The device captures a second set of packets based on the second packet capture criterion. The device provides the captured second set of packets for deep packet inspection and anomaly detection. The anomaly detection of the captured first and second sets of packets is performed by a machine learning-based anomaly detector configured to generate anomaly detection results based in part on one or more traffic metrics gathered from the network and based further in part on deep packet inspection results of packets captured in the network.
Dynamic cascaded clustering for dynamic VNF In an example, a server architecture is described for a dynamic cascaded node chain providing a resource cluster. The cascaded node chain may include one or more resource instances provisioned as a head node, zero or more middle nodes, and a tail node. Each node may include a discrete number of available resource entries in a flow table. As traffic enters the head node, each node attempts to match the traffic to an entry in its flow table. If no match is found, the packet is downlinked to the next node in the chain. If the packet reaches the tail node without a match, it is punted to the controller. The controller may then provision a matching entry if an entry is available. If not, the controller may spawn a new resource instance. When the full capacity of the cluster is reached, non-matching entries may be dropped.
Dynamic application degrouping to optimize machine learning model accuracy In one embodiment, a device in a network identifies a plurality of applications from observed traffic in the network. The device forms two or more application clusters from the plurality of applications. Each of the application clusters includes one or more of the applications, and wherein a particular application in the plurality of applications is included in each of the application clusters. The device generates anomaly detection models for each of the application clusters. The device tests the anomaly detection models, to determine a measure of efficacy for each of the models with respect to traffic associated with the particular application. The device selects a particular anomaly detection model to analyze the traffic associated with the particular application based on the measures of efficacy for each of the models.
DPI matrix allocator A deep packet inspection (DPI) allocator for managing bandwidth in a communication channel, the DPI allocator comprising: a DPI application for inspecting data packets propagating to a destination via the channel that enter the allocator; and at least one service application for processing data packets that enter the allocator.
DNS metadata-based signaling for network policy control In one embodiment, a device in a network intercepts a Domain Name System (DNS) query sent by a node in the network to a DNS service. The device inserts metadata information about the node into the DNS query before sending the DNS query on to the DNS service. The device extracts policy information regarding the node from a DNS response sent from the DNS service back to the node in response to the DNS query. The device implements a network policy for the node within the network based on the policy information extracted from the DNS response.
Distributed packet flow inspection and processing Distribution of network processing load among a set of packet processing devices is improved by employing means for eliminating, controlling, or otherwise affecting redundant packet processing operations. In one embodiment, at least two packet processing devices are present, both capable of processing data packets flowing therethrough, such as, inspecting, detecting, and filtering data packets pursuant to one or more filters from a filter set. Redundancy is controlled by providing or enabling either or both of the packet processing devices with capability for detecting during its said inspection of said data packets that, for example, one or more filters had been previously executed on said data packets by the other packet processing device, and then not executing the previously-executed filters on said data packets.
Distributed network instrumentation system A distributed network instrumentation system (100) includes a security management station (110) including a global network policy decomposer (112) configured to decompose global network security policies to local security policies for distributed policy enforcement, and a network interface (220) communicatively coupled to a compute platform (200). The network interface (220) is configured to off-load processing of the local security policies and end-to-end encryption from an operating system (210) of the compute platform (200) for facilitating network instrumentation.
Distributed machine learning autoscoring In one embodiment, a management system determines respective capability information of machine learning systems, the capability information including at least an action the respective machine learning system is configured to perform. The management system receives, for each of the machine learning systems, respective performance scoring information associated with the respective action, and computes a degree of freedom for each machine learning system to perform the respective action based on the performance scoring information. Accordingly, the management system then specifies the respective degree of freedom to the machine learning systems. In one embodiment, the management system comprises a management device that computes a respective trust level for the machine learning systems based on receiving the respective performance scoring feedback, and a policy engine that computes the degree of freedom based on receiving the trust level. In further embodiments, the machine learning system performs the action based on the degree of freedom.
Distributed functionality across multiple network devices According to one embodiment, a method comprises an operation of identifying a plurality of network devices, and detecting a presence of firewall processing functionality in a subset of the network devices. At least one of the network devices not in the firewall subset is configured to forward packets to a network device of the subset for firewall processing.
Distributed feedback loops from threat intelligence feeds to distributed machine learning systems In one embodiment, a device in a network receives anomaly data regarding an anomaly detected by a machine learning-based anomaly detection mechanism of a first node in the network. The device matches the anomaly data to threat intelligence feed data from one or more threat intelligence services. The device determines whether to provide threat intelligence feedback to the first node based on the matched threat intelligence feed data and one or more policy rules. The device provides threat intelligence feedback to the first node regarding the matched threat intelligence feed data, in response to determining that the device should provide threat intelligence feedback to the first node.
Distributed chassis architecture having integrated service appliances A distributed virtual chassis comprises scaled-out fabric coupler (SFC) boxes. Each SFC box has fabric ports and a cell-based switch fabric for switching cells associated with a packet among the SFC fabric ports of that SFC box. Distributed line cards (DLCs) include switching DLCs and an appliance DLC (A-DLC). Each switching DLC has network ports. Each switching DLC and A-DLC has DLC fabric ports. Each switching DLC and A-DLC is connected to each of the SFC boxes. The A-DLC provides an upper layer service for packets arriving on the network ports of the switching DLCs. To forward a packet to the A-DLC, a switching DLC divides the packet into cells and distributes the cells among the SFC boxes. The SFC boxes forward the cells to the A-DLC, and the A-DLC reassembles the packet from the cells and provides the upper layer service to the packet.
Distributed anomaly detection management In one embodiment, a device in a network performs anomaly detection functions using a machine learning-based anomaly detector to detect anomalous traffic in the network. The device identifies an ability of one or more nodes in the network to perform at least one of the anomaly detection functions. The device selects a particular one of the anomaly detection functions to offload to a particular one of the nodes, based on the ability of the particular node to perform the particular anomaly detection function. The device instructs the particular node to perform the selected anomaly detection function.
Discovery of services provided by application nodes in a network An application node advertises the service(s) it offers to other network nodes using a routing protocol. For example, the routing protocol used to advertise service(s) in a Service Provider Network is typically a link-state Interior Gateway Protocol (IGP), such as, but not limited to, Intermediate System to Intermediate System (IS-IS) or Open Shortest Path First (OSPF). Packets are encapsulated and sent from a service node (e.g., a packet switching device) using one or more advertised services applied to a packet by an application node (e.g., a packet switching device and/or computing platform such as a Cisco ASR 1000).
Digital filter correlation engine A digital filter correlation engine, wherein the correlation engine combines N arbitrary digital filter states based on weights and, together with a threshold, generates a network incident. This network incident can in turn be fed back into another digital filter. This multi-layering capability allows the creation of higher-level, time-based event detections for a cyber security analyst to analyze, thereby reducing the amount of manual work the analyst has to do in inspecting behaviors within the network.
Differentiating devices with similar network footprints using active techniques In one embodiment, a labeling service receives traffic feature data for a cluster of endpoint devices in a network. A device classification service forms the cluster of endpoint devices by applying machine learning-based clustering to the feature data. The labeling service selects a subset of the endpoint devices in the cluster, in an effort to maximize diversity of the traffic feature data of the selected endpoint devices. The labeling service sends a control command into the network, to trigger a traffic behavior by the selected subset. The labeling service receives updated traffic feature data for the selected subset associated with the triggered traffic behavior. The labeling service controls whether a label request is sent to a user interface for labeling of the cluster of endpoint devices with a device type, based on the updated traffic feature data for the subset of endpoint devices in the cluster.
Device, system and method for timestamp analysis of segments in a transmission control protocol (TCP) session A method performed in an intrusion detection/prevention system, a system or a device for determining whether a transmission control protocol (TCP) segment in a TCP connection in a communication network is acceptable. The TCP connection can include TCP segments beginning with a three way handshake. A TCP segment can include a field for a timestamp. A timestamp policy of plural timestamp policies is identified, the timestamp policy corresponding to a target associated with the segments in a TCP connection. A baseline timestamp is identified based on a three way handshake in the TCP connection. Segments in the TCP connection are monitored. The segments in the TCP connection are filtered as indicated in the timestamp policy corresponding to the target, the timestamp policy indicating whether the segments are to be filtered out or forwarded to the target by comparing the timestamp of the segments to the baseline timestamp.
Device, system and method for analysis of segments in a transmission control protocol (TCP) session A method performed in an intrusion detection/prevention system, a system or a device for analyzing segments in a transmission in a communication network. The transmission includes segments in the same transmission control protocol (TCP) session. Segments in a transmission are monitored. Data in the segments in the transmission are reassembled in an order indicated by a segment reassembly policy, the segment reassembly policy indicating an order specific to at least comprehensively overlapped segments.
Device, system and method for analysis of fragments in a fragment train Fragment trains in a communication network are analyzed. A fragment train includes fragments in the same fragment train and associated with the same target system. One or more fragment reassembly policies are identified out of several fragment reassembly policies, where the fragment reassembly policy corresponds to a target system associated with fragments in a fragment train. The data in the fragments in the fragment train are provided in an order indicated by the fragment reassembly policy. The fragment reassembly policy can include determining the order responsive to an offset and a more fragments indication in the fragments, and/or indicating an order specific to overlapped fragments such as comprehensively overlapped fragments.
Device-health-based dynamic configuration of network management systems suited for network operations In an embodiment, in response to receiving an indication of a change in quality of services provided by a network device, collecting one or more performance measurements of the network device; by applying a network policy to the measurements, determining one or more operations capable of being performed on the network device to enhance the quality of services; in response to determining that the network device is not configured for instrumentation, causing automatic self-configuration of the network device by execution of the one or more operations on the network device; wherein the method is performed by one or more computing devices.
Detection of user behavior deviation from defined user groups A machine learning-based technique for user behavior analysis that detects when users deviate from expected behavior. In this approach, a set of user groups are provided, preferably based on information provided from a user registry. A set of training data for each of the set of user groups is then obtained, preferably by collecting security events generated for a collection of the users over a given time period (e.g., the last thirty (30) days). A machine learning system is then trained using the set of training data to produce a model that includes a set of clusters in a user behavior model, wherein a cluster is a learned user group that corresponds to a defined user group. Once the model is built, it is used to identify users that deviate from their expected group behavior. In particular, the system compares a current behavior of a user against the model and flags anomalous behavior. The user behavior analysis may be implemented in a security platform, such as a SIEM.
Detection of botnet hosts using global encryption data In one embodiment, a device obtains certificate information for a plurality of network addresses. The device constructs, based on the certificate information, a bipartite graph that maps nodes representing common names from the certificate information to nodes representing autonomous systems. The device determines edge counts from the bipartite graph for the nodes representing the autonomous systems. The device identifies, based on the edge counts, a particular one of the common names as botnet-related by comparing edge counts for the autonomous systems associated with that particular common name to edge counts for the autonomous systems associated with one or more of the other common names.
Detection and analysis of seasonal network patterns for anomaly detection In one embodiment, a device in a network determines cluster assignments that assign traffic data regarding traffic in the network to activity level clusters based on one or more measures of traffic activity in the traffic data. The device uses the cluster assignments to predict seasonal activity for a particular subset of the traffic in the network. The device determines an activity level for new traffic data regarding the particular subset of traffic in the network. The device detects a network anomaly by comparing the activity level for the new traffic data to the predicted seasonal activity.
Detecting targeted data exfiltration in encrypted traffic In one embodiment, a service that monitors a network obtains file characteristic data of a file stored on a first endpoint in the network. The service infers characteristics of encrypted content within encrypted traffic in the network between the first endpoint and a second endpoint, by applying a machine learning-based classifier to traffic data regarding the encrypted traffic session. The service compares the file characteristic data of the file to the inferred content characteristics of the encrypted content within the encrypted traffic, to detect the file within the encrypted traffic. The service enforces a network policy in the network, based on the detection of the file within the encrypted traffic.
Detecting network services based on network flow data Detecting network services based on network flow data is disclosed. Using a networking device, network flow data is obtained for a plurality of endpoints of a telecommunications network. Each endpoint of the plurality of endpoints is uniquely described by data comprising an IP address, a port, and a communication protocol. For each endpoint of a set of at least one endpoint selected from the plurality of endpoints, a plurality of peers of the endpoint is determined by detecting communication between the endpoint and the plurality of peers based on the network flow data. For each peer of a set of peers selected from the plurality of peers, a difference between a number of peers of the endpoint and a number of peers of said each peer is determined based on the network flow data. It is determined if the endpoint is a service based on the difference determined for each peer of the set of peers. Network management is performed based on the determination of whether the endpoint is a service.
Detecting DGA-based malicious software using network flow information Detecting DGA-based malware is disclosed. In an embodiment, a number of domain name server requests originating from a particular host among a plurality of hosts is determined. The domain name server requests are directed to one or more domain name servers. A number of internet protocol addresses contacted by the particular host is determined. Based on the number of domain name server requests and the number of internet protocol addresses contacted, the existence of malware on the particular host is determined.
Deep packet inspection virtual function Concepts and technologies are disclosed herein for providing and using a deep packet inspection virtual function. A control system can detect a service request. The control system can analyze a policy to determine a function of a service to which the service request relates, a virtual machine that will host the function, and a deep packet inspection virtual function associated with the service. The control system can trigger loading of an image to the virtual machine and instantiation of the virtual machine. The image can include the function of the service and the deep packet inspection virtual function. The control system can validate the service and the deep packet inspection virtual function.
DDoS & Security Reports » What’s New?! – Threat Analysis with Deep Packet Inspection Context is King when it comes to understanding and analysing attacks and attackers. Today we are releasing the analysis feature for the Threats module. Internally we call this feature “play by play” and it does exactly that. It allows you to peer inside every attack and step through it so you can rule the attack in or out of your analysis. What do you need to do to enable it? – nothing. We are processing all datasets on Packetloop today to enable this new functionality.
Data path processing information included in the pseudowire layer of packets Data path processing information is included in the pseudowire layer of pseudowire packets in order to provide information for use in the data path processing of data (e.g., a packet), typically, but not always, included in the payload of the pseudowire packet itself. The pseudowire packet typically includes in corresponding fields: a pseudowire label for identifying a pseudowire type; a pseudowire control word; and payload data. The pseudowire type identifies the structure of the pseudowire control word field and the payload field, including the location of data path meta data, such as in the pseudowire control word field or payload field. This data path meta data identifies one or more attributes for use in processing the payload data.
Data path processing An intermediate device receives a content data message addressed to a receiving device for a communication session between a source device and the receiving device. The intermediate device substitutes adapted content data for content data of the content data message and then sends the adapted content data to the receiving device such that it appears to the receiving device that the adapted content data originated from the source device. The communication from the source device to the receiving device is intercepted by the intermediate device in a manner that is transparent to the source device and receiving device.
Corroborating threat assertions by consolidating security and threat intelligence with kinetics data A cognitive security analytics platform is enhanced by providing a computationally- and storage-efficient data mining technique to improve the confidence and support for one or more hypotheses presented to a security analyst. The approach herein enables the security analyst to more readily validate a hypothesis and thereby corroborate threat assertions to identify the true causes of a security offense or alert. The data mining technique is entirely automated but involves an efficient search strategy that significantly reduces the number of data queries to be made against a data store of historical data. To this end, the algorithm makes use of maliciousness information attached to each hypothesis, and it uses a confidence schema to sequentially test indicators of a given hypothesis to generate a rank-ordered (by confidence) list of hypotheses to be presented for analysis and response by the security analyst.
Cooperative caching for fast and scalable policy sharing in cloud environments Systems, methods, and computer-readable media for distributing policies in a SDN environment through chunking. A policy can be chunked into a plurality of policy chunks having corresponding chunk identifications at a controller of a SDN environment. Each of the plurality of policy chunks can be hashed to create corresponding chunk hashes for each of the plurality of policy chunks. Further, the plurality of policy chunks, the chunk identifications of the plurality of policy chunks, and the chunk hashes of the plurality of policy chunks can be distributed from the controller of the SDN environment to an intermediate policy node in a fabric of the SDN environment. The chunk hashes and the chunk identifications of the plurality of policy chunks can be used to control distribution of the plurality of policy chunks to one or more edge nodes in the SDN environment.
Control plane protection for various tables using storm prevention entries The present disclosure discloses a method and network device for control plane protection for various tables using storm prevention entries. Specifically, the disclosed system receives a first packet, and creates an inactive entry in a table. The system then forwards the first packet from a first processor to a second processor for processing. Also, the system associates the inactive entry with a timestamp indicating when the first packet is forwarded to the second processor, and determines a configured interval (CI) associated with the table. Further, the system compares a difference between a current timestamp and the timestamp associated with the inactive entry against the CI upon receiving a second packet. If the difference is longer than the CI, the system associates the inactive entry with the current timestamp, and forwards the second packet to the second processor for processing. Otherwise, the system discards the second packet.
Contextual service mobility in an enterprise fabric network environment In one embodiment, contextual service mobility in an enterprise fabric network environment (e.g., overlay and underlay networks) provides for moving of the location of a service being applied to packets with minimal updates to the mapping database. The mapping database is used to convert addresses of the overlay network to physical network and service addresses. The mapping database provides contextual lookup operations on the same destination address of a packet being forwarded in the overlay network to provide different results. The contextual lookup operations provide for a packet to be forwarded to a service node or its intended destination depending on the current context. In one embodiment, the enterprise fabric network uses Locator/ID Separation Protocol (LISP), a network architecture and set of protocols that uses different overlay and underlay namespaces and a distributed mapping database for converting an overlay address to an underlay address.
Context-Aware Micro-segmentation – an innovative approach to Application and User Identity Firewall | Network and Security Virtualization | VMware
Content-aware Internet application traffic measurement and analysis As the Internet is quickly evolving from best-effort networks to business quality networks, billing based on precise traffic measurement becomes an important issue for Internet service providers (ISPs). Billing settlement is necessary not only between an ISP and its customers but also between ISPs. Currently, most ISPs use a flat rate charging policy. Besides the degree of difficulty in deriving appropriate charging policies agreeable to the concerned parties, there are substantial technical challenges in coming up with a good usage-based accounting system. Usage-based accounting that depends on IP packet header information only is no longer sufficient due to the highly dynamic nature of the development and use of Internet applications such as peer-to-peer and network games. They use port numbers dynamically, and several applications can even use the same port number. Thus, more precise means of classifying them and accounting for their traffic usage are required. In this paper, we propose a high performance, adaptable, configurable, and scalable content-aware application traffic measurement and analysis system which can achieve very accurate usage-based accounting.
Constraint-aware resource synchronization across hyper-distributed learning systems In one embodiment, a device in a network receives data indicative of a target state for one or more distributed learning agents in the network. The device determines a difference between the target state and state information maintained by the device regarding the one or more distributed learning agents. The device calculates a synchronization penalty score for each of the one or more distributed learning agents. The device selects a particular one of the one or more distributed learning agents with which to synchronize, based on the synchronization penalty score for the selected distributed learning agent and on the determined difference between the target state and the state information regarding the selected distributed learning agent. The device initiates synchronization of the state information maintained by the device regarding the selected distributed learning agent with state information from the selected distributed learning agent.
Compuware Corporation v. Opnet Technologies Inc.
Communications flow analysis In one implementation, a communications flow analysis system determines whether a communications flow between a source and a destination should be retained. If the communications flow should be retained, the communications flow analysis system injects an extraneous data set into the communications flow in response to determining that the communications flow should be retained.
Communication system A communication system includes data generation units that generate data and a plurality of data evaluation units physically separated from the data generation units and connected to the data generation units via a non-proprietary network. The data evaluation units evaluate data transmitted by the communication system, which includes a hardware abstraction layer that represents a data evaluation unit as a resource that includes a property
Cognitive offense analysis using enriched graphs An automated method for processing security events begins upon receipt of information representing an offense. Based in part on context data extracted from the offense, an offense context graph is built. The offense context graph comprises nodes and edges, with an edge therein representing a relationship between a pair of nodes, at least one of the nodes being a root node representing an entity associated with the offense. The method then continues by mining information about other events that are determined to share a local contextual relationship with the offense represented by the offense context graph. This operation generates an enriched offense context graph. The enriched offense context graph is then pruned to identify an offense context for further examination. Pruning may involve applying a metric to events associated with the offense and removing nodes that, based on evaluation of the metric, do not contribute to the offense.
Cognitive offense analysis using contextual data and knowledge graphs An automated method for processing security events in association with a cybersecurity knowledge graph. The method begins upon receipt of information from a security system representing an offense. An initial offense context graph is built based in part on context data about the offense. The graph also includes activity nodes connected to a root node; at least one activity node includes an observable. The root node and its one or more activity nodes represent a context for the offense. The knowledge graph, and potentially other data sources, are then explored to further refine the initial graph to generate a refined graph that is then provided to an analyst for further review and analysis. Knowledge graph exploration involves locating the observables and their connections in the knowledge graph, determining that they are associated with known malicious entities, and then building subgraphs that are then merged into the initial graph.
Closed loop control for fixing network configuration issues to aid in device classification In one embodiment, a device receives traffic telemetry data captured by a plurality of networks and used by device classification services in the networks to classify endpoints in the networks with device types. The device compares the telemetry data from a particular one of the networks to the telemetry data from the other networks to identify one or more traffic characteristics that are missing from the telemetry data for one or more endpoints of the particular network. The device identifies a networking entity in the particular network that is common to the one or more endpoints for which the one or more characteristics are missing. The device determines a configuration change for the networking entity by comparing a current configuration of the entity to those of one or more entities in the other networks. The device initiates implementation of the determined configuration change for the entity in the particular network.
Client-side application-classifier gathering network-traffic statistics and application and user names using extensible-service provider plugin for policy-based network control Low-level network services are provided by network-service-provider plugins. These plugins are controlled by an extensible service provider that is layered above the TCP or other protocol layer but below the Winsock-2 library and API. Policy servers determine priority of network traffic through control points on a network. Examining packets passing through these control points provides limited data such as the source and destination IP address and TCP ports. Many applications on a client machine may use the same IP address and TCP ports, so packet examination is ineffective for prioritizing data from different applications on one client machine. Often some applications such as videoconferencing or data-entry for corporate sales are more important than other applications such as web browsing. An application-classifier plugin to the extensible service provider intercepts network traffic above the client's TCP/IP stack and associates applications and users with network packets. These associations and statistics such as maximum, average, and instantaneous data rates and start and stop time are consolidated into tables. The policy server can query these tables to find which application is generating network traffic and prioritize the traffic based on the high-level application. Bandwidth-hogging applications such as browsers can be identified from the statistics and given lower priority.
Client reputation driven role-based access control The present disclosure discloses a system and method for dynamically modifying role based access control for a client based on the activity. Generally, a client device is granted access to a network resource based on a first reputation score assigned to the client device. The activity of the client device is monitored. Responsive to monitoring the activity of the client device, a second reputation score is determined for the client device based on the activity. The access by the client device to the network resource is then modified to be granted based on the second reputation score.
Classifying Network Traffic Using NBAR – Cisco Classifying Network Traffic Using NBAR First Published: April 4, 2006 Last Updated: May 7, 2007 Network-Based Application Recognition (NBAR) is a classification engine that recognizes and classifies a wide variety of protocols and applications. When NBAR recognizes and classifies a protocol or application, the network can be configured to apply the appropriate quality of service (QoS) for that application or traffic with that protocol. This module contains overview information about classifying network traffic using NBAR. The processes for configuring NBAR are documented in separate modules. Note This module includes information for both NBAR and Distributed Network-Based Application Recognition (dNBAR). dNBAR is NBAR used on the Cisco 7500 router with a Versatile Interface Processor (VIP) and on the Catalyst 6000 family of switches with a FlexWAN module. The implementation of NBAR and dNBAR is identical. Therefore, unless otherwise noted, the term NBAR is used throughout this module to describe both NBAR and dNBAR. The term dNBAR is used only when applicable. Contents: • Prerequisites for Using NBAR • Restrictions for Using NBAR • Information About Using NBAR • Where to Go Next • Additional References • Glossary
Classification of IoT devices based on their network traffic In one embodiment, a traffic analysis service obtains telemetry data regarding network traffic associated with a device in a network. The traffic analysis service forms a histogram of frequencies of the traffic features from the telemetry data for the device. The traffic features are indicative of endpoints with which the device communicated. The traffic analysis service associates a device type with the device, by comparing the histogram of the traffic features from the telemetry data to histograms of traffic features associated with other devices. The traffic analysis service initiates, based on the device type associated with the device, an adjustment to treatment of the traffic associated with the device by the network.
Cipher rule feedback Embodiments are directed towards managing network communication. A TMC may be arranged to receive network traffic that includes cipher negotiation information from a client computer. The TMC may receive other network traffic from a server computer that may include server cipher negotiation information. The TMC provides negotiation data that may correspond to the client cipher negotiation information and other negotiation data that may correspond to the server cipher negotiation information. The TMC may store the negotiation data and the other negotiation data in a data store. Then the TMC may send the server cipher negotiation information to at least the client computer. If a query is received from a query client, the TMC may provide result set information based on the stored negotiation data and the other negotiation data in the data store. The TMC may send reporting information based on the result set information to the query client.
Characterizing unique network flow sessions for network security A technique to identify and distinguish flow sessions begins by capturing a flow record indicating an initiation of a network flow. A unique session identifier associated with the captured flow record is computed by applying a given function over data comprising a set of information (e.g., a tuple) captured in the flow record, together with a time value associated with a collection interval having a start time. The given function may be a hash function. The unique session identifier is associated with one or more additional network flows captured during the collection interval, e.g., from another network flow device that computes the same identifier for at least a second flow record captured during the collection interval. In one embodiment, the flow records are captured by distinct data collectors and comprise portions of a same flow session. The distinct data collectors may utilize the same or different flow record types or protocols.
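The following is an added Python example, not code from the patent above, showing how two collectors that export different record types (NetFlow v5 and IPFIX field names are used for the normalizers) can compute the same session identifier by hashing a flow tuple together with the start time of the collection interval. The 300-second interval length, the SHA-256 choice, the endpoint ordering that maps both directions of a session to one key, and all sample records are assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass

# Assumed collection interval length; the abstract fixes only that an interval
# has a start time, not its length.
INTERVAL_SECONDS = 300


@dataclass(frozen=True)
class FlowKey:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int


def canonical_key(key: FlowKey) -> FlowKey:
    """Order the two endpoints so both directions of one session share a key.

    Assumption: a collector on the far side may record the reverse direction;
    the abstract only says 'a tuple', so this normalization is ours.
    """
    a = (key.src_ip, key.src_port)
    b = (key.dst_ip, key.dst_port)
    if a <= b:
        return key
    return FlowKey(key.dst_ip, key.dst_port, key.src_ip, key.src_port, key.proto)


def interval_start(timestamp: float, interval: int = INTERVAL_SECONDS) -> int:
    """Start time (epoch seconds) of the collection interval containing timestamp."""
    t = int(timestamp)
    return t - (t % interval)


def session_id(key: FlowKey, first_seen: float, interval: int = INTERVAL_SECONDS) -> str:
    """Hash of the canonical tuple plus the interval start time (the 'given function')."""
    k = canonical_key(key)
    material = "|".join(
        [k.src_ip, str(k.src_port), k.dst_ip, str(k.dst_port), str(k.proto),
         str(interval_start(first_seen, interval))]
    ).encode()
    return hashlib.sha256(material).hexdigest()[:32]


# Two collectors exporting different record types (field names follow NetFlow v5
# and IPFIX information elements, respectively).
def key_from_netflow_v5(rec: dict) -> FlowKey:
    return FlowKey(rec["srcaddr"], rec["srcport"], rec["dstaddr"], rec["dstport"], rec["prot"])


def key_from_ipfix(rec: dict) -> FlowKey:
    return FlowKey(rec["sourceIPv4Address"], rec["sourceTransportPort"],
                   rec["destinationIPv4Address"], rec["destinationTransportPort"],
                   rec["protocolIdentifier"])


def correlate(records):
    """Group (collector, FlowKey, first_seen) observations by session identifier."""
    sessions = {}
    for collector, key, first_seen in records:
        sessions.setdefault(session_id(key, first_seen), []).append(collector)
    return sessions


# Constructed sample records: one TLS session seen by an edge router (NetFlow v5,
# client -> server) and by a data-centre probe (IPFIX, server -> client) within
# the same interval, plus the same 5-tuple reused in the next interval.
NETFLOW_RECORD = {"srcaddr": "10.1.2.3", "srcport": 51234,
                  "dstaddr": "203.0.113.9", "dstport": 443, "prot": 6}
IPFIX_RECORD = {"sourceIPv4Address": "203.0.113.9", "sourceTransportPort": 443,
                "destinationIPv4Address": "10.1.2.3", "destinationTransportPort": 51234,
                "protocolIdentifier": 6}
SAMPLE = [
    ("edge-router", key_from_netflow_v5(NETFLOW_RECORD), 1700000110),
    ("dc-probe", key_from_ipfix(IPFIX_RECORD), 1700000250),
    ("edge-router", key_from_netflow_v5(NETFLOW_RECORD), 1700000410),
]


def demo():
    return correlate(SAMPLE)


if __name__ == "__main__":
    for sid, collectors in demo().items():
        print(sid, collectors)
```

The first two records land in the same session because their canonical tuple and interval start agree; the third is the same 5-tuple in the next interval and therefore gets a different identifier. Collectors must use synchronized clocks and the same interval boundaries, or a flow straddling an interval edge will be split between two identifiers.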
Centralized predictive routing using delay predictability measurements In one embodiment, a central device receives a routing strategy instruction that specifies a predictability threshold for communication delays in the network. The device estimates communication delays for a plurality of paths in the network and determines predictability measurements for the estimated delays. The device also selects, from among the plurality of paths, a particular path that has a predictability measurement that satisfies the predictability threshold and has a minimal estimated delay. The central device further installs the particular path at one or more other devices in the network.
Cellular traffic monitoring and charging using application detection rules A cellular traffic monitoring system includes: a traffic detection function (TDF) module to monitor cellular traffic associated with a cellular subscriber device, and to generate detection output which includes at least one of: a type of an application associated with the cellular traffic of the cellular subscriber device, and a type of the cellular traffic of the cellular subscriber device. The cellular traffic monitoring system further includes a policy charging and enforcement function (PCEF) module to enforce one or more charging rules to the cellular subscriber device, based on the detection output.
Cascade-based classification of network devices using multi-scale bags of network words In one embodiment, a device classification service extracts, for each of a plurality of time windows, one or more sets of traffic features of network traffic in a network from traffic telemetry data captured by the network. The service represents, for the time windows, the extracted one or more sets of traffic features as feature vectors. A feature vector for a time window indicates whether each of the traffic features was present in the network traffic during that window. The service trains, using a training dataset based on the feature vectors, a cascade of machine learning classifiers to label devices with device types. The service uses the classifiers to label a particular device in the network with a device type based on the traffic features of network traffic associated with that device. The service initiates enforcement of a network policy regarding the device based on its device type.
Canary release validation mechanisms for a containerized application or service mesh Systems and methods provide for validating a canary release of containers in a containerized production environment. A first container of the containerized production environment can receive network traffic. The first container can transmit the network traffic to a first version of a second container of the containerized production environment and to a traffic analysis engine. First metrics relating to processing by the first version of the second container can be captured. The traffic analysis engine can determine one or more traffic patterns included in the network traffic. The traffic analysis engine can cause simulated network traffic corresponding to the one or more traffic patterns to be transmitted to a second version (e.g., a canary release) of the containerized production environment. Second metrics relating to processing by the second version of the second container can be captured. A comparison between the first metrics and the second metrics can be presented.
Calculating latency in computer networks In one implementation, data is communicated along a communications route in a network. A mediatrace request is generated for the communications route. Responses to the mediatrace request are received from along the communications route. The hop-by-hop latency is passively measured, from the responses, with one-way delay along the communications route in the network.
Bridge mode firewall mobility Mobility of firewall rules for clients moving among bridge AP nodes in a wireless network. APs operate in bridge mode. A wireless client C is associated with a first AP. As part of that association, the first AP establishes and maintains personal firewall rules and state for client C. When wireless client C associates with a second AP in the L2 domain, the second AP sends a session request to other APs. This may be in the form of a multicast message. Optionally, the second AP may send a unicast message to the first AP indicating that client C has associated with the second AP. APs receiving the multicast session request message for client C check their tables to see if they have stored firewall or other state for client C. APs having stored firewall or other state for client C send session response messages to the second AP containing stored firewall sessions and other state for client C. When the second AP receives a session response, it sends an acknowledgement to the AP which sent the response. When the AP, such as the first AP, receives the acknowledgement, it may remove all stored state for client C. If the second AP receives session response messages for client C from multiple APs, it acknowledges each, and creates session entries and state using the oldest rules in the session response messages. Flags may be logically ORed together.
Bounce diagram: a user interface for graphical exploration of packet trace information A user interface for a protocol analyzer or similar network management software product provides a graphical representation of the behavior of packets in a packet trace with respect to time, graphically showing a transmission time, source node and destination node. In a preferred implementation, the user interface, called a
BlindBox: Deep Packet Inspection over Encrypted Traffic Many network middleboxes perform deep packet inspection (DPI), a set of useful tasks which examine packet payloads. These tasks include intrusion detection (IDS), exfiltration detection, and parental filtering. However, a long-standing issue is that once packets are sent over HTTPS, middleboxes can no longer accomplish their tasks because the payloads are encrypted. Hence, one is faced with the choice of only one of two desirable properties: the functionality of middleboxes and the privacy of encryption. We propose BlindBox, the first system that simultaneously provides both of these properties. The approach of BlindBox is to perform the deep-packet inspection directly on the encrypted traffic. BlindBox realizes this approach through a new protocol and new encryption schemes. We demonstrate that BlindBox enables applications such as IDS, exfiltration detection and parental filtering, and supports real rulesets from both open-source and industrial DPI systems. We implemented BlindBox and showed that it is practical for settings with long-lived HTTPS connections. Moreover, its core encryption scheme is 3-6 orders of magnitude faster than existing relevant cryptographic schemes.
Autonomous performance probing A method, device, and computer-readable medium are disclosed for automatically activating a probe configured to generate test network traffic in response to evaluating a policy that accounts for aggregated information that describes traffic that was processed by a network device. The method includes storing a policy, and evaluating the policy based at least in part on an item of received aggregated information that describes a set of packets that were processed by the network device and sent or received on a network. The probe is activated at least partially in response to evaluating the policy. The probe generates test packets to emulate one or more applications, services, or devices communicating on the network.
Automation and programmability for software defined networking systems System, method, and computer program product to orchestrate software defined networking (SDN) applications, by providing a plurality of network elements in a network, each network element comprising a plurality of ingress interfaces, a plurality of egress interfaces, and a routing information base (RIB), providing, to an SDN application, an application program interface (API) to abstract properties and events of: (i) the ingress interfaces, (ii) the egress interfaces, and (iii) the RIB of a specified network element, receiving a request from the SDN application to apply a function to the specified network element, the function specifying to modify: (i) a preprocessing operation on a data packet, (ii) the RIB, (iii) a post processing operation on the data packet, and (iv) the properties of the ingress interfaces, egress interfaces, and RIBs of the specified network element, and applying the function to the specified network element through the API.
Automatically detecting authorized remote administration sessions in a network monitoring system In one embodiment, a service receives data regarding administration traffic in a network associated with a remote administration session in which a control device remotely administers a client device. The service analyzes the received data to determine whether the administration traffic is authorized. The service flags the received data as authorized, based on the analysis of the received data. The service uses the data flagged as authorized to distinguish between benign traffic and malicious traffic in the network.
Automatic tiered services based on network conditions A traffic selector table for a network switch is populated with one or more entries that each identifies a tiered service. A traffic flow that matches an entry in the table is identified by the switch. The matched traffic flow is redirected to an intrusion prevention device to determine whether the traffic presents a threat to the network. The switch detects a condition in network traffic flowing through the switch. The traffic selector table is dynamically modified in response to the detected condition.
Automatic retraining of machine learning models to detect DDoS attacks In one embodiment, a device in a network receives an attack mitigation request regarding traffic in the network. The device causes an assessment of the traffic, in response to the attack mitigation request. The device determines that an attack detector associated with the attack mitigation request incorrectly assessed the traffic, based on the assessment of the traffic. The device causes an update to an attack detection model of the attack detector, in response to determining that the attack detector incorrectly assessed the traffic.
Automated individualized network security controls for internet of things (IoT) devices A method, apparatus and computer program product for protecting enterprise Information Technology (IT) infrastructures by automatically instantiating individualized network flow controls and/or network access controls specific to an IoT device. In this approach, an IoT device is identified, e.g., via network scanning or other observational sensors, or by receipt of information from a network administrator. In response to receiving information about the new IoT device, a control component obtains applicable network flow control and/or access control rules for the IoT device. These rules are obtained from one or more authoritative (trusted) sources, e.g., querying a website of the IoT vendor, an industry site, or an enterprise site. In this manner, applicable network flow control and/or access control rules are obtained. The control component then translates those rules into configuration parameters that are consumable by the particular network flow control device that is (or will be) associated with the IoT device.
Architecture for routing and IPSec integration The invention is directed towards routing a packet using both IPSec and common routing protocols within dynamic network topologies in a VPN. The routing of IPSec packets employs Open System Interconnection (OSI) layer three information. In one embodiment, a tree mechanism is used for looking up layer three information that may be associated with a protected subnetwork. When a packet is identified as being associated with a protected subnetwork, the packet may be encrypted and encapsulated, including the original destination and source IP address header information within another packet employing the IP Encapsulating Security Payload (ESP) protocol. New source and destination IP addresses are provided for the new packet using IP addresses associated with an entry gateway and an exit gateway to the VPN. The new packet may then be routed through the VPN using traditional routing protocols.
Application Performance Measurement MIB This memo defines a portion of the Management Information Base (MIB) for use with network management protocols in TCP/IP-based internets. In particular, it defines objects for measuring the application performance as experienced by end-users.
Application Performance Measurement Framework Transport Performance Metrics MIB This memo defines an experimental portion of the Management Information Base (MIB) for use with network management protocols in the Internet community. In particular, it describes managed objects used for monitoring selectable performance metrics and statistics derived from the monitoring of network packets and transport protocol states.
Application of services in a packet switching device A service is applied in a packet switching device to both directions of a flow of packets through the packet switching device, with the application of this Layer-4 to Layer-7 service to one direction requiring state information shared from the application of the service to packets traversing in the other direction. The service (e.g., firewall, network address translation) can be applied by different processing complexes which do not share memory; thus, state information is communicated between the processing complexes. When the service is applied by a single processing complex, packets can be directed explicitly to the single processing complex. The inline application of services in a packet switching system typically eliminates the need to change a packet's path through the packet switching system to that through a dedicated application server, and may eliminate the need for a dedicated services card or blade server.
Application identifier in service function chain metadata This disclosure pertains to augmenting metadata of a packet destined for service function chaining with application identifier information. The application identifier information can be added to the metadata of a packet service header (or, more specifically, a network service header). The packet can be exported to a statistics collector that can correlate statistical information about the application with statistical information about service functions applied to the packet, as well as other statistical information.
Application based data traffic routing using network tunneling Various implementations described herein relate to routing network data traffic using network tunnels. In some implementations, one or more tunnels are established between a remote gateway device and a central gateway system. The remote gateway device can receive data traffic from one or more client devices and analyze the data traffic. Based at least in part on the resulting analysis, the remote gateway device identifies an application or an application type associated with the data traffic. The remote gateway device can select one or more tunnels, from the one or more tunnels, based at least in part on the identification of the application or the application type associated with the data traffic. Eventually, the remote gateway device can route the data traffic to the central gateway system using the one or more selected tunnels.
Apparatus and method for detecting network attack There are provided a network attack detection apparatus and method capable of detecting even unknown network attacks, the apparatus being connected between two networks or connected by port mirroring of an Ethernet switch to monitor in real time all packets flowing through the networks. The apparatus decodes the payload portion of an input network packet into machine code instructions, determines whether executable code is included in the decoded machine code by analyzing the relationships between instructions, and, when executable code is included, determines whether the packet is harmful based on statistics on the probability that executable code exists in a service and in a particular transaction of that service.
Anomaly selection using distance metric-based diversity and relevance In one embodiment, a device in a network receives a notification of a particular anomaly detected by a distributed learning agent in the network that executes a machine learning-based anomaly detector to analyze traffic in the network. The device computes one or more distance scores between the particular anomaly and one or more previously detected anomalies. The device also computes one or more relevance scores for the one or more previously detected anomalies. The device determines a reporting score for the particular anomaly based on the one or more distance scores and on the one or more relevance scores. The device reports the particular anomaly to a user interface based on the determined reporting score.
Anomaly detection in a network coupling state information with machine learning outputs In one embodiment, a device in a network receives an output of an anomaly detection model. The device receives state information surrounding the output of the anomaly detection model. The device determines whether the state information supports the output of the anomaly detection model. The device causes the anomaly detection model to be adjusted based on a determination that the state information does not support the output of the anomaly detection model.
Analyzing encrypted traffic behavior using contextual traffic data In one embodiment, a device in a network detects an encrypted traffic flow associated with a client in the network. The device captures contextual traffic data regarding the encrypted traffic flow from one or more unencrypted packets associated with the client. The device performs a classification of the encrypted traffic flow by using the contextual traffic data as input to a machine learning-based classifier. The device generates an alert based on the classification of the encrypted traffic flow.
AG Group – products/etherpeek
Affectedness scoring engine for cyber threat intelligence services A network-accessible cyber-threat security analytics service is configured to characterize and respond to a description that includes threat indicators /e.g., IOCs/, and an initial severity. Enterprises register with the service by providing identifying information, such as industry, geographies, and the like. For each threat indicator, a query is sent to each of a set of one or more security knowledge bases, and at least some of the queries are scoped by the enterprise industry/geo information specified. The knowledge bases may vary but typically include: a managed security service, a cyber threat intelligence service, and a federated search engine that searches across one or more enterprise-connected data sources. Responses to the queries are collected. A response provides an indication whether the threat indicator identified in the query has been sighted in the knowledge base and the frequency. The system then adjusts the initial severity to reflect the indications returned from querying the security knowledge bases.
Adaptive sampling to build accurate application throughput models In one embodiment, a node in a network reports, to a supervisory service, histograms of application-specific throughput metrics measured from the network. The node receives, from the supervisory service, a merged histogram of application-specific throughput metrics. The supervisory service generated the merged histogram based on a plurality of histograms reported to the supervisory service by a plurality of nodes. The node performs, using the merged histogram, application throughput anomaly detection on traffic in the network. The node causes performance of a mitigation action in the network when an application throughput anomaly is detected. The node adjusts, based on a control command sent by the supervisory service, a histogram reporting strategy used by the node to report the histograms of application-specific throughput metrics to the supervisory service.
Adaptive progressive download Data packets to be transferred over a network as part of a temporally ordered content stream are obtained by an adaptive progressive download /APD/ server. The APD server divides the data packets of the content stream into epochs of contiguous data, the epochs including a current epoch. The APD server determines a bit rate available on the network for transferring the current epoch and calculates an estimate of a playback time of the content stream buffered at a computer to which the content stream is being transferred and played back. The calculation of the estimate is based at least in part on the bit rate available on the network and an encoding bit rate of the content stream. The APD server controls the transfer of the content stream over the network in accordance with the estimated playback time.
Adaptive object modeling and differential data ingestion for machine learning A machine learning (ML)-based technique for user behavior analysis that detects when users deviate from expected behavior. A ML model is trained using training data derived from activity data from a first set of users. The model is refined in a computationally-efficient manner by identifying a second set of users that constitute a "watch list." At a given time
Adaptive capture of packet traces based on user feedback learning In one embodiment, a node in a network detects an anomaly in the network based on a result of a machine learning-based anomaly detector analyzing network traffic. The node determines a packet capture policy for the anomaly by applying a machine learning-based classifier to the result of the anomaly detector. The node selects a set of packets from the analyzed traffic based on the packet capture policy. The node stores the selected set of packets for the detected anomaly.
Active network defense system and method An active network defense system is provided that is operable to monitor and block traffic in an automated fashion. This active network defense system is placed in-line with respect to the packet traffic data flow as a part of the network infrastructure. In this configuration, inspection and manipulation of every passing packet is possible. An algorithmic filtering operation applies statistical threshold filtering to the data flow in order to identify threats existing across multiple sessions. A trigger filtering operation applies header and content match filtering to the data flow in order to identify threats existing within individual sessions. Threatening packet traffic is blocked and threatening sessions are terminated. Suspicious traffic is extracted from the data flow for further examination with more comprehensive content matching as well as asset risk analysis. A flow control mechanism is provided to control passage rate for packets passing through the data flow.
Active learning for interactive labeling of new device types based on limited feedback In one embodiment, a device clusters traffic feature vectors for a plurality of endpoints in a network into a set of clusters. Each traffic feature vector comprises traffic telemetry data captured for one of the endpoints. The device selects one of the clusters for labeling, based in part on contextual data associated with the clusters that was not used to form the clusters. The device obtains a device type label for the selected cluster by providing data regarding the selected cluster and the contextual data associated with that cluster to a user interface. The device provides the device type label and the traffic feature vectors associated with the selected cluster for training a machine learning-based device type classifier.
Accurate, scalable in-network identification of p2p traffic using application signatures The ability to accurately identify the network traffic associated with different P2P applications is important to a broad range of network operations including application-specific traffic engineering, capacity planning, provisioning, service differentiation, etc. However, traditional traffic to higher-level application mapping techniques such as default server TCP or UDP network-port based disambiguation is highly inaccurate for some P2P applications. In this paper, we provide an efficient approach for identifying the P2P application traffic through application level signatures. We first identify the application level signatures by examining some available documentation, and packet-level traces. We then utilize the identified signatures to develop online filters that can efficiently and accurately track the P2P traffic even on high-speed network links. We examine the performance of our application-level identification approach using five popular P2P protocols. Our measurements show that our technique achieves less than 5% false positive and false negative ratios in most cases. We also show that our approach only requires the examination of the very first few packets (less than 10 packets) to identify a P2P connection, which makes our approach highly scalable. Our technique can significantly improve the P2P traffic volume estimates over what pure network port based approaches provide. For instance, we were able to identify 3 times as much traffic for the popular Kazaa P2P protocol, compared to the traditional port-based approach.
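An added Python example (not code from the paper above) of the kind of online filter the abstract describes: it inspects only the first packets of each flow for an application-level signature, stops inspecting once a flow is decided, and compares the resulting per-application byte counts with what a port-based classifier would report. The signatures are illustrative ones taken from public protocol documentation, not the paper's signature set; the packet-count cutoff of 10, the port table, and all sample packets are constructed for the example.

```python
import re

MAX_PACKETS = 10  # the paper needs fewer than 10 packets; give up on a flow after this many

# Illustrative signatures assembled from public protocol documentation. The
# paper's own signature set is not reproduced on this page.
SIGNATURES = {
    "bittorrent": re.compile(rb"^\x13BitTorrent protocol"),
    "gnutella": re.compile(rb"^GNUTELLA (CONNECT/|OK)|^GNUTELLA/0\.6 200 OK"),
    # eDonkey: 0xE3 marker, 4-byte little-endian length, opcode 0x01 (login request)
    "edonkey": re.compile(rb"^\xe3.{4}\x01", re.DOTALL),
    # Kazaa (FastTrack) speaks HTTP-like messages carrying X-Kazaa-* headers
    "kazaa": re.compile(rb"^(GET|HTTP/1\.[01]).*?\r\nX-Kazaa-", re.DOTALL),
}

# Default ports for the port-based baseline the paper compares against (assumed table).
P2P_PORTS = {6881: "bittorrent", 6346: "gnutella", 6347: "gnutella",
             4661: "edonkey", 4662: "edonkey", 1214: "kazaa"}


def port_based(flow) -> str:
    """Traditional classification: look only at the well-known port."""
    _src_ip, src_port, _dst_ip, dst_port, _proto = flow
    return P2P_PORTS.get(dst_port) or P2P_PORTS.get(src_port) or "unknown"


class SignatureClassifier:
    """Online filter: inspect the first packets of each flow, then stop."""

    def __init__(self, max_packets: int = MAX_PACKETS):
        self.max_packets = max_packets
        self.flows = {}  # flow tuple -> {"n": packets inspected, "label": decision or None}

    def observe(self, flow, payload: bytes) -> str:
        st = self.flows.setdefault(flow, {"n": 0, "label": None})
        if st["label"] is not None:
            return st["label"]  # decided earlier; no further payload inspection
        st["n"] += 1
        head = payload[:256]  # signatures sit at the start of the payload
        for name, rx in SIGNATURES.items():
            if rx.search(head):
                st["label"] = name
                return name
        if st["n"] >= self.max_packets:
            st["label"] = "unknown"  # gave up: treated as non-P2P from now on
            return "unknown"
        return "undecided"


def volume_by_method(packets):
    """Bytes attributed to each label by the signature filter and by ports.

    packets: iterable of (flow, payload). Returns (signature_totals, port_totals).
    Flow bytes are tallied once the flow's final label is known.
    """
    clf = SignatureClassifier()
    per_flow_bytes = {}
    for flow, payload in packets:
        clf.observe(flow, payload)
        per_flow_bytes[flow] = per_flow_bytes.get(flow, 0) + len(payload)
    sig_totals, port_totals = {}, {}
    for flow, nbytes in per_flow_bytes.items():
        label = clf.flows[flow]["label"] or "undecided"
        sig_totals[label] = sig_totals.get(label, 0) + nbytes
        plabel = port_based(flow)
        port_totals[plabel] = port_totals.get(plabel, 0) + nbytes
    return sig_totals, port_totals


# Constructed sample traffic: a BitTorrent handshake hidden on port 443, a Kazaa
# request on its default port, and a plain HTTP flow that never matches.
BT_FLOW = ("10.0.0.5", 51234, "203.0.113.9", 443, 6)
KAZAA_FLOW = ("10.0.0.7", 40001, "198.51.100.4", 1214, 6)
HTTP_FLOW = ("10.0.0.9", 40002, "192.0.2.10", 80, 6)
BT_HANDSHAKE = b"\x13BitTorrent protocol" + b"\x00" * 8 + b"H" * 20 + b"-AZ2060-ABCDEFGHIJKL"
KAZAA_REQ = b"GET /.hash=abc HTTP/1.1\r\nHost: 198.51.100.4:1214\r\nX-Kazaa-Username: anon\r\n\r\n"
HTTP_REQ = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
SAMPLE_PACKETS = [(BT_FLOW, BT_HANDSHAKE), (KAZAA_FLOW, KAZAA_REQ)] + [(HTTP_FLOW, HTTP_REQ)] * 12


def demo():
    return volume_by_method(SAMPLE_PACKETS)


if __name__ == "__main__":
    print(demo())
```

The BitTorrent flow on port 443 is invisible to the port-based count but attributed correctly by the signature filter, which is the volume-estimation gap the abstract reports. Because a flow is decided on its first matching packet and never re-examined, the per-packet cost on a high-speed link is bounded by the cutoff rather than by flow length.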
About the Optimal Internet Monitor 2.0
A Tuning Method of a Monitoring System for Network Forensics in Cloud Environment A software-based monitoring system is required for choosing monitor points flexibly in cloud network forensics. Especially, in the mission-critical network, since system halt cannot be allowed, the infected system must remove malware analyzing existing attack patterns and estimating potential attack scenarios. It requires full capture for reconstructing the attack behavior. In this research, we realize a software-based full capture monitoring system. First, Linux and libpcap packet capture procedure are investigated, and it is clarified that the packet losses occur depending on ingress throughput, the read stop time, the number of blocks and the block size of the ring buffer. We proposed a tuning method using those parameters for loss-less capturing and confirmed the proposed method can establish loss-less property.
A Rule Status Monitoring Algorithm for Rule-Based Intrusion Detection and Prevention Systems Since the time of Denning's model for the intrusion detection system (IDS), the system that laid the basis for most modern IDSes, intrusion detection technologies have grown in both complexity and sophistication. Yet challenges related to accuracy, management, and the detection of new attacks abound. This work focuses on the management issue. Specifically, it addresses the problem of determining the enabled and disabled states of rules in a rule-based IDS. Knowing the state of a rule in this regard is important because a rule-based IDS can detect a particular event only if it has a rule to detect that event and that rule is enabled. This work develops an algorithm to monitor the enabled/disabled state of rules of a signature based IDS. Given a particular action that a rule would execute when invoked, the algorithm proceeds as follows: (1) it searches through each of the rule sets (sets of rules having similar characteristics) for rules bearing the given action, (2) for each such rule, it determines whether that rule is enabled or disabled, and (3) for each rule set, it reports the total number of enabled and disabled rules, and creates two files containing the line numbers from the rule set where each enabled and disabled rule, respectively, could be found. The algorithm is implemented in Python and is run against Snort as a test case. Statistical results were obtained and the following are some of the findings: (a) the vast majority of rules are inactive by default, (b) of all the actions that could be taken when a rule is invoked, the ALERT action far outpaced its counterparts, and (c) from the rule versions that were examined, it was found that the number of rules is growing significantly.
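An added Python example, written for this page rather than taken from the paper above, implementing the three steps of the rule status algorithm over Snort-syntax rule sets: find rules bearing a given action, decide whether each is enabled or commented out, and report per-set totals with the line numbers of each group. In-memory lists stand in for the two output files the paper writes; the rule sets are constructed samples, not a Snort distribution.

```python
import re
from dataclasses import dataclass, field

# Snort rule actions; a disabled rule is the same line with a leading '#'.
ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop")
RULE_HEADER = re.compile(
    r"^\s*(?P<disabled>#\s*)?(?P<action>" + "|".join(ACTIONS) + r")\s+"
    r"\S+\s+\S+\s+\S+\s+(->|<>)\s+\S+\s+\S+"  # proto src sport dir dst dport
)


@dataclass
class RuleSetReport:
    name: str
    action: str
    enabled_lines: list = field(default_factory=list)   # stands in for the 'enabled' file
    disabled_lines: list = field(default_factory=list)  # stands in for the 'disabled' file

    @property
    def enabled(self) -> int:
        return len(self.enabled_lines)

    @property
    def disabled(self) -> int:
        return len(self.disabled_lines)


def scan_rule_set(name: str, text: str, action: str = "alert") -> RuleSetReport:
    """Step 2: classify every rule with the given action in one rule set."""
    report = RuleSetReport(name, action)
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = RULE_HEADER.match(line)
        if not m or m.group("action") != action:
            continue  # blank lines, ordinary comments, and rules with other actions
        target = report.disabled_lines if m.group("disabled") else report.enabled_lines
        target.append(lineno)
    return report


def monitor(rule_sets: dict, action: str = "alert") -> dict:
    """Steps 1 and 3: walk every rule set and report per-set enabled/disabled totals."""
    return {name: scan_rule_set(name, text, action) for name, text in rule_sets.items()}


def inactive_fraction(reports: dict) -> float:
    """Share of rules (for the chosen action) that are disabled across all sets."""
    enabled = sum(r.enabled for r in reports.values())
    disabled = sum(r.disabled for r in reports.values())
    return disabled / (enabled + disabled) if enabled + disabled else 0.0


# Constructed sample rule sets in Snort syntax (not taken from any distribution).
WEB_RULES = """# Constructed sample: web server rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB test one"; sid:9000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB test two"; sid:9000002; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"WEB drop"; sid:9000003; rev:1;)

#alert tcp any any -> any 443 (msg:"WEB test three"; sid:9000004; rev:1;)
"""
DNS_RULES = """alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS test"; sid:9000010; rev:1;)
log udp any any -> any 53 (msg:"DNS log"; sid:9000011; rev:1;)
# alert udp any any -> any 53 (msg:"DNS disabled"; sid:9000012; rev:1;)
"""
RULE_SETS = {"web.rules": WEB_RULES, "dns.rules": DNS_RULES}


def demo(action: str = "alert") -> dict:
    return monitor(RULE_SETS, action)


if __name__ == "__main__":
    reports = demo()
    for name, r in reports.items():
        print(f"{name}: {r.enabled} enabled {r.enabled_lines}, {r.disabled} disabled {r.disabled_lines}")
    print(f"inactive fraction: {inactive_fraction(reports):.2f}")
```

A commented line only counts as a disabled rule when the rest of the line still has the shape of a rule header (protocol, addresses, direction operator), so an ordinary comment such as "# alert on these hosts" is not miscounted. Rules continued over several physical lines with a trailing backslash carry their action on the first line and are still counted once, at that line number.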
5967-4339_HP_Internet_Advisor_Mainframe_Features_Jul98.pdf Introduction to HP Internet Advisor The HP J2300C, J3446C, and J3754C Internet Advisor Family of Products is designed for testing your network needs in combination with available WAN, LAN, ISDN, and ATM Interface Modules or Undercradles. Features are integrated through software. The Advisor Family of Products lets you look at decoded protocol information as it is traveling across a network which lets you identify network problems quickly. The HP Internet Advisor systems consist of various combinations of Mainframes, Interface Modules, Undercradles, and Software to help you: – Connect – Capture – Comprehend.
Zero copy packet buffering using shadow sends
Workgroup Host Application Manager (WHAM) WHAM is a mini-policy management system that enables workgroup managers to see what their users are doing, when and where they’re doing it, and what their actual network performance looks like. It displays trends, allows you to set alarm thresholds, and notifies you of unusual occurrences in your workgroup. For example, you can be notified when any application or user exceeds a certain bandwidth threshold, or when a user’s performance drops below a certain level. You can even be told (via an alert or email) when a user has loaded an unauthorized network hogging application (and you’ll get both the user and application’s name too)!
Wishing for Secure Remote Access Control? Granted!
Wireshark User’s Guide
Wireshark User’s Guide
WildPackets’ Guide to Wireless LAN Analysis
Wireshark Developer’s Guide
WildPackets, Inc. /fka AG Group/ Announces Industry’s First Wireless LAN Packet Analyzer For Cisco Aironet 340 Series PC Cards
Method and System For Controlled Delay of Packet Processing With Multiple Loop Paths (APPLICATION ONLY) A method and system for introducing controlled delay of packet processing at a network entity using multiple delay loop paths (DLPs). For each packet received at the network entity, a determination will be made as to whether or not processing should be delayed. If delay is necessary, one of a plurality of DLPs will be selected according to a desired delay for the packet and a path delay determined for each DLP. Upon completion of a DLP delay, a packet will be returned for processing, an additional delay, or some other action. Multiple DLPs may be enabled with packet queues, and may be used advantageously by security devices, such as Intrusion Prevention Systems (and other packet processing platforms) for which in-order processing of packets may be desired or required.
MANAGEMENT OF CLASSIFICATION FRAMEWORKS TO IDENTIFY APPLICATIONS (APPLICATION ONLY) According to an example, a classification framework to identify an application name may be managed by accessing network flow information collected at a client device by an agent installed on the client device, in which the network flow information is information corresponding to network traffic that is at least one of communicated and received by an application running on the client device, accessing flow features of a plurality of packets that are at least one of communicated and received by the application, and creating training data for a classifier based upon a correlation of the network flow information and the flow features of the plurality of packets.
LEARNING STABLE REPRESENTATIONS OF DEVICES FOR CLUSTERING-BASED DEVICE CLASSIFICATION SYSTEMS (APPLICATION ONLY) In one embodiment, a device classification service obtains telemetry data for a plurality of devices in a network. The device classification service repeatedly assigns the devices to device clusters by applying clustering to the obtained telemetry data. The device classification service determines a measure of stability loss associated with the cluster assignments. The measure of stability loss is based in part on whether a device is repeatedly assigned to the same device cluster. The device classification service determines, based on the measure of stability loss, that the cluster assignments have stabilized. The device classification service obtains device type labels for the device clusters, after determining that the cluster assignments have stabilized.
LEARNING OF MALICIOUS BEHAVIOR VOCABULARY AND THREAT DETECTION THROUGH BEHAVIOR MATCHING (APPLICATION ONLY) In one embodiment, a device obtains input features for a neural network-based model. The device pre-defines a set of neurons of the model to represent known behaviors associated with the input features. The device constrains weights for a plurality of outputs of the model. The device trains the neural network-based model using the constrained weights for the plurality of outputs of the model and by excluding the pre-defined set of neurons from updates during the training.
United States Patent: 10110627 – Adaptive self-optimizing DDoS mitigation A system for mitigating network attacks includes a protected network including a plurality of devices. The system further includes attack mitigation devices communicatively coupled to the protected network. The mitigation devices are configured to receive network data packets from external devices attempting to access protected devices in the protected network. The attack mitigation devices are further configured to periodically analyze effectiveness of each of a plurality of packet analysis sections. Each of the plurality of packet analysis sections includes a plurality of packet analysis instructions and is associated with a counter configured to count the number of packets dropped by a corresponding analysis section. The attack mitigation devices are further configured to disable one or more of the plurality of packet analysis sections responsive to the performed analysis and to analyze the received network data packets by utilizing only the enabled one or more of the plurality of the packet analysis sections.
LEARNING AND ASSESSING DEVICE CLASSIFICATION RULES (APPLICATION ONLY) In various embodiments, a device obtains a set of device classification rules. Each device classification rule specifies one or more attributes from a set of attributes and is configured to assign a device type to an endpoint in a network when the endpoint exhibits the one or more attributes specified by that rule. The device forms a graphical representation of the set of attributes. The device performs an analysis of the graphical representation of the set of attributes. The device provides a result of the analysis to a user interface.
United States Patent: 10044751 – Using recurrent neural networks to defeat DNS denial of service attacks A system for mitigating network attacks is provided. The system includes a protected network including a plurality of devices. The system further includes one or more attack mitigation devices communicatively coupled to the protected network. The attack mitigation devices are configured and operable to employ a recurrent neural network (RNN) to obtain probability information related to a request stream. The request stream may include a plurality of at least one of: HTTP, RTSP and/or DNS messages. The attack mitigation devices are further configured to analyze the obtained probability information to detect one or more atypical requests in the request stream. The attack mitigation services are also configured and operable to perform, in response to detecting one or more atypical requests, mitigation actions on the one or more atypical requests in order to block an attack.
INTELLIGENT WIDE AREA NETWORK (IWAN) (APPLICATION ONLY) In one embodiment, an electronic device maintains one or more tunnel-based overlays for a communication network. The communication network includes two or more physical provider networks. The device maintains a mapping between a particular application and the one or more overlays for the communication network. The device adjusts the mapping between the particular application and the one or more overlays for the communication network. The device causes one or more routers in the communication network to route traffic for the particular application according to the adjusted mapping between the application and the one or more overlays for the communication network.
Integrate Application Intelligence with a Network Device for Application Transaction Visibility and Control (APPLICATION ONLY) The proposed methodology provides an application state machine in a network device, such as a router which may be used to extract application transactions. The extracted transaction data may be provided to another entity for analysis and troubleshooting.
INSTANT NETWORK THREAT DETECTION SYSTEM (APPLICATION ONLY) In one embodiment, a network security service forms, for each of a plurality of malware classes, a feature vector descriptor for the malware class. The service uses the feature vector descriptors for the malware classes and a symmetric mapping function to generate a training dataset having both positively and negatively labeled feature vectors. The service trains, using the training dataset, an instant threat detector to determine whether telemetry data for a particular traffic flow is within a threshold of similarity to a feature vector descriptor for a new malware class that was not part of the plurality of malware classes.
FLASH CLASSIFICATION USING MACHINE LEARNING FOR DEVICE CLASSIFICATION SYSTEMS (APPLICATION ONLY) In various embodiments, a device classification service makes a determination that an endpoint device in a network is eligible for expedited device classification based on a policy. The device classification service obtains, after making the determination that the endpoint device in the network is eligible for expedited device classification, telemetry data regarding the endpoint device generated by actively probing the endpoint device. The device classification service determines whether the telemetry data regarding the endpoint device matches any existing device classification rules. The device classification service generates, based on the telemetry data, a device classification rule that assigns a device type to the endpoint device, when the telemetry data does not match any existing device classification rules.
United States Patent: 9973372 – Method and device for extracting data from a data stream travelling around an IP network In a phase of configuration, a state machine is constructed with states and transitions configured according to at least one type of data to be extracted from a data stream travelling around an IP network. The transitions between states are activated by conditions defined as a function of rules of organization of the data of the stream according to an application layer protocol. One or more states are moreover selected for the extraction of data from the stream. Thereafter, in a phase of real-time analysis of the stream, the stream data arising from IP packets travelling successively around the network are observed. When the state machine is in a current state, a search is conducted as to whether a condition of activation of a transition to a target state is realized by the data observed from the stream, and when such an activation condition is realized, the state machine is toggled into the target state. The data from the stream are extracted when the state machine is in a state selected in the configuration phase.
Firewall Limiting with Third-Party Traffic Classification (APPLICATION ONLY) A PCP-aware firewall or other firewall validating a media session using third-party authorization receives more information than just the results of cryptographic token validation. The intent for each media stream of a media session is received from the Authorization Server. The intent may be used to compare to the received traffic of the media session. If the traffic is different than the intended traffic, then the exception to permit the firewall may be closed.
Exercising Security Control Point (SCP) capabilities on live systems based on internal validation processing (APPLICATION ONLY) A security control point (SCP) that protects a target computing system is tested in-place and while active. The approach is initiated by the SCP receiving and processing one or more “simulated” communication flows. To this end
United States Patent: 9961106 – Filtering legitimate traffic elements from a DoS alert A method for monitoring traffic flow in a network is provided. A network monitoring probe monitors one or more network traffic flow parameters to detect a denial of service attack. In response to detecting the denial of service attack, a first set of data representing the denial of service attack alert is displayed. Filtering criteria are received from a user. The filtering criteria include at least one of the network flow parameters identified as legitimate network traffic. A second set of data is generated and displayed based on the filtering criteria.
United States Patent: 9954761 – Dynamic detection of VPN sites A method for automatically detecting and configuring Virtual Private Network (VPN) sites is provided. A Border Gateway Protocol (BGP) message is received from a Provider Edge (PE) router. The BGP message includes one or more attributes. The VPN site is identified based on the one or more attributes. Such attributes may include extended community attributes.
United States Patent: 9813317 – Self-localizing data distribution network To adaptively self-localize distributed data processing and data distribution and reduce data transfer costs in a network monitoring system, data has a corresponding ownership association. For each data access, an ownership association value for the accessed data may be modified based on whether the access originated with a current owner processing node or a second most-frequently accessing processing node. The ownership association value indicates a strength of the ownership association between the data and the owner and is based on at least a recent history of accesses of the data by the current owner and the second most-frequently accessing node. When the ownership association value traverses a selected cutoff, ownership association of the data is transferred from the current owner to the second most-frequently accessing node. The ownership association transfer contributes to self-localizing data processing based on a source of input regarding the data.
Dynamic QOS Tagging for RTP Packets (APPLICATION ONLY) Improved handling of RTP streams in digital networks. A switching device in a digital network such as a controller, bridge, or access point examines streams flowing through the device. The device monitors the initial UDP packets of a stream until a predetermined number of packets have been monitored. The device monitors and fingerprints the header portion of UDP packets, looking for RTP header bit patterns, ignoring certain RTP packet types, and caching others. This fingerprinting process attempts to match cached packet header information against subsequent packets in the stream to detect RTP streams. If the stream is determined to be an RTP stream, then the RTP type from the packet header is used to tag the stream. In one embodiment, such tags are QoS tags. Tagging may also be based on the control session port used.
United States Patent: 9749340 – System and method to detect and mitigate TCP window attacks A computer system and method for monitoring traffic for determining denial of service attacks in a network. Data packets are monitored which are attempting to access one or more server devices in a protected network. A Transport Control Protocol (TCP) window advertisement value is determined for the data packets. If a detected TCP window advertisement value for monitored packets is determined to be less than a TCP window advertisement threshold value, then a determination is made as to whether the data rate for the packets is less than a data rate threshold value. The monitored packets are determined malicious if the detected window advertisement value is less than the TCP window advertisement threshold value and the determined data rate is less than the data rate threshold value.
United States Patent: 9628510 – System and method for providing data storage redundancy for a protected network A system and method for providing redundancy with remote scrubbing center devices. The system includes an edge detection device and a plurality of scrubbing center devices in a telecommunications network for providing redundant scrubbing center functionality for the edge detection device. The edge detection device maintains a network connection with more than one of the plurality of scrubbing center devices whereby each of the more than one of the plurality of scrubbing center devices sends and receives a synchronization signal with each of the one or more edge detection devices as if it was the only remote scrubbing center device coupled to the edge detection device.
DYNAMIC APPLICATION-AWARE ROUTING TOPOLOGIES (APPLICATION ONLY) In one embodiment, an application flow of traffic may be detected within a computer network, e.g., by a root node, border router, network management server, etc. Thereafter, one or more traffic requirements of the application flow may be determined, and a corresponding routing topology objective function may be established based on the traffic requirements. Accordingly, creation of a specific routing topology based on the objective function may then be initiated for use with the application flow.
DISTRIBUTED NETWORK ANALYTICS (APPLICATION ONLY) In an embodiment, a method comprises receiving, at an analytics engine, from a separate analytics application, an analytics query for data that is potentially available in data streams of networked computing devices; sending, to a distributed network analytics controller, sub-queries based on the analytics query; determining distributed network analytics agents capable of executing each of the sub-queries; sending instructions to the agents to initiate the sub-queries for the data at specified locations; initiating execution of the sub-queries on data streams that are locally available at one of the networked computing devices at which the agents are running; forming summarized data streams and zero or more raw data streams at the networked computing devices having the analytics agents; sending the summarized data streams and the zero or more raw data streams to the analytics engine; wherein the method is performed by computing device(s).
United States Patent: 9584533 – Performance enhancements for finding top traffic patterns A method for network traffic characterization is provided. Flow data records are acquired associated with a security alert signature. Unidimensional traffic clusters are generated based on the acquired data. A Bloom filter is populated with the acquired flow data records. Clusters of interest are identified from the generated unidimensional traffic clusters. The identified clusters of interest are compressed into a compressed set. A determination is made whether a multidimensional processing of the acquired flow data needs to be performed based on a priority associated with the alert signature. A multidimensional lattice corresponding to the unidimensional traffic clusters is generated. The multidimensional lattice is traversed and for each multidimensional node under consideration a determination is made if the Bloom filter contains flow records matching the multidimensional node under consideration. A determination is made if the unidimensional node corresponding to the multidimensional node is included in the compressed set of unidimensional nodes.
Distributed machine learning for anomaly detection (APPLICATION ONLY) A tiered machine learning-based infrastructure comprises a first machine learning (ML) tier configured to execute within an enterprise network environment and that learns statistics for a set of use cases locally, and to alert deviations from the learned distributions. Use cases typically are independent from one another. A second machine learning tier executes external to the enterprise network environment and provides further learning support, e.g., by determining a correlation among multiple independent use cases that are running locally in the first tier. Preferably, the second tier executes in a cloud compute environment for scalability and performance.
United States Patent: 9578046 – Analysis of time series data The systems and methods described herein relate to storing values, such as sketches, that represent time indexed data related to network traffic. The model may be indexed by multiple sets of keys and time range values. It is an advantage that the index is essentially repeated for different time intervals. Utilization of the sketches avoids prohibitively large amounts of network traffic from overwhelming the monitoring computing device(s). Further, the probabilistic representative accuracy of the sketches is dynamically configurable. The time indexed data may represent data traffic on a computer network. The time indexed data may be data packets sent on the network. In one or more embodiments the time indexed data may be sketches that represent and/or approximate the data packets. Further, it is contemplated herein that the accuracy of the sketches’ representation may be dynamically configurable.
DISTRIBUTED DENIAL OF SERVICE REMEDIATION AND PREVENTION (APPLICATION ONLY) First data indicative of information that a packet is part of a DDoS attack is received at a management network device. A DDoS remediation network device to be used for remediation of packets associated with the DDoS attack is determined from the first data. Second data, indicative of the DDoS attack and indicative of the DDoS remediation network device, is transmitted from the management network device to an edge network device. The second data is configured to cause the edge network device to route packets associated with the DDoS attack to the DDoS remediation network device.
United States Patent: 9432385 – System and method for denial of service attack mitigation using cloud services A method to mitigate attack by an upstream service provider using cloud mitigation services. An edge detection device, which is located at the subscriber’s network edge, is able to communicate information via status messages about attacks to an upstream service provider. The service provider is then able to mitigate attacks based on the status messages. There is a feedback loop whereby the amount of traffic dropped by the service provider is added to the network traffic to keep the mitigation request open and prevent flapping. Likewise, the detection device includes time-to-engage and time-to-disengage timers to further prevent flapping.
DEVICE TYPE CLASSIFICATION USING METRIC LEARNING IN WEAKLY SUPERVISED SETTINGS (APPLICATION ONLY) In one embodiment, a device classification service receives telemetry data indicative of behavioral characteristics of a plurality of devices in a network. The service obtains side information for the telemetry data. The service applies metric learning to the telemetry data and side information, to construct a distance function. The service uses the distance function to cluster the telemetry data into device clusters. The service associates a device type label with a particular device cluster.
United States Patent: 9426174 – Protecting computing assets from segmented HTTP attacks A method and system for managing data traffic and protecting computing assets. The method and system includes analyzing HTTP requests to determine if the HTTP requests are overly segmented, and, if the HTTP request is overly segmented, blocking and/or black-listing the malevolent communications and computing device. The analysis to determine if an HTTP request is overly segmented includes comparing the packet’s size to a threshold, identifying the packet’s content or lack thereof, identifying whether the packet is the last packet in a communication, and identifying whether the packet ends with the
DETECTION AND RESOLUTION OF RULE CONFLICTS IN DEVICE CLASSIFICATION SYSTEMS (APPLICATION ONLY) In one embodiment, a service receives a plurality of device type classification rules, each rule comprising a device type label and one or more device attributes used as criteria for application of the label to a device in a network. The service estimates, across a space of the device attributes, device densities of devices having device attributes at different points in that space. The service uses the estimated device densities to identify two or more of the device type classification rules as having overlapping device attributes. The service determines that the two or more device type classification rules are in conflict, based on the two or more rules having different device type labels. The service generates a rule conflict resolution that comprises one of the device type labels from the conflicting two or more device type classification rules.
United States Patent: 9407659 – Protecting computing assets from resource intensive querying attacks A method and system for managing data traffic and protecting computing assets. The method and system includes intercepting queries and messages, such as EDNS0 queries, and sending probe queries and reply queries to the originating computing device to determine whether the originating computing device may be sufficiently validated so as to justify forwarding resource-intensive queries and messages to the targeted computing device.
DETECTING SPOOFING IN DEVICE CLASSIFICATION SYSTEMS (APPLICATION ONLY) In various embodiments, a device classification service obtains device telemetry data indicative of declarative attributes of a device in a network and indicative of behavioral attributes of that device. The device classification service labels the device with a device type, based on the device telemetry data. The device classification service detects device type spoofing exhibited by the device using a model that models a relationship between the declarative attributes and the behavioral attributes. The device classification service initiates, based on the device type spoofing, a mitigation action regarding the device.
United States Patent: 9344440 – Forced alert thresholds for profiled detection A node in a communication network determines a data rate capacity of one or more nodes of the communication network and creates a single managed object grouping for each node of the one or more nodes having a same data rate capacity. The node establishes one or more static thresholds for the single managed object grouping based on the data rate capacity. The static thresholds are independent of a baseline condition of detected data rates at each node of the single managed object grouping. The node further detects a current rate of received data at each node of the single managed grouping and triggers at least one alert for each node of the single managed grouping when the current rate of the received data at a particular node exceeds the one or more static thresholds.
United States Patent: 9258289 – Authentication of IP source addresses A method and system for authenticating IP source addresses by accessing one or more HTTP requests whose source client identifies itself as a legitimate web crawler. One or more IP addresses are detected from the one or more HTTP requests and each detected IP address is authenticated via a probability estimation regarding its association with a legitimate web crawler. A lookup table is preferably compiled for the authenticated IP addresses for reference, publication and authentication purposes.
United States Patent: 9191872 – System and method to correlate handover transitions between 3GPP network access and untrusted non-3GPP network access There is provided a passive network monitoring device that monitors one or more network interfaces between network nodes including a SGW node, a PGW node, an ePDG node, and a PCRF node and a PCEF node. The device receives a handover indication for UE from untrusted non-3GPP network access to 3GPP network access and receives a response to an attach request from one or more of the network interfaces, the response including a MSIP address and a charging ID for the UE. The device determines the UE is from a single subscriber based on each of the handover, the MSIP address of the response and the charging ID of the response, and correlates information for the UE at each of the one or more network interfaces with the single subscriber.
United States Patent: 9143414 – Scenario, call, and protocol data unit hierarchical comparator A system, method and computer program product monitors the operation of a telecommunications network and receives source metadata at a metadata comparator. The source metadata is associated with data captured from a source in a telecommunications network. Target metadata associated with target data is also received at the metadata comparator. The source and target metadata are compared to identify metadata parameters that match or do not match. Bias data is also received at the metadata comparator. The bias data comprises weighting parameters and/or tolerance parameters. The weighting and tolerance parameters correspond to selected metadata parameters.
United States Patent: 9130825 – Confidence intervals for key performance indicators in communication networks Systems and methods for calculating and presenting confidence interval(s) for key performance indicator(s) (KPIs) are described. For example, in some embodiments, a method may include identifying vectors representing network events observed by a network monitoring system, each vector including: a dimension, an indication of a sampling ratio with which a respective event was observed, and a value associated with the dimension. The method may also include calculating a KPI corresponding to the observed events for the dimension based, at least in part, upon the values. The method may further include calculating a confidence associated with the KPI, based, at least in part, upon the sampling ratios. In some cases, events may be observed with different sampling ratios. Additionally or alternatively, sampling ratios may include adaptive sampling ratios controlled by the network monitoring system in response to network or resource loading (e.g., subject varying over time), whitelist differentiated sampling ratios, etc.
United States Patent: 9094283 – Data collection device for monitoring streams in data network The invention relates to a data collection device for monitoring streams in a data network using a packet transmission mode, including an extractor for extracting data contained in packets belonging to a stream defined by a transmitter, a receiver, and a protocol. The collection device also includes a syntax analyzer which receives data in real time from the extractor and breaks the data down into elements according to the syntactic rules of the protocol, said syntactic rules enabling the elements to be represented as a tree structure. The syntax analyzer combines respective tree state indicators with at least some of the elements, wherein the tree state indicator combined with an element locates said element within the tree structure. An interface transmits the tree state indicators, together with the elements with which the latter have been combined, to a stream analyzer external to the collection device.
DETECTING NETWORK INTRUSION AND ANOMALY INCIDENTS (APPLICATION ONLY) In an embodiment, a method comprises: using computing apparatus, receiving one or more data streams, determining one or more characteristics of the one or more data streams, and based on the one or more characteristics of the one or more data streams, determining one or more tags for the one or more data streams; determining whether the one or more tags indicate one or more malicious patterns representative of network intrusions; in response to determining that the one or more tags indicate one or more malicious patterns representative of network intrusions: generating, based on the one or more tags, one or more aggregated alert streams; applying one or more rules to the one or more aggregated alert streams and receiving a result indicating whether a network intrusion is in progress; in response thereto, determining and executing one or more remedial actions.
United States Patent: 9077639 – Managing data traffic on a cellular network A method and system for managing data traffic on a cellular network. The method and system include detecting that an internet service is experiencing excessive amounts of data traffic from a cellular network, and sending, to a cellular device on the cellular network, a modified IP address for the internet service, wherein the modified IP address points away from the internet service. The modified IP address is sent in response to detecting that the internet service is experiencing excessive amounts of traffic from the cellular network and detecting a DNS query from the cellular device for the internet service.
DETECTING EVASIVE NETWORK BEHAVIORS USING MACHINE LEARNING (APPLICATION ONLY) In one embodiment, a traffic analysis service identifies a client in a network having an associated traffic flow that was blocked by a firewall. The traffic analysis service obtains traffic telemetry data regarding one or more subsequent traffic flows associated with the identified client that are subsequent to the blocked flow. The traffic analysis service uses a machine learning-based classifier to determine that the identified client is exhibiting evasive network behavior, based on the obtained traffic telemetry data. The traffic analysis service initiates a mitigation action in the network, based on the determination that the identified client is exhibiting evasive network behavior.
United States Patent: 9060020 – Adjusting DDoS protection based on traffic type A system, method and computer readable storage medium that receive traffic/packets from external devices attempting to access protected devices in a protected network. A determination is made as to whether a received packet belongs to one of a plurality of packet classifications, each packet classification indicative of a different class of IP traffic. Countermeasures are applied to a received packet to prevent attack upon the protected devices. Applying a countermeasure to a received packet determined to belong to one of the plurality of packet classifications includes countermeasure modification/selection contingent upon the determined packet classification for the received packet.
CRYPTOGRAPHIC SECURITY AUDIT USING NETWORK SERVICE ZONE LOCKING (APPLICATION ONLY) In one embodiment, a service receives captured traffic flow data regarding a traffic flow sent via a network between a first device assigned to a first network zone and a second device assigned to a second network zone. The service identifies, from the captured traffic flow data, one or more cryptographic parameters of the traffic flow. The service determines whether the one or more cryptographic parameters of the traffic flow satisfy an inter-zone policy associated with the first and second network zones. The service causes performance of a mitigation action in the network when the one or more cryptographic parameters of the traffic flow do not satisfy the inter-zone policy associated with the first and second network zones.
United States Patent: 9055113 – Method and system for monitoring flows in network traffic A method and system for correlating web content with content providers to determine the origin of the content such that it is not necessary to look inside the information exchange. The method and system maintain sequences of reference points, which are ordered lists of content providers accessed by subscribers over time, and correlate the internet content applications, such as video, found in network traffic to the sequence of reference points accessed by subscribers to determine the origins of the content even when the content is being delivered by third-party content delivery networks.
United States Patent: 9049170 – Building filter through utilization of automated generation of regular expression A system and method performed by a computing device connected to a network and having one or more processors and memory storing one or more programs for execution by the one or more processors. At least one packet is received over a network. The packet is analyzed to detect predetermined content. The predetermined content is selected if it is determined that the packet contains the predetermined content. Future transmission of any packet containing the predetermined content is prevented in response to selection of the predetermined content.
CORRELATING ENDPOINT AND NETWORK VIEWS TO IDENTIFY EVASIVE APPLICATIONS (APPLICATION ONLY) In one embodiment, a service receives traffic telemetry data regarding encrypted traffic sent by an endpoint device in a network. The service analyzes the traffic telemetry data to infer characteristics of an application on the endpoint device that generated the encrypted traffic. The service receives, from a monitoring agent on the endpoint device, application telemetry data regarding the application. The service determines that the application is evasive malware based on the characteristics of the application inferred from the traffic telemetry data and on the application telemetry data received from the monitoring agent on the endpoint device. The service initiates performance of a mitigation action in the network, after determining that the application on the endpoint device is evasive malware.
United States Patent: 8990938 – Analyzing response traffic to detect a malicious source A system and method are provided to receive mirrored versions of transmissions sent by a node in response to initiating transmissions received by the node over a network. At least one mirrored response transmission sent from the node in response to at least one corresponding initiating transmission is analyzed to determine whether or not the corresponding at least one initiating transmission is malicious.
CONTINUOUS VALIDATION OF ACTIVE LABELING FOR DEVICE TYPE CLASSIFICATION (APPLICATION ONLY) In one embodiment, a device classification service forms a device cluster by applying clustering to telemetry data associated with a plurality of devices. The service obtains device type labels for the device cluster. The service generates a device type classification rule using the device type labels and the telemetry data. The service determines whether the device type classification rule should be revalidated by applying a revalidation policy to the device type classification rule. The service revalidates the device type classification rule, based on a determination that the device type classification rule should be revalidated.
United States Patent: 8982842 – Monitoring 3G/4G handovers in telecommunication networks Systems and methods for monitoring 3G/4G handovers in telecommunication networks are described. In some embodiments, a method may include receiving a plurality of packets at a telecommunications monitoring system, the plurality of packets including a first packet following a first version of a protocol and a second packet following a second version of the protocol. The method may also include determining, via the telecommunications monitoring system, that the first packet belongs to a first communication session that is correlated with a second communication session to which the second packet belongs. The method may further include using the telecommunications monitoring system to associate the first packet with the second packet in response to the determination.
United States Patent: 8964582 – Data integrity scoring and visualization for network and customer experience monitoring Systems and methods for data integrity scoring and visualization for network and customer experience monitoring are described. In some embodiments, a method may include receiving a first set of vectors, each vector representing a network event generated by a network testing system, each vector including a plurality of dimensions and a first plurality of values, each value associated with a corresponding one of the dimensions. The method may also include identifying a second set of vectors representing at least a portion of the network events as observed by a network monitoring system, each vector in the second set of vectors including the plurality of dimensions and a second plurality of values. The method may further include calculating a presence score as a ratio between a number of vectors in the second and first sets of vectors, and/or an accuracy score as a measure of a discrepancy between corresponding values.
United States Patent: 8954080 – Monitoring traffic across diameter core agents Systems and methods for monitoring traffic across Diameter Core Agents (DCAs) such as, for example, Diameter Signaling Routers (DSRs) and/or Diameter Routing Agents (DRAs). In some embodiments, a method may include receiving a first set of one or more messages at a telecommunications monitoring system, the first set of one or more messages transmitted between a Diameter client and a Diameter device. The method may also include receiving a second set of one or more messages at the telecommunications monitoring system, the second set of one or more messages transmitted between the Diameter device and a Diameter server. The method may further include correlating the first set of one or more messages with the second set of one or more messages as part of a single Diameter call.
United States Patent: 8924718 – Deciphering internet protocol (IP) security in an IP multimedia subsystem (IMS) using a monitoring system Systems and methods for deciphering Internet Protocol (IP) security in an IP Multimedia Subsystem (IMS) using a monitoring system are described. In some embodiments, a method may include identifying a Security Association (SA) between a User Equipment (UE) and a Proxy Call Session Control Function (P-CSCF) of an Internet Protocol (IP) Multimedia Subsystem (IMS) over a Gm interface during a registration procedure, correlating the SA with a ciphering key (CK) exchanged between the P-CSCF and a Serving CSCF (S-CSCF) of the IMS over an Mw interface during the registration procedure, and storing an indication of the correlated SA and CK in a deciphering record.
CO-OPERATIVE LOAD SHARING AND REDUNDANCY IN DISTRIBUTED SERVICE CHAINS IN A NETWORK ENVIRONMENT (APPLICATION ONLY) An example method for co-operative load sharing and redundancy in distributed service chains is provided and includes deriving a service chain comprising a plurality of services in a distributed virtual switch (DVS) network environment, where a first service node provides a first portion of a specific service in the plurality of services to a packet traversing the network, and a second service node provides a second portion of the specific service to the packet, and configuring service forwarding tables at virtual Ethernet Modules associated with respective service nodes in the service chain. In a specific embodiment, the first service node and the second service node provide substantially identical service functions to the packet, wherein the specific service comprises the service functions. In various embodiments, each service node tags each packet to indicate a service completion history of service functions performed on the packet at the service node.
United States Patent: 8902754 – Session-aware GTPv2 load balancing Systems and methods for session-aware GTPv2 load balancing are described. In some embodiments, a method may include receiving a first and a second transaction between an MME and an S-GW over an S11 interface of an LTE/SAE network using a control portion of a second version of a GTPv2-C protocol and storing an uplink UP TEId and IP address, a downlink CP TEId and IP address, and an uplink CP TEId and IP address obtained from the first transaction, and a downlink UP TEId and IP address obtained from the second transaction. The method may further include identifying messages between an eNodeB and the S-GW over a direct tunnel using a user portion of a GTPv1-U protocol as belonging to a session in response to the messages including at least one of: the first uplink UP TEId and IP address, or the first downlink UP TEId and IP address.
CLASSIFICATION OF TRAFFIC FOR APPLICATION AWARE POLICIES IN A WIRELESS NETWORK (APPLICATION ONLY) In one embodiment, a method includes performing stateful application classification on packets received at a controller and transmitting classification information to an access point. The classification information includes flow information and stateless rules for applying policies. The access point is configured to use the classification information to perform stateless application classification and apply policies to packets received from a mobile device. An apparatus and logic are also disclosed herein.
United States Patent: 8879415 – Method and system for annotating network flow information A scalable flow monitoring solution takes in standard flow records exported from network devices such as routers, switches, firewalls, hubs, etc., and annotates the flow with additional information. This information is derived from a number of sources, including Border Gateway Protocol (BGP), Simple Network Management Protocol (SNMP), user configuration, and other intelligent flow analysis. These annotations add information to the flow data, and can be used to perform value-added flow analysis. The annotated flow is then resent to a configurable set of destinations using standard flow formatting, e.g., Cisco Systems Inc.’s NetFlow, in one implementation. This allows the annotated flow to be processed and the enhanced information to be used by other flow analysis tools and existing flow analysis infrastructure.
United States Patent: 8856913 – Method and protection system for mitigating slow HTTP attacks using rate and time monitoring A system and methods for mitigating slow HTTP, SSL/HTTPS, SMTP, and/or SIP attacks. A protection system monitors each TCP connection between a client and a server. The protection system monitors the header request time and minimum transfer rate for each client and TCP connection. If the client has not completed the data transfer in the minimum time or the data are not transferred at the minimum transfer rate, the protection system determines that the connections are potentially a slow attack and resets the connections for the protected devices.
United States Patent: 8817649 – Adaptive monitoring of telecommunications networks Systems and methods for the adaptive monitoring of telecommunications networks are described. In some embodiments, a method may include monitoring traffic transmitted through a mobile telecommunications network (e.g., 3G, 4G, LTE, etc.) and identifying a monitoring rule. The monitoring rule may associate a selected portion of the traffic (e.g., based on content type, source, destination, transport protocol, session, etc.) with a monitoring sampling ratio, and the monitoring sampling ratio may determine a fraction of the selected portion of the traffic usable to provide one or more performance indicators (e.g., service indicators, network congestion, connection maintenance, service quality, and/or network availability). The method may further include modifying the monitoring sampling ratio in response to a change in network monitoring conditions (e.g., one or more probes operating at or near capacity, scheduled maintenance events, peak traffic times, etc.).
United States Patent: 8761757 – Identification of communication devices in telecommunication networks Systems and methods for identifying communication devices in telecommunication networks are described. In some embodiments, a method may include receiving an identification code of a device operating in a network controlled, at least in part, by a telecommunications operator, the device having a model and/or a manufacturer. The method may also include obtaining user-plane information within one or more communications made by the device, correlating the identification code with the user-plane information, and determining, based upon the correlation, the model and/or the manufacturer of the device. In some cases, by correlating these disparate pieces of information, an approximation of the device’s identifier may be created, which may then allow the device to be identified (e.g., for presentation, etc.) even in cases where such an identifier has not been provisioned (or even has been provisioned incorrectly) to a telecommunications monitoring system by the network operator.
CAPABILITY IDENTIFICATION AND MODIFICATION THROUGH HARDWARE INTROSPECTION AND REFLECTION (APPLICATION ONLY) System, method, and computer program product to provide capability identification and modification through hardware introspection and reflection in a network, by exposing, to an application: (i) a plurality of attributes of each of a plurality of network elements in a network, (ii) a current state of each of the plurality of network elements, and (iii) a set of networking capabilities of each of the plurality of network elements, and providing, to the application, an interface for real-time configuration of each of the plurality of network elements and a set of data flows passing through each respective network element.
ANOMALY SEVERITY SCORING IN A NETWORK ASSURANCE SERVICE (APPLICATION ONLY) In one embodiment, a network assurance service that monitors a network detects a set of anomalous measurements from the network over time by applying a machine learning-based anomaly detector to the measurements. The service computes, for each of the anomalous measurements, an anomaly severity score based on weighted severity factors used to compute anomaly severity scores. The severity factors include one or more of: a device type associated with the measurements, a duration of the anomalous measurements, a network impact associated with the anomalous measurements, or an aggregate metric based on distances between the measurements and a prediction band of the anomaly detector. The service sends an anomaly alert to a user interface, based on the computed anomaly severity score, and receives feedback from the user interface regarding the anomaly alert. The service adjusts, based on the received feedback, weightings of the severity factors used to compute anomaly severity scores.
ADJUSTING ANOMALY DETECTION OPERATIONS BASED ON NETWORK RESOURCES (APPLICATION ONLY) In one embodiment, a device in a network monitors a selective anomaly forwarding mechanism deployed in the network. The selective anomaly forwarding mechanism causes a participating node in the mechanism to selectively forward detected network anomalies to the device. The device monitors one or more resources of the network. The device determines an adjustment to the selective anomaly forwarding mechanism based on the one or more monitored resources of the network. The device implements the determined adjustment to the selective anomaly forwarding mechanism.
United States Patent: 8689107 – System and method for aggregating multi-protocol flows for network monitoring A system and method for aggregating IP flows in a telecommunication network is disclosed. A multi-protocol flow representing packets captured from the telecommunications network during a selected time period is displayed on a user interface of a network monitoring system. The multi-protocol flow is highlighted on the user interface display if any session records within the multi-protocol flow do not meet operator-defined criteria. The user interface detects a user’s selection of the multi-protocol flow and displays a plurality of protocol-specific flows that are within the multi-protocol flow. The user interface detects the user’s selection of one of the protocol-specific flows and displays a plurality of session flows that are within the selected protocol-specific flow. Any session records that do not meet operator-defined criteria are highlighted on the user interface.
United States Patent: 8661522 – Method and apparatus for probabilistic matching to authenticate hosts during distributed denial of service attack A system and method to track external devices attempting to connect to a protected network using probabilistic filters. When a connection from a new external device attempts to access the protected network, the memory of a protection system, which is organized as a probabilistic filter, is searched to determine if the IP address already exists in the memory of the protection system. If the search locates the IP address, the protection system terminates the connection to the external device. If the search is negative, then the protection device begins the authentication process for the external device.
United States Patent: 8509086 – Detecting network misuse An apparatus is equipped to receive network traffic data for network traffic routed over one or more network links relevant to a network link of interest. Selected analyses are performed to determine if the network link of interest is being misused. The analyses include but are not limited to analyses to determine whether the network traffic routed is inconsistent with an expected traffic pattern, whether unallocated source addresses are present, whether source addresses exhibit an uncharacteristically even distribution pattern, whether a server is uncharacteristically excessive in responding to the same source address, whether normal bursty behavior is absent from the traffic, whether a ratio of packets in one direction to packets in another direction is out of balance, whether a ratio of packets of one type to packets of another type is out of balance, and whether a server is uncharacteristically excessive in responding with error responses.
ACTIVE LABELING OF UNKNOWN DEVICES IN A NETWORK (APPLICATION ONLY) In one embodiment, a labeling service receives telemetry data for a cluster of endpoint devices in a first network environment. The endpoint devices in the cluster are clustered by a device classification service based on their telemetry data and labeled by a device type classifier of the device classification service as being of an unknown device type. The labeling service obtains a first device type label for the cluster of endpoint devices via a first user interface. The labeling service identifies one or more other network environments in which endpoint devices are located that have similar telemetry data as that of the cluster of endpoint devices. The labeling service obtains device type labels for the cluster of endpoint devices via a selected set of user interfaces from the identified one or more other network environments. The labeling service validates the first device type label for the cluster using the device type labels obtained via the selected set of user interfaces from the identified one or more other network environments.
United States Patent: 8463901 – Stateful flow information table method and system for packet inspection system A packet processing system comprises two packet inspection systems for tracking packet flows between a first network and a second network. A memory is accessible by each of the packet inspection systems for storing flow entries. Each of the flow entries includes a flow key characterizing the packet flow associated with the flow entry, and a flow identifier. State information is further maintained indicating ownership of the flow identifiers among the two packet inspection systems. Using stateful identifiers ensures that the two packet processing systems do not become incoherent and properly indicate the status of free flow identifiers.
United States Patent: 8271678 – Independent detection and filtering of undesirable packets A server, using a deterministic function, a secret value and persistent information of a packet destined for a client device, generates a conversation identifier for inclusion with the packet. The client device in turn includes the conversation identifier in a subsequent packet sent by the client device destined for the server. An intermediate routing device having knowledge of the deterministic function and the secret value, upon receiving the packet en route from the client device to the server, would independently determine whether the packet is a part of a conversation between the client and the server, by independently verifying the included conversation identifier, and forward or not forward the packet accordingly. As a result, undesirable packets may be independently detected and filtered for the server.
United States Patent: 8219675 – System and method for correlating IP flows across network address translation firewalls Systems and methods are disclosed for correlating IP flows across a NAT firewall. Data packets are captured from a first interface using a monitor probe coupled to the first interface and are correlated into a first group of session records. For each of the first group of session records, a correlation key is created using data in one of the packets in the session record. Data packets are captured from a second interface using a monitor probe coupled to the second interface and are correlated into a second group of session records. For each of the second group of session records, a correlation key is created using data in one of the packets in the session record. The correlation key for one of the first group is compared to the correlation keys for each of the second group of session records to identify session records with matching correlation keys.
United States Patent: 8185651 – Multi-segment network application monitoring and correlation architecture A system, method and computer program product are provided for network and network application monitoring. Accordingly, one or more media modules are each coupled to an associated network segment. In the case of network application monitoring, each media module is coupled to a network segment on which a network application is running. Each media module monitors and collects data relating to traffic on the associated network segment corresponding to the network application, wherein each media module is tailored for network analysis. An application server module is coupled to the at least one media module and receives the data and analyzes the data for helping to improve the performance of the network and/or network application.
United States Patent: 8146160 – Method and system for authentication event security policy generation A method and system allows for the deployment of security policies into the higher layers of the OSI model. Specifically, it allows for the establishment of security policies at layer 4 and higher, by monitoring authentication flows and using these flows as the basis for establishing security policies which then can be used as a basis for assessing the operation of the network.
United States Patent: 8144688 – System and method for discovering SCTP associations in a network Systems and methods for discovering SCTP associations between devices communicating in a network are described. A method comprises monitoring packets communicated among a plurality of source and destination devices, determining a combination of source IP address, source port number, destination IP address, and destination port number that defines an association between a source device and a destination device, and resolving a combination of source and destination verification tags that further defines the association based upon the combination of IP addresses and port numbers. The method further comprises ascertaining whether a subsequently monitored packet belongs to the association based at least in part upon an element of the combination of verification tags after at least one element of the combination of IP addresses and port numbers has changed during the ongoing communication.
United States Patent: 8103755 – Apparatus and method for managing a provider network An administration system is defined that provides an interface between a subscriber and resources on a provider network. The subscriber, via the administration system, has access to and control over certain of the resources on the provider network. The subscriber may have access to and control over only those resources on the provider network related to the services provided to his network. Also, the subscriber may not be capable of altering resources on the provider network in a way that affects the services provided to another subscriber. Because the administration system allows a user to control resources on the provider network that relate to services provided to his network, the amount of support required by the provider to administer those resources is reduced.
United States Patent: 8090820 – Distributed traffic analysis A distributed system for analyzing traffic flow on a communications network architecture where a computer provides information over a data network to a concentrator, which provides a bridge between the computer and the end user terminals. The interface between the terminals and the concentrator is provided through access points for each workstation. The system to analyze the traffic is distributed into three components that perform, respectively, classification of the traffic flow, processing of the results of the classification, and handling of the processed results.
United States Patent: 8001271 – Method and apparatus for locating naming discrepancies A system is provided that polls one or more caching nameservers and compares their results to a trusted or standard set of data. The set of data may be, for example, stored in a computer system or distributed among several computer systems. In one aspect, the system comprises a discrepancy detector that detects discrepancies between one or more copies of mapping information. Mapping information may be, for example, mapping stored on a Domain Name System (DNS).
United States Patent: 7970886 – Detecting and preventing undesirable network traffic from being sourced out of a network domain The present invention provides for a novel approach to protecting a system owner’s system(s) from being exploited and providing involuntary assistance to a DOS attack. The present invention provides the protection by detecting and preventing undesirable or inappropriate network traffic from being sourced from a network domain. More specifically, a monitor/regulator is provided to monitor network traffic leaving a network domain. The monitor/regulator determines if undesirable/inappropriate network traffic is leaving the network domain based on the observed characteristics of the outbound and inbound network traffic. If it is determined that undesirable/inappropriate network traffic is leaving the network domain, the monitor/regulator, in one embodiment, at least warns system owners of the detection. In another embodiment, the monitor/regulator further issues regulation instruction(s) to boundary routing device(s) of the network domain(s), thereby preventing the network domain(s) from being exploited to source such undesirable/inappropriate network traffic.
United States Patent: 7844696 – Method and system for monitoring control signal traffic over a computer network A system and method is provided for detecting, tracking and/or blocking control signal attacks, which can occur between local computer systems and/or between remote computer systems, network links, and/or routing systems over a computer network. The system includes a router monitor adapted to receive a plurality of control signals and related information from the computer network and to process the plurality of control signals and related information to detect one or more control signal anomalies. The router monitor is further adapted to generate a plurality of alert signals representing the one or more control signal anomalies. The system further includes a controller that is coupled to the router monitor and is adapted to receive the plurality of alert signals from the router monitor. The controller is constructed and arranged to respond to the plurality of alert signals by tracking attributes related to the one or more control signal anomalies to at least one source, and to block the one or more control signal anomalies using a filtering mechanism executed in close proximity to the at least one source.
United States Patent: 7617314 – HyperLock technique for high-speed network data monitoring In one embodiment, a network architecture includes a plurality of application monitoring modules for monitoring network traffic data in a plurality of network segments. Network monitoring modules include a staging area that receives network traffic data from a packet capture and analysis engine and an indexing area that stores the data in meta-flow tuples with associated measures divided into time interval buckets. Index tables store dimension-based sorted pointers to the storage locations in the data buckets. HyperLock queries collect time aggregated results for measure based operators with respect to a queried dimension. For each value of the queried dimension, the time interval buckets are traversed compiling a partial result that is finally stored in a stack as the time aggregated value. The stored sorted pointers are used to determine the starting location in each bucket with respect to the next value of the queried dimension.
United States Patent: 7596807 – Method and system for reducing scope of self-propagating attack code in network Technique for protecting a communications network, such as a computer network, from attack such as self-propagating code violations of security policies, in which the network is divided into
United States Patent: 7529192 – System and method for correlating traffic and routing information In one aspect, it is realized that changes in routing configuration (and therefore network topology) may have an effect on how data is forwarded in a communication network. More particularly, it is realized that changes in the control plane have a statistical effect on information tracked in the data plane, and this relation may be used by a network manager in monitoring the network and determining a control plane cause of a data plane forwarding effect. For instance, a change in BGP routing information (control plane information) may affect the data forwarded by a router based on the changed BGP routing information (e.g., next hop data may be forwarded to a different BGP router attached to another physical port). A system and method are provided that correlate control plane and data plane information to support root cause analysis functions.
United States Patent: 7475141 – Distributed service level management for network traffic One or more networking apparatuses are employed to practice a networking method that improves a first networking device’s likelihood of meeting its service level goals/commitments for a first group of network traffic serviced by the first networking device. Determination is made, away from the networking device, on whether the first network device is meeting the service level goals/commitments for the first group of network traffic. Determination may include monitoring the first group of network traffic at or away from the networking device. If the service level goals/commitments are not being met, a second group of network traffic (also serviced by the first networking device) is regulated. Regulation may be made at the networking device or away from the network device. Additionally, if the condition for regulation is no longer present, regulation may be moderated or removed. Further, the service level goals/commitments may include reliability and/or performance goals/commitments.
United States Patent: 7444404 – Network traffic regulation including consistency based detection and filtering of packets with spoof source addresses A director is provided to receive source address instances of packets routed through routing devices of a network. The director determines whether any of the reported source address instances are to be deemed as spoof source address instances. The director further determines where filtering actions are to be deployed to filter out packets having certain source addresses deemed to be spoof instances. The director makes its determinations based at least in part on a selected one of a number of consistency measures. The consistency measures may include but are not limited to spatial consistency, destination consistency, migration consistency, and temporary consistency. The consistency measures are evaluated using spatial, destination source address range, migration and timing S/D/M/T distribution profiles of the reported source addresses. In some embodiments, the determinations are based further in view of reference S/D/M/T distribution profiles, which may be an exemplary S/D/M/T distribution profile of a typical non-spoof source address or a historical S/D/M/T distribution profile of the source address.
United States Patent: 7359930 – System and method for managing computer networks A system and method are provided for monitoring traffic in an enterprise network. Similar hosts may be grouped using flow information. Network policy may then be created at the group level based on the signatures of the hosts and groups of hosts in the enterprise. Hosts may be arranged in hierarchical clusters. Some of these clusters may be selected as groups based on a desired degree of similarity between hosts in a group. The similarity between hosts may be determined based on similarity of network behavior of the hosts.
United States Patent: 7272646 – Network monitor internals description A method and apparatus for a network monitor internals mechanism that serves to translate packet data into multiple concurrent streams of network event data is provided. The data translation is accomplished by interpreting both sides of each protocol transaction.
United States Patent: 7058015 – Distributed solution for regulating network traffic A number of sensors are distributively deployed in a network, either integrally disposed in a number of routing devices of the network or externally disposed and coupled to the routing devices, to monitor and report on network traffic routed through the routing devices. A director is provided to receive network traffic reports from the sensors for the routing devices, and to determine whether moderating actions are to be taken to moderate an amount of network traffic, based at least in part on some of the network traffic reports received from the sensors. In one embodiment, upon determining moderating actions are to be taken, the director further determines what kind of moderating actions are to be taken, including where the moderating actions are to be taken. In one embodiment, the director further instructs appropriate ones of the sensors to cause the desired moderating actions to be applied on the network traffic going through some of the routing devices. In one embodiment, the director, in cooperation with the sensors, also determines when and where moderating actions are to be relaxed, and causes such relaxation to be effectuated. In yet another embodiment, the director, in cooperation with the sensors, also determines when and where regulating actions filtering out certain types of network traffic destined for a network node are to be applied, and causes such filtering to be performed.
United States Patent: 6965574 – Network traffic data collection and query An apparatus is equipped to receive descriptive data for network traffic. In one embodiment, the apparatus is equipped to conditionally modify timing data of the network traffic to conform the timing data to the timing patterns of previous network traffic, when it is determined that the timing data of the network traffic are aberrations. Further, the apparatus is equipped with a query facility that supports a network oriented query language. The language includes specific network oriented language elements.
United States Patent: 6868069 – Method and apparatus for passively calculating latency for a network appliance A device that passively monitors arriving and departing data packets on one or more networks, correlates arriving data packets with departing data packets, and calculates a latency estimate based on the confidence of the correlation. The device detects and copies data packets arriving at a network device and the data packets departing from the same network device. A timestamp is stored for each arriving or departing data packet. Latency across a network device can be determined based on the timestamps for correlating data packets. Additionally, latency across a network device per protocol layer can also be calculated. Varying levels of confidence of a latency estimation depend on the operation necessarily performed on the data packet by the network device and the protocol level at which correlation between the arriving and departing data packets can be achieved.
United States Patent: 6801503 – Progressive and distributed regulation of selected network traffic destined for a network node An apparatus is equipped to receive network traffic data for network traffic routed through a number of routing devices with one or more degrees of separation from a network node. The network traffic data include at least network traffic data for network traffic destined for the network node which meet a traffic type selection criteria and are routed by the routing devices to the network node. The apparatus is further equipped to progressively regulate and de-regulate network traffic routing by the routing devices based at least in part on the received network traffic data and the degrees of separation of the routing devices from the network node. Regulation extends from routing devices with the lowest degree of separation from the network node to routing devices with the highest degree of separation, following in the reverse direction of the routing paths traversed by the packets to reach the network node. In one embodiment, the extension or push back is made one degree of separation at a time. In one embodiment, deregulation follows the reverse path, whereas in another embodiment, deregulation is determined and implemented locally, whenever regulation or the extent of regulation is no longer needed. In one embodiment, regulation is made in accordance with a not-to-exceed profile, and the not-to-exceed limit or limits are divided up as regulation extends away from the network node.
United States Patent: 6785237 – Method and system for passive quality of service monitoring of a network A method and system for passive quality of service monitoring of a network are described. In one embodiment, a number of signatures are extracted from a number of network packets at a number of monitoring points. In addition, at least one quality of service parameter is generated based upon the signatures.
United States Patent: 6728885 – System and method for network access control using adaptive proxies A method, system and computer program for providing multilevel security to a computer network. The method comprises the step of receiving a first communication packet on at least one network interface port from an outside network. The method further includes the steps of filtering the first packet in one of at least two levels of security comprising a first level of security which examines the content information of the packet and a second level of security which examines the first packet excluding the content information of the packet. The system includes a first packet filter configured to filter its input packets by examining content information of its packets and a second packet filter configured to filter its input packets by examining the header information without examining the content information of its packets. The system further includes a third filter which is configured to forward a number of packets to one of the first and second filters, thereby providing security to the computer network. The computer program includes a first module located in an application layer, a second module located in a network layer, and a third module located in a kernel space and configured to examine a number of packets received by the computer network from at least one outside network and to forward the number of packets to one of the first and second modules after examining the number of packets.
United States Patent: 6708292 – System, method and software for protocol analyzer remote buffer management A method and system for gathering data by monitoring data packets on a network. At least some of the packets are captured in a data buffer. Each captured packet is classified according to a preselected classification system and each captured packet is marked with an indicia of its classification. An analysis program is executed on a network coupled computer. The analysis program displays data about the buffer contents including the indicia before transferring the buffer contents to the analysis program.
United States Patent: 6707794 – Method, system and computer program product for physical link layer handshake protocol analysis A method, system and computer program product for analyzing link failure in a network is described, wherein a protocol analyzer captures handshake protocol frames exchanged by two nodes attempting to establish a physical link. The captured handshake protocol frames ordered sets are displayed to the user in a merged, time-ordered list, and the information contained in the frames is decoded and displayed. If an attempt to establish a link fails, the symptoms of the failure and a possible diagnosis are identified and displayed. The user is thereby provided with a complete, understandable picture of the events leading up to the link failure, and with symptoms and possible cause of the link failure.
United States Patent: 6584508 – Advanced data guard having independently wrapped components A system and method for increasing the security of a data guard is disclosed. The data guard is based on a multi-part proxy that includes a first proxy agent that communicates with an inside computer network region, a second proxy agent that communicates with an outside computer network region, and a content-based filter application that reviews information that is passed between the first proxy agent and the second proxy agent. Both the first and second proxy agents can be based on existing firewall proxies. The proxy agents listen for protocol operations (e.g., IIOP requests or replies) and translate those protocol operations into protocol-independent data. The protocol-independent data is then analyzed by a protocol-independent content-based filter. The behavior of the multi-part proxy can be further constrained through the use of software wrapper technology.
United States Patent: 6553377 – System and process for maintaining a plurality of remote security applications using a modular framework in a distributed computing environment A system and a process for maintaining a plurality of remote security applications using a centralized broker in a distributed computing environment are described. A centralized broker is executed on a designated system within the distributed computing environment. A console interface from the centralized broker is exposed. The console interface implements a plurality of browser methods which each define a browser function which can be invoked by a plurality of snap-in components. A namespace snap-in component is defined and includes a logical grouping identifying at least one remote security application being executed on a remote system within the distributed computing environment. A namespace interface from the namespace snap-in component is exposed. The namespace interface implements a plurality of namespace methods each defining a storage function which can be invoked by the centralized broker. A repository including a plurality of storages corresponding to each remote system is formed. Each storage includes a set of attributes describing each such remote security application defined within the namespace snap-in component.
United States Patent: 6412000 – Method for automatically classifying traffic in a packet communications network In a packet communication environment, a method is provided for automatically classifying packet flows for use in allocating bandwidth resources by a rule of assignment of a service level. The method comprises applying individual instances of traffic classification paradigms to packet network flows based on selectable information obtained from a plurality of layers of a multi-layered communication protocol in order to define a characteristic class, then mapping the flow to the defined traffic class. It is useful to note that the automatic classification is sufficiently robust to classify a complete enumeration of the possible traffic.
United States Patent: 6285658 – System for managing flow bandwidth utilization at network, transport and application layers in store and forward network In a packet communication environment, a method is provided for classifying packet network flows for use in determining a policy, or rule of assignment of a service level, and enforcing that policy by direct rate control. The method comprises applying individual instances of traffic objects, i.e., packet network flows to a classification model based on selectable information obtained from a plurality of layers of a multi-layered communication protocol, then mapping the flow to the defined traffic classes, which are arbitrarily assignable by an offline manager which creates the classification. It is useful to note that the classification need not be a complete enumeration of the possible traffic.
United States Patent: 6046980 – System for managing flow bandwidth utilization at network, transport and application layers in store and forward network In a packet communication environment, a method is provided for classifying packet network flows for use in determining a policy, or rule of assignment of a service level, and enforcing that policy by direct rate control. The method comprises applying individual instances of traffic objects, i.e., packet network flows to a classification model based on selectable information obtained from a plurality of layers of a multi-layered communication protocol, then mapping the flow to the defined traffic classes, which are arbitrarily assignable by an offline manager which creates the classification. It is useful to note that the classification need not be a complete enumeration of the possible traffic.
United States Patent: 6038216 – Method for explicit data rate control in a packet communication environment without data rate supervision A method for explicit data rate control is introduced into a packet communication environment (10) which does not have data rate supervision by adding latency to the acknowledgment (ACK) packet and by adjusting the size of the flow control window associated with the packet in order to directly control the data rate of the source data at the station (12 or 14) originating the packet.
United States Patent: 5787253 – Apparatus and method of analyzing internet activity An internet activity analyzer includes a network interface controller, a packet capturing module, a packet analysis module, and a data management module. The network interface controller is connected to a transmission medium for a network segment and is arranged to receive the stream of data packets passing along the medium. The packet stream is filtered to remove undesired packet data and is stored in a raw packet data buffer. The packet data is decoded at the internet protocol layer to provide information such as timing and sequencing data regarding the exchange of packets between nodes and the packet data for exchanges between multiple nodes may be recompiled into concatenated raw transaction data which may be coherently stored in a raw transaction data buffer. An application level protocol translator translates the raw transaction data and stores the data in a translated transaction data buffer. The translated data provides high level information regarding the transactions between nodes which is used to monitor or compile statistics regarding network or internetwork activity. The data management module communicates with the packet capturing module and the packet analyzer and, particularly, the data in the raw packet, decoded packet, raw transaction, and translated transaction data buffers to provide real time and stored analytical information concerning internet activity.
biTS-1 ISDN Test Set The Basic ISDN Test Set-1 (biTS-1) is a portable, hand-held communication line tester which allows for quick and easy troubleshooting and verification of ISDN S/T interface lines. The biTS-1 unit provides a variety of comprehensive tests designed to assist telephony and ISDN craft technicians in isolating problems on the line. This is the how-to-use manual.
Application Note AP-500-02 Data transmission on voice frequency circuits continues to expand, both in speed and in the number of lines in service. The higher bit rates and the expectation that transmission efficiency should continue to improve have resulted in the definition and control of more line parameters. This in turn requires more sophisticated testing prior to turning a circuit up for service and in troubleshooting the cause of errors in data transmission. A large amount of excellent material has been published on this subject in the form of books, Technical References, Operating Practices, and magazine articles; unfortunately, it is not always readily available to the technician in the field, or else the treatment of the subject matter is not oriented toward practical application. The purpose of this Application Note is to provide background material to enable a technician to more readily understand not only how testing is performed but also what precisely is being measured and why. With this knowledge, it will be easier to interpret instrument operating instructions and to better understand a particular instrument’s capabilities and limitations.
Network General: Network and Protocol Reference – Part 2 of 2 Network General’s Network and Protocol Reference provides background information on a broad spectrum of network types and communication protocols. You will want to refer to it from time to time to help you get the most out of your Sniffer Network Analyzer or Distributed Sniffer System.
Network General: Network and Protocol Reference-Part 1 of 2 Network General’s Network and Protocol Reference provides background information on a broad spectrum of network types and communication protocols. You will want to refer to it from time to time to help you get the most out of your Sniffer Network Analyzer or Distributed Sniffer System.
General Technical Reference For 4541-1 and 4541-2 clustered configurations using BSC and ADCCP protocol and 4543-2 single display configurations using ADCCP protocol This technical reference describes the 4541-1, 4541-2 & 4543-2 (remote-connect) versions of the 4540 data terminal family. These versions are designed to be compatible with many in-use software supported systems for remotely connected display devices, and to enable users to take advantage of the economies obtained by clustering several terminal devices on a common controller. Also, their efficient interactive mode of operation makes them attractive for a variety of on-line computer input-output applications, such as inquiry-response, data entry and data retrieval. (4541-3 configurations, which provide many of these features for locally connected terminals
Handbook on Analog Transmission Impairment Testing This handbook has been designed to aid both the end user and the service technician with the task of testing and isolating troubles within analog and digital communications facilities. Its intent is to familiarize you with the common terms associated with transmission impairment testing and to provide you with a simple yet concise guide for logically addressing the testing of telecommunications transmission systems.
ATM REALITIES, CHALLENGES, and SOLUTIONS
Data Communications A User’s HANDBOOK Handbook covering Basic Switched Network Elements, the Metropolitan Area and Connecting Metropolitan Areas, the Switched Telecommunications Network, Satellite vs. Terrestrial Connection, Signaling, Digital Data Service, Multipoint Systems, Two Wire Bridge and much more.
DATASCOPE MODEL D-601 The SPECTRON® DATASCOPE is a portable test instrument for troubleshooting and monitoring data communication channels. It provides both a CRT display and a magnetic tape recording of all traffic at the business machine (EIA RS-232C) interface of any standard modem. It is compatible with most forms of data transmission, whether synchronous or asynchronous, and it operates at any speed up to 9600 BPS (display-only, up to 80 Kbps). It may be connected to the data link directly or through a Remote Connection Unit which bridges the EIA interface and provides electrical isolation without adding cable length or increasing electrical loading. The block diagram (Figure 1) shows internal DATASCOPE components and a typical modem connection.
SteelCentral Packet Analyzer Reference Manual-Personal Edition – Version 10.9 Riverbed® SteelCentral™ Packet Analyzer, Cascade Pilot is a Windows-based packet analysis tool that provides network visibility through live traffic monitoring and analysis. It analyzes traffic seen on local interfaces, including Riverbed AirPcap™ wireless LAN packet capture adapters, TurboCap capture cards, Riverbed packet capture appliances, and standard .pcap packet trace files. Its graphical user interface supports a wide variety of views and charts for analyzing network traffic on local interfaces or trace files.
SteelCentral Packet Analyzer Reference Manual – Version 10.9.x
SteelCentral Packet Analyzer Installation Guide – Version 10.9.x Riverbed® SteelCentral™ Packet Analyzer, Cascade Pilot is a Windows-based packet analysis tool that provides network visibility through live traffic monitoring and analysis. It analyzes traffic seen on local interfaces, including Riverbed AirPcap™ wireless LAN packet capture adapters, TurboCap capture cards, Riverbed packet capture appliances, and standard .pcap packet trace files. Its graphical user interface supports a wide variety of views and charts for analyzing network traffic on local interfaces or trace files.
SteelCentral Network Performance Management Deployment Guide Riverbed® SteelCentral™ Packet Analyzer, Cascade Pilot is a Windows-based packet analysis tool that provides network visibility through live traffic monitoring and analysis. It analyzes traffic seen on local interfaces, including Riverbed AirPcap™ wireless LAN packet capture adapters, TurboCap capture cards, Riverbed packet capture appliances, and standard .pcap packet trace files. Its graphical user interface supports a wide variety of views and charts for analyzing network traffic on local interfaces or trace files.
Cascade Pilot 9.5 Reference Manual Riverbed® Cascade Pilot, aka SteelCentral™ Packet Analyzer is a Windows-based packet analysis tool that provides network visibility through live traffic monitoring and analysis. It analyzes traffic seen on local interfaces, including Riverbed AirPcap™ wireless LAN packet capture adapters, TurboCap capture cards, Riverbed packet capture appliances, and standard .pcap packet trace files. Its graphical user interface supports a wide variety of views and charts for analyzing network traffic on local interfaces or trace files.
Cascade Pilot 9.5 Personal Edition 9.5 Reference Manual Riverbed® Cascade Pilot, aka SteelCentral™ Packet Analyzer is a Windows-based packet analysis tool that provides network visibility through live traffic monitoring and analysis. It analyzes traffic seen on local interfaces, including Riverbed AirPcap™ wireless LAN packet capture adapters, TurboCap capture cards, Riverbed packet capture appliances, and standard .pcap packet trace files. Its graphical user interface supports a wide variety of views and charts for analyzing network traffic on local interfaces or trace files.
WIDEBAND DATA STATIONS 303 TYPE Technical Reference Manual This reference describes standard 303-type wide band data stations for use in the transmission of serial binary synchronous or nonsynchronous data over half-group, group, or supergroup facilities.
ISDN Training Guide – Europe Manual contains an introduction and overview of Integrated Services Digital Network (ISDN), fundamental concepts and end-to-end connections for ISDN, call signaling information along with ISDN switch protocols, and an ISDN glossary.
biTS-1 ISDN Test Set – Operating Manual Operating Manual for the Basic ISDN Test Set-1 (biTS-1). A portable, hand-held communication line tester which allows for quick and easy troubleshooting and verification of ISDN S/T interface lines. Verifies physical layer (Layer 1) parameters.
Digital Computer Study Guide Study Guide on the History of Data Processing, Functional Description of a Digital Computer, IBM Number Systems, Analog-Digital-Analog Conversion.
PACER Model-103 Operators Manual The Digitech Pacer model 103 – 1976 to 1980 The Digitech Pacer was one of the first of three data network analyzers and emulators. The Pacer was one of the very first Datascopes to include emulation capability. The first three were the Spectron D-600 and 601B, the Scientific Atlanta and the Digitech Pacer 103. The most popular were the Spectron Datascopes, which had a large real-time, multi-line display and a tape drive for review and storage of events. By 1980 the Datascope market had many new and much more sophisticated monitors that could handle real-time monitoring, recording and emulation at 56 Kbps, more interfaces (V.35, RS-422, RS-449) as well as visibility for bit-oriented protocols like SNA/SDLC and X.25/X.75. The Pacer was the first “REAL” portable data analyzer. It did require AC power but had an expandable 1 KB memory for programs or captured data. The Pacer had a seven-segment red/orange 32-character display that was very small and very difficult to read in real-time monitoring mode. The data would have to be stored for a slow review. If one was looking at full duplex data flows, it was hard to tell the request from the response (Tx/Rx). The Pacer also had a versatile BERT (Bit Error Rate Tester) feature for evaluation of cabling with loopback. It could monitor as well as emulate RS-232 interfaces, which was very useful for testing the new data terminals. Other interfaces could be attached in later years. The maximum speed for monitor and emulation was 19.2 Kbps, later 56 Kbps with the V.35 interface pod. The Pacer also featured an RS-232 pin passive lead breakout for positive polarity visibility. It could force the interface pins high with its emulation feature. For passive monitoring, as well as for any emulation, the separate external interface had to be used. The external RS-232 interface had 3 connections: DTE, DCE (for emulation mode) and a Passive Monitor connection.
One feature was that it had a battery for storage/saving of programs only, but not for monitoring! The keyboard was ASCII only (7-bit); parity recognition had to be set by programming. It had a 1 KB memory (option for more), and at high speeds one had to capture and replay to see the data. The data display could be either ASCII or Hex, without parity and no NRZI. Plus, it had an ASCII printer output capability and an audio output for listening to data flow chatter. It featured a very good emulator for testing ASCII terminals and some data flows with the first modems. Later the Pacer had an optional external small video monitor, called the PacerScope.
Telephony Signaling and Signaling System 7 Attached are two documents covering the basics of (1) Telephony Signaling and (2) Signaling System 7. These documents cover Technical Definitions and Delimiters, Components, Characteristics, Protocols and Advantages of using the original Intelligent Telephony and Data Communication Network. These documents also cover the three standards of the Intelligent Network – BellCore, CCITT and ANSI. They also include a discussion of and comparison between the different layers of communications: the OSI model for Data Communication versus the 7 layers of the intelligent SS7-based network.
Common Channel Signaling Technical Note 2 This technical note on common channel signaling is the second in a series describing aspects of modern telecommunication and, where appropriate, identifying relevant international performance and testing standards.
Pulse Code Modulation – Technical Note 1 This technical note on pulse code modulation is the first in a series describing aspects of modern telecommunication and, where appropriate, identifying relevant international performance and testing standards. GN Elmi’s main aim for the series is to provide clear, up-to-date technical information on the fast-changing world of telephony.
HP 4952A Protocol Analyzer Operating Manual The HP 4952A is a rugged portable protocol analyzer and BERT tester. Some of the major features are: Monitoring: the HP 4952A can recognize and monitor all major protocols on all common interfaces at speeds up to 64 kbit/s. Auto Configure can find the protocol, speed, data code, and parity of most data communication links. The HP 4952A will look for simultaneous triggering events, count the events or measure the time between them. Simulating: you can substitute the instrument for a DTE or DCE. This allows you to exercise the data communication link and drive other devices on the line to isolate any malfunctions. Remote Testing: the HP 4952A is capable of remote operation as either a controlling device or as a slave. Unattended operation enables you to monitor or simulate without being at the remote site. Asynchronous Terminal Emulation: terminal emulation gives you the flexibility of an extra device and eliminates the need to carry both the analyzer and a terminal in the field.
Network General: Expert Analysis Technology Oct 1994 The Foundation for Intelligent Network Management. Network General Corporation leads the industry, delivering intelligent network analysis and monitoring solutions that address evolving trends in computing technology. As businesses increasingly rely on client/server networks to maximize their competitive edge, Network General offers a family of products and services that help solve network problems and maximize network performance. Network General pioneered Expert Analysis technology in 1991. By placing the intelligence of a network expert into the hands of network professionals, Expert Analysis continues to revolutionize the process of network design, implementation, and management. Expert Analysis forms the foundation for intelligent systems management and helps: improve network performance and decrease downtime; identify problems proactively and speed the problem resolution process; increase productivity by providing answers, not just data; reduce network operating costs and leverage existing hardware. This paper explores the following: What is Expert Analysis; Expert Solutions to Network Problems; The Benefits of Expert Analysis; Network General Expert Analysis Products.
Network General: Distributed Sniffer System Server Installation Manual This manual describes the installation and configuration of the Sniffer® server. It also gives recommendations on fine-tuning the server within the system for thorough monitoring and analysis of your network. The Distributed Sniffer System consists of two types of product: Sniffer® servers and SniffMaster™ consoles. Each server observes the local- or wide-area network to which it’s attached; consoles control servers and display the results of the servers’ activities. Some servers run the monitoring and analysis applications alone, while others run both. Other manuals describe the monitoring and analysis applications.
Network General: Expert Analyzer Output File Format The Expert Analyzer Output File Format manual describes the format of the Expert analyzer output file and the data it contains. For information about the Expert analyzer and how to save an Expert analyzer output file, refer to the Analyzer Operations manual.
Sniffer University LAN/WAN Internetwork Analysis & Troubleshooting Course Topics: Overview of WAN Technology; Product Overview and Interface Installation; Sniffer Internetwork Analyzer; T-1 Networking; HDLC and related protocols; Frame Relay; PPP; ISDN Fundamentals and Troubleshooting; X.25
Network General: Network And Protocol Reference Network General’s Network and Protocol Reference provides background information on a broad spectrum of network types and communication protocols. You will want to refer to it from time to time to help you get the most out of your Sniffer® Network Analyzer or Distributed Sniffer System®. This manual is intended as a reference volume; you most likely will not use it on a daily basis. For information on how to operate your Sniffer Network Analyzer or Distributed Sniffer System, turn to the operations documentation provided with your product shipment.
Network General: Expert Analysis Quick Reference Card This guide provides an overview of most options in the Sniffer analysis application’s menus. These illustrations show the analysis application’s factory defaults.
Sniffer University Curriculum 1996 Curriculum on: Troubleshooting with the Sniffer Network Analyzer; Ethernet Network Analysis & Troubleshooting; Token Ring Network Analysis & Troubleshooting; Upper-Layer Protocol Analysis & Troubleshooting; Sharpe Shooter Guide for NFS; Internetwork Analysis & Troubleshooting; FDDI Network Analysis & Troubleshooting; Managing the Enterprise Network with Distributed Sniffer System; Switched Network Analysis & Troubleshooting; Novell NetWare Network Analysis & Troubleshooting; Troubleshooting Sybase SQL with Expert; Troubleshooting Oracle7 SQL*Net with Expert; TCP/IP Network Analysis & Troubleshooting
Sniffer University Ethernet & Token Ring Network Analysis & Troubleshooting Major Topics: Ethernet Physical Layer; Ethernet Data Link Layer; Token Ring Principles; Source Routing; Logical Link Control (LLC); Upper Layer Protocol Analysis/Decode: TCP/IP, Novell NetWare, Banyan VINES, SMB, NetBIOS, AppleTalk, SNA, DECnet
Network General: Internetwork Management Oct 1994 Issues in Distributed Network Environments
Sniffer University TCP/IP Network Analysis & Troubleshooting The Internet Protocols: IP, ARP, RARP, SNAP, ICMP, Internet Gateways, TCP, TRLR, UDP; TELNET, FTP, TFTP, SMTP, DNS, SNMP, RUNIX, ONC (NFS) Protocols, NetBIOS/SMB, EGP (in Miscellaneous section); Troubleshooting Exercises
Sniffer University: Troubleshooting With The Expert Sniffer Network Analyzer A network troubleshooting tool that assists you in finding and solving network communication problems, analyzing and optimizing network performance, and planning for future growth. A hardware and software combination that includes: DOS; Sniffer software (provided by Network General); a personal computer with a minimum of 8 MB RAM and 10 MB free disk; a network interface card (provided by Network General).
Network General: Distributed Sniffer System Expert Analyzer Operations Manual This manual describes the functions and operations of the Expert Sniffer® analyzer, a software application of the Distributed Sniffer System™ (DSS). It also provides recommendations on how to use the Expert analyzer effectively to detect and solve network problems. This manual describes only those operations relating to the Expert mode of the analysis application. For information on Classic mode operations, see the Distributed Sniffer System: Analyzer Operations Manual. The Distributed Sniffer System consists of two types of product: Sniffer Servers and SniffMaster™ Consoles. Each Server observes the local or wide area network to which it is attached; Consoles control Servers and display the results of the Servers’ activities.
Network General: LM2000 Protocol Analyzer User’s Manual This manual describes the installation and operation of the LM2000 Protocol Analyzer and provides recommendations on using the analyzer effectively to monitor the network. It also contains information on using the PowerScript custom test builder and protocol macros to perform sophisticated emulation. The LM2000, a PC-based protocol analyzer designed for diversified Wide Area Networks (WANs), helps network managers and field technicians analyze and troubleshoot both traditional WANs and emerging technologies like frame relay. The LM2000 supports a wide range of protocols at speeds from 50 bps to 2.048 Mbps.
Network General: Distributed Sniffer System Network And Protocol Reference Manual The Network and Protocols Reference provides background information on a broad spectrum of network types and communication protocols. You will want to refer to it from time to time to help you get the most out of your Distributed Sniffer™ System. The manual is divided into two chapters and two appendixes. Chapter 1 covers basic knowledge about local and wide area network architectures and Chapter 2 covers basic knowledge about network protocols and protocol interpreters. Appendix A provides a glossary of data communications terminology and Appendix B is an extensive bibliography of source material. The Distributed Sniffer System consists of two types of products: Sniffer® servers and SniffMaster™ consoles. The servers observe the attached local or wide-area network; the consoles control the servers and display the results of the servers’ activities. Some servers run only the monitoring or analysis application, while others run both. There are other manuals that describe the Distributed Sniffer System’s hardware and applications.
Network General: Distributed Sniffer System Installation And Operations Manual This manual describes the installation and operations of the Distributed Sniffer System™. It also gives recommendations on configuring system components and on fine-tuning the system for thorough monitoring and analysis of your network. The Distributed Sniffer System consists of two types of product: Sniffer® servers and SniffMaster™ consoles. Each server observes the local or wide-area network to which it’s attached; consoles control servers and display the results of the servers’ activities. Some servers run the monitoring and analysis applications alone
Network General: Distributed Sniffer System Analyzer Operations Manual This manual describes the functions and operations of the Sniffer analyzer, a software component of the Distributed Sniffer System™. The Distributed Sniffer System consists of two types of products: Sniffer® servers and SniffMaster™ consoles. Each server observes the local or wide-area network to which it is attached; the consoles control the servers and display the results of the servers’ activities. Some servers run the monitoring or analysis application alone, while others run both.
Network General: Distributed Sniffer System Token-Ring Monitor Operations Manual This manual describes the functions and operations of the token ring monitor, a software component of the Distributed Sniffer System™. It also gives recommendations on how to use the monitor effectively to detect network problems. The Distributed Sniffer System consists of two types of products: Sniffer® servers and SniffMaster™ consoles. Each server observes the local or wide-area network to which it is attached; the console controls the servers and displays the results of the servers’ activities. Some servers run the monitoring or analysis application alone, while others run both.
Network General: Distributed Sniffer System Ethernet Monitor Operations Manual This manual describes the functions and operations of the Ethernet monitor, a software component of the Distributed Sniffer System™. It also gives recommendations on how to use the monitor effectively to detect network problems. The Distributed Sniffer System consists of two types of products: Sniffer® servers and SniffMaster™ consoles. Each server observes the local or wide-area network to which it is attached; the console controls the servers and displays the results of the servers’ activities. Some servers run the monitoring or analysis application alone, while others run both.
Network General: Advanced Token-Ring Network Monitor Users Manual This manual describes how to activate, configure, and operate the Token-Ring Monitor. It also describes the Token-Ring Monitor’s various features and provides recommendations on how to use them. The manual has been prepared with the assumption that you are a token-ring network manager who understands how a token-ring network operates according to the IBM® Token Ring and IEEE 802.5 specifications. It also assumes that you are familiar with DOS. This manual corresponds to the Token-Ring Monitor software version 1.20. If the product shipment includes a release note, the information in the note supersedes the information in this manual. Also, if the software diskette in the shipment contains a README file, be sure to read the file because it provides up-to-date information on the Token-Ring Monitor.
Network General: Sniffer Advanced Ethernet Monitor Users Manual Product Overview Welcome to the Sniffer Advanced Ethernet Monitor™, the advanced network monitoring program that uses state-of-the-art data collection techniques. The Ethernet Monitor provides an accurate picture of network activity at any moment, or an historical record of network activity over a period of time. You can use this information to find traffic overloads, to plan for network expansion, to detect intruders, to establish performance baselines, and to distribute traffic more efficiently between servers. The Ethernet Monitor’s report capabilities let you communicate this information to others, complete with graphics. And the Ethernet Monitor’s alarm capabilities ensure that you know about problems with the network or with individual stations before users call you to complain.
Network General Network: Analyzer Operations Manual This manual tells you how to operate the Sniffer network analyzer. It covers all current models and all networks on which the Sniffer analyzer runs. This isn’t the installation guide. There’s a separate installation guide for every model of the Sniffer network analyzer. If you’re connecting the analyzer for the first time, you really should read its installation guide.
Network General: TeleSniffer Installation And Operations Manual Every Sniffer analyzer includes TeleSniffer™, software that permits you to operate the Sniffer analyzer remotely from an IBM-compatible personal computer (PC). The remote PC can be located anywhere, across the room or across the country. The link is by telephone. You attach your own modem to the Sniffer analyzer’s serial port and a corresponding modem at the remote PC.
Network General: SniffMaster Installation And Operations Manual The SniffMaster I™ Installation and Operations Manual is the basic guide to your SniffMaster I system. Other documents are also useful. You will find them listed in Chapter 1 and referred to throughout this document. The organization of this manual follows the sequence of steps that a new user would typically follow. It begins with some preliminary information that introduces you to the system. Next, it explains the basic procedures for setting up the system. Finally, it covers some guidelines and tips on running the system. Chapter 1 provides information on various topics that you may want to review before installing and operating your SniffMaster I system. The chapter covers several possible SniffMaster I system configurations, an explanation of SniffMaster I system operation, a discussion of the variety of uses for a SniffMaster I system, the hardware and software requirements, and a list of documentation you will need to install and to operate your system. Chapter 2 explains how to install and to configure your SniffMaster I system. The procedures include setting up Sniffer remote analyzers, terminal servers, and the central console. Chapter 3 covers basic operating procedures for your SniffMaster I system. Topics include starting remote analyzers, setting options from the central console, and using the Sniffer features that are unique to the SniffMaster I system.
Network General: Sniffer Network And Protocol Reference The Network and Protocols Reference provides background information on networks and protocols. You will want to refer to it from time to time to help you get the most out of your Sniffer™ network analyzer. Three chapters cover basic knowledge about local and wide area network architectures, network protocols, and protocol interpreters. Chapter 1 explains some basic differences and similarities between the network architectures to which you can attach an analyzer. In Chapter 2, you will find information about the various protocol suites interpreted by the Sniffer analyzer. Finally, Chapter 3 details how you can construct your own custom protocol interpreter or extend an existing one.
Xerox® Letter/Legal-size Color Printers: Key Feature Comparison Xerox offers a broad range of color printer products, beginning at the entry level where costs are low and users’ feature-requirements are minimal, up to our flagship products, such as the Phaser 6360 Printer and Phaser 8560/8860 Printers, which offer intelligent features that help enterprise customers deploy and manage large quantities of printers on their network. Use the following chart to determine which color, letter-size devices have the available administration, printing and security features your customers need to get the most from their printer purchase.
Xerox WorkCentre 7132 – Bertl Analysis Product review by Bertl.
Xerox WorkCentre 4150 – Bertl Analysis Product review by Bertl.
Xerox Government Solutions: Secure printing and productivity solutions Marketing overview of Xerox public sector products and solutions.
Xerox Device Data Collector 1.3: Security and Evaluation Guide This document provides additional background on the Xerox Device Data Collector (XDDC) software capabilities, and specifically focuses on the software’s security aspects. This document will help you better understand how XDDC functions and help you feel confident that XDDC transmits device data in a secure and accurate manner. This guide will help you certify, evaluate, and approve the deployment of XDDC in support of your contract. It includes information on XDDC’s potential impact on security and network infrastructure as well as calculations of theoretical network traffic.
Xerox Device Agent (XDA) Lite: Security and Evaluation Guide This document provides additional background on XDA Lite software capabilities, and specifically focuses on the software’s security aspects. This document will help you better understand how XDA Lite functions and help you feel confident that XDA Lite transmits device data in a secure and accurate manner. This guide will help you certify, evaluate, and approve the deployment of XDA Lite in support of your contract. It includes information on XDA Lite’s potential impact on security and network infrastructure as well as calculations of theoretical network traffic.
Xerox and Information Security Today’s rising security threats come in various forms and in varying degrees of severity. The explosive proliferation of networked devices means an ever-increasing number of potentially vulnerable points of entry for intruders. And the “hacker” threat is constant, with programs running 24/7 that automatically seek and exploit network security shortcomings. Networked printers and multifunction printers, or MFPs, which can print, copy, scan to network destinations, send email attachments and handle incoming and outgoing fax transmissions, are particularly vulnerable.
SNMP V 1, 2, 3 and Your Xerox Printers “Simple Network Management Protocol (SNMP) seems to be a popular subject over on the Xerox Community Support Forum. There are hundreds of views every month of solutions regarding the use and disabling of SNMP. Let’s look at what the forum and the online support say about this protocol.”
National Information Assurance Partnership: Validation Report This report documents the NIAP validators’ assessment of the evaluation of Xerox Corporation Image Overwrite Security for a line of copiers and multifunction systems. It presents the evaluation results, their justifications, and the conformance results. This validation report is not an endorsement of the IT product by any agency of the U.S. Government and no warranty of the IT product is either expressed or implied. The evaluation was performed by Computer Sciences Corporation (CSC), and was completed during March 2006. The information in this report is largely derived from the Evaluation Technical Report (ETR) and associated test report, both written by CSC. The evaluation determined the product to be Part 2 extended and Part 3 augmented, and to meet the requirements of EAL2 augmented with ALC_FLR.2. The product is not conformant with any published Protection Profiles.
iXware International: Fax over IP Besides the traditional way of making a telephone call with ISDN or analog technology, more and more organizations are moving to Voice over IP (VoIP). The most logical continuation is that these organizations are looking into the possibilities of Fax over IP (FoIP). iXware can offer a wide range of solutions
Faxing Over IP Networks Fax over IP
Enabling Apple® AirPrint® with your Xerox® AltaLink® Multifunction Printer Apple® AirPrint® is a printing technology introduced with iOS version 4.2 in November 2010. It enables Apple Mac OS® devices to print, fax and scan, and Apple iOS devices (iPhone®, iPad®, iPod touch®) to print without installing additional drivers or software. AirPrint uses well-established, familiar technologies already in use today including Apple Bonjour®, IPP, PDF and JPEG. Xerox is now certified and implementing AirPrint in the latest Xerox® AltaLink® devices. However, when these devices first launched, they were not all AirPrint-enabled. This document will instruct you on the basics of how AirPrint works and how to enable it on your AltaLink device.
IPv6 Transition/Co-existence Security Considerations (RFC 4942) The transition from a pure IPv4 network to a network where IPv4 and IPv6 coexist brings a number of extra security considerations that need to be taken into account when deploying IPv6 and operating the dual-protocol network and the associated transition mechanisms. This document attempts to give an overview of the various issues grouped into three categories: (1) issues due to the IPv6 protocol itself, (2) issues due to transition mechanisms, and (3) issues due to IPv6 deployment.
Dynamic service discovery via deep packet inspection Moving between physical locations often requires a user to reconfigure their personal computing devices to operate correctly inside the new environment. A user may have to ensure that they have compatible versions of certain software installed and configured when located at a client site. For example, the local intranet may only be accessible via a version of a particular web browser application. In this article we propose a system to simplify and automate configuring and connecting via compatible software in a new unknown network location.
A Survey of Worldwide Censorship Techniques (RFC 9505) This document describes technical mechanisms employed in network censorship that regimes around the world use for blocking or impairing Internet traffic. It aims to make designers, implementers, and users of Internet protocols aware of the properties exploited and mechanisms used for censoring end-user access to information. This document makes no suggestions on individual protocol considerations, and is purely informational, intended as a reference. This document is a product of the Privacy Enhancement and Assessment Research Group (PEARG) in the IRTF.
UC Software – Improper Input Validation A potential vulnerability was discovered in certain Poly devices. A malformed packet sent to the device can result in a Denial-of-Service attack.
POLY SYSTEMS – H323 AND SIP AES ENCRYPTION IMPACT As more video conference calls are conducted over public networks and public environments, the need to deploy security measures to protect the information discussed in the call rises. Conducting video conferences behind firewalls or over ISDN-based networks reduces the potential for call tapping, although there is still residual risk. Encryption solutions can assist with call privacy, even when calls are made over the public internet. This document explains the details of Poly’s implementation of H.323 and SIP Media Encryption using the Advanced Encryption Standard (“AES”), which provides privacy during a video conference call. Specific details are then also provided for all Poly® Video endpoint and MCU products.
Suricata Suricata is a high performance, open source network analysis and threat detection software used by most private and public organizations, and embedded by major vendors to protect their assets.
Netdeep Secure Firewall Netdeep Secure is a Linux distribution with focus on network security. Netdeep is a Next Generation Open Source Firewall, which provides virtually all perimeter security features that your company may need. It offers Web content filters, ensuring better performance of the network, allowing users to use the service efficiently and securely, providing a deep control of the use of the Web access service, blocking access to unwanted websites, Virus, Spam, Applications and intrusion attempts. Its configuration is made entirely by the web interface.
Endian Firewall Endian Firewall Community (EFW) is a “turn-key” Linux security distribution that makes your system a full featured security appliance with Unified Threat Management (UTM) functionalities. The software has been designed for the best usability: very easy to install
A NetWare Tool Time Whether you are a Certified NetWare Administrator (CNA), a CNE, a network administrator, or a systems integrator, you have probably wished for a few simple utilities to help you complete tedious network management tasks. When I attended the Baltimore and Washington, D.C., NetWare Conferences and Exhibits last month, I decided to walk through the exhibit hall, looking for helpful NetWare utilities. I found them in the most obvious place: Novell’s booth. This article introduces the Novell Consulting Toolkit, which is available on CD-ROM, and the Novell Consulting Toolkit Online, which is available on the World Wide Web (WWW), and it describes some of the utilities that are available in both of these toolkits.
Unshackle Your Computer: Mobile IPX During the past couple of years, Novell has implemented several technologies that have caused a big stir, such as Novell Directory Services (NDS) and Novell Embedded Systems Technology (NEST). In all of the hubbub, you may not have noticed one of Novell’s most interesting new technologies: Mobile IPX. With Mobile IPX, you can physically move a Mobile IPX client from one location on a network to another without severing the client’s NetWare Core Protocol (NCP) connection. You can even hot-swap your network interface board and maintain the client’s NCP connection the entire time.
Ethernet Switches: Faster Than a Speeding Hub The first time I saw a Kalpana switch in 1991, I had no idea how a switch worked or how it could improve network performance. I certainly had no idea that by 1996 the networking industry would be having a love affair with switch technology. This article briefly explains switch technology and describes some solutions for managing and troubleshooting networks that are connected by switches.
IPX-IP Gateways An IPX-IP gateway allows you to filter the traffic between the Internet and your NetWare network, providing effective access control management. For example, you can manage Internet access based on individual users, groups, destination addresses, or even applications.
Is Your Network Doomed? As IPX-capable games have boomed over the past several years, more and more network administrators are finding their users playing games over the network. Should this network game craze concern you? How much traffic do these games cause? Can games conflict with other network software? How do you locate games and filter their traffic from the network? How do network games affect WANs? Can you remove games from network servers and client workstations?
network security monitoring tool Zeek has a long history in the open source and digital security worlds. Vern Paxson began developing the project in the 1990s under the name “Bro” as a means to understand what was happening on his university and national laboratory networks. Vern and the project’s leadership team renamed Bro to Zeek in late 2018 to celebrate its expansion and continued development. Zeek is not an active security device, like a firewall or intrusion prevention system. Rather, Zeek sits on a “sensor,” a hardware, software, virtual, or cloud platform that quietly and unobtrusively observes network traffic. Zeek interprets what it sees and creates compact, high-fidelity transaction logs, file content, and fully customized output, suitable for manual review on disk or in a more analyst-friendly tool like a security and information event management (SIEM) system.
Prints out a description of the contents of packets tcpdump prints out a description of the contents of packets on a network interface that match the Boolean expression (see pcap-filter(7) for the expression syntax); the description is preceded by a time stamp, printed, by default, as hours, minutes, seconds, and fractions of a second since midnight. It can also be run with the -w flag, which causes it to save the packet data to a file for later analysis, and/or with the -r flag, which causes it to read from a saved packet file rather than to read packets from a network interface. It can also be run with the -V flag, which causes it to read a list of saved packet files. In all cases, only packets that match expression will be processed by tcpdump.
Packet capture library The Packet Capture library provides a high level interface to packet capture systems. All packets on the network, even those destined for other hosts, are accessible through this mechanism. It also supports saving captured packets to a “savefile”, and reading packets from a “savefile”.
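The tcpdump and libpcap entries above both turn on the libpcap savefile format (what `tcpdump -w` writes and `tcpdump -r` reads) and the pcap-filter expression syntax. The Python below is an added example written for this page, not code from tcpdump or libpcap: it writes a minimal savefile from three constructed Ethernet/IPv4/UDP frames, reads it back (accepting both byte orders and both the microsecond and nanosecond magic numbers), decodes the IPv4 header (verifying its checksum) and evaluates a small subset of pcap-filter(7) primitives (`tcp`, `udp`, `[src|dst] host`, `[src|dst] port`, `and`, `not`) against the decoded fields. All MAC addresses, IP addresses and payloads are constructed sample data.

```python
"""libpcap savefile writer/reader plus a tcpdump-style filter.
Added example for this page, not tcpdump or libpcap code; all frames are constructed."""
import socket
import struct
from typing import Dict, Iterator, List, Tuple

LINKTYPE_ETHERNET = 1
# magic -> (byte order, timestamp fraction divisor); a byte-swapped magic means the
# file was written on a host of the other endianness
MAGICS = {0xA1B2C3D4: ("<", 1e6), 0xD4C3B2A1: (">", 1e6),
          0xA1B23C4D: ("<", 1e9), 0x4D3CB2A1: (">", 1e9)}

def pcap_global_header(snaplen: int = 65535) -> bytes:
    # magic, major 2, minor 4, thiszone, sigfigs, snaplen, linktype: 24 bytes
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)

def pcap_record(ts_sec: int, ts_usec: int, frame: bytes) -> bytes:
    # per-record header: ts_sec, ts_frac, incl_len (captured), orig_len (on the wire)
    return struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame

def read_savefile(data: bytes) -> Iterator[Tuple[float, bytes]]:
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic not in MAGICS:
        raise ValueError("not a pcap savefile (magic %#x)" % magic)
    endian, div = MAGICS[magic]
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _orig = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated record at offset %d" % off)
        off += incl_len
        yield ts_sec + ts_frac / div, frame

def ip_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def build_udp_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload  # UDP checksum 0: omitted
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return eth + ip + udp

def decode(frame: bytes) -> Dict:
    """Ethernet/IPv4/{TCP,UDP} header fields only; anything else is left undecoded."""
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return {"proto": None}
    ihl = (frame[14] & 0x0F) * 4
    rec = {"proto": frame[23], "src": socket.inet_ntoa(frame[26:30]),
           "dst": socket.inet_ntoa(frame[30:34]),
           "ip_csum_ok": ip_checksum(frame[14:14 + ihl]) == 0}  # a valid header sums to zero
    if rec["proto"] in (6, 17):
        rec["sport"], rec["dport"] = struct.unpack_from("!HH", frame, 14 + ihl)
    return rec

def matches(rec: Dict, expr: str) -> bool:
    """Subset of pcap-filter(7): 'tcp', 'udp', '[src|dst] host A', '[src|dst] port N',
    joined with 'and'; a leading 'not' negates one primitive."""
    for term in expr.split(" and "):
        words = term.split()
        negate = words[0] == "not"
        if negate:
            words = words[1:]
        if words in (["tcp"], ["udp"]):
            ok = rec["proto"] == {"tcp": 6, "udp": 17}[words[0]]
        else:
            qual = "any"
            if words[0] in ("src", "dst"):
                qual, words = words[0], words[1:]
            kind, value = words  # raises ValueError on syntax this subset does not cover
            fields = {"host": {"src": ["src"], "dst": ["dst"], "any": ["src", "dst"]},
                      "port": {"src": ["sport"], "dst": ["dport"], "any": ["sport", "dport"]}}[kind][qual]
            want = value if kind == "host" else int(value)
            ok = any(rec.get(f) == want for f in fields)
        if ok == negate:
            return False
    return True

def demo_savefile() -> bytes:
    """Three constructed frames: a DNS query, its reply, and a NetBIOS name-service broadcast."""
    frames = [build_udp_frame("10.0.0.5", "192.0.2.53", 40000, 53, b"\x12\x34\x01\x00" + bytes(8)),
              build_udp_frame("192.0.2.53", "10.0.0.5", 53, 40000, b"\x12\x34\x81\x80" + bytes(8)),
              build_udp_frame("10.0.0.7", "10.0.0.255", 137, 137, b"NBNS")]
    return pcap_global_header() + b"".join(pcap_record(1_700_000_000 + i, 250_000 * i, f)
                                             for i, f in enumerate(frames))

def filter_savefile(data: bytes, expr: str) -> List[Dict]:
    """Equivalent of `tcpdump -r file 'expr'`: the decoded records that satisfy expr."""
    out = []
    for ts, frame in read_savefile(data):
        rec = decode(frame)
        if matches(rec, expr):
            out.append(dict(ts=ts, **rec))
    return out
```

Writing `demo_savefile()` to disk produces a file that real `tcpdump -r` and Wireshark open, which is a convenient way to check a hand-rolled decoder against the reference implementation. The decoder deliberately stops at Ethernet/IPv4/UDP/TCP ports; VLAN tags, IP options beyond the IHL, IPv6 and fragments are exactly the cases where a production parser (and a DPI engine) must do more work, and a filter that silently ignores them is an evasion path.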
Intrusion detection system Snort is the foremost Open Source Intrusion Prevention System (IPS) in the world. Snort IPS uses a series of rules that help define malicious network activity and uses those rules to find packets that match against them and generates alerts for users. Snort can be deployed inline to stop these packets, as well. Snort has three primary uses: as a packet sniffer like tcpdump, as a packet logger (which is useful for network traffic debugging), or as a full-blown network intrusion prevention system. Snort can be downloaded and configured for personal and business use alike.
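The Snort entry above describes the mechanism but not what a rule looks like or how it is applied. The Python below is an added illustration for this page, not Snort's own code or any rule from its rule sets: it parses a handful of constructed rules written in Snort's header-and-options syntax (protocol; source and destination address and port with `!` negation, CIDR networks, `[a,b]` lists and `lo:hi` ranges; the `msg`, `content` with `|hex|` escapes, `nocase` and `sid` options) and runs them over constructed packet records. It covers only that subset; real Snort adds `pass`/`drop` precedence, a fast-pattern matcher, stream reassembly and preprocessors, and many more options. Addresses are taken from the documentation ranges.

```python
"""Snort-style rule matcher for a subset of the rule language, run over constructed
packet records.  Added example for this page, not Snort's code or rule set."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class Rule:
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str = ""
    sid: int = 0
    contents: List[bytes] = field(default_factory=list)  # every content must be present
    nocase: bool = False

# alert <proto> <src> <sport> -> <dst> <dport> (<option>; <option>; ...)
HEADER_RE = re.compile(r"^alert\s+(tcp|udp|icmp|ip)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def decode_content(s: str) -> bytes:
    """content string: literal text with |hex| escapes, e.g. "GET|20|/cgi-bin/|0d 0a|"."""
    out, i = bytearray(), 0
    while i < len(s):
        if s[i] == "|":
            j = s.index("|", i + 1)
            out += bytes.fromhex(s[i + 1:j])  # fromhex ignores the spaces between bytes
            i = j + 1
        else:
            out += s[i].encode("latin-1")
            i += 1
    return bytes(out)

def parse_rule(text: str) -> Rule:
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    rule = Rule(*m.groups()[:5])
    # options are ';'-separated; a literal ';' inside content must be written as |3B|
    for opt in filter(None, (o.strip() for o in m.group(6).split(";"))):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key == "msg":
            rule.msg = val
        elif key == "sid":
            rule.sid = int(val)
        elif key == "content":
            rule.contents.append(decode_content(val))
        elif key == "nocase":
            rule.nocase = True
        else:
            raise ValueError("unsupported option: " + key)
    return rule

def _spec_ok(spec: str, value, single) -> bool:
    # 'any', leading '!' negation and '[a,b,...]' lists, shared by address and port specs
    if spec == "any":
        return True
    neg, spec = spec.startswith("!"), spec.lstrip("!")
    if spec.startswith("[") and spec.endswith("]"):
        hit = any(_spec_ok(s.strip(), value, single) for s in spec[1:-1].split(","))
    else:
        hit = single(spec, value)
    return hit != neg

def addr_ok(spec: str, ip: str) -> bool:  # single host or CIDR network
    return _spec_ok(spec, ip, lambda s, v: ipaddress.ip_address(v) in ipaddress.ip_network(s, strict=False))

def port_ok(spec: str, port: int) -> bool:  # single port or lo:hi range (either end may be open)
    def single(s: str, p: int) -> bool:
        lo, sep, hi = s.partition(":")
        if not sep:
            return p == int(s)
        return (int(lo) if lo else 0) <= p <= (int(hi) if hi else 65535)
    return _spec_ok(spec, port, single)

def match(rule: Rule, pkt: Dict) -> bool:
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False
    if not (addr_ok(rule.src, pkt["src"]) and addr_ok(rule.dst, pkt["dst"])):
        return False
    if rule.proto in ("tcp", "udp") and not (port_ok(rule.sport, pkt["sport"])
                                             and port_ok(rule.dport, pkt["dport"])):
        return False
    payload = pkt.get("payload", b"").lower() if rule.nocase else pkt.get("payload", b"")
    return all((c.lower() if rule.nocase else c) in payload for c in rule.contents)

def run(rules: List[Rule], packets: List[Dict]) -> List[str]:
    """One alert line per (packet, rule) match, in packet order."""
    return [f"[{r.sid}] {r.msg}: {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']}"
            for p in packets for r in rules if match(r, p)]

# constructed rules and packet records; addresses are from documentation ranges
RULES = [
    'alert tcp any any -> any 80 (msg:"cmd.exe in HTTP request"; content:"cmd.exe"; nocase; sid:1002;)',
    'alert udp !10.0.0.0/8 any -> 10.0.0.0/8 53 (msg:"External client using internal resolver"; sid:1003;)',
    'alert tcp any any -> any [21,23] (msg:"Cleartext admin protocol"; sid:1004;)',
    'alert tcp any any -> any 80 (msg:"NOP sled in HTTP"; content:"|90 90 90 90|"; sid:1005;)',
]
PACKETS = [
    dict(proto="tcp", src="198.51.100.9", sport=51000, dst="10.0.0.80", dport=80, payload=b"GET /scripts/CMD.exe?/c+dir HTTP/1.0\r\n"),
    dict(proto="udp", src="203.0.113.4", sport=4444, dst="10.0.0.53", dport=53, payload=b"\x00\x01\x01\x00"),
    dict(proto="tcp", src="10.0.0.5", sport=40001, dst="10.0.0.80", dport=80, payload=b"GET /index.html HTTP/1.1\r\n"),
    dict(proto="tcp", src="10.0.0.5", sport=40002, dst="10.0.0.21", dport=21, payload=b"USER anonymous\r\n"),
]
```

`run(rules, PACKETS)` yields three alerts (sids 1002, 1003 and 1004); the third packet matches nothing, and the NOP-sled rule never fires because no payload carries the four `0x90` bytes. Two points carry over to real deployments: a `content` match is a substring test on whatever the engine sees as the payload, so it is only as good as the reassembly in front of it, and a rule without any `content` (like sid 1003) fires on header fields alone, which is cheap to evaluate but easy to trip with spoofed UDP.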
Utility to allow sending and receiving TCP, UDP, and SSL packets Packet Sender is an open source utility to allow sending and receiving TCP, UDP, and SSL (encrypted TCP) packets as well as HTTP/HTTPS requests and panel generation. The mainline branch officially supports Windows, Mac, and Desktop Linux (with Qt). Other places may recompile and redistribute Packet Sender. Packet Sender is free and licensed GPL v2 or later. It can be used for both commercial and personal use. If you find the app useful, please consider donating/sponsoring so development may continue.
Network monitoring and management platform Observium is a network monitoring and management platform that provides real-time insight into network health and performance. It can automatically discover network devices and services, collect performance metrics, and generate alerts when problems are detected. Observium includes a web-based interface that allows users to view network status and performance metrics in real time, as well as historical data. It is designed to be easy to use and maintain, with a focus on providing the information that network administrators need to quickly identify and resolve issues. Observium supports a wide range of device types, platforms and operating systems including Cisco, Windows, Linux, HP, Juniper, Dell, FreeBSD, Brocade, Netscaler, NetApp and many more. Professionally developed and maintained by a team of experienced network engineers and systems administrators, Observium is a platform designed and built by its users.
Data structures to help work with online or offline network data NFStream is a multiplatform Python framework providing fast, flexible, and expressive data structures designed to make working with online or offline network data easy and intuitive. It aims to be Python’s fundamental high-level building block for doing practical, real-world network flow data analysis. Additionally, it has the broader goal of becoming a unifying network data analytics framework for researchers providing data reproducibility across experiments.
Open source network monitoring tool What Nagios Provides Designed with scalability and flexibility in mind, Nagios gives you the peace of mind that comes from knowing your organization’s business processes won’t be affected by unknown outages. Nagios is a powerful tool that provides you with instant awareness of your organization’s mission-critical IT infrastructure. Nagios allows you to detect and repair problems and mitigate future issues before they affect end users and customers. By Using Nagios, You Can: – Plan for infrastructure upgrades before outdated systems cause failures – Respond to issues at the first sign of a problem – Automatically fix problems when they are detected – Coordinate technical team responses – Ensure your organization’s SLAs are being met – Ensure IT infrastructure outages have a minimal effect on your organization’s bottom line – Monitor your entire infrastructure and business processes
Computer security project that provides information about security vulnerabilities Welcome to Metasploit-land. Are you a Metasploit user who wants to get started or get better at hacking stuff (that you have permission to hack)? The quickest way to get started is to download the Metasploit nightly installers. This will give you access to both the free, open-source Metasploit Framework and a free trial of Metasploit Pro. If you’re using Kali Linux, Metasploit is already pre-installed. See the Kali documentation for how to get started using Metasploit in Kali Linux. Are you anxious to get your Metasploit Development Environment set up so you can start Landing Pull Requests and contributing excellent exploit code? If so, you’re in the right place. If you’re an exploit developer, you will want to review our Guidelines for Accepting Modules and Enhancements to find out what we expect when we see pull requests for new Metasploit modules. No idea what you should start working on? Check out the guidelines for contributing to Metasploit, and dive into Setting Up a Metasploit Development Environment.
Real-time packet sniffer and application performance analyzer Junkie is an open source, fast, extensible, deep packet inspection tool (aka DPI). Other distinguishing features include: – Can take advantage of many threads while still handling packet reassembly and connection tracking; – Can handle out-of-order traffic, missing and even truncated packets (as in tcpdump -s) and keep on parsing, skipping the gaps; – Can see through TLS if provided with private keys; – Can be controlled via a scripting language although Junkie itself is written in C; – Does nothing but parsing by itself but comes with many plugins to perform various tasks. Examples of what’s doable with Junkie default plugins from the command line: – Dumping live traffic à la tshark; – Protocol aware net-top; – Monitor SSL certificate expiry dates; – Dump response times for all known protocols;
Tool for active measurements of the bandwidth on IP networks iPerf3 is a tool for active measurements of the maximum achievable bandwidth on IP networks. It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP, SCTP with IPv4 and IPv6). For each test it reports the bandwidth, loss, and other parameters. This is a new implementation that shares no code with the original iPerf and also is not backwards compatible. iPerf was originally developed by NLANR/DAST. iPerf3 is principally developed by ESnet / Lawrence Berkeley National Laboratory. It is released under a three-clause BSD license.
Software designed to bypass Deep Packet Inspection systems This software is designed to bypass Deep Packet Inspection systems found in many Internet Service Providers which block access to certain websites. It handles DPI connected using an optical splitter or port mirroring (Passive DPI), which does not block any data but simply replies faster than the requested destination, and Active DPI connected in sequence. Windows 7, 8, 8.1, 10 or 11 with administrator privileges is required.
Web-based network monitoring, performance, fault and configuration management framework Cacti is a robust performance and fault management framework and a frontend to RRDTool – a Time Series Database (TSDB). It stores all of the necessary information to create performance management Graphs in either MariaDB or MySQL, and then leverages its various Data Collectors to populate RRDTool based TSDB with that performance data. Cacti is also a LAMP stack Web Application. The term LAMP originally stood for Linux, Apache, MySQL and PHP but through the years the term has evolved. Cacti is now also supported on Windows, it can use Nginx or IIS as its Web Server, and MariaDB is now the default database on many Linux platforms. The key concept of the LAMP stack continues to be consistent. Structural data is stored in the relational database, Time Series data is stored in RRDTool’s Round Robin Archives (RRA), and the Web Site is ultimately driven by PHP. At the center of Cacti and its database are the Device and Device Template. You first create Devices that have certain attributes associated with them such as a Device Template, SNMP community, and other meta information such as Site, Location, and GPS location. From that information, Cacti will create Graphs and Data Sources appropriate for the Device. These Graphs can then be placed upon Trees that allow for a very organized and flexible layout which allows users to drill into their organization’s operational ecosystem. When Ian Berry first created Cacti in 2001 it was never intended to go beyond performance management. Through the years a select community of Plugin developers have extended Cacti to become a fairly comprehensive operational management framework covering other areas of operations management.
In 2021, through the use of these Plugins, Cacti can be used not only as a performance management tool, but also for: fault management, log management, device discovery, router configuration backup, network mapping, NetFlow data collection and display, etc. Through the use of its Plugin architecture Cacti can be and has been extended well beyond its original intent. Cacti can scale from just a few to tens of thousands of hosts. Its Data Collection framework is fully distributed and fault tolerant. Its core services can be deployed behind load balancers with session management coming from its database, and its structural database deployed as well in a fully fault tolerant way. The RRDTool TSDB can be distributed using technologies such as GlusterFS, the RRDProxy and GPFS as well. There is literally no component in the modern Cacti that cannot be made fault tolerant.
A comprehensive list of GPT agents focused on cybersecurity The “Awesome GPTs (Agents) Repo” represents an initial effort to compile a comprehensive list of GPT agents focused on cybersecurity (offensive and defensive).
IP address and port scanner Angry IP scanner is a very fast IP address and port scanner. It can scan IP addresses in any range as well as any of their ports. It is cross-platform and lightweight. Not requiring any installation, it can be freely copied and used anywhere. Angry IP scanner simply pings each IP address to check if it’s alive, then optionally resolves its hostname, determines the MAC address, scans ports, etc. The amount of gathered data about each host can be extended with plugins. It also has additional features, like NetBIOS information (computer name, workgroup name, and currently logged in Windows user), favorite IP address ranges, web server detection, customizable openers, etc. Scanning results can be saved to CSV, TXT, XML or IP-Port list files. With the help of plugins, Angry IP Scanner can gather any information about scanned IPs. Anybody who can write Java code is able to write plugins and extend the functionality of Angry IP Scanner. In order to increase scanning speed, it uses a multithreaded approach: a separate scanning thread is created for each scanned IP address. The full source code is available, see the download page.
WiFi network security tools suite Aircrack-ng is a complete suite of tools to assess WiFi network security. All tools are command line which allows for heavy scripting. A lot of GUIs have taken advantage of this feature. It works primarily on Linux but also Windows, macOS, FreeBSD, OpenBSD, NetBSD, as well as Solaris and even eComStation 2. It focuses on different areas of WiFi security: – Monitoring: Packet capture and export of data to text files for further processing by third party tools. – Attacking: Replay attacks, deauthentication, fake access points and others via packet injection. – Testing: Checking WiFi cards and driver capabilities (capture and injection). – Cracking: WEP and WPA PSK (WPA 1 and 2). We also maintain patches for: – Packet injection for Linux drivers – HostAPd and Freeradius, called WPE (Wireless Pawn Edition) patches, to attack WPA Enterprise.
A comprehensive list of GPT agents focused on cybersecurity
TZ Entry Level Firewall Series Products Compare – SonicWall
Traffic measurement system and traffic analysis method thereof A traffic measurement system and a traffic analysis method are provided. The traffic measurement system includes a plurality of measurement devices that collect all of the packets flowing through Internet links, extract traffic data required to analyze traffic from the collected packets, and process the extracted data into predetermined flow types, and an analysis server that identifies applications of traffic by analyzing the traffic data transferred from the plurality of measurement devices as a whole, classifies the identified applications into predetermined traffic types, and outputs the classification result. The traffic measurement system measures traffic in the Internet network and processes the measured traffic to generate detailed traffic statistical data according to applications. In particular, the traffic is analyzed considering measurement data from various points, and the data for identifying the applications are extracted from headers of the applications included in payloads of IP packets in real time. Accordingly, a detailed traffic analysis result is provided.
Traffic Flow Measurement: Experiences with NeTraMet This memo records experiences in implementing and using the Traffic Flow Measurement Architecture and Meter MIB. It discusses the implementation of NeTraMet (a traffic meter and combined manager/meter reader), considers the writing of meter rule sets and gives some guidance on setting up a traffic flow measurement system using NeTraMet.
Tracking anomaly propagation at the network level In one embodiment, a device in a network monitors one or more metrics regarding network traffic associated with a particular application. The device detects an application-centric anomaly based on the monitored one or more metrics. The device causes an anomaly mitigation action to be performed in the network, in response to detecting the application-centric anomaly.
Tool for network performance design and configuration Systems, methods, and computer-readable media for designing network performance and configuration include determining one or more use cases for a network to be provisioned, based on at least one or more business verticals related to a customer of the network. A data plane scale is determined from the use cases and an initial data plane scale generated using a linear regression on one or more data plane parameters. The data plane parameters include a platform type, feature set, packet size, or software version of the network. A control plane scale is determined from the use cases and an initial control plane scale generated using a linear regression on one or more control plane parameters of the network. The control plane parameters include a platform type, feature set, or software version of the network. The network is provisioned for the data plane scale and the control plane scale.
TippingPoint is now part of Trend Micro
The NIDS Cluster: Scalable, Stateful Network Intrusion Detection on Commodity Hardware In this work we present a NIDS cluster as a scalable solution for realizing high-performance, stateful network intrusion detection on commodity hardware. The design addresses three challenges: (i) distributing traffic evenly across an extensible set of analysis nodes in a fashion that minimizes the communication required for coordination, (ii) adapting the NIDS’s operation to support coordinating its low-level analysis rather than just aggregating alerts; and (iii) validating that the cluster produces sound results. Prototypes of our NIDS cluster now operate at the Lawrence Berkeley National Laboratory and the University of California at Berkeley. In both environments the clusters greatly enhance the power of network security monitoring.
The FDDI Ring Manager for the HP Network Advisor Protocol Analyzer
The BSD Packet Filter: A New Architecture for User-level Packet Capture Many versions of Unix provide facilities for user-level packet capture, making possible the use of general purpose workstations for network monitoring. Because network monitors run as user-level processes, packets must be copied across the kernel/user-space protection boundary. This copying can be minimized by deploying a kernel agent called a packet filter, which discards unwanted packets as early as possible. The original Unix packet filter was designed around a stack-based filter evaluator that performs sub-optimally on current RISC CPUs. The BSD Packet Filter (BPF) uses a new, register-based filter evaluator that is up to 20 times faster than the original design. BPF also uses a straightforward buffering strategy that makes its overall performance up to 100 times faster than Sun’s NIT running on the same hardware.
The Architecture of CoralReef: An Internet Traffic Monitoring Software Suite Passive data collection tools have traditionally been designed for specific tasks such as accounting (NeTraMet) or packet capture (tcpdump). [The CoralReef suite](https://www.caida.org/tools/measurement/coralreef/) was designed to provide a uniform interface to passive data for a wide range of applications: from raw capture to real-time report generation. CoralReef provides a convenient set of passive data tools for a diverse audience, from network administrators to researchers. The CoralReef architecture is based on a toolbox paradigm. The base programming interface is implemented in a C library named libcoral. In order to allow users to write a single program to access many data sources, libcoral provides a consistent API for ATM, POS, and 10/100/1000 Ethernet capture cards from multiple vendors, as well as pcap interfaces. In addition, libcoral provides a consistent interface to many packet capture file formats including: all coral formats (NLANR formats included), pcap, DAG ATM, and DAG POS. This API satisfies an important design goal of providing multiple ways to approach the same problem. The libcoral API can operate on ATM cells, blocks of cells, or network packets, one at a time or via callbacks; the application developer can use whichever is most convenient. NeTraMet and Vern Paxson’s Bro are two applications that have been adapted to use the Coral API. To facilitate rapid prototyping and development, another design goal is to provide the same interface in C/C++ and Perl. Because the Perl module CRL.pm directly calls the C routines, Perl scripts using CRL.pm perform well enough for many data analysis applications. Additional libraries and modules have been provided to perform more complex tasks. There are libraries and Perl modules for doing AS lookups from BGP routing tables and others for determining geographic locations via NetGeo.
CoralReef includes modules for the storage and manipulation of frequently collected data including: source and destination hosts, IP protocols, ports, and amounts of traffic in bytes, packets and flows. These modules provide methods to automatically aggregate data into other table types and allow for efficiently selecting those entries that generate the most traffic. For example, it is possible to convert an AS table of byte/packet counts into a country table with a single method call. Higher level applications are written using these building blocks, so that for example creating an IP or AS matrix is accomplished with just a small Perl program, while larger programs (such as the realtime report generator t2_report) are more complex arrangements of the same building blocks.
The CoralReef Software Suite as a Tool for System and Network Administrators Until now, system administrators have lacked a flexible real-time network traffic flow monitoring package. Such a package must provide a wide range of services but remain flexible enough for rapid in-house customization. Existing passive data collection tools are typically narrow in scope, designed for specific tasks from packet capture (tcpdump [9]) to accounting (NeTraMet [4]). In response, CAIDA has created the CoralReef suite designed to provide network administrators and researchers with a consistent interface for a wide range of network analysis applications, from raw capture to flow analysis to real-time report generation. CoralReef provides a convenient set of passive data tools for a diverse audience. CoralReef is a package of device drivers, libraries, classes, and applications. We briefly outline the architecture and provide relevant case studies and examples of CoralReef’s use as applied to real-world networking situations. We will show how CoralReef is a powerful, extensible, and convenient package for network monitoring and reporting.
Testing by simulation using variations of real-time traffic A system with at least one device including a hardware processor performs the steps of receiving, by the system, a packet from a second system to be transmitted to a third system; forwarding, by the system to the third system, the packet received from the second system; modifying a portion of the packet to obtain a modified packet that falsely identifies a fourth system as a source of the modified packet; and transmitting, by the system to the third system, the modified packet identifying the fourth system as the source of the modified packet.
Techniques for efficient service chain analytics A method is provided in one example embodiment and includes receiving at a network element an encapsulated packet including an encapsulation header, in which the encapsulation header includes an Analytics Proxy Function /
Technique for dispatching data packets to service control engines A dispatching technique dispatches packets to a plurality of service control engines (SCEs) which in aggregate may be configured to handle traffic produced by a high-speed high-capacity data link. Upstream and downstream packets that are associated with a data flow between a subscriber and a destination node in a communication network are received by a dispatcher which is located in a path used by the data flow. For each packet, the dispatcher identifies an SCE from among a plurality of SCEs that is to receive the packet based upon an address contained in the packet. The packet is then dispatched by the dispatcher to the identified SCE which processes the packet accordingly. After processing the packet, the SCE returns the packet to the dispatcher which further processes the packet including transferring the packet onto the communication network towards its destination.
Target-based SMB and DCE/RPC processing for an intrusion detection system or intrusion prevention system A method performed in a processor of an intrusion detection/prevention system (IDS/IPS) checks for valid packets in an SMB named pipe in a communication network. In a processor configured as an IDS/IPS, a packet in a transmission is received and the kind of application of the target of the packet is determined. Also, the data in the packet is inspected by the IDS/IPS as part of the SMB named pipe on only one of the conditions that: (a) the FID in an SMB command header of the packet is valid (i) for segments/fragments in the SMB named pipe and (ii) for the determined kind of application of the target of the packet, as indicated by a reassembly table, and (b) the determined kind of application of the target of the packet does not check the FID, as indicated by the reassembly table.
Take Control of your Applications with NetScaler SD-WAN | Citrix Blogs
Systems and methods for modifying network map attributes The disclosed systems and methods provide a user interface for modifying host configuration data that has been automatically and passively determined and for adding or modifying other parameters associated with a host. A host data table can store various parameters descriptive of a host including the applicability of specific vulnerabilities. If it is determined that one or more hosts should not be identified as associated with a specific vulnerability, a graphical user interface can be used to modify the vulnerability parameter.
Systems and methods for identifying the services of a network A packet transmitted on a network is read and decoded. A network device and its operating system are identified by analyzing the decoded packet. If more than one operating system is identified from the decoded packet, the operating system is selected by comparing confidence values assigned to the operating systems identified. A service running on the network device is identified from the decoded packet or subsequent packets that are read, decoded and analyzed. The network topology of a network is determined by reading, decoding, and analyzing a plurality of packets. A flow between two network devices is determined by reading, decoding, and analyzing a plurality of packets. Vulnerabilities are assigned to operating systems and services identified by reading, decoding, and analyzing packets. Network configuration policy is enforced on operating systems and services identified by reading, decoding, and analyzing packets.
Systems and methods for identifying the client applications of a network A packet transmitted on a network is read and decoded. A network device and its operating system are identified by analyzing the decoded packet. If more than one operating system is identified from the decoded packet, the operating system is selected by comparing confidence values assigned to the operating systems identified. A client application running on the network device is identified from the decoded packet or subsequent packets that are read, decoded and analyzed. The network topology of a network is determined by reading, decoding, and analyzing a plurality of packets. A flow between two network devices is determined by reading, decoding, and analyzing a plurality of packets. Vulnerabilities are assigned to operating systems and client applications identified by reading, decoding, and analyzing packets. Network configuration policy is enforced on operating systems and client applications identified by reading, decoding, and analyzing packets.
Systems and methods for dynamic threat assessment The threat probability of events generated by a security device on a computer network is assessed by comparing the threat probability to a global threat probability. An abstract data type is used to describe how the events are combined to form a threat. If an event matches an unpopulated member of an instance of an abstract data type, the event is added to the instance and the probability of the instance is computed. If the probability of the instance is greater than a global threat probability, a dynamic threat assessment event is generated. A system for dynamically assessing threats to computers and computer networks includes at least one security device that generates events, an event collection database, policy configuration information, and a dynamic threat assessment engine.
Systems and methods for determining the network topology of a network A packet transmitted on a network is read and decoded. A network device and its operating system are identified by analyzing the decoded packet. If more than one operating system is identified from the decoded packet, the operating system is selected by comparing confidence values assigned to the operating systems identified. A service running on the network device is identified from the decoded packet or subsequent packets that are read, decoded and analyzed. The network topology of a network is determined by reading, decoding, and analyzing a plurality of packets. A flow between two network devices is determined by reading, decoding, and analyzing a plurality of packets. Vulnerabilities are assigned to operating systems and services identified by reading, decoding, and analyzing packets. Network configuration policy is enforced on operating systems and services identified by reading, decoding, and analyzing packets.
Systems and methods for determining flow and path analytics of an application of a network using sampled packet inspection Systems and methods are disclosed herein for monitoring health of each switch of a plurality of switches on a network by selectively mirroring packets transmitted by each switch of the plurality of switches. In some embodiments, control circuitry generates a plurality of mirroring parameters, each mirroring parameter comprising an instruction to mirror a respective type of packet. The control circuitry transmits the plurality of mirroring parameters to each switch of the plurality of switches on the network, and receives, from a switch, a packet that was mirrored by the switch according to a mirroring parameter of the plurality of mirroring parameters. The control circuitry determines the respective type of the packet, executes an analysis of contents of the packet based on the respective type of the packet, and determines a health of the switch based on results of the analysis.
Systems and methods for determining characteristics of a network based on flow analysis A packet transmitted on a network is read and decoded. A network device and its operating system are identified by analyzing the decoded packet. If more than one operating system is identified from the decoded packet, the operating system is selected by comparing confidence values assigned to the operating systems identified. A service running on the network device is identified from the decoded packet or subsequent packets that are read, decoded and analyzed. The network topology of a network is determined by reading, decoding, and analyzing a plurality of packets. A flow between two network devices is determined by reading, decoding, and analyzing a plurality of packets. Vulnerabilities are assigned to operating systems and services identified by reading, decoding, and analyzing packets. Network configuration policy is enforced on operating systems and services identified by reading, decoding, and analyzing packets.
Systems and methods for determining characteristics of a network and enforcing policy A packet transmitted on a network is read and decoded. A network device and its operating system are identified by analyzing the decoded packet. If more than one operating system is identified from the decoded packet, the operating system is selected by comparing confidence values assigned to the operating systems identified. A service running on the network device is identified from the decoded packet or subsequent packets that are read, decoded and analyzed. The network topology of a network is determined by reading, decoding, and analyzing a plurality of packets. A flow between two network devices is determined by reading, decoding, and analyzing a plurality of packets. Vulnerabilities are assigned to operating systems and services identified by reading, decoding, and analyzing packets. Network configuration policy is enforced on operating systems and services identified by reading, decoding, and analyzing packets.
Systems and methods for determining characteristics of a network and enforcing policy A packet transmitted on a network is read and decoded. A network device and its operating system are identified by analyzing the decoded packet. If more than one operating system is identified from the decoded packet, the operating system is selected by comparing confidence values assigned to the operating systems identified. A service running on the network device is identified from the decoded packet or subsequent packets that are read, decoded and analyzed. The network topology of a network is determined by reading, decoding, and analyzing a plurality of packets. A flow between two network devices is determined by reading, decoding, and analyzing a plurality of packets. Vulnerabilities are assigned to operating systems and services identified by reading, decoding, and analyzing packets. Network configuration policy is enforced on operating systems and services identified by reading, decoding, and analyzing packets.
Systems and methods for determining characteristics of a network and assessing confidence A packet transmitted on a network is read and decoded. A network device and its operating system are identified by analyzing the decoded packet. If more than one operating system is identified from the decoded packet, the operating system is selected by comparing confidence values assigned to the operating systems identified. A service running on the network device is identified from the decoded packet or subsequent packets that are read, decoded and analyzed. The network topology of a network is determined by reading, decoding, and analyzing a plurality of packets. A flow between two network devices is determined by reading, decoding, and analyzing a plurality of packets. Vulnerabilities are assigned to operating systems and services identified by reading, decoding, and analyzing packets. Network configuration policy is enforced on operating systems and services identified by reading, decoding, and analyzing packets.
Systems and methods for determining characteristics of a network and analyzing vulnerabilities A packet transmitted on a network is read and decoded. A network device and its operating system are identified by analyzing the decoded packet. If more than one operating system is identified from the decoded packet, the operating system is selected by comparing confidence values assigned to the operating systems identified. A service running on the network device is identified from the decoded packet or subsequent packets that are read, decoded and analyzed. The network topology of a network is determined by reading, decoding, and analyzing a plurality of packets. A flow between two network devices is determined by reading, decoding, and analyzing a plurality of packets. Vulnerabilities are assigned to operating systems and services identified by reading, decoding, and analyzing packets. Network configuration policy is enforced on operating systems and services identified by reading, decoding, and analyzing packets.
Systems and methods for determining characteristics of a network A packet transmitted on a network is read and decoded. A network device and its operating system are identified by analyzing the decoded packet. If more than one operating system is identified from the decoded packet, the operating system is selected by comparing confidence values assigned to the operating systems identified. A service running on the network device is identified from the decoded packet or subsequent packets that are read, decoded and analyzed. The network topology of a network is determined by reading, decoding, and analyzing a plurality of packets. A flow between two network devices is determined by reading, decoding, and analyzing a plurality of packets. Vulnerabilities are assigned to operating systems and services identified by reading, decoding, and analyzing packets. Network configuration policy is enforced on operating systems and services identified by reading, decoding, and analyzing packets.
Systems and methods for client transparent video readdressing Network operators are striving to find ways to provide stable video services amid a rapid increase in video traffic. In order to provide stable video services with constrained network resources, network operators attempted to reduce video file sizes using a content adaptation engine /CAE/. However, network operators failed to efficiently readdress video flows to CAEs. This disclosure provides systems and methods for efficiently readdressing video flows to CAEs.
Systems and methods for analyzing network packets There is provided a system for computing connectivity of medical imaging network nodes, comprising: at least one hardware processor executing a code for: monitoring packets transmitted over a network connecting a plurality of network nodes, analyzing the monitored packets to identify packets associated with a Digital Imaging and Communications in Medicine /DICOM/ protocol, analyzing the packets associated with the DICOM protocol to identify medical imaging network nodes implementing the DICOM protocol, designating a respective medical imaging type for each node of the medical imaging network nodes, and computing a data structure storing connectivity of the medical imaging network nodes each designated with the respective medical imaging type.
System, method, and apparatus of securing and managing internet-connected devices and networks System, method, and apparatus of securing and managing Internet-connected devices and networks. A wireless communication router is installed at a customer venue, and provides Internet access to multiple Internet-connected devices via a wireless communication network that is served by the router. A monitoring and effecting unit of the router performs analysis of traffic that passes through the router; identifies which Internet-connected devices send or receive data; and selectively enforces traffic-related rules based on policies stored in the router. Optionally, the monitoring and effecting unit is pre-installed in the router in a disabled mode; and is later activated after the router was deployed at a customer venue. Optionally, the router notifies the Internet Service Provider of the number and type of Internet-connected devices that are served by the router.
System, device, and method of traffic detection A cellular traffic monitoring system includes: a Traffic Detection Function /TDF/ module to monitor cellular traffic associated with a cellular subscriber device, and to generate application detection output indicative of an application used by the cellular subscriber device; an application-based charging module to generate, based on the application detection output of said TDF module, application-based charging data related to said cellular subscriber device; a Policy Charging and Enforcement Function /PCEF/ module to enforce one or more charging rules that are Service Data Flow /SDF/ based and are related to said cellular subscriber device; an SDF-based charging module to generate SDF-based charging data related to said cellular subscriber device; and a charging correlator module to identify a potential over-charging due to an overlap between the application-based charging data and the SDF-based charging data.
System, device, and method of media delivery optimization A method for alleviation of congestion in a mobile communications network includes detecting congested cells in the mobile communications network, identifying subscribers with active data sessions in the congested cells; and optimizing bandwidth usage for at least one of the identified subscribers. A bandwidth optimization system includes a network sampling interface to receive at least subscriber, cell and data session identifiers from a network data packet sampler, where the sampler identifies the identifiers from internal data traffic within a mobile communications network, and a network awareness engine /NAE/ to at least cross reference the identifiers with external data traffic output by the mobile communications network to at least detect congested cells and associated subscriber data sessions emanating from the mobile communications network.
System, device, and method of detecting cryptocurrency mining activity A system monitors network activity of an end-user device that communicates with servers over a communications network. The system performs analysis of packets of data that are transported via the network. The system detects a first set of communications in which a first server infects the end-user device with a cryptocurrency mining malware; a second set of communications, in which a second server activates the end-user device as an activated cryptocurrency mining bot; and a third set of communications, in which the second server allocates a cryptocurrency mining task to the end-user device and later receives a cryptocurrency mining output from the end-user device. The system determines that the first server is a malicious infecting web-server; that the second server is a malicious Command and Control server of a distributed bot-net of cryptocurrency mining bots; and that the end-user device is an infected and activated and operational cryptocurrency mining bot.
System, device, and method of deploying layer-3 transparent cloud-based proxy network element System, device, and method of deploying layer-3 transparent cloud-based proxy network element. A virtual network function is defined between a west-side router and an east-side router. A west-side interface receives east-bound traffic from a west-side Virtual LAN. East-bound queries from the west-side router are intercepted and responded to by the west-side interface, the response indicating the MAC address of the west-side router instead of the east-side router. The system enables the virtual network function to transparently intercept network traffic, and to selectively apply to such traffic one or more network functions or operations, prior to forwarding the traffic or a modified version thereof to the east-side router, in a Layer-3 transparent manner.
System, device, and method of adaptive network protection for managed internet-of-things services System, device, and method of adaptive network protection for managed Internet-of-Things /IoT/ services. A network traffic monitoring unit monitors data traffic, operations-and-management traffic, and control messages, that relate to cellular communication between an IoT device and a core cellular network. An IoT grouping unit groups multiple IoT devices into a particular IoT group. A baseline behavior determination unit determines a Regular Baseline Cellular Communication Behavior /RBCCB/ profile that characterizes the cellular communications that are outgoing from and incoming to each member of the particular IoT group. An outlier detector subsequently detects that a particular IoT device of that particular IoT group, exhibits cellular traffic characteristics that are abnormal relative to the RBCCB profile that was characterized for that particular IoT group. An enforcement actions generator is triggered to selectively perform one or more enforcement operations, notification operations, and quarantine operations.
System, device, and method for providing distributed quality-of-service control and policy enforcement System, device, and method for providing distributed quality-of-service control and policy enforcement. A tree hierarchy representation is constructed for distributed enforcement of a Quality-of-Service /QoS/ policy on incoming packets that are intended for transmission towards a destination, by at least two separate Processing Units /PUs/ that separately process different packets that are intended for transmission towards that destination. A cross-PU Instances Synchronization Unit automatically determines that a first PU caused modification of a first set of instances of parent-child Policy Objects that are utilized by the first PU, and dynamically causes a corresponding modification to a second set of instances of parent-child Policy Objects that are utilized by a second PU. The QoS policy is enforced, on a packet-by-packet basis, by different member entities of the tree hierarchy representation, to achieve the overall QoS policy.
System and methods providing anti-virus cooperative enforcement A system providing methods for anti-virus cooperative enforcement is described. In response to a request from a device for access to protected resources, such as a network or protected data, a determination is made as to whether an anti-virus policy applies to the request for access made by the device. If an anti-virus policy is applicable, information pertaining to virus protection available on the device is collected. The virus protection information that is collected is evaluated to determine whether the device is in compliance with the anti-virus policy. If the device is determined to be in compliance with the anti-virus policy, the device is allowed to access the protected resources.
System and method of predictive internet traffic steering System and method of predictive Internet traffic steering. An Internet steering gateway decouples traffic classification from traffic steering, and includes: a deep packet inspection /DPI/ utility to ascertain an indication of a destination remote application server /RAS/ from an initial packet of a data session in a network; a RAS database to store an optimization profile for each RAS; and a steering utility to look-up, based on the RAS addressing information that was determined by the DPI utility inspection of the initial packet of the data session, an indicated RAS in the RAS database. The steering utility steers the data session to an external optimization platform /EOP/ based on the associated profile in the RAS database.
System and method for securing distributed exporting models in a network environment A method is provided in one example implementation and includes identifying a plurality of exporters that are authorized to communicate data to a collector on behalf of a secure domain; generating secure credentials for the secure domain; communicating the secure credentials to the collector; and authenticating the exporters using the secure credentials. In more particular implementations, the method can include receiving the secure credentials; receiving certain data that includes identifying information, which further includes an Internet protocol /IP/ address of a source associated with the certain data; accepting the certain data if the secure credentials validate the identifying information; and rejecting the certain data if the secure credentials do not validate the identifying information.
System and method for resolving operating system or service identity conflicts A system includes a processor device. The processor device is configured to receive reports of operating system identities for a single host; determine which of the operating system identities are an intersection of the reported operating system identities; and assign the intersection of the reported operating system identities as a resolved operating system identity.
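The two abstracts above ("determining characteristics of a network", where competing operating-system identities from one packet are chosen by confidence value, and "resolving operating system or service identity conflicts", where identities reported for one host are intersected) describe one combined procedure. The following is an added illustration written for this page; it is not code from either patent. The report format, the confidence values, the rule of combining confidences by minimum, the alphabetical tie-break and the treatment of an empty intersection (returned as unresolved, which the abstract does not address) are all assumptions made for the example, and the sample reports are constructed.

```python
"""Resolve the operating-system identity of a single host from several
reports (one per decoded packet or per sensor). Added example, not the
patents' code; report format and combination rules are assumptions."""
from typing import Dict, List, Optional, Tuple

# One report maps each candidate OS identity to a confidence in [0, 1].
Report = Dict[str, float]

# Constructed sample: three reports about the same host, e.g. one from a
# TCP SYN fingerprint, one from TTL/window heuristics, one from an
# application-layer banner. All three agree on the Linux candidates only.
SAMPLE_REPORTS: List[Report] = [
    {"Linux 5.x": 0.9, "Linux 4.x": 0.6, "FreeBSD 13": 0.3},
    {"Linux 5.x": 0.7, "Linux 4.x": 0.7},
    {"Linux 5.x": 0.8, "Linux 4.x": 0.5, "Windows 10": 0.2},
]


def intersect_reports(reports: List[Report]) -> Dict[str, float]:
    """Keep only identities present in every report (the abstract's
    intersection). Confidence of a surviving identity is the minimum
    across reports: the weakest evidence bounds the combined claim
    (an assumption; the abstract does not fix a combination rule)."""
    if not reports:
        return {}
    common = set(reports[0])
    for report in reports[1:]:
        common &= set(report)
    return {ident: min(r[ident] for r in reports) for ident in common}


def select_by_confidence(candidates: Dict[str, float]) -> Optional[str]:
    """If more than one identity survives, choose by confidence value.
    Ties go to the alphabetically first name so the result is stable."""
    if not candidates:
        return None
    return max(sorted(candidates), key=lambda name: candidates[name])


def resolve_os(reports: List[Report]) -> Tuple[Optional[str], Dict[str, float]]:
    """Returns (resolved identity or None, surviving candidates with their
    combined confidence). None means the reports had nothing in common,
    which a deployment would flag for manual review rather than guess."""
    common = intersect_reports(reports)
    return select_by_confidence(common), common


if __name__ == "__main__":
    resolved, survivors = resolve_os(SAMPLE_REPORTS)
    print("resolved:", resolved)
    print("candidates:", survivors)
    print("conflict:", resolve_os([{"Windows 10": 0.9}, {"Linux 5.x": 0.9}]))
```

Taking the minimum rather than the maximum confidence across reports matters operationally: a single over-confident sensor cannot promote an identity the others only weakly support, which keeps vulnerability assignment and policy enforcement (the later steps in the first abstract) from acting on one outlier report.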
System and method for real time data awareness A system includes a sensor and a processor. The sensor is configured to passively read data in packets as the packets are in motion on a network. The processor is cooperatively operable with the sensor. The processor is configured to receive the read data from the sensor; and originate map profiles of files and file data, both from the read data from the sensor, as the passively read packets are in motion on the network. The processor is also configured to infer a user role for a user who is using the file and the file data and how the user is transferring or accessing the file and the file data. Inappropriate usage being performed by the user can then be detected from the user role and the read data to control access to particular files.
System and method for real time data awareness A system includes a sensor and a processor. The sensor is configured to passively read data in packets as the packets are in motion on a network. The processor is cooperatively operable with the sensor. The processor is configured to receive the read data from the sensor; and originate real-time map profiles of files and file data, both from the read data from the sensor, as the passively read packets are in motion on the network.
System and method for real time data awareness A system includes a sensor and a processor. The sensor is configured to passively read data in packets as the packets are in motion on a network. The processor is cooperatively operable with the sensor. The processor is configured to receive the read data from the sensor; and originate real-time map profiles of files and file data, both from the read data from the sensor, as the passively read packets are in motion on the network.
System and method for providing targeted advertising through traffic analysis in a network environment An example method includes receiving packets associated with network traffic and identifying location information associated with an end user related to the network traffic. The method also includes extracting keywords from the network traffic, the keywords and the location information are used as a basis for rendering an advertisement on digital signage that is physically proximate to a current location of the end user. In other embodiments, the network traffic can be matched against access control lists, which are configured with Internet protocol /IP/ addresses relating to search engines. Additionally, the network traffic can be classified based on fields in the packets, wherein the fields include a source Internet protocol /IP/ address, a destination IP address, and a transmission control protocol /TCP/ port. In more particular embodiments, the network traffic is hypertext transfer protocol /HTTP/ requests originating from a handheld device operated by the end user.
System and method for near-real time network attack detection, and system and method for unified detection via detection routing A system includes a processor. The processor is configured to receive network traffic that includes a data block. The processor will generate a unique identifier /UID/ for the file that includes a hash value corresponding to the file. The processor will determine whether the file is indicated as good or bad with the previously-stored UID. The processor will call a file-type specific detection nugget corresponding to the file’s file-type to perform a full file inspection to detect whether the file is good or bad and store a result of the inspection together with the UID of the file, when the file is determined to be not listed in the previously-stored UIDs. The processor will not call the file-type specific detection nugget when the file’s indicator is
System and method for managing chained services in a network environment An example method is provided in one example embodiment and may include configuring a measurement indication for a packet; forwarding the packet through a service chain comprising one or more service functions; recording measurement information for the packet as it is forwarded through the service chain; and managing capacity for the service chain based, at least in part, on the measurement information. In some cases, the method can include determining end-to-end measurement information for the service chain using the recorded measurement information. In some cases, managing capacity for the service chain can further include identifying a particular service function as a bottleneck service function for the service chain; and increasing capacity for the bottleneck service. In various instances, increasing capacity for the bottleneck service can include at least one of: instantiating additional instances of the bottleneck service; and instantiating additional instances of the service chain.
System and method for improved service chaining There is disclosed an apparatus having logic elements to: receive an incoming packet associated with a first service function chain; identify a next hop service function for the incoming packet as a non-reactive service function; create a duplicate packet; forward the duplicate packet to the non-reactive service function; and forward the incoming packet to a next reactive service function. There is also disclosed an apparatus having logic to: receive an incoming packet associated with a first service function chain /SFC/, having a first service path identifier /SPI/; determine that the incoming packet has a first service index /SI/, and that a next-hop SI identifies a non-reactive service function /NRSF/; receive a duplicate packet of the incoming packet; rewrite a service header of the duplicate packet to identify a second SFC having a second SPI, wherein the second SPI is different from the first SPI; and alter the first SI of the incoming packet to identify a next reactive service function in the first SFC.
System and method for exporting structured data in a network environment An apparatus is provided in one example embodiment and includes a network element configured to receive a plurality of packets. The network element is configured to couple to a module, the module being configured to generate a data record that is based on information associated with the packets and capable of being interpreted according to a template in which multiple information elements can be positioned to create a hierarchical relationship within structured data. The structured data further includes references to the information elements. The network element further including an export module configured to export the data record to a next destination.
System and method for directing network traffic in tunneling applications A method, apparatus, and system are directed to managing traffic towards a tunnel in a network. The invention enables a network device to extract data from a received packet. A deep packet inspection is employed that enables examination of the extracted data at virtually any layer of an OSI layered protocol of the packet. If the extracted data does not satisfy the flow criteria, a second packet may be inspected at a deep packet level to determine whether the data of the first and second packet satisfies the flow criteria. If the extracted data satisfies the flow criteria a tunnel is determined based, in part, on the flow criteria. The packet is associated with and forwarded towards the determined tunnel.
System and method for configuring service appliances as virtual line cards in a network environment An example method is provided and includes configuring a service appliance to offload network control plane and network data plane operations to a switch; establishing a communication channel between the service appliance and the switch; and communicating control messages between the service appliance and the switch over the communication channel. In a more particular embodiment, the method can include communicating data messages between the service appliance and the switch over the communication channel.
System and method for automated rendering of service chaining In one embodiment, a method includes creating a catalog of service function /
System and method for assigning network blocks to sensors A system includes a processor device. The processor device is configured to detect a physical topology of a network comprising hosts and sensors in the network. The processor device is also configured to generate a sensor policy for assignment of the sensors to network blocks of the hosts, that balances a processing load and accuracy of the sensors in the network based on physical closeness of the sensors to different divisions of hosts within a same network block.
System and method for assigning network blocks to sensors A system includes a processor device. The processor device is configured to detect a physical topology of a network comprising hosts and sensors in the network. The processor device is also configured to generate a sensor policy for assignment of the sensors to network blocks of the hosts, that balances a processing load and accuracy of the sensors in the network based on physical closeness of the sensors to different divisions of hosts within a same network block.
Symmetric service chain binding A plurality of network nodes are deployed in a network, each network node configured to apply a service function to traffic that passes through the respective network nodes. A controller generates information for a service chain that involves application to traffic of one or more service functions at corresponding ones of the plurality of network nodes along a forward path through the one or more network nodes. The controller identifies one or more of the service functions within the service chain that is stateful. When one or more of the service functions of the service chain is stateful, the controller generates information for a reverse path through the one or more service nodes for the one or more stateful service functions. The controller binds a forward chain identifier for the forward path with a reverse chain identifier for the reverse path for the service chain.
Switch to SonicWall and defend your network at every point against any cyber-threat.
Supporting programmability for arbitrary events in a software defined networking environment Techniques are disclosed for using arbitrary criteria to define events occurring within a network infrastructure, as well as techniques for detecting and responding to the occurrence of such custom events. Doing so allows a collection of networking elements /switches, routers, etc./ to perform a variety of distributed functions from within the network itself to respond to custom events. Further, because custom events are published across the network, multiple network elements can communicate and respond to the same event. Thus, unlike currently available event management systems, custom events /and responding applications/ can be used to create and coordinate software defined networking within a common network infrastructure.
Study of snort-based IDS General trend in industry is a shift from Intrusion Detection Systems /IDS/ to Intrusion Prevention Systems /IPS/. In this paper, we have investigated the motivations behind this trend. In addition, we have surveyed some of the available IDS/IPS tools. Real time analysis of several Internet attacks was done using SNORT,
Structural command and control detection of polymorphic malware In one embodiment, a service receives a plurality of process hashes for processes executed by a plurality of devices. The service receives traffic data indicative of traffic between the plurality of devices and a plurality of remote server domains. The service forms a bipartite graph based on the processes hashes and the traffic data. A node of the graph represents a particular process hash or server domain and an edge between nodes in the graph represents network traffic between a process and a server domain. The service identifies, based on the bipartite graph, a subset of the plurality of processes as exhibiting polymorphic malware behavior. The service causes performance of a mitigation action in the network based on the identified subset of processes identified as exhibiting polymorphic malware behavior.
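The bipartite graph in the abstract above (process hashes on one side, server domains on the other, an edge for observed traffic) can be walked with a simple structural rule. The following is an added illustration for this page, not the patent's code: the scoring rule is an assumption of this example, namely that a domain contacted by many distinct process hashes, each of which is seen on only one or two devices and talks to few other domains, looks like re-packed samples of one family phoning home to one controller, whereas a legitimate updater is the same hash on every device. The observations, device names, hashes and domains are constructed.

```python
"""Bipartite process-hash / server-domain graph with a structural test for
polymorphic malware command-and-control. Added example, not the patent's
code; the thresholds and the scoring rule are assumptions."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed observations: (device, process_hash, server_domain).
OBSERVATIONS: List[Tuple[str, str, str]] = [
    # a legitimate updater: one hash, present on every device, one domain
    ("host1", "h-upd-1", "updates.example.com"),
    ("host2", "h-upd-1", "updates.example.com"),
    ("host3", "h-upd-1", "updates.example.com"),
    # a browser-like process: one hash, many devices, several domains
    ("host1", "h-brw-1", "www.example.com"),
    ("host2", "h-brw-1", "cdn.example.org"),
    ("host3", "h-brw-1", "www.example.com"),
    # six different hashes, one per device, all calling the same domain
    ("host1", "h-poly-1", "c2.example.net"),
    ("host2", "h-poly-2", "c2.example.net"),
    ("host3", "h-poly-3", "c2.example.net"),
    ("host4", "h-poly-4", "c2.example.net"),
    ("host5", "h-poly-5", "c2.example.net"),
    ("host6", "h-poly-6", "c2.example.net"),
]

Graph = Tuple[Dict[str, Set[str]], Dict[str, Set[str]], Dict[str, Set[str]]]


def build_graph(obs: List[Tuple[str, str, str]]) -> Graph:
    """Adjacency for both sides of the bipartite graph, plus the set of
    devices each hash was seen on (used to measure hash prevalence)."""
    hash_to_domains: Dict[str, Set[str]] = defaultdict(set)
    domain_to_hashes: Dict[str, Set[str]] = defaultdict(set)
    hash_to_devices: Dict[str, Set[str]] = defaultdict(set)
    for device, phash, domain in obs:
        hash_to_domains[phash].add(domain)
        domain_to_hashes[domain].add(phash)
        hash_to_devices[phash].add(device)
    return hash_to_domains, domain_to_hashes, hash_to_devices


def find_polymorphic(
    obs: List[Tuple[str, str, str]],
    min_distinct_hashes: int = 4,     # assumed thresholds, tune per estate
    max_devices_per_hash: int = 1,
    max_domains_per_hash: int = 2,
) -> Dict[str, List[str]]:
    """Return {domain: [process hashes]} for domains whose neighbourhood
    in the graph is dominated by low-prevalence, low-fan-out hashes."""
    hash_to_domains, domain_to_hashes, hash_to_devices = build_graph(obs)
    flagged: Dict[str, List[str]] = {}
    for domain, hashes in domain_to_hashes.items():
        low_prevalence = {
            h for h in hashes
            if len(hash_to_devices[h]) <= max_devices_per_hash
            and len(hash_to_domains[h]) <= max_domains_per_hash
        }
        if len(low_prevalence) >= min_distinct_hashes:
            flagged[domain] = sorted(low_prevalence)
    return flagged


if __name__ == "__main__":
    for domain, hashes in find_polymorphic(OBSERVATIONS).items():
        print(f"{domain}: {len(hashes)} distinct low-prevalence hashes -> {hashes}")
```

The rule keys on hash prevalence across devices rather than on the hash value itself, which is exactly what a polymorphic packer defeats; the mitigation step in the abstract would then apply to the flagged hashes (the processes) and to the domain they share.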
Statistical fingerprinting of network traffic In one embodiment, a device in a network determines a set of lattice points in a multi-dimensional space constructed using message characteristics of messages exchanged between endpoint nodes in the network. The device uses the lattice points to derive vector representations of communication channels in the network with each of the communication channels being associated with one or more of the exchanged messages. A vector representation of an application in the network is based on one or more of the derived vector representations of one or more channels used to exchange messages associated with the application. The device identifies the application as associated with a first one of the channels by determining a measure of similarity between the first channel and the vector representation of the application that approximates a maximum mean discrepancy /MMD/ distance between the message characteristics for the vector representations of the first channel and the application.
Stateful application identification while roaming Stateful roaming techniques are provided for use in a wireless network. In one embodiment, a method is provided that includes: obtaining flow information descriptive of one or more traffic flows associated with a wireless client device that is associated to a current access point in a wireless network; storing state data representing the flow information for flows associated with the wireless client device together with a traffic descriptor for each flow; determining that the wireless client device is seeking to roam from the current access point to a new access point; and sending the state data for the wireless client device to the new access point to enable the new access point to apply a policy based on the state data before the wireless client device completes its roam to the new access point.
State machine for collecting information on use of a packet network A protocol analyzer includes an input buffer, a lookup table and a counter memory. The input buffer includes a frame header buffer and the lookup table comprises a state machine including a CAM and a RAM. A frame is stored in the frame header buffer while the CAM and RAM analyze predetermined portions of it. If a portion is eight bits or less, it is input into the RAM and the RAM outputs instructions stored at the location indicated by the data portion. If the portion is greater than eight bits, it is input into the CAM, which outputs a RAM address at which corresponding instructions are stored. The instructions can include an instruction to increment a count in a predetermined register of the counter memory; an instruction to add a new count register in the counter memory; an instruction to generate a snapshot trigger to cause a capture RAM to store a specific data segment traveling on the packet network; and an instruction to further analyze the data portion. The instruction to further analyze the data portion includes an address offset to indicate the location of the next data segment to be analyzed. The protocol analyzer does not include a processor, and is not operated by software; it can analyze all data frames on a packet network, even at gigabit transfer rates.
SSH Deep Packet Inspection The Secure Shell /SSH/ is a protocol for secure remote login and other secure network services over an insecure network. SSH allows tunneling, which can be used to bypass firewalls and breach Security Policies. You can use the SSH Deep Packet Inspection /
SS8 to Acquire Bivio Networks
Speed and memory optimization of intrusion detection system /IDS/ and intrusion prevention system /IPS/ rule processing In an intrusion detection/prevention system, network traffic is received and checked for a matching pattern. Upon identifying the matching pattern, the network traffic with the matching pattern is evaluated against rules that are represented by a rule tree. References to rule options are represented in the rule tree and are stored separately from the rule tree. The rule tree represents unique rules by unique paths from a root of the tree to the leaf nodes, and represents rule options as non-leaf nodes of the rule tree. Evaluating the network traffic includes processing, against the network traffic, the rule options in the rule tree beginning at the root. Processing of the rules represented by subtrees of nodes with rule options that do not match is eliminated. The network traffic is evaluated against rules terminating in leaf nodes only for combinations of rule options that match the network traffic.
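The rule tree in the abstract above is easiest to see in code: each rule is a unique root-to-leaf path, rule options are the interior nodes and are stored in a table separate from the tree, and a non-matching option prunes every rule beneath it. The following is an added illustration for this page, not the patent's or Snort's code; the option names, the decoded packet fields and the three rules are constructed, and the first-stage pattern match the abstract mentions is assumed to have already selected the packet.

```python
"""Rule-tree evaluation of IDS rule options with subtree pruning.
Added example, not the patent's or Snort's code; rules, option names and
packet fields are constructed for the illustration."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# A decoded packet is a dict of fields for the purpose of this example.
Packet = Dict[str, object]

# Rule options are predicates kept in a table separate from the tree;
# tree nodes hold only references (the option's name), as in the abstract.
OPTION_TABLE: Dict[str, Callable[[Packet], bool]] = {
    "dport:80":        lambda p: p.get("dport") == 80,
    "dport:443":       lambda p: p.get("dport") == 443,
    "flags:S":         lambda p: p.get("flags") == "S",
    "flags:PA":        lambda p: p.get("flags") == "PA",
    "content:GET":     lambda p: b"GET " in p.get("payload", b""),
    "content:../":     lambda p: b"../" in p.get("payload", b""),
    "content:cmd.exe": lambda p: b"cmd.exe" in p.get("payload", b""),
}


@dataclass
class Node:
    option: Optional[str] = None                          # None at the root
    children: Dict[str, "Node"] = field(default_factory=dict)
    rule_ids: List[str] = field(default_factory=list)     # set only at leaves


def build_tree(rules: Dict[str, List[str]]) -> Node:
    """Insert each rule as an ordered path of option references. Rules with
    a common prefix share the prefix nodes, so the prefix is tested once."""
    root = Node()
    for rule_id, options in rules.items():
        node = root
        for opt in options:
            if opt not in OPTION_TABLE:
                raise KeyError(f"unknown option reference {opt!r}")
            node = node.children.setdefault(opt, Node(option=opt))
        node.rule_ids.append(rule_id)
    return root


def evaluate(root: Node, packet: Packet) -> List[str]:
    """Walk from the root; an option that fails prunes its whole subtree,
    so no rule below it is ever evaluated. Returns matching rule ids."""
    matches: List[str] = []
    stack = [root]
    while stack:
        node = stack.pop()
        if node.option is not None and not OPTION_TABLE[node.option](packet):
            continue
        matches.extend(node.rule_ids)
        stack.extend(node.children.values())
    return sorted(matches)


def count_evaluations(root: Node, packet: Packet) -> int:
    """How many option predicates actually run for this packet; a flat rule
    list would run every option of every rule instead."""
    n = 0
    stack = [root]
    while stack:
        node = stack.pop()
        if node.option is not None:
            n += 1
            if not OPTION_TABLE[node.option](packet):
                continue
        stack.extend(node.children.values())
    return n


# Constructed rule set; the two web rules share a three-option prefix.
RULES: Dict[str, List[str]] = {
    "web-traversal": ["dport:80", "flags:PA", "content:GET", "content:../"],
    "web-cmdexe":    ["dport:80", "flags:PA", "content:GET", "content:cmd.exe"],
    "tls-syn":       ["dport:443", "flags:S"],
}
TREE = build_tree(RULES)

if __name__ == "__main__":
    pkt = {"dport": 80, "flags": "PA", "payload": b"GET /../../etc/passwd HTTP/1.0"}
    print(evaluate(TREE, pkt), count_evaluations(TREE, pkt), "of", sum(map(len, RULES.values())))
```

For the traversal packet the tree runs 6 predicates where a flat scan of the same three rules would run 10, and the saving grows with the number of rules sharing a prefix; the separate option table is what keeps memory flat when thousands of rules reference the same few hundred options.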
Specializing unsupervised anomaly detection systems using genetic programming In one embodiment, a device in a network receives sets of traffic flow features from an unsupervised machine learning-based anomaly detector. The sets of traffic flow features are associated with anomaly scores determined by the anomaly detector. The device ranks the sets of traffic flow features based in part on their anomaly scores. The device applies a genetic programming approach to the ranked sets of traffic flow features to generate new sets of traffic flow features. The genetic programming approach uses a fitness function that is based in part on the rankings of the sets of traffic flow features. The device specializes the anomaly detector to emphasize a particular type of anomaly using the new sets of traffic flow features.
Specializing unsupervised anomaly detection systems using genetic programming In one embodiment, a device in a network receives sets of traffic flow features from an unsupervised machine learning-based anomaly detector. The sets of traffic flow features are associated with anomaly scores determined by the anomaly detector. The device ranks the sets of traffic flow features based in part on their anomaly scores. The device applies a genetic programming approach to the ranked sets of traffic flow features to generate new sets of traffic flow features. The genetic programming approach uses a fitness function that is based in part on the rankings of the sets of traffic flow features. The device specializes the anomaly detector to emphasize a particular type of anomaly using the new sets of traffic flow features.
SonicWall NSA 6650 – Security appliance – 10 GigE, 2.5 GigE – 1U – rack-mountable | Dell USA
SonicWall high-performance firewalls as an integrated threat prevention platform for small/medium organizations and distributed enterprises.
SonicWall firewalls give you comprehensive threat prevention at multi-gigabit speeds.
SonicWALL E-Class NSA Series | SonicGuard.com
SonicWALL E-Class NSA E6500 Appliance | SonicGuard.com
SnortView: visualization system of snort logs False detection is a major issue in deploying and maintaining Network-based Intrusion Detection Systems (NIDS). Traditionally, it is recommended to customize its signature database (DB) to reduce false detections. However, it requires quite deep knowledge and skills to appropriately customize the signature DB. Inappropriate customization causes the increase of false negatives as well as false positives. In this paper, we propose a visualization system of a NIDS log, named SnortView, which supports administrators in analyzing NIDS alerts much faster and much more easily. Instead of customizing the signature DB, we propose to utilize visualization to recognize not only each alert but also false detections. The system is based on a 2-D time diagram and alerts are shown as icons with different styles and colors. In addition, the system introduces some visualization techniques such as overlaid statistical information, source-destination matrix, and so on. The system was used to detect real attacks while recognizing some false detections.
SNORT — LIGHTWEIGHT INTRUSION DETECTION FOR NETWORKS Network intrusion detection systems (NIDS) are an important part of any network security architecture. They provide a layer of defense which monitors network traffic for predefined suspicious activity or patterns, and alert system administrators when potential hostile traffic is detected. Commercial NIDS have many differences, but Information Systems departments must face the commonalities that they share such as significant system footprint, complex deployment and high monetary cost. Snort was designed to address these issues.
Sniffer Technologies Unveils InfiniStream Forensics Tool Sniffer Technologies, a division of Network Associates, this week is expanding beyond network management into security with a new forensics tool. The new product, InfiniStream, is built on technology Network Associates acquired with its purchase of Lindon, Utah-based Traxess last summer, said Christopher Thompson, vice president of product marketing at Network Associates, based here.
Signature creation for unknown attacks In one embodiment, a device in a network generates an expected traffic model based on a training set of data used to train a machine learning attack detector. The device provides the expected traffic model to one or more nodes in the network. The device receives an unexpected behavior notification from a particular node of the one or more nodes. The particular node generates the unexpected behavior notification based on a comparison between the expected traffic model and an observed traffic behavior by the node. The particular node also prevents the machine learning attack detector from analyzing the observed traffic behavior. The device updates the machine learning attack detector to account for the observed traffic behavior.
Session aware access point load balancing The present disclosure discloses a method and a network device for session aware access point load balancing. Specifically, a network device monitors data corresponding to a plurality of client devices associated with a first access point. Then, the network device determines whether the data matches particular criteria. Responsive to determining that the data matches the particular criteria, the network device selects at least a first client device of the plurality of client devices for disassociation and/or de-authentication. Moreover, the network device causes disassociation and/or de-authentication of the first client device from the first access point.
Service usage model for traffic analysis In one embodiment, a device in a network identifies a set of services of a domain accessed by a plurality of users in the network. The device generates a service usage model for the domain based on the set of services accessed by the plurality of users. The service usage model models usage of the services of the domain by the plurality of users. The device trains a machine learning-based classifier to analyze traffic in the network using a set of training feature vectors. A particular training feature vector includes data indicative of service usage by one of the users for the domain and the modeled usage of the services of the domain by the plurality of users. The device causes classification of traffic in the network associated with a particular user by the trained machine learning-based classifier.
Service request packet including an exterior network protocol attribute Packets are encapsulated and sent from a service node to one or more application nodes for applying one or more Layer-4 to Layer-7 services to the packets. Before doing so, for each packet, the service node performs a lookup operation based on the destination address of the packet in a routing data structure derived from an exterior network protocol, such as, but not limited to, Border Gateway Protocol (BGP). This lookup operation results in the identification of a next hop packet switching device to which the packet would be sent from the service node. The service node includes this identification of the next hop address in the request packet sent to the application node(s). After the service(s) are applied to the packet, an application node will send the services-applied packet to this next hop address. In this manner, application nodes do not need to run an exterior network protocol, although they typically will run an Interior Gateway Protocol for identifying how to forward packets to the next hop address.
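The split of work described in the abstract above, as an added example in Python (not code from the patent or from any vendor). The routing table is constructed by hand where the abstract derives it from BGP, the "service request" is a plain dict standing in for an encapsulation header, and the L7 service is a stand-in; what the example shows is the service node doing one longest-prefix-match lookup and the application node forwarding on the carried next hop without any routing table of its own.

```python
"""Added example (not the patent's code): service node resolves the exterior
next hop by longest-prefix match and carries it in the service request; the
application node applies the service and forwards to that next hop.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str  # identifier of the next-hop packet switching device


def build_rib(entries):
    """Longest prefix first, so the first containing prefix wins on lookup."""
    routes = [Route(ipaddress.ip_network(p), nh) for p, nh in entries]
    return sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)


def lookup_next_hop(rib, dst_ip):
    """Longest-prefix match of dst_ip against the (BGP-derived) table."""
    addr = ipaddress.ip_address(dst_ip)
    for route in rib:
        if addr in route.prefix:
            return route.next_hop
    return None


def make_service_request(rib, pkt):
    """Service node side: one exterior-protocol lookup, result carried in the
    encapsulation (a dict here, standing in for a real header)."""
    next_hop = lookup_next_hop(rib, pkt["dst"])
    if next_hop is None:
        raise LookupError(f"no route for {pkt['dst']}")
    return {"exterior_next_hop": next_hop, "inner": pkt}


def application_node(request, service):
    """Application node side: apply the service, then hand the result to the
    next hop named in the request; reaching that hop is an IGP matter."""
    return request["exterior_next_hop"], service(request["inner"])


# Constructed routing table (the abstract derives this from BGP).
RIB = build_rib([
    ("0.0.0.0/0", "edge-default"),
    ("203.0.113.0/24", "pe-1"),
    ("203.0.113.128/25", "pe-2"),
    ("198.51.100.0/24", "pe-3"),
])


def redact_service(pkt):
    """Stand-in L7 service: strip an internal header before forwarding."""
    out = dict(pkt)
    out["payload"] = out["payload"].replace(b"X-Internal-Id: 42\r\n", b"")
    return out


def run(rib, pkt):
    """Full path: service node lookup + encapsulation, then application node."""
    return application_node(make_service_request(rib, pkt), redact_service)


if __name__ == "__main__":
    pkt = {"src": "192.0.2.7", "dst": "203.0.113.200",
           "payload": b"GET / HTTP/1.1\r\nX-Internal-Id: 42\r\n\r\n"}
    next_hop, out = run(RIB, pkt)
    print(next_hop, out["payload"])   # pe-2 b'GET / HTTP/1.1\r\n\r\n'
```

The more specific /25 wins over the covering /24 for 203.0.113.200, which is the behaviour the service node must reproduce from its exterior-protocol view; the application node never sees the table. One design point the abstract does not discuss and this example does not handle: the application node acts on whatever next hop the request carries, so in a real deployment that attribute should only be accepted from the trusted service-node path.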
Service function chaining branching A system comprising a plurality of service nodes, a controller and a network device in communication with the controller. Each of the plurality of service nodes is configured to support one or more service functions to establish a service function chain that includes a plurality of service functions to be performed by routing traffic among the plurality of service nodes. The controller is configured to generate provisioning information for the service function chain. The provisioning information includes at least one condition upon which a service function reclassification or branching operation is to be performed by at least one service node. The network device is in communication with the controller, and is configured to distribute the provisioning information for the service function chain to the plurality of service nodes using a distributed routing protocol.
Semi-active probing framework to gather threat intelligence for encrypted traffic and learn about devices In one embodiment, a device in a network observes traffic between a client and a server for an encrypted session. The device makes a determination that a server certificate should be obtained from the server. The device, based on the determination, sends a handshake probe to the server. The device extracts server certificate information from a handshake response from the server that the server sent in response to the handshake probe. The device uses the extracted server certificate information to analyze the traffic between the client and the server.
Self organizing learning topologies In one embodiment, a networking device at an edge of a network generates a first set of feature vectors using information regarding one or more characteristics of host devices in the network. The networking device forms the host devices into device clusters dynamically based on the first set of feature vectors. The networking device generates a second set of feature vectors using information regarding traffic associated with the device clusters. The networking device models interactions between the device clusters using a plurality of anomaly detection models that are based on the second set of feature vectors.
Self modifying state graphs for quality of service classification A method and intermediate device for dynamically modifying a stateful inspection of data. In one embodiment, the present invention is comprised of an intermediate device such as, for example, a router. The intermediate device is adapted to perform a stateful inspection of data passing therethrough. In one approach, the intermediate device performs the stateful inspection by inspecting the data to determine state information for the data. Next, the intermediate device modifies a state graph used to perform the stateful inspection of the data based upon the state information found during the aforementioned inspection. The intermediate device then utilizes the modified state graph to perform continued stateful inspection of the data. In so doing, the present invention enables an enhanced use of Quality of Service (QoS) classification based upon the high level application of the data. The present invention further provides a classification engine which can readily be adapted to new protocols.
Selective service based virtual local area network flooding The present disclosure discloses a method and network device for selective service based virtual local area network (VLAN) flooding. The disclosed system receives, on a first VLAN, a packet originated by a device, and floods one or more copies of the packet to a second, different VLAN if the packet was received on an access port. If the packet was received on a trunk port, the system instead floods copies of the packet on the same, first VLAN. The device originating the packet is a member of the first VLAN but not a member of the second VLAN.
Selective and dynamic application-centric network measurement infrastructure In one embodiment, a device in a network receives data indicative of traffic characteristics of traffic associated with a particular application. The device identifies one or more paths in the network via which the traffic associated with the particular application was sent, based on the traffic characteristics. The device determines a probing schedule based on the traffic characteristics. The probing schedule simulates the traffic associated with the particular application. The device sends probes along the one or more identified paths according to the determined probing schedule.
Security system providing methodology for cooperative enforcement of security policies during SSL sessions A security system providing methodology for cooperative enforcement of security policies during SSL sessions is described. In one embodiment, for example, a method is described for controlling SSL (Secure Sockets Layer) communication, the method comprises steps of: defining rules indicating conditions under which a machine is permitted to participate in an SSL session; trapping an attempt by a particular application running on the machine to participate in an SSL session, by intercepting the particular application’s attempt to provide authentication; determining whether the machine complies with the rules; allowing the attempt to succeed when the machine complies with the rules; and otherwise blocking the attempt when the machine does not comply with the rules.
Scripting for implementing policy-based traffic steering and management Methods, systems, and devices are described for managing network communications. A traffic manager module may receive a script over a management plane of a packet core, interpret the script to identify a traffic management policy; and dynamically modify at least one aspect of a proxy connection over a bearer plane of the packet core at the traffic manager module based on the identified traffic management policy.
Score boosting strategies for capturing domain-specific biases in anomaly detection systems In one embodiment, a device in a network detects an anomaly in the network using an anomaly detector. The anomaly corresponds to an anomalous behavior exhibited by one or more nodes in the network. The device computes an anomaly score for the anomaly that represents a measure of the anomalous behavior. The device adjusts the anomaly score using a boost score. The boost score is generated by a boosting function that accounts for domain-specific biases of the anomaly detector. The device reports the anomaly to a supervisory device based on whether the adjusted anomaly score exceeds a reporting threshold.
Scheduling predictive models for machine learning systems In one embodiment, a device in a network monitors performance data for a first predictive model. The first predictive model is used to make proactive decisions in the network. The device maintains a supervisory model based on the monitored performance data for the first predictive model. The device identifies a time period during which the supervisory model predicts that the first predictive model will perform poorly. The device causes a switchover from the first predictive model to a second predictive model at a point in time associated with the time period, in response to identifying the time period.
Sanity check of potential learned anomalies In one embodiment, a device in a network receives, from a supervisory device, trace information for one or more traffic flows associated with a particular anomaly. The device remaps network addresses in the trace information to addresses of one or more nodes in the network based on roles of the one or more nodes. The device mixes, using the remapped network addresses, the trace information with traffic information regarding one or more observed traffic flows in the network, to form a set of mixed traffic information. The device analyzes the mixed traffic information using an anomaly detection model. The device provides an indication of a result of the analysis of the mixed traffic information to the supervisory device.
Sampling traffic telemetry for device classification with distributed probabilistic data structures In one embodiment, a network element in a network maintains a probabilistic data structure indicative of devices in the network for which telemetry data is not to be sent to a device classification service. The network element detects a traffic flow sent from a source device to a destination device. The network element determines whether the probabilistic data structure includes entries for both the source and destination devices of the traffic flow. The network element sends flow telemetry data regarding the traffic flow to the device classification service, based on a determination that the probabilistic data structure does not include entries for both the source and destination of the traffic flow.
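The send/suppress decision from the abstract above, as an added example in Python (not code from the patent or from any network element). The abstract says only "probabilistic data structure"; a Bloom filter is assumed here because it fits the stated use, and the device identifiers and flows are constructed. The property worth noticing is the direction of the error: a Bloom filter never produces a false negative, so a device that was deliberately marked "do not report" is always suppressed, but a false positive suppresses telemetry for a device the classification service has never seen, and nothing downstream will notice.

```python
"""Added example (not the patent's code): a Bloom filter as the suppression
structure, plus the decision of whether to send flow telemetry at all.
"""
import hashlib
import math


class BloomFilter:
    def __init__(self, capacity, fp_rate):
        # Standard sizing: m bits and k hashes for the target false-positive rate
        # at the given capacity.
        self.m = math.ceil(-capacity * math.log(fp_rate) / (math.log(2) ** 2))
        self.k = max(1, round(self.m / capacity * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)
        self.n = 0  # items inserted so far

    def _positions(self, item: str):
        # Kirsch-Mitzenmacher double hashing from one SHA-256 digest.
        h = hashlib.sha256(item.encode()).digest()
        h1 = int.from_bytes(h[:8], "big")
        h2 = int.from_bytes(h[8:16], "big") | 1  # odd step, never zero
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: str):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)
        self.n += 1

    def __contains__(self, item: str):
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))

    def expected_fp_rate(self):
        # (1 - e^(-kn/m))^k at the current load. Worth exporting as a metric:
        # a false positive here means an unclassified device is never reported.
        return (1 - math.exp(-self.k * self.n / self.m)) ** self.k


def should_send_telemetry(suppress, src, dst):
    """Send flow telemetry unless BOTH endpoints are in the suppression structure."""
    return not (src in suppress and dst in suppress)


def build_suppression_filter(classified_devices, capacity=1000, fp_rate=0.01):
    """Populate the filter with devices the classification service already knows."""
    bf = BloomFilter(capacity, fp_rate)
    for dev in classified_devices:
        bf.add(dev)
    return bf


def decide_flows(suppress, flows):
    """One send/suppress decision per (src, dst) pair."""
    return [should_send_telemetry(suppress, s, d) for s, d in flows]


# Constructed sample data: MAC-style identifiers of already-classified devices.
CLASSIFIED = ["aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"]
FLOWS = [
    ("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"),  # both known: suppress
    ("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:99"),  # unknown peer: send
    ("aa:bb:cc:00:00:77", "aa:bb:cc:00:00:03"),  # unknown source: send
]

if __name__ == "__main__":
    bf = build_suppression_filter(CLASSIFIED)
    print(decide_flows(bf, FLOWS))                 # [False, True, True]
    print(f"expected fp rate: {bf.expected_fp_rate():.1e}")
```

Sizing is the practical check: the filter is built for a capacity, and once more devices than that have been inserted the false-positive rate climbs well past the target, which in this design means more and more new devices go unreported. Rebuilding the filter on a schedule, or when expected_fp_rate() crosses a threshold, keeps the suppression honest.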
Rule based extensible authentication A system, apparatus, and method are directed to managing access to a resource using rule-based deep packet extractions of a credential. A network device, such as a traffic management device, is situated between a client device and a server device. When the client device sends a request for a resource, the request is intercepted by the network device. The network device may employ a multi-layer deep packet extraction of the credential from the request. The network device may then use the credential to determine whether the request is permitted to access the resource. Based, in part, on a variety of rules, the network device may deny access, enable access, route the request to a different server, or the like. In one embodiment, the network device may receive a rule from another device that directs the network device to request a different credential.
rfc5189 Middlebox Communication (MIDCOM) Protocol Semantics This document specifies semantics for a Middlebox Communication (MIDCOM) protocol to be used by MIDCOM agents for interacting with middleboxes such as firewalls and Network Address Translators (NATs). The semantics discussion does not include any specification of a concrete syntax or a transport protocol. However, a concrete protocol is expected to implement the specified semantics or, more likely, a superset of it. The MIDCOM protocol semantics is derived from the MIDCOM requirements, from the MIDCOM framework, and from working group decisions. This document obsoletes RFC 3989.
rfc4150 Transport Performance Metrics MIB This memo defines a portion of the Management Information Base (MIB) for use with network management protocols in the Internet community. In particular, it describes managed objects used for monitoring selectable performance metrics and statistics derived from the monitoring of network packets and sub-application level transactions. The metrics can be defined through reference to existing IETF, ITU, and other standards organizations’ documents. The monitoring covers both passive and active traffic generation sources.
rfc3989 Middlebox Communications (MIDCOM) Protocol Semantics This memo specifies semantics for a Middlebox Communication (MIDCOM) protocol to be used by MIDCOM agents for interacting with middleboxes such as firewalls and Network Address Translators (NATs). The semantics discussion does not include any specification of a concrete syntax or a transport protocol. However, a concrete protocol is expected to implement the specified semantics or, more likely, a superset of it. The MIDCOM protocol semantics is derived from the MIDCOM requirements, from the MIDCOM framework, and from working group decisions.
rfc3729 Application Performance Measurement MIB This memo defines a portion of the Management Information Base (MIB) for use with network management protocols in TCP/IP-based internets. In particular, it defines objects for measuring the application performance as experienced by end-users.
rfc3395 Remote Network Monitoring MIB Protocol Identifier Reference Extensions This memo defines extensions to the Protocol Identifier Reference document for the identification of application verb information. It updates the Protocol Identifier Reference document but does not obsolete any portion of that document. In particular, it describes the algorithms required to identify protocol operations /verbs/ within the protocol encapsulations managed with MIBs such as the Remote Network Monitoring MIB Version 2, RFC 2021.
rfc3304 Middlebox Communications (midcom) Protocol Requirements This document specifies the requirements that the Middlebox Communication (midcom) protocol must satisfy in order to meet the needs of applications wishing to influence the middlebox function. These requirements were developed with a specific focus on network address translation and firewall middleboxes.
rfc3303 Middlebox communication architecture and framework A principal objective of this document is to describe the underlying framework of middlebox communications (MIDCOM) to enable complex applications through the middleboxes, seamlessly using a trusted third party. This document and a companion document on MIDCOM requirements ([REQMTS]) have been created as a precursor to rechartering the MIDCOM working group. There are a variety of intermediate devices in the Internet today that require application intelligence for their operation. Datagrams pertaining to real-time streaming applications, such as SIP and H.323, and peer-to-peer applications, such as Napster and NetMeeting, cannot be identified by merely examining packet headers. Middleboxes implementing Firewall and Network Address Translator services typically embed application intelligence within the device for their operation. The document specifies an architecture and framework in which trusted third parties can be delegated to assist the middleboxes to perform their operation, without resorting to embedding application intelligence. Doing this will allow a middlebox to continue to provide the services, while keeping the middlebox application agnostic.


Deep Packet Inspection Consortium

© 2025 DPI Consortium. All rights reserved. DPI Consortium at info@dpiconsortium.org | Privacy Notice
